January 7, 2007 at 5:15 pm #721358 Anonymous (Inactive)
greek39 wrote:
For the site http://www.sierrastarcasino.com/ I find the following servers:
pdns1.ultradns.net: 204.74.108.1
pdns2.ultradns.net: 204.74.109.1
pdns3.ultradns.org: 199.7.68.1
pdns4.ultradns.org: 199.7.69.1
pdns5.ultradns.info: 204.74.114.1
pdns6.ultradns.co.uk:
When I cross-reference this with my own archives I find:
PDNS1.ULTRADNS.NET 204.74.108.1
PDNS3.ULTRADNS.ORG 199.7.68.1
PDNS2.ULTRADNS.NET 204.74.109.1
PDNS6.ULTRADNS.CO.UK
PDNS4.ULTRADNS.ORG 199.7.69.1
PDNS5.ULTRADNS.INFO 204.74.114.1
Would anybody agree that this linkage provides proof that the spam is coming from these servers for the domain mentioned? Because if it is, you will not believe who is doing this.
greek39
I wouldn’t agree because sierrastarcasino is the ultimate destination of one of the links posted in the email. It is NOT the source of the email itself.
The sources are:
Received: from 66-79-17-75.dsl.coastalnow.net (66.79.17.75)
Received: from [62.212.219.169] ([62.212.219.169])
Received: from host-81-190-73-39.gdynia.mm.pl (81.190.73.39)
It should be patently obvious that this is coming from various infected PCs, with the real origin completely masked. Without knowing what trojan is on these PCs, you will never be able to tell what the real source is unless you track the owners of the links such as:
1stmart.com – the first spammer, apparently unrelated:
Quote:
Registrant:
Global Soft Technologies, Inc.
265 Klassen Rd.
Kelowna, BC V1X7P1
CA
Registrar: DOTSTER
Domain Name: 1STMART.COM
Created on: 28-FEB-99
Expires on: 28-FEB-07
Last Updated on: 01-MAR-06
Administrative, Technical Contact:
Sadowick, Fred admin@1stchoiceinternational.com
Global Soft Technologies, Inc.
265 Klassen Rd.
Kelowna, BC V1X7P1
CA
(250) 491-9386
(250) 491-5644
Domain servers in listed order:
NS1.1STCHOICE-UN.NET
NS2.1STCHOICE-UN.NET
and arengor.com, which is where all the links in the following emails point to:
Quote:
Registrant Contact
Name: Lenin Leon
Address: 482 Pennsylvania Avenue
Kenova, WV 25530
US
Email Address: leninjleon@gmail.com
Phone Number: (304)438-3839
Administrative Contact
Name: Lenin Leon
Address: 482 Pennsylvania Avenue
Kenova, WV 25530
US
Email Address: leninjleon@gmail.com
Phone Number: (304)438-3839
Technical Contact
Name: Lenin Leon
Address: 482 Pennsylvania Avenue
Kenova, WV 25530
US
Email Address: leninjleon@gmail.com
Phone Number: (304)438-3839
Record Created on…….. 2006-12-22 15:05:17.449
Expire on……………. 2007-12-22 15:15:01.000
Domain servers in listed order:
ns1.aruanresar.com
ns2.bustersolg.com
January 7, 2007 at 5:23 pm #721362 Anonymous (Inactive)
Yes spearmaster, I have that info already. I agree to a certain extent; I am looking for one person/company.
greek39
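Spearmaster's point above, that the Received headers name the hosts that actually sent the mail while the links only name the destination, as an added example in Python; this is not code from the thread or from any poster. It assumes a hypothetical local MX called mx.example.invalid, and the messages are constructed: their connecting hosts are the three Received lines quoted above and their body links are modelled on the thread's domains.

```python
import re
from email import message_from_string
from typing import List, Optional, Set

# Constructed messages (not from the thread): the top Received line is the one a
# hypothetical local MX (mx.example.invalid) would write for the three connecting
# hosts quoted in the thread; body links are modelled on the thread's domains.
SAMPLES = [
    "Received: from 66-79-17-75.dsl.coastalnow.net (66.79.17.75)\n"
    "\tby mx.example.invalid with SMTP; Sun, 7 Jan 2007 09:59:58 +0000\n"
    'Content-Type: text/html\n\n<a href="http://arengor.com/land/4">play</a>\n',
    "Received: from [62.212.219.169] ([62.212.219.169])\n"
    "\tby mx.example.invalid with SMTP; Sun, 7 Jan 2007 10:12:03 +0000\n"
    'Content-Type: text/html\n\n<a href="http://iklunfes.com/go">bonus</a> '
    '<a href="http://www.sierrastarcasino.com/">play</a>\n',
    "Received: from host-81-190-73-39.gdynia.mm.pl (81.190.73.39)\n"
    "\tby mx.example.invalid with SMTP; Sun, 7 Jan 2007 11:40:41 +0000\n"
    'Content-Type: text/html\n\n<a href="http://arengor.com/land/9">play</a>\n',
]

# Matches both "from host.example (1.2.3.4)" and "from [1.2.3.4] ([1.2.3.4])".
RECEIVED_FROM = re.compile(r"from\s+\S+\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def connecting_ip(raw: str) -> Optional[str]:
    """IP that handed the message to our MX. Only the top-most Received header,
    written by our own server, is trustworthy; lower hops may be forged."""
    received = message_from_string(raw).get_all("Received") or []
    m = RECEIVED_FROM.search(received[0].replace("\n", " ")) if received else None
    return m.group(1) if m else None

def body_hosts(raw: str) -> Set[str]:
    """Hostnames of every link in the body: the spamvertised destinations."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        return set()  # keep the example to single-part bodies
    return {h.lower() for h in URL_HOST.findall(msg.get_payload())}

def triage(raw_messages: List[str]) -> dict:
    """Sources are what a mail filter can block; destinations are what to report."""
    sources, destinations = [], set()
    for raw in raw_messages:
        ip = connecting_ip(raw)
        if ip:
            sources.append(ip)
        destinations |= body_hosts(raw)
    return {"sources": sources, "destinations": sorted(destinations)}
```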
January 7, 2007 at 5:35 pm #721363 Anonymous (Inactive)
I don’t believe these are coming from zombie machines. But I better take a break for a while.
January 7, 2007 at 5:43 pm #721364 Anonymous (Inactive)
Trust me, they’re zombies. I just got one (and I wasn’t paying attention, but I’ve been getting quite a few every day as well) from
Quote:
Domain Name: colkinhf.com
Registrar: THE NAME IT CORPORATION DBA NAMESERVICES.NET
Registrant Contact
Name: Mary Childree
Address: 2934 New Britain Ave
Cheshire, CT 06410
US
Email Address:
Phone Number: (860)656-6284
Administrative Contact
Name: Mary Childree
Address: 2934 New Britain Ave
Cheshire, CT 06410
US
Email Address:
Phone Number: (860)656-6284
Technical Contact
Name: Mary Childree
Address: 2934 New Britain Ave
Cheshire, CT 06410
US
Email Address:
Phone Number: (860)656-6284
Record Created on…….. 2006-12-29 04:49:18.824
Expire on……………. 2007-12-29 04:59:02.000
Domain servers in listed order:
ns1.mrachnishko.com
ns2.dencovinsho.com
The only similarity is the name registrar – and look at the date the domains were created… this one was JUST created a few days before the New Year…
Best thing to do is pass on the domain names colkinhf.com and arengor.com to Wagershare and ask them to check their logs to see which affiliate is referring them this traffic… and shut his ass down.
edit – add iklunfes.com – and similar DNS servers as arengor.com.
Quote:
Domain Name: iklunfes.com
Registrar: THE NAME IT CORPORATION DBA NAMESERVICES.NET
Registrant Contact
Name: alejandro bianchi
Address: p.o.box 12
bronx, ny 10453
US
Email Address:
Phone Number: (917)804-3922
Administrative Contact
Name: alejandro bianchi
Address: p.o.box 12
bronx, ny 10453
US
Email Address:
Phone Number: (917)804-3922
Technical Contact
Name: alejandro bianchi
Address: p.o.box 12
bronx, ny 10453
US
Email Address:
Phone Number: (917)804-3922
Record Created on…….. 2006-12-22 15:31:04.203
Expire on……………. 2007-12-22 15:41:00.000
Domain servers in listed order:
ns1.aruanresar.com
ns2.bustersolg.com
edit 2 –> Ok… I got it… found something I need to check on.
January 7, 2007 at 5:57 pm #721369 Anonymous (Inactive)
Well, if they are zombies they are pretty tough to track, but not impossible. I don’t feel it would be worth the time. Instead I will focus on the message ID and see if certain agencies can trap these people. This would put them out of business for good. I need the name and address of the person; this is what I am looking for.
The domain is the easy part. But it couldn’t hurt contacting the hosts of the domains.
greek39
January 7, 2007 at 6:04 pm #721372 Anonymous (Inactive)
Let me make it easy for you.
All of the websites with the strange names are on a single server, with the IP 203.87.155.69.
If you have the ability to “take out” a server, this is your target.
January 7, 2007 at 6:08 pm #721373 Anonymous (Inactive)
Thank you spearmaster, these had to be coming from a server of some kind.
greek39
January 7, 2007 at 6:11 pm #721374 Anonymous (Inactive)
The emails are not coming from this server. Zombies are sending the emails.
The destination – i.e. the links in the emails – all point to various websites which are hosted on this server.
January 7, 2007 at 6:13 pm #721376 Anonymous (Inactive)
From Spamhaus:
Ref: SBL49407
203.87.155.69/32 is listed on the Spamhaus Block List (SBL)
02-Jan-2007 05:47 GMT | SR22
Spam webhosting – nasamih.com
Spamvertized URL: [url]xhttp://nasamih.com/micro/4[/url]
nasamih.com has address 203.87.155.69
nasamih.com. 2D IN NS ns1.ferontairc.com.
nasamih.com. 2D IN NS ns2.merbologa.com.
ns1.ferontairc.com. 2D IN A 84.41.233.252
ns2.merbologa.com. 2D IN A 210.76.106.15
—
Server IP address is 203.87.155.69
HTTP/1.1 200 OK
Connection: close
Date: Sat, 23 Dec 2006 19:09:54 GMT
Accept-Ranges: bytes
ETag: “dfb37-aa-9a583440”
Server: Apache/2.0.40 (Red Hat Linux)
Content-Length: 170
Content-Type: text/html; charset=ISO-8859-1
Last-Modified: Tue, 19 Dec 2006 10:31:37 GMT
Visitors are being redirected via a JavaScript. The file bs.js looks like this:
// JavaScript Document
// send every visitor straight on to the affiliate landing URL
var defUrl = "xhttp://www.the999casino.com/click.asp?site=4"
self.location.replace(defUrl)
—
Domain: nasamih.com
Registrant
John Greene
John Greene
xcolopkacan@yahoo.com
289 Houghton Street
Worcester, MA 01604 US
+1.5087985427
Administrative
John Greene
John Greene
xcolopkacan@yahoo.com
289 Houghton Street
Worcester, MA 01604 US
+1.5087985427
Billing
John Greene
John Greene
xcolopkacan@yahoo.com
289 Houghton Street
Worcester, MA 01604 US
+1.5087985427
Technical
John Greene
John Greene
xcolopkacan@yahoo.com
289 Houghton Street
Worcester, MA 01604 US
+1.5087985427
Record created on December 17, 2006
Record last updated on December 17, 2006
Record expires on December 17, 2007
Domain Name Servers:
NS1.FERONTAIRC.COM
NS2.MERBOLOGA.COM
January 7, 2007 at 6:21 pm #721378 Anonymous (Inactive)
The key line in what you just posted is this:
Quote:
Spam webhosting – nasamih.com
Spamhaus has listed the IP as a spam destination. It is not the source of the spam.
Filters in mail programs or on ISPs’ mail servers don’t block destinations – they only block sources.
January 7, 2007 at 6:54 pm #721381 Anonymous (Inactive)
Courtesy of one of my good friends and prominent webmasters… the full list of sites on that IP:
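The pivot the thread performs by hand, linking domains that share a hosting IP or a nameserver and then looking at how tightly their registration dates cluster, as an added Python example; this is not code from the thread or from any poster's tooling. The record values are the ones quoted in the thread (A records, nameservers, creation dates); the two A records the page never gives and the one missing date are left as None, and only the first two ultradns nameservers are listed.

```python
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional, Set, Tuple
Record = Tuple[Optional[str], Set[str], Optional[date]]  # (A record, nameservers, created)
# Constructed record set, not a poster's tooling: the A records, nameservers and
# creation dates are the ones quoted in the thread; values not on the page are None.
RECORDS: Dict[str, Record] = {
    "arengor.com": ("203.87.155.69", {"ns1.aruanresar.com", "ns2.bustersolg.com"}, date(2006, 12, 22)),
    "iklunfes.com": ("203.87.155.69", {"ns1.aruanresar.com", "ns2.bustersolg.com"}, date(2006, 12, 22)),
    "colkinhf.com": ("203.87.155.69", {"ns1.mrachnishko.com", "ns2.dencovinsho.com"}, date(2006, 12, 29)),
    "nasamih.com": ("203.87.155.69", {"ns1.ferontairc.com", "ns2.merbologa.com"}, date(2006, 12, 17)),
    "1stmart.com": (None, {"ns1.1stchoice-un.net", "ns2.1stchoice-un.net"}, date(1999, 2, 28)),
    "sierrastarcasino.com": (None, {"pdns1.ultradns.net", "pdns2.ultradns.net"}, None),
}

def pivot_edges(records: Dict[str, Record]) -> List[Tuple[str, str, str]]:
    """Every pair of domains sharing a hosting IP or a nameserver, with the reason."""
    by_ip, by_ns = defaultdict(set), defaultdict(set)
    for dom, (ip, nss, _) in records.items():
        if ip:
            by_ip[ip].add(dom)
        for ns in nss:
            by_ns[ns.lower()].add(dom)
    edges = []
    for kind, index in (("A", by_ip), ("NS", by_ns)):
        for key, doms in index.items():
            doms = sorted(doms)
            edges += [(a, b, f"{kind}={key}") for i, a in enumerate(doms) for b in doms[i + 1:]]
    return edges

def clusters(records: Dict[str, Record]) -> List[List[str]]:
    """Union-find over the pivot edges: each list is one linked infrastructure group."""
    parent = {d: d for d in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for a, b, _ in pivot_edges(records):
        parent[find(a)] = find(b)
    groups = defaultdict(list)
    for d in records:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())

def created_span_days(records: Dict[str, Record], group: List[str]) -> Optional[int]:
    """Days between the earliest and latest registration in a group (None if undated)."""
    dates = [records[d][2] for d in group if records[d][2]]
    return (max(dates) - min(dates)).days if dates else None
```

With the thread's records, the four spamvertised domains fall into one group registered within a twelve-day window, while 1stmart.com and sierrastarcasino.com stay unlinked.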
January 7, 2007 at 7:11 pm #721383 Anonymous (Inactive)
Getting very close. SORBS implemented a spamtrap as follows:
Netblock: 203.87.155.0/24 (203.87.155.0-203.87.155.255)
Record Created: Sun Dec 24 00:28:08 2006 GMT
Record Updated: Sun Dec 31 18:41:45 2006 GMT
Additional Information: spamvertised gefraing.com. 5M IN A 203.87.155.69
Currently active and flagged to be published in DNS
So it may very well be that this person is getting by the trap by changing their message ID. I really want this person’s name and address, so the authorities can bust their door down.
I ran a check on all domains residing on the server using the Swiss Army knife. I know the answer lies somewhere in the posts already made. Man, is this frustrating!
The domains you listed are all using the Apache Web Server on Red Hat Linux.
greek39
January 7, 2007 at 7:38 pm #721384 Anonymous (Inactive)
Come on spearmaster, bust out! I can’t afford to lose any more hair! We are darn close; I must be sure who I will be going after.
BTW: all running wireless broadband
greek39
January 8, 2007 at 2:18 am #721418 Anonymous (Inactive)
Well frictionNet, I gave it my best shot. The time and resources needed to catch this person would be a lot. But I believe this to be one person who pushes mainly Microgaming products. On the brighter side, we created a good reference thread.
I am truly sorry, but I can’t speculate on things when it comes to pipe screwing. Good luck, and try and get your program to bounce the email.
greek39
January 8, 2007 at 3:30 am #721420 Anonymous (Inactive)
No need for apologies, greek. You’ve clearly put in a lot of time and effort – much of it goes over my head, but it sounds good anyway.