How to remove many spammer sites at once
MarkGiles
Posted on: Friday, September 1st, 2006, 11:35pm
Posts: 363
Next time you get a spam, and you have a few minutes to spare, you might like to take a new approach to stopping the spammers.
Sure you can report it to Spamcop, or Knujon, and leave it at that. But you can do a whole lot better. You can use one spam to shut down between 5 and a hundred sites or more. Let's work through an example of a spam I got today.
SPAMVERTIZED WEB SITE
http://hinrost.net (see also http://hinrost.info)
US DRUGS illegal web site (currently running on a hacked machine at IP address 59.120.127.152; images on Yahoo: http://stubsite.info/usd/images/logo.gif)

LOCATE THE NAME SERVERS (addresses are compromised machines)
http://www.dnsstuff.com/tools/traversal.ch?domain=hinrost.net&type=A
(substitute your spam site for hinrost.net)
ns1.urisrets.info [72.164.246.232]
ns1.preort.info [72.164.246.232]
ns2.westwelec.info [212.52.166.78]
ns2.tacttal.info [212.52.166.78]
(truncate the ns1. or ns2. from the domain names, leaving just urisrets.info etc.)

FIRST NAME SERVER (ENOM)
http://www.dnsstuff.com/tools/whois.ch?ip=urisrets.info
Domain Name:URISRETS.INFO
Created On:10-Apr-2006 18:13:05 UTC
Last Updated On:31-Aug-2006 10:14:51 UTC
Expiration Date:10-Apr-2007 18:13:05 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK

SECOND NAME SERVER (ENOM)
http://www.dnsstuff.com/tools/whois.ch?ip=westwelec.info
Domain Name:WESTWELEC.INFO
Created On:16-May-2006 14:50:04 UTC
Last Updated On:31-Aug-2006 10:15:06 UTC
Expiration Date:16-May-2007 14:50:04 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK

THIRD NAME SERVER (TUCOWS)
http://www.dnsstuff.com/tools/whois.ch?ip=tacttal.info
Domain Name:TACTTAL.INFO
Created On:15-Apr-2006 15:00:12 UTC
Last Updated On:31-Aug-2006 10:15:25 UTC
Expiration Date:15-Apr-2007 15:00:12 UTC
Sponsoring Registrar:Tucows Inc. (R139-LRMS)
Status:OK

FOURTH NAME SERVER (TUCOWS / CSL GMBH)
http://www.dnsstuff.com/tools/whois.ch?ip=preort.info
Domain Name: PREORT.INFO
Created On:20-Aug-2006 16:48:21 UTC
Last Updated On:31-Aug-2006 23:09:05 UTC
Expiration Date:20-Aug-2007 16:48:21 UTC
Sponsoring Registrar:CSL Computer Service Langenbach GmbH (R161-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED

COMPLAINTS TO
TUCOWS = compliance at opensrs.org
ENOM = legal at enom.com
You can find these addresses at http://www.icann.org/registrars/accreditation-qualified-list.html

REQUEST TO THE REGISTRAR
=================================
The name servers listed below are used to provide access to the illegal US DRUGS websites run by the criminal Yambo Financials gang, listed in Spamhaus.
Please lock out customer access to these domains and set all Address records to 0.0.0.0
Lockout should include these options:
CLIENT DELETE PROHIBITED
CLIENT RENEW PROHIBITED
CLIENT TRANSFER PROHIBITED
CLIENT UPDATE PROHIBITED
TRANSFER PROHIBITED
You can ensure the lockout is successful by using this link: http://www.dnsstuff.com/tools/traversal.ch?domain=hinrost.net&type=A
================================
If the registrars check out the link, and see the illegal sites are using name servers registered through them, they will remove that name server. There may be a few sites resolved by the name servers you have removed. There may be over a hundred. Either way, you have removed many sites that the spammers can no longer spamvertize.
If you act on fresh spam, you can really annoy them by having their sites removed before they have completed a spamming run.
It makes a refreshing change when it is the spammer who is annoyed, doesn't it?
HS
Posted on: Saturday, September 2nd, 2006, 1:32pm
Guest User
It's a Great Idea!
But for the non-net pro, it's difficult to follow.
If there were just a button and wow!
Spam. Dead In The Water!
MarkGiles
Posted on: Thursday, September 7th, 2006, 5:02pm
Posts: 363
I tried to automate it, but it was a bit too hard.
You just start with the spamvertized site, and pay it a visit using just the web site part of the link, e.g. http://g1a2r3b4a5g6.spammed.com/?junk=34725 becomes simply spammed.com
That's to find out what kind of site it is. Then you need to find out the name servers used to get to it. So you take the site name spammed.com and put it into this link: http://www.dnsstuff.com/tools/traversal.ch?domain=spammed.com&type=A The result tells you the 2 or 4 name servers.
(You can go to http://www.dnsstuff.com and key it into the top right box for DNS Lookup. On the output, click on "Click here" to get what they call the "transversal" that shows all the name servers at the bottom of the next output screen.)
For each name server, you want to complain to the registrar, so you do a look-up to find them, e.g. for a name server like ns1.preort.info you strip it down to just preort.info and put it into this link: http://www.dnsstuff.com/tools/whois.ch?ip=preort.info
(Or you can go to http://www.dnsstuff.com and key the domain name preort.info into the third box down, left column, called "Whois info".)
That is where you can discover who the registrar company is.
But then, how do you know where to send the complaint? All registrars accredited by ICANN (the governing organization) have their contact details listed here: http://www.icann.org/registrars/accreditation-qualified-list.html
You go there and do a find (Ctrl-F or Edit / Find) to locate the registrar. Once you've done that a few times, and you know the registrar contact from a previous complaint, you don't need that last step.
Then you email them a complaint. You can copy the links used above to document why they are responsible for the name server that supports the spamvertized site. If the site itself is illegal, be sure to point that out.
It isn't really rocket science. Anyone can do it, and the payoff in spammer frustration makes the effort well worthwhile. Registrars do not like to be seen to be acting on the side of the Internet crime syndicates. It doesn't do anything positive for their business reputation, and scares off shareholders.
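The manual steps in the first post and in this reply (reduce the spamvertized link to its site name, strip ns1./ns2. from each name server, find the registrar, write one request per registrar) can be scripted. The following is an added example, not the poster's tooling: it assumes the "last two labels" rule for the domain to whois (real tooling would use the Public Suffix List so that names like example.co.uk are handled), and the registrar table is constructed from the whois results quoted in the first post rather than fetched live.

```python
"""Added example (not from the thread): turn a spamvertised URL and the
nameserver list from a DNS traversal into a per-registrar complaint list.

Assumption: the registrable domain is taken as the last two labels of the
hostname (simple heuristic, no Public Suffix List). The registrar mapping is
constructed from the whois results quoted in the first post.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: registrar per nameserver domain, as the first post's
# whois lookups for hinrost.net reported them.
NAMESERVER_REGISTRARS = {
    "urisrets.info": "eNom, Inc.",
    "westwelec.info": "eNom, Inc.",
    "tacttal.info": "Tucows Inc.",
    "preort.info": "CSL Computer Service Langenbach GmbH",
}

# Lock statuses the first post's template asks the registrar to apply.
LOCK_STATUSES = [
    "CLIENT DELETE PROHIBITED",
    "CLIENT RENEW PROHIBITED",
    "CLIENT TRANSFER PROHIBITED",
    "CLIENT UPDATE PROHIBITED",
    "TRANSFER PROHIBITED",
]


def registrable_domain(target):
    """Reduce a URL or bare hostname to the domain you would whois.

    'http://g1a2r3b4a5g6.spammed.com/?junk=34725' -> 'spammed.com'
    'ns1.preort.info'                             -> 'preort.info'
    An IP literal is returned unchanged, since there is no domain to look up.
    """
    if "://" not in target:
        target = "http://" + target          # let urlsplit see a netloc
    host = urlsplit(target).hostname          # lower-cased, port/userinfo removed
    if not host:
        raise ValueError("no hostname in %r" % target)
    host = host.rstrip(".")                   # drop a trailing root dot
    try:
        ipaddress.ip_address(host)
        return host                           # IP literal: nothing to strip
    except ValueError:
        pass
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        raise ValueError("not a registrable domain: %r" % host)
    return ".".join(labels[-2:])              # heuristic, see module docstring


def group_by_registrar(nameservers, registrars=NAMESERVER_REGISTRARS):
    """Map each nameserver host to its domain and bucket the domains by registrar.

    ns1 and ns2 of the same domain collapse to one entry. Domains with no
    known registrar land under 'UNKNOWN' rather than being dropped silently.
    """
    groups = {}
    for ns in nameservers:
        domain = registrable_domain(ns)
        bucket = groups.setdefault(registrars.get(domain, "UNKNOWN"), [])
        if domain not in bucket:
            bucket.append(domain)
    for bucket in groups.values():
        bucket.sort()
    return groups


def complaint_text(registrar, domains, spamvertised):
    """Render a request in the shape of the first post's template."""
    lines = [
        "REQUEST TO THE REGISTRAR (%s)" % registrar,
        "=" * 33,
        "The name servers listed below are used to provide access to the",
        "spamvertised site %s." % spamvertised,
        "",
    ]
    lines += ["  " + d for d in domains]
    lines += [
        "",
        "Please lock out customer access to these domains and set all",
        "address records to 0.0.0.0. Lockout should include:",
    ]
    lines += ["  " + s for s in LOCK_STATUSES]
    lines.append("=" * 33)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: the traversal result quoted in the first post.
    spam_url = "http://hinrost.net/"
    traversal = ["ns1.urisrets.info", "ns1.preort.info",
                 "ns2.westwelec.info", "ns2.tacttal.info"]
    for registrar, domains in group_by_registrar(traversal).items():
        print(complaint_text(registrar, domains, registrable_domain(spam_url)))
        print()
```

Run as a script it prints one request per registrar (three here, since two of the four name servers sit under eNom); the `UNKNOWN` bucket is where you still have to do the ICANN list lookup by hand.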
MarkGiles
Posted on: Saturday, September 23rd, 2006, 7:38pm
Posts: 363
I get hundreds of spams for pharmacy sites. The subject is always of the form PHAxyzRMA where xyz varies. When I look up the name servers, there are only six.
ns0.avuihdesunhawio.com sponsored by DNS.COM.CN
ns0.sadewunmkedefuna.com sponsored by DNS.COM.CN
ns0.hadesunjadukinma.com sponsored by XIN Net
ns0.hadegandestui.com sponsored by DNS.COM.CN
ns2.yadesaxinmer.com sponsored by XIN Net
ns3.ovdesaxinme.com sponsored by DNS.COM.CN
You can email requests to remove these nameservers to the official registrar contacts at:
"Li Wei" <liwei@dns.com.cn>, litao@dns.com.cn, abuse@anti-spam.cn
"Zhao Le" <registrar@xinnet.com>, abuse@anti-spam.cn
China's anti-spam team will also take an interest. They take pride in the reduction of spam in China.
In your complaint, refer to the known criminal Leo Kuvayev. He is listed at Chinese sites:
http://www.anti-spam.cn/ShowArticle.php?id=3169
http://www.chinaemail.com.cn/laji/flzblack/200607/6134.html
You are entitled to send a request with the spam attached for each such spam that you receive. If everyone did that, the message that we will not tolerate registrars who sponsor criminals will be heard loud and clear.
Join the campaign.
randyt67
Posted on: Saturday, September 23rd, 2006, 8:38pm
Posts: 10
ns0.hadesunjadukinma.com sponsored by XIN Net and ns0.hadegandestui.com sponsored by DNS.COM.CN are down, by the way. If these could be shut down it would be nice: ns2.briggsadnstratton.com, ns1.briggsadnstratton.com (email 'NOC at NRW.NET').
Anyway, the reason I'm here: I received many spams for http://www.priuproadl.info Pharma Shop today.
I sent a complaint to dnsprofessioanals1k@yahoo.com (yes, I figured it was fake at the beginning) for TLDS INC. It bounced, of course. The nameservers are ns2.goalz.biz and ns1.goalz.biz. I guess I'm outta luck here, huh?
|
| MarkGiles |
| Posted on: Sunday, September 24th, 2006, 8:25pm |
 |
|
Posts: 363
|
Quoted Text: ns0.hadesunjadukinma.com sponsored by XIN Net ns0.hadegandestui.com sponsored by DNS.COM.CN are down by the way
Not quite yet: http://www.dnsstuff.com/tools/traversal.ch?domain=badewinkdasatun.com&type=A
Quoted Text: If these could be shut down it would be nice. ns2.briggsadnstratton.com ns1.briggsadnstratton.com email 'NOC at NRW.NET'
You need to do some more homework. An obvious approach is to notify joker.com of the infringement of the Briggs and Stratton trademark. Fire a copy off to B&S, too. They would love to tackle that one.
Quoted Text: Anyway, the reason I'm here. I received many spams for http://www.priuproadl.info Pharma Shop today. I sent a complaint to dnsprofessioanals1k@yahoo.com (yes, I figured it was fake at the beginning) for TLDS INC. It bounced of course. The nameservers are ns2.goalz.biz ns1.goalz.biz I guess I'm outta luck here, huh?
No, you are on the right path. Let's do a whois on goalz.biz:
http://www.dnsstuff.com/tools/whois.ch?ip=goalz.biz&email=on
Sponsoring Registrar: TLDS INC.
Ask ICANN where to send a compliance request: http://www.icann.org/registrars/accreditation-qualified-list.html
TLDS L.L.C. d/b/a SRSPlus (United States) http://www.srsplus.com ... SRSplus is a business unit and a wholly owned subsidiary of Network Solutions, LLC, an industry leader in Web identity services.
Tel: (570) 708-8787 Email: partnersupport@srsplus.com
Phone or email them. If you have problems, go to Network Solutions, the parent company, at Tel: 703.668.4600 Email: customerservice@networksolutions.com
(Better still, you should cc them on any email anyway, so that the parent can see what the subsidiary is doing to protect the company image.)
randyt67
Posted on: Monday, September 25th, 2006, 8:35pm
Posts: 10
Thanks, Mark. I fired off those emails.
I guess those weird hxxxx nameservers came back because I checked as I typed that mail. DNSSTUFF had a timeout for those when I was about to send off another complaint. I assumed incorrectly they were down I guess.
MarkGiles
Posted on: Thursday, September 28th, 2006, 9:22pm
Posts: 363
Yup. If you get a timeout on doing a traversal, like Leo Kuvayev's servers at http://www.dnsstuff.com/tools/traversal.ch?domain=miteryanfades.com&type=A
you need to do a second attempt before you know it is really timing out. One of them is permanently timing out, the other only occasionally.
And even then, it may be transitory. The "pipe" to the site can sometimes be pretty sluggish.
spamjammer
Posted on: Saturday, September 30th, 2006, 8:17pm
Posts: 1
Mark;
Just wondering; how do you deal with K's redirects embedded in the URL extensions?
Rapatska (his favorite programmer) often has decoy sites that respond to TL domain query chains; but substituting random strings (or risking being identified by using the real article) takes you to the payload site. These are almost always on completely different servers on different Net Blocks.
I haven't been much pestered by the Yambo Group on bogus financial or Rx Spam; but the above used to apply to K's Porn Spam spew before he sold most of it off last winter.
BTW: I haven't had any success using proxies to probe K's/Barnu Rapatska's sites, of course; they get 'sniffed-out' and redirected PDQ.
sj
MarkGiles
Posted on: Sunday, October 1st, 2006, 8:54pm
Posts: 363
Quoted Text: how do you deal with K's redirects embedded in the URL extensions?
K? Is that Kuvayev? I thought Rapatska was either Panov or his partner in crime. Please elaborate. Now to your question.
I am not sure why you are asking. But I am guessing at 2 reasons:
1. Concern at being tracked if you click on a URL that has embedded detection of the email addressee. Answer: I go to the site of the de-obfuscated URL's domain name. If that fails, I go to the full URL. The reason for going to the spamvertized site is to find out what it is. If I am going to complain about it, I need to know whether it is a legitimate site, a tasteless site, or an outright illegal site. I can word the complaint accordingly.
2. Concern that an automated tool will not get to the right place. I want to get to the redirected site. Some operations spam a hundred sites that all redirect to the central one. The hope is that SpamCop will focus on the front ends, and leave the home site unscathed. Pharma Shop is an example.
Quoted Text: Rapatska (his favorite programmer) often has decoy sites that respond to TL domain query chains; but, substituting random strings (or risking being identified by using the real article) take you to the payload site. These are almost always on completely different servers on different Net Blocks.
The redirected site is where I want to be.
Quoted Text: I haven't been much pestered by the Yambo Group on bogus financial or Rx Spam; but the above used to apply to K's Porn Spam spew before he sold most of it off last winter.
OK
Quoted Text: BTW: I haven't had any success using proxies to probe K's/Barnu Rapatska's sites of course; they get 'sniffed-out' and redirected PDQ.
Any more specifics, or do you want to keep it out of public display?
MarkGiles
Posted on: Monday, October 2nd, 2006, 7:40pm
Posts: 363
Here is a case in point. I will leave out all the URLs and keep it short. You get a spam advertising watches123.net. You do the address traversal and find the nameservers. They are ns1.dnsdomainok.com and ns2.dnsdomainok.com.
Now you do the Whois lookup on dnsdomainok.com. The registrar is eNom Inc. The name of the registrant is "Paul Gregoire", so you do a Google search on him. It turns out to be a frequently used alias for Alex Polyakov, according to Spamhaus. The given contact address is fake, too.
So you send your evidence off to eNom, requesting removal of dnsdomainok.com, and wait for developments.
MarkGiles
Posted on: Thursday, October 5th, 2006, 6:06pm
Posts: 363
It is 3 days since that last posting. After a follow-up message, the registrar removed the name server, and its backup name server as requested. Now it just so happens that the name servers removed also provided access to web sites for Hoodia Life and HGH Life besides Exquisite Watches. If you looked up the address of the site, you would find that in fact there were 1,980 web server domain names running there, all accessed through the same name servers.
The bottom line is that today, 1,980 web sites were no longer responding. They were all running 3 days ago, but the complaints (in total 3 emails) have knocked them all out.
He should not have sent me that spam for 123watches.net.
MarkGiles
Posted on: Saturday, October 7th, 2006, 6:34pm
Posts: 363
Alex Polyakov and his gang have been busy rebuilding his lost infrastructure. He lost over 2,000 fake watches, HGH Life and Hoodia Life sites when the registrar removed the nameserver that they were all defined under.
Now he has to take time off from spamming to create new ones, and to transfer some of his favorite old ones to new nameservers. We can see how busy he has been.
Removed Site . . . . . . . New nameservers
100watches.net . . . . . . ns1.ucraineanu.com ns2.ucraineanu.com
abcofhghtwo.com . . . . . ns3.dnsdomainplus.com ns4.dnsdomainplus.com
all-the-watches.net . . . ns1.ucraineanu.com ns2.ucraineanu.com
All of his work will be to no avail when the registrars remove the new nameserver domains.
Let's see . . http://www.dnsstuff.com/tools/whois.ch?ip=ucraineanu.com
Registered by "Paul Gregoire" alias Alex Polyakov. And this domain is in turn resolved by these domain servers in listed order: ns1.dnsgoldone.com ns2.dnsgoldone.com
Let's see . . http://www.dnsstuff.com/tools/whois.ch?ip=dnsgoldone.com
Registered by Paul Gregoire / Alex Polyakov. Can we do it again? Domain servers in listed order: NS1.DNSWHOISGOOD.COM 222.180.219.173 NS2.DNSWHOISGOOD.COM 222.180.219.173
Let's see . . http://www.dnsstuff.com/tools/whois.ch?ip=DNSWHOISGOOD.COM
Once again, registered by Paul Gregoire / Alex Polyakov. Domain servers in listed order: NS5.DNSQWICK.COM 221.194.68.63 NS6.DNSQWICK.COM 221.194.68.63
How long can this go on? dnsqwick.com is also registered by the same fake registrant. Illegal domains to remove:
Registrar: eNom Inc . . . dnsdomainplus.com, dnsqwick.com, dnswhoisgood.com, dnsgoldone.com
Registrar: ABR Products DBA = MISK.COM . . . ucraineanu.com
Registrars do not have any time for known Internet criminals. And Alex's record, and his use of the Paul Gregoire alias, are well documented at Spamhaus in the ROKSO Top 10: http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK6934
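The "Let's see . ." chain in this post (site -> its nameserver domain -> that domain's nameserver domain, and so on until the chain folds back on itself) is a graph walk, and it is worth writing down because it is the step where a manual lookup is most likely to stop one hop early. The following is an added example, not the poster's own tool: the delegation and registrar tables are constructed from the dnsstuff results quoted above rather than queried live, and dnsqwick.com is assumed to be served by its own nameservers (the post does not say), which is what ends the walk here.

```python
"""Added example (not from the thread): walk the chain of nameserver domains
behind a spamvertised site until it loops, then bucket the domains found by
registrar for complaints.

Assumptions: delegation and registrar data are constructed from the lookups
quoted in the post (a live tool would query DNS and whois); dnsqwick.com is
assumed self-hosted, which the post does not state. The nameserver domain is
taken as the last two labels of the host (no Public Suffix List handling).
"""

# Constructed from the post: domain -> nameservers as dnsstuff reported them.
DELEGATIONS = {
    "100watches.net": ["ns1.ucraineanu.com", "ns2.ucraineanu.com"],
    "all-the-watches.net": ["ns1.ucraineanu.com", "ns2.ucraineanu.com"],
    "abcofhghtwo.com": ["ns3.dnsdomainplus.com", "ns4.dnsdomainplus.com"],
    "ucraineanu.com": ["ns1.dnsgoldone.com", "ns2.dnsgoldone.com"],
    "dnsgoldone.com": ["ns1.dnswhoisgood.com", "ns2.dnswhoisgood.com"],
    "dnswhoisgood.com": ["ns5.dnsqwick.com", "ns6.dnsqwick.com"],
    "dnsqwick.com": ["ns5.dnsqwick.com", "ns6.dnsqwick.com"],  # assumed self-hosted
}

# Constructed from the post's "Illegal domains to remove" list.
REGISTRARS = {
    "dnsdomainplus.com": "eNom Inc",
    "dnsqwick.com": "eNom Inc",
    "dnswhoisgood.com": "eNom Inc",
    "dnsgoldone.com": "eNom Inc",
    "ucraineanu.com": "ABR Products DBA MISK.COM",
}


def nameserver_domain(host):
    """'ns5.dnsqwick.com' -> 'dnsqwick.com' (last two labels, case-folded)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def nameserver_chain(start, delegations=DELEGATIONS, max_hops=20):
    """Breadth-first walk: start -> its NS domains -> their NS domains -> ...

    Returns the nameserver domains in discovery order, excluding the start
    domain itself. The visited set ends the walk when a domain is served by
    its own nameservers or when two domains point at each other; max_hops
    bounds it in case the data is larger than expected. A domain with no
    delegation data ends its branch quietly (look it up by hand).
    """
    visited = {start}
    chain = []
    frontier = [start]
    hops = 0
    while frontier and hops < max_hops:
        hops += 1
        next_frontier = []
        for domain in frontier:
            for host in delegations.get(domain, []):
                ns_domain = nameserver_domain(host)
                if ns_domain in visited:
                    continue                  # loop or self-hosting: stop here
                visited.add(ns_domain)
                chain.append(ns_domain)
                next_frontier.append(ns_domain)
        frontier = next_frontier
    return chain


def complaints_by_registrar(sites, delegations=DELEGATIONS, registrars=REGISTRARS):
    """Collect every nameserver domain behind the given sites, keyed by registrar.

    Domains with no known registrar go under 'UNKNOWN' so nothing is dropped.
    """
    groups = {}
    for site in sites:
        for domain in nameserver_chain(site, delegations):
            bucket = groups.setdefault(registrars.get(domain, "UNKNOWN"), [])
            if domain not in bucket:
                bucket.append(domain)
    return {registrar: sorted(domains) for registrar, domains in groups.items()}


if __name__ == "__main__":
    # Constructed input: two of the rebuilt sites named in the post.
    report = complaints_by_registrar(["100watches.net", "abcofhghtwo.com"])
    for registrar, domains in report.items():
        print(registrar + ": " + ", ".join(domains))
```

Starting from 100watches.net the walk finds ucraineanu.com, dnsgoldone.com, dnswhoisgood.com and dnsqwick.com in that order and then stops, which reproduces the post's two-registrar removal list once abcofhghtwo.com (under dnsdomainplus.com) is added; the same function handles the two-domains-pointing-at-each-other case that a hand lookup would circle through forever.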
Quake14
Posted on: Thursday, October 19th, 2006, 11:57am
Posts: 4
This is a great technique I will be looking in to.
Instead of reporting on all of the kited domains and zombified cable modem users, go for the source. Knock out their infrastructure.
That is among the most satisfying antispam stories I have ever read.
dj
Posted on: Thursday, October 26th, 2006, 4:53am
Super Spam Fighter
Posts: 108
I have been trying this on some of the more persistent spams I get, with varying success. Beijing Innovative (ha!) in particular seem oblivious to mails.
I have had a lot of mails recently promoting pbouvet.com, maxxtests.com, cationyamer.com and lettersmate.com. Tracing these all gives the same result, four name servers:
ns1.fantastish.info.
ns1.trashbream.com.
ns2.concessiondog.info.
ns2.fastundslow.com.
When I do the DNS lookup for pbouvet.com, maxxtests.com, cationyamer.com and lettersmate.com, they all give the name servers followed by timeout. I can still get at all the sites though.
Not sure what this means?
Also a lot of them don't give a straight URL but instead have something like "outbind://102-00000000ACC7D6789F91BB498C2D2B88E630F37DC4B02900/". What are these?
I'm sure there is someone out there that can answer these.
Dave
"Now it's personal" "Don't get mad, get even!"