How to remove many spammer sites at once (currently 2,635 views)
Author: MarkGiles
Posted on: Tuesday, December 5th, 2006, 5:11am
Posts: 363

Reply: 30 - 80

MarkGiles
Posted on: Monday, December 11th, 2006, 1:42pm
Posts: 363

Crossposted from another forum, for Gandi's action -
I just attempted to figure out why a pharma shop website was suddenly running more javascript than usual. I got some interesting evidence which I am passing along here, as well as to my usual law enforcement outlets.
DO NOT visit any of these sites, especially if you run any flavor of IE.
Domain which was spammed:
Code: http://writersboll.info/
Which in turn redirects you to:
Code: http://postaltag.info/?ec1e98dfdd5778S408059d8S9e62acb8
That site uses obfuscated javascript in the footer of the page in an attempt to load iframe content from:
Code: http://mynetwork.hk/404.php
That page contains 100% pathetically obfuscated javascript code which in turn attempts to load yet another iframe from:
Code: http://mynetwork.hk/external.php
THAT page: contains XMLHTTP download and installation of the following items:
* New registry setting: clsid D96C556-65A3-11D0-983A-00C04FC29E36 (That's a Remote Data Service object, allowing the execution of code from a remote source.)
* hxxp : / / mynetwork.hk/win32_update.exe (my Symantec instantly disabled this. It's called the "Bloodhound Exploit") [ http://www.symantec.com/security_response/writeup.jsp?docid=2006-041114-2838-99 ]
* Attempts to run via shell the abovementioned exe file.
From the Symantec site:
Quote: Bloodhound.Exploit.64 is a heuristic detection for the Vulnerability in MDAC Function Could Allow Code Execution issue.
An attacker who exploits this vulnerability could execute arbitrary code with the privileges of the logged-on user. The attack has to be launched by visiting a website that hosts the malicious code. The exploit requires no user interaction to trigger.
So Pharma Shop, as a spam operation, is now directly associated with the following activities:
- 419 scamming via alleged Russian wife / date scams
- 419 scamming via alleged dead dictator emails
- Lottery scam emails
- (Obviously) illegal pharmaceutical sales (if indeed they do sell anything.)
- Credit card fraud
And now:
- Malicious virus install and execution.
I want to kill these bastards. I mean that. I want to get to the bottom of who's allowing these domains to exist.
Original site's DNS is via globedns.biz, located in Russia. All contact info is (of course) fake. mynetwork.hk's dns is via: NS1.BABIESAREINN.NET, a gandi sarl authorized domain.
Code:
Server Name: NS1.BABIESAREINN.NET
IP Address: 69.154.76.126
Registrar: GANDI
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
This is outrageous behavior.
SiL

Reply: 31 - 80

Ryan
Posted on: Monday, December 11th, 2006, 3:27pm
Spam Fighter
Posts: 76

Hi Mark,
BABIESAREINN.NET is already suspended...
NS1.BABIESAREINN.NET - as are the other 5 - are (as they say in France), "Hors Service" 
On a separate topic, how do you identify an Alex P scheme? Are there special clues that can be spotted? What do you go by?
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips

Reply: 32 - 80

MarkGiles
Posted on: Monday, December 11th, 2006, 6:21pm
Posts: 363

sportystuuff.com
50.0% of queries will end in failure at 60.200.246.242 (ns1.sportystuuff.com) - query timed out
50.0% of queries will end in failure at 221.4.243.136 (ns2.sportystuuff.com) - query timed out
technollogyhere.com
100.0% of queries will end in failure at 221.194.111.55 (ns1.technollogyhere.com) - query timed out
That's 1,950 sites no longer accessible today. Alex takes a palpable hit.

Reply: 33 - 80

MarkGiles
Posted on: Monday, December 11th, 2006, 7:36pm
Posts: 363

Quoted Text Hi Mark,
Sorry to beat you to it (maybe not, lol!), but...
BABIESAREINN.NET is already suspended...
Gandi has gone from snail to lightning !!
Quoted Text NS1.BABIESAREINN.NET - as are the other 5 - are (as they say in France), "Hors Service"
Hors de combat and hors d'oeuvres
Quoted Text On a separate topic, how do you identify an Alex P scheme? Are there special clues that can be spotted? What do you go by?
Some ideas:
1. Naming convention of 2-4 English words joined, and more recently one or two extra characters thrown in. Samples:
stormegkdboxes.com
quitkherfunnyyes.com
deskhrtkrouble.com
watchskesforumom.com
Not conclusive, just a sign.
2. Name of registrant - often totally fictitious, but sometimes easily identified as a known alias, listed in Spamhaus in his ROKSO records.
3. Once his sites are identified, then he is identifiable by the site itself. Known examples are:
My Canadian Pharmacy
International Legal RX
US Drugs / American Pharmacy
Canadian Health&Care
Exquisite Replicas
HGH Life
Hoodia Life
Note: Sites that are not his, but attributable to ROKSO #2 Leo Kuvayev, are:
Toronto Pharmacy
Pharmacy Express
Health Suite
Health Nation
ED Choice
Finest RX
Special RX
Software Downloads
Conclusion: These are just some of the techniques used. Spamhaus and good old Google always help add weight to the evidence.
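The "joined English words with a few extra characters thrown in" naming pattern from point 1 above can be checked mechanically. The script below is an added example written for this thread, not code from any poster: it segments the first label of a domain into dictionary words with a small dynamic programme that leaves as few characters uncovered as possible, then reports how many filler characters remain. The word list is a constructed mini-dictionary chosen so the sample domains from the post can be segmented; for real use swap in a full word list such as /usr/share/dict/words. The coverage threshold (60%) and the two-word minimum are assumptions, not values from the post, and as the post says the result is a sign, not proof.

```python
# Added example: scoring a domain label for the "joined English words plus
# filler characters" naming pattern. The dictionary below is a constructed
# sample, not a real word list; the thresholds are assumptions.

# Constructed mini-dictionary: just enough vocabulary to cover the samples.
WORDS = {
    "storm", "boxes", "quit", "her", "funny", "yes", "desk", "trouble", "rouble",
    "watch", "forum", "stack", "over", "flow", "example", "mail",
}


def segment_label(label, words=WORDS):
    """Split a hostname label into dictionary words, leaving the fewest
    characters uncovered. Returns (words_in_order, uncovered_count).

    Dynamic programme: best[i] is the minimum number of uncovered characters
    in label[:i]; each position either stays uncovered (filler) or ends a word.
    """
    n = len(label)
    longest = max((len(w) for w in words), default=0)
    best = [n + 1] * (n + 1)
    back = [None] * (n + 1)          # back[i] = (previous index, word or None)
    best[0] = 0
    for i in range(1, n + 1):
        best[i] = best[i - 1] + 1    # option 1: treat label[i-1] as filler
        back[i] = (i - 1, None)
        for j in range(max(0, i - longest), i):
            w = label[j:i]           # option 2: label[j:i] is a dictionary word
            if w in words and best[j] <= best[i]:
                best[i] = best[j]
                back[i] = (j, w)
    found = []
    i = n
    while i > 0:                     # walk the back-pointers to recover the words
        j, w = back[i]
        if w is not None:
            found.append(w)
        i = j
    found.reverse()
    return found, best[n]


def score_domain(domain, words=WORDS, min_words=2, min_coverage=0.6):
    """Apply the heuristic to the label before the first dot of a domain name."""
    label = domain.lower().split(".")[0]
    found, uncovered = segment_label(label, words)
    coverage = (len(label) - uncovered) / len(label) if label else 0.0
    joined = len(found) >= min_words and coverage >= min_coverage
    return {
        "label": label,
        "words": found,
        "uncovered": uncovered,
        "coverage": round(coverage, 3),
        # two or more words run together: the weak sign
        "joined_words": joined,
        # joined words plus extra characters: the stronger sign from the post
        "joined_with_filler": joined and uncovered > 0,
    }


if __name__ == "__main__":
    # The first four are the samples quoted in the post; the last two are
    # constructed controls that are joined words without any filler.
    samples = ["stormegkdboxes.com", "quitkherfunnyyes.com", "deskhrtkrouble.com",
               "watchskesforumom.com", "stackoverflow.com", "example.com"]
    for d in samples:
        r = score_domain(d)
        print(f"{d:24} words={'+'.join(r['words']) or '-':22} filler={r['uncovered']}  "
              f"joined={r['joined_words']}  filler_sign={r['joined_with_filler']}")
```

Note that a legitimate joined-word name (the constructed stackoverflow.com control) is also reported as joined words; only the filler count separates it from the samples, which is why the post calls the naming convention a sign rather than a conclusion.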

Reply: 34 - 80

MarkGiles
Posted on: Tuesday, December 12th, 2006, 1:59pm
Posts: 363

Quoted Text Hi Mark, Sorry to beat you to it (maybe not, lol!), but... BABIESAREINN.NET is already suspended... NS1.BABIESAREINN.NET - as are the other 5 - are (as they say in France), "Hors Service"
Please review the nameserver resolution provided at http://www.dnsstuff.com/tools/traversal.ch?domain=mynetwork.hk&type=A
Gandi needs to lock out the domain from update / delete / transfer and set address records for ns1 to something unworkable as was done for ns2 - ns5
ns1.samooosa.info [75.18.211.177] 213.190.217.23 213.22.136.210 213.22.65.212 85.242.206.204 87.72.80.150
ns2.samooosa.info [217.70.185.0] Timeout
ns3.samooosa.info [217.70.185.0] Timeout
ns4.samooosa.info [217.70.185.0] Timeout
ns5.samooosa.info [217.70.185.0] Timeout
--- One horse is still in service

Reply: 35 - 80

MarkGiles
Posted on: Tuesday, December 12th, 2006, 2:36pm
Posts: 363

Reply: 36 - 80

MarkGiles
Posted on: Wednesday, December 13th, 2006, 1:12am
Posts: 363

He seems to be wrestling them back. How well are they locked out by Gandi? Who is the mole?
ns1.babiesareinn.net [69.208.153.223] 202.144.125.229 217.132.148.210 59.93.73.240 68.252.96.1 69.208.153.223
ns2.babiesareinn.net [202.144.125.229] 202.144.125.229 217.132.148.210 59.93.73.240 68.252.96.1 69.208.153.223
ns3.babiesareinn.net [217.70.185.0] Timeout
ns4.babiesareinn.net [217.70.185.0] Timeout
ns5.babiesareinn.net [217.70.185.0] Timeout
Domain Name: BABIESAREINN.NET
Registrar: GANDI
Whois Server: whois.gandi.net
Referral URL: http://www.gandi.net
Name Server: NS3.BABIESAREINN.NET
Name Server: NS4.BABIESAREINN.NET
Name Server: NS1.BABIESAREINN.NET
Name Server: NS2.BABIESAREINN.NET
Name Server: NS5.BABIESAREINN.NET
Status: REGISTRAR-LOCK
EPP Status: clientDeleteProhibited
EPP Status: clientTransferProhibited
Updated Date: 12-Dec-2006
ClientUpdate not prohibited? How about Registrar Hold?

Reply: 37 - 80

Ryan
Posted on: Wednesday, December 13th, 2006, 2:05pm
Spam Fighter
Posts: 76

Hi all,
For all who are interested, if one does not see a ClientUpdate Prohibited on a Gandi-registered domain, that does not mean that the client can a priori update the information. In certain cases, back office operations have the same effect by restricting user rights on the web interface (ex. ability to change IP addresses, etc...).
So, for those who care:
ns1.babiesareinn.net [217.70.185.0] Timeout
ns2.babiesareinn.net [217.70.185.0] Timeout
ns3.babiesareinn.net [217.70.185.0] Timeout
ns4.babiesareinn.net [217.70.185.0] Timeout
ns5.babiesareinn.net [217.70.185.0] Timeout
and
ns1.samooosa.info [217.70.185.0]
and
many others...
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips

Reply: 38 - 80

MarkGiles
Posted on: Wednesday, December 13th, 2006, 3:25pm
Posts: 363

Pretty soon, Gandi will be blacklisted by the whole spammer community. Congratulations. 
--- I love the smell of 217.70.185.0 in the morning

Reply: 39 - 80

Ryan
Posted on: Wednesday, December 13th, 2006, 3:33pm
Spam Fighter
Posts: 76

That would (will) be a great day indeed.... 
A computer once beat me at chess, but it was no match for me at kick boxing. -- Emo Philips

Reply: 40 - 80

tracker
Posted on: Wednesday, December 13th, 2006, 4:47pm
Posts: 41

Here are a couple notes back from registrars:
Hello,
The problem that you have brought to our notice relates to how the below mentioned domain names are involved in SPAM abuse:
domain name: TRQ2ME.COM
We are extremely strict and proactive with regards to our terms of usage. Pursuant to our terms of service we have already Suspended this domain name.
For reporting any Abuse from a domain name registered with Registrar Directi.com, please send an e-mail to abuse@publicdomainregistry.com. Moreover, you may report Spam for domain names either Registered through Registrar DIRECT INFORMATION PVT LTD D/B/A PUBLICDOMAINREGISTRY.COM or Hosted on our Servers from our website at http://www.publicdomainregistry.com/contactus/report-spam/ and Whois Inaccuracy of domain names Registered through us at http://www.publicdomainregistry.com/contactus/report-false-whois/.
Regards,
Karna Kumar Jain
PublicDomainRegistry Abuse Desk
PublicDomainRegistry Spam Reporting Tool - http://www.publicdomainregistry.com/contactus/report-spam/
PublicDomainRegistry False Whois Reporting Tool - http://www.publicdomainregistry.com/contactus/report-false-whois/
And from Netfirms:
Hello,
Thank-you for your e-mail enquiry. Please be advised that we have disabled this site. Netfirms provides legitimate web hosting services and has a ZERO tolerance policy towards these violations.
Regards,
Todd
Netfirms Inc.
http://www.netfirms.com
Unfortunately, nothing can be done about the Chinese registered nameservers.

Reply: 41 - 80

tracker
Posted on: Wednesday, December 13th, 2006, 4:58pm
Posts: 41

Reply: 42 - 80

spamislame
Posted on: Wednesday, December 13th, 2006, 10:44pm
Posts: 66

Quoted Text Some bad news is that I'm trying to figure out why Tucows is rejecting my domain/dns abuse reports.
"<banterwebhelp1@tucows.com>: host emd2-imta.prosp.tucows.com[64.97.156.1] said: 550 Requested action not taken: excessive spam content (in reply to end of DATA command)"
Does that indicate that I've been reporting too much Polykov spam??? What good does it do to report this stuff if your emails don't make it through?
What I usually do in that case is send a more generic email, quoting nothing, which outlines that you wish to bring to their attention one or more domains which are abusing their terms of service. Zip up a file containing the spam messages and post them to your file host of choice (you may notice I stick with mytempdir.com). Include the link to that file in your email and ensure that you tell them it is virus free and contains data that has not made it through their email server's spam filters.
It blows my mind when spam / abuse email addresses reject the very messages we're supposed to report to them. I understand they must be bombarded day in and day out by idiot spammers but come on.
Anyway I hope that helps.
SiL

Reply: 43 - 80

tracker
Posted on: Thursday, December 14th, 2006, 10:26am
Posts: 41

SiL, I understand you fully. At first I was quoting and inserting "evidence" within my emails, since some Registrars can't do anything without it. However, the rejected email to Tucows was simply the following:
The following domain registered by TUCOWS INC. is engaged in email spam, phishing, and fraud abuse:
http://samonrize.com/
These domains are using nameservers:
ns1.anatomyabstract.com.ns-not-in-service.org [0.0.0.0]
ns1.poertodas.com [83.143.12.252] Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
ns2.grettnos.com [63.223.11.14] Registrar: XIN NET TECHNOLOGY CORPORATION
ns2.seveopd.com [63.223.11.14] Registrar: XIN NET TECHNOLOGY CORPORATION
Please lock out customer access to these domains and set all address records to 0.0.0
Do not support Internet fraud abuse
Unfortunately, BEIJING INNOVATIVE LINKAGE TECHNOLOGY and XIN NET TECHNOLOGY CORPORATION do not respond to abuse reports, but you can make a small difference. Thank you.

Reply: 44 - 80