Overview - Innocent Bystander: terrific.com Damaged by Spammers
Analysis of sample spam for the "pharaohmeds.biz" site.
First of the 2004 spam; we can count on more to follow later.
Subject: "Got ` Xan+a+x ` :P:ntermin - V1@Gra ' So|m|a ` Va.l.ium More available. H4Bme8Fv "
Analysis of sample spams for the "Tabfor.biz" Collection of Crap, brought to you by the jerks who are the reason many sites now simply block the entire .biz top-level domain as useless. All of these spamvertized domains are registered to the same old tabfor.biz contact and spamvertize pills and medicine; we hope the FDA and the FTC catch up with them soon.
- spamvertizer = vpachka.biz: "Thats what i heard" (also received as "In your neighborhood")
- spamvertizer = spamsraahnet.biz, Thu, 16 Oct 2003: "Xanax is ready nowO". We don't know that this was tabfor.biz, as the domain was dead by the time we got there, but it looks like his work.
- spamvertizer = hosting4vegas.com & usosdland.biz, Fri, 17 Oct 2003: "Che@ting House Wives: Quality Enjoyment for Days & Nights!..." We find this one VERY interesting, as it is the first time the "tabfor.biz" garbage is associated with a "Cheating House Wives" site, by virtue of having both links in the same spam. We think Eddy screwed up.
- spamvertizer = kkuoher.biz, Sat, 18 Oct 2003: "Xanax now part of the line g89ad23ldlxxf3s6clrf2e3e"
- spamvertizer = osaustech.biz, Sat, 18 Oct 2003: "Valium now in the product line gwdahz2q1aagw29p4"
- spamvertizer = osauser.biz, Sun, 19 Oct 2003: "Overnight the Valium ic7kfz163vcoe1l8zbrx2b"
- spamvertizer = osausist.biz, Sun, 19 Oct 2003: "All Valium 5e9grc2tgk4vg2je"
- spamvertizer = ultraosaus.biz, Sun, 19 Oct 2003: "Xanax in your inbox maj6m21rn6s9m1zsn"
- spamvertizer = extrakurasd.biz, Sun, 19 Oct 2003: "tOtAl XaNAX 3yxkfs3irydy7d"
- spamvertizer = gojhaus.biz, Tue, 21 Oct 2003: "Valium in your inbox kixhch3uk7jhq3"
- spamvertizer = ejdojf.biz, Sat, 25 Oct 2003: "Fwd: ValiumOHV"
- spamvertizer = activeosaus.biz, Sun, 26 Oct 2003: "Xanax is ready to goKKIYYZ"
- spamvertizer = realpouvr.biz, Fri, 31 Oct 2003: "Order some prescription drugs, Zanaflex, zanaflex, viagrast tiwveaunqavldushoqybgjog"
We see from reading NANAE (the news.admin.net-abuse.email newsgroup) that these domains are the work of Eddy Marin. Ones he has recently registered that we haven't seen spams for yet are:
adosaus.biz casinosaustrai.biz casinosaustraia.biz
derosausa.biz dildosaustralia.biz eosaus.biz extraosaus.biz fosaus.biz
gasthofgosausee.biz goosaus.biz gosauschmied.biz gosausee.biz hyperosaus.biz
interosaus.biz iosaus.biz magliosausage.biz malosaustralia.biz mimosausa.biz
myosaus.biz osaus.biz osaus1.biz osausant.biz osausarium.biz
osauscentral.biz osaused.biz osausent.biz osausing.biz osausion.biz
osausland.biz osausnet.biz osauss.biz osausweb.biz overosaus.biz
porcelanosausa.biz preosaus.biz proosaust.biz realosaust.biz
sabatinosausage.biz suposaust.biz symosaust.biz techosaust.biz theosaust.biz
transosaust.biz vamosausa.biz vosaus.biz
Analysis of sample spams from spamvertizers registered to "Frerrics Domains SL" (probably not their real name; I wouldn't put my real name on it, would you?). Typically some flavor of "Online Cheating Wives".
As a result of this web site we are hearing from other domain owners who have also had their domain names forged into spam messages from these people. A partial list of the other spamvertizing domains registered to the Frerrics Domains gang:
easy-loans-now.info fast-loans-now.info freewebtoken.info money-trees.info
refi-today.info save-hundreds.info
In most cases the spamvertizer has registered both a .biz and a .info version of the same domain name.
Analysis of sample spam, spamvertizer = net-click.net.ph (Inovasion / FT International): "I know all that" (also received as "Did you lose my ICQ?" & "Do you remember me ?"). Insurance crap.
Analysis of sample spam, spamvertizer = 1pills4less.biz: "Meet me tomorrow". Make-your-penis-bigger pills, although you'll never be as big a dick as the "Edward Davidson" who is the false name this site is registered to.
A collection of spams from a spamvertizer promising pills that will make your dick bigger. Hosted in Brazil. The spammer has also registered YOURPUBLICDNS.BIZ and runs his own DNS servers, one hosted in Brazil and one with servepath.com in California.
Analysis of sample spam, spamvertizer = stuffedgrapes.net, Tue, 21 Oct 2003: "Why not ask me. tywdip7hxkihk17iio3jgail1m"
Analysis of sample spam, spamvertizer = rizonthebiz.biz, Fri, 24 Oct 2003: "saw ya online tdogrvbtiffwlbgx" (also received as "Why not ask me. mjnibicnvpdebdjkq")
Analysis of sample spam, spamvertizer = downmoon.info, Tue, 11 Nov 2003: "Need some action. ghdeafdpcnxzmdyae", believed to be from the same jerks who brought us rizonthebiz.biz
A domain registrant of RTH, Inc does a lot of spamming to seemingly random addresses (meaning children may easily receive these) pushing free access to pornography. Nothing is free, and we can bet there is at least some spyware or a trojan being installed on the machines of users foolish enough to click the link. Domains registered to them include goldfingerrock.biz, smackonthewall.biz, DNS4PROVIDERS.COM, DNS4PROVIDERS.NET, CONTINENTALHOSTING.COM, INDUSTRIALMEDS.COM, CORPTOPIA.COM, FAKINBACON.COM, & PANAMERICANHOSTING.COM.
- spamvertizer = goldfingerrock.biz, Sat, 25 Oct 2003: "this is what you wanted naibbvcpnslkquhvjxlbqhi"
- spamvertizer = smackonthewall.biz, Sat, 25 Oct 2003: "is this you zzmtxahudeyicddsdtdcolvwmm"
- spamvertizer = rodotee.biz, Sun, 26 Oct 2003: "Get in this way. xvieybdbjnxudtyjfdl"
Here is the spam message, with its links disabled so nobody will
accidentally click and end up in spam hell.
From: Parveen Elledge [parveen.elledge_rt@terrific.com]
Sent: Thursday, October 09, 2003 5:48 PM
To: mavis@canada.com
Subject: Thats what i heard
Wholesale prescription medications at bargain prices
Our doctors will write you a prescription
Get all your prescription meds online
If you don't want to hear from us again please follow the link below
vhafwdbsobdae
jnmnckbwdrdzi scaiuhdiuaniap osdadabencdbmb voldwucgroz kdnzmicithjzhd
bivhoxdledn vyitrycjrqipb
oslvpqvffbbe sqzxlfnkki ldvhdjdanvr uplkbvqtssr avjvabgphjjlbj uowqykbxdvq
rppkrivkto
fskbphdergbofr fahsiadnqpdeib dowpnzbnxcecmc
qffkuhbfuv vdjslgcvxqftf
djlgwcvsda ttspgdazfbnk
dlmxdqdgmy blcecmbgshww yuohhgcgryczzn
sxlocgceniu daropyvbhsydc pucbgscmpk pchhfyjpreaqc slerhqcroohk
dcjjkgbwwpyie ylogcfrcpptxs fsgcrybfvwkgq
Thanks, bye.
Here is another version of the spam message, only the subject is different,
received a couple days later, also with its links disabled so nobody will
accidentally click and end up in spam hell.
From: Jamison R. Karibian [jamison.karibiandx@terrific.com]
Sent: Thursday, October 09, 2003 3:08 AM
To: doubled@iwc.net
Subject: In your neighborhood
Wholesale prescription medications at bargain prices
Our doctors will write you a prescription
Get all your prescription meds online
If you don't want to hear from us again please follow the link below
ugfzrqcmry
bwjdxedxlln fxdrlvdsfpynb wtwharcpfvpbxd kxfcfeboxmpp ikbtxldmbprzb
vkufmplrrjkr ivqogwdvggf
ffishbmfwd fxvrjbbstlbvv pyqwcrcxqmgfbr iogdpubzvcihm bapcudbqvxlkub
olxlthcbxntt znktqpcqwlv
kmfjxsqyrb xohqyrbmyljbx imcvonrgzsqaco
lfjvwfyhrysqrc bawccjcvgstce
lkcdhwjomhwuke rhzslxdogokb
ocyakrnyevwqza nyxdwxboic kxfqctdboiiu
ysbqtdbdbt dampxldeloyvq xhffyzbsrwiyz fesnafdpsoqn hsuwvvmkokzlzf
grxdjkdqludub seifmyrqxrd pbnporhhsvmp
Thanks, bye.
Here is the header from the spam message. Our notes are in square brackets after the lines they refer to. The only thing in this header that the receiving mail server observed for itself is the connecting address 81.203.157.42; the Return-Path, the From and the HELO name are whatever the sending program chose to claim.
Return-Path: <parveen.elledge_rt@terrific.com>
  [forged to appear to come from terrific.com]
Received: (cpmta 14427 invoked from network); 9 Oct 2003 15:47:35 -0700
Received: from 81.203.157.42 (HELO zlp.com)
by smtp.c009.snv.cp.net (209.228.34.142)
with SMTP; 9 Oct 2003 15:47:35 -0700
  [actually from a trojan program installed on an unwitting user's PC at this IP address, one of hundreds of such infected PCs sending a steady stream of spam out]
X-Received: 9 Oct 2003 22:47:35 GMT
Message-ID: <5a3c01c38eb7$2594877e$2f96ff57@lrdnjwc>
From: "Parveen Elledge" <parveen.elledge_rt@terrific.com>
To: mavis@canada.com
Subject: Thats what i heard
Date: Thu, 09 Oct 2003 22:47:35 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_03BD_D13C290E.8843FFAB"
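Pulling the injecting address out of a header like this by hand is error-prone, and that address is the one fact in the header the spammer could not forge. The following is an added example, not code from this page or from terrific.com: it parses the header block above with Python's standard email module, walks the Received chain from newest to oldest, and reports the first hop at which a trusted mail server accepted the message from an outside host, next to the claimed Return-Path, From and HELO. It assumes that the recipient's mail platform is everything under .cp.net (the accepting server above is smtp.c009.snv.cp.net); that suffix is a parameter, not something the page states.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Header block of the first sample spam, transcribed from this page.
# The body is left out; the trailing blank line terminates the headers.
SAMPLE_MESSAGE = """\
Return-Path: <parveen.elledge_rt@terrific.com>
Received: (cpmta 14427 invoked from network); 9 Oct 2003 15:47:35 -0700
Received: from 81.203.157.42 (HELO zlp.com)
  by smtp.c009.snv.cp.net (209.228.34.142)
  with SMTP; 9 Oct 2003 15:47:35 -0700
X-Received: 9 Oct 2003 22:47:35 GMT
Message-ID: <5a3c01c38eb7$2594877e$2f96ff57@lrdnjwc>
From: "Parveen Elledge" <parveen.elledge_rt@terrific.com>
To: mavis@canada.com
Subject: Thats what i heard
Date: Thu, 09 Oct 2003 22:47:35 +0000
MIME-Version: 1.0

"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <claimed host> (<what the MTA logged>) by <mta> (<mta ip>) ...; <date>"
RECEIVED_RE = re.compile(
    r"^from\s+(?P<from>\S+)(?:\s*\((?P<paren>[^)]*)\))?"
    r".*?\bby\s+(?P<by>\S+)(?:\s*\((?P<by_paren>[^)]*)\))?",
    re.IGNORECASE,
)


def parse_received(value):
    """Split one Received: header into its parts.

    Only the 'by' MTA and the address it logged are trustworthy; the 'from'
    host and the HELO name are whatever the connecting client chose to say.
    Returns None for stamps without a from/by pair (local delivery lines).
    """
    flat = " ".join(value.split())  # unfold the header
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    paren = m.group("paren") or ""
    ip = IPV4_RE.search(m.group("from")) or IPV4_RE.search(paren)
    helo = re.search(r"\bHELO\s+(\S+)", paren, re.IGNORECASE)
    by_ip = IPV4_RE.search(m.group("by_paren") or "")
    try:
        when = parsedate_to_datetime(flat.rpartition(";")[2].strip())
    except (TypeError, ValueError):
        when = None
    return {
        "claimed_from": m.group("from").lower(),
        "from_ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "by": m.group("by").lower(),
        "by_ip": by_ip.group(1) if by_ip else None,
        "when": when,
    }


def injecting_hop(raw_message, trusted_suffix):
    """Find where the message entered the trusted infrastructure.

    Each MTA prepends its own Received: line, so reading them top-down goes
    from newest to oldest. The first line written by a trusted MTA (name
    ending in trusted_suffix) about a client that is not trusted is the
    injection point; everything below it can have been forged by the sender.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if (hop and hop["by"].endswith(trusted_suffix)
                and not hop["claimed_from"].endswith(trusted_suffix)):
            return hop
    return None


def envelope_report(raw_message, trusted_suffix):
    """Contrast what the sender claims with what the accepting MTA observed."""
    msg = message_from_string(raw_message)
    hop = injecting_hop(raw_message, trusted_suffix)
    if hop is None:
        raise ValueError("no trusted->untrusted boundary in the Received chain")

    def domain_of(header):
        return parseaddr(msg.get(header, ""))[1].rpartition("@")[2].lower()

    return_path = domain_of("Return-Path")
    helo = (hop["helo"] or "").lower()
    return {
        "origin_ip": hop["from_ip"],           # observed by the MTA: report this one
        "helo": hop["helo"],                   # claimed by the client
        "accepting_mta": hop["by"],
        "accepted_utc": hop["when"].astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "return_path_domain": return_path,    # claimed
        "from_domain": domain_of("From"),      # claimed
        # a genuine terrific.com relay would announce itself as a terrific.com host
        "helo_matches_sender": helo == return_path or helo.endswith("." + return_path),
    }


if __name__ == "__main__":
    for key, val in envelope_report(SAMPLE_MESSAGE, ".cp.net").items():
        print(f"{key:22} {val}")
```

The report names 81.203.157.42 as the address to send the complaint about, and shows the HELO name (zlp.com) matching neither terrific.com nor the accepting server. A chain through several internal relays works the same way as long as trusted_suffix covers all of them: the boundary is the first hop at which a trusted server names an untrusted client. An SPF or DMARC check on terrific.com would today give the receiving server a way to reject this forgery at SMTP time; in October 2003 neither was widely deployed, which is why the forged domain got the bounces and the complaints.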
Here is the whois record for the domain which sponsored the spam (vpachka.biz). It is registered to:
.BIZ Registry WHOIS Data
Domain Name: VPACHKA.BIZ
Domain ID: D5340660-BIZ
Sponsoring Registrar: ENOM, INC.
Domain Status: ok
Registrant ID: 8D270BB815DDFF79
Registrant Name: domain admin
Registrant Organization: Upravlenije imenami Zamoras
Registrant Address1: Ulbrokas 7 k. 1
Registrant Address2: Pasta kaste 233
Registrant City: Riga
Registrant State/Province: Riga
Registrant Postal Code: LV 1021
Registrant Country: Latvia
Registrant Country Code: LV
Registrant Email: admin@tabfor.biz
Administrative Contact ID: 8D270BB815DDFF79
Administrative Contact Name: domain admin
Administrative Contact Organization: Upravlenije imenami Zamoras
Administrative Contact Address1: Ulbrokas 7 k. 1
Administrative Contact Address2: Pasta kaste 233
Administrative Contact City: Riga
Administrative Contact State/Province: Riga
Administrative Contact Postal Code: LV 1021
Administrative Contact Country: Latvia
Administrative Contact Country Code: LV
Administrative Contact Email: admin@tabfor.biz
Billing Contact ID: 8D270BB815DDFF79
Billing Contact Name: domain admin
Billing Contact Organization: Upravlenije imenami Zamoras
Billing Contact Address1: Ulbrokas 7 k. 1
Billing Contact Address2: Pasta kaste 233
Billing Contact City: Riga
Billing Contact State/Province: Riga
Billing Contact Postal Code: LV 1021
Billing Contact Country: Latvia
Billing Contact Country Code: LV
Billing Contact Email: admin@tabfor.biz
Technical Contact ID: 8D270BB815DDFF79
Technical Contact Name: domain admin
Technical Contact Organization: Upravlenije imenami Zamoras
Technical Contact Address1: Ulbrokas 7 k. 1
Technical Contact Address2: Pasta kaste 233
Technical Contact City: Riga
Technical Contact State/Province: Riga
Technical Contact Postal Code: LV 1021
Technical Contact Country: Latvia
Technical Contact Country Code: LV
Technical Contact Email: admin@tabfor.biz
Name Server: NS1.MOSKVA66.BIZ
Name Server: NS2.MOSKVA66.BIZ
Name Server: NS2.MANGO34EF.BIZ
Created by Registrar: ENOM, INC.
Last Updated by Registrar: ENOM, INC.
Domain Registration Date: Fri Sep 19 09:46:38 GMT 2003
Domain Expiration Date: Sat Sep 18 23:59:59 GMT 2004
Domain Last Updated Date: Thu Oct 09 13:02:30 GMT 2003
Curious, we notice that the contacts for the spam-sponsoring domain have their email at tabfor.biz, so we do a whois on tabfor.biz:
Domain Name: TABFOR.BIZ
Domain ID: D5157508-BIZ
Sponsoring Registrar: TUCOWS, INC.
Domain Status: ok
Registrant ID: TUESKWCOD7JRJ8WR
Registrant Name: domain administrator
Registrant Organization: Tehillimzeiger Pushkaya
Registrant Address1: Suite M-242, Christamar 43-B
Registrant Address2: Avda. De las Naciones Unidas
Registrant City: Puerto Banus - Marbella
Registrant State/Province: Malaga
Registrant Postal Code: 29660
Registrant Country: Spain
Registrant Country Code: ES
Registrant Phone Number: +371.9154123
Registrant Email: admin@tabfor.biz
Administrative Contact ID: TUESKWCOD7JRJ8WR
Administrative Contact Name: domain administrator
Administrative Contact Organization: Tehillimzeiger Pushkaya
Administrative Contact Address1: Suite M-242, Christamar 43-B
Administrative Contact Address2: Avda. De las Naciones Unidas
Administrative Contact City: Puerto Banus - Marbella
Administrative Contact State/Province: Malaga
Administrative Contact Postal Code: 29660
Administrative Contact Country: Spain
Administrative Contact Country Code: ES
Administrative Contact Phone Number: +371.9154123
Administrative Contact Email: admin@tabfor.biz
Billing Contact ID: TUESKWCOD7JRJ8WR
Billing Contact Name: domain administrator
Billing Contact Organization: Tehillimzeiger Pushkaya
Billing Contact Address1: Suite M-242, Christamar 43-B
Billing Contact Address2: Avda. De las Naciones Unidas
Billing Contact City: Puerto Banus - Marbella
Billing Contact State/Province: Malaga
Billing Contact Postal Code: 29660
Billing Contact Country: Spain
Billing Contact Country Code: ES
Billing Contact Phone Number: +371.9154123
Billing Contact Email: admin@tabfor.biz
Technical Contact ID: TUESKWCOD7JRJ8WR
Technical Contact Name: domain administrator
Technical Contact Organization: Tehillimzeiger Pushkaya
Technical Contact Address1: Suite M-242, Christamar 43-B
Technical Contact Address2: Avda. De las Naciones Unidas
Technical Contact City: Puerto Banus - Marbella
Technical Contact State/Province: Malaga
Technical Contact Postal Code: 29660
Technical Contact Country: Spain
Technical Contact Country Code: ES
Technical Contact Phone Number: +371.9154123
Technical Contact Email: admin@tabfor.biz
Name Server: NS1.MOSKVA66.BIZ
Name Server: NS2.MOSKVA66.BIZ
Created by Registrar: TUCOWS, INC.
Last Updated by Registrar: TUCOWS, INC.
Domain Registration Date: Wed Aug 13 20:43:23 GMT 2003
Domain Expiration Date: Thu Aug 12 23:59:59 GMT 2004
Domain Last Updated Date: Thu Aug 28 07:51:05 GMT 2003
Oh, look: the same email for the contacts of both vpachka.biz (registered in Latvia) and tabfor.biz (registered in Spain). And both domains use the same name servers at moskva66.biz too.
So now, what about those name servers for both domains? whois moskva66.biz:
Domain Name: MOSKVA66.BIZ
Domain ID: D5147142-BIZ
Sponsoring Registrar: TUCOWS, INC.
Domain Status: ok
Registrant ID: TUOSSBQGOZTZ4QUQ
Registrant Name: Yitzhak Bar Levi Hanon
Registrant Organization: Tehillimzeiger Pushkaya
Registrant Address1: Salnas 5-82
Registrant City: Riga
Registrant Postal Code: LV-1021
Registrant Country: Latvia
Registrant Country Code: LV
Registrant Phone Number: +371.9154123
Registrant Email: admin@tabfor.biz
Administrative Contact ID: TUOSSBQGOZTZ4QUQ
Administrative Contact Name: Yitzhak Bar Levi Hanon
Administrative Contact Organization: Tehillimzeiger Pushkaya
Administrative Contact Address1: Salnas 5-82
Administrative Contact City: Riga
Administrative Contact Postal Code: LV-1021
Administrative Contact Country: Latvia
Administrative Contact Country Code: LV
Administrative Contact Phone Number: +371.9154123
Administrative Contact Email: admin@tabfor.biz
Billing Contact ID: TUOSSBQGOZTZ4QUQ
Billing Contact Name: Yitzhak Bar Levi Hanon
Billing Contact Organization: Tehillimzeiger Pushkaya
Billing Contact Address1: Salnas 5-82
Billing Contact City: Riga
Billing Contact Postal Code: LV-1021
Billing Contact Country: Latvia
Billing Contact Country Code: LV
Billing Contact Phone Number: +371.9154123
Billing Contact Email: admin@tabfor.biz
Technical Contact ID: TUOSSBQGOZTZ4QUQ
Technical Contact Name: Yitzhak Bar Levi Hanon
Technical Contact Organization: Tehillimzeiger Pushkaya
Technical Contact Address1: Salnas 5-82
Technical Contact City: Riga
Technical Contact Postal Code: LV-1021
Technical Contact Country: Latvia
Technical Contact Country Code: LV
Technical Contact Phone Number: +371.9154123
Technical Contact Email: admin@tabfor.biz
Name Server: NS2.MOSKVA66.COM
Name Server: NS1.MOSKVA66.COM
Created by Registrar: TUCOWS, INC.
Last Updated by Registrar: TUCOWS, INC.
Domain Registration Date: Mon Aug 11 20:34:36 GMT 2003
Domain Expiration Date: Tue Aug 10 23:59:59 GMT 2004
Domain Last Updated Date: Wed Aug 20 19:55:24 GMT 2003
The spammer's domain vpachka.biz also listed a third name server, NS2.MANGO34EF.BIZ, so let's whois that too:
Domain Name: MANGO34EF.BIZ
Domain ID: D5150981-BIZ
Sponsoring Registrar: TUCOWS, INC.
Domain Status: ok
Registrant ID: TUESKWCOD7JRJ8WR
Registrant Name: domain administrator
Registrant Organization: Tehillimzeiger Pushkaya
Registrant Address1: Suite M-242, Christamar 43-B
Registrant Address2: Avda. De las Naciones Unidas
Registrant City: Puerto Banus - Marbella
Registrant State/Province: Malaga
Registrant Postal Code: 29660
Registrant Country: Spain
Registrant Country Code: ES
Registrant Phone Number: +371.9154123
Registrant Email: admin@tabfor.biz
Administrative Contact ID: TUESKWCOD7JRJ8WR
Administrative Contact Name: domain administrator
Administrative Contact Organization: Tehillimzeiger Pushkaya
Administrative Contact Address1: Suite M-242, Christamar 43-B
Administrative Contact Address2: Avda. De las Naciones Unidas
Administrative Contact City: Puerto Banus - Marbella
Administrative Contact State/Province: Malaga
Administrative Contact Postal Code: 29660
Administrative Contact Country: Spain
Administrative Contact Country Code: ES
Administrative Contact Phone Number: +371.9154123
Administrative Contact Email: admin@tabfor.biz
Billing Contact ID: TUESKWCOD7JRJ8WR
Billing Contact Name: domain administrator
Billing Contact Organization: Tehillimzeiger Pushkaya
Billing Contact Address1: Suite M-242, Christamar 43-B
Billing Contact Address2: Avda. De las Naciones Unidas
Billing Contact City: Puerto Banus - Marbella
Billing Contact State/Province: Malaga
Billing Contact Postal Code: 29660
Billing Contact Country: Spain
Billing Contact Country Code: ES
Billing Contact Phone Number: +371.9154123
Billing Contact Email: admin@tabfor.biz
Technical Contact ID: TUESKWCOD7JRJ8WR
Technical Contact Name: domain administrator
Technical Contact Organization: Tehillimzeiger Pushkaya
Technical Contact Address1: Suite M-242, Christamar 43-B
Technical Contact Address2: Avda. De las Naciones Unidas
Technical Contact City: Puerto Banus - Marbella
Technical Contact State/Province: Malaga
Technical Contact Postal Code: 29660
Technical Contact Country: Spain
Technical Contact Country Code: ES
Technical Contact Phone Number: +371.9154123
Technical Contact Email: admin@tabfor.biz
Name Server: NS1.MOSKVA66.BIZ
Name Server: NS2.MOSKVA66.BIZ
Created by Registrar: TUCOWS, INC.
Last Updated by Registrar: TUCOWS, INC.
Domain Registration Date: Tue Aug 12 16:10:40 GMT 2003
Domain Expiration Date: Wed Aug 11 23:59:59 GMT 2004
Domain Last Updated Date: Thu Aug 28 07:51:47 GMT 2003
Let's recap a minute. We have four domains, all with the same contact email of admin@tabfor.biz for the registrant, administrative, billing and technical contacts, and all four registered within five weeks of each other (August 11, 12 and 13 and September 19, 2003). We have two different organization names and three different postal addresses (two in Riga, Latvia and one in Marbella, Spain), but all apparently registered to the same contact person. Interesting to note that the phone number +371.9154123 for the contact person is the same on three out of the four domains, too, and +371 is Latvia's country code even on the two records that give a Spanish address. For the fourth domain, the one that is sponsoring the spam, no phone is listed. Maybe they don't want any calls. One of the domains lists an actual person's name for the contact, "Yitzhak Bar Levi Hanon". Wonder if this is a real name? Note also that moskva66.biz, which provides DNS for the other three domains, is itself served by NS1 and NS2.MOSKVA66.COM, a .com domain we have not looked up.
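The pivoting above (same contact email, same phone number, same name servers) is what links four domains that carry two organization names and three postal addresses. The following is an added example, not code from this page: it does the same linking over the four records as transcribed from the whois output above, using an inverted index over the operator-identifying fields and union-find to cluster the domains, plus the nameserver-to-parent-domain edge (a domain served by ns1.moskva66.biz is linked to moskva66.biz). It also flags the Latvian +371 calling code on the records that give a Spanish address; the two-entry calling-code table is an assumption sized for these four records.

```python
from collections import defaultdict

# Registration data for the four domains, transcribed from the whois
# records above. Only the fields used for pivoting are kept.
WHOIS = {
    "vpachka.biz": dict(registrar="ENOM, INC.", org="Upravlenije imenami Zamoras",
                        email="admin@tabfor.biz", phone=None, country="LV",
                        ns=["ns1.moskva66.biz", "ns2.moskva66.biz", "ns2.mango34ef.biz"]),
    "tabfor.biz": dict(registrar="TUCOWS, INC.", org="Tehillimzeiger Pushkaya",
                       email="admin@tabfor.biz", phone="+371.9154123", country="ES",
                       ns=["ns1.moskva66.biz", "ns2.moskva66.biz"]),
    "moskva66.biz": dict(registrar="TUCOWS, INC.", org="Tehillimzeiger Pushkaya",
                         email="admin@tabfor.biz", phone="+371.9154123", country="LV",
                         ns=["ns1.moskva66.com", "ns2.moskva66.com"]),
    "mango34ef.biz": dict(registrar="TUCOWS, INC.", org="Tehillimzeiger Pushkaya",
                          email="admin@tabfor.biz", phone="+371.9154123", country="ES",
                          ns=["ns1.moskva66.biz", "ns2.moskva66.biz"]),
}

# Fields that identify an operator. Registrar and country are shared by
# millions of unrelated domains and would link everything to everything.
PIVOT_FIELDS = ("email", "phone", "org", "ns")

# ITU calling codes for the two countries that appear in the records (assumption:
# sized for this page; a real tool would carry the full table).
CALLING_CODE = {"371": "LV", "34": "ES"}


def build_index(records):
    """Map each (field, value) pair to the set of domains carrying it."""
    index = defaultdict(set)
    for domain, rec in records.items():
        for field in PIVOT_FIELDS:
            values = rec[field] if isinstance(rec[field], list) else [rec[field]]
            for value in values:
                if value:
                    index[(field, value.lower())].add(domain)
    return index


def ns_parent(ns_host):
    """'ns1.moskva66.biz' -> 'moskva66.biz'; good enough for single-label TLDs."""
    return ".".join(ns_host.split(".")[-2:])


def cluster(records):
    """Group domains that share any pivot value, or that use a name server
    under another domain in the set (union-find over those edges)."""
    parent = {d: d for d in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    def union(a, b):
        parent[find(a)] = find(b)

    for (field, value), domains in build_index(records).items():
        anchor = next(iter(domains))
        for d in domains:
            union(anchor, d)
            if field == "ns" and ns_parent(value) in records:
                union(d, ns_parent(value))
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted(sorted(g) for g in groups.values())


def strongest_links(records):
    """Pivot values shared by more than one domain, most widely shared first."""
    links = [(sorted(doms), field, value)
             for (field, value), doms in build_index(records).items() if len(doms) > 1]
    return sorted(links, key=lambda t: (-len(t[0]), t[1], t[2]))


def phone_country_mismatch(records):
    """Domains whose contact phone carries a different country's calling code
    than the postal address claims (here: a Latvian number on a Spanish address)."""
    hits = []
    for domain, rec in sorted(records.items()):
        if not rec["phone"]:
            continue
        code = rec["phone"].lstrip("+").split(".")[0]
        if CALLING_CODE.get(code) not in (None, rec["country"]):
            hits.append(domain)
    return hits


if __name__ == "__main__":
    print("clusters:", cluster(WHOIS))
    for domains, field, value in strongest_links(WHOIS):
        print(f"{field:6} {value:28} links {len(domains)}: {', '.join(domains)}")
    print("phone/address mismatch:", phone_country_mismatch(WHOIS))
```

The email address alone links all four domains; the phone, the organization name and the two moskva66.biz name servers each link three. Scaled up, the same index is what turns one spam into a list of every domain an operator has registered with the same throwaway contact details, which is how the longer lists of "recently registered" domains earlier on this page are assembled.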
Now let's go find the IP addresses for all these servers.
Here we find the IP address for the web site sponsoring the spam:
10/10/03 00:47:40 dns http://www.vpachka.biz
Mail for www.vpachka.biz is handled by www.vpachka.biz
Canonical name: vpachka.biz
Aliases:
www.vpachka.biz
Addresses:
203.197.204.81
10/09/03 18:23:35 dns http://www.vpachka.biz
Mail for www.vpachka.biz is handled by www.vpachka.biz
Canonical name: vpachka.biz
Aliases:
www.vpachka.biz
Addresses:
218.66.17.135
Well, look at this! Two lookups, done about six hours apart, and the site moved in between! Coincidence? Or do they overstay their welcome that quickly? Remember, these folks are using their own name servers, so they can easily stay on the move if they wish to. We went back and looked again at about 10/10/03 07:30 and found they were back at the original address (218.66.17.135).
Now we look to see who owns the two different IP address blocks. First, where the spam-sponsoring site was last night, 218.66.17.135:
inetnum: 218.66.0.0 - 218.67.127.255
netname: CHINANET-FJ
descr: CHINANET Fujian province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CA67-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-FJ
changed: hostmaster@ns.chinanet.cn.net 20010820
status: ALLOCATED NON-PORTABLE
source: APNIC
role: CHINANETFJ IP ADMIN
address: 7,East Street,Fuzhou,Fujian,PRC
country: CN
phone: +86-591-3333169-293
fax-no: +86-591-3371954
e-mail: fjnic@fjdcb.fz.fj.cn
trouble: send spam reports and abuse reports
trouble: to abuse@fjdcb.fz.fj.cn
trouble: Please include detailed information and
trouble: times in UTC
admin-c: FH71-AP
tech-c: FH71-AP
nic-hdl: CA67-AP
mnt-by: MAINT-CHINANET-FJ
changed: fjnic@fjdcb.fz.fj.cn 20020719
source: APNIC
person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-66027334
e-mail: hostmaster@ns.chinanet.cn.net
e-mail: anti-spam@ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster@ns.chinanet.cn.net 20021016
source: APNIC
Now where the spam-sponsoring site was six hours later, 203.197.204.81:
inetnum: 203.197.0.0 - 203.197.255.255
netname: VSNL-IN
descr: Videsh Sanchar Nigam Ltd - India.
descr: Videsh Sanchar Bhawan, M.G. Road
descr: Fort, Bombay 400001
country: IN
admin-c: IA15-AP
tech-c: VT43-AP
remarks: Internet Service Provider
mnt-by: APNIC-HM
mnt-lower: MAINT-VSNL-AP
changed: hostmaster@apnic.net 19980915
changed: hostmaster@apnic.net 20010608
status: ALLOCATED PORTABLE
source: APNIC
person: IP Administrator
address: 10th Floor, 2 MG Road
address: Fort Mumbai - 400001
address: India
country: IN
phone: +91-22-2623620
fax-no: +91-22-2653887
e-mail: ip-admin@giasbm01.vsnl.net.in
nic-hdl: IA15-AP
mnt-by: MAINT-VSNL-AP
changed: gpsingh@giasbm01.vsnl.net.in 20010605
source: APNIC
person: VSNL Tech
address: 10th Floor, 2 MG Road
address: Fort Mumbai - 400001
address: India
country: IN
phone: +91-22-2623620
fax-no: +91-22-2653887
e-mail: ip-tech@giasbm01.vsnl.net.in
nic-hdl: VT43-AP
mnt-by: MAINT-VSNL-AP
changed: gpsingh@giasbm01.vsnl.net.in 20010605
source: APNIC
Here we find the IP address for the domain contact's email server:
10/10/03 00:42:02 dns http://tabfor.biz
Mail for tabfor.biz is handled by www.tabfor.biz
Canonical name: tabfor.biz
Addresses:
64.106.182.80
And who owns the IP address block where the contact for all these domains hosts his mail server?
10/10/03 01:02:44 IP block 64.106.182.80
Trying 64.106.182.80 at ARIN
Trying 64.106.182 at ARIN
OrgName: DataPipe
OrgID: DATAPI-2
Address: 80 River Street, 5th Floor
City: Hoboken
StateProv: NJ
PostalCode: 07030
Country: US
NetRange: 64.106.128.0 - 64.106.255.255
CIDR: 64.106.128.0/17
NetName: DATAPIPE-BLK4
NetHandle: NET-64-106-128-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.DATAPIPE.NET
NameServer: NS2.DATAPIPE.NET
NameServer: NS3.DATAPIPE.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-04-02
Updated: 2003-04-16
OrgTechHandle: DH1029-ARIN
OrgTechName: DataPipe Hostmaster
OrgTechPhone: +1-201-792-1918
OrgTechEmail: hostmaster@datapipe.com
# ARIN WHOIS database, last updated 2003-10-09 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
Wow, now who would have thunk that! After finding things in Latvia, Spain, China and India, suddenly we come to an IP address that is allocated to a company in good old New Jersey!
Now we find the IP addresses for the three name servers that our spam-sponsoring domain's contact manages:
10/10/03 01:13:11 dns NS1.MOSKVA66.BIZ
Canonical name: NS1.MOSKVA66.biz
Addresses:
218.66.101.152
10/10/03 01:13:45 dns NS2.MOSKVA66.BIZ
Canonical name: NS2.MOSKVA66.biz
Addresses:
218.66.17.135
10/10/03 01:14:53 dns NS2.MANGO34EF.BIZ
Canonical name: NS2.MANGO34EF.biz
Addresses:
203.197.204.84
Tedious work, eh? Not as tedious as getting thousands of complaints a day about spam terrific.com never sent, and having to write hundreds of requests a day to ISPs so that hijacked users' machines on the internet can be blocked from spewing more of it!
Now we look to see who owns these IP address blocks. The first two, 218.66.101.152 and 218.66.17.135, are in the CHINANET-FJ allocation (218.66.0.0 - 218.67.127.255, China Telecom, Fujian province) whose whois record is shown above. In fact NS2.MOSKVA66.BIZ at 218.66.17.135 is not merely in the same block as the spam-sponsoring site was last night; it is the very same address. The web site and one of its own name servers were on one machine.
The last of the name servers, 203.197.204.84, is also in a familiar block: the VSNL-IN allocation (203.197.0.0 - 203.197.255.255, Videsh Sanchar Nigam Ltd, India) shown above, three addresses away from where the spam-sponsoring site had moved to this morning (203.197.204.81).
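The resolution timeline and the matching of addresses to RIR blocks above are tedious by hand and easy to get wrong, and the most telling finding (the web site and one of its name servers sharing an address) is easy to miss in a pile of lookup output. The following is an added example, not from the page: it re-does that part of the work over the lookups transcribed from the page. It attributes each observed address to one of the three RIR blocks quoted above, lists each move of www.vpachka.biz with the hours between moves, reports addresses seen under more than one name, and turns an inetnum range into the CIDR prefixes a blocklist would need. The times are the local times as logged by the author's lookup tool; the 07:30 entry stands for the "about 07:30" re-check in the text and is approximate.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Address ranges from the RIR records quoted on this page (inetnum / NetRange).
NETBLOCKS = [
    ("218.66.0.0", "218.67.127.255", "CHINANET-FJ"),
    ("203.197.0.0", "203.197.255.255", "VSNL-IN"),
    ("64.106.128.0", "64.106.255.255", "DATAPIPE-BLK4"),
]

# Lookups transcribed from the page: (local time as logged, name, address).
# The 07:30 entry is the "about 07:30" re-check described in the text.
OBSERVATIONS = [
    ("2003-10-09 18:23:35", "www.vpachka.biz", "218.66.17.135"),
    ("2003-10-10 00:47:40", "www.vpachka.biz", "203.197.204.81"),
    ("2003-10-10 07:30:00", "www.vpachka.biz", "218.66.17.135"),
    ("2003-10-10 00:42:02", "tabfor.biz", "64.106.182.80"),
    ("2003-10-10 01:13:11", "ns1.moskva66.biz", "218.66.101.152"),
    ("2003-10-10 01:13:45", "ns2.moskva66.biz", "218.66.17.135"),
    ("2003-10-10 01:14:53", "ns2.mango34ef.biz", "203.197.204.84"),
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def netblock_for(ip):
    """Name of the quoted RIR block containing ip, or None if not on the page."""
    addr = ipaddress.ip_address(ip)
    for first, last, name in NETBLOCKS:
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return name
    return None


def block_cidrs(first, last):
    """The CIDR prefixes covering an inetnum range, e.g. for a firewall or MTA blocklist."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def address_history(observations, name):
    """Chronological (time, ip) entries for name with repeats collapsed,
    so every entry after the first is a move."""
    history = []
    for when, host, ip in sorted(observations):
        if host == name and (not history or history[-1][1] != ip):
            history.append((when, ip))
    return history


def hours_between_moves(observations, name):
    """Hours elapsed between consecutive observed moves of name, to one decimal."""
    hist = address_history(observations, name)
    gaps = []
    for (t_from, _), (t_to, _) in zip(hist, hist[1:]):
        delta = datetime.strptime(t_to, TIME_FMT) - datetime.strptime(t_from, TIME_FMT)
        gaps.append(round(delta.total_seconds() / 3600, 1))
    return gaps


def shared_addresses(observations):
    """Addresses seen under more than one name. A web site and one of its
    name servers on the same box is a strong sign one operator runs both."""
    names_by_ip = defaultdict(set)
    for _, name, ip in observations:
        names_by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in names_by_ip.items() if len(names) > 1}


def attribution(observations):
    """Name -> sorted list of the netblocks it has been observed in."""
    blocks = defaultdict(set)
    for _, name, ip in observations:
        blocks[name].add(netblock_for(ip))
    return {name: sorted(b) for name, b in blocks.items()}


if __name__ == "__main__":
    print("moves:", address_history(OBSERVATIONS, "www.vpachka.biz"))
    print("hours between moves:", hours_between_moves(OBSERVATIONS, "www.vpachka.biz"))
    print("shared:", shared_addresses(OBSERVATIONS))
    for name, blocks in attribution(OBSERVATIONS).items():
        print(f"{name:20} {', '.join(blocks)}")
    print("CHINANET-FJ as CIDR:", block_cidrs("218.66.0.0", "218.67.127.255"))
```

With only three observations the "moves every six hours" reading rests on two gaps, so the history should be fed from a periodic resolver log before anyone calls it fast-flux; the functions are written to take any number of observations for that reason. The 81.203.157.42 that injected the spam into cp.net falls in none of the three quoted blocks, which is the expected result for a hijacked home PC: its network has nothing to do with the spammer's hosting, and the complaint about it goes to a different abuse desk.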