| Overview - Innocent Bystander
terrific.com Damaged by Spammers |
| Analysis of sample spam for the
"pharaohmeds.biz" site.
First of the 2004 spam, we can count on more to follow later.
"Got ` Xan+a+x ` :P:ntermin - V1@Gra '
So|m|a ` Va.l.ium More available. H4Bme8Fv " |
Analysis of sample spams for the
"Tabfor.biz" Collection of Crap -
brought to you from the jerks that have many sites now just blocking the
entire set of .biz domains as useless. All these spamvertizers are
registered to the same old tabfor.biz
and spamvertize pills and medicine - we hope the FDA and the FTC catch up
with them soon.
- spamvertizer = vpachka.biz
"Thats what i heard" (also received as "In your neighborhood")
- spamvertizer = spamsraahnet.biz Thur, 16 Oct 2003
"Xanax is ready nowO"
We don't know this was tabfor.biz as the domain was dead by the time we
got there, but it looks like his work.
- spamvertizer = hosting4vegas.com & usosdland.biz Fri, 17 Oct 2003
"Che@ting House Wives: Quality Enjoyment for Days & Nights!..."
We find this one VERY interesting as it associates the "tabfor.biz"
garbage for the first time with a "Cheating House Wives" site, by virtue
of having both links in the same spam. We think Eddy screwed up.
- spamvertizer = kkuoher.biz Sat, 18 Oct 2003
"Xanax now part of the line g89ad23ldlxxf3s6clrf2e3e"
- spamvertizer = osaustech.biz Sat, 18 Oct 2003
"Valium now in the product line gwdahz2q1aagw29p4"
- spamvertizer = osauser.biz Sun, 19 Oct 2003
"Overnight the Valium ic7kfz163vcoe1l8zbrx2b"
- spamvertizer = osausist.biz Sun, 19 Oct 2003
"All Valium 5e9grc2tgk4vg2je"
- spamvertizer = ultraosaus.biz Sun, 19 Oct 2003
"Xanax in your inbox maj6m21rn6s9m1zsn"
- spamvertizer = extrakurasd.biz Sun, 19 Oct 2003
"tOtAl XaNAX 3yxkfs3irydy7d"
- spamvertizer = gojhaus.biz Tuesday, October 21, 2003
"Valium in your inbox kixhch3uk7jhq3"
- spamvertizer = ejdojf.biz Sat, 25 Oct 2003
"Fwd: ValiumOHV"
- spamvertizer = activeosaus.biz Sun, 26 Oct 2003
"Xanax is ready to goKKIYYZ"
- spamvertizer = realpouvr.biz Fri, 31 Oct 2003
"Order some prescription drugs, Zanaflex, zanaflex, viagrast tiwveaunqavldushoqybgjog"
We see from reading NANAE that these domains are the work of
Eddy Marin. Ones he recently registered
that we haven't seen the spams for yet are:
|
| Analysis of sample spams from spamvertizers
registered to "Frerrics Domains SL"
(probably not their real name, I wouldn't put my real name on it,
would you?). Typically some flavor of "Online Cheating Wives".
As a result of this web site we are hearing from other domain owners who
have also been subjected to having their domain names forged into spam
messages from these people. A partial list of some of the other
spamvertizing domains registered to the Frerrics Domains gang includes:
easy-loans-now.info fast-loans-now.info freewebtoken.info money-trees.info
refi-today.info save-hundreds.info
In most cases, the spamvertizer has registered both a .biz and a .info
version of the same domain name. |
| Analysis of sample spam spamvertizer =
net-click.net.ph ( Inovasion / FT International
) "I know
all that"
(also received as "Did you lose my ICQ?" &
"Do you remember me ?")
Insurance Crap |
| Analysis of sample spam spamvertizer =
1pills4less.biz
"Meet me
tomorrow" Make your penis bigger pills, although you'll never
be as big a dick as the "Edward Davidson" who is the false name this site is
registered to. |
| A collection of spams from a spamvertizer promising pills
that will make your dick bigger. Hosted in Brazil.
The spammer has also registered YOURPUBLICDNS.BIZ
and runs their own DNS servers, one hosted in Brazil and one with
servepath.com in California. |
| Analysis of sample spam spamvertizer =
stuffedgrapes.net Tue, 21 Oct 2003
"Why not ask me. tywdip7hxkihk17iio3jgail1m" |
Analysis of sample spam spamvertizer =
rizonthebiz.biz
Fri, 24 Oct 2003 "saw ya online tdogrvbtiffwlbgx"
(also received as "Why not ask me. mjnibicnvpdebdjkq")
Analysis of sample spam spamvertizer =
downmoon.info
Tue, 11 Nov 2003 "Need
some action. ghdeafdpcnxzmdyae" believed to be from the
same jerks who brought us rizonthebiz.biz |
| A domain registrant of RTH, Inc
does a lot of spamming to seemingly random addresses (meaning children may
easily receive these) pushing free access to pornography. Nothing is
free, and we can bet there is at least some spyware or trojans being
installed on the machines of users foolish enough to click the link.
Domains registered to them include
goldfingerrock.biz, smackonthewall.biz, DNS4PROVIDERS.COM,
DNS4PROVIDERS.NET, CONTINENTALHOSTING.COM, INDUSTRIALMEDS.COM, CORPTOPIA.COM, FAKINBACON.COM,
& PANAMERICANHOSTING.COM spamvertizer =
goldfingerrock.biz
Sat, 25 Oct 2003 "this
is what you wanted naibbvcpnslkquhvjxlbqhi"
spamvertizer =
smackonthewall.biz
Sat, 25 Oct 2003 "is
this you zzmtxahudeyicddsdtdcolvwmm"
spamvertizer = rodotee.biz
Sun, 26 Oct 2003 "Get
in this way. xvieybdbjnxudtyjfdl" |
|
Here is the spam message, with its links disabled so nobody will
accidentally click and end up in spam hell.
From: Jackelyn Wilhelmson [jwilhelmson_jz@terrific.com]
Sent: Saturday, October 25, 2003 7:30 PM
To: slates_crazed@yahoo.com
Subject: Get in this way. xvieybdbjnxudtyjfdl
Ok, this is how to get into all adlt sites at no cost to ya.
no cost access to adlt.
This is it.
It is here now
(links to
spamhttp://www.rodotee.biz/napofprn/
-Ed.)
beaepnpynqeccsdttynbhappizyshhqcknsqwvrcjhdkazfbyhyyphbxmniffdygjcclgfhgu
oavxxzdbmvkbmddavqplympnkxzibsohuslxgjdrskgwmbbeqscmcpxuzkmlciosdmppd
wdxmiqdoytlnqrhuavictmzceuvzpzamwiyvugsdfkagrdiggqivbmppcchsfkdfxltlntcholflad
snkvkodbaypttlggibtuvhiqphpsdcptwtlxspngjbymtlpljexmdxwenbrfzqchfehxgr
Here is the header from the spam message
Received: from simferop.com ([64.230.77.9]) by tomts5-srv.bellnexxia.net
(InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP
id <20031026002958.NBHT21460.tomts5-srv.bellnexxia.net@simferop.com>
for <slates_crazed@yahoo.com>; Sat, 25 Oct 2003 20:29:58 -0400
Message-ID: <60ca01c39b58$c011e4db$de8d6941@ujlfaod>
From: "Jackelyn Wilhelmson" <jwilhelmson_jz@terrific.com>
To: slates_crazed@yahoo.com
Subject: Get in this way. xvieybdbjnxudtyjfdl
Date: Sun, 26 Oct 2003 00:30:02 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_086A_1849FC3A.2A63208C"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
really from 64.230.77.9 (HSE-Ottawa-ppp237448.sympatico.ca)
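The reading of the header done by eye above, as an added example (not part of the original page): it separates what the receiving server recorded from what the sender merely claimed. Python; the function name `analyse_headers` is an assumption, and the continuation lines of the Received header are re-indented so a parser can unfold them.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines copied from the spam sample on this page.
RAW_HEADERS = """\
Received: from simferop.com ([64.230.77.9]) by tomts5-srv.bellnexxia.net
 (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP
 id <20031026002958.NBHT21460.tomts5-srv.bellnexxia.net@simferop.com>
 for <slates_crazed@yahoo.com>; Sat, 25 Oct 2003 20:29:58 -0400
Message-ID: <60ca01c39b58$c011e4db$de8d6941@ujlfaod>
From: "Jackelyn Wilhelmson" <jwilhelmson_jz@terrific.com>
To: slates_crazed@yahoo.com
Subject: Get in this way. xvieybdbjnxudtyjfdl
Date: Sun, 26 Oct 2003 00:30:02 +0000
"""

# "from <name given in HELO> ([<peer address>]) by <receiving host>"
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[([0-9.]+)\]\)\s+by\s+(\S+)", re.I)


def analyse_headers(raw):
    """Split a header block into recorded facts and sender-supplied claims."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])

    hops = []
    for value in received:
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({
                "helo": m.group(1).lower(),   # claimed by the connecting host
                "peer_ip": m.group(2),        # taken from the TCP connection
                "by": m.group(3).lower(),     # server that wrote this line
            })

    # From: and Message-ID are written by the sender and prove nothing.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    msgid_host = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()

    # Does the domain in From: show up anywhere in the delivery path?
    path_text = " ".join(received).lower()
    return {
        "hops": hops,
        "from_domain": from_domain,
        "message_id_host": msgid_host,
        "from_domain_in_path": bool(from_domain) and from_domain in path_text,
    }


if __name__ == "__main__":
    result = analyse_headers(RAW_HEADERS)
    for hop in result["hops"]:
        print("peer %(peer_ip)s said HELO %(helo)s to %(by)s" % hop)
    print("From domain:", result["from_domain"],
          "| seen in path:", result["from_domain_in_path"])
```

Only the peer address in a Received line written by a server you trust is evidence; here it is the line added by tomts5-srv.bellnexxia.net.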
Here is the "whois" record showing who the domain which sponsored the spam
(smackonthewall.biz) is registered to
| .BIZ Registry WHOIS Data |
| Domain Name | RODOTEE.BIZ |
| Domain ID | D5513980-BIZ |
| Sponsoring Registrar | CSL COMPUTER SERVICE (D.B.A. JOKER.COM) |
| Domain Status | ok |
| Registrant ID | CNEU-89920 |
| Registrant Name | Domain Manager |
| Registrant Address1 | 1717 Nocta way |
| Registrant City | Marate |
| Registrant Postal Code | 33063 |
| Registrant Country | United States |
| Registrant Country Code | US |
| Registrant Phone Number | +999.9999999 |
| Registrant Email | datapoint5@ureach.com |
| Administrative Contact ID | CNEU-89860 |
| Administrative Contact Name | Domain Manager |
| Administrative Contact Address1 | 1717 Nocta way |
| Administrative Contact City | Marate |
| Administrative Contact Postal Code | 33063 |
| Administrative Contact Country | United States |
| Administrative Contact Country Code | US |
| Administrative Contact Phone Number | +999.9999999 |
| Administrative Contact Email | datapoint5@ureach.com |
| Billing Contact ID | CNEU-89860 |
| Billing Contact Name | Domain Manager |
| Billing Contact Address1 | 1717 Nocta way |
| Billing Contact City | Marate |
| Billing Contact Postal Code | 33063 |
| Billing Contact Country | United States |
| Billing Contact Country Code | US |
| Billing Contact Phone Number | +999.9999999 |
| Billing Contact Email | datapoint5@ureach.com |
| Technical Contact ID | CNEU-89860 |
| Technical Contact Name | Domain Manager |
| Technical Contact Address1 | 1717 Nocta way |
| Technical Contact City | Marate |
| Technical Contact Postal Code | 33063 |
| Technical Contact Country | United States |
| Technical Contact Country Code | US |
| Technical Contact Phone Number | +999.9999999 |
| Technical Contact Email | datapoint5@ureach.com |
| Name Server | NS1.DNS4PROVIDERS.COM |
| Name Server | NS2.DNS4PROVIDERS.COM |
| Name Server | NS1.DNS4PROVIDERS.NET |
| Name Server | NS2.DNS4PROVIDERS.NET |
| Name Server | NS1.CONTINENTALHOSTING.COM |
| Name Server | NS2.CONTINENTALHOSTING.COM |
| Created by Registrar | CSL COMPUTER SERVICE (D.B.A. JOKER.COM) |
| Domain Registration Date | Wed Oct 22 20:26:34 GMT 2003 |
|
We have seen these DNS servers before; they seem to be used by a lot of spam
sites. Let's see who owns them: DNS4PROVIDERS.COM,
DNS4PROVIDERS.NET & CONTINENTALHOSTING.COM
whois -h whois.bestregistrar.com dns4providers.com
...
Whois Server Version 2.0
Domain Name: DNS4PROVIDERS.COM
Registrant:
Organization: RTH, Inc
Contact ID: PinAB1-BR
Name: RTH, Inc RTH, Inc
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Administrative Contact:
Organization: RTH, Inc
Contact ID: PINO1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Technical Contact:
Organization: RTH, Inc
Contact ID: PINT1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Name Servers:
NS1.DNS4PROVIDERS.COM
NS2.DNS4PROVIDERS.COM
NS1.DNS4PROVIDERS.NET
NS2.DNS4PROVIDERS.NET
NS1.CONTINENTALHOSTING.COM
NS2.CONTINENTALHOSTING.COM
NS1.INDUSTRIALMEDS.COM
NS2.INDUSTRIALMEDS.COM
NS1.CORPTOPIA.COM
NS2.CORPTOPIA.COM
NS1.FAKINBACON.COM
NS2.FAKINBACON.COM
NS1.PANAMERICANHOSTING.COM
Created Date: May 1, 2003
Updated Date: Sep 2, 2003
Expiration Date: May 1, 2005
whois -h whois.bestregistrar.com dns4providers.net
...
Whois Server Version 2.0
Domain Name: DNS4PROVIDERS.NET
Registrant:
Organization: RTH, Inc
Contact ID: PinAB1-BR
Name: RTH, Inc RTH, Inc
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Administrative Contact:
Organization: RTH, Inc
Contact ID: PINO1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Technical Contact:
Organization: RTH, Inc
Contact ID: PINT1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Name Servers:
NS1.DNS4PROVIDERS.COM
NS2.DNS4PROVIDERS.COM
NS1.DNS4PROVIDERS.NET
NS2.DNS4PROVIDERS.NET
NS1.CONTINENTALHOSTING.COM
NS2.CONTINENTALHOSTING.COM
NS1.INDUSTRIALMEDS.COM
NS2.INDUSTRIALMEDS.COM
NS1.CORPTOPIA.COM
NS2.CORPTOPIA.COM
NS1.FAKINBACON.COM
NS2.FAKINBACON.COM
NS1.PANAMERICANHOSTING.COM
Created Date: May 1, 2003
Updated Date: Sep 2, 2003
Expiration Date: May 1, 2005
whois -h whois.bestregistrar.com continentalhosting.com
...
Whois Server Version 2.0
Domain Name: CONTINENTALHOSTING.COM
Registrant:
Organization: RTH, Inc
Contact ID: PinAB1-BR
Name: RTH, Inc RTH, Inc
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Administrative Contact:
Organization: RTH, Inc
Contact ID: PINO1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Technical Contact:
Organization: RTH, Inc
Contact ID: PINT1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Name Servers:
NS1.DNS4PROVIDERS.COM
NS2.DNS4PROVIDERS.COM
NS1.DNS4PROVIDERS.NET
NS2.DNS4PROVIDERS.NET
NS1.CONTINENTALHOSTING.COM
NS2.CONTINENTALHOSTING.COM
NS1.INDUSTRIALMEDS.COM
NS2.INDUSTRIALMEDS.COM
NS1.CORPTOPIA.COM
NS2.CORPTOPIA.COM
NS1.FAKINBACON.COM
NS2.FAKINBACON.COM
NS1.PANAMERICANHOSTING.COM
Created Date: Feb 20, 2003
Updated Date: Sep 2, 2003
Expiration Date: Feb 20, 2006
We may as well see who owns the extra DNS servers listed in the three
registrations above, to get the whole tangled web of spammers out in the open:
INDUSTRIALMEDS.COM, CORPTOPIA.COM, FAKINBACON.COM & PANAMERICANHOSTING.COM
whois -h whois.bestregistrar.com industrialmeds.com
...
Whois Server Version 2.0
Domain Name: INDUSTRIALMEDS.COM
Registrant:
Organization: RTH, Inc
Contact ID: PinAB1-BR
Name: RTH, Inc RTH, Inc
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Administrative Contact:
Organization: RTH, Inc
Contact ID: PINO1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Technical Contact:
Organization: RTH, Inc
Contact ID: PINT1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Name Servers:
NS1.DNS4PROVIDERS.COM
NS2.DNS4PROVIDERS.COM
NS1.DNS4PROVIDERS.NET
NS2.DNS4PROVIDERS.NET
NS1.CONTINENTALHOSTING.COM
NS2.CONTINENTALHOSTING.COM
NS1.INDUSTRIALMEDS.COM
NS2.INDUSTRIALMEDS.COM
NS1.CORPTOPIA.COM
NS2.CORPTOPIA.COM
NS1.FAKINBACON.COM
NS2.FAKINBACON.COM
NS1.PANAMERICANHOSTING.COM
Created Date: Aug 13, 2002
Updated Date: Sep 2, 2003
Expiration Date: Aug 13, 2006
whois -h whois.bestregistrar.com corptopia.com
...
Whois Server Version 2.0
Domain Name: CORPTOPIA.COM
Registrant:
Organization: RTH, Inc
Contact ID: PinAB1-BR
Name: RTH, Inc RTH, Inc
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Administrative Contact:
Organization: RTH, Inc
Contact ID: PINO1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Technical Contact:
Organization: RTH, Inc
Contact ID: PINT1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Name Servers:
NS1.DNS4PROVIDERS.COM
NS2.DNS4PROVIDERS.COM
NS1.DNS4PROVIDERS.NET
NS2.DNS4PROVIDERS.NET
NS1.CONTINENTALHOSTING.COM
NS2.CONTINENTALHOSTING.COM
NS1.INDUSTRIALMEDS.COM
NS2.INDUSTRIALMEDS.COM
NS1.CORPTOPIA.COM
NS2.CORPTOPIA.COM
NS1.FAKINBACON.COM
NS2.FAKINBACON.COM
NS1.PANAMERICANHOSTING.COM
Created Date: Apr 24, 2002
Updated Date: Sep 2, 2003
Expiration Date: Apr 24, 2006
whois -h whois.bestregistrar.com fakinbacon.com
...
Whois Server Version 2.0
Domain Name: FAKINBACON.COM
Registrant:
Organization: RTH, Inc
Contact ID: PinAB1-BR
Name: RTH, Inc RTH, Inc
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Administrative Contact:
Organization: RTH, Inc
Contact ID: PINO1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Technical Contact:
Organization: RTH, Inc
Contact ID: PINT1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Name Servers:
NS1.DNS4PROVIDERS.COM
NS2.DNS4PROVIDERS.COM
NS1.DNS4PROVIDERS.NET
NS2.DNS4PROVIDERS.NET
NS1.CONTINENTALHOSTING.COM
NS2.CONTINENTALHOSTING.COM
NS1.INDUSTRIALMEDS.COM
NS2.INDUSTRIALMEDS.COM
NS1.CORPTOPIA.COM
NS2.CORPTOPIA.COM
NS1.FAKINBACON.COM
NS2.FAKINBACON.COM
NS1.PANAMERICANHOSTING.COM
Created Date: Oct 7, 2002
Updated Date: Sep 2, 2003
Expiration Date: Oct 7, 2006
whois -h whois.bestregistrar.com panamericanhosting.com
...
Whois Server Version 2.0
Domain Name: PANAMERICANHOSTING.COM
Registrant:
Organization: RTH, Inc
Contact ID: PinAB1-BR
Name: RTH, Inc RTH, Inc
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Administrative Contact:
Organization: RTH, Inc
Contact ID: PINO1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Technical Contact:
Organization: RTH, Inc
Contact ID: PINT1-BR
Name: RTH, Inc Admin Oncall
Address: PO BOX 801123, Aventura
FL, 33280, US
Phone: 786 417-3506 Fax: null
Email: domains@continentalhosting.com
Name Servers:
NS1.DNS4PROVIDERS.COM
NS2.DNS4PROVIDERS.COM
NS1.DNS4PROVIDERS.NET
NS2.DNS4PROVIDERS.NET
NS1.CONTINENTALHOSTING.COM
NS2.CONTINENTALHOSTING.COM
NS1.INDUSTRIALMEDS.COM
NS2.INDUSTRIALMEDS.COM
NS1.CORPTOPIA.COM
NS2.CORPTOPIA.COM
NS1.FAKINBACON.COM
NS2.FAKINBACON.COM
NS1.PANAMERICANHOSTING.COM
Created Date: Feb 20, 2003
Updated Date: Sep 2, 2003
Expiration Date: Feb 20, 2006
Here we find the ip address for the spamvertizer,
http://www.rodotee.biz/napofprn/
10/25/03 20:00:37 dns http://www.rodotee.biz/napofprn/
Canonical name: www.rodotee.biz
Addresses:
221.232.160.110
This is the same site as the earlier spams we analyzed
today, for:
10/25/03 19:23:13 dns http://www.smackonthewall.biz/fbuddies7/
Canonical name: www.smackonthewall.biz
Addresses:
221.232.160.110
10/25/03 12:49:35 dns http://www.goldfingerrock.biz/napofprn/
Canonical name: www.goldfingerrock.biz
Addresses:
221.232.160.110
Now we look to see who owns the ip address block. The spamvertizer was
221.232.160.110
inetnum: 221.232.0.0 - 221.235.255.255
netname: CHINANET-HB
descr: CHINANET Hubei province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CHA1-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CN-CHINANET-HB
mnt-routes: MAINT-CN-CHINANET-HB
remarks: This object can only modify by APNIC hostmaster
remarks: If you wish to modify this object details please
remarks: send email to hostmaster@apnic.net with your
remarks: organisation account name in the subject line.
changed: hm-changed@apnic.net 20030715
status: ALLOCATED PORTABLE
source: APNIC
role: CHINANET HB ADMIN
address: 8th floor of JinGuang Building
address: #232 of Macao Road
address: HanKou Wuhan Hubei Province
address: P.R.China
country: CN
phone: +86 27 82862199
fax-no: +86 27 82861499
e-mail: hostmasterhb@dc.wh.hb.cn
trouble: send spam reports to spam_hb@hbdcb.net.cn
trouble: and abuse reports to abuse_hb@hbdcb.net.cn
trouble: Please include detailed information and
trouble: times in GMT+8
admin-c: YZ83-AP
admin-c: ZC77-AP
tech-c: YZ83-AP
tech-c: ZC77-AP
nic-hdl: CHA1-AP
notify: hostmasterhb@dc.wh.hb.cn
mnt-by: MAINT-CN-CHINANET-HB
changed: zhangyl@hbdcb.net.cn 20020820
source: APNIC
person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-66027334
e-mail: hostmaster@ns.chinanet.cn.net
e-mail: anti-spam@ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster@ns.chinanet.cn.net 20021016
source: APNIC
We have previously tried larting to these addresses,
spam_hb@hbdcb.net.cn and
anti-spam@ns.chinanet.cn.net
and the mail simply bounces back as sent to non-existent addresses. These
Chinese hosts offer "bulletproof hosting" where they basically won't cancel the
hosting no matter what. The best resort is for everyone to block the whole
address range and isolate them from the rest of the internet.
These nameservers are also in this block
10/25/03 13:23:29 dns NS2.INDUSTRIALMEDS.COM
Canonical name: ns2.industrialmeds.COM
Addresses:
221.232.160.25
10/25/03 13:30:43 dns NS2.CONTINENTALHOSTING.COM
Canonical name: ns2.continentalhosting.COM
Addresses:
221.232.160.25
Now we look to see who owns the ip address block for some of the other
domain name servers used
10/25/03 13:33:50 dns NS2.DNS4PROVIDERS.NET
Canonical name: NS2.DNS4PROVIDERS.NET
Addresses:
202.103.67.51
inetnum: 202.103.64.0 - 202.103.127.255
netname: CHINANET-HN
descr: CHINANET Hunan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: YX69-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-HN
changed: hostmaster@ns.chinanet.cn.net 20010119
status: ALLOCATED PORTABLE
source: APNIC
person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-66027334
e-mail: hostmaster@ns.chinanet.cn.net
e-mail: anti-spam@ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster@ns.chinanet.cn.net 20021016
source: APNIC
person: Yali Xiao
address: Hunan Data Communication Bureau No.9 middle wuyi road ChangSha city,Hunan ,P.R.China 410011
country: CN
phone: +86-731-2260079
fax-no: +86-731-2265549
e-mail: liul@hnpta.net.cn
nic-hdl: YX69-AP
mnt-by: MAINT-CHINANET-HUNAN
changed: liul@hndcb.hnpta.net.cn 20010523
source: APNIC
We have previously tried larting to this address
anti-spam@ns.chinanet.cn.net
and the mail simply bounces back as sent to non-existent addresses. These
Chinese hosts offer "bulletproof hosting" where they basically won't cancel the
hosting no matter what. The best resort is for everyone to block the whole
address range and isolate them from the rest of the internet.
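As an added example (not part of the original page), the address ranges from the two APNIC records above converted to CIDR blocks, with the hosts looked up on this page grouped by address and checked against them. Python; the function names are assumptions, and the lookup lines are copied from the page with the timestamp lines left out.

```python
import ipaddress
import re
from collections import defaultdict

# Lookup results copied from this page (timestamp lines left out).
LOOKUPS = """\
Canonical name: www.rodotee.biz
Addresses:
221.232.160.110
Canonical name: www.smackonthewall.biz
Addresses:
221.232.160.110
Canonical name: www.goldfingerrock.biz
Addresses:
221.232.160.110
Canonical name: ns2.industrialmeds.COM
Addresses:
221.232.160.25
Canonical name: ns2.continentalhosting.COM
Addresses:
221.232.160.25
Canonical name: NS2.DNS4PROVIDERS.NET
Addresses:
202.103.67.51
"""

# inetnum/netname lines copied from the two APNIC records on this page.
WHOIS = """\
inetnum: 221.232.0.0 - 221.235.255.255
netname: CHINANET-HB
inetnum: 202.103.64.0 - 202.103.127.255
netname: CHINANET-HN
"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_lookups(text):
    """Map each address to the sorted canonical names that resolved to it."""
    by_ip, name = defaultdict(set), None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("canonical name:"):
            name = line.split(":", 1)[1].strip().lower()
        elif name and IPV4_RE.fullmatch(line):
            by_ip[line].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()}


def parse_blocks(whois_text):
    """Turn each 'inetnum: first - last' range into the CIDR blocks covering it."""
    blocks, pending = {}, None
    for line in whois_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "inetnum":
            first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
            pending = list(ipaddress.summarize_address_range(first, last))
        elif key == "netname" and pending is not None:
            blocks[value], pending = pending, None
    return blocks


def covering_block(ip, blocks):
    """Return the netname whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for netname, nets in blocks.items():
        if any(addr in net for net in nets):
            return netname
    return None


def cidr_list(blocks):
    """Flat, sorted list of CIDR strings, ready for a deny list."""
    return [str(n) for n in sorted(n for nets in blocks.values() for n in nets)]


def report(lookups, whois_text):
    blocks = parse_blocks(whois_text)
    return {ip: {"names": names, "block": covering_block(ip, blocks)}
            for ip, names in parse_lookups(lookups).items()}
```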
Now we look to see who owns the ip address block for some of the other
domain name servers used
10/25/03 13:37:58 dns NS1.DNS4PROVIDERS.NET
Canonical name: NS1.DNS4PROVIDERS.NET
Addresses:
202.9.156.40
inetnum: 202.9.128.0 - 202.9.159.255
netname: DISHNET
descr: DISHNETDSL LTD
descr: 19, Cathedral Garden Road
descr: Nungambakkam
descr: CHENNAI
country: IN
admin-c: DIH1-AP
tech-c: DIH1-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-IN-DISHNET
changed: hostmaster@apnic.net 20000321
changed: hostmaster@apnic.net 20000927
changed: hm-changed@apnic.net 20020612
status: ALLOCATED PORTABLE
source: APNIC
role: DISHNET IP Hostmaster
address: DishnetDSL Limited
address: 19, Cathedral Garden Road
address: Chennai, 600 034
phone: +91-44-825 6201
phone: +91-44-825 6149
phone: +91-44-826 9801
fax-no: +91-44-825 7477
e-mail: ip-admin@ddsl.net
trouble: Network abuse issues and SPAM complaints
trouble: should be sent to abuse@eth.net
admin-c: BR31-AP
tech-c: BR31-AP
nic-hdl: DIH1-AP
remarks: role object for Dishnet IP Administrators
notify: ip-admin@ddsl.net
mnt-by: MAINT-IN-DISHNET
changed: bbreddy@ddsl.net 20020530
source: APNIC
We have larted to abuse@eth.net to demand they terminate hosting for this dns server.
Now we look to see who owns the ip address block for some of the other
domain name servers used
10/25/03 13:28:24 dns NS1.INDUSTRIALMEDS.COM
Canonical name: ns1.industrialmeds.COM
Addresses:
38.117.19.10
10/25/03 13:32:18 dns NS1.CONTINENTALHOSTING.COM
Canonical name: ns1.continentalhosting.COM
Addresses:
38.117.19.10
whois -h whois.arin.net !net-38-112-0-0-1 ...
OrgName: Performance Systems International Inc.
OrgID: PSI
Address: 1015 31st Street, NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US
NetRange: 38.112.0.0 - 38.119.255.255
CIDR: 38.112.0.0/13
NetName: COGENT-NB-0002
NetHandle: NET-38-112-0-0-1
Parent: NET-38-0-0-0-1
NetType: Reassigned
NameServer: AUTH1.DNS.COGENTCO.COM
NameServer: AUTH2.DNS.COGENTCO.COM
Comment: ReferralServer: rwhois://rwhois.cogentco.com:4321/
RegDate: 2003-08-20
Updated: 2003-08-20
OrgAbuseHandle: COGEN-ARIN
OrgAbuseName: Cogent Abuse
OrgAbusePhone: +1-877-875-4311
OrgAbuseEmail: abuse@cogentco.com
OrgNOCHandle: ZC108-ARIN
OrgNOCName: Cogent Communications
OrgNOCPhone: +1-877-875-4311
OrgNOCEmail: noc@cogentco.com
OrgTechHandle: IPALL-ARIN
OrgTechName: IP Allocation
OrgTechPhone: +1-877-875-4311
OrgTechEmail: ipalloc@cogentco.com
We have larted to
abuse@cogentco.com to demand they
terminate hosting for this dns server.
Now we look to see who owns the ip address block for some of the other
domain name servers used
10/25/03 13:22:03 dns NS1.CORPTOPIA.COM
Canonical name: ns1.corptopia.COM
Addresses:
208.153.140.180
10/25/03 13:12:39 dns NS1.FAKINBACON.COM
Canonical name: NS1.FAKINBACON.COM
Addresses:
208.153.140.180
10/25/03 13:06:49 dns NS1.PANAMERICANHOSTING.COM
Canonical name: ns1.panamericanhosting.com
Addresses:
208.153.140.180
whois -h whois.arin.net !net-208-153-140-0-1 ...
OrgName: INTERNATIONAL LE DRI INT
OrgID: ILDI
Address: 1470 NW 107TH AVE
City: MIAMI
StateProv: FL
PostalCode: 33172
Country: US
NetRange: 208.153.140.0 - 208.153.141.255
CIDR: 208.153.140.0/23
NetName: CW-208-153-140
NetHandle: NET-208-153-140-0-1
Parent: NET-208-128-0-0-1
NetType: Reassigned
Comment:
RegDate: 1997-05-01
Updated: 2002-09-13
TechHandle: EB1313-ARIN
TechName: Bornstein, Eric
TechPhone: +1-305-597-8899
TechEmail: eric@internetco.net
TechHandle: UIAA-ARIN
TechName: US IP Address Administration
TechPhone: +1-800-977-4662
TechEmail: ipadmin@clp.cw.net
TechHandle: GIAA-ARIN
TechName: Global IP Address Administration
TechPhone: +1-919-465-4096
TechEmail: ip@gnoc.cw.net
We have not larted these dns servers, as they were
not listed in the registration for
goldfingerrock.biz
Now we look to see who owns the ip address block for some of the other
domain name servers used
10/25/03 13:42:59 dns NS1.DNS4PROVIDERS.COM
Canonical name: NS1.DNS4PROVIDERS.COM
Addresses:
207.49.157.125
10/25/03 13:41:20 dns NS2.DNS4PROVIDERS.COM
Canonical name: NS2.DNS4PROVIDERS.COM
Addresses:
207.49.157.125
10/25/03 13:20:30 dns NS2.CORPTOPIA.COM
Canonical name: ns2.corptopia.COM
Addresses:
207.49.157.125
10/25/03 13:15:10 dns NS2.FAKINBACON.COM
Canonical name: ns2.FAKINBACON.COM
Addresses:
207.49.157.125
whois -h whois.arin.net !net-207-49-156-0-1 ...
OrgName: Internetco Communications, Inc.
OrgID: INTERN-198
Address: 1470 NW 107th Ave.
City: Miami
StateProv: FL
PostalCode: 33172
Country: US
NetRange: 207.49.156.0 - 207.49.159.255
CIDR: 207.49.156.0/22
NetName: CW-207-49-156
NetHandle: NET-207-49-156-0-1
Parent: NET-207-48-0-0-1
NetType: Reassigned
Comment:
RegDate: 1997-09-01
Updated: 2002-09-13
TechHandle: JTW2-ARIN
TechName: Williams, Jimmie T
TechPhone: +1-305-597-8899
TechEmail: jimmie@internetco.net
TechHandle: UIAA-ARIN
TechName: US IP Address Administration
TechPhone: +1-800-977-4662
TechEmail: ipadmin@clp.cw.net
TechHandle: GIAA-ARIN
TechName: Global IP Address Administration
TechPhone: +1-919-465-4096
TechEmail: ip@gnoc.cw.net
We have larted to
jimmie@internetco.net &
ipadmin@clp.cw.net
to demand they terminate hosting for this dns server.
|