Is www.ripe.net Spamming The World?


Neredbojias

Jul 4, 2008, 6:00:00 PM
From what I've seen, www.ripe.net IS spamming the world, or at least
abetting same.

Someone was spamming my form mail, trying to use it for mass-mailings.
Don't worry, since I designed the script myself, nobody received any spam
except me in the form of alerts. Still, it was tiresome, so after 20-some
messages in a day or so, I locked the ass out.

However, a few hours later, I got to thinking (haha). As a result, I
reinstalled the original script with a slight addendum and began to again
receive the spam. Another few hours later, I replaced this script with the
lockout one a second time.

The spammer, being a cunning maggot, has 2 addresses:


194.8.74.158

194.8.75.204


which are randomly alternated. I did a "whois" on them, leading me to:


www.ripe.net


that provided me the following whois information:


[START INFO]
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 194.0.0.0 - 194.255.255.255
CIDR: 194.0.0.0/8
NetName: RIPE-CBLK2
NetHandle: NET-194-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1993-07-21
Updated: 2005-08-03


Visit AboutUs.org for more information about RIPE.NET AboutUs:
RIPE.NET

Registrant: Make this info private
RIPE NCC
Singel 258
Amsterdam, NH 1016 AB
NL

Domain Name: RIPE.NET


Promote your business to millions of viewers for only $1 a month!

Learn how you can get an Enhanced Business Listing here for your domain
name.
Learn More


Administrative Contact :
Admin Contact, RIPE NCC
dns-re...@ripe.net
Singel 258
Amsterdam, Noord Holland 1016Ab
NL
Phone: 020 5354444
Fax: 020 5354445

Technical Contact :
RIPE Network Coordination Centre
o...@RIPE.NET
Singel 258
Amsterdam, NH 1016 AB **
NL
Phone: http://www.ripe.net
Fax: 123 123 1234

Record expires on 26-Feb-2010
Record created on 25-Feb-1992
Database last updated on 21-May-2008

Domain servers in listed order: Manage DNS

NS-EXT.ISC.ORG 204.152.184.64
NS3.NIC.FR
NS-PRI.RIPE.NET 193.0.0.195
SUNIC.SUNET.SE

Show underlying registry data for this record

Current Registrar: NETWORK SOLUTIONS, LLC.
IP Address: 193.0.19.25 (ARIN & RIPE IP search)
IP Location: UK(UNITED KINGDOM)
Record Type: Domain Name
Server Type: Apache 2
Lock Status: clientTransferProhibited
Web Site Status: Active
DMOZ 1 listings
Y! Directory: see listings
Secure: Yes
E-commerce: No
Traffic Ranking: 4
Data as of: 22-Apr-2008
[END INFO]


Now notice the "NetRange" in the data above: 194.0.0.0 - 194.255.255.255.

Notice also from the comments that ripe.net provides its own "whois"
utility. So...I employed that and it supplied me with this information:


[START INFO2]
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '194.8.74.0 - 194.8.75.255'

inetnum: 194.8.74.0 - 194.8.75.255
netname: DRAGONARA-NET
descr: Dragonara Alliance Ltd
country: GB
org: ORG-DRAG1-RIPE
admin-c: AGAV2-RIPE
tech-c: AGAV2-RIPE
status: ASSIGNED PI "status:" definitions
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: DRAGONARA-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: DRAGONARA-MNT
mnt-domains: DRAGONARA-MNT
source: RIPE # Filtered

organisation: ORG-DRAG1-RIPE
org-name: Dragonara Alliance Ltd
org-type: OTHER
address: Geneva Place, Waterfront Drive,
P. O. Box 3469, Road Town, Tortola,
British Virgin Islands
mnt-ref: DRAGONARA-MNT
mnt-by: DRAGONARA-MNT
source: RIPE # Filtered

person: Andrey Gavrilog
address: Geneva Place, Waterfront Drive,
P. O. Box 3469, Road Town, Tortola,
British Virgin Islands
mnt-by: DRAGONARA-MNT
abuse-mailbox: ab...@dragonara.net
phone: +41 435.001.009
nic-hdl: AGAV2-RIPE
source: RIPE # Filtered

% Information related to '194.8.74.0/23AS44557'

route: 194.8.74.0/23
descr: Dragonara Alliance
origin: AS44557
mnt-by: DRAGONARA-MNT
source: RIPE # Filtered
[END INFO2]


It appears that someone at or utilizing dragonara.net is the intrepid
spammer. The spam in question is undoubtedly automated by script, so I
doubt that it is just a casual individual hacker/phreaker-type behind the
crime.

I looked up:


http://dragonara.net/


on the Internet, and they tout themselves as some kind of high-level
hosting service based in Switzerland. Perhaps, although notice the British
Virgin Islands address in their whois info. To me, though, the real
question is are they criminals and assholes?


The spam itself is interesting. Before my first lockout, all the included
urls had within the href "boinc.gorlaeus.net", and, as I said, there were
well over 20 of them. This is the beginning of one as a sample:


<a href= http://boinc.gorlaeus.net/view_profile.php?userid=15709 >buy
viagra</a>
[url=http://boinc.gorlaeus.net/view_profile.php?userid=15709]buy viagra
[/url]
<a href= http://boinc.gorlaeus.net/view_profile.php?userid=15710 >buy
oxycontin </a>
[url=http://boinc.gorlaeus.net/view_profile.php?userid=15710]buy
oxycontin [/url]
<a href= http://boinc.gorlaeus.net/view_profile.php?userid=15711 >buy
voltaren </a>
[url=http://boinc.gorlaeus.net/view_profile.php?userid=15711]buy voltaren
[/url]


The "From: " handle in each message was always a different, random short
string. I wasn't about to look up "boinc.gorlaeus.net" because my interest
is in the source, not its goal.

Now, after the first lockout-and-release and before the second lockout, a
period of time of around 5-8 hours, I received several more messages and
noticed that the url in the href from the "194.8.74.158" source was
"burp.boinc.dk" and then subsequently changed to
"www.lonelyplanet.com/thorntree/" as if the anonymous anus was trying to
get things working better. Veeery Int-eresting.

Anyway, that's about it. If anyone has a good idea about how to report
this officially, shoot. Don't tell me to go abuse.dragonara, though,
because it'd be like the fly reaching to the spider for a helping hand.


--
Neredbojias
http://www.neredbojias.net/
Great sights and sounds
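The RIPE output quoted above is RPSL: one attribute per line, objects separated by blank lines, server comments prefixed with "%". The following added example (not code from the thread or from RIPE) parses such output the way a defender tracing a source would: it finds the inetnum block covering an address, follows the admin-c/tech-c handles to a contact object and its abuse-mailbox, and reads the origin AS from the matching route object. The sample text is constructed with placeholder names, handle, mailbox and AS number (Example Hosting Ltd, EXMP1-RIPE, abuse@example.net, AS64496), not the live records.

```python
"""Parse RPSL-style whois output (the format RIPE's whois server returns) and
pull out the objects that matter when tracing the source of abusive traffic:
the inetnum block covering the address, the contact's abuse-mailbox, and the
route object that says which AS announces the prefix."""
import ipaddress

# Constructed sample modelled on the RIPE output quoted in the thread; the
# organisation, handles, mailbox and AS number are placeholders, not live data.
SAMPLE_WHOIS = """\
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.

% Information related to '194.8.74.0 - 194.8.75.255'

inetnum:        194.8.74.0 - 194.8.75.255
netname:        EXAMPLE-NET
descr:          Example Hosting Ltd
country:        GB
org:            ORG-EXMP1-RIPE
admin-c:        EXMP1-RIPE
tech-c:         EXMP1-RIPE
status:         ASSIGNED PI
mnt-by:         EXAMPLE-MNT
source:         RIPE # Filtered

person:         Example Admin
address:        Example Place,
                Road Town, Tortola
abuse-mailbox:  abuse@example.net
nic-hdl:        EXMP1-RIPE
source:         RIPE # Filtered

% Information related to '194.8.74.0/23AS64496'

route:          194.8.74.0/23
descr:          Example Hosting
origin:         AS64496
mnt-by:         EXAMPLE-MNT
source:         RIPE # Filtered
"""


def parse_rpsl(text):
    """Split whois output into objects: a list of lists of (key, value) pairs.
    Objects are separated by blank lines, '%' lines are server comments, and a
    line starting with whitespace continues the previous attribute's value."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line[0].isspace() and current:
            key, value = current[-1]
            current[-1] = (key, value + " " + line.strip())
            continue
        key, _, value = line.partition(":")
        current.append((key.strip(), value.strip()))
    if current:
        objects.append(current)
    return objects


def attr(obj, key):
    """First value of `key` in an object, or None if absent."""
    for k, v in obj:
        if k == key:
            return v
    return None


def covering_inetnum(objects, ip):
    """Return the inetnum object whose range contains `ip`; if several match,
    the narrowest (most specific) range wins."""
    addr = ipaddress.ip_address(ip)
    best, best_size = None, None
    for obj in objects:
        rng = attr(obj, "inetnum")
        if not rng:
            continue
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
        if lo <= addr <= hi:
            size = int(hi) - int(lo)
            if best is None or size < best_size:
                best, best_size = obj, size
    return best


def trace_source(text, ip):
    """Summarise what the whois data says about `ip`: the covering block, the
    abuse mailbox reached via its admin-c/tech-c handles, and the origin AS."""
    objects = parse_rpsl(text)
    block = covering_inetnum(objects, ip)
    if block is None:
        return None
    handles = {attr(block, k) for k in ("admin-c", "tech-c")} - {None}
    abuse = None
    for obj in objects:
        if attr(obj, "nic-hdl") in handles and attr(obj, "abuse-mailbox"):
            abuse = attr(obj, "abuse-mailbox")
            break
    addr = ipaddress.ip_address(ip)
    origin = None
    for obj in objects:
        prefix = attr(obj, "route")
        if prefix and addr in ipaddress.ip_network(prefix, strict=False):
            origin = attr(obj, "origin")
    return {"inetnum": attr(block, "inetnum"), "netname": attr(block, "netname"),
            "abuse_mailbox": abuse, "origin": origin}


if __name__ == "__main__":
    print(trace_source(SAMPLE_WHOIS, "194.8.74.158"))
```

Real RIPE output often carries several inetnum objects at different levels of the hierarchy; picking the narrowest one is what keeps the abuse contact attributable to the actual assignee rather than the parent allocation.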

viza

Jul 4, 2008, 8:48:01 PM
Hi

On Sat, 05 Jul 2008 00:00:00 +0200, Neredbojias wrote:
>
> From what I've seen, www.ripe.net IS spamming the world, or at least
> abetting same.
>
> Someone was spamming my form mail, trying to use it for mass-mailings.

Oh my goodness. Someone on the internet is trying to send spam! Phone
the police! Call out the reserves! Get my gun! Pannic! PAANNIC!

> Don't worry, since I designed the script myself, nobody received any
> spam

Ok, your site is working then. Have a pat on the back.

Saying ripe.net is sending spam is like saying the internet itself is
sending spam. True though, if you disconnect the internet, you won't get
spam.

The spam is being sent by the customer of the customer of the customer of
the customer of ripe.net, via some of the companies you have listed.
None of them is sending spam either. You can trace it around the world
and try to find someone who (a) cares, and (b) has the power to stop it,
or you can just block or filter it yourself like the rest of the world
does.

It's only really worth asking about if the spammer is too clever for you
and is getting through, but it seems that that is not the case.

HTH
viza
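Blocking or filtering at the form handler, as viza suggests, is where the site owner actually has control. This added example (not code from the thread) shows a form-mail check of the kind the original poster describes: it flags bodies carrying HTML anchors, BBCode [url] tags or more than two bare URLs, drops them instead of relaying them, and locks a source address out after three hits within an hour. The sample bodies use the placeholder domain spam.example and the documentation address 192.0.2.10; the thresholds are assumptions to tune for a real form.

```python
"""Defensive checks for a web form handler: flag submissions that look like
link spam and lock out a source address once it has tripped the filter a set
number of times in a window. Added example, not code from the thread."""
import re
import time
from collections import defaultdict, deque

HTML_ANCHOR = re.compile(r"<a\s[^>]*href\s*=", re.IGNORECASE)
BBCODE_URL = re.compile(r"\[url(?:=|\])", re.IGNORECASE)
BARE_URL = re.compile(r"https?://", re.IGNORECASE)
MAX_BARE_URLS = 2   # assumption: a genuine contact message rarely carries more


def looks_like_link_spam(body):
    """Return the reasons a body is suspicious; an empty list means clean."""
    reasons = []
    if HTML_ANCHOR.search(body):
        reasons.append("html-anchor")
    if BBCODE_URL.search(body):
        reasons.append("bbcode-url")
    n = len(BARE_URL.findall(body))
    if n > MAX_BARE_URLS:
        reasons.append(f"{n}-urls")
    return reasons


class SourceLockout:
    """Lock a client address out after `threshold` spam hits within `window`
    seconds; the lock lasts `lock_for` seconds and then expires on its own."""

    def __init__(self, threshold=3, window=3600, lock_for=86400):
        self.threshold, self.window, self.lock_for = threshold, window, lock_for
        self.hits = defaultdict(deque)   # ip -> timestamps of recent spam hits
        self.locked_until = {}           # ip -> time the lock expires

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]    # lock expired; forget it
            return False
        return True

    def record_hit(self, ip, now=None):
        """Register one spam hit; returns True if this hit triggers a lockout."""
        now = time.time() if now is None else now
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[ip] = now + self.lock_for
            q.clear()
            return True
        return False


def handle_submission(lockout, ip, body, now=None):
    """Decide what to do with one form post: 'locked', 'rejected' or 'accepted'.
    Locked and rejected posts are dropped silently rather than relayed."""
    if lockout.is_locked(ip, now):
        return "locked"
    if looks_like_link_spam(body):
        lockout.record_hit(ip, now)
        return "rejected"
    return "accepted"


# Constructed sample bodies in the shape of the spam quoted in the thread
# (placeholder domain, not the real one) and of a legitimate message.
SPAM_BODY = ('<a href= http://spam.example/view_profile.php?userid=1 >buy pills</a>\n'
             '[url=http://spam.example/view_profile.php?userid=1]buy pills[/url]')
HAM_BODY = "Hi, I liked your site, see my photos at http://photos.example/me"


def demo():
    """Four spam posts from one address, then two clean posts from it (one while
    locked, one after the lock expires), then a clean post from another address."""
    lo = SourceLockout(threshold=3, window=3600, lock_for=86400)
    ip = "192.0.2.10"   # documentation address standing in for the spam source
    t = 1_000_000       # fixed clock so the run is reproducible
    results = [handle_submission(lo, ip, SPAM_BODY, t + i) for i in range(4)]
    results.append(handle_submission(lo, ip, HAM_BODY, t + 10))
    results.append(handle_submission(lo, ip, HAM_BODY, t + 86400 + 10))
    results.append(handle_submission(lo, "192.0.2.20", HAM_BODY, t))
    return results


if __name__ == "__main__":
    print(demo())
```

The per-address state lives in memory here; a real handler would keep it in a shared store so that a spammer alternating between two addresses, as described in the thread, is counted per address across all workers. The content check deliberately keys on link markup rather than product words, since the latter change with every campaign.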

Ed Mullen

Jul 5, 2008, 2:58:00 PM
Neredbojias wrote:
> From what I've seen, www.ripe.net IS spamming the world, or at least
> abetting same.
>
>
> <a href= http://boinc.gorlaeus.net/view_profile.php?userid=15709 >buy
> viagra</a>
> [url=http://boinc.gorlaeus.net/view_profile.php?userid=15709]buy viagra
> [/url]
> <a href= http://boinc.gorlaeus.net/view_profile.php?userid=15710 >buy
> oxycontin </a>
> [url=http://boinc.gorlaeus.net/view_profile.php?userid=15710]buy
> oxycontin [/url]
> <a href= http://boinc.gorlaeus.net/view_profile.php?userid=15711 >buy
> voltaren </a>
> [url=http://boinc.gorlaeus.net/view_profile.php?userid=15711]buy voltaren
> [/url]
>
>
> The "From: " handle in each message was always a different, random short
> string. I wasn't about to lookup "boinc.gorlaeus.net" because my interest
> is in the source, not its goal.

Although, it was interesting to look at:

http://boinc.gorlaeus.net/

--
Ed Mullen
http://edmullen.net
Young at heart. Slightly older in other places.

Neredbojias

Jul 5, 2008, 3:38:44 PM

You're probably right but it just seems like such a futile philosophy. Of
course I'm used to futility ever since my original program for training
women to avoid pregnancy went belly up.

PS: I had some real comments about your message but Ed Mullen's post puts a
new light on things.

Neredbojias

Jul 5, 2008, 3:47:20 PM

Indeed! I found this particularly interesting:

=====
News

4 july 2008
Yesterday this BOINC project and a lot of other people fell victim to a
spammer. Spam content was scripted into this project's fake user profiles
and spam sent from a yet unknown e-mail relay server referred to these
fake profiles. Measures taken at Leiden Classical were: 1) fake user
accounts and profiles removed from DB, 2) user agent checks implemented
into server PHP code (thanx to Willy de Zutter from BAM and BOINCstats) and
3) akismet checks on profile content have been implemented. Hope these
measures stop the spammers!
=====

If nothing else, it adds relevancy to my 2 previous posts regarding this
spam. Hope they'll plug up some of the "holes in the dike" so to speak.
Them dutchies can be clever when they're not too dizzy from watching the
windmills.
