Boo-yah! Down another one goes... I found a registrar who's actually taking action against one of our spammers.
Here's the message from InterCosmos.com:
Thanks for the information. We have put the domain tecmnsd.info on registrar-hold. So the domain will stop resolving.
Donny
I sent them back a message, telling them about the spammer having other URLs registered through them, 5 of them, so I may just get this spammer shut down wholesale.
> I sent them back a message, telling them about the spammer having other URLs registered through them, 5 of them, so I may just get this spammer shut down wholesale.
My mistake, only two of the spammer's 5 domains were registered with InterCosmos.com, but they're gone now... all Registrars should be as responsive as InterCosmos.com. That's damned impressive. Now we wait for the DNS changes to propagate, and they'll be off the air.
What's funny is that even though the domains are on Registrar hold, meaning that DNS won't resolve for them anymore, my DNS server's still got the required information to hit them with SpamVampire. So, nobody can visit, except for me. And I'm visiting a lot. And I'm not allowing my DNS server to update that DNS record, so I'll be able to continue hitting them for as long as that server is serving those websites, even if DNS won't point anyone else to them.
I've got to be hell on the poor spammers... nobody can visit their websites except the one they don't want to have visit under any circumstances... too much fun. But, it's all part of striking fear into the hearts of spammers everywhere. If I can become world-famous in spammer circles as someone to avoid, I'll have accomplished my goal.
> "Anonymous" <Anonym...@domain.invalid> wrote in message news:laaQc.459$of6.157@newssvr29.news.prodigy.com...
> > I sent them back a message, telling them about the spammer having other URLs registered through them, 5 of them, so I may just get this spammer shut down wholesale.
> My mistake, only two of the spammer's 5 domains were registered with InterCosmos.com, but they're gone now... all Registrars should be as responsive as InterCosmos.com. That's damned impressive. Now we wait for the DNS changes to propagate, and they'll be off the air.
> What's funny is that even though the domains are on Registrar hold, meaning that DNS won't resolve for them anymore, my DNS server's still got the required information to hit them with SpamVampire. So, nobody can visit, except for me. And I'm visiting a lot. And I'm not allowing my DNS server to update that DNS record, so I'll be able to continue hitting them for as long as that server is serving those websites, even if DNS won't point anyone else to them.
> I've got to be hell on the poor spammers... nobody can visit their websites except the one they don't want to have visit under any circumstances... too much fun. But, it's all part of striking fear into the hearts of spammers everywhere. If I can become world-famous in spammer circles as someone to avoid, I'll have accomplished my goal.
That's the Russian Spam Gang.
Intercosmos is DirectNIC. How did you contact them? What did you tell them?
How about going after the nameserver for lots of them- LIONSTAM.BIZ?
Yep, that's the Russian Spam Gang... I've been hammering the living hell out of their websites with my SpamVampire (http://www.hillscapital.com/antispam/index.htm feel free to grab the source code and set up your own).
> Intercosmos is DirectNIC. How did you contact them? What did you tell them?
I sent the LART to ab...@intercosmos.com, with a note at the top that they were the registrar, and that they should check the registration information for the site, and terminate it if it was found that the registration information was invalid.
> How about going after the nameserver for lots of them- LIONSTAM.BIZ?
Tried that... the email address obtained by doing a dig on Lionstam.biz bounces.
> Yep, that's the Russian Spam Gang... I've been hammering the living hell out of their websites with my SpamVampire (http://www.hillscapital.com/antispam/index.htm feel free to grab the source code and set up your own).
Hooo-BOY, we're going after these scumbags in a big way! I just got another spam from them on a new domain they'd registered with InterCosmos. It's already down...
#begin Ale...@invalid.domain.exe (or was it Alexis.com) message <mDbQc.4499$Mg1.2...@bignews4.bellsouth.net> reply:
<SNIP>
> Intercosmos is DirectNIC. How did you contact them? What did you tell them?
I have several such replies from Intercosmos, when CC:ing DirectNIC on spams. But in all other cases I get their standard "we are just a Registrar, contact ISPs" answer. No idea what triggers that "lucky" reply.
> Hooo-BOY, we're going after these scumbags in a big way! I just got another spam from them on a new domain they'd registered with InterCosmos. It's already down...
Many of those on that list that I gave for IP 61.128.198.12 are registered at namebay.com. It appears that BUENOCARTO.INFO has 27 domain names registered, all associated with this spam group.
BUENOCARTO.INFO doesn't appear on Polarbeach because it doesn't resolve and they apparently only used it to sign up the other spam domains. Here is the info:
[Note: using the whois.namebay.com server reveals the actual registrar while whois.afilias.info does not]
contacting server whois.namebay.com
Domain Name : BUENOCARTO.INFO
Created On : 2004-07-01
Expiration Date : 2005-07-01
Status : ACTIVE
Registrant Name : Valery Binanaka
Registrant Street1 : Bolshoy Kamenniy Most 21, 14
Registrant City : Moscow
Registrant State/Province : RU
Registrant Postal Code : 132423
Registrant Country : RU
Admin Handle : VB38284
Admin Name : Valery Binanaka
Admin Street1 : Bolshoy Kamenniy Most 21, 14
Admin City : Moscow
Admin State/Province : RU
Admin Postal Code : 132423
Admin Country : RU
Admin Phone : +7.6490189
Admin Email : valerybinan...@mail.ru
Tech Handle : VB38284
Tech Name : Valery Binanaka
Tech Street1 : Bolshoy Kamenniy Most 21, 14
Tech City : Moscow
Tech State/Province : RU
Tech Postal Code : 132423
Tech Country : RU
Tech Phone : +7.6490189
Tech Email : valerybinan...@mail.ru
Billing Handle : VB38284
Billing Name : Valery Binanaka
Billing Street1 : Bolshoy Kamenniy Most 21, 14
Billing City : Moscow
Billing State/Province : RU
Billing Postal Code : 132423
Billing Country : RU
Billing Phone : +7.6490189
Billing Email : valerybinan...@mail.ru
Name Server : FIRST.BUENOCARTO.INFO
Name Server : SECOND.BUENOCARTO.INFO
Name Server : THIRD.BUENOCARTO.INFO
Name Server : ADDON.BUENOCARTO.INFO
Registrar Name : NAMEBAY
Registrar WebSite : http://www.namebay.com
#begin gl...@mfire.invalid.com.exe (or was it glgxg.com) message <10h2upkl937d...@corp.supernews.com> reply:
<SNIP>
> BUENOCARTO.INFO doesn't appear on Polarbeach because it doesn't resolve and they apparently only used it to sign up the other spam domains. Here is the info:
> [Note: using the whois.namebay.com server reveals the actual registrar while whois.afilias.info does not]
<SNIP>
It actually does, just the encoded way (no idea why they do it like that):
$ jwhois BUENOCARTO.INFO
[Querying whois.afilias.info]
[whois.afilias.info]
<...>
Domain ID:D6033888-LRMS
Domain Name:BUENOCARTO.INFO
Created On:01-Jul-2004 16:04:15 UTC
Last Updated On:02-Jul-2004 07:00:33 UTC
Expiration Date:01-Jul-2005 16:04:15 UTC
Sponsoring Registrar:R123-LRMS <== Note
<...>
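The two WHOIS layouts quoted in this thread can be read by one parser. The following is an added example, not code from any poster: the sample records are constructed from the fields quoted above, the e-mail address is a placeholder, and treating an `R<digits>-<LETTERS>` value as a registry-side registrar ID rather than a name is an assumption.

```python
import re
# Constructed samples in the two layouts quoted above; the e-mail is a placeholder.
REGISTRAR_STYLE = """\
Domain Name : BUENOCARTO.INFO
Admin Email : admin@example.invalid
Name Server : FIRST.BUENOCARTO.INFO
Name Server : SECOND.BUENOCARTO.INFO
Registrar Name : NAMEBAY
"""
REGISTRY_STYLE = """\
[Querying whois.afilias.info]
Domain Name:BUENOCARTO.INFO
Created On:01-Jul-2004 16:04:15 UTC
Sponsoring Registrar:R123-LRMS
"""

# "Key : Value" and "Key:Value" both split at the first colon only.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /]*?)\s*:\s*(.*?)\s*$")

def parse_whois(text):
    """Return {lowercased field: [values]}; repeated fields accumulate."""
    record = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):
            record.setdefault(m.group(1).lower(), []).append(m.group(2))
    return record

def registrar_of(record):
    """Return (kind, value): a readable name, an opaque registry ID, or unknown."""
    if "registrar name" in record:
        return ("name", record["registrar name"][0])
    if "sponsoring registrar" in record:
        value = record["sponsoring registrar"][0]
        # Assumption: R<digits>-<LETTERS> is a registry-side ID, not a name.
        kind = "registry_id" if re.fullmatch(r"R\d+-[A-Z]+", value) else "name"
        return (kind, value)
    return ("unknown", None)

def summarize(text):
    rec = parse_whois(text)
    kind, registrar = registrar_of(rec)
    emails = {v for k, vs in rec.items() if k.endswith("email") for v in vs}
    return {"domain": rec.get("domain name", [None])[0],
            "registrar_kind": kind, "registrar": registrar,
            "name_servers": [ns.lower() for ns in rec.get("name server", [])],
            "contact_emails": sorted(emails)}

if __name__ == "__main__":
    print(summarize(REGISTRAR_STYLE), summarize(REGISTRY_STYLE), sep="\n")
```

A `registry_id` result means the abuse report cannot be routed from the registry output alone; the registrar's own WHOIS server has to be queried for the name.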
And another one down, and another one down, another one bites the dust. Hey, spammy, we're gonna get you, too. Another one bites the dust!
bjbmdbe.info is now dead. Another Russian Spam Gang domain gone... and this one, they didn't even get a chance to send any spam for. InterCosmos is killing them off preemptively now. I've got them searching through their records for the email addresses the Russian Spam Gang has used to register other domains, and they're killing any off that were registered with those email addresses.
This is too much fun... 4 spammer domains killed off (and possibly quite a few more once they find them) in two days... the Russian Spam Gang has got to be wondering what's going on.
People, if you want to help kill off an egregious spammer in a vicious, brutal bloodletting, then I urge you to contact InterCosmos with any Russian Spam Gang spam you've gotten, and to set up your own SpamVampire (http://www.hillscapital.com/antispam/index.htm grab the source code) and hit them as hard as you can for the domains they didn't register through InterCosmos.
We've got a chance right now to kill off a major spam ring that's been sending out hundreds of millions of spams, for mortgages, fake viagra, penis enlargement, and pirated software.
Anonymous wrote:
> And another one down, and another one down, another one bites the dust. Hey, spammy, we're gonna get you, too. Another one bites the dust!
> bjbmdbe.info is now dead. Another Russian Spam Gang domain gone... and this one, they didn't even get a chance to send any spam for. InterCosmos is killing them off preemptively now. I've got them searching through their records for the email addresses the Russian Spam Gang has used to register other domains, and they're killing any off that were registered with those email addresses.
> This is too much fun... 4 spammer domains killed off (and possibly quite a few more once they find them) in two days... the Russian Spam Gang has got to be wondering what's going on.
> People, if you want to help kill off an egregious spammer in a vicious, brutal bloodletting, then I urge you to contact InterCosmos with any Russian Spam Gang spam you've gotten, and to set up your own SpamVampire (http://www.hillscapital.com/antispam/index.htm grab the source code) and hit them as hard as you can for the domains they didn't register through InterCosmos.
> We've got a chance right now to kill off a major spam ring that's been sending out hundreds of millions of spams, for mortgages, fake viagra, penis enlargement, and pirated software.
I wouldn't get quite so excited... you are talking about INTERCOSMOS MEDIA GROUP, INC. after all.
Just be advised that it's a snapshot type database lookup, so it can have a time lag. You need to look up the individual names for verification via other standard tools.
> it and its name servers seem to be tied via ad...@sanita77.biz
<...> For the record, here are some domains, IPs, and DNS for others from the same asshat (ad...@sanita77.biz):
shingle6722dryg.us (subdomain snipped b/c it's so weird I'm sure it's a tracking method) at 221.143.42.37 using NS3.AIRMARAMBA.BIZ and NS2.AUDI56SEW.BIZ
Order page is www.123prescription.biz at 222.55.10.19 using NS1.AIRMARAMBA.BIZ and NS1.B2002BUKA.BIZ
ns1.b2002buka.biz = 221.143.42.92 using NS1.MOSKVA66.BIZ and NS2.MOSKVA66.BIZ
ns1.moskva66.biz = 218.66.101.152 and ns2.moskva66.biz = 218.66.17.132.
ns1.airmaramba.biz (222.55.10.19) uses NS1.BEER99.BIZ = 219.234.95.68 and NS1.LUNOMUN.BIZ = 61.145.118.248
That's just what I did... I found seven URLs, all pointing to the same IP address hosted out of Brazil, all with the same exact web pages hawking mortgage quotes, penis enlargement, viagra, and pirated software.
And by tomorrow, I'll have the following Russian Spam Gang websites shut down: AEAMDGI.INFO BHGNCGE.INFO ENLDLID.INFO FDGFDBI.BIZ KJFDMJE.INFO KLCBHGF.BIZ NFKIIJL.INFO
If anyone finds any Russian Spam Gang spam in their Inbox, or comes across one of their websites, post here, so we can compile a complete list of their domains. We'll try to get as many of them shut down as possible.
The ones we can't get shut down, we'll drop into the SpamVampire, and hammer the hell out of.
> Just be advised that it's a snapshot type database lookup, so it can have a time lag. You need to look up the individual names for verification via other standard tools.
Too cool! I've been looking for a way to do that for quite some time now. Thanks.
BTW, how many domains is average to be hosted on one machine? Our web host has 344 on our machine, yet they say that it's not worth it to upgrade the mail server that goes along with that web server so it reports Source IP addresses correctly. Are they blowing smoke up my ass, as I suspect they are?
> If anyone finds any Russian Spam Gang spam in their Inbox, or comes across one of their websites, post here, so we can compile a complete list of their domains. We'll try to get as many of them shut down as possible.
> The ones we can't get shut down, we'll drop into the SpamVampire, and hammer the hell out of.
You know what's amazing? I'm hitting spamvertised websites hosted out of China and Brazil, but I keep seeing a BellSouth IP address showing up in my IDS/IRS... hmmm... spammy is trying to figure out who's costing them so much, perhaps? BellSouth is out of Florida.
It's adsl-80-85-61.asm.bellsouth.net, IP address 65.80.85.61.
Hey, spammy, I don't care where you host your websites, if you spam our domain, I'm hitting them and getting them borked. If you think you can stop me, think again... you've become a major cost of doing business, so now I am YOUR cost of doing business. And I'm not going away until you do. Get used to it, like we've all had to get used to putting up with your spew.
You stop spamming our domain, I'll stop hitting your spamvertised websites. That's the deal. No negotiations.