Feedback: February 2004, Published: March 2004

This month some additional information from the USA regarding spam.

Many ISPs only accept abuse notifications concerning the actual source of the spam. However, in the case of portable addresses and open relays, such an approach is not worth pursuing. In any case, open relays are already documented, and there are several publicly available lists of these sources.

Some postmasters opt for blocking portable (or dynamic) networks. There is the well known Pan-Am Dynamic List Project (see: http://www.pan-am.ca/pdl/). The data is also available from Open Source contributors.

PGTS does not receive much spam, since the MTA at this site is a well configured Open Source variant.

And so an e-mail from the USA arrived with information that might shed some light on the activities of our old friend Mike from Girrawheen. This message from the USA reported some spam which was promoting a site called spews.biz. This porn site uses a name that is possibly a (rather lame) joke at the expense of SPEWS (the legendary spam blocking list). The whois listing gives the following (obviously false) information:

	Domain Name:               SPEWS.BIZ
	Domain ID:                 D5473023-BIZ
	Sponsoring Registrar:      TUCOWS INC.
	Domain Status:             ok
	Registrant ID:             TUYJMBPYBCZ7TBXN
	Registrant Name:           polymenas Ioannis
	Registrant Organization:   spamcop
	Registrant Address1:       56 Kleyerstr st
	Registrant City:           frankfurt
	Registrant State/Province: na.
	Registrant Postal Code:    60326
	Registrant Country:        Germany
	Registrant Country Code:   DE

At the time that I investigated them, Spews.biz were using quantum-tech.com for the primary and secondary DNS. And it was then that I realised that the domain quantum-tech.com did not appear to have been set up correctly.

Quantum-tech.com still had the address of PO Box 6111 in Girrawheen and were hosted by the domain enom.com. The DNS entry for enom.com had not been set up correctly either. And yet somehow they had hosted themselves! According to whois, enom.com was located at PO Box 7449 in Bellevue WA (not far from Girrawheen - small world isn't it?). Although they had hosted themselves, enom.com used the name servers at name-services.com, which at the time, was another domain that had not been set up correctly.

The registry that hosted name-services.com was enom.com. So I was starting to go round in circles. The name servers for name-services.com were:

	dns2.NAME-SERVICES.COM. 4765    IN      A       216.52.184.230
	dns3.NAME-SERVICES.COM. 4765    IN      A       63.251.83.36
	dns4.NAME-SERVICES.COM. 4765    IN      A       64.74.96.242
	dns5.NAME-SERVICES.COM. 4765    IN      A       212.118.243.101
	dns5.NAME-SERVICES.COM. 4765    IN      A       212.118.243.99
	dns5.NAME-SERVICES.COM. 4765    IN      A       212.118.243.100
	DNS1.NAME-SERVICES.COM. 4765    IN      A       63.251.163.102

This approaches the mystical levels of the mythical Ouroboros (the serpent that eats its own tail). In this regard, it seems that some of our home-grown Aussie spammers show as much enterprise as their US colleagues. If only such energy, innovation, ingenuity and sheer native-rat cunning had been devoted to purposes other than spamming!

The IP addresses for the Quantum-tech name servers are 69.31.33.245 and 69.31.36.116. And they are registered as belonging to quantum-tech.com (who else?). However they have been leased from nLayer Communications Inc, who are listed as 44050-195 Ashburn Plaza, #637, Ashburn VA.

A notification has been sent to nLayer Communications to inform them of this. However to date there has only been an automated response.

Since then there has been information received from Belgium that the IP address 69.31.33.79 has been port-scanning computers. The name servers in the Quantum-tech domain continue to dance a complex shuffle. Despite the fact that they appear to have avoided the major lists, SPEWS has fingered them. It may not be long before many lists have banned the CIDR 69.31.32/21.

Feedback:

Spam Diaries:


Mike from Pillmedics

From: Mike (USA)
Date: Sun,  8 Feb 2004 03:38:09 +1100 (EST)

Dear Webmaster,

I read an article by Gerry Patterson that included references to
Quantum-Tech and their spam. We have recently received an e-mail from
wm@payformovies.com regarding "spews.biz". Is this the same guy? The
e-mail header is below. We are trying to locate their service provider.

Received: from localmail1.fastworldmail.com (unknown [202.22.163.16])
        by mail.info-services.net (Postfix) with SMTP id B201316648
        for <customerservice@XXXXXXXXXXXXX.net>; Sat,  7 Feb 2004 09:02:38 -0500
 (EST)
Received: (qmail 11644 invoked from network); 7 Feb 2004 14:26:55 -0000
Received: from unknown (HELO nuclear) (202.22.166.213)
  by localmail1.fastworldmail.com with SMTP; 7 Feb 2004 14:26:55 -0000
Message-ID: <004b01c3ed84$42435200$d5a616ca@nuclear>
From: "admin" <wm@payformovies.com>

Ed: 202.22.163.16 is not listed in any major black lists and does not
appear to be an open relay. According to whois, the address belongs to
an Australian firm called TSN Internet, and is part of their portable
(dynamic) network. According to SenderBase 202.22.163.16
(mailpickup1.fastworldmail.com), and 202.22.163.18
(outcluster2.fastworldmail.com) are sending large volumes of e-mail and
may be spam sources. Pre-emptive postmasters can add these addresses to
their block lists now, rather than waiting for spam to arrive from them.

I am grateful for the fact that Mike (from USA) drew my attention to
Quantum-tech.com again. It seems that I overlooked a few details
concerning the registration of this domain. For more information see the
comments at the top of this document.



SPAM: Mail abuse from the name-services.com group

From johnny_clp@link-builder.com Tue Feb 10 06:00:07 2004
Return-Path: <johnny_clp@link-builder.com>
Received: from mail.linkguage.org (red-corpb36ADSL-75.telnor.net [200.76.229.75] (may be forged))
	by pgts04.xxxx.com.au (8.11.6/8.11.6) with ESMTP id i19J06i87972
	for <info@xxxx.com.au>; Tue, 10 Feb 2004 06:00:06 +1100 (EST)
	(envelope-from johnny_clp@link-builder.com)
Received: from china (mail.linkguage.org [127.0.0.1])
	by mail.linkguage.org (8.12.8/8.12.8) with SMTP id i19ItamB015179
	for <info@xxxx.com.au>; Mon, 9 Feb 2004 10:55:44 -0800
Message-Id: <200402091855.i19ItamB015179@mail.linkguage.org>
Subject: pgts.com.au
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
To: info@xxxx.com.au
Date: Mon, 9 Feb 2004 10:55:36 -0800
From: Johnny R<johnny_clp@link-builder.com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by pgts04.xxxx.com.au id i19J06i87972
Content-Length: 1405
Lines: 31

I am contacting you about cross linking. I am interested in pgts.com.au because it looks like it's relevant to a site for which I am seeking links. The site is about pet care products.

I'll keep the web address confidential and will send it to you only if you give me permission to do so. Just let me know if it's OK, and I'll send you the web address for your review. If you approve of the site, then the intention is to exchange links.

Looking forward to your reply.

Sincerely,
Johnny R
johnny_clp@link-builder.com
http://www.link-builder.com
Experts in Quality Link Building

P.S. If for any reason you don't want me to contact you again, email me with NO EMAIL as the subject.


Link Builder
Apartado Postal #7
Tijuana, B.C. 22001

Ed: This IP address is not listed in major lists (with the exception of
dnsbl.sorbs.net). Judging by the report from senderbase.org however, the
entire netblock 200.76.229/24 looks highly suspicious. It has been added
to the PGTS block list.
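The editor's checks above come down to two steps: walk the Received: chain back to the host that injected the message into the first trustworthy MTA, then test that address against netblocks such as 200.76.229/24 or 69.31.32/21. Here is an added Python example of both steps; it is not code from this page or from PGTS. The header text is the chain quoted in the Pillmedics report (with the recipient replaced by a placeholder), and the two CIDR blocks are the values discussed on this page, not a real block list.

```python
import ipaddress
import re

# Constructed sample: the Received: chain quoted on this page, with the
# folded continuation lines kept as they arrived.
SAMPLE_HEADERS = """\
Received: from localmail1.fastworldmail.com (unknown [202.22.163.16])
        by mail.info-services.net (Postfix) with SMTP id B201316648
        for <customerservice@example.net>; Sat,  7 Feb 2004 09:02:38 -0500
 (EST)
Received: (qmail 11644 invoked from network); 7 Feb 2004 14:26:55 -0000
Received: from unknown (HELO nuclear) (202.22.166.213)
  by localmail1.fastworldmail.com with SMTP; 7 Feb 2004 14:26:55 -0000
From: "admin" <wm@payformovies.com>
"""

# Netblocks named on this page; sample values only, not a maintained list.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in ("200.76.229.0/24", "69.31.32.0/21")]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def unfold(headers):
    """Join folded header continuation lines (leading space/tab) onto their header."""
    lines = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines

def received_ips(headers):
    """IPs in the 'from' clause of each Received: header, newest hop first.
    Only the hop stamped by your own MTA is trustworthy; a sender can forge
    any Received: line that was already present when the message arrived."""
    ips = []
    for line in unfold(headers):
        if not line.lower().startswith("received: from "):
            continue                      # e.g. 'Received: (qmail ... invoked ...)'
        from_clause = line.split(" by ", 1)[0]
        match = IPV4.search(from_clause)
        if match:
            ips.append(match.group(1))
    return ips

def blocked(ip, nets=BLOCKED_NETS):
    """Return the matching netblock as a string, or None if the IP is not listed."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return str(net)
    return None

def check_message(headers):
    """Pair every hop's IP with the block-list entry it falls in (None if clean)."""
    return [(ip, blocked(ip)) for ip in received_ips(headers)]
```

Running `check_message(SAMPLE_HEADERS)` yields the two fastworldmail hops, neither of which falls in the sample blocks; the same function applied to the link-builder.com message would flag 200.76.229.75 against 200.76.229.0/24.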

The main reason for resurrecting the "Spam Diary" was the nameservers
used by link-builder.com. At the time of writing they were
name-services.com. However, a few hours later they had been changed to
dnsnameservice4u.net. The nameservers seem to be in a constant state of
flux. The primary and secondary DNS are constantly changing. This spam
seems to be related to Quantum-tech.com (who have also used
name-services.com).



SPAM: Spam and Bulk e-mailers, hosting - http://mazafaka.ru/

From abuse@majordomo.ru Mon Feb 23 06:02:43 2004
Return-Path: <abuse@majordomo.ru>
Received: from bzq-139-106.red.bezeqint.net (bzq-139-106.red.bezeqint.net [62.219.139.106])
	by pgts04.xxxx.com.au (8.11.6/8.11.6) with SMTP id i1MJ2c505740
	for <gerry@xxxx.com.au>; Mon, 23 Feb 2004 06:02:40 +1100 (EST)
	(envelope-from abuse@majordomo.ru)
Received: from 110.216.112.234 by 62.219.139.106; Sat, 21 Feb 2004 23:30:50 +0400
Message-ID: <NXSIWRCVVNIQMHEVDPLHFOH@mail.ru>
From: "Carlos Sanders" <abuse@majordomo.ru>
Reply-To: "Carlos Sanders" <abuse@majordomo.ru>
To: gerry@xxxx.com.au
Date: Sat, 21 Feb 2004 16:21:50 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="--850225259559076392"
X-Webmail-Time: Sat, 21 Feb 2004 16:25:50 -0300
Content-Length: 1098
Lines: 42

----850225259559076392
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Hello Alexis Strong

Welcome to our site - http://www.mazafaka.ru


On our site you will find more for Hackers and Carders:

1) Children,  Gays, Sex, Porno, Anal - http://mazafaka.ru/xxx/
2) Spam and Bulk e-mailers, hosting - http://mazafaka.ru/
3) Cracks - http://mazafaka.ru/cracks/
4) Viruses and Trojan's - http://mazafaka.ru/viruses/trojans/
5)  Stolen credit cards, guns and heroin - http://mazafaka.ru/forum/
And thank you for using our Forum - http://mazafaka.ru/forum/


Administration.
ICQ: 777887
info@mazafaka.ru
stalk@stalk.ru

----
Great thanks to our Hosting!
http://www.majordomo.ru
support@majordomo.ru





-C-R-Y-P-T-
dispense aventine bean northrup eclipse cloy bronzy couldn't centrifugal p=
ickerel ph.d bowen filly megavolt adrian taketh cadillac nostradamus=20

----850225259559076392--

Ed: This is as bold and brash as any spam I have ever encountered. It
appears to be a genuine advertisement of goods and services for the
Organised Crime sector. They just let it all hang out!
