Feedback: February 2004, Published: March 2004
This month some additional information from the USA regarding spam.
Many ISPs only accept abuse notifications concerning the actual source of the spam. However, in the case of portable addresses and open relays, such an approach is not worth pursuing. In any case, open relays are already well documented, and there are several publicly available lists of these sources.
Some postmasters opt for blocking portable (or dynamic) networks. There is the well known Pan-Am Dynamic List Project (see: http://www.pan-am.ca/pdl/). The data is also available from Open Source contributors.
PGTS does not receive much spam, since the MTA at this site is a well configured Open Source variant.
And so an e-mail from the USA arrived with information that might shed some light on the activities of our old friend Mike from Girrawheen. This message from the USA reported some spam which was promoting a site called spews.biz. This porn site uses a name that is possibly a (rather lame) joke at the expense of SPEWS (the legendary spam blocking list). The whois listing gives the following (obviously false) information:
Domain Name: SPEWS.BIZ
Domain ID: D5473023-BIZ
Sponsoring Registrar: TUCOWS INC.
Domain Status: ok
Registrant ID: TUYJMBPYBCZ7TBXN
Registrant Name: polymenas Ioannis
Registrant Organization: spamcop
Registrant Address1: 56 Kleyerstr st
Registrant City: frankfurt
Registrant State/Province: na.
Registrant Postal Code: 60326
Registrant Country: Germany
Registrant Country Code: DE
At the time that I investigated them, Spews.biz were using quantum-tech.com for the primary and secondary DNS. And it was then that I realised that the domain quantum-tech.com did not appear to have been set up correctly.
Quantum-tech.com still had the address of PO Box 6111 in Girrawheen and were hosted by the domain enom.com. The DNS entry for enom.com had not been set up correctly either. And yet somehow they had hosted themselves! According to whois, enom.com was located at PO Box 7449 in Bellevue WA (not far from Girrawheen - small world isn't it?). Although they had hosted themselves, enom.com used the name servers at name-services.com, which at the time was another domain that had not been set up correctly.
The registry that hosted name-services.com was enom.com. So I was starting to go round in circles. The name servers for name-services.com were:
dns2.NAME-SERVICES.COM. 4765 IN A 188.8.131.52
dns3.NAME-SERVICES.COM. 4765 IN A 184.108.40.206
dns4.NAME-SERVICES.COM. 4765 IN A 220.127.116.11
dns5.NAME-SERVICES.COM. 4765 IN A 18.104.22.168
dns5.NAME-SERVICES.COM. 4765 IN A 22.214.171.124
dns5.NAME-SERVICES.COM. 4765 IN A 126.96.36.199
DNS1.NAME-SERVICES.COM. 4765 IN A 188.8.131.52
This approaches the mystical levels of the mythical Ouroboros (the serpent that eats its own tail). In this regard, it seems that some of our home-grown Aussie spammers show as much enterprise as their US colleagues. If only such energy, innovation, ingenuity and sheer native-rat cunning had been devoted to purposes other than spamming!
The IP addresses for the Quantum-tech name servers are 184.108.40.206 and 220.127.116.11. And they are registered as belonging to quantum-tech.com (who else?). However they have been leased from nLayer Communications Inc, who are listed as 44050-195 Ashburn Plaza, #637, Ashburn VA.
A notification has been sent to nLayer Communications to inform them of this. However to date there has only been an automated response.
Since then, information has been received from Belgium that the IP address 18.104.22.168 has been port-scanning computers. The name servers in the Quantum-tech domain continue to dance a complex shuffle. Despite the fact that they appear to have avoided the major lists, SPEWS has fingered them. It may not be long before many lists have banned the CIDR 69.31.32/21.
Mike from Pillmedics
From: Mike (USA)
Date: Sun, 8 Feb 2004 03:38:09 +1100 (EST)

Dear Webmaster,

I read an article by Gerry Patterson that included references to Quantum-Tech and their spam. We have recently received an e-mail from email@example.com regarding "spews.biz". Is this the same guy? The e-mail header is below. We are trying to locate their service provider.

Received: from localmail1.fastworldmail.com (unknown [22.214.171.124])
    by mail.info-services.net (Postfix) with SMTP id B201316648
    for <customerservice@XXXXXXXXXXXXX.net>; Sat, 7 Feb 2004 09:02:38 -0500 (EST)
Received: (qmail 11644 invoked from network); 7 Feb 2004 14:26:55 -0000
Received: from unknown (HELO nuclear) (126.96.36.199)
    by localmail1.fastworldmail.com with SMTP; 7 Feb 2004 14:26:55 -0000
Message-ID: <004b01c3ed84$42435200$d5a616ca@nuclear>
From: "admin" <firstname.lastname@example.org>

Ed: 188.8.131.52 is not listed in any major black lists and does not appear to be an open relay. According to whois, the address belongs to an Australian firm called TSN Internet, and is part of their portable (dynamic) network. According to SenderBase, 184.108.40.206 (mailpickup1.fastworldmail.com) and 220.127.116.11 (outcluster2.fastworldmail.com) are sending large volumes of e-mail and may be spam sources. Pre-emptive postmasters can add these addresses to their block lists now, rather than waiting for spam to arrive from them. I am grateful for the fact that Mike (from USA) drew my attention to Quantum-tech.com again. It seems that I overlooked a few details concerning the registration of this domain. For more information see the comments at the top of this document.
SPAM: Mail abuse from the name-services.com group
From email@example.com Tue Feb 10 06:00:07 2004
Return-Path: <firstname.lastname@example.org>
Received: from mail.linkguage.org (red-corpb36ADSL-75.telnor.net [18.104.22.168] (may be forged))
    by pgts04.xxxx.com.au (8.11.6/8.11.6) with ESMTP id i19J06i87972
    for <email@example.com>; Tue, 10 Feb 2004 06:00:06 +1100 (EST)
    (envelope-from firstname.lastname@example.org)
Received: from china (mail.linkguage.org [127.0.0.1])
    by mail.linkguage.org (8.12.8/8.12.8) with SMTP id i19ItamB015179
    for <email@example.com>; Mon, 9 Feb 2004 10:55:44 -0800
Message-Id: <200402091855.i19ItamB015179@mail.linkguage.org>
Subject: pgts.com.au
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
To: firstname.lastname@example.org
Date: Mon, 9 Feb 2004 10:55:36 -0800
From: Johnny R<email@example.com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by pgts04.xxxx.com.au id i19J06i87972
Content-Length: 1405
Lines: 31

I am contacting you about cross linking. I am interested in pgts.com.au because it looks like it's relevant to a site for which I am seeking links. The site is about pet care products. I'll keep the web address confidential and will send it to you only if you give me permission to do so. Just let me know if it's OK, and I'll send you the web address for your review. If you approve of the site, then the intention is to exchange links.

Looking forward to your reply.

Sincerely,
Johnny R
firstname.lastname@example.org
http://www.link-builder.com
Experts in Quality Link Building

P.S. If for any reason you don't want me to contact you again, email me with NO EMAIL as the subject.

Link Builder
Apartado Postal #7
Tijuana, B.C. 22001

Ed: This IP address is not listed in major lists (with the exception of dnsbl.sorbs.net). Judging by the report from senderbase.org, however, the entire netblock 200.76.229/24 looks highly suspicious. It has been added to the PGTS block list.
The main reason for resurrecting the "Spam Diary" was the nameservers used by link-builder.com. At the time of writing they were name-services.com. However, a few hours later they had been changed to dnsnameservice4u.net. The nameservers seem to be in a constant state of flux: the primary and secondary DNS are constantly changing. This spam seems to be related to Quantum-tech.com (who have also used name-services.com).
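Both Mike's question above (which Received header names the real source, given that "(may be forged)" and the lower headers cannot be trusted) and the block-list additions noted in this diary (69.31.32/21, 200.76.229/24) come down to the same two steps: pull the sending address out of each Received header and match it against CIDR entries written in the shorthand block lists use. The script below is an added example, not code from PGTS or any of the senders; the sample message, hostnames and addresses are constructed, and only the two CIDR strings are taken from the diary.

```python
import email
import ipaddress
import re

# Constructed sample: the hostnames and addresses are made up; only the
# CIDR shorthand in BLOCK_LIST is taken from the diary entries above.
RAW_MESSAGE = """\
Received: from mail.example.invalid (adsl-75.example.invalid [200.76.229.75] (may be forged))
\tby mx.example.invalid (8.11.6/8.11.6) with ESMTP id i1AXXXX012345
\tfor <postmaster@example.invalid>; Tue, 10 Feb 2004 06:00:06 +1100 (EST)
Received: from unknown (HELO nuclear) (69.31.35.10)
\tby mail.example.invalid with SMTP; 7 Feb 2004 14:26:55 -0000
From: "admin" <admin@example.invalid>
"""
BLOCK_LIST = ["69.31.32/21", "200.76.229/24"]   # shorthand as block lists print it
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def normalize_cidr(text):
    """Expand shorthand like 69.31.32/21 to 69.31.32.0/21 for ipaddress."""
    net, _, prefix = text.partition("/")
    octets = net.split(".") + ["0"] * (3 - net.count("."))
    return ipaddress.ip_network(".".join(octets) + "/" + prefix, strict=False)

def received_hops(raw):
    """Return [(ip, forged)] per Received header, top (our own MX) first.
    Only the top header was written by a server we control; every lower
    one may have been inserted by the sender, so treat those as claims."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
        # the sending host is described before " by "; drop the rest
        from_part = re.split(r"\s+by\s+", unfolded, maxsplit=1, flags=re.I)[0]
        try:
            ip = ipaddress.ip_address(IPV4_RE.search(from_part).group(1))
        except (AttributeError, ValueError):
            continue   # no address at all (qmail "invoked from network") or a bad octet
        # sendmail appends "(may be forged)" when reverse DNS does not match forward
        hops.append((str(ip), "may be forged" in from_part.lower()))
    return hops

def check_hops(raw, block_list):
    """Tag each hop with the first block-list network that contains it."""
    nets = [normalize_cidr(c) for c in block_list]
    report = []
    for ip, forged in received_hops(raw):
        hit = next((str(n) for n in nets if ipaddress.ip_address(ip) in n), None)
        report.append({"ip": ip, "forged": forged, "blocked_by": hit})
    return report
```

For an abuse report, only the hop recorded by your own MX (the first entry) is evidence; the entries below it are what the sender chose to write.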
SPAM: Spam and Bulk e-mailers, hosting - http://mazafaka.ru/
From email@example.com Mon Feb 23 06:02:43 2004
Return-Path: <firstname.lastname@example.org>
Received: from bzq-139-106.red.bezeqint.net (bzq-139-106.red.bezeqint.net [22.214.171.124])
    by pgts04.xxxx.com.au (8.11.6/8.11.6) with SMTP id i1MJ2c505740
    for <email@example.com>; Mon, 23 Feb 2004 06:02:40 +1100 (EST)
    (envelope-from firstname.lastname@example.org)
Received: from 126.96.36.199 by 188.8.131.52; Sat, 21 Feb 2004 23:30:50 +0400
Message-ID: <NXSIWRCVVNIQMHEVDPLHFOH@mail.ru>
From: "Carlos Sanders" <email@example.com>
Reply-To: "Carlos Sanders" <firstname.lastname@example.org>
To: email@example.com
Date: Sat, 21 Feb 2004 16:21:50 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--850225259559076392"
X-Webmail-Time: Sat, 21 Feb 2004 16:25:50 -0300
Content-Length: 1098
Lines: 42

----850225259559076392
Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Hello Alexis Strong
Welcome to our site - http://www.mazafaka.ru
On our site you will find more for Hackers and Carders:
1) Children, Gays, Sex, Porno, Anal - http://mazafaka.ru/xxx/
2) Spam and Bulk e-mailers, hosting - http://mazafaka.ru/
3) Cracks - http://mazafaka.ru/cracks/
4) Viruses and Trojan's - http://mazafaka.ru/viruses/trojans/
5) Stolen credit cards, guns and heroin - http://mazafaka.ru/forum/
And thank you for using our Forum - http://mazafaka.ru/forum/
Administration.
ICQ: 777887
firstname.lastname@example.org
email@example.com
----
Great thanks to our Hosting! http://www.majordomo.ru
firstname.lastname@example.org
-C-R-Y-P-T- dispense aventine bean northrup eclipse cloy bronzy couldn't centrifugal p=
ickerel ph.d bowen filly megavolt adrian taketh cadillac nostradamus=20
----850225259559076392--

Ed: This is as bold and brash as any spam I have ever encountered. It appears to be a genuine advertisement of goods and services for the Organised Crime sector. They just let it all hang out!