BadCow Spam

Postby 10pair » Sun Apr 30, 2006 6:19 am

Anyone good at tracking down spammers?

I used the spamcop tool to identify 'risinglordames.com' as being hosted by hichina.com - eventually received a reply from hichina, but they said the site had nothing to do with them:

The repugnant activity has nothing to do with us.


In the past I've found a combination of spamcop & manual reporting to be very effective at stopping spam, but this particular online pharmacy spam seems to be exceptionally good at persisting.

I know I could just filter the spam I get for this site & its many variants (about 300 spams per day) but they bug me & if I can report them to the correct place that would be very satisfying. If, that is, the 'correct place' actually recognises the problem in the first place.

They send a subject line always of the format 'drug name in capitals, interspersed with a few random lower case letters', 'space', followed by 'new' or 'news':

Image

This particular spammer seems to change the network they actually use to send the spam, virtually every single mail. Either that or they are very good at forging headers.

So any info on risinglordames.com would be good

Previous domains used by the same spammer include:

ascendingmorsab.com
wicipasse.com
otecoureis.com
baicoscu.com
ploretocea.com
edeavilat.com

(Spamcop reports all these as being hosted by hichina.com, which they deny when contacted directly. Perhaps hichina.com really does have nothing at all to do with chinatietong.com, or perhaps they are taking the line that merely hosting the site, rather than allowing the sending of the mail itself, doesn't constitute collusion with the spammers. I don't know. Maybe neither hichina.com nor chinatietong.com really have anything to do with it at all! This stuff makes my head hurt.)

Here is an example of spamcop's analysis (an expanded excerpt of the part where it investigates a spamvertised web address).. one of hundreds all ultimately reaching the same conclusion as to the origin of the sites' hosting:

Code:
Resolving link obfuscation

   http://www.risinglordames.com
   Host www.risinglordames.com (checking ip) = 61.233.42.4
   host 61.233.42.4 (getting name) no name

Tracking link: http://www.risinglordames.com

Resolves to 61.233.42.4

Routing details for 61.233.42.4

Reports routes for 61.233.42.4:
routeid:19140192 61.232.0.0 - 61.237.255.255 to:crnet_mgr@chinatietong.com
Administrator found from whois records
routeid:19140193 61.232.0.0 - 61.237.255.255 to:crnet_tec@chinatietong.com
Administrator found from whois records

Tracking details
"whois 61.233.42.4@whois.apnic.net" (Getting contact from whois.apnic.net mirror)

$ whois 61.233.42.4

[spamcop mirror]

inetnum:      61.232.0.0 - 61.237.255.255
netname:      CRTC
country:      CN
descr:        CHINA RAILWAY TELECOMMUNICATIONS CENTER
admin-c:      LQ112-AP
tech-c:       LM273-AP
status:       ALLOCATED PORTABLE
changed:      ipxx@cnxxxxxxxxxx 20030121
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

person:       liu min
nic-hdl:      LM273-AP
e-mail:       crxxxxxxx@chxxxxxxxxxxxxxx
address:      22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone:        +86-10-51848796
fax-no:       +86-10-51842426
country:      CN
changed:      ipxx@cnxxxxxxxxxx 20041208
mnt-by:       MAINT-CNNIC-AP
source:       APNIC

person:       LV QIANG
nic-hdl:      LQ112-AP
e-mail:       crxxxxxxx@chxxxxxxxxxxxxxx
address:      22F Yuetan Mansion,Xicheng District,Beijing,P.R.China
phone:        +86-10-51892106
fax-no:       +86-10-51890674
country:      CN
changed:      ipxx@cnxxxxxxxxxx 20050823
mnt-by:       MAINT-CNNIC-AP
source:       APNIC


lq112-ap = crnet_mgr@chinatietong.com
lm273-ap = crnet_tec@chinatietong.com
whois.apnic.net 61.233.42.4 = crnet_mgr@chinatietong.com, crnet_tec@chinatietong.com
whois: 61.232.0.0 - 61.237.255.255 = crnet_mgr@chinatietong.com, crnet_tec@chinatietong.com


Routing details for 61.233.42.4

Reports routes for 61.233.42.4:
routeid:19140215 61.232.0.0 - 61.237.255.255 to:crnet_mgr@chinatietong.com
Administrator found from whois records
routeid:19140216 61.232.0.0 - 61.237.255.255 to:crnet_tec@chinatietong.com
Administrator found from whois records

Using abuse net on crnet_mgr@chinatietong.com
abuse net chinatietong.com = postmaster@chinatietong.com, abuse@hichina.com
Using best contacts postmaster@chinatietong.com abuse@hichina.com


Cached whois for 61.233.42.4 : crnet_mgr@chinatietong.com crnet_tec@chinatietong.com
Using abuse net on crnet_mgr@chinatietong.com
abuse net chinatietong.com = postmaster@chinatietong.com, abuse@hichina.com
Using best contacts postmaster@chinatietong.com abuse@hichina.com


However if I do a manual reverse DNS lookup on 61.233.42.4 I get:

unable to resolve 61.233.42.4


which seems odd to me; still, I know very little about the finer points of IP & DNS.

[edit]
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL41070
http://www.spamhaus.org/rokso/listing.l ... /%20BadCow
After a bit of research it seems the outfit behind these spams is run by one Leo Kuvayev / BadCow.
There's even a nice mugshot of the happy character at the above links.
Guess not a lot can be done apart from filtering, to all intents & purposes
[/edit]

Anybody else plagued by these jokers? Any comments from the network specialists out there?
Skype available if necessary, PM for my ID
PRO Level 9
Posts: 371
Joined: Wed Nov 02, 2005 3:30 pm
Location: Liverpool Area, UK
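As an added illustration (not part of the thread), here is a small Python parser that does by code what the Spamcop excerpt above does for you: it splits the APNIC whois text into records, finds the inetnum range that contains 61.233.42.4, and resolves the admin-c/tech-c handles to their person records. The sample whois text is constructed from the quoted excerpt, with the same redacted e-mail addresses.

```python
import ipaddress
# Constructed sample in the style of the APNIC whois output quoted above (e-mails redacted as in the post).
SAMPLE_WHOIS = """\
inetnum:      61.232.0.0 - 61.237.255.255
netname:      CRTC
admin-c:      LQ112-AP
tech-c:       LM273-AP
source:       APNIC

person:       LV QIANG
nic-hdl:      LQ112-AP
e-mail:       crxxxxxxx@chxxxxxxxxxxxxxx

person:       liu min
nic-hdl:      LM273-AP
e-mail:       crxxxxxxx@chxxxxxxxxxxxxxx
"""

def parse_whois(text):
    """Split RPSL-style whois output into blank-line-separated records (dicts)."""
    records, current = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), value.strip())   # keep the first value of a repeated key
    return records

def covering_inetnum(records, ip):
    """Return the inetnum record whose address range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for rec in records:
        if "inetnum" in rec:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in rec["inetnum"].split("-"))
            if lo <= addr <= hi:
                return rec
    return None

def contacts_for_ip(text, ip):
    """Map the admin-c/tech-c handles of the covering range to their person e-mail addresses."""
    records = parse_whois(text)
    net = covering_inetnum(records, ip)
    if net is None:
        return {}
    by_handle = {r["nic-hdl"]: r for r in records if "nic-hdl" in r}
    return {net[r]: by_handle.get(net[r], {}).get("e-mail") for r in ("admin-c", "tech-c") if r in net}
```

Note that this attribution comes from the address-range allocation in whois, not from reverse DNS, so the missing PTR record for 61.233.42.4 does not change who the range is registered to.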

Postby NT50 » Wed May 03, 2006 11:05 pm

Are you just wanting to catch this guy, get him to stop, or what? Does Spamcop just send reports to you or does it report it to the spamming database etc etc etc. This person is probably just spoofing hichina.com and once he uses it up he will find another to spoof. I have used this software a little but really not sure about it, it is called iHateSpam. It says it reports it to some type of database that will be used by the software online and I think other software uses the same database.

Anyway I was just wondering how far you want to go with this person.
Dogs Have Owners; Cats Have Staff
PROfessional Member
Posts: 8220
Joined: Sat Jun 19, 2004 4:46 pm
Location: Jackson, TN USA
Real Name: Jeff Replogle

Postby 10pair » Thu May 04, 2006 12:00 am

It parses spam, prepares reports to send to the spammer's ISP & to the administrators of compromised networks, and compiles aggregate info for some kind of commonly used spam blacklist. I use it to analyse spam to attempt to discover the source & networks used, before either sending its reports as-is, or else sending them manually myself.

Before I reply further I'd better just say that really, I've decided the best thing to do is just let the filters take care of it. Don't want anyone to spend time on something that's increasingly looking like an insoluble problem. There are just too many unknowns for it to be anything other than an academic exercise now I think, for all but the most intrepid of spammer hunters.

Initially I wanted to try & convince the host of the spam-advertised site to take a look at it & consider closing it. But now, it seems like a lost cause as far as I can tell. I don't have enough network knowledge to differentiate fact from fiction in the headers and within spamcop's processing, to the depths necessary. It's looking like I would have to spend a massive amount of time & energy trying to successfully pin the true identity of the host down, and even if I did, there seems to be little hope of actually getting anything done short of engaging International Rescue.

All of these mails (and there are thousands of them now in my junk folder lol) advertise the same site. The domain name changes regularly, but it always resolves to the same IP, whether I use spamcop or various flavours of other tools such as traceroute - 61.233.42.4; & the site content shows up as identical on all domains. Looks like there's hundreds of different domains all pointing to one IP.

As far as I can tell using spamcop, 61.233.42.4 is under the control of chinatietong, for whom the abuse address appears to be @hichina.com - but I'm not entirely confident of this. hichina did acknowledge receipt of my reports, but denied any involvement & asked to receive no further reports. Therefore, without any better info to go on, I've no choice but to believe them. I don't believe them, but with the tools and abilities at my command I can't prove anything.

The quandary is that whilst I must give them the benefit of the doubt, china railway / chinatietong / hichina do seem to have been widely accused in the past of providing a 'bulletproof haven' of web hosting to spammers, from reading around the spam newsgroups. From what I've read, I would totally expect them to deny hosting a spammer's website & accuse the spam reporter themselves of spamming :confused

At the same time however, as you mentioned, it's possible spammers may be spoofing hichina.com? I don't know. Hichina itself isn't mentioned by name in the spam - the connection is, that spamcop universally decides that the spamvertised domains always resolve to 61.233.42.4, and then it further attributes that IP each and every time to hichina hosting. See the example of spamcop's processing above. So, I guess the question would be, is it possible for the spammer to misattribute the host of the IP address somewhere along the line in the DNS system, so that spamcop thinks hichina is the correct reporting address when in fact it's not.

Or, alternatively, is spamcop just plain getting it wrong when it says hichina is the host for 61.233.42.4 ? That's possible..

Or are hichina just passing the buck? After all, if they *are* hosting the spamvertised site, that still doesn't technically make them spam hosts themselves. They're just hosting a website. I haven't been able to find their TOS, maybe they don't even prohibit it! In which case, I guess that's the end of the story, short of asking Tony Blair & George Bush to intervene in the international spam wars

One thing does seem suspicious & that is that hichina appears to bounce all messages to their abuse address from spamcop. It was only when I mailed them direct that I got any kind of response at all. Sign of guilt from a dodgy ISP, or exasperation from an ISP under fire from a misconfigured spam-reporting organisation?

'Who Knows' lol. Certainly not the end users like me. Back to the filters.

I'll have a look at iHateSpam, thanks.

Postby NT50 » Thu May 04, 2006 12:52 am

Hmmmm....

I have chased a problem like this before also. Just remember, it could be somebody on the inside also............

Postby 10pair » Thu May 04, 2006 1:31 am

I'm reasonably convinced it's nothing so sinister, not that I have any particular proof of that.. it's just a PITA lol. I've gotten everything else to stop pretty successfully using spamcop, so this last one sticks out. I guess you have to hand it to them for staying power.

I was amazed spamcop did as well as it did really - the inbox which is 'under fire' was widely and ill-advisedly advertised openly across the 'net a few years back, FFA links programs etc etc etc, so it's not surprising really it's gotten itself onto a few stubborn lists.

Thought provoking comment though, worth a few follow ups..

Postby 3D-Orbit » Fri May 05, 2006 7:08 pm

If you use Gmail, Yahoo, or Hotmail, try downloading Blue Frog for free. Blue Frog will post complaints on the spammers site to remove your name from their mailing lists. It reduced spam dramatically on one of my Gmail accounts. If you use FireFox, you can also download the Blue Frog extension. Good Luck

http://www.bluesecurity.com/blue-frog/

https://addons.mozilla.org/firefox/1863/
PRO Level 2
Posts: 27
Joined: Sun Jun 19, 2005 5:38 am
Location: Midwest
