Hi *Taka Khumbartha* :
> Claude LaFrenière @ 2006/10/06 12:24:
>> For the moment nothing proves that any exit nodes are responsible for this.
>> We have to do something based on facts, not fears...
>>
>
> How about this then? .... when navigating to www.ezboard.com the proper page
> is loaded and displayed.
> verified by comparing the IP address of www.ezboard.com found with and
> without tor_resolve.exe.
> however, after entering your username/password and logging in from that page,
> the request is handled
> by login.ezboard.com, which resolved to 64.74.223.198 !! the correct IP for
> login.ezboard.com is 209.66.118.157.
> also, the now infamous URL with the flanding.domainsponsor.com and
> SUSPECTED+UNDESIRABLE+BOT junk in it was shown as the address.
> i think 64.74.223.198 possibly now hijacked the ezboard login information!
> unfortunately during this time i was scurrying about trying to reset
> my password and wasn't able to get the IP of the exit node i was using.
>
>> I suggest, if the facts prove that some exit nodes are responsible, that we
>> keep them temporarily, instead of immediately blocking them, and use them
>> as "guinea pigs" to study their behaviour and prevent that kind of abuse in
>> the future.
>>
>> Consider this as a laboratory experience with "cyber-rats" ! ;-)
>> Better than [EMAIL PROTECTED] IMHO.
>>
>> :)
>>
>
> fact or fear, then? ;)
>
> using un-encrypted authentication over Tor is dumb to begin with, but this
> really emphasizes it i think!
> this is too unfortunate as many sites still do not use SSL but sometimes Tor
> users still at least need location privacy.
> so i for one hope we can dispose of these cyber-rats soon.

I found some interesting information about this IP address: 64.74.223.198

*A) First IP query* ... *"The domain name for the specified IP address could not be found"*

Initiating server query ...
Looking up the domain name for IP: 64.74.223.198
(The domain name for the specified IP address could not be found.)
Connecting to the server on standard HTTP port: 80
[Connected]
Requesting the server's default page.
The server returned the following response headers:

HTTP/1.1 200 OK
Connection: close
Date: Sun, 08 Oct 2006 13:45:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
p3p: CP="CAO PSA OUR"
Set-Cookie: Domain=; path=/
Set-Cookie: Domain=223.198; path=/
Set-Cookie: RSAddParams=; path=/
Set-Cookie: RSAddParams=dmxargs=03u3hs9yoaj11qQTDDRRATT40txSy0lsLQ7K3oUg2iAcp4horctsrlkG-ApV8QOKsyB5kP__xvek2IXUyHdaJqI5t6tpKyTKqmJSm0V1DPfpDBHppNXjFKlH8Sm7L3Lvyapfvaaamj6pVRlFechgR5wQkDC7RuB1FqstRZKAhV_EEOZz2zXNybkrsnzAUBfdG-SGB5P-a_1VrJSpHZrlPphCK4r9B1PifOr4w0kNtM-iN3vw-1z6vF07LDwbhPYYYipjk4t0GvDN-nzq_34xVXdgP61cH_Vg..; path=/
Set-Cookie: LastURL=; path=/
Set-Cookie: LastURL=http://64.74.223.198/default.pk; path=/
Set-Cookie: RefPage=; path=/
Set-Cookie: RefPage=0; path=/
Set-Cookie: PCAddParams=; path=/
Set-Cookie: PCAddParams=dmxargs=03u3hs9yoaj11qQTDDRRATT40txSy0lsLQ7K3oUg2iAcp4horctsrlkG-ApV8QOLsy4P_hv7-Pr0nxC0mQbrRNRFdvltLWSTVU5KX2igoZz9K4IzNJi8ZJUk_i03au5b_Jml89plqaTqnFGUV5GGA3nECQcLum4EUWiy1VkhCFf8Qy5svbJc15uVuyjMB8AsGjfpD7srWalaqzkqcjCVxx06BFfV-c6hhPIV-YaUe2n_Rp91Yfp5-Hi3Flw4NEnnMMb0xecb6DOC3en1a_24zSfcIfV1IA; path=/
Set-Cookie: SessionHitCount=; path=/
Set-Cookie: SessionHitCount=1; path=/
Set-Cookie: ActionsTaken=; path=/
Set-Cookie: ActionsTaken=D A1 22L ; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 2381
Vary: Accept-Encoding
Content-Encoding: gzip

Query complete.

*B) Here I found the domain name: enom* *and the hosting provider: internap*

http://www.ipv6tools.com/tools/whois.ch?ip=64.74.223.198&src=ShowIP

Location: United States [City: Oakland, California]
NOTE: More information appears to be available at NET-64-74-223-0-1.
Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1) 64.74.0.0 - 64.74.255.255
eNom INAP-SJE-ENOM-3077 (NET-64-74-223-0-1) 64.74.223.0 - 64.74.223.255

http://www.dnsstuff.com/tools/whois.ch?ip=!NET-64-74-223-0-1&server=whois.arin.net

CustName: eNom
Address: 2002 156th Ave NE
City: Bellevue
StateProv: WA
PostalCode: 98008
Country: US
RegDate: 2005-09-23
Updated: 2005-09-23
NetRange: 64.74.223.0 - 64.74.223.255

http://www.dnsstuff.com/tools/whois.ch?ip=!INO3-ARIN&server=whois.arin.net&type=P

Name: InterNap Network Operations Center
Handle: INO3-ARIN
Company: Internap Network Operations Center
Address: Internap Network Services

From: http://www.completewhois.com/hijacked/index.htm
http://www.completewhois.com/cgi-bin/whois.cgi

Completewhois.Com Whois Server, Version 0.91a33, compiled on May 28, 2006
Unknown domain: 64.74.223.198

[IPv4 whois information for 64.74.223.198 ]
[whois.arin.net]
Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1) 64.74.0.0 - 64.74.255.255
eNom INAP-SJE-ENOM-3077 (NET-64-74-223-0-1) 64.74.223.0 - 64.74.223.255
# ARIN WHOIS database, last updated 2006-10-07 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

[whois.arin.net]
OrgName: Internap Network Services
OrgID: PNAP
NetRange: 64.74.0.0 - 64.74.255.255
CIDR: 64.74.0.0/16
NetName: PNAP-SEA-BLOCK4
NetHandle: NET-64-74-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.PNAP.NET
NameServer: NS2.PNAP.NET
# ARIN WHOIS database, last updated 2006-10-07 19:10

[whois.arin.net]
Internap Network Services PNAP-SEA-BLOCK4 (NET-64-74-0-0-1) 64.74.0.0 - 64.74.255.255
eNom INAP-SJE-ENOM-3077 (NET-64-74-223-0-1) 64.74.223.0 - 64.74.223.255
# ARIN WHOIS database, last updated 2006-10-07 19:10

[whois.arin.net]
CustName: eNom
Address: 2002 156th Ave NE
City: Bellevue
StateProv: WA
PostalCode: 98008
Country: US
RegDate: 2005-09-23
Updated: 2005-09-23
NetRange: 64.74.223.0 - 64.74.223.255
CIDR: 64.74.223.0/24

[OTHER (whois.cyberabuse.org) whois information for 64.74.223.198 ]
[ Informations about 64.74.223.198 ]
IP range : 64.74.223.0 - 64.74.223.255
Network name : INAP-SJE-ENOM-3077
Infos : eNom
Infos : 2002 156th Ave NE
Infos : Bellevue
Infos : WA
Infos : 98008
Country : United States of America (US)
Abuse E-mail : [EMAIL PROTECTED]
Source : ARIN

[OTHER (rbl.completewhois.com) whois information for 64.74.223.198 ]
Listed in country-rirdata: US - United States

*C) Now a very interesting piece of information:* *Listed in a spam black list* :

Listed in blacklist.spambag.org: 64.74.223.0/24 --> Blocked by spambag, see http://www.spambag.org/cgi-bin/spambag?mailfrom=012netil

[OTHER (riswhois.ripe.net) whois information for 64.74.223.198 ]
[riswhois.ripe.net]
route: 64.74.208.0/20
origin: AS12182
descr: INTERNAP-2BLK - Internap Network Services
lastupd-frst: 2006-01-01 00:03Z [EMAIL PROTECTED]
lastupd-last: 2006-10-08 01:28Z [EMAIL PROTECTED]
seen-at: rrc00,rrc01,rrc03,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,rrc14,rrc15
num-rispeers: 84
source: RISWHOIS

http://www.spambag.org/query.html
http://www.spambag.org/cgi-bin/spambag?query=64.74.223.198

*This IP address is listed in spambag.org's record for enom*.

http://www.spambag.org/cgi-bin/spambag?record=enom

Spambag: 63.251.160.0-63.251.199.255
Spambag: 66.151.144.0-66.151.159.255
Spambag: 212.118.240.0-212.118.255.255
Spambag: 69.25.140.0-69.25.159.255
Spambag: 216.52.180.0-216.52.191.255
Spambag: 64.74.80.0-64.74.109.255
Spambag: 64.74.223.0/24
Spambag: 63.251.80.0-63.251.95.255
Spambag: 70.42.32.0-70.42.47.255

*D) And here the beginning of an answer ...:*

*Massive problems with enom.com-hosted spam domain redirectors.*
*enom.com must stop hosting domain redirectors for professional criminal spam gangs*
*enom.com is hosted by Internap. Complaints to Internap have been ignored*
*Internap must stop ignoring spam complaints about enom.com*

*E) Is it related to the "tor-proxy1.internap.com" Tor exit node ???*

US *inap1 *tor-proxy1.internap.com*
Ref: http://serifos.eecs.harvard.edu/cgi-bin/exit.pl?textonly=1

:)

-- Claude LaFrenière
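The check Taka describes above (resolving a name with and without Tor and comparing the answers) written out as an added example; it is not code from the thread or from the Tor project. It speaks Tor's SOCKS4a RESOLVE extension directly, so no tor_resolve.exe is needed; the local Tor SOCKS address and port are assumed, the packet builder, reply parser and comparison run offline, and only tor_resolve() and direct_resolve() need a running Tor and network access.

```python
import socket
import struct

# Assumed local Tor SOCKS listener (Tor's default port); not taken from the thread.
TOR_SOCKS_HOST = "127.0.0.1"
TOR_SOCKS_PORT = 9050
SOCKS4_CMD_RESOLVE = 0xF0      # Tor's RESOLVE extension in the SOCKS4a command byte
SOCKS4_REPLY_GRANTED = 90

def build_resolve_request(hostname: str) -> bytes:
    # SOCKS4a: VN=4, CD=0xF0, DSTPORT=0, DSTIP=0.0.0.1 (marks a 4a request),
    # empty USERID + NUL, then the hostname and a terminating NUL.
    header = struct.pack("!BBH4s", 4, SOCKS4_CMD_RESOLVE, 0, b"\x00\x00\x00\x01")
    return header + b"\x00" + hostname.encode("ascii") + b"\x00"

def parse_resolve_reply(reply: bytes) -> str:
    # 8-byte SOCKS4 reply: VN=0, CD=90 on success, DSTPORT, DSTIP = resolved address.
    if len(reply) != 8:
        raise ValueError("expected an 8-byte SOCKS4 reply, got %d" % len(reply))
    version, code, _port, ip = struct.unpack("!BBH4s", reply)
    if version != 0 or code != SOCKS4_REPLY_GRANTED:
        raise RuntimeError("Tor RESOLVE failed, reply code %d" % code)
    return socket.inet_ntoa(ip)

def tor_resolve(hostname: str, host: str = TOR_SOCKS_HOST, port: int = TOR_SOCKS_PORT) -> str:
    # Ask Tor to resolve the name at the exit node of the current circuit.
    with socket.create_connection((host, port), timeout=60) as sock:
        sock.sendall(build_resolve_request(hostname))
        reply = b""
        while len(reply) < 8:          # recv may return fewer than 8 bytes at once
            chunk = sock.recv(8 - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_resolve_reply(reply)

def direct_resolve(hostname: str) -> list:
    # Local resolver's IPv4 answers; round-robin DNS may return several.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None, socket.AF_INET)})

def check_exit_resolution(hostname: str, tor_answer: str, direct_answers: list) -> dict:
    # Suspicious when the exit's answer appears in none of the direct answers.
    return {"hostname": hostname, "tor": tor_answer, "direct": direct_answers,
            "suspicious": tor_answer not in direct_answers}

if __name__ == "__main__":
    name = "login.ezboard.com"
    print(check_exit_resolution(name, tor_resolve(name), direct_resolve(name)))
```

Round-robin or geo-aware DNS can also make the exit's answer differ from the local resolver's, so a mismatch is a prompt to note which exit node the circuit is using and look further, not proof by itself.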