Hi,

On Mon, 10 Nov 2003, Frank Pineau wrote:

> So, I get this message in my inbox this morning.  Unless I'm totally
> misreading the headers, it appears that it actually is from oem-cd.biz.

Nope, it's from an AOL dialup [172.190.115.221]:

$ nslookup 221.115.190.172.dynablock.easynet.nl
Non-authoritative answer:
Name:    221.115.190.172.dynablock.easynet.nl
Address:  127.0.0.2

The RR address given (69.75.80.125) is either a forgery or a disposed-of
exploited cable modem.

oem-cd.biz has a bunch of A records associated with it:

; <<>> DiG 8.3 <<>> oem-cd.biz
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;;      oem-cd.biz, type = A, class = IN

;; ANSWER SECTION:
oem-cd.biz.             1m34s IN A      24.158.204.50
oem-cd.biz.             1m34s IN A      193.77.243.158
oem-cd.biz.             1m34s IN A      68.158.76.242
oem-cd.biz.             1m34s IN A      68.61.178.172
oem-cd.biz.             1m34s IN A      68.61.212.199

;; AUTHORITY SECTION:
oem-cd.biz.             20m16s IN NS    NS2.HOST-800.INFO.
oem-cd.biz.             20m16s IN NS    NS1.HOST-800.INFO.

;; ADDITIONAL SECTION:
NS2.HOST-800.INFO.      19h45m28s IN A  63.246.140.60
NS1.HOST-800.INFO.      17h42m32s IN A  216.185.57.42

;; Total query time: 0 msec
;; FROM: soyokaze to SERVER: default -- 0.0.0.0
;; WHEN: Mon Nov 10 10:17:46 2003
;; MSG SIZE  sent: 28  rcvd: 189

Note the obscenely low TTL on the A records (94 seconds) and NS records
(1216 seconds.) The A records have got to point at 0wnz0r3d cablemodem/DSL
boxes. Let's check their rDNS:

193.77.243.158 :
158.243.77.193.IN-ADDR.ARPA domain name pointer
BSN-77-243-158.dsl.siol.net

216.185.57.42 :
Host not found.

(No rDNS: here's the whois() info from ARIN)
OrgName:    AO Technologies
OrgID:      AOTK
Address:    8314 Harlem Road, Suite 200
City:       Westerville
StateProv:  OH
PostalCode: 43081
Country:    US

NetRange:   216.185.32.0 - 216.185.63.255
CIDR:       216.185.32.0/19
NetName:    AOTECH
NetHandle:  NET-216-185-32-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.CMH.AOTECH.NET
NameServer: NS2.CMH.AOTECH.NET

24.158.204.50 :
50.204.158.24.IN-ADDR.ARPA domain name pointer 24-158-204-50.chartertn.net

63.246.140.60 :
Host not found.

(No rDNS: here's the whois() info from ARIN)
CustName:   North America Internet Exchange, Inc.
Address:    325M Sharon Park Drive, #442
City:       Menlo Park
StateProv:  CA
PostalCode: 94025
Country:    US
RegDate:    2003-02-21
Updated:    2003-02-21

NetRange:   63.246.128.0 - 63.246.143.255
CIDR:       63.246.128.0/20
NetName:    ASN-NAIX-NET-01
NetHandle:  NET-63-246-128-0-2
Parent:     NET-63-246-128-0-1
NetType:    Reassigned
Comment:
RegDate:    2003-02-21
Updated:    2003-02-21

AbuseHandle: ABUSE185-ARIN
AbuseName:   Abuse
AbusePhone:  +1-888-993-9339
AbuseEmail:  [EMAIL PROTECTED]

68.158.76.242 :
242.76.158.68.IN-ADDR.ARPA domain name pointer
adsl-158-76-242.asm.bellsouth.net

68.61.178.172 :
172.178.61.68.IN-ADDR.ARPA domain name pointer
pcp01119246pcs.flshng01.mi.comcast.net

68.61.212.199 :
199.212.61.68.IN-ADDR.ARPA domain name pointer
pcp01111605pcs.flint01.mi.comcast.net

> A quick google on the address reveals it to be yet another marketing
> firm.  This one touts
>
> "You Can Stop Cold Calling Business Prospects & Battling Voice Mail -
> And Make Them Chase You Instead"
>
> Oh, really?  Is that how you get them to chase you?  Curse at them and
> accuse them of being spammers themselves?  Nice.  Anyone else get
> anything like this?

Congratulations! You appear to have found one of the Russian
proxy-virus/spam gangs:

Domain Name:                                 OEM-CD.BIZ
Domain ID:                                   D5625791-BIZ
Sponsoring Registrar:                        DIRECT INFORMATION PVT. LTD.,
(D.B.A. DIRECTI.COM)
Domain Status:                               clientTransferProhibited
Registrant ID:                               DI_213625
Registrant Name:                             Andrey Gurkov
Registrant Organization:                     ZAO ??????
Registrant Address1:                         novie cheremushinskaya str.
15a-7-77
Registrant City:                             Tula
Registrant Postal Code:                      101671
Registrant Country:                          Russian Federation
Registrant Country Code:                     RU
Registrant Phone Number:                     +7.671811
Registrant Email:                            [EMAIL PROTECTED]
...
Name Server:                                 NS2.HOST-800.INFO
Name Server:                                 NS1.HOST-800.INFO

Maybe the best you can do is alert the ISPs of the exploited DSL/Cable
boxes and ask Hotmail to nuke oem-cd.biz's contact address
([EMAIL PROTECTED]).

Don't bother with host-800.info; that's the spammer himself (same contact
info as oem-cd.biz.) There's a ghost of a chance that oem-cd.biz's registrar
(directi.com) might pull their registration for spamming. However, if
you can get <[EMAIL PROTECTED]> revoked, you can report to
directi.com that oem-cd.biz's contact information is invalid (bad email
address) and they just might hold their registration until that gets
fixed.

Dirty business, this spamming...

-- Bob

> Return-Path: <[EMAIL PROTECTED]>
> Received: from ACBE73DD.ipt.aol.com (ACBE73DD.ipt.aol.com [172.190.115.221])
>       by MY SERVER (8.12.10/8.12.10) with SMTP id hAAAVnil024184
>       for <MY ADDRESS>; Mon, 10 Nov 2003 05:32:01 -0500
> Received: from oem-cd.biz (oem-cd.biz [69.75.80.125])
>       by ACBE73DD.ipt.aol.com (Postfix) with ESMTP id B960BE02E1
>       for <MY ADDRESS>; Mon, 10 Nov 2003 05:29:18 -0500
> Return-Receipt-To: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> From: "Carlton U. Receptors" <[EMAIL PROTECTED]>
> To: Frank <MY ADDRESS>
> Subject: Frank
> Date: Mon, 10 Nov 2003 05:29:18 -0500
> Message-ID: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Content-Type: text/plain
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook, Build 10.0.3416
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> Disposition-Notification-To: [EMAIL PROTECTED]
> X-AntiVirus: OK! AntiVir MailGate Version 2.0.1; AVE: 6.15.0.0; VDF: 6.15.0.6
> X-Virus-Scanned: by amavisd-new
> X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
>       MY SERVER
> X-Spam-Level: **
> X-Spam-Status: No, hits=2.1 required=5.0 tests=BAYES_40,
>       RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK autolearn=no version=2.60
>
> fuck you spammer
>


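One way to automate the header reading done in the reply above (trust only the Received line written by your own MTA, then build the reversed-octet DNSBL lookup name), as an added Python example that is not part of the original thread. The header text is a constructed copy of the quoted message with its placeholders kept; the trusted-host set and the DNSBL zone are assumptions.

```python
import re
import ipaddress

# Constructed header block modelled on the message quoted in the thread (placeholders kept).
HEADERS = """\
Received: from ACBE73DD.ipt.aol.com (ACBE73DD.ipt.aol.com [172.190.115.221])
      by MY SERVER (8.12.10/8.12.10) with SMTP id hAAAVnil024184
      for <MY ADDRESS>; Mon, 10 Nov 2003 05:32:01 -0500
Received: from oem-cd.biz (oem-cd.biz [69.75.80.125])
      by ACBE73DD.ipt.aol.com (Postfix) with ESMTP id B960BE02E1
      for <MY ADDRESS>; Mon, 10 Nov 2003 05:29:18 -0500
"""

# Assumption: the hosts whose Received lines we wrote ourselves; anything below them is unverified.
TRUSTED_HOSTS = {"MY SERVER"}

def received_hops(headers):
    """Unfold continuation lines and return (from_ip, by_host) for each Received line, top first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    hops = []
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        by = re.search(r"\bby\s+(.+?)\s+(?:\(|with\b|id\b|for\b)", line)
        hops.append((ip.group(1) if ip else None, by.group(1).strip() if by else None))
    return hops

def connecting_ip(headers, trusted=TRUSTED_HOSTS):
    """The IP that actually connected to our MTA: the only hop whose 'by' host we can vouch for.
    Lower Received lines (here 'from oem-cd.biz [69.75.80.125]') were supplied by the sender
    and may be forged, so they are never used as the origin."""
    for ip, by in received_hops(headers):
        if by in trusted and ip:
            return ip
    return None

def dnsbl_query_name(ip, zone="dynablock.easynet.nl"):
    """Reverse the octets and append the list zone, exactly like the nslookup in the thread."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listed(answer):
    """A DNSBL answers with an address in 127.0.0.0/8 when the IP is listed, NXDOMAIN otherwise."""
    return answer is not None and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
```

Feeding the returned name to a resolver and passing the A-record answer (127.0.0.2 in the thread) to dnsbl_listed reproduces the dialup check by hand.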
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk