Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Instant domain check
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

PostPosted: Thu Aug 20, 2009 2:19 pm    Post subject: Instant domain check

My spamtrap surely did not ask for an "instant domain check":

Headers:
Quote:
Delivered-To: <snip>
Received: by 10.216.29.196 with SMTP id <snip>;
Wed, 19 Aug 2009 <snip> -0700 (PDT)
Received: by 10.224.65.40 with SMTP id <snip>;
Wed, 19 Aug 2009 <snip> -0700 (PDT)
Return-Path: <learn@find-your-domain.info>
Received: from mail.domain.com ([203.202.255.153])
by mx.google.com with ESMTP id <snip>;
Wed, 19 Aug 2009 <snip> -0700 (PDT)
Received-SPF: neutral (google.com: 203.202.255.153 is neither permitted nor denied by best guess record for domain of learn@find-your-domain.info) client-ip=203.202.255.153;
Authentication-Results: mx.google.com; spf=neutral (google.com: 203.202.255.153 is neither permitted nor denied by best guess record for domain of learn@find-your-domain.info) smtp.mail=learn@find-your-domain.info
Received: from Jewellaptop ([127.0.0.1])
by mail.domain.com (IceWarp 9.1.0) with SMTP id <snip>
for <snip>; Thu, 20 Aug 2009 <snip> +0700
Message-ID: <[snip]@jewellaptop>
Reply-To: "InstantDomain" <learn@find-your-domain.info>
From: "InstantDomain" <learn@find-your-domain.info>
To: <snip>
Subject: Instant domain check
Date: Thu, 20 Aug 2009 <snip> +0700
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180



Quote:
<body bgcolor="#eeeeee">
<div align="center"> <font face="Arial, Helvetica, sans-serif" size="5"> <a href="http://www.find-your-domain.info">www.find-your-domain.info, Check domain availability instantly!</a><br></font>
<br></div>
<div align="left"><font face="Arial, Helvetica, sans-serif" size="2">
<a href="http://www.find-your-domain.info">www.find-your-domain.info</a> offers ajax based instant domain availability checker. Type the domain name you want to check. You will get instant result. If you like this tool you can <a href="http://www.find-your-domain.info/domain_search.zip">Download </a> and install it on your own website. Enjoy!</font></div></body>



The sending server host 203.202.255.153 (rig153.rad1.global-bd.net) is located in Bangladesh:

Quote:
inetnum: 203.202.240.0 - 203.202.255.255
netname: GOSLBD
descr: Global Online Services Limited,
country: BD
admin-c: SA119-AP
tech-c: SA119-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-BD-GOSL
mnt-routes: MAINT-BD-GOSL
changed: hm-changed at apnic.net 20051107
source: APNIC

route: 203.202.240.0/20
descr: Global Online Services Limited, Internet Service Provider
origin: AS24323
country: BD
mnt-by: MAINT-BD-GOSL
changed: hm-changed@apnic.net 20080114
source: APNIC

person: Syed Faruque Ahmed
nic-hdl: SA119-AP
e-mail: sfque at texasgroup.net
address: 20 Kemal Ataturk Avenue,
address: Safura Tower (12th floor),
address: Banani C/A,
address: Dhaka,
address: Bangladesh.
phone: +880-288-61100
fax-no: +880-288-50044
country: BD
changed: sfque at texasgroup.net 20040521
mnt-by: MAINT-NEW
source: APNIC


Currently not listed by any relevant blacklist.

The spamvertised domain, however, is located elsewhere:

http://www.robtex.com/ip/76.191.102.160.html

find-your-domain.info -> 76.191.102.160

Other stuff on this server:
http://www.robtex.com/ip/76.191.102.160.html

network whois:
Quote:
OrgName: Sentris Network LLC
OrgID: SNL-8
Address: 19662 Aurora N Ave, #B
City: Seattle
StateProv: WA
PostalCode: 98133
Country: US

NetRange: 76.191.100.0 - 76.191.103.255
CIDR: 76.191.100.0/22
NetName: SPECTRUM-SEA-SENTRIS-DISCOUNT-BLOCK-1
NetHandle: NET-76-191-100-0-1
Parent: NET-76-191-64-0-1
NetType: Reallocated
NameServer: NS.WAHJU.COM
NameServer: NS2.WAHJU.COM
Comment:
RegDate: 2008-02-23
Updated: 2008-02-23

OrgAbuseHandle: NETWO1907-ARIN
OrgAbuseName: Network Admin
OrgAbusePhone: +1-206-686-3353
OrgAbuseEmail: supportamerica at sentris.com

OrgNOCHandle: NETWO1907-ARIN
OrgNOCName: Network Admin
OrgNOCPhone: +1-206-686-3353
OrgNOCEmail: supportamerica at sentris.com

OrgTechHandle: NETWO1907-ARIN
OrgTechName: Network Admin
OrgTechPhone: +1-206-686-3353
OrgTechEmail: supportamerica at sentris.com


Interestingly, the domain itself points back to Bangladesh:
Quote:
Domain ID:D28125450-LRMS
Domain Name:FIND-YOUR-DOMAIN.INFO
Created On:24-Mar-2009 05:56:22 UTC
Last Updated On:23-May-2009 20:33:01 UTC
Expiration Date:24-Mar-2010 05:56:22 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Registrant ID:GODA-061418521
Registrant Name:Learn Earn Online
Registrant Organization:LearnEarnOnline
Registrant Street1:Shekher Tek
Registrant Street2:
Registrant Street3:
Registrant City:Dhaka
Registrant State/Province:Dhaka
Registrant Postal Code:1207
Registrant Country:BD
Registrant Phone:+880.1727056050
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:info@learnearnonline.net
Admin ID:GODA-261418521
Admin Name:Learn Earn Online
Admin Organization:LearnEarnOnline
Admin Street1:Shekher Tek
Admin Street2:
Admin Street3:
Admin City:Dhaka
Admin State/Province:Dhaka
Admin Postal Code:1207
Admin Country:BD
Admin Phone:+880.1727056050
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:info@learnearnonline.net
Billing ID:GODA-361418521
Billing Name:Learn Earn Online
Billing Organization:LearnEarnOnline
Billing Street1:Shekher Tek
Billing Street2:
Billing Street3:
Billing City:Dhaka
Billing State/Province:Dhaka
Billing Postal Code:1207
Billing Country:BD
Billing Phone:+880.1727056050
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:info@learnearnonline.net
Tech ID:GODA-161418521
Tech Name:Learn Earn Online
Tech Organization:LearnEarnOnline
Tech Street1:Shekher Tek
Tech Street2:
Tech Street3:
Tech City:Dhaka
Tech State/Province:Dhaka
Tech Postal Code:1207
Tech Country:BD
Tech Phone:+880.1727056050
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:info@learnearnonline.net
Name Server:NS1.LINKSPAPA.COM
Name Server:NS2.LINKSPAPA.COM


Godaddy have a nice "report spam" form and they are notorious for zapping spamvertised domains pretty fast.

Sending emails to:
info@learnearnonline.net
learn@find-your-domain.info
may or may not be read by the spammer.

O.
olliver
Expert Developer
PostPosted: Mon Aug 24, 2009 8:18 am    Post subject:

Spammy is back with another blast:

Quote:
Delivered-To: <spamtrap>
Received: by 10.216.39.85 with SMTP id <snip>;
Sat, 22 Aug 2009 <snip> (PDT)
Received: by 10.220.101.17 with SMTP id <snip>;
Sat, 22 Aug 2009 <snip> -0700 (PDT)
Return-Path: <[snip]me@eigbox.net>
Received: from bosmailout04.eigbox.net (bosmailout04.eigbox.net [66.96.187.4])
by mx.google.com with ESMTP id <snip>;
Sat, 22 Aug 2009 <snip> -0700 (PDT)
Received-SPF: pass (google.com: domain of [snip]me@eigbox.net designates 66.96.187.4 as permitted sender) client-ip=66.96.187.4;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [snip]me@eigbox.net designates 66.96.187.4 as permitted sender) smtp.mail[snip]me@eigbox.net
Received: from bosmailscan23.eigbox.net ([10.20.15.23])
by bosmailout04.eigbox.net with esmtp (Exim)
id <snip>
for <spamtrap>; Sat, 22 Aug 2009 <snip> -0400
Received: from bosimpout01.eigbox.net ([10.20.55.1])
by bosmailscan23.eigbox.net with esmtp (Exim)
id <snip>
for <snip>; Sat, 22 Aug 2009 <snip> -0400
Received: from iis07101.nt.com ([10.15.71.1])
by bosimpout01.eigbox.net with NO UCE
id <snip>; Sat, 22 Aug 2009 <snip> -0400
X-EN-OrigOutIP: 10.15.71.1
X-EN-IMPSID: <snip>
Received: from IIS07101 ([127.0.0.1]) by iis07101.nt.com with Microsoft SMTPSVC(6.0.3790.1830);
Sat, 22 Aug 2009 <snip> -0400
Date: Sat, 22 Aug 2009 <snip> -0400
Subject: Looking for domain name!
To: <snip>
From: DomCheck <admin_b@jeebika.com.bd>
Reply-To: admin_b@jeebika.com.bd
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-ID: <[snip]@iis07101.nt.com>
X-OriginalArrivalTime: 22 Aug 2009<snip> (UTC) FILETIME=[snip]

<body bgcolor="#fefefe">
<div align="center"> <font face="Arial" size="5"> <a href="http://jeebika.com.bd/flash/cong.htm">Instant Domain Check!</a><br></font>
<br></div>
<div align="left"><font face="Arial, Helvetica, sans-serif" size="2">
<a href="http://jeebika.com.bd/flash/cong.htm">Click here</a> and check domain availability instantly. Type and get instant. All top level domains results are available.</font></div></body>


Spammy has a new throwaway domain:
Quote:
olliver@kaori:~$ host jeebika.com.bd
jeebika.com.bd has address 66.96.144.172
jeebika.com.bd mail is handled by 30 mx.jeebika.com.bd

Mail server is in the same block:
olliver@kaori:~$ host 66.96.187.4
4.187.96.66.in-addr.arpa domain name pointer bosmailout04.eigbox.net.

Quote:
OrgName: The Endurance International Group, Inc.
OrgID: EIG-12
Address: 70 Blanchard Road
City: Burlington
StateProv: MA
PostalCode: 01803
Country: US

NetRange: 66.96.128.0 - 66.96.191.255
CIDR: 66.96.128.0/18
NetName: BIZLAND-FC01
NetHandle: NET-66-96-128-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BIZLAND.COM
NameServer: NS2.BIZLAND.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-04-03
Updated: 2005-03-31


But the throwaway domain just redirects visitors to his money page:
Quote:
olliver@kaori:~$ curl http://jeebika.com.bd/flash/cong.htm
<html>
<head>
<meta http-equiv="Refresh" content="0; url=http://www.find-your-domain.info">
</head>
</html

Which is still at the same place:
find-your-domain.info -> 76.191.102.160

Looks like Sentris Network LLC is a good place for bulletproof hosting, but then again, the spammer's mail volume may be just too low to get noticed by blacklists or spam heuristics.

Spammy's site provides some clues:
He's a Google Adsense customer with the number pub-9211204963082487:
Quote:
google_ad_client = "pub-9211204963082487";
/* find-your-domain_img */
google_ad_slot = "9765590236";
google_ad_width = 728;
google_ad_height = 90;


And AffID=575848 for Easycgi's shared hosting affiliate programme

Quote:
http://www.easycgi.com/join/index.bml?AffID=575848&LinkName=find_domain


easycgi.com resolves to 65.254.229.20 which belongs to:
Quote:
OrgName: The Endurance International Group, Inc.
OrgID: EIG-12
Address: 70 Blanchard Road
City: Burlington
StateProv: MA
PostalCode: 01803
Country: US

NetRange: 65.254.224.0 - 65.254.255.255
CIDR: 65.254.224.0/19
NetName: BIZLAND-FC03
NetHandle: NET-65-254-224-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BIZLAND.COM
NameServer: NS2.BIZLAND.COM
Comment:
RegDate: 2004-01-06
Updated: 2005-03-31


Ooops, so he sends his spam from their servers and plants his affiliate links to them on his landing pages. Perhaps someone needs to tell easycgi about their spamming affiliate from Bangladesh:
Quote:
EasyCGI ("EasyCGI") maintains a zero tolerance policy for use of its network or services in any manner associated with the transmission, distribution or delivery of any bulk e-mail, including unsolicited bulk or unsolicited commercial e-mail, or the sending, assisting, or commissioning the transmission of commercial e-mail that does not comply with the U.S. CAN-SPAM Act of 2003 ("SPAM").

http://www.easycgi.com/legal/legal_antispam.bml

Quite clear language in theory... But whether they care in practice? I'll never learn (unless I want to burn my spamtrap).

O.
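Both posts above locate the sending server the same way: walk the Received headers from the top, skip the loopback and RFC 1918 hops, and take the first globally routable address together with the Received-SPF verdict the receiving MX recorded. The following Python is an added example (not olliver's code and not from the forum) that automates that step over two constructed header samples modelled on the thread's two spams; snipped values are replaced with placeholders.

```python
import ipaddress
import re
from email import message_from_string

# Constructed samples modelled on the two spams quoted in the thread;
# snipped ids and timestamps are replaced with placeholders so they parse.
SPAM_AUG_20 = """\
Received: by 10.216.29.196 with SMTP id x1; Wed, 19 Aug 2009 12:00:00 -0700 (PDT)
Received: from mail.domain.com ([203.202.255.153])
\tby mx.google.com with ESMTP id x2; Wed, 19 Aug 2009 12:00:00 -0700 (PDT)
Received-SPF: neutral (google.com: 203.202.255.153 is neither permitted nor denied by best guess record for domain of learn@find-your-domain.info) client-ip=203.202.255.153;
Received: from Jewellaptop ([127.0.0.1])
\tby mail.domain.com (IceWarp 9.1.0) with SMTP id x3
From: "InstantDomain" <learn@find-your-domain.info>

"""
SPAM_AUG_22 = """\
Received: from bosmailout04.eigbox.net (bosmailout04.eigbox.net [66.96.187.4])
\tby mx.google.com with ESMTP id y1; Sat, 22 Aug 2009 09:00:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of someone@eigbox.net designates 66.96.187.4 as permitted sender) client-ip=66.96.187.4;
Received: from IIS07101 ([127.0.0.1]) by iis07101.nt.com with Microsoft SMTPSVC(6.0.3790.1830);
\tSat, 22 Aug 2009 12:00:00 -0400
From: DomCheck <admin_b@jeebika.com.bd>

"""

# "from <helo> ... [<ipv4>]" inside one (unfolded) Received header
FROM_IP = re.compile(r"\bfrom\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def external_relay(raw):
    """Return (helo_name, ip, spf_result) for the hop that handed the mail to
    the recipient's MX. Received headers are newest-first, so the first 'from'
    hop with a globally routable address is the sending server; every hop
    below it was written by the sender's side and could be forged."""
    msg = message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        m = FROM_IP.search(" ".join(hdr.split()))   # unfold continuation lines
        if m and ipaddress.ip_address(m.group(2)).is_global:
            helo, ip = m.group(1), m.group(2)
            break
    else:
        return None
    spf = msg.get("Received-SPF", "")
    result = spf.split(None, 1)[0].lower() if spf else "none"
    cip = re.search(r"client-ip=([\d.]+)", spf)
    # the MX evaluated SPF for one client; flag it if that is not the hop found
    if cip and cip.group(1) != ip:
        result += " (client-ip mismatch)"
    return helo, ip, result
```

Feed the tuple's IP into a whois/rDNS lookup (as the posts do by hand) and note that "neutral" under a best-guess record, as in the first spam, carries no authorisation at all.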