Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

starlogic.biz referrer spam

Spyware Warrior Forum Index -> Spam

olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

PostPosted: Wed Aug 12, 2009 1:33 am    Post subject: starlogic.biz referrer spam

I've just noticed that my firewall ruleset for Dutch Ecatel, a hosting company that has a long history of harbouring Ruskrainian cybercrime [1], contained a gaping hole and excluded a range I was missing out on. But thanks to Ecatel's customer base, this isn't hard to discover, so that hole is finally plugged by now :). Within this range, a server resides which apparently serves as spambot to drive customers to a Russia-based Ecatel reseller, who call themselves starlogic.biz. Their spam, however, didn't get through, because my heuristics were triggered, so all they got were 403 responses from my webserver:

Quote:
93.174.93.54 - - [11/Aug/2009:16:52:26 +0200] www.example.com "GET / HTTP/1.0" 403 202 "http://starlogic.biz/Time_to_change_hosting" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)"
93.174.93.54 - - [11/Aug/2009:16:52:26 +0200] www.example.com "GET / HTTP/1.0" 403 202 "http://starlogic.biz/Time_to_change_hosting" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)"
93.174.93.54 - - [11/Aug/2009:16:52:26 +0200] www.example.com "GET / HTTP/1.0" 403 202 "http://starlogic.biz/Time_to_change_hosting" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
93.174.93.54 - - [11/Aug/2009:16:52:26 +0200] www.example.com "GET / HTTP/1.0" 403 202 "http://starlogic.biz/Time_to_change_hosting" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


When we look up the ip-address we can spot the following:
Quote:
inetnum: 93.174.93.0 - 93.174.93.255
netname: NL-ECATEL
descr: AS29073, Ecatel LTD
country: NL
admin-c: EL25-RIPE
tech-c: EL25-RIPE
status: ASSIGNED PA
mnt-by: ECATEL-MNT
mnt-lower: ECATEL-MNT
mnt-routes: ECATEL-MNT
source: RIPE # Filtered

role: Ecatel LTD
address: P.O.Box 19533
address: 2521 CA The Hague
address: Netherlands
abuse-mailbox: abuse@ecatel.net
admin-c: EL25-RIPE
tech-c: EL25-RIPE
nic-hdl: EL25-RIPE
source: RIPE # Filtered

% Information related to '93.174.88.0/21AS29073'

route: 93.174.88.0/21
descr: AS29073, Route object
origin: AS29073
mnt-by: ECATEL-MNT
source: RIPE # Filtered


It looks like the customer was assigned this 93.174.93.0/24, but there are no details available. This "anonymisation", of course, isn't particularly helpful and fortunately not what the majority of legitimate hosting companies do. The spammer plays some DNS tricks, apparently to fool inexperienced users and direct complaints to the wrong parties:

93.174.93.54 resolves to borderfreehosting.com.
borderfreehosting.com, however, resolves to 69.89.31.78.

69.89.31.78 in return resolves to box278.bluehost.com, a hosting company located in Provo, UT.

If we try to visit that page, we are greeted with a "suspended" screen:
Quote:
This Domain (borderfreehosting.com) Has Been Disabled
For information on restoring your account please call customer service as soon as possible

When/If you call our support help line, please have your site name ready.

raw HTTP headers:

HTTP/1.1 302 Found
Date: Wed, 12 Aug 2009 08:33:11 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Location: http://box278.bluehost.com/suspended.page/disabled.cgi/borderfreehosting.com
Content-Type: text/html; charset=iso-8859-


Apparently, whoever owned the domain before no longer has control over it:
Quote:
Registrar: FastDomain Inc.
Provider Name....: BlueHost.Com
Provider Whois...: whois.bluehost.com
Provider Homepage: http://www.bluehost.com/

Domain Name: BORDERFREEHOSTING.COM

Created on..............: 2008-06-29 04:49:39 GMT
Expires on..............: 2009-07-25 19:30:40 GMT
Last modified on........: 2009-02-23 14:48:15 GMT

Registrant Info: (FAST-12785240)
Attn: borderfreehosting.com
BlueHost.com- INC
1958 South 950 East
** FREE DOMAIN REGISTRATION **
Hosting plans starting at ONLY $6.95 per month -
Provo, Utah 84606
United States
Phone: +1.8017659400
Fax..: +1.8017651992
Email: whois @ bluehost.com
Last modified: 2009-04-10 18:18:13 GMT


Note that as I wrote in earlier instances, it is trivial to set a server's PTR to domains belonging to someone else, because the authority for PTR changes, unlike A or CNAME records, is delegated to the network owner (which may allow his/her customers to set them to anything they want). Therefore I believe that "borderfreehosting.com" is just a smoke screen unrelated to the Russian hosting bidniz.

How do I know they're Russians? This is the part I want to shed some light on next:

starlogic.biz resolves to 82.146.57.16, which belongs to a Russian hosting company:
Quote:
inetnum: 82.146.56.0 - 82.146.63.255
netname: ISPSYSTEM
descr: ISPsystem at CORBINA
country: RU
admin-c: PAS28-RIPE
tech-c: AB11726-RIPE
status: ASSIGNED PA
remarks: INFRA-AW
mnt-by: ISPSYSTEM-MNT
source: RIPE # Filtered

person: Peter A Svistunov
address: ISPsystem, Raduzhny 34a
address: Irkutsk, 664017, Russian Federation
phone: +7 3952 525789
abuse-mailbox: abuse at ispserver.com
nic-hdl: PAS28-RIPE
source: RIPE # Filtered

person: Alexandr Brukhanov
address: PoBox30, 664017, Irkutsk, Russia
phone: +7 495 727 38 79
nic-hdl: AB11726-RIPE
source: RIPE # Filtered

% Information related to '82.146.56.0/21AS29182'

route: 82.146.56.0/21
descr: ISPsystem-RU
origin: AS29182
mnt-by: ISPSYSTEM-MNT
remarks: **************************************
remarks: * For spamming or other abuse issues
remarks: * please send your requests to
remarks: * abuse at ispserver.com
remarks: **************************************
source: RIPE # Filtered


Exhibit 2 is the PTR of this ip-address:
82.146.57.16 resolves to uxxicom.com

To ensure it is not another fake, we need to check again whether the domain's A record points to the same ip-address:

olliver@kaori:~$ host uxxicom.com
uxxicom.com has address 82.146.57.16
uxxicom.com mail is handled by 10 mail.uxxicom.com.
uxxicom.com mail is handled by 20 mail.uxxicom.com.

On uxxicom.com, we can find the following:
Quote:
Now, without being an American, you can work remotely in the USA and earn
up to $70 a day filling in online surveys!

Did you know that you can work and get paid:

For filling in surveys: from $2 - $75 per survey
For taking part in survey groups: from $20 - $150 per hour
For testing products: from $10 - $50 per product
For watching new films: from $5 - $25 per hour of viewing
And working with surveys is now even easier - you will have access to more than 500 answers to questions from people who have been working in this field for more than 3 years!
Survey work support service
Yes, it's true... Working from home is the best job!

(source: uxxicom.com)

Don't worry, they translated their pages to English, too:
Quote:
Our Services...

Listing and Selling Businesses In A Discreet Manner
Matching Potential Franchise Owners With Franchises
Financing Existing Businesses With A Guaranteed Review By 3 Lenders
Professional Valuation Services To Place A Value On Your Business.
Paid Surveys - A Complete list of get paid to take surveys and Earn money to taking online surveys.

* http://1-s.us/
* http://findforsalebyowner.com/
* http://bestchoiceart.com/
* http://immigration.uxxicom.com/
* http://becomeaboss.com/

Other Business Services

* Business Loans
* Business Valuations
* Equipment Loans
* Merchant Account
* Sell Your Business
* Sell Your Business Note
* Web Design & Management

Franchise Sales

Find franchises and franchise opportunity that meets your interests.

* Franchise Sales

The company Best Choice L.R. Inc. is a certified business broker

http://www.uxxicom.com/eng/about.htm

And finally, their postal address, presumably some US shell company (though not incorporated in Delaware for a change ;)):
Quote:
Company: Best Choice L.R. Inc.
Country : USA
State: New York
Address: 7025 3rd Ave
City: Brooklyn, NY
Zip: 11209
Tel: +1-347-408-0367
Email: supportatuxxicom.com

http://www.uxxicom.com/eng/contacts.htm

The domain uxxicom.com is registered to some Mikhail Yablakau:
Quote:
Registrant:
Best Choice L. R. Inc
Mikhail Yablakau (test@uxxicom.com)
7025 3rd Ave
Brooklyn, NY
NY,11209
US
Tel. +1.3474080367
Fax. +1.7186480518

Creation Date: 25-May-2005
Expiration Date: 25-May-2010

Administrative Contact:
Best Choice L. R. Inc
Mikhail Yablakau (test@uxxicom.com)
7025 3rd Ave
Brooklyn, NY
NY,11209
US
Tel. +1.3474080367
Fax. +1.7186480518

Technical Contact:
Best Choice L. R. Inc
Mikhail Yablakau (test@uxxicom.com)
7025 3rd Ave
Brooklyn, NY
NY,11209
US
Tel. +1.3474080367
Fax. +1.7186480518

Billing Contact:
Best Choice L. R. Inc
Mikhail Yablakau (test@uxxicom.com)
7025 3rd Ave
Brooklyn, NY
NY,11209
US
Tel. +1.3474080367
Fax. +1.7186480518

Status:ACTIVE


Domain servers in listed order:
ns1.uxxicom.com
ns2.uxxicom.com


Armed with this info we can now finally check the spamvertised hosting bidniz branch:

Quote:
Domain Name: STARLOGIC.BIZ
Domain ID: D17592863-BIZ
Sponsoring Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Domain Status: ok
Registrant ID: PP-SP-001
Registrant Name: Domain Admin
Registrant Organization: PrivacyProtect.org
Registrant Address1: P.O. Box 97
Registrant Address2: Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant City: Moergestel
Registrant Postal Code: 5066 ZH
Registrant Country: Netherlands
Registrant Country Code: NL
Registrant Phone Number: +45.36946676
Registrant Email: contact@privacyprotect.org
Administrative Contact ID: PP-SP-001
Administrative Contact Name: Domain Admin
Administrative Contact Organization: PrivacyProtect.org
Administrative Contact Address1: P.O. Box 97
Administrative Contact Address2: Note - All Postal Mails Rejected, visit Privacyprotect.org
Administrative Contact City: Moergestel
Administrative Contact Postal Code: 5066 ZH
Administrative Contact Country: Netherlands
Administrative Contact Country Code: NL
Administrative Contact Phone Number: +45.36946676
Administrative Contact Email: contact@privacyprotect.org
Billing Contact ID: PP-SP-001
Billing Contact Name: Domain Admin
Billing Contact Organization: PrivacyProtect.org
Billing Contact Address1: P.O. Box 97
Billing Contact Address2: Note - All Postal Mails Rejected, visit Privacyprotect.org
Billing Contact City: Moergestel
Billing Contact Postal Code: 5066 ZH
Billing Contact Country: Netherlands
Billing Contact Country Code: NL
Billing Contact Phone Number: +45.36946676
Billing Contact Email: contact@privacyprotect.org
Technical Contact ID: PP-SP-001
Technical Contact Name: Domain Admin
Technical Contact Organization: PrivacyProtect.org
Technical Contact Address1: P.O. Box 97
Technical Contact Address2: Note - All Postal Mails Rejected, visit Privacyprotect.org
Technical Contact City: Moergestel
Technical Contact Postal Code: 5066 ZH
Technical Contact Country: Netherlands
Technical Contact Country Code: NL
Technical Contact Phone Number: +45.36946676
Technical Contact Email: contact@privacyprotect.org
Name Server: NS1.UXXICOM.COM
Name Server: NS2.UXXICOM.COM

Created by Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Last Updated by Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Domain Registration Date: Fri Apr 27 01:19:46 GMT 2007
Domain Expiration Date: Mon Apr 26 23:59:59 GMT 2010
Domain Last Updated Date: Tue Aug 04 12:07:41 GMT 2009


It seems people are not supposed to find out who starlogic.biz really is. I don't know of any legitimate hosting company that would hide behind some anonymisation services. Spammers, however, often do. If you look at the name servers (NS1.UXXICOM.COM and NS2.UXXICOM.COM), you can easily recognise that the same people that run uxxicom.com are behind starlogic.biz. So from that, I suppose Mikhail Yablakau's money was not exactly well spent on obfuscation services ;)

starlogic.biz claim to be located in Louisville, KY:

Quote:
Global Headquarters

* starlogic.biz
460 South Fourth Street
Louisville, Kentucky

Sales

Online: Request a Quote
Email: AntiSpam

Careers at Starlogic.biz

Starlogic.biz is a privately held, fast-paced, fast-growing hosting solutions company with a proven record of success. Our incredibly talented people are passionate about their work and willing to go beyond the ordinary, resulting in a culture that is inspiring, innovative, and obsessed with delivering value for clients.

We strive to hire only the best in the business, assuring our clients that top skilled professionals are working hard to achieve success - professionals that are passionate, dedicated, driven and above all, successful. We have a fun and collaborative work environment where individual initiative is rewarded and encouraged.

If you're looking for a unique career experience, if you want to be in an exciting, creative work environment, if teamwork suits your style, please email us at Contact Form

(source: http://starlogic.biz/about.html)

And they point out that their servers are located in the Netherlands, which can only mean Ecatel (where the spam came from):

Quote:
200GB HARD 7,200rpm
from 5,000GB TRAFFIC/mo
3.2Ghz PENTIUM 4 HT
1GB DDR2 RAM
4 IP address
100mbit Connection Speed
Located NETHERLANDS




Order Now

$169 per month
Server Basic

Monthly traffic Connection Speed Connection Type Monthly fee
5 TB 100 mbit unshared $169
10 TB 100 mbit unshared $201
unmetered 100 mbit shared $221
unmetered 100 mbit unshared $462

(source: http://starlogic.biz/)

The prices aren't really hot, to put it mildly, so my conclusion is that the offers' value lies in providing bulletproof services, out of reach of US law enforcement agencies.

In any event, I opted for firewalling 93.174.88.0/21 on my webserver because Ecatel have a long record of harbouring cybercrime and stringing out removal of these gangs almost infinitely. I would not, however, recommend firewalling them on a mailserver, so long as they still have legitimate customers as well. Ecatel's main issue isn't email spam, but web related spam and malware hosting tied to Ruskrainian cybercrime gangs.

O.

[1] they gained notoriety for harbouring the remains of Esthost after the sudden collapse of Atrivo/Intercage and had for months an entire /20 listed at Spamhaus for that very reason
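The post above walks through the same three checks by hand: reading the referrer-spam hits out of the access log, asking whether the client IP belongs to a netblock worth firewalling, and verifying that a PTR name is forward-confirmed rather than just pointing at someone else's domain. The following is an added example (not code from the post or from anyone in this thread) that does those steps over the log lines quoted above. The third log line, the three spam heuristics, and the DNS table are this example's own assumptions: the table only contains the PTR/A values reported in the post and stands in for real resolver queries.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample log: the first two lines are hits quoted in the post; the
# third (198.51.100.7, a documentation address) is an invented benign request.
SAMPLE_LOG = """\
93.174.93.54 - - [11/Aug/2009:16:52:26 +0200] www.example.com "GET / HTTP/1.0" 403 202 "http://starlogic.biz/Time_to_change_hosting" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)"
93.174.93.54 - - [11/Aug/2009:16:52:26 +0200] www.example.com "GET / HTTP/1.0" 403 202 "http://starlogic.biz/Time_to_change_hosting" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [11/Aug/2009:16:53:01 +0200] www.example.com "GET /about.html HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Apache "combined" format with the virtual host inserted after the timestamp, as in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<vhost>\S+) '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """One dict per well-formed line; malformed lines are skipped rather than guessed at."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

# Constructed DNS table standing in for real PTR/A lookups (values as reported in the post).
FAKE_DNS = {
    ("PTR", "93.174.93.54"): ["borderfreehosting.com"],
    ("A", "borderfreehosting.com"): ["69.89.31.78"],
    ("PTR", "82.146.57.16"): ["uxxicom.com"],
    ("A", "uxxicom.com"): ["82.146.57.16"],
}

def fake_resolve(rtype, name):
    return FAKE_DNS.get((rtype, name), [])

def fcrdns(ip, resolve=fake_resolve):
    """Forward-confirmed reverse DNS -> (ptr_name, confirmed).

    The PTR is set by whoever controls the reverse zone of the netblock, so on its
    own it proves nothing; it only counts when the name resolves back to the IP."""
    names = resolve("PTR", ip)
    for name in names:
        if ip in resolve("A", name):
            return name, True
    return (names[0] if names else None), False

def referrer_host(url):
    if not url or url == "-":
        return ""
    return (urlsplit(url).hostname or "").lower()

BLOCKED_PREFIXES = [ip_network("93.174.88.0/21")]  # the route the post ends up firewalling
REFERRER_BLOCKLIST = {"starlogic.biz"}              # referrer domains seen spamming

def classify(entries, blocked_prefixes=BLOCKED_PREFIXES, referrer_blocklist=REFERRER_BLOCKLIST):
    """Map client IP -> sorted reasons it looks like a referrer spambot.

    The three heuristics are this example's assumptions, not the post's ruleset:
    referrer host on a blocklist, source inside a firewalled prefix, and several
    distinct User-Agents from one IP with one referrer in the same second."""
    reasons = defaultdict(set)
    agents = defaultdict(set)  # (ip, timestamp, referrer) -> distinct User-Agents
    for e in entries:
        ip, host = e["ip"], referrer_host(e["referrer"])
        if host and any(host == b or host.endswith("." + b) for b in referrer_blocklist):
            reasons[ip].add("referrer on blocklist")
        if any(ip_address(ip) in net for net in blocked_prefixes):
            reasons[ip].add("source in firewalled prefix")
        key = (ip, e["ts"], e["referrer"])
        agents[key].add(e["ua"])
        if len(agents[key]) > 1:
            reasons[ip].add("user-agent rotation within one second")
    return {ip: sorted(r) for ip, r in reasons.items()}

if __name__ == "__main__":
    for ip, why in classify(parse_log(SAMPLE_LOG)).items():
        print(ip, fcrdns(ip), why)
```

Swap `fake_resolve` for a function that does real PTR and A queries and the same `fcrdns` check reproduces the post's finding: 93.174.93.54 claims to be borderfreehosting.com, but that name points elsewhere, whereas uxxicom.com does resolve back to 82.146.57.16.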
olliver
PostPosted: Wed Aug 12, 2009 10:56 am

Mikhail Yablakau of uxxicom.com and starlogic.biz fame was a former customer of Hostfresh in HK:

Quote:
Sample Spam URLs & Keywords Posted From 58.65.235.193
Domain: www.uxxicom.com
URL: http://www.uxxicom.com/rus/
Domain: www.uxxicom.com
URL: http://www.uxxicom.com/


and a user comment that ties everything together:

Quote:
W.Keeley commented...
This IP is registered to a HongKong operation.
It's referring URLS are http://andgoogle.com/showthread.php and
http://starlogic.biz

Both point to a website (advertising untold bandwidth and hosting for less than $6) that looks almost exactly alike. My gut is 100% sure that this is a spam operation.
September 04 2007 03:00 AM

http://www.projecthoneypot.org/ip_58.65.235.193

Meanwhile Hostfresh's allocation was returned to APNIC (perhaps time to remove stale firewall entries ;))

O.
MysteryFCM
Malware Expert


Joined: 28 Aug 2004
Last Visit: 03 Feb 2017
Posts: 865
Location: Tyne & Wear, UK

PostPosted: Thu Aug 13, 2009 6:22 am

Nice find :)

On the subject of andgoogle.com ;)

http://www.aboutus.org/Perusal.net

Leads to a connection to karr.net

Have you also got this range blocked yet?

http://hosts-file.net/?s=93.174.92.64
_________________
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
olliver
PostPosted: Thu Aug 13, 2009 7:41 am

MysteryFCM wrote:

Have you also got this range blocked yet?

http://hosts-file.net/?s=93.174.92.64


Sweet. Reminds me of a hydra: chop off one head and face ten more to deal with... To answer the question: yes, I've already blocked the entire /21. There's no sane reason why I should allow servers in Ecatel's netblock to access my websites (after all, they are intended for humans, not spambots or harvesters).

O.
MysteryFCM
PostPosted: Thu Aug 13, 2009 8:02 am

I actually realised after the above that they actually have:

93.174.88.0 - 93.174.95.255
http://hosts-file.net/?s=93.174.95.0

Bit strange that some of the 93.174.9x. ranges make it seem as if they don't... Netblock info for the one I posted previously, for example, makes it seem as if it's only 92-92, when in fact it's not.
_________________
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
olliver
PostPosted: Thu Aug 13, 2009 8:13 am

MysteryFCM wrote:
Bit strange that some of the 93.174.9x. ranges make it seem as if they don't... Netblock info for the one I posted previously, for example, makes it seem as if it's only 92-92, when in fact it's not.


There's an explanation for that:
These are routing boundaries. To put it in simple words, they sliced and diced their network into handier portions for various reasons. Often, these boundaries coincide with the ranges of a particular customer, but I've also seen other reasons for doing this (separation by purpose, i.e. virtual servers vs. dedicated servers vs. shared hosting).

For the entire picture, you can query the routing registry instead.

Quote:
olliver@kaori:~$ whois -h riswhois.ripe.net 93.174.92.64

% This is RIPE NCC's Routing Information Service
% whois gateway to collected BGP Routing Tables
% IPv4 or IPv6 address to origin prefix match
%
% For more information visit http://www.ripe.net/ris/riswhois.html

route: 93.174.88.0/21
origin: AS29073
descr: ECATEL-AS AS29073, Ecatel Network
lastupd-frst: 2009-06-21 00:26Z 198.32.160.15@rrc11
lastupd-last: 2009-08-13 04:45Z 208.51.134.248@rrc00
seen-at: rrc00,rrc01,rrc03,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,rrc15,rrc16
num-rispeers: 108
source: RISWHOIS


Note that riswhois.ripe.net answers any queries, not just those delegated to RIPE, so you can use it as a supplement to the usual whois queries.

O.
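The point of the post above is that an inetnum assignment (93.174.93.0/24) and an hpHosts entry (93.174.92.64) are slices of one announced route (93.174.88.0/21), and the route object is what a firewall rule should key on. As an added example, not code from this thread, here is a small parser for the RPSL-style "key: value" output that whois and riswhois return, with a lookup of which route covers an address and a helper that collapses the chosen objects into the minimal prefix list for a firewall. The whois text below is constructed from the objects quoted in this thread; for live data you would feed it the output of `whois -h riswhois.ripe.net <ip>` or of the RIPE database instead.

```python
from ipaddress import (collapse_addresses, ip_address, ip_network,
                       summarize_address_range)

# Constructed whois output, assembled from the inetnum and route objects quoted in
# the thread: '%' comment lines, "key: value" attributes, blank line between objects.
WHOIS_TEXT = """\
% Information related to '93.174.93.0 - 93.174.93.255'

inetnum:        93.174.93.0 - 93.174.93.255
netname:        NL-ECATEL
descr:          AS29073, Ecatel LTD
country:        NL
mnt-by:         ECATEL-MNT
source:         RIPE # Filtered

% Information related to '93.174.88.0/21AS29073'

route:          93.174.88.0/21
descr:          AS29073, Route object
origin:         AS29073
mnt-by:         ECATEL-MNT
source:         RIPE # Filtered
"""

def parse_rpsl(text):
    """Split whois/RPSL output into objects: a list of {attribute: [values]} dicts.

    Comment lines start with '%'; a trailing '# ...' on a value is an inline
    remark (e.g. '# Filtered') and is dropped; a blank line ends an object."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("%"):
            continue
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.split("#", 1)[0].strip())
    if current:
        objects.append(current)
    return objects

def inetnum_to_prefixes(inetnum):
    """'first - last' range as printed in an inetnum -> CIDR networks covering exactly it."""
    first, last = (ip_address(p.strip()) for p in inetnum.split("-", 1))
    return list(summarize_address_range(first, last))

def routes_and_assignments(objects):
    """Announced routes (route objects) and assigned ranges (inetnum objects) as networks."""
    routes = [ip_network(o["route"][0]) for o in objects if "route" in o]
    assigned = [p for o in objects if "inetnum" in o
                for p in inetnum_to_prefixes(o["inetnum"][0])]
    return routes, assigned

def covering_route(ip, routes):
    """Most specific route covering ip, or None; this is the one-step answer riswhois gives."""
    addr = ip_address(ip)
    hits = [r for r in routes if addr in r]
    return max(hits, key=lambda r: r.prefixlen) if hits else None

def firewall_prefixes(routes, assigned, block_whole_route=True):
    """Minimal CIDR list to drop: the announced route(s) when blocking the whole
    network (the post's choice), otherwise only the customer assignment(s)."""
    chosen = routes if block_whole_route else assigned
    return [str(n) for n in collapse_addresses(chosen)]

if __name__ == "__main__":
    routes, assigned = routes_and_assignments(parse_rpsl(WHOIS_TEXT))
    for probe in ("93.174.92.64", "93.174.93.54", "93.174.95.0", "93.174.96.1"):
        print(probe, "->", covering_route(probe, routes))
    print("drop:", firewall_prefixes(routes, assigned))
```

Every address the thread mentions in the 93.174.9x range lands in the same /21, which is why the per-/24 inetnum boundaries MysteryFCM saw are cosmetic from a blocking point of view; the route object is the unit the rest of the Internet actually forwards on.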
MysteryFCM
PostPosted: Thu Aug 13, 2009 8:20 am

Nice one, cheers Smile
_________________
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
All times are GMT - 8 Hours
smartBlue Style © 2002 Smartor
Powered by phpBB © 2001, 2002 phpBB Group