[linux-elitists] Re: MCI boots send-safe (Register) -- adds a net of 11 more spam hosts
Tue Mar 1 17:18:40 PST 2005
On Tuesday 01 March 2005 18:31, Karsten M. Self wrote:
> One down, Um, 204 to go. They're still up a net of 11 spamhausen
> since we started this thread:
> That said: the pressure seems to be working. Somewhat. I say keep
> it on.
The MCI problem isn't appreciably better, although it has given new
hope to those who would send LARTs, so who knows?
The send-safe.com issue is going pretty well. He's on what looks like a
dynamic IP in China. The dynamic DNS provider, vavic.com, seems to have
pages only in Chinese, so that one might be difficult.
Yesterday he had about an hour or so on Netfirms before he was noticed
and LARTed. They were amazingly fast in getting rid of him. It was no
more than 80 minutes from the first known LART to the first sighting of
the "account terminated" page.
I am trying with gandi.net, who is the registrar of send-safe.com, and
now is also providing the DNS, SMTP, and HTTP redirect. I first asked
them on 2005/02/05 to cut off send-safe.com, and their reply was quite
lame indeed ... "talk to their hosting provider".
Hmmm, I call HTTP redirection a form of hosting ...
Gandi, in France, had all of today (yesterday, in their TZ) but failed
to respond. They might not. What can they say?
What I'd like to do, and this is certainly a nice Elitist project, is
sniff the network traffic of send-safe and other zombies, to see how
and where they phone home. I'm almost certain that they use DNS,
because Mama never knows when she's going to be kicked out of her
latest ISP; not even MCI is completely bullet-proof. She has to be able
to give her babies their orders.
I'll bet the host wasn't in the send-safe.com zone, either, but I would
think it would be hard-coded in the zombieware/virus. If THAT domain
can be put out of business, Send Safe (as is presently deployed) is
New stuff discovered while I was writing this:
1. I am having trouble resolving send-safe.com. It fails when attempted
through normal recursive DNS at 3 different sites, 4 different ISPs,
and I run the nameservers at each.
2. Interesting tidbit inside of the page at http://9323iuse.vicp.net/
referring to http://u1164.82.spylog.com/ .
Google for Spylog in turn led to http://www.mytrix.com/ , which sure
enough, is in the same netblock as Spylog.
Rob - /dev/rob0
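The "sniff the traffic and see how they phone home" idea above is, in practice, a DNS log review. The following is an added example, not code from the post or from any project it names: it parses constructed BIND-style query log lines (the format and the sample addresses and domain names are assumptions) and flags client/domain pairs that are queried at a near-constant interval, which is the beaconing pattern an infected host leaves behind when it polls a controller for orders. The `registrable_domain` helper takes the last two labels of a name as a crude stand-in for a public-suffix lookup.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in BIND query-log style (assumed format, not a real capture).
# 192.0.2.10 polls cmd.cc-example.invalid every five minutes; 192.0.2.22 asks once.
SAMPLE_LOG = """\
01-Mar-2005 17:00:02.113 queries: info: client 192.0.2.10#53211: query: cmd.cc-example.invalid IN TXT + (192.0.2.1)
01-Mar-2005 17:00:05.900 queries: info: client 192.0.2.10#53212: query: www.example.org IN A + (192.0.2.1)
01-Mar-2005 17:05:02.120 queries: info: client 192.0.2.10#53213: query: cmd.cc-example.invalid IN TXT + (192.0.2.1)
01-Mar-2005 17:10:02.098 queries: info: client 192.0.2.10#53214: query: cmd.cc-example.invalid IN TXT + (192.0.2.1)
01-Mar-2005 17:15:02.131 queries: info: client 192.0.2.10#53215: query: cmd.cc-example.invalid IN TXT + (192.0.2.1)
01-Mar-2005 17:03:44.001 queries: info: client 192.0.2.22#40001: query: mail.example.org IN MX + (192.0.2.1)
01-Mar-2005 17:09:12.450 queries: info: client 192.0.2.22#40002: query: www.example.org IN A + (192.0.2.1)
01-Mar-2005 17:14:30.777 queries: info: client 192.0.2.22#40003: query: cmd.cc-example.invalid IN TXT + (192.0.2.1)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) .*?"
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_log(text):
    """Return a list of (timestamp, client_ip, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        records.append((ts, m.group("client"), m.group("qname").lower(), m.group("qtype")))
    return records


def registrable_domain(qname):
    """Crude 'last two labels' approximation (assumption: no public suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_beacons(records, min_queries=3, max_jitter=0.1):
    """Map (client, domain) -> interval in seconds for pairs queried at least
    min_queries times with spacing whose relative deviation is <= max_jitter."""
    by_pair = defaultdict(list)
    for ts, client, qname, _ in records:
        by_pair[(client, registrable_domain(qname))].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = round(avg)
    return beacons


def clients_querying(records, domain):
    """All clients that asked for any name under the given domain."""
    return sorted({c for _, c, q, _ in records if registrable_domain(q) == domain})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (client, domain), interval in find_beacons(recs).items():
        print(f"{client} polls {domain} roughly every {interval}s")
    print("everyone who touched cc-example.invalid:",
          clients_querying(recs, "cc-example.invalid"))
```

Once a beaconing domain is identified this way, the same log gives the full list of internal hosts that touched it, which is the cleanup list; and a resolver-side block or sinkhole for that domain cuts the orders off without waiting on a registrar or redirect host to act.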