[linux-elitists] Re: MCI boots send-safe (Register) -- adds a net of 11 more spam hosts

Rob McGee list+Elite@nodns4.us
Tue Mar 1 17:18:40 PST 2005

On Tuesday 01 March 2005 18:31, Karsten M. Self wrote:
> One down, Um, 204 to go.  They're still up a net of 11 spamhausen
> since we started this thread:
> That said:  the pressure seems to be working.  Somewhat.  I say keep
> it on.

The MCI problem isn't appreciably better, although it has given new  
hope to those who would send LARTs, so who knows?

The send-safe.com issue is going pretty well. He's on what looks like a 
dynamic IP in China. The dynamic DNS provider, vavic.com, seems to have 
pages only in Chinese, so that one might be difficult.

Yesterday he had about an hour or so on Netfirms before he was noticed 
and LARTed. They were amazingly fast in getting rid of him. It was no 
more than 80 minutes from the first known LART to the first sighting of 
the "account terminated" page.

I am trying with gandi.net, who is the registrar of send-safe.com, and 
now is also providing the DNS, SMTP, and HTTP redirect. I first asked 
them on 2005/02/05 to cut off send-safe.com, and their reply was quite 
lame indeed ... "talk to their hosting provider".

Hmmm, I call HTTP redirection a form of hosting ...

Gandi, in France, had all of today (yesterday, in their TZ) but failed 
to respond. They might not. What can they say?

What I'd like to do, and this is certainly a nice Elitist project, is 
sniff the network traffic of send-safe and other zombies, to see how 
and where they phone home. I'm almost certain that they use DNS, 
because Mama never knows when she's going to be kicked out of her 
latest ISP; not even MCI is completely bullet-proof. She has to be able 
to give her babies their orders.

I'll bet the host wasn't in the send-safe.com zone, either, but I would 
think it would be hard-coded in the zombieware/virus. If THAT domain 
can be put out of business, Send Safe (as is presently deployed) is 

New stuff discovered while I was writing this:

1. I am having trouble resolving send-safe.com. It fails when attempted 
through normal recursive DNS at 3 different sites, 4 different ISP's, 
and I run the nameservers at each.

2. Interesting tidbit inside of the page at http://9323iuse.vicp.net/ 
which is where I went when www.send-safe.com was resolving: javascript 
referring to http://u1164.82.spylog.com/ .

Google for Spylog in turn led to http://www.mytrix.com/ , which sure 
enough, is in the same netblock as Spylog.
    Rob - /dev/rob0

More information about the linux-elitists mailing list