[Image: Alleged centurion's checklist at the sack of Carthage during the Third Punic War]
Bestiality spammer Yellowsun01.com has been getting on Uncle Romulus' nerves recently.
Yellowsun01.com is no longer spamming its "animal husbandry" ads from qwest.com, I guess something bad happened to their account, but it is still spamming. Let's begin with the latest spew (12/07/01, remember that happened to the last gang to launch an attack on December 7... but I digress.) It includes some bandwidth-consuming graphics, perhaps of the spammer's sister, mother, aunt, cousin, spouse (or a combination of two or more of these) with farm animals, and a link to Yellowsun01.com. Note that he spammed romulus "at" stentorian.com! Sort of like a herring crashing a dolphin convention and yelling, "Kill the whales!"
- Step 1: E-mail service provider
- Step 2: Domain hosting information (Yellowsun01's nameservers and registrar)
- Note: if the name servers had abuse reporting addresses, one would be pretty much finished here.
- Step 3: Yellowsun01's domain registration information from its registrar
- Step 4: Dealing with Yellowsun01's name servers
- Step 5: Name servers' backbone providers via IP address lookup
- ADDENDUM, 12/17/01: Sam Spade's Address Digger!
- PINGing the moving spammer

Step 1: E-mail service provider
From: e19974@k.ro
To:
Subject: Animal Lovers Go To The Extreme!!! 4067
Date: Fri, 07 Dec 2001 11:21:41 -0500
MIME-Version: 1.0
Received: (qmail 95768 invoked from network); 7 Dec 2001 16:26:11 -0000
Received: from mailhost.lasaosa.fr (HELO lasaosa?srv.lasaosa.fr) (217.109.163.133) by xi.pair.com with SMTP; 7 Dec 2001 16:26:11 -0000
Received: from hebe.or.intel.com_[192.168.229.60] (81.dallas-03rh16rt-tx.dial-access.att.NET [12.86.204.81]) by lasaosa_srv.lasaosa.fr with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id YMQLS80K; Fri, 7 Dec 2001 17:26:51 +0100
[Intel.com and 192.168.229.60 are apparently forged. 12.86.204.81 verifies as att.net through a traceroute. abuse and postmaster "at" att.net were therefore copied on the spam complaint.]
Received: from Ladymail.cz by hebe.or.intel.com with ESMTP; Fri, 07 Dec 2001 11:21:49 -0500
[Ignore Ladymail.cz and intel.com because they have no bracketed IP address associated with them.]
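The two rules just applied to the Received chain (drop hops that carry no bracketed IP, drop private addresses such as 192.168.x.x as forged or meaningless, and take the deepest remaining routable address as the origin) are mechanical enough to script. The following is an added Python example, not code from the original page; the function names, the "last two labels" shortcut for deriving a complaint domain, and the lightly normalized host names in the sample chain are my assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample: the Received chain of the spam quoted above, with host
# names lightly normalized. Topmost line = the hop nearest the recipient.
SPAM_RECEIVED = [
    "Received: (qmail 95768 invoked from network); 7 Dec 2001 16:26:11 -0000",
    "Received: from mailhost.lasaosa.fr (HELO lasaosa-srv.lasaosa.fr) "
    "(217.109.163.133) by xi.pair.com with SMTP; 7 Dec 2001 16:26:11 -0000",
    "Received: from hebe.or.intel.com [192.168.229.60] "
    "(81.dallas-03rh16rt-tx.dial-access.att.NET [12.86.204.81]) "
    "by lasaosa-srv.lasaosa.fr with SMTP (Microsoft Exchange Internet Mail "
    "Service Version 5.5.2650.21) id YMQLS80K; Fri, 7 Dec 2001 17:26:51 +0100",
    "Received: from Ladymail.cz by hebe.or.intel.com with ESMTP; "
    "Fri, 07 Dec 2001 11:21:49 -0500",
]


def routable_ips(line: str) -> List[str]:
    """Globally routable IPv4 literals in one Received line.

    RFC 1918, loopback and other non-global ranges are dropped: a receiving
    MTA could only have seen those on its own LAN, so in a hop that crossed
    the public Internet they are either forged or meaningless.
    """
    found = []
    for m in IPV4.finditer(line):
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:  # octet > 255, e.g. a version string
            continue
        if addr.is_global:
            found.append(str(addr))
    return found


def likely_origin(received: List[str]) -> Optional[Tuple[int, str]]:
    """(index, ip) of the deepest hop that carries a routable address.

    Hops with no IP at all (the Ladymail.cz / intel.com line) are skipped:
    a bare name is whatever the sender chose to type. Caveat: everything
    below the last server you trust can be forged, so treat the result as
    the point to start verifying (the page uses traceroute), not as proof.
    """
    origin = None
    for idx, line in enumerate(received):
        ips = routable_ips(line)
        if ips:
            # When the receiving MTA logs both the HELO name and the peer it
            # actually saw, the observed address is the last one on the line.
            origin = (idx, ips[-1])
    return origin


def reverse_name_for(line: str, ip: str) -> Optional[str]:
    """Host name the receiving MTA recorded immediately before [ip], if any."""
    m = re.search(r"([A-Za-z0-9.-]+)\s*\[" + re.escape(ip) + r"\]", line)
    return m.group(1) if m else None


def complaint_addresses(hostname: str) -> List[str]:
    """abuse@ and postmaster@ for the host's domain.

    Assumption: the registrable domain is the last two labels. Fine for
    att.net, wrong for multi-part public suffixes; a real tool would
    consult the public suffix list.
    """
    labels = hostname.lower().rstrip(".").split(".")
    domain = ".".join(labels[-2:])
    return [f"abuse@{domain}", f"postmaster@{domain}"]


if __name__ == "__main__":
    hit = likely_origin(SPAM_RECEIVED)
    if hit:
        idx, ip = hit
        name = reverse_name_for(SPAM_RECEIVED[idx], ip)
        print(ip, name, complaint_addresses(name) if name else "(no rDNS)")
```

Run against the sample chain it picks 12.86.204.81 with the att.net dial-access name, exactly the hop the page singles out, and ignores both the forged 192.168.229.60 and the IP-less Ladymail.cz hop.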
Return-Path:
Delivered-To: wlevinso-stentorian:com-romulus "at" stentorian.com
X-Envelope-To: romulus "at" stentorian.com [reinforces this guy's candidacy for an Internet Darwin Award]
Message-ID: <0000645c7c5e$00007d3f$00000fe3@Ladymail.cz>
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Now for the domain: Yellowsun01.com
Step 2: Internic WhoIs of Yellowsun01.com http://www.internic.net/cgi/whois?whois_nic=yellowsun01.com&type=domain
ADDENDUM 12/17/01: XWhoIs is better: http://Xwhois.com/check/default.asp?domain=yellowsun01.com (hopefully soon to be "WhoWas")
Domain Name: YELLOWSUN01.COM
Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM
Whois Server: whois.joker.com
Referral URL: http://www.joker.com
Name Server: DV1.GRINDBIND.COM
Name Server: NM1.GRINDBIND.COM
Name Server: KO1.GRINDBIND.COM
Name Server: NS1.NETWORKBEAT.NET
Name Server: NS2.NETWORKBEAT.NET
Updated Date: 03-nov-2001
OK: this tells us that:
- Yellowsun01.com is hosted by grindbind.com and networkbeat.net.
- Normally one would complain to postmaster and abuse "at" grindbind.com and networkbeat.net. These seem, however, to be problem domain hosts (as Cyber Promotions once was) because E-mail to these addresses is undeliverable. Furthermore, these name servers do not have accessible home pages. That is a problem, but for them, not us, as we'll see below.
- Yellowsun01.com's registrar is joker.com
Step 3: Tracking down Yellowsun01 at Joker.com
Results from Joker.com:
That domain can be administered by: jbmull@hotmail.com#0
Whois-output
DOMAIN yellowsun01.com
Registrar: JOKER.COM (CSL-GmbH as ICANN registrar)
Status: production
Handle: 327899
Owner: Jakob Mullinax
Organization:
Address: P.O. Box 35814
Postalcode/City:
State:
Country: US
Owner contact: jbmull@hotmail.com#0
This address is no longer valid. postmaster, support, sales, and abuse "at" joker.com (the site does not provide E-mail contact information, at least none that I could find) were informed that yellowsun01.com may be in violation of Joker.com's terms of service for failing to provide valid contact information. The idea is to cause revocation of the domain registration itself.
Administrative contact: jbmull@hotmail.com#0
Technical contact: jbmull@hotmail.com#0
Billing contact: jbmull@hotmail.com#0
Nameserver:
ns1.networkbeat.net
ns2.networkbeat.net
ko1.grindbind.com
nm1.grindbind.com
dv1.grindbind.com
Same information we had before
created by JORE-1: 2001-11-03 17:40:49
modified by JORE-1: 2001-11-03 17:42:43
db-updated: 2001-12-08 18:27:54
expires: 2002-11-03 11:40:40
Step 4. Tracking down the name servers, grindbind.com and networkbeat.net
Clicking on networkbeat.net at the Joker.com result page shown above yields:
Whois-output
HOST ns1.networkbeat.net
ip: 64.86.190.58 [We will use this shortly]
Registrar ID: JORE-1
created by JORE-1: 2001-10-10 17:24:44
modified by JORE-1: 2001-11-17 19:12:45
db-updated: 2001-12-08 18:27:54
Furthermore, a WhoIs of networkbeat.net at Joker.com yields
That domain can be administered by:
peteni344@yahoo.com#0
This, as I recall, doesn't work either, which suggests that this is a problem domain.
Whois-output
DOMAIN networkbeat.net
Registrar: JOKER.COM (CSL-GmbH as ICANN registrar)
Status: production
Handle: 179577
Owner: Dave Johnson
Organization:
Address: 8923 Cedar Lane
Postalcode/City: Northville
State: WA
Country: US
Owner contact: peteni344@yahoo.com#0
Administrative contact: peteni344@yahoo.com#0
Technical contact: peteni344@yahoo.com#0
Billing contact: peteni344@yahoo.com#0
Nameserver: ns1.networkbeat.net
ns2.networkbeat.net
created by JORE-1: 2001-06-09 00:47:16
modified by JORE-1: 2001-10-10 17:27:51
db-updated: 2001-12-08 18:40:21
expires: 2002-06-08 18:46:55
Joker.com WhoIs of grindbind.com
Organization:
Creative Marketing Zone, Inc.
Technical Support
5393 Maplewood
Detroit, MI 48204
US
Phone: 313-231-2474
Email: grindbind@yahoo.com [As I recall, this doesn't work]
Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com
Domain Name: GRINDBIND.COM
Created on..............: Tue, Aug 14, 2001
Expires on..............: Thu, Aug 14, 2003
Record last updated on..: Wed, Oct 10, 2001
Administrative Contact:
Creative Marketing Zone, Inc.
Technical Support
5393 Maplewood
Detroit, MI 48204
US
Phone: 313-231-2474
Email: grindbind@yahoo.com
Technical Contact, Zone Contact:
Register.Com
Domain Registrar
575 8th Avenue - 11th Floor
New York, NY 10018
US
Phone: 212-798-9200
Fax..: 212-629-9305
Email: domain-registrar@register.com [Copied on the complaint due to apparent lack of valid contact information in the registration]
Domain servers in listed order: [We will use these in the next step]
NS1.GRINDBIND.COM 64.132.82.71
NS3.GRINDBIND.COM 65.160.45.60
NS4.GRINDBIND.COM 65.160.45.61
KO2.GRINDBIND.COM 24.178.61.20
KO1.GRINDBIND.COM 24.182.105.208
DV1.GRINDBIND.COM 4.60.111.133
NM2.GRINDBIND.COM 65.69.110.2
NM1.GRINDBIND.COM 65.69.110.1
DNS1.GRINDBIND.COM 208.178.236.187
DNS2.GRINDBIND.COM 208.178.236.188
NS2.GRINDBIND.COM 64.132.82.72
Step 5: Reporting the name servers to their backbone hosts
Now we use Sam Spade's IP address lookup for the name servers' IP addresses.
Networkbeat.net: http://samspade.org/t/ipwhois?a=64.86.190.58
Trying whois -h whois.arin.net 64.86.190.58
Teleglobe Inc. (NETBLK-TELEGLOBE) TELEGLOBE 64.86.0.0 - 64.86.255.255
Alta Tecnologia, S.A. , Internet Data Centers (NETBLK-ALTEC-TGO2) ALTEC-TGO2 64.86.190.32 - 64.86.190.63
Add postmaster and abuse "at" Altec1.com and Teleglobe.com (click on the links in the Sam Spade report to get domain ID's)
Grindbind.com has a lot of IP addresses. Report 'em all, let the backbone providers sort 'em out.
http://samspade.org/t/ipwhois?a=64.132.82.71
Trying whois -h whois.arin.net 64.132.82.71
Time Warner Telecom (NETBLK-NETBLK-TWTC-NETBLK-1)
3235 Intertech Drive, Suite 600
Brookfield, WI 53045
US
Netname: NETBLK-TWTC-NETBLK-1
Netblock: 64.132.0.0 - 64.132.255.255
Maintainer: TWTC
Coordinator: Time Warner Telecom (ZT87-ARIN) ipmanager "at" twtelecom.net
Add twtelecom.net to the complaint addresses
http://samspade.org/t/ipwhois?a=65.160.45.60
Sprint (NETBLK-SPRINTLINK-2-BLKS) SPRINTLINK-2-BLKS 65.160.0.0 - 65.174.255.255
INFOMAILER DBA GTW (NETBLK-FON-110101606469040) FON-110101606469040 65.160.44.0 - 65.160.45.255
Abuse "at" sprint.net and sprintlink.net
http://samspade.org/t/ipwhois?a=24.178.61.20
@Home Network (NETBLK-HOME-2BLK) HOME-2BLK 24.176.0.0 - 24.183.255.255
@Home Network (NETBLK-DTRTMI1-MI-6) DTRTMI1-MI-6 24.178.43.0 - 24.178.63.255
Postmaster and abuse "at" home.net
http://samspade.org/t/ipwhois?a=4.60.111.133
comes up with genuity.net. Add genuity.net to the complaint addresses
http://samspade.org/t/ipwhois?a=65.69.110.2
Add Southwestern Bell to the complaint addresses
http://samspade.org/t/ipwhois?a=208.178.236.188
Postmaster and abuse "at" gblx.net
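Each of the Step 5 lookups returns two nested allocations: a backbone block (Teleglobe, Sprint, @Home) and a smaller customer block inside it (Altec, INFOMAILER, the Detroit @Home block), and the complaint goes to both. Matching an address to the narrowest containing range, and sorting a pile of name-server addresses by who is responsible for them, is the part worth automating when a host has as many addresses as grindbind.com. This is an added Python example, not code from the original page; the one-line "org (HANDLE) NETNAME start - end" format is the old ARIN summary style transcribed from the lookups above, and the Time Warner line is rewritten into that same one-line form for the sample.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: netblock summary lines transcribed from the Sam Spade /
# ARIN lookups above, all in the one-line "org (HANDLE) NETNAME start - end" form.
ARIN_LINES = [
    "Teleglobe Inc. (NETBLK-TELEGLOBE) TELEGLOBE 64.86.0.0 - 64.86.255.255",
    "Alta Tecnologia, S.A. , Internet Data Centers (NETBLK-ALTEC-TGO2) "
    "ALTEC-TGO2 64.86.190.32 - 64.86.190.63",
    "Time Warner Telecom (NETBLK-NETBLK-TWTC-NETBLK-1) NETBLK-TWTC-NETBLK-1 "
    "64.132.0.0 - 64.132.255.255",
    "Sprint (NETBLK-SPRINTLINK-2-BLKS) SPRINTLINK-2-BLKS 65.160.0.0 - 65.174.255.255",
    "INFOMAILER DBA GTW (NETBLK-FON-110101606469040) FON-110101606469040 "
    "65.160.44.0 - 65.160.45.255",
    "@Home Network (NETBLK-HOME-2BLK) HOME-2BLK 24.176.0.0 - 24.183.255.255",
    "@Home Network (NETBLK-DTRTMI1-MI-6) DTRTMI1-MI-6 24.178.43.0 - 24.178.63.255",
]


class Block(NamedTuple):
    org: str
    handle: str
    netname: str
    start: int  # first address as an integer, so containment is a range check
    end: int


LINE = re.compile(
    r"^(?P<org>.+?)\s+\((?P<handle>NETBLK-[^)]+)\)\s+(?P<netname>\S+)\s+"
    r"(?P<start>\d+\.\d+\.\d+\.\d+)\s*-\s*(?P<end>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_blocks(lines: List[str]) -> List[Block]:
    """Parse the summary lines; address/phone lines that are not ranges are skipped."""
    blocks = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        blocks.append(Block(
            m["org"], m["handle"], m["netname"],
            int(ipaddress.IPv4Address(m["start"])),
            int(ipaddress.IPv4Address(m["end"])),
        ))
    return blocks


BLOCKS = parse_blocks(ARIN_LINES)


def covering_chain(ip: str, blocks: List[Block]) -> List[Block]:
    """Every block containing ip, narrowest (customer) first, widest (backbone) last."""
    addr = int(ipaddress.IPv4Address(ip))
    hits = [b for b in blocks if b.start <= addr <= b.end]
    return sorted(hits, key=lambda b: b.end - b.start)


def most_specific(ip: str, blocks: List[Block]) -> Optional[Block]:
    """The smallest allocation containing ip, or None if ARIN gave us nothing for it."""
    chain = covering_chain(ip, blocks)
    return chain[0] if chain else None


def group_by_provider(ips: List[str], blocks: List[Block]) -> Dict[str, List[str]]:
    """Bucket a list of name-server addresses by the netname responsible for each,
    so one complaint per provider can list every address it is accountable for."""
    grouped: Dict[str, List[str]] = {}
    for ip in ips:
        b = most_specific(ip, blocks)
        grouped.setdefault(b.netname if b else "UNKNOWN", []).append(ip)
    return grouped


if __name__ == "__main__":
    for ip in ["64.86.190.58", "65.160.45.60", "24.178.61.20", "4.60.111.133"]:
        print(ip, [f"{b.org} ({b.netname})" for b in covering_chain(ip, BLOCKS)])
    print(group_by_provider(["64.132.82.71", "64.132.82.72",
                             "65.160.45.60", "65.160.45.61"], BLOCKS))
```

For 64.86.190.58 the chain comes back as ALTEC-TGO2 then TELEGLOBE, which is the same customer-then-backbone pair the page reports to; an address with no parsed range (4.60.111.133, the genuity.net one, whose block is not in the sample) falls into UNKNOWN rather than being silently dropped.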
This pretty much covers it, although Yellowsun01.com mentions Zoosporn.com, so if one wants to go after them too... Their registrar is directnic.com, although Joker.com also provides their information.
http://www.directnic.com/whois/?query=zoosporn.com
We've already covered networkbeat.net.
Registrant: bonus hosting
11 Novinsky Blvd
Moscow, Russia 121099
RU
Domain Name: ZOOSPORN.COM
Administrative Contact:
levez, Uri root@zooporn.com
11 Novinsky Blvd
Moscow, Russia 121099
RU
011448422154
Technical Contact:
levez, Uri root@zooporn.com
11 Novinsky Blvd
Moscow, Russia 121099
RU
011448422154
Billing Contact:
levez, Uri root@zooporn.com
11 Novinsky Blvd
Moscow, Russia 121099
RU
011448422154
Record last updated on 06-Dec-2001.
Record expires on 02-Oct-2003.
Record Created on 02-Oct-2001.
Domain servers in listed order:
NS1.NETWORKBEAT.NET 64.86.190.58
NS2.NETWORKBEAT.NET 65.174.218.253
Sam Spade's Address Digger
This is highly recommended; it gives you even more information about the spammer than XWhoIs.
http://samspade.org/t/lookat?a=yellowsun01.com tells you not only the registration information, but also the current IP address. This is important because the spammer, having apparently been kicked off his previous service provider, might not be hosted at grindbind.com and networkbeat.net, but it takes a while for the registrars to update their records.
Pinging the spammer; how to track a running target
Uncle Romulus, having determined to implement a final solution to the Yellowsun01.com problem, began to track its whereabouts and send preemptive (heads-up) reports to its new host even before it spammed again. PING is a simple way (faster than tracert) to get a domain's current IP address.
Pinging www.yellowsun01.com [208.187.65.17] with 32 bytes of data:
Reply from 208.187.65.17: bytes=32 time=347ms TTL=237
Reply from 208.187.65.17: bytes=32 time=335ms TTL=237
Reply from 208.187.65.17: bytes=32 time=335ms TTL=237
Reply from 208.187.65.17: bytes=32 time=385ms TTL=237
Ping statistics for 208.187.65.17:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 335ms, Maximum = 385ms, Average = 350ms
http://samspade.org/t/ipwhois?a=208.187.65.17
tells me to send a previous Yellowsun01.com spam (I've several on file) to abuse "at" eli.net and safepages.com.
(Yellowsun01.com did, in fact, spam Romulus "at" stentorian.com after this, so the preemptive or heads-up complaint was quite justified. I guess this guy wants to play...)
Uncle Romulus' Antispam Home Page