Comments on: More Amsterdam Spam? from 212.95.54.38

By: Strangely Perfect

Strangely Perfect — Wed, 19 Nov 2008 20:28:21 +0000

Hi Jill.
My original post is here: http://strangelyperfect.tv/1576/more-info-on-eurosoftware-eurosoftmarket-dot-con/ and there’s a follow up too. I’ve had several investigations like this over the last few months. By the continuing hits on these posts, people are obviously peeved by the continuing dross.
Like you, I’ve been trying to make some (personal) sense out of the deluge of drivel etc and to hope that it’ll give me a clearer understanding of how it all works.

The Complainerator is here: http://www.complainterator.com/download.html Follow through on the simple menu system for more usage links etc and to learn about the dark world of the international spammer…
You need to get a good grasp of what it’s doing before you use it. When I ran it, it took about five minutes to complete all the lookups and make mail messages – so it’s not frozen!

Keep well!

Rees

By: Jill Olkoski

Jill Olkoski — Wed, 19 Nov 2008 18:02:01 +0000

Hi Strangely Perfect,
That’s a shame about your cats. Great names though!

The Russian Doll analogy is really interesting – I was unaware that you could somehow layer registrations, other than perhaps buying from a reseller. Please feel free to add a link to your “The Complainerator” link on your site, I’d like to read it and so might others.

By: Strangely Perfect

Strangely Perfect — Wed, 19 Nov 2008 08:49:55 +0000

Doh!
I’ve just checked your “about” page where you’ve explained everything perfectly.
We sort of adopted two almost feral kittens in Provence. We called them Capella & Aldebaran because of my astronomical bent! Space considerations forced us to leave Albebaran and we took just Capella with us for a few months in our van on our French travels before we had to return to the UK. Because of UK quarantine regs, we had to leave the (now big) cat because of the cost. So we found Bridget Bardot’s place in the north of France and tearfully left it there.
I don’t know why I’ve told this little tale here. It’s not connected apart from the name of the cat.

Tseug is a bit gruff and curt. But the info is right. Sometimes doing a whois isn’t straightforward as there’s no obligation for each organisation to pass any extra domain info to the rest. All they are required to do is serve names….I think! Because of this, the bad guys have registrations within registrations within registrations like a (somewhat appropriately) Russian Doll!
In a recent post on my site, I describe how I used “The Complainerator” to speed up this process. If you do this, make sure that you use an old spammers email address, not your good one – I detail what happened afterwards in a follow up. What happened was that I got bombarded by XIN NET who are obviously the lowest of the low and make no pretence about following the normal abuse channels that almost everyone else in the world adheres to.
Alternatively, it’s likely that there’s an already extant automation tool that will burrow down through the whois’s for you to speed up the manual searching, like The Complainerator but without the emailing. I haven’t looked for one yet.

Rees

By: Jill Olkoski

Jill Olkoski — Wed, 19 Nov 2008 03:55:28 +0000

Hi Strangely Perfect,
Whew, thanks for the nice comment. After that rant it’s nice to hear from someone friendly. Thank you for the additional resources. Yes, I’m a Taurus.

By: Jill Olkoski

Jill Olkoski — Wed, 19 Nov 2008 03:51:52 +0000

Dear Tseug, At least in this comment you didn't violate the Discussion Rules like you did in previous comment you left on my blog. I appreciate your trying to help and suggest you tone down the hostility a bit. I believe this post was all about trying to understand something, and getting beaten over the head after you've already said you're confused, doesn't help.

By: Tseug

Tseug — Tue, 18 Nov 2008 18:20:12 +0000

You’re using RIPE wrongly then .. it’s a database for European IP addresses, just like I have to use ARIN or LACNIC etc to find IP addresses from other countries. It doesn’t mean that there’s an Amsterdam based spam operation going on .. visit RIPE.NET and input the IP address and it’ll give you :-

inetnum: 212.95.54.0 – 212.95.54.255
netname: V3SERVERS-NET-967806
descr: v3Servers.net
country: BY
admin-c: SA4597-RIPE
tech-c: SR614-RIPE
status: ASSIGNED PA “status:” definitions
mnt-by: NETDIRECT-MNT
mnt-lower: NETDIRECT-MNT
mnt-routes: NETDIRECT-MNT
source: RIPE # Filtered

person: Sogreev Anton
address: 12 Knez Mihailova
address: apt. 18
address: Belgrade
address: 11000
address: Serbia
phone: +1 619 684 2664
abuse-mailbox: abuse@v3servers.net
nic-hdl: SA4597-RIPE
mnt-by: NETDIRECT-MNT
source: RIPE # Filtered

route: 212.95.32.0/19
descr: ORG-nA8-RIPE
origin: AS28753
org: ORG-nA8-RIPE
mnt-lower: NETDIRECT-MNT
mnt-routes: NETDIRECT-MNT
mnt-by: NETDIRECT-MNT
source: RIPE # Filtered

organisation: ORG-nA8-RIPE
org-name: netdirect
org-type: LIR
address: netdirekt e. K.
Kleyer Strasse 79 / Tor 14
60326 Frankfurt
Germany
phone: +49 69 90556880
fax-no: +49 69 905568822
admin-c: SR614-RIPE
admin-c: WW200-RIPE
mnt-ref: NETDIRECT-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

.. meaning that the spam operation is from an IP address in Belgrade – Serbia which uses an IP range hosted from a German server ..

There are several IP databases available to trace things ..:-

ripe.net – Europe
arin.net – N.America
lacnic.net – Latin America
AfriNIC.net – Africa
APNIC.net – Asia Pacific

Hope that helps .. cos you’ve gotten mighty confused LOL ;oP

By: Strangely Perfect

Strangely Perfect — Tue, 18 Nov 2008 09:45:47 +0000

Hi Jill.
I got one of these this morning, exactly the same. I also got the earlier ones last week in a big splurge, 94.102.60.150-3 I think they were (they’re gone now).
A simple search always seems to pop up the Netherlands connection, as you’ve found, but if you use different whois tools from different places, you get a fuller picture, I’ve discovered. And yes, nearly everything seems to end up in St Petersburg or XIN NET! Or both!!
http://whois.domaintools.com/ give a nice big picture of things, and don’t forget spamtracker and Castlecops as two big resources.
I had a purge of my htaccess file recently following this lot as they’d by-passed Akismet & htaccess. I reckon that Akismet et al do such a good job with their database collection of spammers that blocking individual IP addresses is self-defeating in personal time and the actual performance hit on the website. So I whipped all the IP blocks out but left the rest of the stuff of course.
The link you provided to the WordPress documentation says it all really, in that you have to keep on the ball at all times and change your defences as the spammers/crackers are always morphing and developing. There’s no one solution for everything.
For me, SABRE works well for registration spam in addition to Akismet for normal comments. The French guy that wrote it is here
http://didier.lorphelin.free.fr/blog/index.php/wordpress/sabre/
BTW. You’re not Taurus are you?

Rees

By: Ari Herzog

Ari Herzog — Tue, 18 Nov 2008 08:01:00 +0000

If you google for RIPE Network Coordination Centre and spam, you can see results going back a few years.

The problem is RIPE is an internet registry and serves several countries. So, it can’t be blocked.

I saw a new RIPE-hosted IP address add spam comment: 195.149.90.86

By: Jill Olkoski

Jill Olkoski — Tue, 18 Nov 2008 02:51:19 +0000

Hi Ari,
I’m not running any anti-spam programs at all on my computer. Just Akismet in the blog.

By: Ari Herzog

Ari Herzog — Tue, 18 Nov 2008 02:48:59 +0000

Ahh, but RIPE is an internet registry: http://en.wikipedia.org/wiki/RIPE_NCC

What anti-spam programs are you running?