[Dshield] 1026-27

jayjwa jayjwa at atr2.ath.cx
Fri Aug 12 11:05:32 GMT 2005


On Thu, 11 Aug 2005, Paul Marsh wrote:

-> Firewall? Hey that's a good idea, only kidding ;)  I understand what
-> they are.  I guess I should have been a little more detailed in my first
-> post.  Are the source ports accurate or spoofed?  I guess I'm looking
-> for a way to get to the bottom of this stuff and get it shut down.


If you really follow it to the source, A LOT of this stuff seems to be from 
domains registered by one of these guys below. Here's one for the infamous 
"reg-patch.com" (which is what these MS Messenger NetSend SPAM messages are 
always advertising: fake Windows Update|Patch sites where you can download 
binaries, sometimes for a price. Anyone want to guess what they contain 
when disassembled?):


    Domain Services Provided By:
       000domains, support at 000domains.com
       http://www.000domains.com

Registrant:
    Repair Registry Pro
    3434 W. Anthem Way
    Ste 118-252
    PHOENIX, AZ 85086
    US

    Registrar: 000DOM
    Domain Name: REG-PATCH.COM
       Created on: 17-MAR-05
       Expires on: 17-MAR-06
       Last Updated on: 11-JUN-05

    Administrative, Technical Contact:
       Registry Pro, Repair  support at repairregistrypro.com
       3434 W. Anthem Way
       Ste 118-252
       PHOENIX, AZ  85086
       US
       1.6023573452


    Domain servers in listed order:
       FWNS1.000DOMAINS.COM
       FWNS2.000DOMAINS.COM

End of Whois Information


Doing a whois lookup on the spammed website name usually leads to a 
Dotster.com (http://www.dotster.com/) or a glbx.net address. Using 
Dotster's whois function helps you go a little further; it is here:

https://secure.registerapi.com/services/whois.php

They also have "SwipeSpy.com" and a bunch of others I have since forgotten. As 
long as places like 000domains.com register fraudulent-sounding names for 
pennies apiece to anyone, who then uses any old info they want, we'll keep 
seeing a mess of this stuff. Frequently the contact person is listed as
a Yahoo or Gmail address. Check out this one's phone number:

"regcleanser.com"

Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com

Domain Name: regcleanser.com

    Created on..............: 12 Jun 2005 13:05:06
    Expires on..............: 12 Jun 2006 13:05:06

Administrative Info:
    INUX, LTD
    Bee Wms
    POB 1818
    KIngstown,  SVG
    VC
    Phone: +1.5555555555
    Fax..:
    Email: b at inuxltd.com

Billing Info:
    INUX, LTD
    Bee Wms
    POB 1818
    KIngstown,  SVG
    VC
    Phone: +1.5555555555
    Fax..:
    Email: b at inuxltd.com

Technical Info:
    INUX, LTD
    Bee Wms
    POB 1818
    KIngstown,  SVG
    VC
    Phone: +1.5555555555
    Fax..:
    Email: b at inuxltd.com

Registrant Info:
    INUX, LTD
    Bee Wms
    POB 1818
    KIngstown,  SVG
    VC
    Phone: +1.5555555555
    Fax..:
    Email: b at inuxltd.com


Interesting contact email too: "b@". Supposedly you can complain about the 
fraudulent nature of the sites and have them shut down, but I've seen no 
evidence this actually works. And why would they? That would be losing 
customers, and that means their $$$.

It looks like spammers compromise a whole ton of machines, probably using 
an IRC bot or the like, and then upload one of those NetSend spamming 
programs I've posted about here in the past. They spray out the messages 
for the fake websites, which the spammers register with places like 
000domains.com and Dotster.com for pennies. The actual spamming hosts are 
by and large in China/Korea, as are the websites, but the companies 
and the registrars of those companies are almost always in the US (like the 
above example), at least as far as I've seen/researched this.

They don't fill my logs because I don't log it and there is nothing 
listening for it on my systems. I have to sniff for it specially, but just 
the idea of someone broadcasting junk out, trying to hit me with it ticks 
me off.



-- 
:::STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION:::
www.reg-patch.com    Dotster.com   | tcpdump -p
www.regproscan.com   gblx.net      | -i ppp0 -s0
www.regcleanser.com  gblx.net      | -A -v 'udp
www.updatepatch.info kornet.net    | dst port 1026'
www.regprofix.com    gblx.net      | 10 pckts cap.
WWW.WUPDATE.NET      interland.com | 20 pckts rec.

6 SPAM Sites per 20 packets hosted by ISPs shown
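An added example, not part of the original post: a small Python summariser that reads tcpdump-style text of the kind the signature's `tcpdump -A -v 'udp dst port 1026'` command prints, keeps only the UDP datagrams aimed at the Messenger service ports 1026/1027 that this thread is about, and tallies the sending hosts and the advertised "www." names, giving the same "N spam sites per M packets" view as the signature. The capture text, the IP addresses and the helper name `summarize_messenger_spam` are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample (not a real capture) in the shape "tcpdump -A -v" prints:
# one header line per UDP datagram, followed by its ASCII payload line.
SAMPLE_CAPTURE = """\
11:05:32.000001 IP 203.0.113.5.1032 > 192.0.2.10.1026: UDP, length 412
E..@..@.....STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION... www.reg-patch.com
11:05:33.000002 IP 203.0.113.5.1032 > 192.0.2.10.1027: UDP, length 398
E..@..@.....Download the patch now from www.regcleanser.com
11:05:34.000003 IP 198.51.100.7.1051 > 192.0.2.10.1026: UDP, length 401
E..@..@.....Your registry needs repair: www.updatepatch.info
11:05:35.000004 IP 198.51.100.9.53 > 192.0.2.10.40123: UDP, length 80
E..P..@.....ordinary DNS reply, not Messenger traffic, www.example.org
"""

MESSENGER_PORTS = {1026, 1027}   # UDP ports the NetSend spam is aimed at
HEADER_RE = re.compile(r'^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$')
SITE_RE = re.compile(r'\bwww\.[a-z0-9-]+(?:\.[a-z0-9-]+)+', re.IGNORECASE)


def summarize_messenger_spam(capture_text):
    """Return (packet_count, Counter of source IPs, Counter of advertised sites)
    for the UDP datagrams whose destination port is 1026 or 1027.
    Payload lines that belong to other datagrams are ignored."""
    packets = 0
    sources = Counter()
    sites = Counter()
    in_messenger_packet = False
    for line in capture_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            src_ip, _src_port, _dst_ip, dst_port, _length = m.groups()
            in_messenger_packet = int(dst_port) in MESSENGER_PORTS
            if in_messenger_packet:
                packets += 1
                sources[src_ip] += 1
            continue
        if in_messenger_packet:          # payload line of a Messenger datagram
            for site in SITE_RE.findall(line):
                sites[site.lower()] += 1
    return packets, sources, sites


if __name__ == "__main__":
    n, srcs, advertised = summarize_messenger_spam(SAMPLE_CAPTURE)
    print(f"{len(advertised)} spam sites in {n} packets")
    for ip, count in srcs.most_common():
        print(f"  {ip}: {count} packets")
    for site, count in advertised.most_common():
        print(f"  {site}: seen {count} times")
```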
