| On Mon, 28 Mar 2005, Freek de Kruijf wrote:
| -> Since about a month and a half I get daily
| -> about 70 UDP packages to the ports 1026 and 1027 from one IP-address
| -> (Shanghai, China).
| That one host appeared over 7 times in the short time I was monitoring
| this. It appeared to have a lone SSH port and one snmp port open,
| everything else filtered.
| -> firewall in my Linux box. I examined the content once with tcpdump and
| -> ethereal and the content showed some advertisement of a website; forgot
| -> what it was about.
| www.win-fix.com. The usual "your machine is infected with spyware, go
| now and download this" scam. It redirects around circles and chases
| its own tail, then lands finally to a download, "setup.exe". I peeked
| at the imports and what was easily visible in the binary and it does
| some pretty registry intensive operations. If you didn't have
| spyware, you will after running this little gem.
| -> Naturally I complained at the mail address
| -> associated with the IP-address, wanglin at shaidc.com, but this turned out
| -> to be a non-existing address, however abuse at shaidc.com seemed to exist,
| -> however no reaction.
| I wrote up a nice abuse report and sent it out to that address, the
| one of the super-spamming host, and all the contacts of the IPs
| involved, included all the proof, logs, packet dumps, etc. Not a one
| response; I couldn't believe it! (not)
| What is the 'Net coming to when a confirmed/reported spammer/scammer
| can just fire away at will and be completely immune from consequences?

jayjwa, Freek et al.

Did you send the abuse report(s) to ip-admin at mail.online.sh.cn as well?

Found this address for via SpamCop (please see further below for
detailed info).

Parsing input:
host (getting name) no name
Routing details for
Report routing for ip-admin at mail.online.sh.cn
Statistics: not listed in bl.spamcop.net
More Information.. not listed in dnsbl.njabl.org not listed in dnsbl.njabl.org not listed in cbl.abuseat.org listed in dnsbl.sorbs.net ( ) not listed in relays.ordb.org.
Reporting addresses:
ip-admin at mail.online.sh.cn 
Reports routes for
routeid: 6375845 - to:
ip-admin at mail.online.sh.cn
Administrator interested in all reports

    Friday, July 30, 2004 09:37:26 +0300
    Corrupt notes were found here - combined raw data below:
    [Note added by, (no name)]
    i'm the admin who takes charge of the anti-spam work in my network.
    appears that you send all the spam abuse to hostmaster at ns.chinanet.cn.net,
    which belongs to CHINANET(my headquarters), not CHINANET-SH. so i'd like to
    suggest you, please forward me the all spam abuse in the future, i
    these mails, they are evidences. any further information please feel
    writing to me via this mail address.

    these IP ranges is under my control:

    best regards,

    CHINANET-ShangHai IP Administrator

    Shanghai Telecom Corporation, CHINA
    ip-admin at mail.online.sh.cn
    *********************************************** 1069217531

