[Dshield] What is the fun of this? Daily 70 packets to 1026 and 1027

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Wed Mar 30 19:43:46 GMT 2005

list-bounces at lists.dshield.org <mailto:list-bounces at lists.dshield.org>
wrote on Wednesday, March 30, 2005 3:52 PM (EET) UTC+3 on behalf of

| On Mon, 28 Mar 2005, Freek de Kruijf wrote:
| -> Since about a month and a half I get daily
| -> about 70 UDP packages to the ports 1026 and 1027 from one IP-address
| -> (Shanghai, China).
| That one host appeared over 7 times in the short time I was monitoring
| this. It appeared to have a lone SSH port and one snmp port open,
| everything else filtered.
| -> firewall in my Linux box. I examined the content once with tcpdump and
| -> ethereal and the content showed some advertisement of a website; forgot
| -> what it was about.
| www.win-fix.com. The usual "your machine is infected with spyware, go
| now and download this" scam. It redirects around in circles and chases
| its own tail, then finally lands on a download, "setup.exe". I peeked
| at the imports and what was easily visible in the binary and it does
| some pretty registry-intensive operations. If you didn't have
| spyware, you will after running this little gem.
| -> Naturally I complained at the mail address
| -> associated with the IP-address, wanglin at shaidc.com, but this turned out
| -> to be a non-existing address, however abuse at shaidc.com seemed to exist,
| -> however no reaction.
| I wrote up a nice abuse report and sent it out to that address, the
| one of the super-spamming host, and all the contacts of the IPs
| involved, including all the proof, logs, packet dumps, etc. Not a one
| response; I couldn't believe it! (not)
| What is the 'Net coming to when a confirmed/reported spammer/scammer
| can just fire away at will and be completely immune from consequences?

jayjwa, Freek et al.

Did you send the abuse report(s) to ip-admin at mail.online.sh.cn as well?

Found this address via SpamCop (please see further below for
detailed info).

- Pete

    "Only one passion could drive me away from my habits of study;
                              but was it not also study?"
               Honoré de Balzac (1799-1850), French author.

SpamCop v 1.418.2.2 (C) Ironport Systems Inc., 1998-2005, All rights reserved.
Parsing input:
host (getting name) no name
Routing details for
Report routing for ip-admin at mail.online.sh.cn
Statistics: not listed in bl.spamcop.net
More Information..
  not listed in dnsbl.njabl.org
  not listed in dnsbl.njabl.org
  not listed in cbl.abuseat.org
  listed in dnsbl.sorbs.net ( )
  not listed in relays.ordb.org.
Reporting addresses:
ip-admin at mail.online.sh.cn
Reports routes for
routeid: 6375845 - to:
ip-admin at mail.online.sh.cn
Administrator interested in all reports

    Friday, July 30, 2004 09:37:26 +0300
    Corrupt notes were found here - combined raw data below:
    [Note added by, (no name)]
    I'm the admin who takes charge of the anti-spam work in my network.
    It appears that you send all the spam abuse to
    hostmaster at ns.chinanet.cn.net,
    which belongs to CHINANET (my headquarters), not CHINANET-SH. So I'd
    like to suggest you, please forward me all the spam abuse in the future, i
    these mails, they are evidence. For any further information, please feel
    free to write to me via this mail address.

    These IP ranges are under my control:

    Best regards,

    CHINANET-ShangHai IP Administrator

    Shanghai Telecom Corporation, CHINA
    ip-admin at mail.online.sh.cn
    *********************************************** 1069217531
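The pattern Freek describes (a steady trickle of UDP to 1026 and 1027 from one address, day after day) is something the firewall log shows long before a tcpdump of the payload does; those ports, together with 1028 and 1029, are where Windows Messenger-service pop-up spam normally arrives, which fits the "advertisement of a website" jayjwa found in the packets. The following is an added example and not code from the original thread or from anyone in it. It parses constructed iptables LOG lines (the addresses are from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24, the hostname "gw" is made up) and reports sources that hit those UDP ports on more than one day. The log format, the port set and the thresholds are assumptions; adjust them to your own logger.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG output (not from the original post).
# Source/destination addresses are documentation-range addresses.
SAMPLE_LOG = """\
Mar 28 03:12:44 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=742 PROTO=UDP SPT=1024 DPT=1026 LEN=722
Mar 28 03:12:44 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=742 PROTO=UDP SPT=1024 DPT=1027 LEN=722
Mar 28 09:40:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=742 PROTO=UDP SPT=1025 DPT=1026 LEN=722
Mar 28 11:02:13 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44321 DPT=1026 WINDOW=5840
Mar 28 12:15:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=78 PROTO=UDP SPT=53 DPT=1026 LEN=58
Mar 29 03:12:47 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=742 PROTO=UDP SPT=1024 DPT=1026 LEN=722
"""

# Pull the syslog date, source address, protocol and destination port out of
# one iptables LOG line.  Assumed format: "Mon DD HH:MM:SS ... SRC=a.b.c.d ...
# PROTO=UDP ... DPT=n".  Anything else (other daemons' lines) is skipped.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# UDP ports the Messenger-service pop-up spam targets; the two in the thread.
MESSENGER_PORTS = {1026, 1027}


def parse_line(line):
    """Return a small record for a firewall log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "day": f"{m['mon']} {int(m['day']):02d}",   # e.g. "Mar 28"
        "src": m["src"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def daily_counts(lines, ports=MESSENGER_PORTS):
    """Count UDP packets to the given ports, keyed by (source address, day).

    TCP hits on the same ports are ignored on purpose: the spam in the thread
    is UDP, and a TCP SYN to 1026 is ordinary scanning noise.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dpt"] not in ports:
            continue
        counts[(rec["src"], rec["day"])] += 1
    return dict(counts)


def persistent_sources(counts, min_days=2, min_per_day=1):
    """Return {src: {day: packets}} for sources seen on at least min_days days.

    A single burst from one host is just noise; what makes the thread's host
    worth an abuse report is that it comes back every day.  min_per_day lets
    you require a volume per day (the thread's host sent about 70).
    """
    by_src = defaultdict(dict)
    for (src, day), n in counts.items():
        if n >= min_per_day:
            by_src[src][day] = n
    return {src: days for src, days in by_src.items() if len(days) >= min_days}


if __name__ == "__main__":
    counts = daily_counts(SAMPLE_LOG.splitlines())
    for src, days in persistent_sources(counts).items():
        total = sum(days.values())
        print(f"{src}: {total} UDP packets to {sorted(MESSENGER_PORTS)} "
              f"over {len(days)} days: {days}")
```

Run against a real /var/log/messages (or whatever file your LOG target writes to) by replacing SAMPLE_LOG with the file's lines; raise min_per_day once you know your baseline so that a stray DNS reply landing on 1026 (the 198.51.100.9 line above) does not make the list. The per-(source, day) table is also the evidence you want to attach to an abuse report, since it shows persistence rather than a single packet.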
