[Dshield] some fishy IM messages and the reply from Supportindeed.com...

Mark Guiney froynlaven at gmx.net
Mon Dec 1 07:32:28 GMT 2008


1. I recently sent this abuse report to tinyurl and supportindeed.com:

/*
tinyurl:

someone on my chat list is apparently infected with something that is
using tinyurl links...

1.
http://tinyurl.com/66e57y

target = http://9784631.getenjoyment.net/


2.
http://tinyurl.com/6d8a4u

target = http://8568477.mywebcommunity.org/


please kill these links to help avoid the spread of the attack


abuse at supportindeed.com:

you appear to host both targets listed above. If the target URL
contains hostile code and/or spam, the content is a clear violation of
your TOS (section 12).

Both domains have the same admin/abuse contact, and for all I know,
the attacker is at that address. Please follow up and remove the
content.

Many thanks,
-Mark
*/

2. I got this reply:

/*
Hello Mark,

We apologize for the delayed reply.
Not quite sure how these URLs turned out to be hosted with us, but they
surely resolve to servers that are not a part of our network. Please
provide us with more details about the issue so that we can assist you
properly. If I am mistaken, please feel free to correct me. Thank you.


Best Regards,
George

*SupportIndeed* Abuse Department
_abuse at supportindeed.com_
*/

3. from my desktop:
/*
C:\>tracert getenjoyment.net

Tracing route to getenjoyment.net [82.197.130.15]
over a maximum of 30 hops:

 1     1 ms     1 ms     1 ms  ^C
C:\>tracert mywebcommunity.org

Tracing route to mywebcommunity.org [82.197.130.15]
over a maximum of 30 hops:

 1     1 ms     1 ms     3 ms  ^C
C:\>tracert supportindeed.com

Tracing route to supportindeed.com [82.197.130.15]
over a maximum of 30 hops:

 1     2 ms     1 ms     1 ms  ^C
C:\>
*/

So, a 'chat' buddy I haven't chatted with in months begins sending 'hey,
check this out' messages with tinyurl links.
I assume it's an infection, check the tinyurl targets, and do a whois on
each domain; both have nearly identical whois records (I used
DomainTools.com). I figure the admin/abuse contact may be complicit,
and go directly to the abuse contact at the hosting company.
I think that the response I get from the host means "that content is
not on our servers", though I think it is not worded clearly.
Yet the traces confirm the two targets resolve to the same IP as supportindeed.com.

I'm thinking that, assuming this is spam or malicious code,
supportindeed.com is the host (if not of the content, then of the
servers that redirect to the content), and the abuse contact is aware
of this and having a little fun at my expense.
Or am I missing something?

Thanks,
-Mark

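The checks described in the post (expand the tinyurl links without visiting the target, resolve each hostname, and compare the addresses the tracert headers report), written up as an added example. This is not code from the post, from DShield or from any of the parties named; the tracert text embedded below is constructed to match the shape of the header lines quoted above, using the hostnames and address from the post, and the resolver and HTTP opener are injectable so the functions can be exercised against a fixed table instead of live DNS or the live tinyurl service.

```python
"""Cross-check where short-link targets actually resolve.

Added example: parse tracert header lines, resolve hostnames, group the
ones sharing an address, and expand a short URL via HEAD without
following the redirect. Sample data is constructed, not captured live.
"""
import re
import socket
import urllib.error
import urllib.request
from collections import defaultdict

# Constructed sample: the header lines Windows `tracert` prints, in the
# same shape as the ones quoted in the post. The hop lines are not needed
# for this check, so they are omitted.
SAMPLE_TRACERT = """\
Tracing route to getenjoyment.net [82.197.130.15]
over a maximum of 30 hops:

Tracing route to mywebcommunity.org [82.197.130.15]
over a maximum of 30 hops:

Tracing route to supportindeed.com [82.197.130.15]
over a maximum of 30 hops:
"""

HEADER_RE = re.compile(r"Tracing route to (\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_tracert_headers(text):
    """Return {hostname: ip} from the 'Tracing route to host [ip]' lines."""
    return {m.group(1): m.group(2) for m in HEADER_RE.finditer(text)}


def resolve_hosts(hosts, resolver=socket.gethostbyname):
    """Resolve each host to an IPv4 address; lookup failures map to None.

    `resolver` is injectable so the function can run against a fixed
    table; the default queries live DNS.
    """
    out = {}
    for host in hosts:
        try:
            out[host] = resolver(host)
        except OSError:
            out[host] = None
    return out


def group_by_ip(host_to_ip):
    """Invert {host: ip} into {ip: [hosts]} so shared addresses stand out."""
    groups = defaultdict(list)
    for host, ip in host_to_ip.items():
        if ip is not None:
            groups[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def shared_addresses(host_to_ip):
    """Return only the addresses that more than one hostname resolves to."""
    return {ip: hosts for ip, hosts in group_by_ip(host_to_ip).items()
            if len(hosts) > 1}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the target page is never fetched."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def expand_short_url(url, opener=None):
    """Return the Location a short URL redirects to, without following it.

    Sends a HEAD request. With redirects disabled, urllib raises HTTPError
    for a 3xx answer; its Location header is the expanded target. Pass
    `opener` to substitute a fake for offline use.
    """
    opener = opener or urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.headers.get("Location")  # no redirect at all: None
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


if __name__ == "__main__":
    hosts_from_trace = parse_tracert_headers(SAMPLE_TRACERT)
    for ip, hosts in shared_addresses(hosts_from_trace).items():
        print(ip, "is shared by:", ", ".join(hosts))
```

A shared address only shows that the names land on the same machine or front end; on its own it does not say who put the content there, so the whois and abuse-contact steps from the post are still the part that identifies an operator.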
