Re: Wired mag article on spammers playing traceroute games with trojaned boxes

Actually, in the case of the wired article (removeform.com), it seems to be connected to a site in Florida. I asked my programmer (gabor@sentex.net) to decode the obfuscated java script/page that is served up by one of the zombies (On FreeBSD fetch -B 18192 -o danger.html http://www.removeform.com/d - I got it from 207.5.215.72 at the time). I have attached it as a zip file with its contents. You will note that the form post goes back to
form action="http://207.36.47.68/cgi-bin/addinfo.cgi"
OrgName: CyberGate, Inc.
OrgID: CYBG
Address: 3250 W. Commercial Blvd. Suite 200
City: Ft. Lauderdale
StateProv: FL
PostalCode: 33309
Country: US
This appears to be a rather prolific spammer. At first I thought they were affiliated with www.skynetweb.com because they have the same address, including suite number, but it now appears that they are really affiliated with these guys:
http://www.affinity.com/about/our_team/our_team.htm
John --
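
The check described in the message above, comparing where a decoded page's form posts against the host that served it, as an added example that is not part of the original thread. The sample markup, its second form and the function names are constructed for illustration; only the page URL and the form action URL come from the post.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for an already-decoded page; only the first form's
# action URL is taken from the post, everything else is illustrative.
SAMPLE_HTML = """
<form method="post" action="http://207.36.47.68/cgi-bin/addinfo.cgi">
  <input type="text" name="email"><input type="submit">
</form>
<form action="/unsubscribe"><input name="email"></form>
"""

class FormActionParser(HTMLParser):
    """Collect the action attribute of every <form> tag."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A form with no action posts back to the page itself.
            self.actions.append(dict(attrs).get("action") or "")

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_form_targets(html, page_url):
    """Return one finding per form: resolved target, off-host?, bare IP?"""
    parser = FormActionParser()
    parser.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # resolve relative actions
        host = (urlsplit(target).hostname or "").lower()
        findings.append({"target": target, "off_host": host != page_host,
                         "ip_literal": is_ip_literal(host)})
    return findings

if __name__ == "__main__":
    for f in audit_form_targets(SAMPLE_HTML, "http://www.removeform.com/d"):
        print(f)
```

A form whose target is both off-host and a bare IP address is the pattern the post points out; the off-host address is then what gets looked up in whois.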

On Thu, 9 Oct 2003, John Neiberger wrote:
Doing some Googling on tubul I found:
WAP S.A.
Katarzyna Piatek (tubul at wp.pl)
+48.327811019
FAX- +48.327811025
Opolska 22
Katowice, 40-084
PL
-Hank
Actually, in the case of the wired article (removeform.com), it seems to be connected to a site in Florida. I asked my programmer (gabor@sentex.net) to decode the obfuscated java script/page that is served up by one of the zombies (On FreeBSD fetch -B 18192 -o danger.html http://www.removeform.com/d - I got it from 207.5.215.72 at the time). I have attached it as a zip file with its contents. You will note that the form post goes back to
form action="http://207.36.47.68/cgi-bin/addinfo.cgi"
OrgName: CyberGate, Inc.
OrgID: CYBG
Address: 3250 W. Commercial Blvd. Suite 200
City: Ft. Lauderdale
StateProv: FL
PostalCode: 33309
Country: US
This appears to be a rather prolific spammer. At first I thought they were affiliated with www.skynetweb.com because they have the same address, including suite number, but it now appears that they are really affiliated with these guys:
http://www.affinity.com/about/our_team/our_team.htm
John --
Hank Nussbacher

John Neiberger writes on 10/10/2003 1:12 AM:
This appears to be a rather prolific spammer. At first I thought they were affiliated with www.skynetweb.com because they have the same address, including suite number, but it now appears that they are really affiliated with these guys:
Affinity is a large - and extremely spammer infested - webhost. They do happen to have quite a few legitimate customers though.
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations

On Thu, 2003-10-09 at 16:41, Suresh Ramasubramanian wrote:
Affinity is a large - and extremely spammer infested - webhost. They do happen to have quite a few legitimate customers though.
That's simple to overcome. You notify those legitimate customers that they are doing business with an irresponsible provider. Surely there are providers on this list that would welcome the legitimate customers with open arms.
-Jim P.
participants (4)
- Hank Nussbacher
- Jim Popovitch
- John Neiberger
- Suresh Ramasubramanian