Anyone else have any information on this?

---------- Forwarded message ----------
Date: Mon, 26 May 1997 04:09:32 -0700
From: Babu Mengelepouti <dialtone@vcn.bc.ca>
Newsgroups: comp.dcom.telecom
Subject: Spamford Getting Service From Cable & Wireless?

Spamford appears to be multi-homed, if the research I have done is any indication. I took the novel approach of looking up who owns the IP blocks that his nameservers run on. His nameservers are easily obtainable by a simple whois:

Cyber Promotions, Inc (CYBERPROMO-DOM)
   8001 Castor Avenue Suite #127
   Philadelphia, PA 19152
   US

   Domain Name: CYBERPROMO.COM

   Administrative Contact, Technical Contact, Zone Contact:
      Wallace, Sanford (SW1708) domreg@CYBERPROMO.COM
      215-628-9780
   Billing Contact:
      Wallace, Sanford (SW1708) domreg@CYBERPROMO.COM
      215-628-9780

   Record last updated on 24-Jan-97.
   Record created on 26-Apr-96.
   Database last updated on 25-May-97 04:56:34 EDT.

   Domain servers in listed order:

   NS7.CYBERPROMO.COM 205.199.2.250
   NS5.CYBERPROMO.COM 205.199.212.50
   NS8.CYBERPROMO.COM 207.124.161.65
   NS9.CYBERPROMO.COM 207.124.161.50

Well, starting with ns7.cyberpromo.com, it's no surprise:

Whois: net 205.199.2
AGIS/Net99 (NETBLK-NET99-BLK4) NET99-BLK4 205.198.0.0 - 205.199.255.0
Cyber Promotions Inc (NETBLK-CYBERPROMO-205-199B) CYBERPROMO-205-199B 205.199.2.0 - 205.199.2.255

And the same for ns5.cyberpromo.com...

Whois: whois net 205.199.212
AGIS/Net99 (NETBLK-NET99-BLK4) NET99-BLK4 205.198.0.0 - 205.199.255.0
Cyber Promotions Inc (NETBLK-CYBERPROMO-205-199) CYBERPROMO-205-199 205.199.212.0 - 205.199.212.255

But wait? Is spamford multihoming? A Cable & Wireless Class C block!

Whois: net 207.124.161
Cable & Wireless, Inc. (NETBLK-NET3-CWI-NET) NET3-CWI-NET 207.124.0.0 - 207.124.255.255
IDCI (NETBLK-CWI-IDCI2) CWI-IDCI2 207.124.160.0 - 207.124.164.255
IDCI (NETBLK-IDCI-BLK-11) IDCI-BLK-11 207.124.161.0 - 207.124.162.255

But strangely, it doesn't resolve...

  1 2427 ms 2135 ms 2716 ms Max18.Seattle.WA.MS.UU.NET [207.76.5.24]
  2 1235 ms 929 ms 477 ms Ar1.Seattle.WA.MS.UU.NET [207.76.5.3]
  3 175 ms 167 ms 623 ms Fddi0-0.CR1.SEA1.Alter.Net [137.39.33.41]
  4 213 ms 263 ms 265 ms 110.Hssi4-0.CR1.TCO1.Alter.Net [137.39.69.121]
  5 271 ms 264 ms 597 ms 313.atm1-0.gw1.tco1.alter.net [137.39.21.153]
  6 258 ms 990 ms 244 ms cwix2-gw.customer.ALTER.NET [137.39.184.82]
  7 739 ms 482 ms 655 ms nyd-7513-1-h4-0.cwix.net [207.124.104.50]
  8 581 ms 257 ms 490 ms ny1-7000-02-f0/0.cwi.net [205.136.191.228]
  9 634 ms 1044 ms 1183 ms ny1-7000-01-f4/0.cwi.net [205.136.191.227]
 10 580 ms 358 ms 297 ms idci-cwi.cwi.net [205.136.226.210]
 11 232 ms 731 ms 302 ms phl-bcn1-client-router.idci.net [205.136.21.3]
 12 1267 ms 1197 ms 899 ms 146.145.254.62
 13 * * * Request timed out.
 14 * * * Request timed out.
 15 * * * Request timed out.

And another!

Whois: net 207.124.161
Cable & Wireless, Inc. (NETBLK-NET3-CWI-NET) NET3-CWI-NET 207.124.0.0 - 207.124.255.255
IDCI (NETBLK-CWI-IDCI2) CWI-IDCI2 207.124.160.0 - 207.124.164.255
IDCI (NETBLK-IDCI-BLK-11) IDCI-BLK-11 207.124.161.0 - 207.124.162.255
^^^^^^^^^^^^^^^^^^^^^^^^^

What is IDCI, I wonder? This one doesn't resolve either.

  1 532 ms 188 ms 168 ms Max18.Seattle.WA.MS.UU.NET [207.76.5.24]
  2 1284 ms 2128 ms 2321 ms Ar1.Seattle.WA.MS.UU.NET [207.76.5.3]
  3 3037 ms 2575 ms 453 ms Fddi0-0.CR1.SEA1.Alter.Net [137.39.33.41]
  4 634 ms 475 ms 241 ms 110.Hssi4-0.CR1.TCO1.Alter.Net [137.39.69.121]
  5 887 ms 1357 ms 929 ms 313.atm1-0.gw1.tco1.alter.net [137.39.21.153]
  6 508 ms 447 ms 260 ms cwix2-gw.customer.ALTER.NET [137.39.184.82]
  7 284 ms 275 ms 270 ms nyd-7513-1-h4-0.cwix.net [207.124.104.50]
  8 610 ms 495 ms * ny1-7000-02-f0/0.cwi.net [205.136.191.228]
  9 300 ms 264 ms 683 ms ny1-7000-01-f4/0.cwi.net [205.136.191.227]
 10 621 ms 233 ms 275 ms idci-cwi.cwi.net [205.136.226.210]
 11 275 ms 250 ms 767 ms phl-bcn1-client-router.idci.net [205.136.21.3]
 12 648 ms 954 ms 647 ms 146.145.254.58
 13 * * * Request timed out.
 14 * * * Request timed out.
 15 * * * Request timed out.
 16 * * * Request timed out.

Could Spamford have another provider up his sleeve? I wonder if Cable & Wireless is planning to give him a link when Agis finally bites the bullet and drops him. I could drop a couple of suggestions. Performing traceroutes into random addresses in his class C blocks revealed some very interesting results.

And finally, even though he has disabled nslookup on most of his machines, he forgot one ... So here ya go. nslookups on his most infamous domains...

answerme.com. SOA answerme.com hostmaster.cyberpromo.com. (1 17 172800 3600 1728000 172800)
answerme.com. NS ns7.cyberpromo.com
answerme.com. NS ns9.cyberpromo.com
answerme.com. MX 5 answerme.com
answerme.com. A 205.199.212.8
localhost A 127.0.0.1
ftp CNAME answerme.com
news CNAME answerme.com
www CNAME cybermirror1.com
answerme.com. SOA answerme.com hostmaster.cyberpromo.com. (1 17 172800 3600 1728000 172800)

cybermirror1.com. SOA cybermirror1.com hostmaster.cyberpromo.com . (117 172800 3600 1728000 172800)
cybermirror1.com. NS ns7.cyberpromo.com
cybermirror1.com. NS ns9.cyberpromo.com
cybermirror1.com. MX 5 cybermirror1.com
cybermirror1.com. A 205.199.2.248
answerme A 205.199.212.8
news CNAME cybermirror1.com
localhost A 127.0.0.1
www CNAME cybermirror1.com
auto1 A 205.199.212.36
auto2 A 207.124.161.91
auto3 A 207.124.161.78
ftp CNAME cybermirror1.com
cybermirror1.com. SOA cybermirror1.com hostmaster.cyberpromo.com . (117 172800 3600 1728000 172800)

cyberpromo.com. SOA cyberpromo.com hostmaster.cyberpromo.com. (126 172800 3600 1728000 172800)
cyberpromo.com. NS ns7.cyberpromo.com
cyberpromo.com. NS ns9.cyberpromo.com
cyberpromo.com. MX 5 cyberpromo.com
cyberpromo.com. MX 10 cyberpromo.com
cyberpromo.com. A 205.199.212.36
news CNAME cyberpromo.com
ns5 A 205.199.212.50
ns5 MX 10 ns5.cyberpromo.com
ns7 MX 10 cyberpromo.com
ns7 A 205.199.2.250
ns8 A 207.124.161.65
ns8 MX 10 ns8.cyberpromo.com
localhost A 127.0.0.1
localhost A 205.199.212.36
localhost MX 10 cyberpromo.com
ns9 A 207.124.161.51
ns9 MX 10 ns9.cyberpromo.com
www A 205.199.2.247
ftp CNAME cyberpromo.com
cyberpromo.com. SOA cyberpromo.com hostmaster.cyberpromo.com. (126 172800 3600 1728000 172800)

ispam.net. SOA ispam.net hostmaster.cyberpromo.com. (113 172800 3600 1728000 172800)
ispam.net. NS ns7.cyberpromo.com
ispam.net. NS ns9.cyberpromo.com
ispam.net. A 205.199.212.34
ispam.net. MX 5 ispam.net
localhost A 127.0.0.1
ftp CNAME ispam.net
news CNAME ispam.net
www CNAME cyberpromo.com
ispam.net. SOA ispam.net hostmaster.cyberpromo.com. (113 172800 3600 1728000 172800)

keepmailing.com. SOA keepmailing.com hostmaster.cyberpromo.com. (111 172800 3600 1728000 172800)
keepmailing.com. NS ns7.cyberpromo.com
keepmailing.com. NS ns9.cyberpromo.com
keepmailing.com. MX 5 keepmailing.com
keepmailing.com. A 205.199.212.30
localhost A 127.0.0.1
ftp CNAME keepmailing.com
news CNAME keepmailing.com
www CNAME keepmailing.com
keepmailing.com. SOA keepmailing.com hostmaster.cyberpromo.com. (111 172800 3600 1728000 172800)

Happy umm ... exploring. Of course, I would NEVER want ANYONE to even THINK of doing anything malicious with this information. HACKING IS ILLEGAL! I love Jeff Slaton. I love Spamford. They help the economy. AGIS is our friend.

   .
  /|\
 //|\\    Welcome to the rainforest...
///|\\\   dialtone@vcn.bc.ca

[TELECOM Digest Editor's Note: Thank you very much for passing that information along. Anyone from Cable & Wireless want to look into things from that side and give us a followup? PAT]

-----End of forwarded message-----

--
Carpe Dieum: Seize the Day!
Carpe Beerum: Seize the Beer!
Beerum Carpe: Get the fish drunk!

At 08:33 AM 5/28/97 -0500, you wrote:
> Anyone else have any information on this?

(re: Spamford's C&W connection)

I saw it a while back, and immediately blocked all mail from that class C. I haven't had complaints yet :-). The error message given in these cases is along the lines of "if this error is wrong contact postmaster@..." which is (mostly) never filtered here.

--
Jason Fesler jfesler@calweb.com 'whois jf319'        | "Time is an illusion;
Admin, CalWeb Internet Services www.calweb.com       | lunchtime, doubly so."
Junk email returned in bulk; 1 cc to your postmaster | -Ford Prefect in HHGTTG
Junk mail probs? http://www.gigo.com/junkmail.htm    | by Douglas Adams

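An added example, not part of the original post or any poster's configuration: a recipient-time policy check that refuses mail from one blocked /24 with an error naming a contact, and leaves the postmaster address unfiltered so false positives can be reported. It assumes the block meant is the 207.124.161.x range from the forwarded whois output; the function name, reply texts and postmaster@example.net are placeholders.

```python
import ipaddress

# Assumption: "that class C" is the 207.124.161.x block from the forwarded
# whois output. A class C network is a /24.
BLOCKED_NETS = [ipaddress.ip_network("207.124.161.0/24")]

# Placeholder contact; the post elides the real address ("postmaster@...").
POSTMASTER = "postmaster@example.net"


def smtp_policy(client_ip, rcpt):
    """Return (code, text) for a RCPT TO issued by the connecting client_ip."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        # Unparseable peer address: temporary failure rather than guess.
        return 451, "4.3.0 Cannot determine client address"

    # A dual-stack listener may report IPv4 peers as ::ffff:a.b.c.d;
    # unwrap them so the IPv4 block still applies.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    # Mail to postmaster is exempt, otherwise a wrongly blocked sender
    # could never reach the contact named in the rejection text.
    if rcpt.strip("<> ").lower() == POSTMASTER:
        return 250, "2.1.5 Recipient OK"

    for net in BLOCKED_NETS:
        if addr.version == net.version and addr in net:
            return 550, ("5.7.1 Mail from %s refused; if this error is "
                         "wrong contact %s" % (net, POSTMASTER))
    return 250, "2.1.5 Recipient OK"


if __name__ == "__main__":
    # Constructed sample connections (addresses appear in the thread).
    for ip, rcpt in [("207.124.161.54", "user@example.net"),
                     ("207.124.161.54", "<postmaster@example.net>"),
                     ("205.199.212.36", "user@example.net")]:
        print(ip, rcpt, smtp_policy(ip, rcpt))
```
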
> Anyone else have any information on this?

Cyber Promotions has a machine at IDCI in New Jersey, IP address 207.124.161.54, which identifies itself as relay5.ispam.net. It appears to be a generic Unix box running a version of sendmail that adds the stupid "CLOAKED" header to mail that it relays. IDCI gets its feed from CWI which is in turn fed by Alternet.

If you complain to IDCI about being spammed, you'll get a sanctimonious form letter from their Mr. Mossholder which makes the laughable claim that there's no legal basis on which he could terminate a spammer's account even if he wanted to. CWI seems to have forgotten that they have an ISP subsidiary; people have trouble finding anyone connected to it.

You may recall that Cyber Promotions signed up a bunch of "bandwidth partners" on whose networks CP located PCs so CP could evade the router blocks against CP's home network. As far as I can tell, IDCI is the only one they have left.

This is straying away from NANOG; there's plenty of discussion of this on n.a.n-a.e and the various e-mail lists about spam.

--
John R. Levine, IECC, POB 640 Trumansburg NY 14886 +1 607 387 6869
johnl@iecc.com, Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47

participants (3)
- Brett Hawn
- Jason Fesler
- johnl@iecc.com