Is hosting a phishing site and bouncing abuse reports..

---------- Forwarded message ----------
From: Alexander Harrowell <a.harrowell@gmail.com>
Date: Oct 31, 2006 2:38 PM
Subject: Phisher
To: abuse@rbnnetwork.org

We're receiving large volumes of comments spam advertising a site hosted in your network. http://onlineinvestmentworld.com is located at 81.95.146.166, which is your netblock:

inetnum: 81.95.144.0 - 81.95.147.255
netname: RBNET
descr: Russian Business Network
admin-c: RBNR-ORG
tech-c: RBNR-ORG
mnt-by: RBN-MNT
status: ASSIGNED PA
country: RU
remarks: INFRA-AW
changed: noc@rbnnetwork.com 20060

Tracert:

1 0 1 1 0.6 ms 66.36.240.2 AS14361 HOPONE-DCA c-vl102-d1.acc.dca2.hopone.net. 255 US Unix: 14:38:16.496
2 0 2 6 0.6 ms [+0ms] 66.36.224.232 AS0 IANA-RSVD-0 gec2.core1.dca2.hopone.net. 0 miles [+0] 254 US Unknown: 833f257b
3 0 0 1 0.7 ms [+0ms] 66.36.224.233 AS0 IANA-RSVD-0 gec2.core2.dca2.hopone.net. 0 miles [+0] 254 US Unix: 14:07:58.580
4 6 8 6 6.5 ms [+5ms] 198.32.160.102 AS0 IANA-RSVD-0 gi3-0.nyc-002-inter-1.interoute.net. 0 miles [+0] 253 US Unix: 14:37:46.936
5 * 75 77 74 ms [+67ms] 212.23.43.177 AS8928 INTEROUTE gi0-0.nyc-002-inter-1.interoute.net. 0 miles [+0] 248 GB Unix: 14:37:47. 45
6 * 75 75 74 ms [+0ms] 212.23.43.150 AS8928 INTEROUTE po3-0.lon-wal-core-2.interoute.net. 0 miles [+0] 250 GB Unix: 14:37:47.128
7 * 74 74 74 ms [+0ms] 217.118.119.26 AS8928 INTEROUTE te9-1.lon-wal-access-4.interoute.net. 0 miles [+0] 250 GB Unix: 14:37:47.162
8 * 85 78 78 ms [+3ms] 84.233.231.138 AS8928 INTEROUTE unknown.net.uk 0 miles [+0] 248 GB Unknown: 8100e8e2
9 * 124 125 124 ms [+46ms] 81.95.156.34 AS0 IANA-RSVD-0 gbit-eth-34-uk.sbttel.com. 0 miles [+0] 247 RU Unix: 14:37:16.972
10 * 125 124 124 ms [+0ms] 81.95.156.58 AS0 IANA-RSVD-0 oc-3-sbttel.rbnnetwork.com. 0 miles [+0] 55 RU Unix: 14:35:47.772
11 * 143 149 143 ms [+19ms] 81.95.146.166 ASN=40989[Destination Unreachable] ip-146-166.rbnnetwork.com.
Alexander Harrowell wrote:
Is hosting a phishing site and bouncing abuse reports..
Not so strange, gmail addresses are being used a lot for spam sources. With the description you gave, I would also ignore it, it's a miracle that the spamfilter didn't drop it dead on the floor in the first place, especially as you are spamvertizing a certain website ;) Let's see what you should do differently the next time you try to report something:
---------- Forwarded message ---------- From: Alexander Harrowell <a.harrowell@gmail.com>
Don't use gmail, use a real address, not something which everybody can create on the fly, at random and throw away again. That gives you some credit that you are not trying to fake somebody else. Having your full name instead of barbylover666 is a good part though, gmail isn't.
Date: Oct 31, 2006 2:38 PM Subject: Phisher
Phisher? Is that it? Let's assume you have to handle abuse@ and you get 1000 mails a day from silly automated tools, seeing 'Phisher' as the only thing in the subject from a person from gmail will simply trigger only one action: [del]. In the 'description' below you write that they are doing comment spam. Phishing != comment spam. A better subject would have been: "Spamvertized website at <$ip> in your <$ispnet>, ASxxxx". Having the ASN in there gives some credibility.
To: abuse@rbnnetwork.org
We're receiving large volumes of comments spam advertising a site hosted in your network. http://onlineinvestmentworld.com is located at 81.95.146.166, which is your netblock: inetnum: 81.95.144.0 - 81.95.147.255
Who is "We"? Gmail? When reporting something it is actually useful to show proof somewhere, thus simply point to the websites in question. As those websites are yours you most likely also have logs of those sites, then you can also contact the ISPs who are actually spamming the comments.

<SNIP RIPE object>

They know who they are, so you don't have to repeat that. As this message, according to you, bounced, you could also have tried the admin and tech handles. Although in this case that leads only to support@rbnnetwork.com. Email-wise you are thus out of luck, but those handles do contain phone numbers, which you can use then to resolve this.

Another way, instead of calling (which might be horrible if you don't speak Russian ;) is to check their peers and transits: http://www.robtex.com/as/as40989.html which tells you that it is a very small company with only one /22, they are pretty new to the game and some other things. As they are a small ISP, they clearly have a transit and you can always contact them if they don't reply to your mails or they simply drop them on the floor.

If you would have done a whois on rbnnetwork.com you would have found another email address and strangely, a US address and phone number. They are not so Russian as they seem like after all ;)

<SNIP traceroute>

What does a traceroute do at all? It might be handy only in the case where some IP hijack is in progress, but in that case you can always do a BGPPlay using RIPE's RIS to figure out where it came from.

Last but not least: there are dedicated spam etc. reporting sites. Afaik Nanog is not that place. Unless your network went down because an ISP was overloading you with traffic of course ;)

Greets,
Jeroen
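[Added example, not part of the original thread or any participant's message.] The reply above suggests a subject line of the form "Spamvertized website at <$ip> in your <$ispnet>, ASxxxx" and falling back to the admin and tech handles when abuse@ bounces. The sketch below parses the RIPE object quoted in the original report, checks that the reported IP really sits in that netblock, and builds that subject plus the fallback contact leads. The function names are hypothetical; the IP, netblock and AS number are the ones shown in the thread.

```python
import ipaddress

# RIPE inetnum object exactly as quoted in the original report on this page.
RIPE_OBJECT = """\
inetnum: 81.95.144.0 - 81.95.147.255
netname: RBNET
descr: Russian Business Network
admin-c: RBNR-ORG
tech-c: RBNR-ORG
mnt-by: RBN-MNT
status: ASSIGNED PA
country: RU
remarks: INFRA-AW
changed: noc@rbnnetwork.com 20060
"""

def parse_rpsl(text):
    """Parse 'key: value' lines into {key: [values]}; keys may repeat."""
    obj = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            obj.setdefault(key.strip().lower(), []).append(value.strip())
    return obj

def ip_in_inetnum(ip, inetnum):
    """True if ip falls inside an 'a.b.c.d - e.f.g.h' inetnum range."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return first <= ipaddress.ip_address(ip) <= last

def build_report_header(ip, asn, obj):
    """Return the subject line and fallback contact leads for a report.

    Raises ValueError if the IP is outside the block, so a report is never
    sent to a network that does not hold the address.
    """
    block = obj["inetnum"][0]
    if not ip_in_inetnum(ip, block):
        raise ValueError(f"{ip} is not inside {block}")
    subject = f"Spamvertized website at {ip} in your {obj['netname'][0]}, AS{asn}"
    # admin-c / tech-c handles are the fallbacks named in the reply.
    handles = sorted(set(obj.get("admin-c", []) + obj.get("tech-c", [])))
    # Assumption: an address in 'changed:' is only a lead, not an abuse contact.
    emails = [w for v in obj.get("changed", []) for w in v.split() if "@" in w]
    return {"subject": subject, "handles": handles, "emails": emails}

if __name__ == "__main__":
    print(build_report_header("81.95.146.166", 40989, parse_rpsl(RIPE_OBJECT)))
```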
* Alexander Harrowell:
66.36.240.2 AS14361 HOPONE-DCA c-vl102-d1.acc.dca2.hopone.net. 255 US Unix: 14:38:16.496 2 0 2 6 0.6 ms [+0ms]
Uhm, are you a Hop One customer? In this case, it's a bit ... strange that you complain about malicious services hosted on other people's networks.
Alexander Harrowell wrote:
Is hosting a phishing site and bouncing abuse reports..
---------- Forwarded message ---------- From: Alexander Harrowell <a.harrowell@gmail.com> Date: Oct 31, 2006 2:38 PM Subject: Phisher To: abuse@rbnnetwork.org
We're receiving large volumes of comments spam advertising a site hosted in your network. http://onlineinvestmentworld.com is located at 81.95.146.166, which is your netblock: inetnum: 81.95.144.0 - 81.95.147.255 netname: RBNET descr: Russian Business Network admin-c: RBNR-ORG tech-c: RBNR-ORG mnt-by: RBN-MNT status: ASSIGNED PA country: RU remarks: INFRA-AW changed: noc@rbnnetwork.com 20060
Alexander,

Please contact our Abuse department at abuse@hopone.net with your complaint. Or online at http://abuse.hopone.net/

Thanks
-Bill

--
Bill Sehmel - bsehmel@HopOne.net -- 1-206-242-2743
Systems Administrator, HopOne Internet Corp. SEA2 NOC
Bandwidth & full range of carrier/web host colo + networking services: http://www.hopone.net ASN 14361
participants (4)
- Alexander Harrowell
- Bill Sehmel
- Florian Weimer
- Jeroen Massar