[63712] in North American Network Operators' Group


Re: Wired mag article on spammers playing traceroute games

daemon@ATHENA.MIT.EDU (Mike Tancsa)
Thu Oct 9 15:11:38 2003

Date: Thu, 09 Oct 2003 14:36:53 -0400
To: andy@ellifson.com, Hank Nussbacher <hank@att.net.il>,
	Suresh Ramasubramanian <suresh@outblaze.com>
From: Mike Tancsa <mike@sentex.net>
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu



Looks like attachments won't go through, so I will repost without the 
attachment. If anyone wants a copy, let me know.

         ---Mike


At 01:28 PM 09/10/2003, Andy Ellifson wrote:


>Oops... Try this again...
>
>And as soon as you call law enforcement what happens?  The spammer is
>located offshore.  Then what?

Actually, in the case of the Wired article (removeform.com), it seems to be 
connected to a site in Florida.  I asked my programmer (gabor@sentex.net) 
to decode the obfuscated JavaScript/page that is served up by one of the 
zombies (On FreeBSD fetch -B 18192 -o danger.html 
http://www.removeform.com/d - I got it from 207.5.215.72 at the time).  I 
have attached it as a zip file with its contents. You will note that the 
form post goes back to

form action="http://207.36.47.68/cgi-bin/addinfo.cgi"


OrgName:    CyberGate, Inc.
OrgID:      CYBG
Address:    3250 W. Commercial Blvd. Suite 200
City:       Ft. Lauderdale
StateProv:  FL
PostalCode: 33309
Country:    US

         ---Mike




>--- Hank Nussbacher <hank@att.net.il> wrote:
> >
> > On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
> >
> > > * "Follow the money" - find out the spammer / the guy who he spams
> > for,
> > > from payment information etc. Sic law enforcement on them.
> > >
> > >     srs
> >
> > I think we can all safely assume that the people behind this are most
> > probably on NANOG or reading the archives and are now aware of your
> > idea
> > :-)
> >
> > -Hank
> >

