Wednesday, August 29, 2007

Bits and Pieces about This and That

Those DDoS attacks kind of piss me off. Not that spam-court is that important. In the big picture, this site is hardly worth mentioning at all. You have probably never seen a site with so few hits, except when it's DDoS time.
Search engines and robots like spam-court.com though. That could explain why the spammers at bulkerforum.biz dislike the site. So much so that they have initiated four attacks on the site (or is it five? I have lost count).
The simple fact that this is criminal activity pisses me off.

I would like to see some of the members of bulkerforum go down. Hard.
Especially the moderators. Swank, Phantom and Crypto.

Rumors are going around that Swank is a bit more active than we at spam-court.com thought a few months ago.
He is an American and it should be possible to take him down. The authorities are a bit more interested in guys like him now than only a few years back. His identity is known. The rest should be relatively easy.

Phantom is from Australia. He is slippery and there are different opinions about who he is. His own bragging is probably what has led to his identification. By us. But we can't quite believe it ourselves; it seems a bit unlikely. Little pieces and fractions of info from here and there, coupled together, give a preliminary picture of a small corner of the puzzle. Others disagree and have their own opinion.
Time will tell. He is being watched, and we think that in the long run the only way to avoid identification is going out of business. But he is not "ezy" to find and he "magically" disappears when you think you've got him. And we don't know how concerned the authorities in Australia are regarding this kind of criminal activity.

Crypto, the Moldovan expert on copyright and hacking, will probably live peacefully. I don't think the authorities there will go after him.

Bulkerforum.biz also has an admin. In the beginning we thought it could be Crypto, but their writing styles are different.
Their mistreatment of the English language is different too. We have an idea about who he is. Or, more correctly, in what branch of the spamming business he operates. He is probably a Russian, living in Russia. Usually that means he can do what he wants.

A few of the other members of the forum are a bit interesting too. But the forum has turned into a comedy lately. Scamming each other, paranoia is spreading, there is talk about starting another forum, etc. Social engineering is out of the question; they are seeing ghosts in broad daylight. Our sources dried up too.

We never thought the spammers would resort to DDoS-ing spam-court.com. That was very naive and stupid. The site is hosted in a shared environment, which is not a good idea when you are the victim of an attack. A DDoS can affect other users on Dreamhost's servers. That is our main concern. Not spam-court going down, we can live with that. Dreamhost support has been fantastic during the attacks and we are wondering if there is any host like that out there at all. But in the long run we don't think it can be hosted on a shared server. And a dedicated server is out of the question. So we are going somewhere in the middle, which means that spam-court may go down, but it will not affect the other users. Hopefully.

New content is possible from the middle of September.
If the site is still up.
If not, some of the old content and new stuff will be up at http://ducksintworows.blogspot.com/ , http://veruccawatcher.blogspot.com/ and a couple of other places.

admin - bulker.biz

Coming!
The admin of bulkerforum.biz, where the criminals gather.
He is running bulker.biz, some may know him as e-bulker or ebulker too.
mybulker.biz is his too.

From one of his "newsletter" postings on bulkerforum:

================ TOP Products ==============

- Viagra
- Cialis Soft
- Cialis + Viagra
- Viagra Soft
- Cialis
- Ambien
- Soma
- HGH

================ TOP Domains ============

- yahoo.com
- aol.com
- hotmail.com
- comcast.net
- sbcglobal.net
- cox.net
- earthlink.net
- bellsouth.net
- msn.com
- gmail.com

Best Regards, Bulker.Biz Team

Mailto: support@bulker.biz
ICQ: 333192431
Skype: BulkerSupport

So there you have the admin's "products" and to what domains they are mailing. Good luck in catching him.

He kind of revealed himself in a recent posting on bulkerforum.
I cannot remember seeing a post from admin where he gets directly involved (I am most likely wrong), but when someone complained about not getting payment from "bulker", "admin" could not shut up:

bulker never pay frauders. die looser

And Crypto licks the admin's ass:

agree

Whois info for bulker.biz and mybulker.biz says "Hasan Aly Polat".
For reasons unknown, we can't believe that this is true.
Both Veru and I have strong reasons to believe that this guy's first name is "Alex".
For some of you this was probably already known, no shock there.
Or could there be one Russian and one Turk? We don't know. Yet.

Just continue those attacks on spam-court.com and we will find motivation to dig and publish more.

DDOS again - August 18, 2007

The site went live again on August 14.
It sat there quietly, almost no hits. Which means mainly search engines and some RSS readers.
Except for that, almost nothing. Several hours between hits.

Then another DDoS started a couple of hours ago (according to the log: 18/Aug/2007:11:16:11 -0700).

As I said, almost no hits.
Just a few minutes before the attack started, there was a hit from this IP: 83.174.246.78:

inetnum: 83.174.240.0 - 83.174.255.255
netname: DSL-POOL
descr: Bashinformsvyaz Company, RUMS, DSL POOL
country: RU
admin-c: IHK1-RIPE
tech-c: AAR21-RIPE
status: ASSIGNED PA
mnt-by: RUMS-MNT
source: RIPE # Filtered

person: Ilgiz H Kalmetev
address: Lenin street, 30, RUMS
address: RUSSIA, 450000, Ufa city
phone: +7 3472 001331
nic-hdl: IHK1-RIPE
e-mail: ilgiz@bashtelecom.ru
source: RIPE # Filtered

person: Alexei A. Roumyantsev
address: JSC Bashinformsvyaz
address: Lenin street, 30, RUMS
address: RUSSIA, 450000, Ufa city
phone: +7 3472 001198
nic-hdl: AAR21-RIPE
e-mail: lesha@ufamts.ru
source: RIPE # Filtered

% Information related to '83.174.240.0/20AS28812'

route: 83.174.240.0/20
descr: RU, Ufa, JSC Bashinformsvyaz, RUMS
origin: AS28812
mnt-by: RUMS-MNT
source: RIPE # Filtered

It looked like this (only the first part of each log line is shown; file hits and UA omitted):

83.174.246.78 - - [18/Aug/2007:11:10:18 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:20 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:20 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:22 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:25 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:28 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:30 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:29 -0700]
83.174.246.78 - - [18/Aug/2007:11:14:03 -0700]
83.174.246.78 - - [18/Aug/2007:11:15:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:15:28 -0700]
83.174.246.78 - - [18/Aug/2007:11:16:06 -0700]
88.236.16.74 - - [18/Aug/2007:11:16:11 -0700]

For those interested in details, the User Agent was:
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070531 Firefox/1.5.0.12 Flock/0.7.14"

So, he comes in at around 11:10, peeps a little a few minutes later, and then the attack starts.
Coincidence?
Project HoneyPot has seen that IP before.
It is a "DSL-POOL", but I don't know if that IP is dynamic or static.
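The pattern described above (one source hammering the site for a few minutes, then a sudden wave of previously unseen sources) is easy to pick out mechanically from the access log. The script below is an added example, not part of the original post and not a tool spam-court used: it parses the leading fields of Apache-style log lines, flags sources that burst past a hit threshold inside a short window, and reports the first moment several never-seen IPs show up within a few seconds of each other, then lists "scouts" (bursty sources active before that moment that are not part of the first wave). The log lines inside it are constructed, modelled on the excerpt above (the scout address and the first attacking IP are the ones from the post, the other attacker addresses come from the list, the request fields and the exact timing are invented); the thresholds are assumptions to tune against a real log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (Apache common-log prefix, as in the post's excerpt):
# a scout polls the site for a few minutes, then new sources arrive in a burst.
SAMPLE_LOG = """\
83.174.246.78 - - [18/Aug/2007:11:10:18 -0700] "GET / HTTP/1.1" 200 5120
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700] "GET /style.css HTTP/1.1" 200 812
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700] "GET /logo.png HTTP/1.1" 200 3412
83.174.246.78 - - [18/Aug/2007:11:10:20 -0700] "GET /rss.xml HTTP/1.1" 200 2203
83.174.246.78 - - [18/Aug/2007:11:10:22 -0700] "GET /about.html HTTP/1.1" 200 1650
83.174.246.78 - - [18/Aug/2007:11:14:03 -0700] "GET / HTTP/1.1" 200 5120
83.174.246.78 - - [18/Aug/2007:11:16:06 -0700] "GET / HTTP/1.1" 200 5120
88.236.16.74 - - [18/Aug/2007:11:16:11 -0700] "GET / HTTP/1.1" 200 5120
58.78.157.109 - - [18/Aug/2007:11:16:11 -0700] "GET / HTTP/1.1" 200 5120
165.21.154.8 - - [18/Aug/2007:11:16:12 -0700] "GET / HTTP/1.1" 200 5120
165.21.154.9 - - [18/Aug/2007:11:16:12 -0700] "GET / HTTP/1.1" 200 5120
201.21.121.53 - - [18/Aug/2007:11:16:13 -0700] "GET / HTTP/1.1" 200 5120
88.236.16.74 - - [18/Aug/2007:11:16:13 -0700] "GET / HTTP/1.1" 200 5120
this line is garbage and must be skipped
"""

# client, identd, user, [timestamp] -- the part of the line the post shows
LINE_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(log_text):
    """Return a list of (ip, timezone-aware datetime), skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group("ts"), TS_FMT)
        except ValueError:
            continue
        events.append((m.group("ip"), ts))
    return events


def burst_sources(events, min_hits=5, window_s=30):
    """Map ip -> start of the first window in which it made >= min_hits requests."""
    by_ip = defaultdict(list)
    for ip, ts in events:
        by_ip[ip].append(ts)
    hot = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):          # sliding window over sorted stamps
            while (t - stamps[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= min_hits:
                hot[ip] = stamps[lo]
                break
    return hot


def onset(events, min_new_sources=3, window_s=10):
    """First moment at which >= min_new_sources never-before-seen IPs appear
    within window_s seconds; returns (timestamp, [ips]) or None."""
    first_seen, seen = [], set()
    for ip, ts in sorted(events, key=lambda e: e[1]):
        if ip not in seen:
            seen.add(ip)
            first_seen.append((ts, ip))
    lo = 0
    for hi, (t, _) in enumerate(first_seen):
        while (t - first_seen[lo][0]).total_seconds() > window_s:
            lo += 1
        if hi - lo + 1 >= min_new_sources:
            return first_seen[lo][0], [ip for _, ip in first_seen[lo:hi + 1]]
    return None


def report(log_text):
    """Attack onset plus 'scouts': bursty IPs active before onset that are
    not part of the first attacking wave (thresholds are assumed defaults)."""
    events = parse(log_text)
    hot = burst_sources(events)
    start = onset(events)
    scouts = []
    if start is not None:
        t0, wave = start
        scouts = sorted(ip for ip, t in hot.items() if t < t0 and ip not in wave)
    return {"onset": start, "scouts": scouts}


if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    if r["onset"]:
        t0, wave = r["onset"]
        print("attack onset:", t0.isoformat(), "first wave:", wave)
    print("scouts before onset:", r["scouts"])
```

On the constructed sample this reports onset at 11:16:11 with 88.236.16.74 in the first wave and 83.174.246.78 as the lone scout, which is the same reading the post makes by eye. A scout is only a hint: a DSL-pool address that polls a site before an attack could as easily be a curious visitor, so the output is a lead to correlate with whois and reputation data, not proof.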

That last IP (88.236.16.74) is the first one in the attack.
Some of the others:
58.78.157.109
58.111.188.199
59.9.153.115
59.95.166.183
61.0.121.94
61.229.138.30
62.77.65.2
62.101.165.191
62.135.70.64
66.177.151.223
74.100.191.232
76.26.232.8
78.56.52.95
80.82.38.78
80.188.34.243
80.252.53.154
81.2.60.220
81.30.51.157
81.33.104.24
81.38.63.203
81.95.236.97
82.166.224.133
82.208.72.175
83.5.28.120
83.13.202.187
83.21.7.219
83.69.111.228
84.18.110.56
84.77.149.114
86.120.46.119
87.219.247.200
87.251.96.42
88.232.98.119
88.234.161.5
88.236.16.74
88.236.18.51
88.245.19.159
88.251.110.145
89.102.230.220
124.121.182.246
125.27.158.26
125.232.112.28
165.21.154.8
165.21.154.9
165.21.154.10
165.21.154.12
165.21.154.15
165.21.154.68
165.21.154.69
165.21.154.70
165.21.154.71
165.21.154.72
165.21.154.73
165.21.154.74
165.21.154.76
165.21.154.77
165.21.154.108
165.21.154.109
165.21.154.110
165.21.154.111
165.21.154.112
165.21.154.113
165.21.154.114
165.21.154.115
165.21.154.117
165.21.155.8
165.21.155.10
165.21.155.13
165.21.155.15
165.21.155.108
165.21.155.109
165.21.155.110
165.21.155.111
165.21.155.112
165.21.155.113
165.21.155.114
165.21.155.115
165.21.155.116
165.21.155.117
189.144.99.205
189.194.67.64
190.42.41.108
195.58.241.26
195.72.251.176
195.161.213.203
200.43.232.136
200.85.47.250
201.21.121.53
201.69.117.170
201.103.68.111
201.132.156.183
201.132.210.118
201.141.195.172
201.160.116.162
201.160.168.202
203.113.40.73
203.118.97.248
203.172.60.252
207.248.45.11
211.26.23.1
212.116.219.20
217.185.5.41
219.78.136.59
222.127.223.71
222.254.28.5
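The list above contains long runs of consecutive hosts in 165.21.154.0/24 and 165.21.155.0/24 next to many scattered single addresses, which is the kind of thing worth aggregating before handing a block list to a host's support desk. The script below is an added example, not code from the original post: it groups attacker addresses by /24, reports prefixes holding several distinct hosts, and emits a collapsed deny list (the whole prefix where the cluster is dense, a single /32 otherwise). The address sample is a constructed subset of the list above, with a junk token and a duplicate added to show that they are tolerated; the /24 granularity and the three-host threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed subset of the attacker list in the post (enough to show the
# dense 165.21.154.x / 165.21.155.x runs beside scattered single hosts),
# plus one junk token and one duplicate to exercise the error handling.
ATTACKERS = """
88.236.16.74 88.236.18.51 88.245.19.159 58.78.157.109
165.21.154.8 165.21.154.9 165.21.154.10 165.21.154.12 165.21.154.15
165.21.154.68 165.21.154.69 165.21.155.8 165.21.155.10 165.21.155.13
201.21.121.53 201.69.117.170 201.132.156.183 201.132.210.118
not-an-ip 165.21.154.8
""".split()


def group_by_prefix(ips, prefixlen=24):
    """Map each /prefixlen network to the set of distinct IPv4 hosts seen in it.
    Junk tokens and duplicates are dropped rather than aborting the run."""
    nets = defaultdict(set)
    for raw in ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if ip.version != 4:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        nets[net].add(ip)
    return nets


def clustered(ips, prefixlen=24, min_hosts=3):
    """Prefixes holding >= min_hosts distinct attackers, densest first."""
    nets = group_by_prefix(ips, prefixlen)
    rows = [(str(n), len(h)) for n, h in nets.items() if len(h) >= min_hosts]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def deny_list(ips, prefixlen=24, min_hosts=3):
    """Whole prefix where the cluster is dense, single /32 otherwise, then
    collapse adjacent blocks so the resulting list stays short."""
    nets = group_by_prefix(ips, prefixlen)
    blocks = []
    for net, hosts in nets.items():
        if len(hosts) >= min_hosts:
            blocks.append(net)
        else:
            blocks.extend(ipaddress.ip_network(f"{h}/32") for h in hosts)
    return [str(b) for b in ipaddress.collapse_addresses(blocks)]


if __name__ == "__main__":
    for net, n in clustered(ATTACKERS):
        print(f"{net:<20} {n} hosts")
    print("deny:", " ".join(deny_list(ATTACKERS)))
```

On the sample the two dense /24s collapse into a single 165.21.154.0/23 entry. Blocking a whole prefix trades collateral damage for brevity, so it only makes sense for ranges where most hosts took part and never for the big consumer pools (the yahoo.com and comcast.net kind of traffic the site actually wants).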

Another small detail:
Only a few seconds after the attack started, there were a few hits from alertra.com.
The IPs are partially consistent with those listed at their site.
One of their services: "Get Notified When Your Site Goes Down!".
They have a free 30-day trial.
I don't think anyone at spam-court has signed up for that trial.
It is likely that the DDoSer himself, or the guy(s) that hired him, has signed up for a trial (I doubt they have a paid service).

This time the attack lasted for about 15 hours.
We expect it to go down again, so if you find something interesting here, you should grab it before that happens.

This should be said:
Dreamhost is a fantastic host. Thank you!

About Me

Take a web site down with a DDoS and you get multiple spin-offs, and the information you tried to suppress proliferates. In fact, everyone wants to see what the fuss was about, and it becomes even more widely known. Karma. Get used to it.