Friday, December 28, 2007

More on Sanjay / Sancash / Genbucks

There is a lot of buzz about Elite Herbal and genbucks going on now.
That is the only reason for this posting. I don't have that much new info on sanjay.

One tiny little detail is found in an old dig for the domain sancash.com (and this is Sanjay's domain):

; <<>> DiG 9.2.4 <<>> sancash.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49188
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;sancash.com. IN A
;; ANSWER SECTION:
sancash.com. 130 IN A 66.11.113.41
;; AUTHORITY SECTION:
sancash.com. 172800 IN NS ns2.sancash.com.
sancash.com. 172800 IN NS ns1.sancash.com.
;; Query time: 57 msec
;; SERVER:
;; WHEN: Sat Sep 22 18:46:19 2007
;; MSG SIZE rcvd: 81

Then we take a look at that IP, 66.11.113.41:

Suavemente, INC. SUAVEMENTE-SAN-DIEGO (NET-66-11-112-0-1)
66.11.112.0 - 66.11.127.255
IzoWeb, Inc IZOWEB-SANDIEGO (NET-66-11-113-0-1)
66.11.113.0 - 66.11.114.255

Who else has IzoWeb/WireSix as a favorite hoster?
You're right: GenBucks.
Another small piece in the Elite Herbal/Genbucks connection.

And regarding IzoWeb: By the number of hosted genbucks sites and their related sites, is this really an independent host?
Or is it GenBucks themselves?

I am wondering a bit about Suavemente too.

Let's jump back:

Post subject: Penis enlargement pills .. Big Commissions! Epassporte Pay!
We are looking for a few more affiliates who are intrested in marketing enlargement pills, great alternative to replica or RX, our pills are converting great with average order of 6 bottles!. Payments every week. fast BP hosting, private bp domains.

We have solid references for those that dont know us.. affiliates will also need references.

Thxs Sanjay

AIM: sancash44
MSN: sancash44@hotmail.com
ICQ: 654052
SKYPE: sancash1

That was back in October 2006.

And a bit earlier in October 2006:

Herbal sites, high converting penis pills and Cum pills, Hoodia... market these and get weekly epassporte payments or wire if needed.

If you dont have an epassporte account, get just 1 sale we can send you a free ATM card.. get paid and withdraw it every week!

- multiple servers
- lots of fresh domains
- private domains
- add your own domains!
- detailed stats
- lots of sites, herbal, RX, adult products
- fast servers
- high commissions

plus lots more nice features

We have been in the industry for over 4 yrs, program was made by mailiers 4 mailers!

get your account today..

ICQ - 654052
SKYPE - sancash1

We dont normally hang at boards but do have people that can vouch for us.

Thxs Sanjay

Note: program was made by mailiers 4 mailers!.
Yeah, right genbucks. We rephrase that one:
The program was made by spammers for spammers.

Wednesday, November 28, 2007

Hellhoster

History:
This one was posted on December 29th, 2006 by veruccawatcher



This creature is apparently a "she".
Asian (Chinese?) hoster.
Her first post on bulkerforum.biz got slightly edited.
Parts of the original posting from December 6th, some edits:


We are Glad to launch Our Hosting Solutions officially ,
We have Auto Changing IPs Hosting Solution which can take GOOD , GAURENTEED Care of the following problems -
1) DDOS
2) Downtime due to tracking by SpamHaus
3) BlackListing of the DNS , IPS which again give problem in keeping the server up
4) Any Situation we give you the solution
.
.
.
What we can Host -
1)Adult (any , legal or illegeal) ( Gaurenteed UP time on Them)
2)Pharma ( Gaurenteed UP time on Them)
3)Replicas ( Gaurenteed UP time on Them)
4)Oems ( Gaurenteed UP time on Them)
5)Enlargment Pills ( Gaurenteed UP time on Them)
6)Phising Pages ( Gaurenteed UP time on Them)

We can also Host Bank Scams and Shits , but only for known and trusted members (no intention to hurt the rules of the board just telling about the services)

BP SERVERS IN CHINA , HK , KOREA

We can give you SOLID MACHINES which mean REAL BULLET PROOF
We can take care of Persons who get listed in a WEEK's Time , But then the prices are accordingly Smile
I know many of friends here may think we are overnigth players here but please let me make it clear we have hosted MANY BIGGIES here without Mentioning their names Smile

If you feel we are scammers / rippers / snitch please before posting commets or asking about ref TEST OUR SERVICES - FREE

We have Good BIGGES here who can vouch for our Services .

Peace,
-Hell Host-
_________________
BP Servers - HK , Korea , China
Botnet Hosting Solutions
BP Domains

icq- 289-566-222


Now that led to some more posts.
"Crazy" and "mcproxy" were not too happy about some of the content.
"adultguy1" responded:

I can say we have been doing business with vinci for 6 months now and have been very pleased with the speed of her servers and the service she provides

She is also very HOTTT!!!!

We are wondering a bit what services he is using. Illegal adult maybe?
We just have to check him out later. Maybe we will try to find out who the "biggies" are. Testing her services for free would be a good start.

The "ethical" Swank, usually so concerned about the reputation of "the industry" because spammers so often get mixed together with the carders, phishers etc., was not too concerned this time. His first response was of course a question about pics of the hot creature, not a comment at all about her services. A permafried brain, money or sex is difficult to combine with ethics for the spammers. Too much to handle.

Anyway, the hoster from Hell's post has been slightly edited to fit the impression of "ethicul" standards. But kick her from the forum? No way, she is still there. And they all know what she is offering. "Gaurenteed".

Crypto on Copyright

This one was posted on January 22nd, 2007 by TheScribblers

Or did someone get it all wrong?
Crypto with a posting bearing all signs of a genius, including the following:

11. Copyright Notice and Permissions Policy
The purpose of this Web site is to unite both professionals of spam business, and beginners for sharing experience in bulkmailing area, for buying and selling different services, and for discussing different spam related topics.
Our Permissions Policy:
All material on this Web site is copyright © 2006-2007, BulkerForum (www.bulkerforum.biz). Nothing may be reproduced or copied in any form without the express written permission of BulkerForum.

In order to request permission for copying or redistribute any material from this web site, you should send an PM to BulkerForum administration (Admin, Dollar, Phantom or Crypto).


In another thread this genius from Moldova had a couple more words which didn't reach the final stage:
"Any company or individual working, in Anit-Spam or AntiVirus filed, is not authorized to use this site and any its content in any form, and should leave this site immediately."

We prefer to rewrite:
"We are criminals and our criminal activity is protected by copyright".
And proudly announce a new term in respect of this deep thinker: "Cryptoright".

The member mcproxy seems to be a guy with something between his ears, at least compared with Crypto:
"I believe they will compare this to a drug dealer forcing someone to sign a non-disclosure contract or whatever. Good luck though haha"

And Crypto responds:

"But still laws are laws...
If they breake the law about the copyright thing.
That means:
1. we are not the only one who brake them, anti's are in the same list too
2. they so rightfully, and now BUM they are dirty, ha ha ha
3. We have the legal right to sue them [Wink] ( that's the nice part [Very Happy] )"


He apparently "brakes" what he calls "the law". And when someone writes about that, he will sue?
We are wondering: is there a program called Moldova's dumbest criminals?

You know Crypto: Take your copyright and shove it up a certain place where the sun never shines.
How can you even possibly think that e.g. postings about installs, proxies, drug spam and so on will ever be protected by copyright?

We wonder if Swank now is banging his permafried head against every wall he can find.
According to his nice sig on the forum he can't stand "intellectual midgets". We don't think he quite makes the connection though. Heavy stuff being permafried.

Some years ago Swank wrote the following:


Everything is posted under the permission of the United States of America. If you would like additional information about fair use of copyrighted information please go to your local library or surf the web and look up the United States Code Title 17, Section 107 entitled "Fair Use". Within this section of the document you will read that "The fair use of a copyrighted work, including such use by reproduction in copies or phone records or by any other means specified by that section for purposes such as criticism, comment, news reporting, teaching, scholarship, or research, is not an infringement of copyright."



We hesitate to lean on the words from the permafried brain of a spammer, but Crypto could perhaps learn a thing or two.
He obviously has a brain only a mother can love.

Monday, November 26, 2007

ucraineanu

Posted September 16th, 2006 by TheScribblers

* bulkerforum.biz

Presenting himself as a replica spammer. Formerly selling proxies and "GI" emails. Probably still is. From Romania.
Nice AIM icon.

Possible name: Iulian Varzaru
aim: ucraineanu
skype: iulianv
icq: 246999133 ( 246 999 133 / 246-999-133 ) / 175420059 (175 420 059 / 175-420-059)
Yahoo: cergat, cergatus
AKA spamking
emailaddresses: ukraineanu@yahoo.com
Domains: shoppgateway.com (dead), evirtualshop.com (probably him, or his "sponser")

One posting on bulkerforum starts out like this:

hey there - this is fairlogic from BC - most might know me as ucraineanu - here to present you my watch sponser - been around for a whyle - doin very good

iannewla

Posted May 27th, 2007 by DucksInTwoRows

* bulkerforum.biz

Not much here at this time, just the basics.

From Australia.
Also a member of the spammerforum at spamplanet.net.
"Iannewla" gave a few hits in search engines.
We ended up with a couple of postings in Yahoo groups which gave us a couple of email addresses and a corresponding ICQ #.
The road to the domain pkbsupport.com was short after that.
Which again led to Ian Newlan in Australia.
And some other domains, investagenius.com and ustockplaya.com to mention a couple.

He is offering "Professional BP Credit Card Processing" on bulkerforum.
A forum packed with criminals.
You should have stayed with the pokerbots, Ian.

canadaguy99

Posted September 17th, 2006 by TheScribblers

* bulkerforum.biz

His first posting on bulkerforum:
Posted: Sat Sep 16, 2006 11:25 pm Post subject: Would you like to promote your own online college?

Turnkey online college for sale. Why mail for someone else when you can do it yourself. Price is $5000 complete - never bulked to.

Option II -- we provide the backend, you market it and take 65% of the net.

PM me for info.

moneyminters

Posted December 17th, 2006 by veruccawatcher

* bulkerforum.biz

Hoster
AKA qualitypaintings (not using it anymore?).
Calling itself Devid Felix.

Skype: moneyminters
icq: 271749180
aim: moneyminters, dedicatedsols (old?)
yahoo: dedicatedsolutions4u (old?)
Emailaddresses, a nice mix of old and new:
moneyminters@gmail.com, bulletproofsolutions@hotmail.com, urfriend911@indiatimes.com, moneyminter@ureach.com,

Nice list of what it is offering:

* Hosting
* Direct Mailing
* Domains
* Botnet
* Yahoo Accounts
* GeoRedirects
* BlueBottle
* Custom PHP Works
* Web Designing
* Drop Shipping

Botnet, hmmm. And "dropshipping"? Illegal drugs into the US?
And he shouts like hell over not being able to call out with Skype.
The error message he gets should tell him; it must be kind of slow:

Message
Call Failed – Internal Error

Meaning
Calling from a known fraudulent node

r3v3nu

Posted May 25th, 2007 by DucksInTwoRows


"r3v3nu" sounded familiar. Had seen that one somewhere else, but where?
As usual, it turned out to be on spamhaus.org. Or at least very similar: "r3v3nu3".
Just has to be George Ryan in ROKSO. Take a look there:
http://www.spamhaus.org/rokso/index.lasso.
Look out for George Ryan.

We again steal a couple of sentences from Spamhaus:

George Ryan is a small time, but quite prolific spammer, mostly into free giveaway scams, pharma and pirated software stuff. Likely just an affiliate of one of the Russian gangs trying to make a name for himself.

We again lean heavily on work already done by Spamhaus.
One small addition: if you are looking for some more of his spam, we suspect this is him (one way or another):
Viagra and other pill spam from news.admin.net-abuse.sightings and other places
(sort it by date, looks better that way).

Proxies, pill spam. Did we hear legal, honest business?
What will it take to nail such guys?
A reincarnated John Wayne maybe.
Or maybe Marion could have a new fresh start with what he claims to have left +35 years ago and let his guns speak?

Look out for tomorrow's few words about "neuman" "europe".
Happy quacking in the meantime.

Saturday, November 24, 2007

Seedcash / cluster

Daniel Lessing
An oldtimer, listed in ROKSO (Spamhaus' Register of Known Spam Operations).
Nicks on bulkerforum.biz are seedcash and cluster.
He used "cluster" on the spammer forum specialham too, in addition to dl1227.
On others he used dl69hunt.

Into porn, mortgage spamming, hosting and trying to sell some harvested lists on bulkerforum.

Hmm, selling harvested lists? Is that legal?

Bioshah

Let's just give this one the status of "under construction" now.

A "dropshipper".
Content from the private part of bulkerforum has been "outed" by the smelly ex-wannabe-spammer.

The most interesting part is who he really is.
We don't know. Yet.
Only a couple of clues.

Small keywords to be checked and sorted out:

  • Hitesh
  • biologicalmiracle
  • shacro
  • hitmanshah
  • London

Hmm, London.
A few years back a letter went out from the FDA to:
Biologicalmiracle.com
PO Box 726
London, England EC1 V 7QQ
United Kingdom

Time will show if this is the same guy.
Biologicalmiracle is still up, same snake oil.

Quoting from one of his posts on the former private part of bulkerforum (smelly ex-wannabe-spammers can sometimes come in handy):
Pharma Sponsor & Drop Shipping
Im posting this here as I dont want Anti Fuckers to contact me in main Forum.
We still have pharma sponsor with controlled meds. So if any of you are interested PM.

Maybe FDA, FBI or others would like to contact him too?

LHL

LHL or lhyfrank


A Smart Condor. Known at least since the specialham days. Probably Chinese. Aka "lhyfrank".
lhl1922@yahoo.com
At first glance he specializes in adult, MySpace and yahoo bots.
Has at least one listing in Spamhaus.
Some indications that this one also is or was involved in hosting.
Latest domain is thxkilo.com. Whatever that is.
Easy to spot and trace. I will leave that to others and maybe fill in some more later.

Thursday, November 22, 2007

Sanjay / sancash

A quick note to self:
This guy is involved with Elite Herbal.
How high up he is in the food chain cannot be established accurately.
If not on top, he is very high up.

Definitely to be continued.

ProfDDoS

Saturday, November 17, 2007

The Nickname says it all.
His post #5 on bulkerforum.biz:
Greeting!!!!

Let me to bring to your attention professional DDoS service!
Quality is guaranteed by uniqueness of the updated and supported software. Huge, constantly growing quantity of bots worldwide online.
Destroy a site of the competitor!!!
The prices depend on duration and complexity of the project.
For information welcome in the icq.
For all questions: ICQ support 448845. skype ss_support1


Moderators Dollar and Crypto are not totally happy about that post.
A bit strange regarding Crypto when reading his greetings to AbdAllah, but who knows what's inside these guys' brains.
Crypto has not been showing too much intelligence in his posts, so it is perhaps not so strange after all.

Phantom rushes to the defense of ProfDDoS:
I have to disagree here guys LOL this person has been of great service to us all without you even knowing about it ..Thanks guy


ProfDDoS is the same guy as, or in bed with .....damn I lost that part.

[end of Ducks' posting]

Note: ProfDDoS is the same guy as, or in bed with "Caesar" on bulkerforum.

onlinecasino Jeroen Puttemans

An old acquaintance from the specialham days.
I am not visiting the bulkerforum board so often these days.
It is good to have other spammers draw your attention to stuff you overlook.

Good old Jeroen (well, he is not that old, soon 24) is now selling stolen lists.
Our spammer suspected it when he saw this post from him:

1.7 million opt-in gamblers data from pureplay.com for sale
exclusive leads taken by our team straight downloaded from database
i'm selling them cheap
price 2 k


And the best part of it is that Puttemans confirmed the list was stolen when he was accused of selling a fake list:
it's not fake you fag!
our hacker stole it, the data is real


Another criminal on bulkerforum.biz.

Puttemans will mess it up for himself sooner or later, he tends to do that.
Here is a sad story from him (godmailer) back in 2004:


godmailer: damn my sagonet servers all got shutdown
godmailer: im going to charge back

godmailer: i have no proxies, no server damn im out of business
godmailer: i was too greedy
godmailer: should i apologize to god maybe thats best lol

godmailer: i need to complete 80 gamblers in 2 weeks and i have nothing'
godmailer: especially no proxys
godmailer: thats a 10 K pre paid order
bisz: sucks to be u
godmailer: yes it is
godmailer: i already received the 10 k pre paid order


Nice little row of IP addresses he had back then:

Sago Networks SAGO-20030401 (NET-65-110-32-0-1)
65.110.32.0 - 65.110.63.255
Jeroen Puttemans SAGO-65-110-63-100 (NET-65-110-63-100-1)
65.110.63.100 - 65.110.63.109


But he messed up.

There are some other stories about him too.
I will be filling in more stuff. Maybe a picture, if I can find it. The fatcat.

Abdullah / AbdAllah

Thursday, November 22, 2007

tiket.cc - AbdAllah's support site?

AbdAllah, the proud member of bulkerforum.biz with connections to the Russian Business Network has a site that avoids attention:
Some info:


Domain: tiket.cc
Status: Protected

DNS:
ns1.dnsmanager.org
ns2.dnsmanager.org

Created: 2007-11-04 03:15:56
Expires: 2008-11-04
Last Modified: 2007-11-03 15:15:53

Registrant Contact:
Private person
Ahmad Gashmi Ahmad Gashmi (mailbox@abdulla.cc)
Rublevskoe Shosse 7
Moskow, Moskow, RU 542009
P: +7.4952038129 F: +7.4952038129


Hosted at leaseweb in the Netherlands, 85.17.184.21.

Compare with this one:

Domain Name: ABDULLA.CC

Registrant:
AbdAllah net inc.
AbdAllah El Ahmad Gashmi (abdulla@abdulla.cc)
Kreshatik street 32/16
Kreshatik street 32/16
Kyiv
Kyïv,45434
UA
Tel. +38.0632687263


The last one is listed on spamhaus.org, SBL49890.


This guy has connection to the Russian Business Network, one of the worst criminal networks in history.
And he is a proud member of bulkerforum.biz, offering his services there.
The moderator Crypto (Victor Goncearencu) gives him a nice welcome hug:

[Nov 16, 2007]
His second post on bulkerforum.biz:

BP servers & hosting for mailing, trojan's, exploit's, etc. in Turkey, Malaysia, HongKong, USA, Thailand, China.
Fast setup, cheap price.
Please contact ICQ: 483-384-343 (Mr.Abdulla)
or write to PM.
Thank you !


One example of the typical hard working, honest members of bulkerforum.biz.

And the moderator Crypto (Victor Goncearencu) greets him:

He is a well known russian BP provider.
Dobro pajalovati na bulkerforum AbdAllah.



We know that hosting mule scams is one of those included in his term "etc.", but what else is possible?
Child porn, carder sites? Not unlikely.

Honored with an SBL-listing in Spamhaus in November 2007, SBL59691.
And if you look closely you will find him in SBL49890 from January 2007 too.

To be continued ........
One "snippet" from ducksintworows.blogspot.com, which is still under DDoS.

Wednesday, August 29, 2007

Bits and Pieces about This and That

Those DDoS attacks kind of piss me off. Not that spam-court is that important. In the big picture, this site is hardly worth mentioning at all. You have probably never seen a site with so few hits, except when it's DDoS time.
Search engines and robots like spam-court.com though. That could explain why the spammers at bulkerforum.biz dislike the site. So much that they have initiated 4 attacks on the site (or is it 5, I have lost count).
The pure fact that this is criminal activity pisses me off.

I would like to see some of the members of bulkerforum go down. Hard.
Especially the moderators. Swank, Phantom and Crypto.

Rumors are going around that Swank is a bit more active than we at spam-court.com thought a few months ago.
He is an American and it should be possible to take him down. The authorities are a bit more interested in guys like him now than only a few years back. His identity is known. The rest should be relatively easy.

Phantom is from Australia. He is slippery and there are different opinions about who he is. His own bragging is what has probably led to his identification. By us. But we can't quite believe it ourselves, it seems a bit unlikely. Little pieces and fractions of info from here and there, coupled together, give a preliminary picture of a small corner of the puzzle. Others disagree and have their own opinion.
Time will show. He is being watched and we think that in the long run the only way to avoid identification is going out of business. But he is not "ezy" to find and he "magically" disappears when you think you've got him. And we don't know how concerned the authorities in Australia are regarding this kind of criminal activity.

Crypto, the Moldovan expert on copyright and hacking, will probably live peacefully. I don't think the authorities there will go after him.

Bulkerforum.biz also has an admin. In the beginning we thought it could be Crypto, but their writing styles are different.
Their mistreatment of the English language is different too. We have an idea about who he is. Or more correctly, in what branch of the spamming business he operates. He is probably a Russian, living in Russia. Usually that means he can do what he wants.

A few of the other members of the forum are a bit interesting too. But the forum has turned into a comedy lately. Scamming each other, paranoia is spreading, there is talk about starting another forum etc. Social engineering is out of the question, they are seeing ghosts in broad daylight. Our sources dried up too.

We never thought the spammers would resort to DDoS-ing spam-court.com. That was very naive and stupid. The site is hosted in a shared environment, which is not a good idea when you are the victim of an attack. A DDoS can affect other users on Dreamhost's servers. That is our main concern. Not spam-court going down, we can live with that. Dreamhost support has been fantastic during the attacks and we are wondering if there is any host like that out there at all. But in the long run we don't think it can be hosted on a shared server. And a dedicated server is out of the question. So we are going for something in the middle, which means that spam-court may go down, but it will not affect the other users. Hopefully.

New content is possible from the middle of September.
If the site is still up.
If not, some of the old content and new stuff will be up at http://ducksintworows.blogspot.com/ , http://veruccawatcher.blogspot.com/ and a couple of other places.

admin - bulker.biz

Coming!
The admin of bulkerforum.biz, where the criminals gather.
He is running bulker.biz, some may know him as e-bulker or ebulker too.
mybulker.biz is his too.

From one of his "newsletter" postings on bulkerforum:

================ TOP Products ==============

- Viagra
- Cialis Soft
- Cialis + Viagra
- Viagra Soft
- Cialis
- Ambien
- Soma
- HGH

================ TOP Domains ============

- yahoo.com
- aol.com
- hotmail.com
- comcast.net
- sbcglobal.net
- cox.net
- earthlink.net
- bellsouth.net
- msn.com
- gmail.com

Best Regards, Bulker.Biz Team

Mailto: support@bulker.biz
ICQ: 333192431
Skype: BulkerSupport

So there you have the admin's "products" and to what domains they are mailing. Good luck in catching him.

He kind of revealed himself in a posting lately on bulkerforum.
I cannot remember seeing a post from admin where he gets directly involved (I am most likely wrong), but when someone complained about not getting payment from "bulker", "admin" could not shut up:

bulker never pay frauders. die looser

And Crypto licks the admins ass:

agree

Whois info for bulker.biz and mybulker.biz says "Hasan Aly Polat".
For reasons unknown, we can't believe that this is true.
Both Veru and I have strong reasons to believe that this guy's first name is "Alex".
For some of you this was probably already known, no shock there.
Or could there be one Russian and one Turk? We don't know. Yet.

Just continue those attacks on spam-court.com and we will find motivation to dig and publish more.

DDOS again - August 18, 2007

The site went live again on August 14.
Sat there quietly, almost no hits. Which means mainly search engines and some rss-readers.
Except for that, almost nothing. Several hours between hits.

Then another ddos started again a couple of hours ago (according to the log: 18/Aug/2007:11:16:11 -0700).

As I said, almost no hits.
Just a few minutes before the attack started, there was a hit from this IP: 83.174.246.78:

inetnum: 83.174.240.0 - 83.174.255.255
netname: DSL-POOL
descr: Bashinformsvyaz Company, RUMS, DSL POOL
country: RU
admin-c: IHK1-RIPE
tech-c: AAR21-RIPE
status: ASSIGNED PA
mnt-by: RUMS-MNT
source: RIPE # Filtered

person: Ilgiz H Kalmetev
address: Lenin street, 30, RUMS
address: RUSSIA, 450000, Ufa city
phone: +7 3472 001331
nic-hdl: IHK1-RIPE
e-mail: ilgiz@bashtelecom.ru
source: RIPE # Filtered

person: Alexei A. Roumyantsev
address: JSC Bashinformsvyaz
address: Lenin street, 30, RUMS
address: RUSSIA, 450000, Ufa city
phone: +7 3472 001198
nic-hdl: AAR21-RIPE
e-mail: lesha@ufamts.ru
source: RIPE # Filtered

% Information related to '83.174.240.0/20AS28812'

route: 83.174.240.0/20
descr: RU, Ufa, JSC Bashinformsvyaz, RUMS
origin: AS28812
mnt-by: RUMS-MNT
source: RIPE # Filtered

It looked like this (only the first part of each log line; file hits and UA omitted):

83.174.246.78 - - [18/Aug/2007:11:10:18 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:20 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:20 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:22 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:25 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:28 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:30 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:29 -0700]
83.174.246.78 - - [18/Aug/2007:11:14:03 -0700]
83.174.246.78 - - [18/Aug/2007:11:15:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:15:28 -0700]
83.174.246.78 - - [18/Aug/2007:11:16:06 -0700]
88.236.16.74 - - [18/Aug/2007:11:16:11 -0700]

For those interested in details, the User Agent was:
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070531 Firefox/1.5.0.12 Flock/0.7.14"

So, he comes in at around 11:10, peeps a little a few minutes later, and then the attack starts.
Coincidence?
Project HoneyPot has seen that IP before.
It is a "DSL-POOL", but I don't know if that IP is dynamic or static.
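The "who visited just before the flood" question above can be answered mechanically from the access log. The following is an added example, not code from the original post: it parses lines in the same prefix format as the excerpt, finds the onset as the first moment at which a five-second window carries 20 or more requests, and reports addresses seen in the ten minutes before onset that never take part in the flood. The sample log is constructed to mirror the excerpt; the bot addresses come from the 198.51.100.0/24 documentation range and the thresholds are assumptions to tune per site.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Prefix of an Apache/nginx "combined" access-log line: client IP, ident,
# user, [timestamp]. The rest of the line (request, status, referer, UA) is
# ignored, so the trimmed excerpt shown in the post parses as well.
LOG_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\]")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, aware datetime) for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_onset(events, window, spike):
    """Earliest timestamp t such that at least `spike` requests fall in
    [t, t + window). `events` must be (ip, ts) pairs sorted by ts."""
    n, end = len(events), 0
    for start in range(n):
        t = events[start][1]
        end = max(end, start)
        while end < n and events[end][1] - t < window:
            end += 1
        if end - start >= spike:
            return t
    return None


def analyze(lines, window=timedelta(seconds=5), spike=20, lookback=timedelta(minutes=10)):
    """Locate the flood and list addresses that visited shortly before it but
    never took part in it (the candidate "scouts"). Thresholds are assumptions."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    onset = find_onset(events, window, spike)
    if onset is None:
        return {"onset": None, "scouts": [], "attackers": []}
    attackers = {ip for ip, ts in events if ts >= onset}
    before = Counter(ip for ip, ts in events if onset - lookback <= ts < onset)
    scouts = [(ip, n) for ip, n in before.most_common() if ip not in attackers]
    return {"onset": onset, "scouts": scouts, "attackers": sorted(attackers)}


def fmt_line(ip, ts):
    """Render one constructed combined-log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512 "-" "-"'


def build_sample():
    """Constructed log modelled on the post's excerpt (not the real log):
    ten hits from one DSL address between 11:10 and 11:16, then a flood from
    nine constructed bot addresses (198.51.100.0/24, documentation range)
    starting at 11:16:11."""
    tz = timezone(timedelta(hours=-7))
    base = datetime(2007, 8, 18, 11, 10, 18, tzinfo=tz)
    lines = [fmt_line("83.174.246.78", base + timedelta(seconds=off))
             for off in (0, 1, 1, 2, 9, 12, 300, 309, 310, 348)]
    flood_start = base + timedelta(seconds=353)          # 11:16:11
    bots = [f"198.51.100.{i}" for i in range(1, 10)]
    for sec in range(30):                                 # 9 requests/second for 30 s
        for bot in bots:
            lines.append(fmt_line(bot, flood_start + timedelta(seconds=sec)))
    return lines


if __name__ == "__main__":
    result = analyze(build_sample())
    print("flood onset:", result["onset"])
    print("attacking addresses:", len(result["attackers"]))
    for ip, hits in result["scouts"]:
        print(f"seen before onset, not in the flood: {ip} ({hits} hits)")
```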

That last IP (88.236.16.74) is the first one in the attack.
Some of the others:

Another small detail:
Only a few seconds after the attack started, there were a few hits from alertra.com.
The IPs are partially consistent with those listed at their site.
One of their services: "Get Notified When Your Site Goes Down!".
They have a free 30 day trial.
I don't think anyone at spam-court has signed up for that trial.
It is likely that the ddoser himself or the guy(s) that hired him has signed up for a trial (I doubt they have a paid service).

This time the attack lasted for about 15 hours.
We expect it to go down again, so if you find something interesting here, you should grab it before that happens.

This should be said:
Dreamhost is a fantastic host. Thank you!

Saturday, July 7, 2007

From April 21

Spring time
Posted April 21st, 2007 by veruccawatcher

Late spring/early summer in some parts of the world and the birds are singing.
However, the ones singing to us can't carry a tune.
Or maybe we are missing the sheet or maybe we don't have an ear for music.

One was singing about Boris Mizhen, we found the sheet for that one, but it was a bit old.
Still harmonic though.

A couple of melodies about Swank, but we could not check that against the sheet.
Sounded awfully out of tune. Maybe a little one only trying to socialize.

So we are humming along for ourselves and checking the sheets we actually have.
Mostly concentrating on bulkerforum, though it feels like wasting time.

But the forums sing, google and other sources sing nicely along with it.
And so do our archives.

Oldtimers like Michael Lindsay, Charles Fielding Childs, Max Sutter, James Botkin, Glen MCCausland and Tony Banks are definitely on board, all in ROKSO.
A few others have been fully identified, like mcproxy, Nick Danger (Marion) and iannewla (um, well ... Ian).
And some others pretty close (europe, corleonem, canadaguy99, adultguy1, general).

US and European servers seem to be popular. Lindsay is taking care of the US part, but we are wondering a bit about the Europeans.
There are some Germans on board, we are pretty close to identifying one or two of them too. Only missing one or two sheets.

We are convinced there are other guys participating on the forum that can be found in ROKSO, directly or indirectly. Time will tell.
Swank's identity is known, but Phantom is a slippery guy. We would like some info there. Some birds were humming something about Australia, or was it New Zealand? The last moderator is Crypto, already found. So that leaves the Admin, slippery guy that too.

And Crypto has made a new program, a Yahoo and Hotmail email verifier. Selling it via cryptosoft.biz apparently.
We hope he has gotten some help regarding copyrights on the program. He is not too bright there.
And only selling it to a few spammers? He needs some financial advice too. Nice feedback on the program on bulkerforum.
So why only sell it to a few? We don't know the price, a couple of thousand maybe? That should leave something left over after the lawyer's fees for copyrighting it.

Anyway, back to the forums, the birds and the sheets.
We could use a few more sheets though.
Time is running out; we don't think bulkerforum will stay up more than a few months longer, probably three to four months and it is gone.

With respect,
scribbler

Thursday, July 5, 2007

bigjohnson / eliteboy

Updated May 29 2007
(Originally posted by TheScribblers)

We thought this one disappeared, but he did not.
Lots of nicks.
One key is equity488. Which we overlooked until now.
And there is more to come here, we don't have more time today.
We are noting that there is apparently some connection to Jose Rivera (aka Kingtriga, jrlove2001@yahoo.com).
We are also wondering a little about zenbulker (mmg.llc@gmail.com).
A bit slippery this one and the birds do not agree either.

Nicks:
bigjohnson, mbulks, eliteboy, bestleads, mrsoftee122, equity488, mbulker

aim: mbulks / mrsoftee122 (active)
icq: 247156389 [ 247-156-389 ] [ 247 156 389 ]

So-called "aliases":
Manny Lively, Manny Rod

Hmm, could this be Kit? Or is Kit a partner?
We'll find out, sooner or later.

Whois for some domains:


Domain Name : wishyouwells.com

::Registrant::
Name : Manny Lively
Email : mbulks@gmail.com
Address : 827 Linden Street
Zipcode : 11211
Nation : US
Tel : 7182415544
Fax :

::Administrative Contact::
Name : Manny Lively
Email : equity488@aol.com
Address : 827 Linden Street
Zipcode : 11211
Nation : US
Tel : 7182415544
Fax :

::Technical Contact::
Name : Manny Lively
Email : equity488@aol.com
Address : 827 Linden Street
Zipcode : 11211
Nation : US
Tel : 7182415544
Fax :

::Name Servers::
ns1.wishyouwells.com 61.158.31.26
ns2.wishyouwells.com 222.179.142.50



Domain Name : rtheyloworwhat.net

::Registrant::
Name : Manny Lively
Email : mbulks@gmail.com
Address : 827 Linden Street
Zipcode : 11211
Nation : US
Tel : 7182415544
Fax :

::Administrative Contact::
Name : Manny Lively
Email : equity488@aol.com
Address : 827 Linden Street
Zipcode : 11211
Nation : US
Tel : 7182415544
Fax :

::Technical Contact::
Name : Manny Lively
Email : equity488@aol.com
Address : 827 Linden Street
Zipcode : 11211
Nation : US
Tel : 7182415544
Fax :

::Name Servers::
ns1.wishyouwells.com
ns2.wishyouwells.com


And some Magic Media Group:

Domain ID:D16314606-LRMS
Domain Name:WINSMART.INFO
Created On:31-Jan-2007 02:27:20 UTC
Last Updated On:01-Apr-2007 20:33:14 UTC
Expiration Date:31-Jan-2008 02:27:20 UTC
Sponsoring Registrar:Domain Discover (R183-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:TNTN-0000378402
Registrant Name:MMGROUP
Registrant Organization:Magic Media Group
Registrant Street1:101 Convention Center Drive
Registrant Street2:
Registrant Street3:
Registrant City:Las Vegas
Registrant State/Province:NV
Registrant Postal Code:89109
Registrant Country:US
Registrant Phone:+1.7029391455
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:mbulks@gmail.com
Admin ID:TNTN-0000378402
Admin Name:MMGROUP
Admin Organization:Magic Media Group
Admin Street1:101 Convention Center Drive
Admin Street2:
Admin Street3:
Admin City:Las Vegas
Admin State/Province:NV
Admin Postal Code:89109
Admin Country:US
Admin Phone:+1.7029391455
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:mbulks@gmail.com
Billing ID:TNTN-0000378400
Billing Name:Jason Alexander
Billing Organization:
Billing Street1:101 Madison Ave
Billing Street2:
Billing Street3:
Billing City:Brooklyn
Billing State/Province:NY
Billing Postal Code:11211
Billing Country:US
Billing Phone:+1.8582481904
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:mbulks@gmail.com
Tech ID:TNTN-0000378402
Tech Name:MMGROUP
Tech Organization:Magic Media Group
Tech Street1:101 Convention Center Drive
Tech Street2:
Tech Street3:
Tech City:Las Vegas
Tech State/Province:NV
Tech Postal Code:89109
Tech Country:US
Tech Phone:+1.7029391455
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:mbulks@gmail.com
Name Server:NS2.12DNSSERV.NET
Name Server:NS1.12DNSSERV.NET



Domain ID:D15314588-LRMS
Domain Name:RAGTORICHES.INFO
Created On:13-Nov-2006 21:04:24 UTC
Last Updated On:22-Nov-2006 21:03:10 UTC
Expiration Date:13-Nov-2007 21:04:24 UTC
Sponsoring Registrar:RegisterFly.com, Inc. (R318-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:tujkL7KDDnfVaIxT
Registrant Name:Tammara Gonzales
Registrant Organization:Magic Marketing Group
Registrant Street1:9606 Carroll Canyon Rd
Registrant Street2:
Registrant Street3:
Registrant City:San Diego
Registrant State/Province:CA
Registrant Postal Code:92126
Registrant Country:US
Registrant Phone:+1.6192712365
Registrant Phone Ext.:
Registrant FAX:+1.6192712365
Registrant FAX Ext.:
Registrant Email:mbulks@gmail.com
Admin ID:tujkL7KDDnfVaIxT
Admin Name:Tammara Gonzales
Admin Organization:Magic Marketing Group
Admin Street1:9606 Carroll Canyon Rd
Admin Street2:
Admin Street3:
Admin City:San Diego
Admin State/Province:CA
Admin Postal Code:92126
Admin Country:US
Admin Phone:+1.6192712365
Admin Phone Ext.:
Admin FAX:+1.6192712365
Admin FAX Ext.:
Admin Email:mbulks@gmail.com
Billing ID:tujkL7KDDnfVaIxT
Billing Name:Tammara Gonzales
Billing Organization:Magic Marketing Group
Billing Street1:9606 Carroll Canyon Rd
Billing Street2:
Billing Street3:
Billing City:San Diego
Billing State/Province:CA
Billing Postal Code:92126
Billing Country:US
Billing Phone:+1.6192712365
Billing Phone Ext.:
Billing FAX:+1.6192712365
Billing FAX Ext.:
Billing Email:mbulks@gmail.com
Tech ID:tujkL7KDDnfVaIxT
Tech Name:Tammara Gonzales
Tech Organization:Magic Marketing Group
Tech Street1:9606 Carroll Canyon Rd
Tech Street2:
Tech Street3:
Tech City:San Diego
Tech State/Province:CA
Tech Postal Code:92126
Tech Country:US
Tech Phone:+1.6192712365
Tech Phone Ext.:
Tech FAX:+1.6192712365
Tech FAX Ext.:
Tech Email:mbulks@gmail.com
Name Server:NS1.BLK128DNS.COM
Name Server:NS2.BLK128DNS.NET
Name Server:


"Magic Media Group"? Right now (May 29 2007) bulkerforum.biz has magically disappeared.
Lots of magic going on. Huh, Phantom?
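The pivot the post is making above (equity488, mbulks@gmail.com and one phone number tying domains under different registrant names together) can be automated. The following is an added example, not spam-court's own tooling: it parses both whois layouts shown on this page, normalizes emails, phone numbers and contact names into selectors, and reports every selector that two or more domains share. The sample records are condensed from the dumps above and embedded so the code runs offline; the field-name heuristics are assumptions that a different registrar's output may need adjusting.

```python
import re
from collections import defaultdict

# Sample records condensed from the whois dumps on this page (two different
# registrar output styles); embedded here so the example runs offline.
SAMPLE_WHOIS = [
    """Domain Name : wishyouwells.com
::Registrant::
Name : Manny Lively
Email : mbulks@gmail.com
Tel : 7182415544
::Administrative Contact::
Name : Manny Lively
Email : equity488@aol.com
Tel : 7182415544
""",
    """Domain Name : rtheyloworwhat.net
::Registrant::
Name : Manny Lively
Email : mbulks@gmail.com
Tel : 7182415544
::Technical Contact::
Email : equity488@aol.com
""",
    """Domain Name:WINSMART.INFO
Registrant Name:MMGROUP
Registrant Organization:Magic Media Group
Registrant Phone:+1.7029391455
Registrant Email:mbulks@gmail.com
Billing Name:Jason Alexander
Billing Phone:+1.8582481904
Billing Email:mbulks@gmail.com
""",
    """Domain Name:RAGTORICHES.INFO
Registrant Name:Tammara Gonzales
Registrant Organization:Magic Marketing Group
Registrant Phone:+1.6192712365
Registrant Email:mbulks@gmail.com
""",
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_record(text):
    """Return (domain, {field: [values]}) from one whois dump.

    Handles both 'Key : Value' and 'Key:Value' layouts. Section markers such
    as '::Registrant::' become a key prefix so 'Name' under Registrant and
    under Administrative Contact are kept apart.
    """
    fields = defaultdict(list)
    section = ""
    domain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"::(.+?)::", line)
        if m:
            section = m.group(1).split()[0] + " "
            continue
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if not value:
            continue
        if key.lower() == "domain name":
            domain = value.lower()
        else:
            fields[section + key].append(value)
    return domain, dict(fields)


def normalize_phone(value):
    """Keep digits only and drop a leading US country code so that
    '+1.7182415544' and '7182415544' compare equal."""
    digits = re.sub(r"\D", "", value)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def extract_pivots(fields):
    """Collect (kind, normalized value) selectors worth pivoting on.
    Which keys count as phone/name fields is a heuristic (assumption)."""
    pivots = set()
    for key, values in fields.items():
        k = key.lower()
        for v in values:
            for email in EMAIL_RE.findall(v):
                pivots.add(("email", email.lower()))
            if "phone" in k or k.endswith("tel") or "fax" in k:
                digits = normalize_phone(v)
                if len(digits) >= 7:
                    pivots.add(("phone", digits))
            if (k.endswith("name") and "domain" not in k) or "organization" in k:
                pivots.add(("name", " ".join(v.lower().split())))
    return pivots


def cluster_by_pivot(records):
    """Map each selector to the domains sharing it; return only selectors
    that link two or more domains."""
    index = defaultdict(set)
    for text in records:
        domain, fields = parse_record(text)
        if domain is None:
            continue
        for pivot in extract_pivots(fields):
            index[pivot].add(domain)
    return {p: sorted(d) for p, d in index.items() if len(d) > 1}


if __name__ == "__main__":
    for (kind, value), domains in sorted(cluster_by_pivot(SAMPLE_WHOIS).items()):
        print(f"{kind:6} {value:<22} -> {', '.join(domains)}")
```

Run against the four records it links all of them through mbulks@gmail.com, and the first two additionally through equity488@aol.com, the 718 phone number and the registrant name; the Las Vegas and San Diego numbers stay unlinked, which is the kind of negative result that keeps a pivot honest.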

Wednesday, July 4, 2007

OhDearTisTheFantom

The publication of the name, address, phone number and pictures of one of the leading players in the bulker business was set in type and all ready to go, but there was an urgent request from a higher authority to stay the execution. Wapol wants first dibs.

Tuesday, July 3, 2007

Europe is in Germany

europe

Saturday, November 17, 2007

europe / guschman

History:
This one was posted on May 26, 2007 by DucksInTwoRows
And edited November 17, 2007 by veruccawatcher, after the last DDoS on spam-court.com. Change: full name



Just a short one. The intention was to write some more, but today we prefer to spend most of our time on other, important things in life than following the scum of the net around.

"europe" aka "guschman" is Martin Neumann from Germany.
He tried to be careful.
But you can never trust a spammer, not even the "trusted" ones.
Just like their own spam, their info floats around.
From one spammer to the next. And so on.
Now Martin, try to hit that delete button now.
But alas, too late. Perhaps.

We make an exception this time and try to believe that spammers don't always lie:
Born in 1981, lives in Rostock.
Was also a member of the dead and buried specialham.com and spamforum.biz.

We have been told he works with something IT-related.
Well, of course he does, he offers hosting.
Man, those spammers think they are clever when telling us stuff.

Or did we just pull that up from a hat?

Why the hell does a host offer their services to criminals?
You know Martin, you could just get rid of that spamhosting/spamsupporting part?
Your choice.

Maybe more later, we have to double- and triplecheck some stuff.
Goodbye.

Monday, July 2, 2007

Crypto from Moldova

Posted January 9th, 2007 by TheScribblers

Drug spammer, first posting on bulkerforum:
Posted: Sat Sep 16, 2006 8:11 pm Post subject: s-rx.biz pharma partner

Dear members, i have the honor to recomend you a pharma partner (sponsor)

Affiliate Share: 50% !

People are working very good, right now they write they own mailer, and gives sock's to mailer's wich needs them. Tech Support is alway's on.
You can add your own domain's, or use predifined ones.

More info and registration is here: www.s-rx.biz

I work with them, and I'm very satisfied with their service.

Greets
_________________
SDD

Second posting on bulkerforum:

I have a good database of anti's (including spamcop members email's and bluesecurity membres email's) message me to filter your invite email's

ICQ:294059880

Probably from Moldova. Possible name: Victor Goncearencu.
Birth date is probably correct: April 1, 1984. All these guys are some kind of fools anyway, and an April fool is no worse than the others.
email(s): crypto@xaker.ru
He is an admin over at x-land.org. We'll have a look there later.

Some "interesting" hits in the logs from Jan. 8th. From Moldova apparently, the IP says so; 217.26.156.3.
Probably Crypto himself or his "friends at a hacker board". Could be his friends over at x-land.org (whois info changed lately btw). Maybe Dorin gave him a hand? They are both from Chisinau btw. Or maybe it was just Crypto himself.
You know someone is trying something when the error log is bigger than the access log.

He has been "promoted" to moderator at bulkerforum too.
Hes englis sems as badd as the admin's though, didd it "promote" itself?
We stronggly sugest that the ufficiul langage at the forrum hereafter is referred to as "cryptenglis".
With a taste of Moldowhine. And l33tish.
Yeah, Crypto is a cool guy. Or a real April fool.
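The observation above, that a probing visitor shows up as far more failed requests than successful ones, is easy to turn into a check. The following is an added example, not part of the original post or spam-court's setup: it reads Apache combined-format access log lines (a constructed sample using RFC 5737 test addresses, not spam-court's real logs), tallies error (4xx/5xx) versus successful responses per client IP, and flags clients whose failures outnumber their successes along with the paths they tripped over. The log format, the threshold and the `min_requests` guard are assumptions; a real deployment would read the actual log files instead of the embedded string.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format (RFC 5737 test addresses).
# Not taken from any real server's logs.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [08/Jan/2007:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Jan/2007:10:00:03 +0000] "GET /node/12 HTTP/1.1" 200 8842 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jan/2007:10:01:00 +0000] "GET /admin.php HTTP/1.1" 404 212 "-" "-"
198.51.100.7 - - [08/Jan/2007:10:01:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 212 "-" "-"
198.51.100.7 - - [08/Jan/2007:10:01:01 +0000] "GET /user/login?a=' HTTP/1.1" 500 0 "-" "-"
198.51.100.7 - - [08/Jan/2007:10:01:01 +0000] "GET /xmlrpc.php HTTP/1.1" 404 212 "-" "-"
198.51.100.7 - - [08/Jan/2007:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "-"
203.0.113.5 - - [08/Jan/2007:10:02:00 +0000] "GET /favicon.ico HTTP/1.1" 404 212 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Jan/2007:10:02:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_lines(text):
    """Yield (client ip, status code, request path) per parseable line;
    lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), int(m.group("status")), m.group("path")


def error_heavy_clients(text, min_requests=3):
    """Per client IP, count error (>= 400) versus successful responses and
    return the IPs whose errors outnumber their successes, together with the
    distinct paths that produced errors. min_requests stops a single stray
    404 (a missing favicon, say) from being flagged. Threshold is an assumption."""
    stats = defaultdict(lambda: {"ok": 0, "err": 0, "paths": []})
    for ip, status, path in parse_lines(text):
        s = stats[ip]
        if status >= 400:
            s["err"] += 1
            s["paths"].append(path)
        else:
            s["ok"] += 1
    flagged = {}
    for ip, s in stats.items():
        total = s["ok"] + s["err"]
        if total >= min_requests and s["err"] > s["ok"]:
            flagged[ip] = {
                "total": total,
                "errors": s["err"],
                "paths": sorted(set(s["paths"])),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in error_heavy_clients(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {info['errors']}/{info['total']} requests failed; "
              f"probed {', '.join(info['paths'])}")
```

On the sample only 198.51.100.7 is flagged: four of its five requests failed, and the paths it asked for (admin panels, an XML-RPC endpoint, a quote in a query string) say more about intent than the error count alone. The client with a single missing favicon is left alone.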

Saturday, June 30, 2007

Burch and Brown

The first two inhabitants placed under the glare of the spotlight in this blog have quite a history.
Joshua Burch (ebulker) and Christopher J. Brown (dollar) rate a mention in many places, more often than not in relation to the DDoS attack that put Blue Security out of business.

Spotlighting News linked them together in that sorry episode in May 2006. They even make an appearance in the Wikipedia entry on Blue Frog, and the duo scored a hit on Slashdot.

Obviously these good ol' boys are not new to the DDoSing game.

Friday, June 29, 2007

Swank / Dollar / Brown

Swank (Christopher J. Brown) - intro
Posted December 8th, 2006 by veruccawatcher

For the non-spammers, Swank is probably best known from Spam Kings as "Richard Cunningham".
We think he actually is a minor player among the spammers.
He likes to give the impression of being a big player.
Most of his stuff has usually gone to pieces. Mainly a middleman.
ssoft.biz is apparently his now, earlier domains are down.
Seems he is running a forum for spammers there.
Most of his older domains are either dead or not renewed.
He likes to give the impression of being good at social engineering, investigating scammers and "antis". And of course he likes bragging about what a big guy he is, how long he has been in "the industry", what he has done earlier and so on.
Now that is a bit dangerous for him. We are coming very close, almost into his backyard, by following all the trails he is leaving. By following those, comparing various stories and double-checking with other sources, we are getting a picture of this guy.
He claims to be giving more of his attention to his "legitimate" businesses now. Probably some VoIP; historically he has had a weakness for opps involving that kind of stuff, e.g. Cognigen and other telecommunications/internet-related outfits. He is not doing too well though, not having too much money.
According to other sources he is running 6-7 PCs from home. Not all of them in good shape; he loses stuff regularly. A couple of them seem to be below the 1GHz mark too and he tries to upgrade them (messing it up of course; his uncle was apparently not a very good teacher, or Swank has difficulties learning).

To be continued/edited .....
See the Spamhaus entry on Christopher J. Brown

What Joshua Burch sells

MastaP

Posted: Tue Jun 26, 2007 1:24 pm
Post subject: Large Dom Full Optin Data Lists.


I have Full optin Data. Here are the lists I have currently;
data is from 06-07 up to May of this year.

These are all FULL Data: Name, address, email, ip, phone, time, date, source etc.

File Name: aol.txt
domain: aol.com
Unique Records: 4,092,039

File Name: yahoo.txt
domain: yahoo.com
Unique Records: 14,884,106

File Name: Hotmail.txt
domain: hotmail.com
Unique Records: 3,249,110

File Name: msn.txt
domain: msn.com
Unique Records: 749,080

File Name: earthlink.txt
domain: earthlink.net
Unique Records: 505,213

Interested in any of the lists contact ICQ: 277-819-069

Aren't there a lot of customers (23 million) on AOL, Yahoo, Hotmail, MSN and Earthlink who are sitting on the edge of their seats waiting for offers from Joshua's customers, the spamming community!

Joshua Burch


Spam-Court hit by DDOS

During the month of June, 2007, spammers have mounted several Distributed Denial of Service attacks, designed to shut down any sites that have been gathering evidence about their antics.

They set their sights on Spamhaus, but with little success, because they are well protected.
They mounted an attack on Castlecops, the premier phish-combat site, but to no avail.
Next they set their sights on URIBL and caused them two or three days of grief before the attack fizzled out.
Another fizzler was SURBL, again a two-day wonder before they gave up, admitting defeat.

But the one that caught everyone's imagination was the sharpest thorn in their side. This was a little site that was punching way above its lightweight status. Spam-Court was a sleeper. A little site, but with great research. A small group (maybe two to four people) spent many hours researching the spammers who congregated at a "bulker" biz forum and started creating a dossier on some of its contributors.

Whenever anyone there posted any messages about illegal operations, the Spam-Court team noted it down, did a few Google searches, and found out more about them.

And that's where the story gets really interesting. Little by little, bit by bit, they started publishing their findings, all gleaned from looking around the Internet. When the bulker biz inhabitants discovered that their cover was being blown, they got more than just a little hot under the collar; why, they blew their stacks. This could not be! Nobody should dare to unmask their true identities! Such mischievous behaviour might lead to all sorts of unpleasant consequences, like their arrests.

So our spammy group at bulkers called for an all-out attack on spam-court, to deal with them in much the same way as many of them had previously dealt with Blue Security a year ago.
You might be wondering what it was that got them so riled up?

Over the next few days, you will be able to read the contents of Spam-Court's postings right here. Of course, Spam-Court won't stay down for long. Every day the spammers use their zombie bot-nets for DDoS attacks is a day spent not using them for spamming. And they can't countenance that for long!

About Me

Take a web site down with a DDoS and you get multiple spin-offs, and the information you tried to suppress proliferates. In fact, everyone wants to see what the fuss was about, and it becomes even more widely known. Karma. Get used to it.