Open Source and information security mailing list archives
 
Message-ID: <200310141136.19330.stefmit@comcast.net>
From: stefmit at comcast.net (stefmit)
Subject: Re: Any news on www.kievonline.org site?

FYI: I got the "thank you" reply very soon after reporting the original 
message to spamcop.net ==> makes me think that some monitoring takes place?!? 
Here are the two reports:

======== trace for the original message ==============================

SpamCop version 1.3.4 (c) SpamCop.net, Inc. 1998-2003 All Rights Reserved

Received: from ABE (unknown[208.131.61.181](misconfigured sender))
          by rwcrmxc11.comcast.net (rwcrmxc11) with SMTP
          id <20031014010448r1100evm7qe>; Tue, 14 Oct 2003 01:04:59 +0000
Message-ID: <0013______________________a8c0@...A>
Reply-To: "Moshe Koldny" <admin@...vonline.org>
From: "Moshe Koldny" <admin@...vonline.org>
To: "x" <x>
Subject: Please Support Me 
Date: Mon, 13 Oct 2003 23:21:04 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
  type="multipart/alternative";
  boundary="----=_NextPart_000_000F_01C391E0.AC22A7C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Status: R 
X-Status: N
X-KMail-EncryptionState:  
X-KMail-SignatureState:  

Skip to Reports

Parsing header:

Received:  from ABE (unknown[208.131.61.181](misconfigured sender)) by 
rwcrmxc11.comcast.net (rwcrmxc11) with SMTP id <20031014010448r1100evm7qe>; 
Tue, 14 Oct 2003 01:04:59 +0000
Possible spammer: 208.131.61.181
Received line accepted

Tracking message source: 208.131.61.181:
Routing details for 208.131.61.181
[refresh/show] Cached whois for 208.131.61.181 : abuse@...net
Using abuse net on abuse@...net
abuse net cw.net = abuse@...net, spamcomplaints@...net
Using best contacts abuse@...net spamcomplaints@...net
208.131.61.181 not listed in dnsbl.njabl.org
208.131.61.181 not listed in dnsbl.njabl.org
208.131.61.181 not listed in proxies.blackholes.easynet.nl
208.131.61.181 listed in cbl.abuseat.org ( 127.0.0.2 )
208.131.61.181 is an open proxy
208.131.61.181 not listed in query.bondedsender.org

Would send message source reports to:

Re:208.131.61.181 (Administrator of network where email originates)

spamcomplaints@...net
abuse@...net

======= trace of the "thank you" one =========================

SpamCop version 1.3.4 (c) SpamCop.net, Inc. 1998-2003 All Rights Reserved

Received: from user-0cetm97.cable.mindspring.com ([24.238.217.39])
          by sccrmxc14.attbi.com (sccrmxc14) with SMTP
          id <20031014055315s14005gs82e>; Tue, 14 Oct 2003 05:53:15 +0000
Message-ID: <000d______________________a8c0@...A>
Reply-To: <admin@...vonline.org>
From: <admin@...vonline.org>
To: "x" <x>
Subject: thank you
Date: Tue, 14 Oct 2003 07:34:07 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_000A_01C39225.8D4F8530"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Status: R 
X-Status: N
X-KMail-EncryptionState:  
X-KMail-SignatureState:  

Skip to Reports

Parsing header:

Received:  from user-0cetm97.cable.mindspring.com ([24.238.217.39]) by 
sccrmxc14.attbi.com (sccrmxc14) with SMTP id <20031014055315s14005gs82e>; 
Tue, 14 Oct 2003 05:53:15 +0000
Possible spammer: 24.238.217.39
Received line accepted

Tracking message source: 24.238.217.39:
Routing details for 24.238.217.39
[refresh/show] Cached whois for 24.238.217.39 : abuse@...se.earthlink.net
Using abuse net on abuse@...se.earthlink.net
abuse net abuse.earthlink.net = abuse@...se.earthlink.net
Using best contacts abuse@...se.earthlink.net
24.238.217.39 not listed in dnsbl.njabl.org
24.238.217.39 not listed in dnsbl.njabl.org
24.238.217.39 not listed in proxies.blackholes.easynet.nl
24.238.217.39 not listed in cbl.abuseat.org
24.238.217.39 not listed in dnsbl.sorbs.net
24.238.217.39 not listed in relays.ordb.org.
24.238.217.39 not listed in query.bondedsender.org

Would send message source reports to:

Re:24.238.217.39 (Administrator of network where email originates)

abuse@...se.earthlink.net

Re:24.238.217.39 (Third party interested in email source)

spamcop@...phost.com

On Tuesday 14 October 2003 10:31 am, Michael A. Starr wrote:
> Gentlemen;
>
> I got the same message that is being discussed in this thread.  I include
> it again, not to continue the propagation, but to have it convenient for
> viewing.  From reading this thread, it seems that the site in question is,
> or rather was, some kind of porn site, possibly which this guy
> admin@...vonline.org would like to advertise.  If you look at the words
> that were chosen, you'll notice that there are several of the words that
> *should* get picked up by body content filters (if we're running body
> content filters) -- ranging from sex (fuck, head), to golden showers
> (piss), to "hate words" (nigger), to "hacking and warez" (hacking), phrases
> like "in my face", and "a man needs" might get tagged as well.
>
> What I suspect is that the kievonline.org site was a throw-away, and that
> this guy is really running some kind of sophisticated probe against mail
> servers to determine what filters we have in place.  I hate to say so, but
> it might even be a subscriber to this list that is monitoring who reports
> receiving this email.  The spam assassin score was a 3.0, so that probably
> won't catch it. Header filters certainly won't stop the subject "Thank
> you". He's even prepped us for a spam flood by saying that he added our
> address to every spam list he could find. . .  All in all a very convincing
> package. I don't think the point of this is a malicious code attack, but as
> I said, a probe to see what can be gotten through.
>
> Any thoughts?
>
> Michael Starr, GSEC
>
>
>
> <---Begin Spam --->
> You are a piss head for hacking my site and informing my isp !!! Fuck you
> nigger.
>
> if your a man you should come here and tell me in my face
> A man needs to make a living you know, Now you think my isp is going to do
> something to stop me ?
>
> FUCK YOU
>
> Nice try. I have added your email address to every fucking spam list I can
> find
>
> Next time youll fuck with the right person
> <--- End Spam --->
>
> -----Original Message-----
> From: Johannes Segitz [mailto:jusenet2@...itz.de]
> Sent: Tuesday, October 14, 2003 5:48 AM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Re: Any news on www.kievonline.org site?
>
> Steve Wray <steve.wray@...adise.net.nz> wrote:
> > So far in my googling I haven't found anything about
> > the site.
>
> It's slowly getting into the index
> http://groups.google.com/groups?q=kievonline.org&hl=en&lr=&ie=UTF-8&oe=utf-8&sa=N&tab=wg
>
> It's spam. Just feed your $BAYESIAN_FILTER
>
> Regards,
> Johannes
> --
>       Give a man a match and he will be warm for a while,
> light him on fire and he will be warm for the rest of his life
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
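
An added example, not part of the original post and not SpamCop's code: it extracts the connecting IP from the Received line written by the receiving MTA and builds the reversed-octet DNSBL query names behind the "listed in" / "not listed in" lines of the two traces. The function names and the stub resolver are assumptions; the stub replays the one listing the first trace reports, so the block runs offline.

```python
import ipaddress
import re

# Received headers copied from the two SpamCop traces in the post above.
RECEIVED = [
    "from ABE (unknown[208.131.61.181](misconfigured sender)) by "
    "rwcrmxc11.comcast.net (rwcrmxc11) with SMTP id <20031014010448r1100evm7qe>; "
    "Tue, 14 Oct 2003 01:04:59 +0000",
    "from user-0cetm97.cable.mindspring.com ([24.238.217.39]) by "
    "sccrmxc14.attbi.com (sccrmxc14) with SMTP id <20031014055315s14005gs82e>; "
    "Tue, 14 Oct 2003 05:53:15 +0000",
]
# Three of the zones the traces queried.
ZONES = ["dnsbl.njabl.org", "proxies.blackholes.easynet.nl", "cbl.abuseat.org"]
# Constructed stub: replays the single listing reported in the first trace.
STUB_ANSWERS = {"181.61.131.208.cbl.abuseat.org": ["127.0.0.2"]}

FROM_CLAUSE = re.compile(r"from\s+(\S+)\s+\([^)\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(header):
    """Return (helo_name, peer_ip). Only the bracketed IP is recorded by the
    receiving MTA from the TCP connection; the HELO name is sender-supplied."""
    m = FROM_CLAUSE.match(header.strip())
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(2))  # rejects e.g. 999.1.1.1
    except ValueError:
        return None
    return m.group(1), str(ip)

def dnsbl_name(ip, zone):
    """DNSBL convention: reverse the octets and append the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_dnsbl(ip, zones, resolve):
    """Map zone -> return code (an A record in 127.0.0.0/8) or None if unlisted.
    `resolve(name)` must return a list of A records, empty on NXDOMAIN."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    result = {}
    for zone in zones:
        answers = resolve(dnsbl_name(ip, zone))
        codes = [a for a in answers if ipaddress.ip_address(a) in loopback]
        result[zone] = codes[0] if codes else None
    return result

def stub_resolve(name):
    return STUB_ANSWERS.get(name, [])

if __name__ == "__main__":
    for header in RECEIVED:
        helo, ip = parse_received(header)
        print(helo, ip, check_dnsbl(ip, ZONES, stub_resolve))
```

For live use, pass a resolver that performs a real A-record lookup in place of `stub_resolve`; answers outside 127.0.0.0/8 are deliberately not counted as listings.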

