Eva Pharmacy campaign

Spammers should not profit, so post information here that hits their pockets. There are many ways to fight spammers, and we have automation tools to combat them efficiently. These forums are moderated, but do not reflect the views of the hosting company, domain registrar, etc. By entering any of these forums, you agree that you cannot hold anyone liable for anything related in any way to these forums.

Re: Eva Pharmacy campaign

Post by Red Dwarf » Wed Jun 21, 2017 9:01 pm

Today's most popular hosting addresses for name servers


Abuse addresses for those IPs


Format of an abuse notification:

[quote]
Please read this information carefully. It concerns a security breach on your computer.

On your IP address at 118.193.240.40 there is a trojan proxy name server installed, that is being used by a pharmacy spamming gang to provide access to illegal web sites.

You can prove it with these links
https://who.is/whois/safemedsvalue.ru
nserver:       ns1.safemedsvalue.ru . 84.200.211.128
nserver:       ns2.safemedsvalue.ru . 118.193.240.40

https://who.is/whois/yourpillstore.ru
nserver:       ns1.yourpillstore.ru . 84.200.211.128
nserver:       ns2.yourpillstore.ru . 118.193.240.40


For more information, see http://fraud-reports.wikia.com/wiki/Hijacked_host
and http://ksforum.inboxrevenge.com/viewtopic.php?f=1&t=4949&p=189675#p189675

If you are not the administrator for this machine, please forward on these instructions.

Please respond with your findings.

Thank you from
The Pharmacy Alert Security Team
[/quote]

Here are 3 sample name servers for the top 6
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10539
Joined: Tue Jun 27, 2006 2:01 am

Re: Eva Pharmacy campaign

Post by Red Dwarf » Sat Jun 24, 2017 1:58 am

Most frequently used name server addresses and reporting address for abuse

Re: Eva Pharmacy campaign

Post by Red Dwarf » Fri Jun 30, 2017 4:59 pm

As of July 1 2017, the registrars with the most domains supporting the Eva Pharmacy cyber-crime are in the list below.
The first figure is the number of domains suspended, the second is the number reported, and the third is the number still alive.

Registrar              Suspended  Reported  Alive
R01.RU                      1861      2622    761
BIZCN                         12        31     19
ARDIS-SU                      72        84     12
REGTIME                       73        75      2
GKG                            0         2      2
ADVANCED I T                   0         2      2
TUCOWS                         8         9      1
PDR                          173       173      0
Key-Systems                  159       159      0
TRUNKOZ TECHNOLOGIES           9         9      0
