Taking out an IP address


Postby Red Dwarf » Mon Jun 09, 2014 4:28 pm

Sometimes you see hundreds of fraud domains hosted at the same IP address. In a campaign to combat fraud, there are advantages in taking such an IP address out of circulation.

    1. There will be a period of disruption while the fraud syndicate reassigns the hosts to a replacement IP address, and a period of down-time for the spammed domains affected.

    2. Once they are reassigned, there is still a second disruption. Any name servers that have been placed on Client Hold can still perform their function of resolving domain names due to caching within the DNS system of the Internet. When the access to the IP address is stopped, then this caching will fail.

    3. If the owners know that there is a compromised machine at that IP, they can locate it and clean it up, making it more robust and less likely to be compromised again.

Let's look at an example. On June 8, 2014, over 200 Eva Pharmacy fraud sites were detected on IP address 87.117.192.110.
A WHOIS lookup on 87.117.192.110 shows that it belongs to RapidSwitch in the United Kingdom, with these contact details:
Code:
remarks:        ******************************************************
remarks:        * ABUSE REPORTS                                      *
remarks:        * https://myservers.rapidswitch.com/reportabuse.aspx *
remarks:        ******************************************************


Filling in the abuse report form at that web page lets them know of the issue:

IP Address: 87.117.192.110
Type of Abuse: Hacking
Affects Network:
Hacked server hosting hundreds of fraud pharmacies

Details:
Please null route the access to this IP address, used to host over 200 pharmacy fraud domains

Details are posted at
http://www.spamtrackers.eu/wiki/index.php/Netlynx#Sample_illegal_domains

Examples

Evidence about the perpetrators can be seen at these links
http://spamtrackers.eu/wiki/index.php/EvaPharmacy
http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm358794.htm
http://www.cipa.com/fraudulent-sites/
http://scamfraudalert.org/2013/07/06/fda-warning-letter-eva-pharmacy/

Usually the host machine has been hacked and the server added.

Domain Name: spamtrackers.eu
Protocol: http
Port: 80
Material:
http://spamtrackers.eu/wiki/index.php/EvaPharmacy


rapidswitch wrote: Thank you for your abuse report regarding IP address 87.117.192.110.

We are a conduit for this IP address, and the party responsible for it according to our records is one of our clients. Your complaint has been passed to the client, who will deal with the matter accordingly. Their response will be passed back to you at the e-mail address you raised this report from.

If no response is received from our client, it will automatically be escalated to a member of our staff. We aim to get a response to all abuse reports within five working days.

Regards,

RapidSwitch


A traceroute will show if the IP is still accessible:

From https://www.ultratools.com/tools/lookingGlassTools, allowing for 15 hops:
Code:
Hop number:  12
Connected to:  87.117.212.38 ( 87.117.212.38 )
Roundtrip times:  82.22 ms
81.088 ms
83.048 ms
Country:  United Kingdom

Hop number:  13
Roundtrip times:  Timed out.

Hop number:  14
Roundtrip times:  Timed out.


UPDATE JUNE 13, 2014
RapidSwitch wrote: The RapidSwitch abuse team have returned your abuse ticket to the client who
was hosting the material you complained about. They should respond to the
ticket shortly. The comment added by the abuse team follows:

Ticket escalated to staff due to no response within 4 days. Please provide an update and confirm if the issue has been resolved. Thanks


All of the over 200 domains have been relocated onto another IP address, 107.6.41.96.

Anyone want to try this one in the same fashion?
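As an added example (not code from the thread), a small Python parser for the looking-glass output format quoted above that automates the check "a traceroute will show if the IP is still accessible": it records each hop and reports whether the target IP was reached or where the trace died. The sample text is constructed to match the tool's format, and the function names are my own.

```python
import re

# Constructed sample in the looking-glass format quoted in the thread (not a
# live trace): hop 12 answers, hops 13 and 14 time out, target never reached.
SAMPLE_NULL_ROUTED = """\
Hop number:  12
Connected to:  87.117.212.38 ( 87.117.212.38 )
Roundtrip times:  82.22 ms
81.088 ms
Country:  United Kingdom

Hop number:  13
Roundtrip times:  Timed out.

Hop number:  14
Roundtrip times:  Timed out.
"""

HOP_RE = re.compile(r"Hop number:\s*(\d+)")
CONN_RE = re.compile(r"Connected to:\s*(\S+)\s*\(\s*([^)\s]+)\s*\)")
RTT_RE = re.compile(r"([\d.]+)\s*ms\b")


def parse_looking_glass(text):
    """One dict per hop (number, host, ip, rtts_ms, timed_out). Extra RTT
    values sit on their own lines, so they attach to the last opened hop."""
    hops = []
    for line in (l.strip() for l in text.splitlines()):
        m = HOP_RE.match(line)
        if m:
            hops.append({"number": int(m.group(1)), "host": "", "ip": "",
                         "rtts_ms": [], "timed_out": False})
        elif hops:
            m = CONN_RE.match(line)
            if m:
                hops[-1]["host"], hops[-1]["ip"] = m.group(1), m.group(2)
            elif "Timed out" in line:
                hops[-1]["timed_out"] = True
            else:
                hops[-1]["rtts_ms"] += [float(x) for x in RTT_RE.findall(line)]
    return hops


def reachability(hops, target_ip):
    """'reached' if a hop carries target_ip, else where the trace stopped. Trailing
    timeouts fit a null route but also a host that drops probes: re-check over days."""
    for h in hops:
        if h["ip"] == target_ip:
            return {"status": "reached", "hop": h["number"], "host": h["host"]}
    last = next((h for h in reversed(hops) if h["ip"]), None)
    cutoff = last["number"] if last else 0
    timeouts = sum(1 for h in hops if h["timed_out"] and h["number"] > cutoff)
    return {"status": "not_reached",
            "last_responding_hop": last["number"] if last else None,
            "last_responding_ip": last["ip"] if last else None,
            "trailing_timeouts": timeouts}
```

Paste the tool's text output into parse_looking_glass and compare the result against the IP from the abuse report; a "reached" verdict days after the report means the null route the report asked for has not happened.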

Re: Taking out an IP address

Postby Red Dwarf » Mon Jun 09, 2014 4:38 pm

The WHOIS lookup for the contact details for 107.6.41.96 is found at

http://whois.domaintools.com/107.6.41.96

RAbuseHandle: NSA-ARIN
RAbuseName: Peer 1 Network AUP Enforcement
RAbusePhone: +1-604-484-2588
RAbuseEmail: abuse@peer1.net

EVIDENCE
* https://www.virustotal.com/en/ip-address/107.6.41.96/information
* https://www.mywot.com/en/scorecard/107.6.41.96

UPDATED June 20 2014
Traceroute ends at 107.6.40.157

Code:
Hop number:  10
Connected to:  107.6.40.157 ( 107.6.40.157 )
Roundtrip times:  2965.855 ms
Country:  United States

Re: Taking out an IP address

Postby Red Dwarf » Mon Jun 09, 2014 5:59 pm

Another IP hosting over 140 fraud pharmacy domains is 188.68.249.213.

EVIDENCE
https://www.virustotal.com/en/ip-addres ... formation/

Contact
SPRINT in Poland - olsztyn@sprint.pl

Sample domains

UPDATE JUNE 13 2014
From https://www.ultratools.com/tools/lookingGlassTools with 15 hops:
Code:
Hop number:  10
Connected to:  n16h14.rev.sprintdatacenter.pl ( 46.29.16.14 )
Roundtrip times:  112.564 ms
Country:  Poland

Hop number:  11
Roundtrip times:  Timed out.

Hop number:  12
Roundtrip times:  Timed out.

Re: Taking out an IP address

Postby Red Dwarf » Fri Jun 13, 2014 6:14 pm

IP address 192.69.90.43

List of detected fraud domains
https://www.virustotal.com/en/ip-address/192.69.90.43/information/

Traceroute successful at https://www.ultratools.com/tools/traceRoute

WHOIS lookup at http://www.dnsstuff.com/tools#whois|type=ipv4&&value=192.69.90.43

OrgName: VolumeDrive
Address: 1143 Northern Blvd
City: Clarks Summit
StateProv: PA
PostalCode: 18411
Country: US

OrgAbuseHandle: VOLUM1-ARIN
OrgAbuseName: VolumeDrive POC
OrgAbusePhone: +1-862-266-1083
OrgAbuseEmail: info@volumedrive.com

Sample Russian pharmacy fraud domains on 6/14/2014


UPDATED June 14 2014
No longer routed:
Code:
Hop number:  6
Connected to:  xe-0-0-0.cr1.phl1.us.nlayer.net ( 69.22.142.163 )
Roundtrip times:  9.886 ms
27.029 ms
9.878 ms
Country:  United States

Hop number:  7
Roundtrip times:  Timed out.

Hop number:  8
Roundtrip times:  Timed out.


Above examples now resolving to new address 213.155.190.76 in Poland.

Re: Taking out an IP address

Postby Red Dwarf » Sat Jun 14, 2014 6:48 pm

IP address 213.155.190.76

List of detected fraud domains
https://www.virustotal.com/en/ip-address/213.155.190.76/information/

Traceroute successful at https://www.ultratools.com/tools/traceRoute
Code:
Hop number:  10
Connected to:  tunneliinges.com ( 213.155.190.76 )
Roundtrip times:  115.644 ms
Country:  Poland


WHOIS lookup at http://www.dnsstuff.com/tools#whois|type=ipv4&&value=213.155.190.76

role: Academic Centre of Computer Science
org: ORG-AMAN1-RIPE
address: Zachodniopomorski Uniwersytet Technologiczny w Szczecinie
address: Akademickie Centrum Informatyki
address: al. Piastow 41
address: 71-065 Szczecin
address: POLAND
remarks: Akademicka Miejska Siec Komputerowa - AMSK Szczecin
phone: +48.914495858
abuse-mailbox: abuse@man.szczecin.pl

Sample Russian pharmacy fraud domains on 6/14/2014

Re: Taking out an IP address

Postby NotBuyingIt » Sun Jun 15, 2014 12:38 pm

Red Dwarf wrote: Sample Russian pharmacy fraud domains on 6/14/2014
I have noticed their migration to IP address 95.84.156.43.

NCNET Broadband customers
National Cable Networks
Moscow

Re: Taking out an IP address

Postby Red Dwarf » Mon Jun 16, 2014 2:56 am

IP address 189.197.62.153

List of detected fraud domains
https://www.virustotal.com/en/ip-addres ... formation/

Traceroute successful at https://www.ultratools.com/tools/traceRoute
Code:
Hop number:  17
Connected to:  customer-TGZ-62-153.megared.net.mx ( 189.197.62.153 )
Roundtrip times:  76.365 ms
Country:  Mexico


WHOIS lookup at http://whois.domaintools.com/189.197.62.153

ownerid: MX-MSCV17-LACNIC
responsible: Orencio Meza
address: Av. Lazaro Cardenas, 1694, Del Fresno
address: 44900 - Guadalajara - JA
country: MX
phone: +52 3337500020 []
contact: nic_tech@megacable.com.mx

Sample Russian pharmacy fraud domains on 15 June 2014

Re: Taking out an IP address

Postby Red Dwarf » Sun Jun 22, 2014 12:15 am

IP address 31.193.132.18

List of detected fraud domains
https://www.virustotal.com/en/ip-address/31.193.132.18/information/

Traceroute successful at https://www.ultratools.com/tools/traceRoute
Code:
Hop number:  8
Connected to:  a.9.magic-hex.as29550.net ( 213.229.85.162 )
Roundtrip times:  87.864 ms
Country:  United Kingdom

Hop number:  9
Connected to:  31-193-132-18.static.as29550.net ( 31.193.132.18 )
Roundtrip times:  82.844 ms
Country:  United States (?)


Updated July 23
Code:
Hop number:  10
Connected to:  po-1.r00.londen03.uk.bb.gin.ntt.net ( 129.250.4.134 )
Roundtrip times:  250.288 ms
244.842 ms
202.853 ms
Country:  United States

Hop number:  11
Roundtrip times:  Timed out.


WHOIS lookup at http://whois.domaintools.com/31.193.132.18

role: AS29550 Operators
address: Simply Transit
address: Unit 2
address: Smallmead Road
address: Reading
address: Berkshire
address: RG2 0QS
remarks: For abuse please contact abuse@as29550.net
phone: +44 (0)1628 777730

Sample Russian pharmacy fraud domains as seen on 21 June 2014

Re: Taking out an IP address

Postby Red Dwarf » Sun Jun 22, 2014 6:57 pm

The WHOIS lookup for the contact details for 123.63.204.183 is found at

http://whois.domaintools.com/123.63.204.183

role: VODAFONE ESSAR SPACETEL LIMITED
address: C48 Okhla Industrial Estate, New Delhi-110020
country: IN
phone: +91-20-71714178
fax-no: +91-22-2498 6789
e-mail: uday.joshi@vodafone.com
abuse-mailbox: antiabuse.ipnoc@vodafone.com

EVIDENCE
* https://www.virustotal.com/en/ip-address/123.63.204.183/information
* https://www.mywot.com/en/scorecard/123.63.204.183

Traceroute successful at https://www.ultratools.com/tools/traceRoute
Traceroute ends in China via India

Code:
Hop number:  16
Connected to:  vodafone-india-gw.lns.cw.net ( 195.59.77.70 )
Roundtrip times:  83.18 ms
Country:  Europe

Hop number:  17
Connected to:  (123.63.85.253) ( 239.424 )
Roundtrip times:  Timed out.

Hop number:  18
Connected to:  (123.63.85.253) ( 243.397 )
Roundtrip times:  239.84 ms
242.908 ms

Hop number:  19
Connected to:  123.63.204.183 ( 123.63.204.183 )
Roundtrip times:  240.51 ms
Country:  China


Sample Russian EVA Pharmacy fraud domains as seen on June 22, 2014


Re: Taking out an IP address

Postby Red Dwarf » Sun Jun 22, 2014 8:09 pm

The WHOIS lookup for the contact details for 50.115.164.56 is found at
http://whois.domaintools.com/50.115.164.56

Abuse reporting is at https://myvirpus.com/submitticket.php
AbuseHandle: NETWO2357-ARIN
AbuseName: Virpus Network Operations
AbusePhone: +1-877-484-7787
AbuseEmail: abuse (at) myvirpus.com

EVIDENCE
* https://www.virustotal.com/en/ip-address/50.115.164.56/information
* https://www.mywot.com/en/scorecard/50.115.164.56

Traceroute successful at https://www.ultratools.com/tools/traceRoute
Traceroute ends at 50.115.164.56

Code:
Hop number:  14
Connected to:  199.180.135.16 ( 199.180.135.16 )
Roundtrip times:  33.401 ms

Hop number:  15
Connected to:  50.115.164.56 ( 50.115.164.56 )
Roundtrip times:  33.437 ms


UPDATED JUNE 26
Code:
Hop number:  14
Connected to:  38.100.182.58 ( 38.100.182.58 )
Roundtrip times:  33.685 ms
Country:  United States

Hop number:  15
Roundtrip times:  Timed out.


Code:
Pinging 50.115.164.56 with 32 bytes of data:
Request timed out.


Sample Russian EVA Pharmacy fraud domains observed on June 22, 2014

Code:
ailinatiffi.in
biankajulianna.in
brettdasie.in
guillemettedaryl.in
gwendolenmadlen.in
janenepansy.in
kelilaedythmyra.in
margaretteconstancy.in

Re: Taking out an IP address

Postby NotBuyingIt » Tue Jun 24, 2014 11:20 pm

The domain status of guillemettedaryl.in and gwendolenmadlen.in is "HOLD".