Cyrillic Spam


Postby AlphaCentauri » Sat Sep 13, 2014 2:53 pm

Checked my inbox and found Cyrillic spam for Eva Pharmacy (Canadian Health and Care Mall):

ндон.ювншъзнфцёэь.рф

рф is Cyrillic for "RF," or Russian Federation.

The parent domain times out and after I try to load it once, I can't load the subdomain anymore, either. Deleting cookies or using a different browser doesn't have any effect. Apparently my IP is blocked.

The spam itself contained an affiliate ID in Roman characters, which is interesting.

I tried looking up the whois and hosting information, and guess what? Our usual tools don't know what to do with Cyrillic input. They act like I hadn't entered any data at all.

Do people know of other means of investigation?

Re: Cyrillic Spam

Postby Red Dwarf » Sat Sep 13, 2014 7:27 pm

The WHOIS server for Cyrillic domains is at
https://www.nic.ru/whois/en/

Supply the domain name: ювншъзнфцёэь.рф

nic.ru wrote:Data from WHOIS.TCINET.RU:

% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).

domain: XN--B1AKRB9AMKQWJC8B.XN--P1AI
nserver: ns1.xn--b1akrb9amkqwjc8b.xn--p1ai. 103.241.150.190
nserver: ns2.xn--b1akrb9amkqwjc8b.xn--p1ai. 61.150.109.186
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
registrar: R01-REG-RF
admin-contact: https://partner.r01.ru/contact_admin.khtml
created: 2014.08.06
paid-till: 2015.08.06
free-date: 2015.09.06
source: TCI

Last updated on 2014.09.14 03:16:38 MSK


To communicate with the registrant, should you choose to do so:
https://partner.r01.ru/contact_admin.khtml

r01.ru wrote:This form may be used for communication with Registrant
registered through R01 Registrar.
We do not own the domain name.

Domain (without www) *

Your name *

Your e-mail *

Subject of letter *

Letter body *

Spam protection *
Install all the pictures correctly ^

Move the sliders or click on the pictures

Send a letter

Re: Cyrillic Spam

Postby AlphaCentauri » Sat Sep 13, 2014 9:15 pm

Hosted at 213.155.190.76

Code:
IP Information for : 213.155.190.76
Updated : 2014-09-10
IP-based Geolocation : Poland
IP-based Coordinate : latitude : 52 | longitude : 20
Whois 213.155.190.76 :
inetnum: 213.155.0.0 - 213.155.31.255
netname: UA-HOSTING-20080402
descr: Tehnologii Budushego LLC
country: UA
org: ORG-TBL1-RIPE
admin-c: TM3037-RIPE
tech-c: ABS28-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: MNT-HOSTINGUA
mnt-routes: MNT-HOSTINGUA
source: RIPE # Filtered
organisation: ORG-TBL1-RIPE
org-name: Tehnologii Budushego LLC
org-type: LIR
address: Tehnologii Budushego LLC Mayakovskogo side-street 6 65000 ODESSA Ukraine
phone: +380487282111
fax-no: +380487282111
admin-c: ABS28-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: MNT-HOSTINGUA
mnt-by: RIPE-NCC-HM-MNT
abuse-c: TMUA1525-RIPE
source: RIPE # Filtered
person: Andrey Slusar
address: Ukraine Odessa Mayakovskogo 6
address: Tehnologii Budushego LLC
remarks: Please send all spam/scam/fraud abuse to abuse@hosting.ua
phone: +38 048 7282111
phone: +38 048 7281518
nic-hdl: ABS28-RIPE
mnt-by: MNT-HOSTINGUA
source: RIPE # Filtered
person: Top Management
remarks: Technologii Maybutnego LLC
address: 46 Dalnickaya str, 65001 Odessa Ukraine
phone: +38 048 7282111
abuse-mailbox: abuse@hosting.ua
nic-hdl: TM3037-RIPE
mnt-by: MNT-HOSTINGUA
source: RIPE # Filtered
route: 213.155.0.0/19
descr: Tehnologii Budushego LLC
descr: Datacenter Hosting.UA
origin: AS41665
mnt-by: MNT-HOSTINGUA
source: RIPE # Filtered


Neither Poland nor Ukraine are likely to be very sympathetic to Russian scammers right now ;)

Code:
 13 Websites use this IP address :
yourcanadianbargain.com
zarxlevy.com
yourmedicinalsale.com
luckyhealingquality.com
medicinalherbsgroup.com
organicsafereward.com
tradingassociatesinc.com
thecanadianinc.com
medicalgenericsmart.com
tfyhcyru.com
yourgenericeshop.com
remedialsafereward.com
medicaresdoctor.com


But again, the Cyrillic domain names aren't getting captured. I suspect that list that came up on a general website is not up to date, either. The domains I tried aren't pinging.

Re: Cyrillic Spam

Postby Red Dwarf » Mon Sep 15, 2014 4:32 pm

Here are 9 of the domains from your list that are already suspended:

* luckyhealingquality.com Canadian Neighbor Pharmacy NAMESILO, LLC
* organicsafereward.com My Canadian Pharmacy NETLYNX, INC.
* tradingassociatesinc.com My Canadian Pharmacy NAMESILO, LLC
* thecanadianinc.com My Canadian Pharmacy NETLYNX, INC.
* medicalgenericsmart.com Canadian Health&Care Mall NAMESILO, LLC
* tfyhcyru.com My Canadian Pharmacy NAMESILO, LLC
* yourgenericeshop.com My Canadian Pharmacy TRUNKOZ TECHNOLOGIES PVT LTD.
* remedialsafereward.com Canadian Health&Care Mall TRUNKOZ TECHNOLOGIES PVT LTD.
* medicaresdoctor.com My Canadian Pharmacy NAMESILO, LLC

That leaves 4 to go:
medicinalherbsgroup.com
yourcanadianbargain.com
zarxlevy.com
yourmedicinalsale.com

Re: Cyrillic Spam

Postby Red Dwarf » Wed Sep 17, 2014 4:14 pm

3 more down:
yourcanadianbargain.com
zarxlevy.com
yourmedicinalsale.com

leaving:
medicinalherbsgroup.com (My Canadian Pharmacy) on NAMESILO, LLC

Re: Cyrillic Spam

Postby Red Dwarf » Thu Sep 18, 2014 5:46 pm

A useful tool for converting URLs to/from Cyrillic and punycode forms:

http://mct.verisign-grs.com/

You key in a bulk list and get bulk results, like
INPUT:
Code:
xn--x1afhb.xn--e1aajidm1f6atia.xn--p1ai
xn--x1ahh.xn--c1aaaghqz5jeidbt.xn--p1ai
xn--y1abc.xn--90admi5brd7b.xn--p1ai
xn--y1afg.xn--g1aao6bdcde4b.xn--p1ai
xn--z1abf.xn--g1ajbgsnaad2c.xn--p1ai
xn--z1aee.xn--e1aajidm1f6atia.xn--p1ai


RESULTS:
Code:
ASCII                                      UNICODE                 WHOIS QUERY
xn--x1afhb.xn--e1aajidm1f6atia.xn--p1ai    юышэ.еелншьяяиюк.рф     Domain Lookup
xn--x1ahh.xn--c1aaaghqz5jeidbt.xn--p1ai    ьшю.югюнеьгйгяэжь.рф    Domain Lookup
xn--y1abc.xn--90admi5brd7b.xn--p1ai        ыъщ.гхзйбъфс.рф         Domain Lookup
xn--y1afg.xn--g1aao6bdcde4b.xn--p1ai       ьющ.чшщзмзшэч.рф        Domain Lookup
xn--z1abf.xn--g1ajbgsnaad2c.xn--p1ai       эыъ.тмфффозщмф.рф       Domain Lookup
xn--z1aee.xn--e1aajidm1f6atia.xn--p1ai     юъь.еелншьяяиюк.рф      Domain Lookup


(The Domain Lookup link does not work though.)

The MYWOT.COM Mass Rating tool accepts URLs in both Cyrillic and punycode form and treats them identically.
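An added example, not code from any poster in this thread: the Cyrillic/punycode conversion discussed above, done offline with Python's built-in `idna` codec (IDNA 2003), so that WHOIS and DNS tools which reject Cyrillic input can be given the `xn--` form. It also groups spamvertised hosts by parent domain; treating the last two labels as the registrable domain is an assumption that holds for .рф names like the ones in this thread.

```python
import unicodedata
from collections import defaultdict


def to_ascii(host):
    """Punycode (A-label) form, the one WHOIS and DNS tools accept."""
    host = host.strip().rstrip(".").lower()
    return host.encode("idna").decode("ascii")


def to_unicode(host):
    """Human-readable (U-label) form; accepts either form as input."""
    return to_ascii(host).encode("ascii").decode("idna")


def label_scripts(host):
    """Scripts used by the letters of each label, e.g. {'CYRILLIC'}."""
    return [
        {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}
        for label in to_unicode(host).split(".")
    ]


def parent_domain(host):
    """Assumption: the registrable domain is the last two labels (true for .рф)."""
    return ".".join(to_ascii(host).split(".")[-2:])


def group_by_parent(hosts):
    """Map each parent domain (punycode) to the spamvertised hosts under it."""
    groups = defaultdict(set)
    for host in hosts:
        groups[parent_domain(host)].add(to_unicode(host))
    return {parent: sorted(names) for parent, names in groups.items()}


# Hostnames taken from the posts above, in mixed forms on purpose
# (Unicode, upper-case punycode with a trailing dot, lower-case punycode).
SAMPLE = [
    "ыъщ.гхзйбъфс.рф",
    "XN--X1AFHB.XN--E1AAJIDM1F6ATIA.XN--P1AI.",
    "xn--z1aee.xn--e1aajidm1f6atia.xn--p1ai",
]

if __name__ == "__main__":
    for parent, hosts in group_by_parent(SAMPLE).items():
        print(parent, to_unicode(parent), hosts)
```

Grouping first means one WHOIS query per parent domain rather than one per throwaway subdomain.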

