InBoxRevenge KS Forum

I cannot find the contact address for the host of this:
hxxp:\\www.vermont-it.ru/bancopostaonline.poste.it/bpol/CARTEPRE/index.html

Hosted on IP address: 77.91.199.59:



That appears to be another hijacked 3rd-party server so you may want to contact the hosting company first.

SiL

I reported it to several addresses. It looks like vermont-it.ru is simply compromised. [email protected], [email protected], [email protected]
etc.

vermont-it.ru
IP: 77.91.199.59
AS43667

Not familiar with this host at all, but my first thought is it was highjacked, but not so sure now after digging a bit deeper, I see that vermont-it.ru appears to have legit content. I gleaned [email protected] from the website.

Also, I reported it to RIPE upstream: AS8615

404 that was quick, considering how late it is over in Moscow, after 6pm as I post this, I am pleasantly surprised.



--- connection closed

Nicely done! Just over one hour from when I posted the whois / dns.

Good to see.

SiL

I think I automatically get a little suspicious of anything .ru nowadays.

When I was suring to websites even as recently as 2000, I didn't equate things Russian with spamming / cybercriminality. Now, most anything with .ru that I am not familiar with, I am already suspicious. Same with websites that are Nigerian, Brazilian, Chinese, Korean, Romanian, Turkish, Estonian, Moldavian, etc.

Even so, most of the originating spam is on US networks.

thank you very much.

I'm interested in this case.
I had already wrote to the email recovered in whois report on domain.
But in whois on host IP, I cannot find a contact address.
Where you find it?

I used domainwhitepages.com by entering the domain and then check domain whois record, DNS records and network whois record. At the bottom you see the RIPE information under network whois record (IP ownership). Only, [email protected] was listed under networks as a plausible abuse /technical address for the hoster. [email protected] - was taken from the website and [email protected] was just a guess. You can use this for ISPs as well. Most Security /Abuse issues are directed to abuse@ ISP domain.

I did overlook the domain contact under domain WHOIS: I should have added: [email protected] as a contact, but did not in my report.



Sometimes you don't even see that much, so you try to contact their upstream provider if a lot of the information is not clear for contacting.

I hope this makes sense. Sometimes when you dig deeper, you try contacts for the name servers. Above the nameserver is vernet.su. I could try to find that email address if I couldn't find the ones listed earlier.

That's not that recently. About the same amount of time before that the World Wide Web didn't even exist .

I thounght that email present in "changed:" field like [email protected] was not for contact. thanks

Here another one, please someone report it again with me:

Oggetto: Phishing Poste.it using domain 'S3-POSTE.NET'
Data: Fri, 18 Sep 2009 13:52:19 +0200
Da: efa
A: [email protected], Policy <[email protected]>, network-abuse <[email protected]>

Dear Registrar and Host,
I have received another phish email, that contain a link to:

hxxp:\\s3-poste.net/bpol/CARTEPRE/login.html
registered by: MELBOURNE IT
resolves to 98.136.92.79
registered to: Yahoo! Inc.

domain: s3-poste.net redirect to:
hxxp:\\61.135.204.86/icons/www.poste.it/personale/index.php?logon=myposte
registered to: China Unicom

The link is a fake page of the Italian Bank 'Poste.it'

The domain 'S3-POSTE.NET' is registered uniquely for phishing on:18-sep-2009
Please suspend immediately the domain 'S3-POSTE.NET'

NOTE: This domain was previous registered by: MELBOURNE IT
on 15-sep-2009
that suspended it with HOLD only on 16-sep-2009
Now the domain in re-registered and used again by phisher!

IT'S NECESSARY to follow all the instructions reported in the link below
to suspend a domain and be sure the phisher cannot reuse it.
In particular all following four status MUST be applied:
ClientHold
ClientUpdateProhibited
ClientDeleteProhibited
ClientTransferProhibited

Detailed removal instructions are at this link:
http://www.spamtrackers.eu/wiki/index.p ... rar_Advice

The host '61.135.204.86' is cracked!
delete immediately these phishing pages

Regards, efa

While you're at it:

http://s3-poste.net/

Redirects to:

http://61.135.204.86/icons/www.poste.it ... on=myposte



SiL

I got another whois report for 61.135.204.86:


so I wrote to [email protected], no action.

China Unicom blows (that is English slang for they need to get rid of their spam). Just take a look at Spamhaus SBLs like this one:

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL78734


Spamhaus has this network under the name:cnc-group-bj
I think they are AS9800 (network identification) - I get confused with which Chinese Hosts, ISPs, are what sometimes.

Chinese Networks (very helpful) for research if unsure:
http://www.cymru.com/BGP/incon_asn_list.html

Maybe this phish will get pulled in November. Still up as of Tues 9/22/09 after being reported a few times.