Spamming for script-kiddies

Well, this has got to be the most annoying piece of spam I have received recently. It seems that now even the crack-scripting community is using spam to advertise their “services.” I have included a copy of the email – the more disturbing items I have emphasized in bold. The email:

From: noreply-52@ww-nn.web-hack.ru
Bcc:
Return-Path: noreply-52@ww-nn.web-hack.ru
X-OriginalArrivalTime: 06 Mar 2006 13:36:47.0450 (UTC) FILETIME=410ABA0:01C64123]
Date: 6 Mar 2006 04:36:47 -0900
Dear Sir/Madam, Hello!

We are internet hackers crew – Web-hack. We propose you for sale some interesting things:
– private exploits – http://forum.web-hack.ru
– stolen credit cards and bank accounts – http://forum.web-hack.ru
– we infect users pc’s with your trojan for low prices (10000 infected pc’s for 25$) – http://forum.web-hack.ru
– bulletproof domains and hosting – http://forum.web-hack.ru

Best offer – bulletproof domain + hosting =0 usd/week. You can use this hosting for any scam/fraud and nobody will close it! For more information look at – http://forum.web-hack.ru

P.S. We are registering bulletproof domains on our partner site http://www.r01.ru/ there we have “our” people to guarantee stability of our domains and hosting so any organization like spamhaus.org cannot down our hosting and domains. We are now spaming 5 000 000 people look out the domain is alive as always and never gonna be down !!

Please go and order our services at: http://forum.web-hack.ru

Msg-ID: 12543

Whois:

forum.web-hack.ru
ww-nn.web-hack.ru

217.107.217.167
217.107.217.168

OrgName: RIPE Network Coordination Centre
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
Comment:
RegDate:
Updated: 2004-12-13
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 217.0.0.0 – 217.255.255.255
CIDR: 217.0.0.0/8
NetName: 217-RIPE
NetHandle: NET-217-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2000-06-05
Updated: 2005-07-27

# ARIN WHOIS database, last updated 2006-03-05 19:10
# Enter ? for additional hints on searching ARIN’s WHOIS database.

www.r01.ru

195.24.65.17

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.

% Information related to ‘195.24.64.0 – 195.24.71.255’

inetnum: 195.24.64.0 – 195.24.71.255
netname: PARKLINE-1
descr: Garant-Park-Telecom
descr: Science Park, MSU
descr: Lebedeva St., Leninskie Gory
descr: Moscow 119899, Russia
country: RU
admin-c: PAN-RIPE
tech-c: PAN-RIPE
status: ASSIGNED PI
mnt-by: PAN1-RIPE-MNT
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: PAN1-RIPE-MNT
source: RIPE # Filtered

person: Alexander V Panov
address: MSU, Science Park, Garant-Park-Telecom
address: Moscow
address: Russia
remarks: phone: +7 095 7898207
phone: +7 495 7898207
remarks: fax-no: +7 095 9308800
fax-no: +7 495 9308800
e-mail: panov@parkline.ru
nic-hdl: PAN-RIPE
mnt-by: PAN1-RIPE-MNT
source: RIPE # Filtered
remarks: modified for Russian phone area changes

% Information related to ‘195.24.64.0/21AS25537’

route: 195.24.64.0/21
descr: Garant-Park Telecom Block 3
descr: Science Park, Moscow State University
descr: Lenin’s Hills, Moscow, Russia
origin: AS25537
mnt-by: PAN1-RIPE-MNT
source: RIPE # Filtered

Definitely ones to watch for in your log files.
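
One way to do that watching, as an added example that is not part of the original post: a Python scan that flags log lines mentioning the sender's domain or the two addresses listed above. The function name `scan`, the choice to watch every host under web-hack.ru, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Indicators listed in the post. Watching every host under web-hack.ru
# (not only the two names shown) is an assumption of this example.
WATCH_DOMAIN = "web-hack.ru"
WATCH_IPS = {ipaddress.ip_address(a)
             for a in ("217.107.217.167", "217.107.217.168")}

# Bounded patterns so look-alikes such as notweb-hack.ru or
# web-hack.ru.example.net never count as matches.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def scan(lines):
    """Return (line_number, indicator) for each watched address or host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in IP_RE.finditer(line):
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:  # e.g. 999.1.1.1 is not a valid address
                continue
            if ip in WATCH_IPS:
                hits.append((n, str(ip)))
        for m in HOST_RE.finditer(line):
            host = m.group(1).lower()
            if host == WATCH_DOMAIN or host.endswith("." + WATCH_DOMAIN):
                hits.append((n, host))
    return hits


# Constructed sample lines (mail, proxy, firewall, DNS); not real logs.
SAMPLE = [
    "Mar  6 13:36:47 mx1 postfix/smtpd[211]: connect from unknown[217.107.217.167]",
    "Mar  6 13:36:48 mx1 postfix/cleanup[214]: warning: header Return-Path: noreply-52@ww-nn.web-hack.ru",
    '10.0.0.8 - - [06/Mar/2006:13:40:02 +0000] "GET http://forum.web-hack.ru/ HTTP/1.0" 200 512',
    "Mar  6 13:41:10 mx1 postfix/smtpd[219]: connect from mail.example.org[192.0.2.217]",
    "Mar  6 13:42:00 fw1 kernel: DROP SRC=10.0.0.9 DST=217.107.217.169 PROTO=TCP",
    "Mar  6 13:43:00 ns1 named[88]: query: notweb-hack.ru.example.net IN A",
]

if __name__ == "__main__":
    for n, indicator in scan(SAMPLE):
        print(f"line {n}: {indicator}")
```

Only the first three sample lines are reported; the neighbouring address and the look-alike hostname are ignored.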