Friday, December 21, 2007

n0fx - delivers bp hosting and exploits

A young oldtimer. A digital gangsta (not my words). Found traces of him dating back a few years, probably back to the spamvault.net days.
Just out of his diapers back then.

Let's start with one of his postings from bulkerforum.biz:

n0fx
Joined: 26 Mar 2007
Posts: 50
Posted: Tue Oct 02, 2007 4:44 pm Post subject: bp servers 4 sale - can use for ANYTHING but direct mailing
$250 Dedicated BP FAST China Servers

* 110% ANONYMOUS - your name and info not tied to them at all!

* Direct Mailing not allowed but pea mailing and any other applications running is fine -- social networks, chat bots, etc.

* IF for some reason the IP gets in trouble, your server will NEVER go down -- you will just be assigned new ip.

* WINDOWS OR FREEBSD O/S. No hosting on these servers.

***************

If you need FAST hosting BP, $500 a month. no adult or child porn *anything else is fine* - 25 Domains.

Contact me and I'll get you setup ASAP!

aim - batonRouge
skype - killpolice
icq - 216.587.192


Hm, hosting *anything* except adult and child porn. So malware and phish pages are just fine, me thinks.

Ties to Matt Leppala (link to Leppala's ROKSO listing).
Has at least one site hosted in Leppala's (webnos) space on Staminus.
And some sites on phatservers.

A nice soul sent us a picture of three guys.
The problem is that we don't know which one is n0fx. And the source is silent.

Other nicks used around: skunx, PunkRockXXX, squatterpunx, Punk Rocks

Personally, I prefer to call him Steve.
No, I changed my mind. I prefer to call him Edmond. I wondered what that e@ in several domain registrations meant.
Now I know.
Ugly piece of shit according to a photo.

Thursday, December 20, 2007

sanjay aka sancash

The Elite Herbal guy.

I originally included him in the "Snippets" posting, very briefly:
A quick note to self:
This guy is involved with Elite Herbal.
How high up he is in the food chain cannot be established accurately.
If not on top, he is very high up.

Definitely to be continued.


There is a lot of buzz about Elite Herbal and genbucks going on now.
That is the only reason for this posting. I don't have that much new info on sanjay.

One tiny little detail is found in an old dig for the domain sancash.com (and this is sanjay's domain):

; <<>> DiG 9.2.4 <<>> sancash.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49188
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;sancash.com. IN A

;; ANSWER SECTION:
sancash.com. 130 IN A 66.11.113.41

;; AUTHORITY SECTION:
sancash.com. 172800 IN NS ns2.sancash.com.
sancash.com. 172800 IN NS ns1.sancash.com.

;; Query time: 57 msec
;; SERVER:
;; WHEN: Sat Sep 22 18:46:19 2007
;; MSG SIZE rcvd: 81

Then we take a look at that IP, 66.11.113.41:
Suavemente, INC. SUAVEMENTE-SAN-DIEGO (NET-66-11-112-0-1)
66.11.112.0 - 66.11.127.255
IzoWeb, Inc IZOWEB-SANDIEGO (NET-66-11-113-0-1)
66.11.113.0 - 66.11.114.255


Who else has IzoWeb/WireSix as a favorite hoster?
You're right: GenBucks.
Another small piece in the Elite Herbal/Genbucks connection.

And regarding IzoWeb: By the number of hosted genbucks sites and their related sites, is this really an independent host?
Or is it GenBucks themselves?

I am wondering a bit about Suavemente too.

Let's jump back:

Post subject: Penis enlargement pills .. Big Commissions! Epassporte Pay!
We are looking for a few more affiliates who are interested in marketing enlargement pills, great alternative to replica or RX, our pills are converting great with average order of 6 bottles! Payments every week. fast BP hosting, private bp domains.

We have solid references for those that don't know us.. affiliates will also need references.

Thxs Sanjay

AIM: sancash44
MSN: sancash44@hotmail.com
ICQ: 654052
SKYPE: sancash1

That was back in October 2006.

And a bit earlier in October 2006:

Herbal sites, high converting penis pills and Cum pills, Hoodia... market these and get weekly epassporte payments or wire if needed.

If you don't have an epassporte account, get just 1 sale we can send you a free ATM card.. get paid and withdraw it every week!

- multiple servers
- lots of fresh domains
- private domains
- add your own domains!
- detailed stats
- lots of sites, herbal, RX, adult products
- fast servers
- high commissions

plus lots more nice features

We have been in the industry for over 4 yrs, program was made by mailiers 4 mailers!

get your account today..

ICQ - 654052
SKYPE - sancash1

We don't normally hang at boards but do have people that can vouch for us.

Thxs Sanjay


Note: program was made by mailiers 4 mailers!.
Yeah, right genbucks. We rephrase that one:
The program was made by spammers for spammers.

Friday, December 7, 2007

Ron Paul spam tied to bulkerforum.biz

This story on slashdot made a couple of bells start ringing.

... someone calling themselves nenastnyj was behind it and their botnet control server has been shut down


nenastnyj is a member of bulkerforum.biz. You will probably know him as "nena" over there.
Drug spammer apparently in charge of PharmaBucks. Here is his first posting on bulkerforum in January 2007:

Posted: Tue Jan 09, 2007 7:36 am
Post subject: New big money with PharmaBucks
Dear colleagues (we hope that we will be able to call you partners of our partnership program in future),

The partnership program "PharmaBucks" is more than happy to encourage you to cooperate with us.

For the time being, there is one shop and four medical preparations, that are the most needed, available in our partnership program.

We offer you sales with commissions from 30 to 50%. According to the promotion of our program everybody who registers before February 1st, 2007 will be registered in partnership plan " Silver " that offers you 40%.

Our conditions and benefits:

- Detailed and very honest statistics! You will feel it from the very first minute of our cooperation;
- Commissions up to 55%;
- Referral system of 5%
- Our own steady bulk-servers;
- Support is always ready to answer your questions comprehensively and correctly;
- Daily change of domains, personal domains for the big adverts;
- Regular professional text refreshments;
- Salaries webmoney, fethard, wire;
- Hold – 14 days;
- % commissions according to the following tariff description:

0-10 sales per day - 30% commission
11-20 sales per day - 40% commission
20-50 sales per day - 45% commission
50+ sales per day - 55% commission


Our cooperation and your time is of a great value for us, that’s why we made all the conditions of successful and lucrative cooperation with you so much easier.

Everybody, from the beginners to the professionals, is more than welcome to join our partnership program. Respectful and sophisticated Support is always ready to help you with any kind of problem.

Our working team consists of exceptional professionals that have invested all their experience acquired throughout many years into this program.
We are always looking with a perspective concentrating our attention and experience only on reaching the highest peaks, comprehensively analyzing and improving our accomplishments.

We hope that you will value our advantages starting from today.

To register and start working you can by connecting to this ICQ number: 303-435-751.
ICQ Number <------- 304927900 304-927-900

A bit later he answers neuman's question:
what are the products?

now only 4, and 1 shop, soon ill be 4more products
now only Viagra Soft tabs Cialis soft tabs, cialis, and viagra pro


A small image from pharmabucks.biz when the page was still up:

We have not been following nena/PharmaBucks around, so we don't know the story after January.


Back to the Ron Paul spam:
More details in a report from Secureworks.
A bit shorter version on ars technica

And there is something else that is a bit interesting in that report.
The Ron Paul spam has been tied to the "Reactor botnet". "spamit" on bulkerforum is being mentioned, but SecureWorks doubts he is the author. It is more likely that he is a customer of the author of the bot controlling software.
Interesting points anyway.

Now, I highly doubt that the Russians are especially interested in US politics.
Which leaves the question: which American spammers (probably with connections to bulkerforum.biz) are behind the spam for Ron Paul?

We know that the Digital Gangstas Matt Leppala, Pete Snoufax and ytcracker are close to an orgasm if Ron Paul is being mentioned. But we have no idea if they were behind the spam. n0fx on bulkerforum is an old buddy of them.

Tuesday, December 4, 2007

This blog back after DDoS

The criminals did not only attack spam-court.com, but also this blog.
I just discovered it was back, don't know when that happened.
It must have been during the last two or three days.

spam-court had a short-lived reappearance too.
That was not intentional and it soon disappeared again.

Saturday, November 17, 2007

spam-court ddosed again

And this time Dreamhost has shut the door for good.
So that's it.

Friday, November 16, 2007

Snippets

A collection where small snippets are saved temporarily and gradually expanded towards an independent blogpost.
More like memos to myself. Read them if you like, but don't expect much.
Mainly regarding members of bulkerforum.biz who are offering services that are illegal in most countries.

AbdAllah


[Nov 16, 2007]
His second post on bulkerforum.biz:

BP servers & hosting for mailing, trojan's, exploit's, etc. in Turkey, Malaysia, HongKong, USA, Thailand, China.
Fast setup, cheap price.
Please contact ICQ: 483-384-343 (Mr.Abdulla)
or write to PM.
Thank you !

One example of the typical hard working, honest members of bulkerforum.biz.

And the moderator Crypto greets him:

He is a well-known Russian BP provider.
Welcome to bulkerforum, AbdAllah.


We know that hosting mule scams is one of those included in his term "etc.", but what else is possible?
Child porn, carder sites? Not unlikely.

Honored with an SBL-listing in Spamhaus in November 2007, SBL59691.

To be continued ........

ProfDDoS


Nick says it all.
His post #5 on bulkerforum.biz:
Greeting!!!!

Let me to bring to your attention professional DDoS service!
Quality is guaranteed by uniqueness of the updated and supported software. Huge, constantly growing quantity of bots worldwide online.
Destroy a site of the competitor!!!
The prices depend on duration and complexity of the project.
For information welcome in the icq.
For all questions: ICQ support 448845. skype ss_support1

Moderators Dollar and Crypto are not totally happy about that post.
A bit strange regarding Crypto when reading his greetings to AbdAllah, but who knows what's inside these guys' brains.
Crypto has not been showing too much intelligence in his posts, so it is perhaps not so strange after all.

Phantom rushes to his defense:

I have to disagree here guys LOL this person has been of great service to us all without you even knowing about it ..Thanks guy

ProfDDoS is the same guy as, or in bed with .....damn I lost that part.

Maybe continued.

Phantom


One of the moderators.
Been hanging around for some years now.
Always been very slippery, but now the smelly ex-wannabe-spammer "Nick Danger" (Marion Sidney Lynn) claims to have his identity and has "outed" him.

We have seen that info earlier, but we are not totally convinced about how real this is.
Two long and wild shots: This "outed" identity is either a middleman or a deliberate smoke screen.

Both Veru and myself are going more in the direction of "back to the roots" like WarriorForum and Bulkbarn, like Phantom himself indirectly suggests in his various postings on different forums during the last years. And like magic, some info fits. Pure magic it is.
This indicates another identity, but this does not seem very likely either.
The fact that both of us, originally independent of each other, went in that direction is a sign that there may be something here. And so is the fact that some of our findings were identical. That's magical.
It still seems unlikely though, so we are open for suggestions and speculations combined with hard facts.
Especially hard facts about the identity "outed" by the smelly chicken of an ex-wannabe-spammer.

escape

Usman Ahzaz, escap3@gmail.com, ahsen_@hotmail.com

Snippets:
  • olatesuite
  • exploits
  • Ukraine
  • drug spammer

From a posting about a month ago on bulkerforum, someone asked for this:

subject: Need a persistent exe application
One that will take an exe I already have and make it 'persistent' - hidden from the filesystem, hard to remove, etc

skype: myst231 or pm me here (I don't know if the pm situation has been resolved)


And the OlateSuite master of exploits answers:

escape
Joined: 15 Sep 2006
Posts: 55

votes: 2 Posted: Wed Oct 17, 2007 3:30 pm Post subject: y0
i can help you out
_________________
OlateSuite - HiSpeed Mirrored BP Shared Hosting & Dedicated Servers...
Exclusive Ip Restricted Socks4


The Christmas season is approaching, so watch out for OlateSuite's exploits this year too:
Happy Holiday Season, TrendLabs article from 2006 about the OlateSuite exploit
Watch out for any Holiday Season Blowout Sales this year.

See also:
http://garwarner.blogspot.de/2009/05/phishers-try-msn-worms-to-steal.html

Yet another hard working, honest businessman on the bulkerforum.

kref/spamit (glavmed)


Probably two guys, belonging to the same gang.
Crypto hugs kref:
kref is known in the BlackSEO biz. He is a good guy and pays on time.
He has his own design/coders team (for his rx websites), and the affiliate system for mailers looks very nice.
He has a lot of references, just pm him and find out more,
I think you gonna like it.

With such good references, we don't hesitate to label those guys as criminal spammers.
Snippets:
  • despmedia.com
  • glavmed.com
  • glavmed.org
  • hzmedia.info
  • spamit.com
  • thecanadianmeds.com
  • saintd / saintdmitry
  • Michael_sun2k
  • Their "designers": dadaev.com

To come


  • David (from Houston, TX.)
  • perka (from Romania - ZedCash)
  • rxnic
  • TLCmail / Stolder / leadz / empharmpartners (this is probably Impulse Marketing Group, or at least connected to them)
  • toxicdog (alex0ra, alexora, goomenuk, Prague, spamilka.com, Black Network, 69.50.177.122)
  • Note to self: The nick "n" is probably also known as elitet0kr, EvilAnarchistGuy, nathanownzu, t0k3d, EliteRAHA. Remember the guy from a couple of years back: Nathan?

sanjay / sancash

A quick note to self:
This guy is involved with Elite Herbal.
How high up he is in the food chain cannot be established accurately.
If not on top, he is very high up.

Wednesday, October 24, 2007

RackSpace06

Yes sir. Verynice, both dealz and site here.

"Rajesh Khanna". Oh well. Maybe not. That's the name he is using. If it's for real? I don't know.
No sir, I really don't know. Yet. Mayor or Moe? I really don't know.

Provider of bulletproof servers for both mail and hosting.
Has some space in lacnic and something at fdc-servers.
And probably other places too.

It's a sad day for the spammers and spamsupporters when you cannot trust anyone.
Not even the Romanians. Never scam a Romanian.

Sunday, October 21, 2007

Bluehost strikes again

Less than 10 minutes again to remove a paypal phish site.

But of course, others could have complained earlier.
I don't think so, the same happened after the first time I sent a heads up.
A bit early to say, but there could be a pattern here.

Which tells me Bluehost is extremely effective.

Saturday, October 6, 2007

hetzner.de - tragic. Or wait - Is it Google mail? Or wait - is it Hetzner after all?

Received a spam for a Lloyds Bank phish and sent off an email to the abuse address at hetzner.de, who host the site.
That spam arrived yesterday, but the phish site is still up. So I thought I should send off a heads up when I discovered it.

I must confess that I messed up a bit and used the mail to bluehost regarding the paypal phish, so it became a paypal instead of a Lloyds phish in the email.

But anyway, here is the response from hetzner.de, their abuse@. Correction, this could be google not sending it out at all:

Delivery to the following recipient failed permanently:

    abuse[at]hetzner.de

Technical details of permanent failure:
PERM_FAILURE: SMTP Error (state 16): 550 This message contains malware (Email.Phishing.RB-1597)


Doh.
Should I think a bit and try to rewrite it? Naw.
I have no idea what triggers that response.
OK, then. I will leave out the full link and only give the domain. And not use the word "phish".
But only one more try.

Update two days later


Nine hours ago I received the following from Hetzner:

Hello,

thanks a lot for the information. We have informed our customer to take care
of the problem. If you have trouble with one of our servers furthermore,
don't hesitate to contact us again.

Sorry for the problems.


Not a problem for me, mate.
But it could be a problem for others that the phishing page is still up.

This is a Lloyds Bank phish site.
And this week is apparently "National Identity Fraud Prevention Week" in the UK, starting today:
http://www.lloydstsb.com/security/fraud_prevention_week.asp.
Ironic.

Bluehost: Less than 10 minutes to remove a phishing site.
Hetzner: (Two) (Three) (Four days) 5 days.......
Last check Thursday October 11 and the phishing page was gone, took them around 5 days.

Bluehost - fastest I have seen

Paypal phish on sendinbox.info.
Sent off an email to bluehost abuse, less than ten minutes later the phish setup was gone.
Others could have made bluehost aware of it earlier, of course, but it is the fastest I have seen.

Usually those phish sites are hacked, but this one was registered yesterday using bluehost.
I am not so sure if it was a hacked site this time.

Kudos to whoever is at work reading Bluehost's abuse box on this Saturday.

Friday, October 5, 2007

bigjohnson / eliteboy ...

Igor Shaposhnikov.

This is confirmed. And checked. And doublechecked. I even triplechecked.
So I guess I can't be wrong.

Convicted for bank fraud.

Gave spam-court.com as return addresses for a spamrun earlier this year.
Hm, "three years of supervised release", what about spamming during that time?

More details later. If I get around to doing something.

Friday, September 28, 2007

Mailing Provider

An old posting this one, we are trying to catch up.
There is so much info and so little time to dig around.


Mailing Provider
Joined: 29 Nov 2006
Posts: 2

Posted: Wed Nov 29, 2006 10:42 pm Post subject: Usa Servers
We provide usa direct mailing servers , dynamic or static ips , windows free bsd or linux , the best deliver rates and speed all clean ips , ask your quotation

Steve L.
stevelee@mac.hush.com


Brief summary:

Related to or is allhostingservers.org.
Whois is probably fake.

Interesting stuff:

; QUESTION SECTION:
;allhostingservers.org. IN A

;; ANSWER SECTION:
allhostingservers.org. 167 IN A 75.143.67.240
allhostingservers.org. 167 IN A 70.128.47.199
allhostingservers.org. 167 IN A 67.181.91.202
allhostingservers.org. 167 IN A 76.99.113.84
allhostingservers.org. 167 IN A 76.109.192.116
allhostingservers.org. 167 IN A 75.53.213.166
allhostingservers.org. 167 IN A 24.8.20.123
allhostingservers.org. 167 IN A 70.136.54.202
allhostingservers.org. 167 IN A 196.217.99.80
allhostingservers.org. 167 IN A 68.82.254.54

;; AUTHORITY SECTION:
allhostingservers.org. 86385 IN NS ns5.c0fbfef6e372ca34a.com.
allhostingservers.org. 86385 IN NS ns2.c0fbfef6e372ca34a.com.
allhostingservers.org. 86385 IN NS ns1.c0fbfef6e372ca34a.com.
allhostingservers.org. 86385 IN NS ns3.c0fbfef6e372ca34a.com.
allhostingservers.org. 86385 IN NS ns4.c0fbfef6e372ca34a.com.

;; ADDITIONAL SECTION:
ns5.c0fbfef6e372ca34a.com. 172786 IN A 68.82.254.54
ns4.c0fbfef6e372ca34a.com. 172786 IN A 71.12.14.160
ns3.c0fbfef6e372ca34a.com. 172786 IN A 76.227.0.163
ns2.c0fbfef6e372ca34a.com. 172786 IN A 66.190.101.125
ns1.c0fbfef6e372ca34a.com. 172786 IN A 71.81.244.187
ns1.c0fbfef6e372ca34a.com. 172786 IN A 69.251.167.240


Other nameservers that are related:
ns1.f580c9d2e65.com
ns2.f580c9d2e65.com
ns3.f580c9d2e65.com
ns4.f580c9d2e65.


Again a criminal on bulkerforum.biz using other people's hijacked computers.
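A quick way to test that claim against the dig output above, as an added example (not the blog's own code): it counts the A records, their TTL and how many distinct /16 networks they fall in, and applies the same spread check to the nameserver glue; the thresholds are assumptions.

```python
"""Fast-flux heuristic over dig output.

Added example, not from the blog post. It parses the dig output quoted above and
scores the domain on what the post points at: many A records with a short TTL,
spread over unrelated networks (hijacked home PCs on many ISPs rather than one
hosting rack). All thresholds are assumptions for this example.
"""
import ipaddress
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype value")

# dig prints resource records as "<name> <ttl> IN <type> <value>".
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)$")


def parse_dig(text):
    """Records from the ANSWER and ADDITIONAL sections; ';' lines are dig
    commentary and AUTHORITY is skipped so NS delegations stay out."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("SECTION:"):
            section = line.strip("; ").split()[0]  # QUESTION, ANSWER, ...
            continue
        if not line or line.startswith(";"):
            continue
        m = _RR.match(line)
        if m and section in ("ANSWER", "ADDITIONAL"):
            name, ttl, rtype, value = m.groups()
            records.append(Record(name.rstrip("."), int(ttl), rtype, value))
    return records


def a_records(records, name):
    """All A records owned by one name (trailing dot ignored)."""
    name = name.rstrip(".")
    return [r for r in records if r.rtype == "A" and r.name == name]


def network_spread(addrs, prefix=16):
    """Number of distinct /prefix networks among the addresses."""
    return len({ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs})


def flux_assessment(records, name, max_ttl=300, min_addrs=5):
    """Evidence plus verdict: suspect when at least min_addrs A records, none
    cached longer than max_ttl seconds, sit in at least min_addrs distinct /16s."""
    recs = a_records(records, name)
    addrs = [r.value for r in recs]
    result = {
        "name": name.rstrip("."),
        "a_count": len(addrs),
        "ttl": max((r.ttl for r in recs), default=None),
        "networks": network_spread(addrs),
    }
    result["suspect"] = (
        result["a_count"] >= min_addrs
        and result["ttl"] <= max_ttl
        and result["networks"] >= min_addrs
    )
    return result


def ns_glue_spread(records):
    """(glue address count, distinct /16s) for the nameservers' own A records:
    the same signal one level up, the zone served from the scattered machines."""
    glue = [r.value for r in records
            if r.rtype == "A" and r.name.split(".")[0].startswith("ns")]
    return len(glue), network_spread(glue)


# Copied from the dig output quoted in the post (AUTHORITY section shortened).
DIG_ALLHOSTING = """\
;; ANSWER SECTION:
allhostingservers.org. 167 IN A 75.143.67.240
allhostingservers.org. 167 IN A 70.128.47.199
allhostingservers.org. 167 IN A 67.181.91.202
allhostingservers.org. 167 IN A 76.99.113.84
allhostingservers.org. 167 IN A 76.109.192.116
allhostingservers.org. 167 IN A 75.53.213.166
allhostingservers.org. 167 IN A 24.8.20.123
allhostingservers.org. 167 IN A 70.136.54.202
allhostingservers.org. 167 IN A 196.217.99.80
allhostingservers.org. 167 IN A 68.82.254.54

;; AUTHORITY SECTION:
allhostingservers.org. 86385 IN NS ns1.c0fbfef6e372ca34a.com.

;; ADDITIONAL SECTION:
ns5.c0fbfef6e372ca34a.com. 172786 IN A 68.82.254.54
ns4.c0fbfef6e372ca34a.com. 172786 IN A 71.12.14.160
ns3.c0fbfef6e372ca34a.com. 172786 IN A 76.227.0.163
ns2.c0fbfef6e372ca34a.com. 172786 IN A 66.190.101.125
ns1.c0fbfef6e372ca34a.com. 172786 IN A 71.81.244.187
ns1.c0fbfef6e372ca34a.com. 172786 IN A 69.251.167.240
"""
```

Run `flux_assessment(parse_dig(DIG_ALLHOSTING), "allhostingservers.org")` to get the verdict; a single-homed domain like the sancash.com answer earlier on the page comes out as not suspect.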

Saturday, September 22, 2007

canadaguy99

Finally nailed this one.
I had an idea who it could be, and I think I can say it is confirmed.

TheScribblers' posting about him on spam-court.com can give some hints:


Posted September 17th, 2006 by TheScribblers

His first posting on bulkerforum:
Posted: Sat Sep 16, 2006 11:25 pm Post subject: Would you like to promote your own online college?

Turnkey online college for sale. Why mail for someone else when you can do it yourself. Price is $5000 complete - never bulked to.

Option II -- we provide the backend, you market it and take 65% of the net.
PM me for info.


This is really Alton Scott Poe.
I would feel unsafe on bulkerforum.biz with that guy around.
Ask Rizler. If you can reach him.

Tuesday, August 28, 2007

admin - bulker.biz

Coming!
The admin of bulkerforum.biz, where the criminals gather.
He is running bulker.biz, some may know him as e-bulker too.
mybulker.biz is his too.

From one of his "newsletter" postings on bulkerforum:

================ TOP Products ==============

- Viagra
- Cialis Soft
- Cialis + Viagra
- Viagra Soft
- Cialis
- Ambien
- Soma
- HGH

================ TOP Domains ============

- yahoo.com
- aol.com
- hotmail.com
- comcast.net
- sbcglobal.net
- cox.net
- earthlink.net
- bellsouth.net
- msn.com
- gmail.com

Best Regards, Bulker.Biz Team

Mailto: support@bulker.biz
ICQ: 333192431
Skype: BulkerSupport


So there you have the admin's "products" and to what domains they are mailing. Good luck in catching him.

He kind of revealed himself in a posting lately on bulkerforum.
I cannot remember seeing a post from admin where he gets directly involved (I am most likely wrong), but when someone complained about not getting payment from "bulker", "admin" could not shut up:

bulker never pay frauders. die looser

And Crypto licks the admin's ass:

agree


More coming later. (A pain in the ass to get something done when the site is under attack)

ddos on spam-court.com again

Scribbler is back to take care of things and that is good.
He just posted this on spam-court:


Not so strong this one and Dreamhost obviously has a few tricks up their sleeves this time.
The attackers said "Hello" from 216.32.84.92 this time, which is Layered.
The browser looked like this:
"Opera/9.02 (Windows NT 5.1; U; ru)" .
Hm, "ru" again. I am not surprised.

The forum at thecarpcstore.com is under attack too, and is down.

None of us will be surprised if this increases.

This calls for more work, more publishing.
Yesterday I wrote a little piece about "lhl".
I guess I have to ask Ducks nicely if his writings about ebulker is ready.


I am not quite ready, could post a few small things maybe. We'll see.

This is hardly a ddos btw, not so far.

Sunday, August 19, 2007

Bits and Pieces about This and That

Those DDoS attacks on spam-court.com kind of piss me off. Not that spam-court is that important. In the big picture, this site is hardly worth mentioning at all. You have probably never seen a site with so few hits, except when it's DDoS time.
Search engines and robots like spam-court.com though. That could explain why the spammers at bulkerforum.biz dislike the site. So much that they have initiated 4 attacks on the site (or is it 5, I have lost count).
The pure fact that this is criminal activity pisses me off.

I would like to see some of the members of bulkerforum go down. Hard.
Especially the moderators. Swank, Phantom and Crypto.

Rumors are going around that Swank is a bit more active than we at spam-court.com thought a few months ago.
He is an American and it should be possible to take him down. The authorities are a bit more interested in guys like him now than only a few years back. His identity is known. The rest should be relatively easy.

Phantom is from Australia. He is slippery and there are different opinions about who he is. His own bragging is what probably has led to his identification. By us. But we can't quite believe it ourselves, it seems a bit unlikely. Little pieces and fractions of info from here and there, coupled together, give a preliminary picture of a small corner of the puzzle. Others disagree and have their own opinion.
Time will show. He is being watched and we think that in the long run the only way to avoid identification is going out of business. But he is not "ezy" to find and he "magically" disappears when you think you got him. And we don't know how concerned the authorities in Australia are regarding this kind of criminal activity.

Crypto, the expert on copyright and hacking will probably live peacefully. I don't think the local authorities go after him.

Bulkerforum.biz also has an admin. In the beginning we thought it could be Crypto, but their writing styles are different.
Their mistreatment of the English language is different too. We have an idea about who he is. Or more correctly, in what branch of the spamming business he operates. He is probably a Russian, living in Russia. Usually that means he can do what he wants.

A few of the other members of the forum are a bit interesting too. But the forum has turned into a comedy lately. Scamming each other, paranoia is spreading, there is talk about starting another forum etc. Social engineering is out of the question, they are seeing ghosts in broad daylight. Our sources dried out too.

We never thought the spammers would resort to DDoS-ing spam-court.com. That was very naive and stupid. The site is hosted in a shared environment, which is not a good idea when you are the victim of an attack. A DDoS can affect other users on Dreamhost's servers. That is our main concern. Not spam-court going down, we can live with that. Dreamhost support has been fantastic during the attacks and we are wondering if there is any host like that out there at all. But in the long run we don't think it can be hosted on a shared server. And a dedicated server is out of the question. So we are going somewhere in the middle, which means that spam-court may go down, but it will not affect the other users. Hopefully.

New content is possible from the middle of September.
If the site is still up.
If not, some of the old content and new stuff will be up at http://ducksintworows.blogspot.com/ , http://veruccawatcher.blogspot.com/ and a couple of other places.

Saturday, August 18, 2007

spam-court up, but ddosed again

spam-court.com went live again on August 14.
Sat there quietly, almost no hits.

Then another ddos started again a couple of hours ago (according to the log: 18/Aug/2007:11:16:11 -0700).

As I said, almost no hits.
Just a few minutes before the attack started, there was a hit from this IP: 83.174.246.78:

inetnum: 83.174.240.0 - 83.174.255.255
netname: DSL-POOL
descr: Bashinformsvyaz Company, RUMS, DSL POOL
country: RU
admin-c: IHK1-RIPE
tech-c: AAR21-RIPE
status: ASSIGNED PA
mnt-by: RUMS-MNT
source: RIPE # Filtered

person: Ilgiz H Kalmetev
address: Lenin street, 30, RUMS
address: RUSSIA, 450000, Ufa city
phone: +7 3472 001331
nic-hdl: IHK1-RIPE
e-mail: ilgiz@bashtelecom.ru
source: RIPE # Filtered

person: Alexei A. Roumyantsev
address: JSC Bashinformsvyaz
address: Lenin street, 30, RUMS
address: RUSSIA, 450000, Ufa city
phone: +7 3472 001198
nic-hdl: AAR21-RIPE
e-mail: lesha@ufamts.ru
source: RIPE # Filtered

% Information related to '83.174.240.0/20AS28812'

route: 83.174.240.0/20
descr: RU, Ufa, JSC Bashinformsvyaz, RUMS
origin: AS28812
mnt-by: RUMS-MNT
source: RIPE # Filtered


Looked like this, only the first part of each line in the log; file hits and UA omitted:

83.174.246.78 - - [18/Aug/2007:11:10:18 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:19 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:20 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:20 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:22 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:25 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:26 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:28 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:30 -0700]
83.174.246.78 - - [18/Aug/2007:11:10:29 -0700]
83.174.246.78 - - [18/Aug/2007:11:14:03 -0700]
83.174.246.78 - - [18/Aug/2007:11:15:27 -0700]
83.174.246.78 - - [18/Aug/2007:11:15:28 -0700]
83.174.246.78 - - [18/Aug/2007:11:16:06 -0700]
88.236.16.74 - - [18/Aug/2007:11:16:11 -0700]

For those interested in details, the User Agent was:
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070531 Firefox/1.5.0.12 Flock/0.7.14"

So, he comes in at around 11:10, peeps a little a few minutes later, and then the attack starts.
Coincidence?
Project HoneyPot has seen that IP before.
It is a "DSL-POOL", but I don't know if that IP is dynamic or static.
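The check described here (find the moment the flood starts, then list who was active in the minutes before it) as an added example, not the blog's own code; the early visitor's hit times are taken from the log excerpt above, everything else in the sample log is constructed.

```python
"""Who was poking at the site just before the flood began.

Added example, not from the blog post. The 22 hit times of 83.174.246.78 are the
ones listed above; the request fields, the earlier ordinary visitor and the
203.0.113.0/24 flood sources are constructed. Window and threshold values are
assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/combined log prefix: <ip> <ident> <user> [<timestamp>] ...
_PREFIX = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]")


def parse_prefix(line):
    """(ip, aware datetime) for a log line, or None if it does not parse."""
    m = _PREFIX.match(line)
    if not m:
        return None
    ip, stamp = m.groups()
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def find_onset(hits, window_seconds=10, min_sources=5):
    """First moment a window holds min_sources distinct IPs, else None."""
    sources, first_seen = defaultdict(set), {}
    for ip, ts in hits:
        slot = int(ts.timestamp()) // window_seconds
        sources[slot].add(ip)
        first_seen[slot] = min(first_seen.get(slot, ts), ts)
    for slot in sorted(sources):
        if len(sources[slot]) >= min_sources:
            return first_seen[slot]
    return None


def visitors_before(hits, onset, lookback=timedelta(minutes=10)):
    """[(ip, {hits, first, last})] for IPs active in [onset - lookback, onset),
    busiest first. A lone IP with many hits right before the onset is the
    one to look at (and to compare with the flood sources)."""
    seen = {}
    for ip, ts in hits:
        if onset - lookback <= ts < onset:
            rec = seen.setdefault(ip, {"hits": 0, "first": ts, "last": ts})
            rec["hits"] += 1
            rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
    return sorted(seen.items(), key=lambda kv: -kv[1]["hits"])


def analyse(lines, window_seconds=10, min_sources=5, lookback_minutes=10):
    """(onset time, pre-onset visitors), or (None, []) when no flood is found."""
    hits = [h for h in map(parse_prefix, lines) if h]
    onset = find_onset(hits, window_seconds, min_sources)
    if onset is None:
        return None, []
    return onset, visitors_before(hits, onset, timedelta(minutes=lookback_minutes))


def log_line(ip, hhmmss, request="GET / HTTP/1.1", status=200):
    """One combined-format line for 18 Aug 2007; request part is constructed."""
    return f'{ip} - - [18/Aug/2007:{hhmmss} -0700] "{request}" {status} 512 "-" "-"'


# The 22 hit times of 83.174.246.78 as listed in the post, in logged order.
SCOUT_TIMES = (
    "11:10:18 11:10:19 11:10:19 11:10:19 11:10:20 11:10:20 11:10:22 11:10:25 "
    "11:10:26 11:10:26 11:10:26 11:10:27 11:10:27 11:10:27 11:10:27 11:10:28 "
    "11:10:30 11:10:29 11:14:03 11:15:27 11:15:28 11:16:06"
).split()

SAMPLE_LOG = (
    [log_line("198.51.100.7", "10:40:02")]  # constructed: ordinary visitor
    + [log_line("83.174.246.78", t) for t in SCOUT_TIMES]
    + [log_line("88.236.16.74", "11:16:11")]  # first flood hit, from the post
    + [log_line(f"203.0.113.{n}", f"11:16:1{n - 9}") for n in range(10, 15)]
)

if __name__ == "__main__":
    onset, before = analyse(SAMPLE_LOG)
    print("flood onset:", onset)
    for ip, rec in before:
        print(f"{ip}: {rec['hits']} hits, {rec['first']:%H:%M:%S}-{rec['last']:%H:%M:%S}")
```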

The last IP (88.236.16.74) is the first one in the attack.
Some of the others:

Another small detail:
Only a few seconds after the attack started, there were a few hits from alertra.com.
The IPs are partially consistent with those listed at their site.
One of their services: "Get Notified When Your Site Goes Down!".
They have a free 30 day trial.
I don't think anyone at spam-court has signed up for that trial.
It is likely that the ddoser himself or the guy(s) that hired him has signed up for a trial (I doubt they have a paid service).

It is not over yet, but they have succeeded in taking the server down.
spam-court.com is not reachable, but no one else is suffering on the server.

About 4 hours after the attack started, the site was up for a few minutes and then went down again.

Tuesday, August 14, 2007

72.199.153.138

Nice area, San Diego. Ramona is nice too.
Here is a little snippet from the spam-court logs only three days before the first ddos.
I am wondering if they first tried to hack the site and when that did not succeed, they resorted to the ddos?
I am also wondering who this was. Veru says he has some kind of idea, but has to wait until he is back.
But I am told to take some pics, if possible.

A quick google for 72.199.153.138 gets one hit, where the IP is tied to a harvester?
Who on bulkerforum.biz is selling harvested lists?

[Thu Jun 14 18:14:46 2007] [error] [client 72.199.153.138] File does not exist: /4dm1n/
[Thu Jun 14 18:14:45 2007] [error] [client 72.199.153.138] File does not exist: /Files/
[Thu Jun 14 18:14:45 2007] [error] [client 72.199.153.138] File does not exist: /file/
[Thu Jun 14 18:14:47 2007] [error] [client 72.199.153.138] File does not exist: /File/
[Thu Jun 14 18:14:47 2007] [error] [client 72.199.153.138] File does not exist: /Forums/
[Thu Jun 14 18:14:46 2007] [error] [client 72.199.153.138] File does not exist: /forum/
[Thu Jun 14 18:14:48 2007] [error] [client 72.199.153.138] File does not exist: /Forum/
[Thu Jun 14 18:14:48 2007] [error] [client 72.199.153.138] File does not exist: /Forumz/
[Thu Jun 14 18:14:48 2007] [error] [client 72.199.153.138] File does not exist: /forums/
[Thu Jun 14 18:14:48 2007] [error] [client 72.199.153.138] File does not exist: /Forums/
[Thu Jun 14 18:14:49 2007] [error] [client 72.199.153.138] Invalid URI in request GET .txt/ HTTP/1.1
[Thu Jun 14 18:14:49 2007] [error] [client 72.199.153.138] Invalid URI in request GET .txt/ HTTP/1.1
[Thu Jun 14 18:14:49 2007] [error] [client 72.199.153.138] Invalid URI in request GET txt/ HTTP/1.1
[Thu Jun 14 18:14:49 2007] [error] [client 72.199.153.138] Invalid URI in request GET txt/ HTTP/1.1
[Thu Jun 14 18:14:50 2007] [error] [client 72.199.153.138] File does not exist: /txt/
[Thu Jun 14 18:14:50 2007] [error] [client 72.199.153.138] File does not exist: /_private/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /_vti_bin/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /_vti_cnf/
[Thu Jun 14 18:14:50 2007] [error] [client 72.199.153.138] File does not exist: /_vti_pvt/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /admin/
[Thu Jun 14 18:14:50 2007] [error] [client 72.199.153.138] File does not exist: /admin/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /asp/
[Thu Jun 14 18:14:50 2007] [error] [client 72.199.153.138] File does not exist: /audio/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /bin/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /binary/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /cfg/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /cgi-bin/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /conf/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /config/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /cgi-local/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /cgi-bin/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /cpanel/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /cpp/
[Thu Jun 14 18:14:53 2007] [error] [client 72.199.153.138] File does not exist: /cutenews/
[Thu Jun 14 18:14:51 2007] [error] [client 72.199.153.138] File does not exist: /cute/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /data/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /database/
[Thu Jun 14 18:14:54 2007] [error] [client 72.199.153.138] File does not exist: /db/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /forum/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /home/
[Thu Jun 14 18:14:52 2007] [error] [client 72.199.153.138] File does not exist: /iissamples/
[Thu Jun 14 18:14:54 2007] [error] [client 72.199.153.138] File does not exist: /image/
[Thu Jun 14 18:14:53 2007] [error] [client 72.199.153.138] File does not exist: /images/
[Thu Jun 14 18:14:55 2007] [error] [client 72.199.153.138] File does not exist: /Image/
[Thu Jun 14 18:14:55 2007] [error] [client 72.199.153.138] File does not exist: /Images/
[Thu Jun 14 18:14:55 2007] [error] [client 72.199.153.138] File does not exist: /include/
[Thu Jun 14 18:14:54 2007] [error] [client 72.199.153.138] File does not exist: /log/
[Thu Jun 14 18:14:54 2007] [error] [client 72.199.153.138] File does not exist: /logs/
[Thu Jun 14 18:14:54 2007] [error] [client 72.199.153.138] File does not exist: /mp3s/
[Thu Jun 14 18:14:56 2007] [error] [client 72.199.153.138] File does not exist: /msadc/
[Thu Jun 14 18:14:56 2007] [error] [client 72.199.153.138] File does not exist: /news/
[Thu Jun 14 18:14:57 2007] [error] [client 72.199.153.138] File does not exist: /perl/
[Thu Jun 14 18:14:57 2007] [error] [client 72.199.153.138] File does not exist: /php-bin/
[Thu Jun 14 18:14:57 2007] [error] [client 72.199.153.138] File does not exist: /php/
[Thu Jun 14 18:14:56 2007] [error] [client 72.199.153.138] File does not exist: /private/
[Thu Jun 14 18:14:57 2007] [error] [client 72.199.153.138] File does not exist: /public/
[Thu Jun 14 18:14:56 2007] [error] [client 72.199.153.138] File does not exist: /pvt/
[Thu Jun 14 18:14:57 2007] [error] [client 72.199.153.138] File does not exist: /phpBB/
[Thu Jun 14 18:14:58 2007] [error] [client 72.199.153.138] File does not exist: /pwd/
[Thu Jun 14 18:14:58 2007] [error] [client 72.199.153.138] File does not exist: /software/
[Thu Jun 14 18:14:59 2007] [error] [client 72.199.153.138] File does not exist: /forbidden.html
[Thu Jun 14 18:14:57 2007] [error] [client 72.199.153.138] File does not exist: /sound/
[Thu Jun 14 18:14:59 2007] [error] [client 72.199.153.138] File does not exist: /src/
[Thu Jun 14 18:14:59 2007] [error] [client 72.199.153.138] File does not exist: /tar/
[Thu Jun 14 18:14:58 2007] [error] [client 72.199.153.138] File does not exist: /warez/
[Thu Jun 14 18:14:59 2007] [error] [client 72.199.153.138] File does not exist: /topics/
[Thu Jun 14 18:15:00 2007] [error] [client 72.199.153.138] File does not exist: /txt/
[Thu Jun 14 18:14:58 2007] [error] [client 72.199.153.138] File does not exist: /cmps/
[Thu Jun 14 18:14:58 2007] [error] [client 72.199.153.138] File does not exist: /programsandscripts/
[Thu Jun 14 18:15:00 2007] [error] [client 72.199.153.138] File does not exist: /programs/
[Thu Jun 14 18:15:01 2007] [error] [client 72.199.153.138] File does not exist: /jffk1.txt/
[Thu Jun 14 18:15:01 2007] [error] [client 72.199.153.138] File does not exist: /ohiockk.txt/
[Thu Jun 14 18:15:01 2007] [error] [client 72.199.153.138] File does not exist: /ohioguy.txt/
[Thu Jun 14 18:14:59 2007] [error] [client 72.199.153.138] File does not exist: /plcap.txt/
[Thu Jun 14 18:15:00 2007] [error] [client 72.199.153.138] File does not exist: /ravvz1.txt/
[Thu Jun 14 18:15:00 2007] [error] [client 72.199.153.138] File does not exist: /ravvz2.txt/
[Thu Jun 14 18:15:00 2007] [error] [client 72.199.153.138] File does not exist: /spppc2.txt/
[Thu Jun 14 18:15:02 2007] [error] [client 72.199.153.138] File does not exist: /wazt1.txt/
[Thu Jun 14 18:15:02 2007] [error] [client 72.199.153.138] File does not exist: /xx2.txt/
[Thu Jun 14 18:15:01 2007] [error] [client 72.199.153.138] File does not exist: /xxt23.txt/
[Thu Jun 14 18:15:03 2007] [error] [client 72.199.153.138] File does not exist: /xxtt23.txt/
[Thu Jun 14 18:15:01 2007] [error] [client 72.199.153.138] File does not exist: /peas.txt/
[Thu Jun 14 18:15:03 2007] [error] [client 72.199.153.138] File does not exist: /Proxies.txt/
[Thu Jun 14 18:15:01 2007] [error] [client 72.199.153.138] File does not exist: /txt/
[Thu Jun 14 18:15:02 2007] [error] [client 72.199.153.138] File does not exist: /sample/
[Thu Jun 14 18:15:04 2007] [error] [client 72.199.153.138] File does not exist: /s/
[Thu Jun 14 18:15:02 2007] [error] [client 72.199.153.138] File does not exist: /c/
[Thu Jun 14 18:15:04 2007] [error] [client 72.199.153.138] File does not exist: /b/
[Thu Jun 14 18:15:03 2007] [error] [client 72.199.153.138] Invalid URI in request GET t// HTTP/1.1
[Thu Jun 14 18:15:03 2007] [error] [client 72.199.153.138] Invalid URI in request GET t// HTTP/1.1
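A walk through well-known admin, forum and list paths like the one above stands out in an Apache error log if you group errors by client and look at how fast they arrive. The following is an added example, not code from the post or from spam-court, and it assumes the Apache 2.x error-log layout seen in the excerpt; the sample lines are constructed and use documentation IPs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 2.x error-log line, same shape as the excerpt above (format assumed from it).
LINE_RE = re.compile(r"^\[(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\] "
                     r"\[\w+\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"
# Probe signatures: a path that is not there, or a malformed request line.
PROBE_RE = re.compile(r"^(?:File does not exist: |Invalid URI in request )(?P<what>.+)$")

def parse_line(line):
    """Return (timestamp, client_ip, message), or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    return None if not m else (datetime.strptime(m["ts"], TS_FMT), m["ip"], m["msg"])

def find_scanners(lines, min_probes=20, window_seconds=60):
    """Flag clients with >= min_probes probe errors inside any window_seconds span.
    Returns {ip: {"count": all probes, "span": seconds first..last, "paths": [...]}}."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        m = PROBE_RE.match(msg)
        if m:
            by_ip[ip].append((ts, m["what"]))
    flagged = {}
    for ip, probes in by_ip.items():
        probes.sort()          # log timestamps are not strictly ordered (see excerpt)
        best = j = 0           # sliding window: most probes inside window_seconds
        for i in range(len(probes)):
            while (probes[i][0] - probes[j][0]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_probes:
            flagged[ip] = {"count": len(probes),
                           "span": (probes[-1][0] - probes[0][0]).total_seconds(),
                           "paths": sorted({p for _, p in probes})}
    return flagged

# Constructed sample (documentation IPs, not the post's log): one client walks 22 paths
# in five seconds, another merely misses a favicon.
_PATHS = ["/4dm1n/", "/admin/", "/_vti_bin/", "/_vti_pvt/", "/cgi-bin/", "/cpanel/",
          "/phpBB/", "/forum/", "/config/", "/db/", "/logs/", "/private/", "/pwd/",
          "/warez/", "/msadc/", "/iissamples/", "/cutenews/", "/include/", "/software/",
          "/src/", "/Proxies.txt/", "/peas.txt/"]
SAMPLE_LOG = [f"[Thu Jun 14 18:14:{46 + i // 5} 2007] [error] [client 198.51.100.7] "
              f"File does not exist: {p}" for i, p in enumerate(_PATHS)] + [
    "[Thu Jun 14 18:14:49 2007] [error] [client 198.51.100.7] Invalid URI in request GET .txt/ HTTP/1.1",
    "[Thu Jun 14 18:20:01 2007] [error] [client 203.0.113.9] File does not exist: /favicon.ico",
]
```

On the sample, find_scanners(SAMPLE_LOG) flags only 198.51.100.7 (23 probes in 4 seconds); the single favicon miss from 203.0.113.9 stays below the threshold.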

Saturday, August 4, 2007

The Poe-try of a snitching spammer

Chris Smith (Chris Rizler) sentenced to 30 years.
Interesting readings.

Alton Scott Poe, Smith's second-in-command at the pharmacy, came next. Engisch told Davis that Poe had been "one of the most significant and important cooperators in this matter." Poe pleaded guilty in February 2006 to conspiracy and unlawful distribution of a controlled substance. Davis sentenced him to 6 months in prison and 6 months of home detention, plus 3 years of supervised release.

Full story:
http://www.startribune.com/467/story/1337623.html

I am wondering where Poe is hanging around nowadays?

8/4/07:
I think I have a pretty good idea about that.
More later. Maybe.

I don't know exactly where he is hanging around, but bulkerforum.biz used to be one of the places.

Some big ducks in San Diego

Some big ducks went down in San Diego.

WASHINGTON – A federal grand jury in San Diego has indicted 18 individuals on racketeering and related charges for allegedly operating an Internet business that generated more than $126 million in gross revenues from the illegal sale of prescription pharmaceuticals, Assistant Attorney General Alice S. Fisher of the Criminal Division and U.S. Attorney Karen P. Hewitt for the Southern District of California announced today.

I have a little clue about Affpower, but not enough.

However, the area around San Diego is nice and there are some interesting guys living there.
Vacation time soon, I think I will take a couple of days in CA.

Ramona is especially nice someone told me.
I recently bought a new camera, could come in handy.
I love pictures of small ducks.

Saturday, June 30, 2007

Small duck: Lizza

Claims to be "compliant". We know "Lizza" is not totally compliant.
Or so we are told.
What the hell would a "compliant" guy do on a forum packed with criminals anyway?
Just asking. Someone have an answer to that?

Thursday, June 21, 2007

Shuffling the Ducks around

Between first and second row.