Wired mag article on spammers playing traceroute games with trojaned boxes

Mike Tancsa mike at sentex.net
Thu Oct 9 18:36:53 UTC 2003



Looks like attachments won't go through, so I will repost without the 
attachment. If anyone wants a copy, let me know.

         ---Mike


At 01:28 PM 09/10/2003, Andy Ellifson wrote:


>Oops... Try this again...
>
>And as soon as you call law enforcement what happens?  The spammer is
>located offshore.  Then what?

Actually, in the case of the wired article (removeform.com), it seems to be 
connected to a site in Florida.  I asked my programmer (gabor at sentex.net) 
to decode the obfuscated JavaScript/page that is served up by one of the 
zombies (On FreeBSD fetch -B 18192 -o danger.html 
http://www.removeform.com/d - I got it from 207.5.215.72  at the time).  I 
have attached it as a zip file with its contents. You will note that the 
form post goes back to

form action="http://207.36.47.68/cgi-bin/addinfo.cgi"


OrgName:    CyberGate, Inc.
OrgID:      CYBG
Address:    3250 W. Commercial Blvd. Suite 200
City:       Ft. Lauderdale
StateProv:  FL
PostalCode: 33309
Country:    US

         ---Mike




>--- Hank Nussbacher <hank at att.net.il> wrote:
> >
> > On Thu, 9 Oct 2003, Suresh Ramasubramanian wrote:
> >
> > > * "Follow the money" - find out the spammer / the guy who he spams
> > for,
> > > from payment information etc. Sic law enforcement on them.
> > >
> > >     srs
> >
> > I think we can all safely assume that the people behind this are most
> > probably on NANOG or reading the archives and are now aware of your
> > idea
> > :-)
> >
> > -Hank
> >



