HI! I'm a spambot and post kiddypr0n! Come see!

[anneslogUsede]

There used to be kiddypr0n here. It be gone, now.

 

[Jari]

And now I'm going to make an exception.

The bot, which has attempted to post several times, during several days, operates from IP 212.117.164.85, using [email protected] as its email address. Which can't really be that faked, since you need to use the activation link the board sends you. It has been spamming several boards, using different emails, but most if not all belong to the atvclub.msk.ru-domain.

Information about the IP and who owns it, follows:

Code: [Select]

inetnum:        212.117.160.0 - 212.117.175.255netname:        SERVER-LUdescr:          root eSolutionscountry:        LUadmin-c:        AB99-RIPEtech-c:         RE655-RIPEstatus:         ASSIGNED PAmnt-by:         ROOT-MNTsource:         RIPE # Filteredrole:           root eSolutionsaddress:        35, rue John F. Kennedyaddress:        7327 Steinseladdress:        Luxembourgphone:          +352 20.500fax-no:         +352 20.500.500e-mail:         remarks:remarks:        +------------------------------------+remarks:        | Operational Issues:                |remarks:        |                      |remarks:        +------------------------------------+remarks:        | Abuse and Spam:                    |remarks:        |                    |remarks:        +------------------------------------+remarks:admin-c:        RE655-RIPEtech-c:         AB99-RIPEnic-hdl:        RE655-RIPEmnt-by:         ROOT-MNTsource:         RIPE # Filteredperson:         Andy BIERLAIRaddress:        root SAaddress:        35, rue John F. Kennedyaddress:        7327 Steinseladdress:        Luxembourgphone:          +352 20.500fax-no:         +352 20.500.500nic-hdl:        AB99-RIPEmnt-by:         ROOT-MNTremarks:remarks:        +------------------------------------+remarks:        |                                    |remarks:        | I did *NOT* spam your mailbox!     |remarks:        | I will *NOT* reply to abuse mails! |remarks:        |                                    |remarks:        | Please contact  !  |remarks:        |                                    |remarks:        | Be friendly ...                    |remarks:        | Unfriendly emails will be ignored! |remarks:        |                                    |remarks:        +------------------------------------+remarks:e-mail:         source:         RIPE # Filteredroute:          212.117.160.0/19descr:          root eSolutionsorigin:         AS5577mnt-by:         ROOT-MNTsource:         RIPE # Filtered

The atvclub.msk.ru-domain details follow:

Code: [Select]

domain:     MSK.RUnserver:    ns.ru.net.nserver:    ns.spb.ru.nserver:    ns1.relcom.ru.state:      REGISTERED, DELEGATED, VERIFIEDorg:        "Relcom.BN", Ltdphone:      +7 499 1960820phone:      +7 499 1960720phone:      +7 499 196 0823fax-no:     +7 499 1963295e-mail:     registrar:  RELCOM-REG-RIPNcreated:    1998.07.21paid-till:  2010.08.01source:     TCI

If someone is in the mood for lulz, maybe you should call these people. ;D Or the police.

 

[Kudistos Megistos]

Judging by their site, root eSolutions seem most likely to be the negligent enabler rather than the culprit, unless my understanding of how VPNs work is wrong (and it may very well be). It seems like a pretty amateur organisation, and their website hardly ever gets updated, so it wouldn't be surprising if they were letting their services get used for all kinds of weird stuff.

Once again, there's a good chance that I'm talking out of my arse. ;D

 

[Jari]

Judging by their site, root eSolutions seem most likely to be the negligent enabler rather than the culprit

This is almost certainly true. Very likely the same thing with atvclub.msk.ru, as well (although I can't be arsed even to check what kind of a content they host). It might not even be a client of theirs, it's entirely possible - perhaps even likely - that there's either a single infected system, or part of an actual botnet behind this.

It would take a Herbie-level LOGIC FAIL to send kiddypr0n spam from something that is clearly registered to you, after all.

So, don't go sending letter bombs, that would be bad. ;D Feel free to annoy the heck out of their abuse-contacts, though.

If someone were to take akshual measures to find out who is behind this; those two would be next step. We can show the IP and the email address and date and time, but we don't know more. They know - or should know - who is behind that IP and address.

Too bad that I didn't save the URL of the site they were advertising. I haz a screenshot saved - should someone need proof of the post's contents, but since the URL was only a link, it's not visible. Although I really doubt that there would be a connection between that URL and either the owner of the IP range, or the owner of the domain the email was sent to.

 

[Kudistos Megistos]

Google shows some interesting results for [email protected], including this one. Whatever they tried to do clearly wasn't effective (or hasn't got any results yet; the post was 5 days ago). The email seems to be getting used for spam everywhere, and the site "atvclub.msk.ru" can't be accessed (unsurprisingly).