On 06/14/2018 02:18 PM, Mirimir wrote:
On 06/14/2018 04:33 AM, nusenu wrote:
this kind of spam also happens if you post emails to tor-dev.
last spam sender address: rosegregory714756@cc.mexyst.com
It seems that they've given up on me, after some days with no reply. So is that a pattern for y'all?
OK, so much for that hypothesis. Just got one from Camryn. It actually seems responsive ...
| Hey I'm glad to see someone real responding haha
... and it appeared within minutes of my post to the list. So there's apparently a human involved, who's actively watching the list.
Also, as before, the In-Reply-To header matches my Message-ID header.
But something interesting. The ultimate message source is "localhost (unknown [107.178.101.4])". From https://ipinfo.io/ I get that this is "vox21.hurters.biz". With a little work, I get to "http://hurters.biz/?domain=hurters.biz?reqp=1&qaspoofip=206.190.145.84&a..." which shows:
| Welcome to hurters.biz | This Web page is parked for FREE, courtesy of GoDaddy.com.
From https://ipinfo.io/ I get to 206.190.145.84.adsl.inet-telecom.org
which looks a lot like a home ADSL account. Botnet maybe?
And what is "qaspoofip"?
Again, this is all on mellowhost.com by Input Output Flood LLC. The abuse contact is Gabriel Ramuglia (abuse@ioflood.com).
Anyway, here's the https://ipinfo.io/ data:
Received: from us37.axiobyte.com (us37.axiobyte.com [104.161.37.171])

    ip: 104.161.37.171
    hostname: us37.axiobyte.com
    city: Dhaka, region: Dhaka Division, country: BD
    loc: 23.7231,90.4086, postal: 1000
    asn: AS53755, name: Input Output Flood LLC, domain: ioflood.com, route: 104.161.32.0/20, type: hosting
    company: Mellowhost, domain: mellowhost.com, type: hosting

Received: from localhost (unknown [107.178.101.4])

    ip: 107.178.101.4
    hostname: vox21.hurters.biz
    city: Dhaka, region: Dhaka, country: BD
    loc: 23.8179,90.4103, postal: 1206
    asn: AS53755, name: Input Output Flood LLC, domain: ioflood.com, route: 107.178.64.0/18, type: hosting
    company: Mellowhost, domain: mellowhost.com, type: hosting

... domain=hurters.biz ... qaspoofip=206.190.145.84 ...

    ip: 206.190.145.84
    hostname: 206.190.145.84.adsl.inet-telecom.org
    city: Providence, region: Utah, country: US
    loc: 41.6929,-111.8150, postal: 84332
    asn: AS29854, name: WestHost, Inc., domain: westhost.com, route: 206.190.128.0/19, type: hosting
    company: Hosting Services, Inc., domain: banahosting.com, type: hosting
I finally did review the images, in a Debian LiveCD with no network connectivity. They're not bad porn, really. Images from Becky and Camryn have no obvious watermarks, but those from Rose are marked "cherryscott". And they're clearly @CherryScott23. If I could, I'd tweet her about the ripoff.
So anyway, our spammer is clearly using stock image libraries. And maybe that was obvious.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
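The header triage the poster did by hand (walking the Received chain back to the originating host and checking that In-Reply-To matches the list post's Message-ID) can be scripted. This is an added example, not code from the thread; the raw message, its dates, and the Message-ID values are constructed, and only the hostnames and IPs echo the ones quoted above.

```python
"""Triage a suspected list-scraping spam message from its headers."""
import re
from email import message_from_string
from email.message import Message

# Constructed sample; the Received lines mimic those quoted in the thread.
SAMPLE = """\
Received: from us37.axiobyte.com (us37.axiobyte.com [104.161.37.171])
\tby mx.example.org with ESMTP; Thu, 14 Jun 2018 12:40:00 +0000
Received: from localhost (unknown [107.178.101.4])
\tby us37.axiobyte.com with ESMTPA; Thu, 14 Jun 2018 12:39:50 +0000
Message-ID: <spam-123@cc.mexyst.com>
In-Reply-To: <my-post-456@example.org>
Subject: Re: [tor-relays] list post

Hey I'm glad to see someone real responding haha
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg: Message):
    """(claimed name, bracketed IP) per Received header, origin hop first.
    Each MTA prepends its own Received header, so the last one in the
    message is the earliest hop; only the bracketed IP is MTA-verified."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        ip = IP_RE.search(hdr)
        if not ip:
            continue
        name = re.match(r"from\s+(\S+)", hdr)
        hops.append((name.group(1) if name else None, ip.group(1)))
    return hops


def is_reply_to(msg: Message, original_message_id: str) -> bool:
    """True when In-Reply-To names the list post, i.e. the sender scraped
    the archive or subscribed rather than mailing the address blindly."""
    return msg.get("In-Reply-To", "").strip() == original_message_id.strip()


def triage(raw: str, original_message_id: str) -> dict:
    msg = message_from_string(raw)
    chain = received_chain(msg)
    return {"chain": chain,
            "origin": chain[0][1] if chain else None,
            "targeted_reply": is_reply_to(msg, original_message_id)}


if __name__ == "__main__":
    print(triage(SAMPLE, "<my-post-456@example.org>"))
```

The origin IP is what to feed to an ipinfo-style lookup and to the abuse contact; the hostname before it is only what the client claimed in HELO.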