
This is a discussion on SPAMMER Killing Everyone On JaguarPC in the Open Discussion & Chit-chat forum

  1. #1
    JPC Guru Zhen-Xjell's Avatar
    Join Date
    Jan 2002
    Posts
    432

    SPAMMER Killing Everyone On JaguarPC

    I'm checking my root email and what do I find?

    (reason: 550 5.7.1 ... Mail from 66.227.19.111 refused by blackhole site relays.osirusoft.com)

    So I go here:

    http://relays.osirusoft.com/cgi-bin/rbcheck.cgi

    And enter the base IP of my dedicated server running nukecops.com and computercops.biz:

    http://relays.osirusoft.com/cgi-bin/rbcheck.cgi

    This is the result problem:

    [1] Jaguar Technologies, see http://spews.org/ask.cgi?S2763

    So I go to Spews and run a check on my IP:

    66.227.19.111

    What do I find?

    Jaguar Technologies
    |--------------------
    1, 66.227.16.0 - 66.227.23.255, Jaguar Technologies (Yipes)
    0, 66.227.56.0 - 66.227.63.255, Jaguar Technologies (Yipes)
    0, 66.227.64.0 - 66.227.71.255, Jaguar Technologies (Yipes)
    0, 66.227.72.0 - 66.227.87.255, Jaguar Technologies (Yipes)
    ---------------------|

    One spammer too many hosting here.

    See: <http://groups.google.com/groups?q=22&scoring=d>
    <http://groups.google.com/groups?selm....utoronto. ca>

    --------------------------------------------------------------------------------
    [66.227.19.150] server1.netprofitleads.com

    www.extremepowerline.com has address 65.73.206.81
    www.extremepowerline.com has address 65.73.206.82
    www.extremepowerline.com has address 65.73.206.86

    genovadiscounts.com has address 65.249.65.36

    1, 66.227.17.84, Peter DeCaro / i-marketingpro.com (Jaguar Technologies LLC / nocdirect.com)
    1, 66.227.17.0/25, Jaguar Technologies LLC / nocdirect.com (Peter DeCaro / i-marketingpro.com)

    [66.227.18.1] texas.businessx.com / www.pos2life.biz

    1, 64.46.108.35, u-bulk.com
    1, 64.46.108.1 - 64.46.108.255, u-bulk.com (aletia.com)
    --------------------------------------------------------------------------------
    OrgName: Jaguar Technologies LLC
    OrgID: JTL-8
    Address: 4201 SW Freeway
    City: Houston
    StateProv: TX
    PostalCode: 77478
    Country: US

    NetRange: 66.227.16.0 - 66.227.23.255
    CIDR: 66.227.16.0/21
    NetName: YIPS-JTL-8-S020303
    NetHandle: NET-66-227-16-0-1
    Parent: NET-66-227-0-0-1
    NetType: Reassigned
    NameServer: NS.NOCDIRECT.COM
    NameServer: NS2.NOCDIRECT.COM
    Comment:
    RegDate: 2003-02-04
    Updated: 2003-02-04
    --------------------------------------------------------------------------------
    OrgName: Jaguar Technologies LLC
    OrgID: JTL-8
    Address: 4201 SW Freeway
    City: Houston
    StateProv: TX
    PostalCode: 77478
    Country: US

    NetRange: 66.227.56.0 - 66.227.63.255
    CIDR: 66.227.56.0/21
    NetName: YIPS-JAGUAR-S082102-2
    NetHandle: NET-66-227-56-0-1
    Parent: NET-66-227-0-0-1
    NetType: Reassigned
    NameServer: NS.NOCDIRECT.COM
    NameServer: NS2.NOCDIRECT.COM
    Comment:
    RegDate: 2002-08-22
    Updated: 2002-09-25

    TechHandle: GL538-ARIN
    TechName: Landis, Greg
    TechPhone: +1-832-279-5529
    TechEmail: admin@jaguarpc.net
    --------------------------------------------------------------------------------
    OrgName: Jaguar Technologies LLC
    OrgID: JTL-8
    Address: 4201 SW Freeway
    City: Houston
    StateProv: TX
    PostalCode: 77478
    Country: US

    NetRange: 66.227.72.0 - 66.227.87.255
    CIDR: 66.227.72.0/21, 66.227.80.0/21
    NetName: YIPS-JTL-8-A102102
    NetHandle: NET-66-227-72-0-1
    Parent: NET-66-227-0-0-1
    NetType: Reallocated
    Comment:
    RegDate: 2002-10-21
    Updated: 2002-10-21
    --------------------------------------------------------------------------------
    OrgName: Jaguar Technologies LLC
    OrgID: JTL-8
    Address: 4201 SW Freeway
    City: Houston
    StateProv: TX
    PostalCode: 77478
    Country: US

    NetRange: 66.227.64.0 - 66.227.71.255
    CIDR: 66.227.64.0/21
    NetName: YIPS-JTL-8-S092302
    NetHandle: NET-66-227-64-0-1
    Parent: NET-66-227-0-0-1
    NetType: Reassigned
    NameServer: NS.NOCDIRECT.COM
    NameServer: NS2.NOCDIRECT.COM
    Comment:
    RegDate: 2002-09-23
    Updated: 2002-09-23
    --------------------------------------------------------------------------------
    Domain Name: NOCDIRECT.COM

    Registrant:
    Secure Web Services
    SSL Service (admin@nocdirect.com)
    4002 sw freeway
    Houston
    TX,77026
    US
    Tel. +713.9601581

    Creation Date: 13-Jan-2002
    Expiration Date: 13-Jan-2004

    Domain servers in listed order:
    ns.nocdirect.com
    ns2.nocdirect.com


    Administrative Contact:
    Secure Web Services
    SSL Service (admin@nocdirect.com)
    4002 sw freeway
    Houston
    TX,77026
    US
    Tel. +713.9601581

    Status: ACTIVE
    --------------------------------------------------------------------------------
    --- contacting nameserver: ns.nocdirect.com [66.227.57.1]

    nocdirect.com MX 0 nocdirect.com
    nocdirect.com NS ns.nocdirect.com
    nocdirect.com NS ns2.nocdirect.com
    nocdirect.com A 66.227.84.185
    nocdirect.com SOA
    origin = ns.nocdirect.com
    mail addr = root@ns.nocdirect.com
    serial = 2003052301
    refresh = 10800 (3 hours)
    retry = 3600 (1 hour)
    expire = 604800 (7 days)
    minimum ttl = 86400 ()
    nocdirect.com A 66.227.84.185
    ns.nocdirect.com A 66.227.57.1
    ns2.nocdirect.com A 66.227.56.5
    --------------------------------------------------------------------------------
    Last edited by Zhen-Xjell; 07-25-2003 at 10:27 AM.
    Microsoft MVP Windows-Security 2005
    CastleCops | Cuddles 'n Kisses | Just a little poke | Zhen-Xjell

  2. #2
    JPC Guru Zhen-Xjell's Avatar
    Join Date
    Jan 2002
    Posts
    432
    Domain name- NOCDNS.COM

    Nameservers-
    ns1.aletia.com
    ns2.aletia.com

    Start of registration- Fri May 18 2001 03:50:17
    Registered through- Tue May 18 2004 03:50:17

    Registrant Contact-
    Jaguar Technologies LLC
    Domain Administrator (admin@jaguarpc.net)
    +1.112816330343
    FAX- +1.118885603607
    4201 sw freeway
    houston, TX 77027
    US

    Status: PROTECTED
    --------------------------------------------------------------------------------
    --- contacting nameserver: ns1.aletia.com [66.227.56.34]

    nocdns.com MX 0 nocdns.com
    nocdns.com SOA
    origin = ns.nocdirect.com
    mail addr = root@krypton.nocdirect.com
    serial = 1035812419
    refresh = 28800 (8 hours)
    retry = 7200 (2 hours)
    expire = 3600000 (41 days 16 hours)
    minimum ttl = 86400 ()
    nocdns.com NS ns2.nocdirect.com
    nocdns.com NS ns.nocdirect.com
    nocdns.com A 66.227.83.157
    nocdns.com A 66.227.83.157
    ns.nocdirect.com A 66.227.57.1
    ns2.nocdirect.com A 66.227.56.5
    --------------------------------------------------------------------------------
    Domain name: ALETIA.COM

    Registrant :
    Jaguar Technologies LLC
    Domain Administrator (admin@jaguarpc.net)
    +1.112816330343
    FAX: +1.118885603607
    4201 sw freeway
    houston, TX 77027
    US

    Status: PROTECTED

    Name servers:
    NS1.ALETIA.COM
    NS2.ALETIA.COM
    --------------------------------------------------------------------------------
    --- contacting nameserver: ns2.aletia.com [66.227.56.246]

    aletia.com SOA
    origin = ns1.aletia.com
    mail addr = root@ns1.aletia.com
    serial = 2002121905
    refresh = 28800 (8 hours)
    retry = 7200 (2 hours)
    expire = 3600000 (41 days 16 hours)
    minimum ttl = 86400 ()
    aletia.com NS ns1.aletia.com
    aletia.com NS ns2.aletia.com
    aletia.com NS ns3.aletia.com
    aletia.com A 66.227.56.28
    aletia.com MX 0 aletia.com
    ns1.aletia.com A 66.227.56.34
    ns2.aletia.com A 66.227.56.246
    ns3.aletia.com A 66.227.56.28
    --------------------------------------------------------------------------------
    I follow the link to Google Groups:

    http://groups.google.com/groups?selm....utoronto. ca

    And sure enough as the above quote says:

    host server1.netprofitleads.com
    server1.netprofitleads.com has address 66.227.19.150

    host netprofitleads.com
    netprofitleads.com has address 66.227.19.150

    [whois.arin.net]
    Yipes Communications, Inc. YIPES-BLK5 (NET-66-227-0-0-1)
    66.227.0.0 - 66.227.127.255
    Jaguar Technologies LLC YIPS-JTL-8-S020303 (NET-66-227-16-0-1)
    66.227.16.0 - 66.227.23.255

    First spam was advertising:

    MMF internet home business @ www.extremepowerline.com

    host www.extremepowerline.com
    www.extremepowerline.com has address 65.73.206.81
    www.extremepowerline.com has address 65.73.206.82
    www.extremepowerline.com has address 65.73.206.86

  3. #3
    JPC Guru Zhen-Xjell's Avatar
    Join Date
    Jan 2002
    Posts
    432
    Second spam was advertising:

    anabolic steroids @ www.genovadiscounts.com

    host www.genovadiscounts.com
    www.genovadiscounts.com is an alias for genovadiscounts.com.
    genovadiscounts.com has address 65.249.65.36

    At first sight, there doesn't appear to be any obvious connection
    between netprofitleads and the spam-advertised domains.
    This means the entire YIPES/JaguarPC IP Blocks are now BLOCKED in SPEWS. Get ready for your servers not being able to send emails because of these a-hole spammers.

    They need to be dealt with IMMEDIATELY as business is now at risk.

    The SPEWS FAQ # 42:

    Q42: My IP address/range is being listed by SPEWS but I'm not a spammer and I just signed up for this/these address(s). What can I do to be removed from the list?
    A42: SPEWS is just an automated system, if spam or spam involvement (hosting spammers, selling spamware) from your IP address/range ceases, it will drop out of the list in time. Normally the listing involves spam related problems with your host and the first step you need to take is to complain to them about the listing, in almost all cases, they are the only people who can get an address/range out of the SPEWS list. If there is a spam related problem with your host, their IP address/range will not be removed until it is resolved. If your host or network is certain a listing mistake has been made, ask them to read this FAQ then post a message in a public forum mentioned above with the SPEWS record number (eg. S123) and/or the IP address/range information in it. Placing the text "SPEWS:" in the subject can help a SPEWS editor or developer see the message and they may double check the listing - note that, although others may, no SPEWS editor or developer will ever reply to the posting. Will this get your IP address/range removed from a SPEWS listing? Again, not if there are currently spam related problems with your host. Be aware that posting ones email address to any publicly viewable forum or website makes it instantly available to spammers. If you're concerned about getting spammed, change or "mung" the email address you use to post with.
    I have just opened an URGENT dedicated ticket with JagPC on this issue.

    Heads up everyone, it seems like we may all be blocked right now. I'm not confirming everyone's IP, but via SPEWS, it seems like the whole blocks are listed.

    Test yours here:

    http://relays.osirusoft.com/cgi-bin/rbcheck.cgi

    And certainly post results. Is this just me? I hope so... but I fear it may not be.

    Thanks to www.extremepowerline.com and www.genovadiscounts.com for doing this to us.

  4. #4
    JPC Guru Zhen-Xjell's Avatar
    Join Date
    Jan 2002
    Posts
    432
    Dedicated server response team at JagPC writes:

    Frankly speaking, spews operates in a strange way, they just block the entire ISP thinking they will stop the spam. I had a very bad experience with them in the past. Anyway, we are looking into it now. But it's going to take some time to have the whole JaguarPC network IPs removed from there.

    Most of the domains reported in Spam are already gone from Jaguar Network. But I think one is still active. So will need to deal with it.
    My recommendation is you alert your customers to this thread and advise them you aren't a SPAMMER.

  5. #5
    CTO JPC-Masood's Avatar
    Join Date
    Aug 2002
    Location
    Jaguar Servers
    Posts
    2,070
    Spews is notorious for blocking entire ISPs based on a few spam reports. Many big NOCs remain blocked in spews probably since it started. Who knows?

    There was a heated discussion on it sometime in WHT forums. They think they will stop the spam this way. The facts speak against it. 99% of spammers leave the network once the damage is done, like this current case is in front of us. And then the rest of the damage is done by spews by blocking legitimate emails.

    Masood N. | Chief Technical Officer
    JaguarPC.com

  6. #6
    JPC Guru Zhen-Xjell's Avatar
    Join Date
    Jan 2002
    Posts
    432
    That's a real problem. I don't believe that blocking an entire IP block is an appropriate solution. I think it's time folks start thinking of a class action lawsuit against SPEWS. I hate SPAM, but not at the expense of bringing my own business down.

  7. #7
    CTO JPC-Masood's Avatar
    Join Date
    Aug 2002
    Location
    Jaguar Servers
    Posts
    2,070
    Spews say they don't force anyone to use their list. It's actually the choice of other network operators/admins who use spews blacklist. I think mostly spews creators/defenders use it themselves.

    No one would like to block entire ISPs and block their users' emails. If we start using spews and other lists, half of the legitimate emails will start bouncing, but spam will continue to be there. Because the spammer will spam from a fresh and unblocked IP.


  8. #8
    Old Hillbilly Connie's Avatar
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,646
    66.227.59.72 is NOT DNSBL listed by dnsbl.sorbs.net Nomination policy information
    Number of sites listing this IP: 0

    I'm assuming the above means my ISP is not on the block list.

    You might want to read this article if you haven't already.

    Spam peddlers hijack computers

    http://news.bbc.co.uk/2/hi/technology/3036092.stm

    Forum Moderators - Jag Staff

    Spam Whackers Blog - Dedicated to fighting Spam and providing General SEO Tips
    Organize your Kitchen or purchase Kitchen Accessories at Condells
    Ihelpyou Forum - Dedicated to "Best Practices" SEO

  9. #9
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Originally posted by Zhen-Xjell

    Test yours here:

    http://relays.osirusoft.com/cgi-bin/rbcheck.cgi

    And certainly post results. Is this just me? I hope so... but I fear it may not be...
    It's NOT just you ZX. Here's my site...
    (127.0.0.4) 66.227.17.133 is DNSbl listed. by spews.relays.osirusoft.com
    [1] Jaguar Technologies, see http://spews.org/ask.cgi?S2763
    Please visit this link for instructions about how spews operates.
    This zone maintained by spews.org
    Please visit this link for questions about why your mail was bounced.
    You know what I find so disturbing about all this? The biggest reason I want to run a dedicated IP is so sh!t like this doesn't happen. Maybe this recent conversation explains it better:

    VinDSL: Do you get a dedicated IP with an account here?

    VinDSL: LoL! Never mind. I found it. Pro packages only, right?

    ASP: Correct professional packages only. However, why do you want your own IP? I might be able to help you out.

    VinDSL: The eternal question...

    I suppose the only real benefit to me would be to prove my innocence in an investigation. If someone on my shared IP is spamming the internet, or decides to have a website defacement contest, or whatever, and 'they' decide to block traffic to and from that IP on 'their' routers, that could cause a problem, no? What if someone was launching DDoS attacks from our common IP? Wouldn't ALL "1000" of us be suspect? I know this seems like paranoia. LoL! If there's no problem, invent one, right? However, stranger things have happened to me.

    Anyway, I've run on a shared IP before. It doesn't affect the operation of my site. I don't have my own mail server, need a secure server certificate, or any of that sort of stuff.

    Maybe I'll give you a try. I've been wanting to go the Sphera route for a while now. I love the host I have now, but the boneheads that I share a server with lock the damn thing up every night. Uptime is never over 24 hours and it's getting old, you know?
    It doesn't seem like it makes any difference now. These lazy f***s at spews just pull out the shotguns and blast us all...

    Anyway, thanks, ZX! Good job of investigating. I guess the rest is up to Jag...
    Last edited by Vin DSL; 07-25-2003 at 01:11 PM.
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010
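The two checks run by hand in the posts above (is my IP inside a range in the SPEWS record, and what does the DNSBL zone answer for it), as an added example that is not part of any post in this thread. The function names and the stub resolver are hypothetical; the ranges, zone name and `127.0.0.4` answer are the ones quoted in posts #1 and #9, and reading the leading number of each record line as a listing level is an assumption.

```python
import ipaddress
import socket

# Ranges copied from the SPEWS record (S2763) quoted in post #1.
SPEWS_RECORD = """\
1, 66.227.16.0 - 66.227.23.255, Jaguar Technologies (Yipes)
0, 66.227.56.0 - 66.227.63.255, Jaguar Technologies (Yipes)
0, 66.227.64.0 - 66.227.71.255, Jaguar Technologies (Yipes)
0, 66.227.72.0 - 66.227.87.255, Jaguar Technologies (Yipes)
"""
ZONE = "spews.relays.osirusoft.com"  # zone named in the lookup result in post #9

def parse_record(text):
    """Parse 'flag, first - last, label' lines into (flag, first, last, label)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flag, span, label = (p.strip() for p in line.split(",", 2))
        first, last = (ipaddress.IPv4Address(p.strip()) for p in span.split("-"))
        # The leading number is kept as-is; treating it as a level is an assumption.
        entries.append((int(flag), first, last, label))
    return entries

def find_entry(ip, entries):
    """Return (flag, range, label) for the first range containing ip, else None."""
    addr = ipaddress.IPv4Address(ip)
    for flag, first, last, label in entries:
        if first <= addr <= last:
            return flag, f"{first} - {last}", label
    return None

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolver(name):
    """A-record lookup through the system resolver; any failure becomes []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        # Timeouts land here too; a production check should tell them apart
        # from "no such name" instead of reporting "not listed".
        return []

def check_dnsbl(ip, zone, resolve=system_resolver):
    """Listed means the zone answers with an address in 127.0.0.0/8."""
    answers = resolve(dnsbl_query_name(ip, zone))
    codes = [a for a in answers if a.startswith("127.")]
    return {"ip": ip, "listed": bool(codes), "codes": codes}

def stub_resolver(name):
    """Constructed stand-in for the zone so the example runs offline."""
    listed = {"133.17.227.66.spews.relays.osirusoft.com": ["127.0.0.4"]}
    return listed.get(name, [])

if __name__ == "__main__":
    entries = parse_record(SPEWS_RECORD)
    # IPs taken from posts #1, #9 and #8 of this thread.
    for ip in ("66.227.19.111", "66.227.17.133", "66.227.59.72"):
        print(ip, find_entry(ip, entries), check_dnsbl(ip, ZONE, stub_resolver))
```

Pass `system_resolver` (the default) instead of the stub to query a live list, and keep the range check alongside it: a range-level listing covers addresses that never sent any mail themselves.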

  10. #10
    Just Walking...
    Join Date
    Oct 2002
    Location
    England
    Posts
    436
    I think the most important point here is that due to the 'shotgun' nature of spews most companies/individuals do not use their lists. Of course when you're running a business that still means a tiny percentage of your emails may not make it through in theory, however it's not worth worrying about until you are actually getting mail bounced as Zhen-Xjell was.

  11. #11
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Hrm... that poses some interesting questions. Do ostriches really stick their heads in sand, or is that just a myth? And, if there isn't any sand, what do they do then?

  12. #12
    JPC Guru Zhen-Xjell's Avatar
    Join Date
    Jan 2002
    Posts
    432
    Originally posted by masood
    Spews say they don't force anyone to use their list. It's actually the choice of other network operators/admins who use spews blacklist. I think mostly spews creators/defenders use it themselves.
    But that begs the question, do their users know of this? Their email clients may want to get email from sites like mine and cannot because SPEWS is acting up. Seems to me like they are "Selling" a service that is either "all" or "nothing". No happy medium whatsoever.

    Let's not forget that Jag is also a victim of this too. Their business suffers when trying to send emails.

    By the way, I replied to the original newsgroup here:

    http://groups.google.com/groups?dq=&...4ea9e832b3ce40

  13. #13
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Originally posted by Zhen-Xjell

    Let's not forget that Jag is also a victim of this too. Their business suffers when trying to send emails.

    By the way, I replied to the original newsgroup here:

    http://groups.google.com/groups?dq=&...4ea9e832b3ce40
    Man, those guys are hard core a-holes over there. They make me look like Tinkerbell. They're rippin' JagPC a new one and acting like "that's what we deserve for hangin' with criminals..."

    Have you checked the replies?

    http://groups.google.com/groups?hl=e....utoront o.ca

  14. #14
    Resident Alien Sara's Avatar
    Join Date
    Aug 2002
    Posts
    398
    Originally posted by Vin DSL
    Man, those guys are hard core a-holes over there. They make me look like Tinkerbell. They're rippin' JagPC a new one and acting like "that's what we deserve for hangin' with criminals..."

    Have you checked the replies?

    http://groups.google.com/groups?hl=e....utoront o.ca
    They have always been like that in those groups. Most times it is warranted, but they do tend to go overboard a little when the "innocent" gets hit.

    My own ISP is using Spews (and the other spam filtering services), but instead of doing the filtering the hard way they just add special headers with the results so we can more easily filter out junk mail. Makes it real easy to use Mailwasher.

  15. #15
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Originally posted by Sara
    ...Most times it is warranted, but they do tend to go overboard a little when the "innocent" gets hit...
    Um... can you clarify that?
