Full Disclosure mailing list archives

Re: Re: Any news on www.kievonline.org site?


From: stefmit <stefmit () comcast net>
Date: Tue, 14 Oct 2003 11:36:19 -0500

FYI: I got the "thank you" reply very shortly after reporting the original 
message to spamcop.net ==> makes me think that some monitoring takes place?!? 
Here are the two reports:

======== trace for the original message ==============================

SpamCop version 1.3.4 (c) SpamCop.net, Inc. 1998-2003 All Rights Reserved

Received: from ABE (unknown[208.131.61.181](misconfigured sender))
          by rwcrmxc11.comcast.net (rwcrmxc11) with SMTP
          id <20031014010448r1100evm7qe>; Tue, 14 Oct 2003 01:04:59 +0000
Message-ID: <0013______________________a8c0@MOHA>
Reply-To: "Moshe Koldny" <admin () kievonline org>
From: "Moshe Koldny" <admin () kievonline org>
To: "x" <x>
Subject: Please Support Me 
Date: Mon, 13 Oct 2003 23:21:04 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
  type="multipart/alternative";
  boundary="----=_NextPart_000_000F_01C391E0.AC22A7C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Status: R 
X-Status: N
X-KMail-EncryptionState:  
X-KMail-SignatureState:  


Parsing header:

Received:  from ABE (unknown[208.131.61.181](misconfigured sender)) by 
rwcrmxc11.comcast.net (rwcrmxc11) with SMTP id <20031014010448r1100evm7qe>; 
Tue, 14 Oct 2003 01:04:59 +0000
Possible spammer: 208.131.61.181
Received line accepted

Tracking message source: 208.131.61.181:
Routing details for 208.131.61.181
Cached whois for 208.131.61.181 : abuse () cw net
Using abuse net on abuse () cw net
abuse net cw.net = abuse () cw net, spamcomplaints () cw net
Using best contacts abuse () cw net spamcomplaints () cw net
208.131.61.181 not listed in dnsbl.njabl.org
208.131.61.181 not listed in dnsbl.njabl.org
208.131.61.181 not listed in proxies.blackholes.easynet.nl
208.131.61.181 listed in cbl.abuseat.org ( 127.0.0.2 )
208.131.61.181 is an open proxy
208.131.61.181 not listed in query.bondedsender.org

Would send message source reports to:

Re:208.131.61.181 (Administrator of network where email originates)

spamcomplaints () cw net
abuse () cw net

======= trace of the "thank you" one =========================

SpamCop version 1.3.4 (c) SpamCop.net, Inc. 1998-2003 All Rights Reserved

Received: from user-0cetm97.cable.mindspring.com ([24.238.217.39])
          by sccrmxc14.attbi.com (sccrmxc14) with SMTP
          id <20031014055315s14005gs82e>; Tue, 14 Oct 2003 05:53:15 +0000
Message-ID: <000d______________________a8c0@MOHA>
Reply-To: <admin () kievonline org>
From: <admin () kievonline org>
To: "x" <x>
Subject: thank you
Date: Tue, 14 Oct 2003 07:34:07 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_000A_01C39225.8D4F8530"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Status: R 
X-Status: N
X-KMail-EncryptionState:  
X-KMail-SignatureState:  


Parsing header:

Received:  from user-0cetm97.cable.mindspring.com ([24.238.217.39]) by 
sccrmxc14.attbi.com (sccrmxc14) with SMTP id <20031014055315s14005gs82e>; 
Tue, 14 Oct 2003 05:53:15 +0000
Possible spammer: 24.238.217.39
Received line accepted

Tracking message source: 24.238.217.39:
Routing details for 24.238.217.39
Cached whois for 24.238.217.39 : abuse () abuse earthlink net
Using abuse net on abuse () abuse earthlink net
abuse net abuse.earthlink.net = abuse () abuse earthlink net
Using best contacts abuse () abuse earthlink net
24.238.217.39 not listed in dnsbl.njabl.org
24.238.217.39 not listed in dnsbl.njabl.org
24.238.217.39 not listed in proxies.blackholes.easynet.nl
24.238.217.39 not listed in cbl.abuseat.org
24.238.217.39 not listed in dnsbl.sorbs.net
24.238.217.39 not listed in relays.ordb.org.
24.238.217.39 not listed in query.bondedsender.org

Would send message source reports to:

Re:24.238.217.39 (Administrator of network where email originates)

abuse () abuse earthlink net

Re:24.238.217.39 (Third party interested in email source)

spamcop () imaphost com

On Tuesday 14 October 2003 10:31 am, Michael A. Starr wrote:
Gentlemen;

I got the same message that is being discussed in this thread.  I include
it again, not to continue the propagation, but to have it convenient for
viewing.  From reading this thread, it seems that the site in question is,
or rather was, some kind of porn site, possibly which this guy
admin () kievonline org would like to advertise.  If you look at the words
that were chosen, you'll notice that there are several of the words that
*should* get picked up by body content filters (if we're running body
content filters) -- ranging from sex (fuck, head), to golden showers
(piss), to "hate words" (nigger), to "hacking and warez" (hacking), phrases
like "in my face", and "a man needs" might get tagged as well.

What I suspect is that the kievonline.org site was a throw-away, and that
this guy is really running some kind of sophisticated probe against mail
servers to determine what filters we have in place.  I hate to say so, but
it might even be a subscriber to this list that is monitoring who reports
receiving this email.  The SpamAssassin score was a 3.0, so that probably
won't catch it. Header filters certainly won't stop the subject "Thank
you". He's even prepped us for a spam flood by saying that he added our
address to every spam list he could find. . .  All in all a very convincing
package. I don't think the point of this is a malicious code attack, but as
I said, a probe to see what can be gotten through.

Any thoughts?

Michael Starr, GSEC



<---Begin Spam --->
You are a piss head for hacking my site and informing my isp !!! Fuck you
nigger.

if your a man you should come here and tell me in my face
A man needs to make a living you know, Now you think my isp is going to do
something to stop me ?

FUCK YOU

Nice try. I have added your email address to every fucking spam list I can
find

Next time youll fuck with the right person
<--- End Spam --->

-----Original Message-----
From: Johannes Segitz [mailto:jusenet2 () segitz de]
Sent: Tuesday, October 14, 2003 5:48 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: Any news on www.kievonline.org site?

Steve Wray <steve.wray () paradise net nz> wrote:
So far in my googling I haven't found anything about
the site.

It's slowly getting into the index
http://groups.google.com/groups?q=kievonline.org&hl=en&lr=&ie=UTF-8&oe=utf-8&sa=N&tab=wg

It's spam. Just feed your $BAYESIAN_FILTER

Regards,
Johannes
--
      Give a man a match and he will be warm for a while,
light him on fire and he will be warm for the rest of his life

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

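What the two SpamCop traces above do by hand can be reproduced with a few lines of code: take the topmost Received: line (the one your own MTA added), pull out the bracketed IP it recorded from the TCP connection, reverse the octets, and query each DNSBL zone for that name. The script below is an added example, not part of the thread and not SpamCop's own code. The two Received: lines and the DNSBL zone names are copied from the traces; the offline resolver's answers are constructed to mirror them (only 208.131.61.181 is listed, by cbl.abuseat.org as 127.0.0.2, and nothing answers for 24.238.217.39). The 127.0.0.2-listed / 127.0.0.1-not-listed sanity check follows the convention written down in RFC 5782; that SpamCop reads the CBL hit as "open proxy" is its interpretation, the code only reports the return code.

```python
"""Trace a mail's origin the way the SpamCop reports in this thread do:
take the Received: line your own MTA added, extract the connecting IP,
and look it up in DNS-based blocklists (DNSBLs)."""
import ipaddress
import re
import socket

# Constructed sample input: the two Received: lines quoted in the traces,
# unfolded onto one line as a header parser would present them.
RECEIVED_SPAM = (
    "from ABE (unknown[208.131.61.181](misconfigured sender)) "
    "by rwcrmxc11.comcast.net (rwcrmxc11) with SMTP "
    "id <20031014010448r1100evm7qe>; Tue, 14 Oct 2003 01:04:59 +0000")
RECEIVED_THANKS = (
    "from user-0cetm97.cable.mindspring.com ([24.238.217.39]) "
    "by sccrmxc14.attbi.com (sccrmxc14) with SMTP "
    "id <20031014055315s14005gs82e>; Tue, 14 Oct 2003 05:53:15 +0000")

# Zones SpamCop queried in the traces above.
ZONES = ["dnsbl.njabl.org", "proxies.blackholes.easynet.nl",
         "cbl.abuseat.org", "dnsbl.sorbs.net", "relays.ordb.org"]

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(line):
    """Return (helo_name, connecting_ip) from one Received: line, or None.
    Only the bracketed address is trustworthy: the receiving MTA took it
    from the TCP connection, whereas the HELO name and any reverse-DNS name
    are chosen by the sender. Use the topmost Received: line that your own
    server added; everything below it may have been forged by the sender."""
    m = re.match(r"\s*from\s+(\S+)\s+(.*?)\s+by\s+", line, re.I | re.S)
    if not m:
        return None
    helo, rest = m.group(1), m.group(2)
    ipm = _IP_RE.search(rest)
    if not ipm:
        return None
    return helo, str(ipaddress.IPv4Address(ipm.group(1)))


def dnsbl_query_name(ip, zone):
    """208.131.61.181 in cbl.abuseat.org -> 181.61.131.208.cbl.abuseat.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def live_resolver(name):
    """Real DNS lookup: the A record as a string, or None when unlisted."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed offline answers mirroring the traces: CBL returned 127.0.0.2
# for 208.131.61.181 and no zone answered for 24.238.217.39. The
# 2.0.0.127 test entries follow the RFC 5782 convention so zone_is_sane()
# can be exercised without network access.
_FAKE_DNS = {"181.61.131.208.cbl.abuseat.org": "127.0.0.2"}
for _z in ZONES:
    _FAKE_DNS["2.0.0.127." + _z] = "127.0.0.2"


def fake_resolver(name):
    return _FAKE_DNS.get(name)


def zone_is_sane(zone, resolver=live_resolver):
    """RFC 5782: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A zone failing this (a shut-down list answering for every query, or one
    that no longer answers at all) should be dropped, not trusted."""
    return (resolver(dnsbl_query_name("127.0.0.2", zone)) is not None
            and resolver(dnsbl_query_name("127.0.0.1", zone)) is None)


def check_dnsbls(ip, zones=ZONES, resolver=live_resolver):
    """Return {zone: answer} for every zone listing ip. Answers outside
    127.0.0.0/8 are not listings (some zones use other addresses for
    errors or policy notices) and are skipped."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    hits = {}
    for zone in zones:
        ans = resolver(dnsbl_query_name(ip, zone))
        if ans and ipaddress.IPv4Address(ans) in loopback:
            hits[zone] = ans
    return hits


def trace(line, resolver=live_resolver):
    """Parse one Received: line and report where its source IP is listed."""
    parsed = parse_received(line)
    if parsed is None:
        return None
    helo, ip = parsed
    return {"helo": helo, "ip": ip,
            "listed_in": check_dnsbls(ip, resolver=resolver)}


if __name__ == "__main__":
    for rcvd in (RECEIVED_SPAM, RECEIVED_THANKS):
        print(trace(rcvd, resolver=fake_resolver))
```

Run with `live_resolver` (the default) against current mail to get real answers; with `fake_resolver` it reproduces the traces offline: the first message resolves to 208.131.61.181 with a single cbl.abuseat.org hit of 127.0.0.2, the "thank you" resolves to 24.238.217.39 with no listings. Blocklist zones come and go, so run `zone_is_sane()` on each zone before scoring on its answers; a dead zone that answers positively for everything will otherwise flag every sender.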
