nanog mailing list archives

Re: EVERYTHING about Booters (and CloudFlare)


From: Adrian <choprboy () dakotacom net>
Date: Wed, 27 Jul 2016 16:03:24 -0700

On Wednesday 27 July 2016 07:58:49 Paras Jha wrote:
> Hi Justin,
>
> I have submitted abuse reports in the past, maybe from 2014 - 2015, but I
> gave up after I consistently did not even get replies and saw no action
> being taken. It is the same behavior with other providers who host malware
> knowingly. I appreciate you coming out onto the list though, it's nice to
> see that CF does maintain a presence here.


I am not seeing Justin's replies hitting my mailbox, only snippets of quotes
and replies... but my experience to date with CloudFlare has been exactly the 
same, no response or action of any kind to abuse reports.

...Searching... here is an example. Banco do Brasil "you must update your 
details" phishing fraud using compromised hosts. Example email and details
necessary to confirm sent to abuse () cloudflare com on 7/17. Ten days later and
the compromised CloudFlare-fronted site is still up and still running. Would 
there be any confusion if the following abuse report (plus attached original 
email) arrived in your mailbox?

====================
Phishing / Fraud / Compromised server

Phishing URL:
http://www.rua.edu.kh/joomla/tecno/porta-bb2.com.jpg/

Redirects to:
http://fonecomercial.com.br/admin/wip.php/index.php

Redirects to:
http://app.flipedition.com/css/www2.bb.com.br.jpg/

Compromised server:
www.rua.edu.kh - 203.189.134.18
fonecomercial.com.br - 104.27.148.36  104.27.149.36
app.flipedition.com - 62.75.219.22

====================

Any guesses who 104.27.148.36 104.27.149.36 is? PlusServer.de (62.75.219.22) 
terminated the final destination compromised pages within 12 hours... The 
others are still up. Some providers actively monitor and take control of 
reported abuses. Some providers actively ignore reported abuses.


