Spying the messenger :-)

Thread starter: George Valkov

Hi all,
I noticed that my hardware firewall was blocking a lot of traffic on ports UDP
1026-1032, so I set up a sniffer to see what would arrive, and I collected a list
of websites abusing the Messenger service.
What should I do now? Send the list to some abuse prevention service? Which?
 
Messenger traffic, while a PITA, is not illegal. Just block it at the
perimeter firewall, that's what most of us do.

If you find a source that is hammering your IP, then copy the logs and
send them to the ISP/Provider that owns the network, not the person that
owns the website, send it to the provider that owns the network itself.
 
What does the 'PITA' abbreviation mean? The traffic is blocked already; I
never fear any traffic on the Internet. Respect it and take precautions,
yes, but never fear it.

If I'm not mistaken, offering fake repair tools and antivirus programs for
money is itself abuse and a crime, so any site performing such activity
should be taken down. Okay, I'll send a few e-mails to
abuse@IP-address-pool-owner-company.


All messages look like this:

[SYSTEM ALERT]
STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

Windows has found CRITICAL SYSTEM ERRORS.

To fix the errors please do the following:
1. Download Registry Cleaner from:
(here are some addresses I collected)
[
fixwin32.com
www.wreg32.com
www.sys32win.com
http://www.regrinsepro.com
http://WindowsRepair.net
http://www.regpro32.com
]
2. Install Registry Cleaner
3. Run Registry Cleaner
4. Reboot your computer
FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!
 
PITA - Pain In The A&&

I didn't see where you mentioned the content, and Messenger traffic is
not illegal, but a sales pitch may be illegal depending on the
items/content.

I would report these source systems to the owner of the IP block and let
them handle it. If you report it to the owner of the site names listed
or the actual IP user, nothing will happen. You need to go after the
net-block owner.
 
I always use ipnetinfo.exe from NirSoft. It uses WhoIs servers to give
detailed info for the address, like the e-mail for abuse, telephone for
contacts and so on.

I already received a reply for one of the sites claiming that the request
will be processed in 24 hours, but the others will most likely not be
affected.

Thank you for the reply... By the way, 2 abuse posts from 'independent'
sources will get more attention, so thanks again :-)

I also spent a few minutes visiting the sites, because I didn't want to hurt
innocent companies, but all sites link to two or three places, and all seem
like fake software and spyware. They're doing their best to install their
software on my computer ;-)
 
Chances are the ip addresses you are chasing up are spoofed.

--
Jon

You cannot make an omelet without breaking eggs

 
Hi Jon, I'm not wasting any time chasing the source IP addresses. I know
that UDP is session-less, so messages can be sent from a spoofed IP address,
which is most likely the case.

Instead, I'm chasing the web-sites that are in those messages, because I saw
they offer fake software and/or spyware and ask innocent victims to pay money
for it. This is a crime and abuse.
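As an added example (not code from anyone in this thread), here is a small Python script that does the defender-side triage the thread describes: it filters constructed sniffer output for inbound UDP datagrams to the Messenger service ports 1026-1032, pulls the advertised hostnames out of the popup text, and groups hits by hostname, which is what an abuse report to the net-block owner needs. The log format, the `.invalid` hostnames and the source addresses are all made up for the example; source IPs are only counted, not trusted, because UDP has no handshake and the sender address can be spoofed.

```python
import re
from collections import Counter
from dataclasses import dataclass

MESSENGER_PORTS = range(1026, 1033)  # UDP 1026-1032, the ports the firewall was blocking

# Constructed sniffer output (not a real capture): "src_ip dst_ip proto dport | payload"
SAMPLE_LOG = """\
10.1.2.3 192.0.2.10 UDP 1026 | [SYSTEM ALERT] STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION. Download Registry Cleaner from: http://www.example-reg.invalid
10.9.8.7 192.0.2.10 UDP 1028 | Windows has found CRITICAL SYSTEM ERRORS. Download from www.example-fix.invalid
10.1.2.3 192.0.2.10 UDP 1031 | Download Registry Cleaner from: http://www.example-reg.invalid
10.5.5.5 192.0.2.10 TCP 1026 | GET / HTTP/1.0
10.7.7.7 192.0.2.10 UDP 53 | dns query
"""

@dataclass
class Datagram:
    src: str
    dst: str
    proto: str
    dport: int
    payload: str

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) \| (.*)$")
# Hostnames in the popup text; the scheme is optional because the popups mix bare
# hostnames and http:// URLs, as the thread's own sample shows.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)

def parse_log(text):
    """Parse the constructed log format into Datagram records, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Datagram(m[1], m[2], m[3], int(m[4]), m[5]))
    return out

def is_messenger_spam(d):
    # Messenger service popups ride on UDP to 1026-1032; TCP or other ports are not candidates.
    return d.proto == "UDP" and d.dport in MESSENGER_PORTS

def advertised_domains(payload):
    """Return the set of hostnames advertised in one popup (lower-cased, deduplicated)."""
    return {h.lower() for h in URL_RE.findall(payload)}

def build_report(text):
    """Group Messenger popups by advertised hostname. Source IPs are counted but not
    trusted: UDP has no handshake, so the source address can be spoofed, which is why
    the thread goes after the advertised sites rather than the senders."""
    domains = Counter()
    sources = Counter()
    for d in parse_log(text):
        if not is_messenger_spam(d):
            continue
        sources[d.src] += 1
        for host in advertised_domains(d.payload):
            domains[host] += 1
    return {"domains": dict(domains), "sources": dict(sources)}

if __name__ == "__main__":
    report = build_report(SAMPLE_LOG)
    for host, n in sorted(report["domains"].items()):
        print(f"{host}: {n} popup(s); look up the net-block abuse contact via WHOIS before reporting")
```

The per-hostname counts are the part worth attaching to an abuse mail; the per-source counts only show how spread out the senders appear, not who they are.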
 
ok got it.. good luck with that.

[ Noticed that 2 of the sites are owned by the same person.
(wreg32.com, fixwin32.com) ]
 
Hello George,

Thank you for using the newsgroup!

From your post, I am not sure if the system has been infected by any
viruses or spyware. I suggest you update your antivirus programs to the
latest version and then clean up any viruses from the system. Meanwhile,
you may run the following tools to clean up spyware.

Download and install Windows Defender (Beta 2)
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Use spy-killer to scan your computer completely.
For more information about spy-killer, please refer to the link below:
http://www.spy-killer.com/

Run Ad-Aware (free version)
http://www.lavasoft.de

SpyBot
http://www.safer-networking.org/en/index.html

Note: This response contains reference to some third party World Wide Web
sites. Microsoft is providing this information as a convenience to you.
Microsoft does not control these sites and has not tested any software or
information found on these sites; therefore, Microsoft cannot make any
representations regarding the quality, safety, or suitability of any
software or information found there. There are inherent dangers in the use
of any software found on the Internet, and Microsoft cautions you to make
sure that you completely understand the risk before retrieving any software
from the Internet.

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hello Ken!
Thank you for the advice! I added the links to my list.

I do not use any antivirus or any kind of protection software on the 'main'
(working) installation, because I need the top performance of my PC. I do
however have a 'backup' installation and use it to check the main
installation for viruses and perform backup/restore tasks. The man who
laughs best is the man who has a fresh and clean backup ;-)
I do treat unsafe programs and sites with respect, but I don't fear them,
because I know how to find and remove most of them manually. Truth is, if you
never let the attacker access or run programs on your computer, it will always
be your computer (until you sell it). I'm trying to follow the 10 rules
about security that I was once given. I remember it was somewhere on
Microsoft's site, but I can't remember where. It was something like:
If an attacker runs code on your computer, it is no longer your computer...
(and so on).

To be honest, about four years ago, on my old computer I had Windows Me with
the latest update installed, Norton AntiVirus (latest definitions) and Norton
Internet Security (updated). It was a fresh installation of Windows that
lived less than 5 days and died (on a blue screen) from this virus: Boot
Aragorn injected in kernel32.dll. I think it came from the LAN. I ran the
DOS version of Norton antivirus using the path of the Windows version's
definitions and found the virus. Then I reformatted the partition, but
XP was unable to start from the other partition (I had three primary
partitions, each boots its OS when marked as active). Perhaps the virus had
modified the boot record(s) or the master boot record. I used FIXBOOT and
FIXMBR from the Recovery Console to repair this and make XP work. Ever since
then, I have never trusted Norton or WinMe again.
 
Hi George,

Thanks for sharing your experience here.

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security