CastleCops, Internet Crime Fighters
SIRT(TM)

Spam Incident Reporting and Termination(TM) Squad

A global spam termination operation launched by CastleCops, the volunteer SIRT Squad is comprised of folks who report spam, investigate spam, and actively work on spam takedown and termination. SIRT is funded by CastleCops. Become a SIRT Squad terminator by reporting spam today!

Evidence status: terminated
HTTP response (29 Sep, 2007 18:33:21): HTTP/1.1 502 Proxy Error
ID: 11714
Title: Elite Herbal, Pharma Shop, Reliable Pharmacy, SwissWatchesDirect
Entry: SIRT Squad
Reporter: Nolimit
Timestamp: 14 Sep, 2007 @ 09:35:16
Topic ID: 201218 (Read/respond to SIRT commentary)

Handler Note (14 Sep, 2007 13:51:33), tembow: Consumed following related reports:

Handler Note (14 Sep, 2007 14:12:48), tembow: Directs to 4 different illegal spam sites, depending on the first letter of the prefix.

Runs on illegally hijacked machines infected with trojan web server code.

Addresses for this domain registered with Beijing ILT (set status to clientHold).

Address | Reverse | BL | Country | Reporting nameserver | Links
77.41.66.220 | N/A | YES | Russian Federation | ns2.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=77.41.66.220
82.253.146.115 | N/A | YES | France | ns2.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=82.253.146.115
84.112.124.98 | N/A | YES | Austria | ns2.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=84.112.124.98
121.155.147.216 | N/A | YES | Korea, Republic of | ns2.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=121.155.147.216
200.125.112.109 | N/A | YES | Argentina | ns2.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=200.125.112.109
212.45.81.37 | N/A | YES | Bulgaria | ns2.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=212.45.81.37
61.93.104.193 | N/A | YES | Hong Kong | ns2.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=61.93.104.193
67.191.246.225 | N/A | YES | United States | ns2.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=67.191.246.225
121.155.147.216 | N/A | YES | Korea, Republic of | ns3.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=121.155.147.216
200.125.112.109 | N/A | YES | Argentina | ns3.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=200.125.112.109
212.45.81.37 | N/A | YES | Bulgaria | ns3.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=212.45.81.37
61.93.104.193 | N/A | YES | Hong Kong | ns3.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=61.93.104.193
67.191.246.225 | N/A | YES | United States | ns3.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=67.191.246.225
77.41.66.220 | N/A | YES | Russian Federation | ns3.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=77.41.66.220
82.253.146.115 | N/A | YES | France | ns3.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=82.253.146.115
84.112.124.98 | N/A | YES | Austria | ns3.rthtrhreyh.biz | http://www.spamhaus.org/query/bl?ip=84.112.124.98

Name servers run on hijacked machines. Sponsoring Registrar: TODAYNIC.COM INC. (null route ns A records, set status = clientHold).

Nameserver(s) according to NS records:

Nameserver | Address | Reverse | List status | Country | Links
ns1.rthtrhreyh.biz | 75.139.131.171 | N/A | Blacklisted | United States | http://www.spamhaus.org/query/bl?ip=75.139.131.171
ns2.rthtrhreyh.biz | 59.149.105.240 | N/A | Blacklisted | Hong Kong | http://www.spamhaus.org/query/bl?ip=59.149.105.240
ns3.rthtrhreyh.biz | 200.220.208.194 | N/A | Blacklisted | Brazil | http://www.spamhaus.org/query/bl?ip=200.220.208.194
ns4.rthtrhreyh.biz | 68.255.75.106 | N/A | Blacklisted | United States | http://www.spamhaus.org/query/bl?ip=68.255.75.106

Evidence of other criminal actions is at http://www.spamtrackers.eu/wiki/index.php?title=Category:Well-known_Spam
Handler Note (14 Sep, 2007 14:15:43), tembow: Elite Herbal, Pharma Shop, Reliable Pharmacy, SwissWatchesDirect

Handler Note (14 Sep, 2007 14:15:56), tembow: Generated and sent email spam alert to respective parties.
Fetched URLs

Slaves: 11688, 11689, 11712, 11713, 11715, 11726, 11727, 11728, 11729, 11756, 11757, 11777

Report for at 14 Sep, 2007 @ 09:41:11

Fetched page at 14 Sep, 2007 @ 09:41:39
MD5 Fingerprint: 83521ac78004838f1012e4ca7bc9b808
SHA1 Fingerprint: bae52f91fdd6a18b849ee69832dcc2fc31064c9e

Fetched page at 14 Sep, 2007 @ 13:54:24
MD5 Fingerprint: a6b6294a36da1302d0653e511c076a35
SHA1 Fingerprint: 6e0ead7ba9f2db57076049919b89a8a1dee9a5a5

Fetched page at 14 Sep, 2007 @ 13:55:43
MD5 Fingerprint: 49b3434f0a7a351ea42278df4cf3240b
SHA1 Fingerprint: aaca73dc4963c7fdf63c2875401bb66aac1ce261