Internet Domain Registry


Wednesday, 12 November 2008

Internet Landfill: McColo Corporation

Posted on 05:19 by Unknown
Brian Krebs has turned his sights on another Internet Landfill, this time the McColo Corporation. Today his column is titled "Major Source of Online Scams and Spams Knocked Offline." Later this morning, the Washington Post ran a longer story on the topic, "Major Source of Internet Spam Yanked Offline: Web Hosting Firm Shuttered After Connection to Spammers is Exposed." He mentions in the column that he has been researching McColo for several months, and that something interesting happened when he contacted McColo's upstream providers, Global Crossing and Hurricane Electric.

Hurricane Electric's Benny Ng told Krebs:

"We looked into it a bit, saw the size and scope of the problem you were reporting and said 'Holy cow!' Within the hour we had terminated all of our connections to them."

Although Global Crossing declined to give Krebs a comment, Krebs has apparently once more accomplished what the entire rest of the security world has been unable to do -- removing another Internet Landfill from the World Wide Web.

I coined the term "Internet Landfill" in a presentation regarding Krebs' earlier amazing work almost single-handedly removing Intercage from the Internet. I explained it by saying:

Every house has a trash can, and every business has a dumpster. There's a little garbage anywhere you look. But when someone buys the land in your neighborhood and decides to make it a garbage dump, or a landfill, usually the citizens in that neighborhood protest. Some places on the Internet, such as Intercage, exist solely to store filth, malware, and crime. Those places should be treated like "Internet Landfills", and their neighbors should rise up and protest their presence in their neighborhood.


In case anyone has a question about what type of organization McColo is, here is a little fact-finding adventure, using the excellent Reverse IP Tools from DomainTools.com, and the ASN information from CIDR-Report.

McColo's Autonomous System Number is AS26780.

At this time, Hurricane Electric is no longer listed as an upstream, but Global Crossing *IS* still showing a listing, connecting AS3549 (GBLX) to AS26780 (MCCOLO).

The netblocks currently published as being at McColo are:

208.66.192.0/22
208.72.168.0/21

All their other netblocks are strangely missing.

(See: http://www.cidr-report.org/cgi-bin/as-report?as=as26780)

All of McColo's "Business" webpages were on the server 208.66.192.100. That IP resolved McColo.biz, .com, .info, .net, and .org.

None of those domain names are currently resolving.
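To make the netblock walk above reproducible, here is an added Python example (not from the original post, and not a DomainTools or CIDR-Report tool) that takes the two netblocks published for AS26780, enumerates the /24 "Class C" ranges inside them, and tallies a list of observed source addresses (for instance, sending hosts pulled from a mail server log) against those netblocks. The sample addresses other than 208.66.192.100 are constructed for illustration, and the `resolves` helper is an assumed convenience that needs network access, so nothing here exercises it.

```python
import ipaddress
import socket
from collections import Counter

# Netblocks published for AS26780 at the time of the post (from the CIDR report it cites).
MCCOLO_NETBLOCKS = ["208.66.192.0/22", "208.72.168.0/21"]

# Constructed sample of "observed" source addresses, e.g. from an MTA log.
# 208.66.192.100 is the business web server the post names; the others are made up.
# 207.72.168.9 has a 207 first octet, not 208, so it is outside both netblocks.
SAMPLE_IPS = ["208.66.192.100", "208.72.170.5", "207.72.168.9", "8.8.8.8"]


def parse_netblocks(cidrs):
    """Parse CIDR strings into ip_network objects. strict=True rejects a prefix
    whose host bits are set, which usually means a mis-typed announcement."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def class_c_subnets(networks):
    """List every /24 inside the given netblocks, the 'Class C' view the post walks
    (208.66.192 through 208.66.195, and 208.72.168 through 208.72.175)."""
    subnets = []
    for net in networks:
        subnets.extend(str(s) for s in net.subnets(new_prefix=24))
    return subnets


def containing_netblock(ip, networks):
    """Return the netblock that contains ip, or None if it lies outside all of them."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def tally_by_netblock(ips, networks):
    """Count observed addresses per netblock; addresses outside every block are
    grouped under 'outside'. Useful for measuring how much of a mail stream
    came from one provider's address space."""
    counts = Counter()
    for ip in ips:
        counts[containing_netblock(ip, networks) or "outside"] += 1
    return dict(counts)


def resolves(hostname):
    """True if hostname currently resolves to an address (requires network access).
    Assumed helper for repeating the post's 'is it still resolving?' checks."""
    try:
        socket.gethostbyname(hostname)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    nets = parse_netblocks(MCCOLO_NETBLOCKS)
    print("Class C ranges:", class_c_subnets(nets))
    print("Tally:", tally_by_netblock(SAMPLE_IPS, nets))
```

Because the two netblocks are a /22 and a /21, the enumeration yields exactly the twelve /24 ranges (four plus eight) that the rest of the post steps through; feeding real log addresses into `tally_by_netblock` is the quickest way to see whether a provider's space is worth blocking at your own border.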


Moving through their Class C addresses . . .

208.66.193.* previously had four major domains:

proxyspy.biz
audiobookss.com
authorstore.org
gente.ru

None of those domain names are currently resolving.

208.66.194.* previously had 94 domain names. Just choosing from a few . . .

bestincestfamily dot com (registered at ESTDomains)
bestincestmovies dot com (registered at ESTDomains)
cheapincestpics dot com (registered at ESTDomains)
eliteincestsite dot com (registered at ESTDomains)
teenincestpics dot com (registered at ESTDomains)

None of those domain names are currently resolving.

208.66.195.* previously had domain names. Again, just choosing a few...

protect-access dot com (registered at ESTDomains)
downloadcopy dot com (registered at ESTDomains)
pantyhosefiesta dot com
wm-chance dot net

The pantyhose sites have been moved already to "Sago Networks, LLC".
WM-chance has also been moved to Sago (November 12th) but is not yet operational in its new location. It's a Russian-language online lottery site. Some of the other sites in this group show signs of being "in the process" of moving.

208.72.168.* previously had 1,183 domain names. Again, just choosing a few...

Megacaptcha dot biz (registered at EstDomains)
CaptchaToMoney dot biz (registered at EstDomains)
Torrentpump dot com (registered at Directi)
FtvInnocentAngels dot net (registered at EstDomains)
Coastal-health dot com (registered at OnlineNIC, Inc)
Canadianpharmacycorp1 dot com (registered at Xin Net)
Canadianpharmacycorp2 dot com
Canadianpharmacycorp3 dot com
Canadianpharmacycorp4 dot com
(through 10)
Onlinepharmacysolutions-a dot com (registered at Directi)
Onlinepharmacysolutions-b dot com
Onlinepharmacysolutions-c dot com
Onlinepharmacysolutions-d dot com
Rxmania dot com (registered at GoDaddy)
Pay4pills dot com (registered at GoDaddy)
Asc-antispyware dot com (registered at Beijing Innovative)
A-pennystock dot com (registered at GoDaddy)
Incest-rape dot com (registered at GoDaddy)
Little-gays dot com (registered at EstDomains)
Allyoungmovies dot com (registered at EstDomains)
Smallpussy dot name (registered at EstDomains)(*1)
nymphets dot name (registered at EstDomains)
LittleCuties dot name (registered at EstDomains)

*1 - received 19,317 visitors per month according to Compete.com

None of the sites in this group are currently resolving.

208.72.169.* had 118 domains registered.

Angelgirlspic.com
Searchportalsite.com

Emailru.info
Emailrus.info
Mailfreedom4u.net
Mailblogal.info
Quickmailbox.info
Ruslandmail.info

DomainsUAgroups dot com

and some NOTORIOUS nameserver domains, which are said to belong to Leo Kuvayev, such as:

Jioketinjdesapionkderunjsa.com
Kedfinhderionkadesunpas.com
Vertunhandesikolasderun.com

None of the sites in this group are currently resolving.

208.72.170.* has 22 domain names, including:

cinema4free dot com
flashbill dot net
inc-rep dot biz
asapload dot com
theypay dot biz

playpokeronline-casinos dot com
gamble-poker-holdem dot com
texasholdem-vip dot com

None of the sites in this group are currently resolving.

208.72.171.* has only 4 domain names:

br-ladies dot com
ru-ladies dot com
kharkovblacklist dot com
uapeople dot com

208.72.172.* has 132 domain names. Almost all of them have the word "sex" in the domain name. Many of them have been used to fill blog comments and address books with "SEO spam" (Search Engine Optimization spam), such as the domain:

NicoleHDUncut dot com which has over 19,000 websites pointing back to it, mostly in comment spam.

Pornntube dot com
Sexntube dot com
Tubepornporn dot com
Just-sex-2008 dot com
Hot-girl2008 dot com
FtvHeavenFemme dot net
GoGetFreePorn dot com

clsoft dot net <== encryption software, makers of "cl secrets keeper" and "cl private disk"

208.72.175.* has 12 domain names:

dreamsservices dot com
FianceeOnline dot com
Rudreams dot com
Ukrainefiancee dot com
etc.

None of these sites are currently resolving.

Is this the end of McColo? Probably not. Like the Intercage fiasco, we will probably see loud and public outcries of discrimination followed by mournful apologies and promises to do better, each accompanied by a short-lived resurrection, which will terminate again as soon as the new providers understand what sort of filth they are accommodating, and how the Neighbors (that's you and me, folks) feel about having this trash on OUR Internet.