IP Address Inspector

O.Wichmann commented...

Whois of their network:
http://www.stopforumspam.com/whois/194.165.42.151
Note the contact address in Saudi Arabia was blatantly stolen from "nashirnet.net" whois, a legitimate hosting company in Saudi Arabia. "nashirnet.biz" is entirely unrelated to them and was fraudulently registered to bypass Name/Adress checks done by RIPE. So we have a clear case of identity theft here.

A look at their email domains used as whois contacts:

"nashirnet.biz" (92.48.126.216, v3servers) was anonymously registered at Chinese spam support registrar OnlineNic (they themselves former forum spammers) on October 6th, 2008.

"comunmente.info" (85.12.44.71, Euroaccess) was also anonymously registered at some directi reseller (privacyprotect.org is associated with Directi) on February 20th, 2008.

I'm curious for how long this will go on like this...
November 22 2008 03:19 PM

O.Wichmann commented...

These fine fellows posing as arab fake ISP "nashirnet" are in fact the usual pack of Russian spammers. All ips in their /24 are routed to Euroaccess in the Netherlands:

Also see this message at NANAE:
http://groups.google.com/group/news.admin.net-abuse.email/msg/96642dc61a1c0f1f

Routing of "nashirnet"

route: 194.165.42.0/24
origin: AS34305
descr: EUROACCESS Euroaccess Global Autonomous System
lastupd-frst: 2008-10-07 17:35Z 193.203.0.21@rrc05
lastupd-last: 2008-11-22 05:19Z 195.66.224.54@rrc01
seen-at: rrc00,rrc01,rrc04,rrc05,rrc06,rrc07,rrc10,rrc11,rrc12,rrc13,rrc14,rrc15,rrc16
num-rispeers: 108
source: RISWHOIS

spam sample as evidence:
http ://www .angelinajolie.com/forum/member.php?u=158131

=> spamvertised profile with link to "nenene.org" (62.109.1.60).

Whois of 62.109.1.60:

inetnum: 62.109.0.0 - 62.109.7.255
netname: ISPSYSTEM
descr: ISPsystem at MSM
country: RU
admin-c: PAS28-RIPE
tech-c: AB11726-RIPE
status: ASSIGNED PA
mnt-by: ISPSYSTEM-MNT
source: RIPE # Filtered

whois of domain:

Domain ID:D153615495-LROR
Domain Name:NENENE.ORG
Created On:17-Aug-2008 13:33:53 UTC
Last Updated On:12-Nov-2008 11:47:01 UTC
Expiration Date:17-Aug-2009 13:33:53 UTC
Sponsoring Registrar:EstDomains, Inc. (R1345-LROR)
Status:OK
Registrant ID:DI_3517281
Registrant Name:Alex
Registrant Organization:Alex&Alex
Registrant Street1:Usa
Registrant Street2:
Registrant Street3:
Registrant City:New-York
Registrant State/Province:New York
Registrant Postal Code:na
Registrant Country:US
Registrant Phone:+001.41512345678
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:jaimsbond@gmail.com
November 22 2008 11:41 AM

A.Degives Mas commented...

Comment spammer without doubt; engages in repeated automated attempts to inject comment spam.

User agent shown as: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
November 16 2008 06:08 AM

I.Ellis commented...

wanted one and only one file - guestbook - and nothing else. Guestbook was disallowed in robots.txt, but that was ignored.
November 15 2008 08:28 PM