HI! I'm a spambot and post kiddypr0n! Come see!

[anneslogUsede]

There used to be kiddypr0n here. It be gone, now.

[Jari]

And now I'm going to make an exception.

The bot, which has attempted to post several times, during several days, operates from IP 212.117.164.85, using [email protected] as its email address. Which can't really be that faked, since you need to use the activation link the board sends you. It has been spamming several boards, using different emails, but most if not all belong to the atvclub.msk.ru-domain.

Information about the IP and who owns it, follows:

Code: [Select]

inetnum:        212.117.160.0 - 212.117.175.255
netname:        SERVER-LU
descr:          root eSolutions
country:        LU
admin-c:        AB99-RIPE
tech-c:         RE655-RIPE
status:         ASSIGNED PA
mnt-by:         ROOT-MNT
source:         RIPE # Filtered

role:           root eSolutions
address:        35, rue John F. Kennedy
address:        7327 Steinsel
address:        Luxembourg
phone:          +352 20.500
fax-no:         +352 20.500.500
e-mail:         
remarks:
remarks:        +------------------------------------+
remarks:        | Operational Issues:                |
remarks:        |                      |
remarks:        +------------------------------------+
remarks:        | Abuse and Spam:                    |
remarks:        |                    |
remarks:        +------------------------------------+
remarks:
admin-c:        RE655-RIPE
tech-c:         AB99-RIPE
nic-hdl:        RE655-RIPE
mnt-by:         ROOT-MNT
source:         RIPE # Filtered

person:         Andy BIERLAIR
address:        root SA
address:        35, rue John F. Kennedy
address:        7327 Steinsel
address:        Luxembourg
phone:          +352 20.500
fax-no:         +352 20.500.500
nic-hdl:        AB99-RIPE
mnt-by:         ROOT-MNT
remarks:
remarks:        +------------------------------------+
remarks:        |                                    |
remarks:        | I did *NOT* spam your mailbox!     |
remarks:        | I will *NOT* reply to abuse mails! |
remarks:        |                                    |
remarks:        | Please contact  !  |
remarks:        |                                    |
remarks:        | Be friendly ...                    |
remarks:        | Unfriendly emails will be ignored! |
remarks:        |                                    |
remarks:        +------------------------------------+
remarks:
e-mail:         
source:         RIPE # Filtered

route:          212.117.160.0/19
descr:          root eSolutions
origin:         AS5577
mnt-by:         ROOT-MNT
source:         RIPE # Filtered


The atvclub.msk.ru-domain details follow:

Code: [Select]

domain:     MSK.RU
nserver:    ns.ru.net.
nserver:    ns.spb.ru.
nserver:    ns1.relcom.ru.
state:      REGISTERED, DELEGATED, VERIFIED
org:        "Relcom.BN", Ltd
phone:      +7 499 1960820
phone:      +7 499 1960720
phone:      +7 499 196 0823
fax-no:     +7 499 1963295
e-mail:     
registrar:  RELCOM-REG-RIPN
created:    1998.07.21
paid-till:  2010.08.01
source:     TCI


If someone is in the mood for lulz, maybe you should call these people. Or the police.

[Kudistos Megistos]

Judging by their site, root eSolutions seem most likely to be the negligent enabler rather than the culprit, unless my understanding of how VPNs work is wrong (and it may very well be). It seems like a pretty amateur organisation, and their website hardly ever gets updated, so it wouldn't be surprising if they were letting their services get used for all kinds of weird stuff.

Once again, there's a good chance that I'm talking out of my arse.

[Jari]

Judging by their site, root eSolutions seem most likely to be the negligent enabler rather than the culprit

This is almost certainly true. Very likely the same thing with atvclub.msk.ru, as well (although I can't be arsed even to check what kind of a content they host). It might not even be a client of theirs, it's entirely possible - perhaps even likely - that there's either a single infected system, or part of an actual botnet behind this.

It would take a Herbie-level LOGIC FAIL to send kiddypr0n spam from something that is clearly registered to you, after all.

So, don't go sending letter bombs, that would be bad. Feel free to annoy the heck out of their abuse-contacts, though.

If someone were to take akshual measures to find out who is behind this; those two would be next step. We can show the IP and the email address and date and time, but we don't know more. They know - or should know - who is behind that IP and address.

Too bad that I didn't save the URL of the site they were advertising. I haz a screenshot saved - should someone need proof of the post's contents, but since the URL was only a link, it's not visible. Although I really doubt that there would be a connection between that URL and either the owner of the IP range, or the owner of the domain the email was sent to.

[Kudistos Megistos]

Google shows some interesting results for [email protected], including this one. Whatever they tried to do clearly wasn't effective (or hasn't got any results yet; the post was 5 days ago). The email seems to be getting used for spam everywhere, and the site "atvclub.msk.ru" can't be accessed (unsurprisingly).