2017 targeted whois spam

well there was n bomb and ….

The zoo’s (plus zoo1-3) domain owner account is not handled by the zoo but by a separate email system that I do not control, just in case things go apocalyptic.

So I do get some spam.

I log in about once a week and clear the crap, which strangely appears to be supermarket vouchers. I doubt these ‘organisations’ pay out; they are data phishing scams which the monkey house has no interest in discovering, and they probably need a Facebook thing that I do not have – most things need Facebook if it’s scammy/marketing.

I never look at them except at the brand names being ripped off – why would a discount German-based supermarket be offering more money off its ‘low’ prices?*

scumbag spammer Robert Soloway

Anyhow it’s very boring compared to the crap Robert Soloway (my blog) sent, and I helped play a part in his downfall.

Anyhow, since role accounts are hosted by us and they get no spam, it is a good way to judge our email system. SSL confirmations and other stuff do get through.

*an exercise left to the reader to figure out

Zimbabwean ISPs in the wild

the boss of unemployment

Zimbabwe sends the zoo some odd attempted email traffic, considering that 96% of its people are unemployed and the Chinese RMB (my blog) was its currency last time I checked.

Those Chinese people are sure generous with money and the family who run it.

The more exotic the country (my blog), the more fun these are to do.

197.221.237.138 attempts 56

smtpd[*]: warning: hostname 16.138.telone.co.zw does not resolve to address 197.221.237.138: No address associated with hostname

197.221.240.250 attempts 4

smtpd[*]: warning: hostname 16.250.telone.co.zw does not resolve to address 197.221.240.250: No address associated with hostname

196.27.127.154 attempts 2

policyd-spf[*0]: None; identity=helo; client-ip=196.27.127.154; helo=307311.customer.zol.co.zw; envelope-from=karrycristinajm@excite.it; receiver=ape@zoo
smtpd[*]: NOQUEUE: reject: RCPT from unknown[196.27.127.154]: 554 5.7.1 Service unavailable; Client host [196.27.127.154] blocked using xbl.spamhaus.org; https://www.spamhaus.org/query/ip/196.27.127.154;

The last one is kind of interesting, but it has been deemed spammy, and quite why an Italian domain is sending mail from there confirms it.

Surely they cannot all be unemployed spammers, or perhaps the best ones emigrate to Nigeria?

The .zw TLD does not help, being one of the last, so they kind of deserve the attention: my geoip script lists it last and so it sticks out like a sore thumb. Anyhow it is amusing that its leader, who hates the English (not Americans), allows his citizens to try and email the zoo; I mean that being a really shit despot, mind you there’s the 4% he still has to make jobless.

Try harder Grace Mugabe.
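To put a reason next to counts like “attempts 56”, here is an added example (mine, not the zoo’s geoip script) that tallies connections per client IP from Postfix smtpd and policyd-spf lines and notes reverse DNS mismatches, DNSBL rejects and SPF results. The log sample is constructed in the shape of the lines quoted above: the IPs and hostnames are the post’s, while the timestamps, the “zoo” host name, the pids and the 192.0.2.10 relay are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the smtpd / policyd-spf lines quoted in the post.
# IPs and hostnames come from the post; timestamps, the "zoo" host and pids are made up.
SAMPLE_LOG = """\
Jan 10 03:12:01 zoo postfix/smtpd[1234]: warning: hostname 16.138.telone.co.zw does not resolve to address 197.221.237.138: No address associated with hostname
Jan 10 03:12:01 zoo postfix/smtpd[1234]: connect from unknown[197.221.237.138]
Jan 10 03:12:02 zoo postfix/smtpd[1234]: disconnect from unknown[197.221.237.138]
Jan 10 04:40:11 zoo postfix/smtpd[1250]: warning: hostname 16.138.telone.co.zw does not resolve to address 197.221.237.138: No address associated with hostname
Jan 10 04:40:11 zoo postfix/smtpd[1250]: connect from unknown[197.221.237.138]
Jan 10 04:40:12 zoo postfix/smtpd[1250]: disconnect from unknown[197.221.237.138]
Jan 10 05:01:44 zoo postfix/smtpd[1301]: connect from unknown[196.27.127.154]
Jan 10 05:01:45 zoo policyd-spf[1302]: None; identity=helo; client-ip=196.27.127.154; helo=307311.customer.zol.co.zw; envelope-from=karrycristinajm@excite.it; receiver=ape@zoo
Jan 10 05:01:45 zoo postfix/smtpd[1301]: NOQUEUE: reject: RCPT from unknown[196.27.127.154]: 554 5.7.1 Service unavailable; Client host [196.27.127.154] blocked using xbl.spamhaus.org; https://www.spamhaus.org/query/ip/196.27.127.154;
Jan 10 05:01:46 zoo postfix/smtpd[1301]: disconnect from unknown[196.27.127.154]
Jan 10 06:10:00 zoo postfix/smtpd[1400]: connect from mail.example.net[192.0.2.10]
Jan 10 06:10:01 zoo postfix/smtpd[1400]: disconnect from mail.example.net[192.0.2.10]
"""

IPV4 = r"(\d+(?:\.\d+){3})"
CONNECT_RE = re.compile(r"smtpd\[\d+\]: connect from \S+\[" + IPV4 + r"\]")
RDNS_RE = re.compile(r"warning: hostname \S+ does not resolve to address " + IPV4)
RBL_RE = re.compile(r"reject: RCPT from \S+\[" + IPV4 + r"\]: 554 .*?blocked using (\S+?);")
SPF_RE = re.compile(r"policyd-spf\[\d+\]: (\w+); identity=(\w+); client-ip=" + IPV4 + ";")


def summarise(log_text):
    """Return {client_ip: {"attempts": int, "reasons": Counter}} from raw log text.

    One "connect from" line is one attempt; the other patterns only add reasons."""
    stats = defaultdict(lambda: {"attempts": 0, "reasons": Counter()})
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            stats[m.group(1)]["attempts"] += 1
            continue
        m = RDNS_RE.search(line)
        if m:
            stats[m.group(1)]["reasons"]["rdns-mismatch"] += 1   # PTR name has no matching A record
            continue
        m = RBL_RE.search(line)
        if m:
            ip, dnsbl = m.groups()
            stats[ip]["reasons"]["rbl:" + dnsbl] += 1            # rejected by a DNS blocklist
            continue
        m = SPF_RE.search(line)
        if m:
            result, identity, ip = m.groups()
            if result.lower() in ("fail", "softfail", "none"):  # "pass"/"neutral" are not worth noting
                stats[ip]["reasons"][f"spf-{result.lower()}:{identity}"] += 1
    return dict(stats)


def report(stats):
    """One line per client IP, busiest first, in the "<ip> attempts <n>" style of the post."""
    lines = []
    for ip, s in sorted(stats.items(), key=lambda kv: (-kv[1]["attempts"], kv[0])):
        reasons = " ".join(f"{k}:{v}" for k, v in sorted(s["reasons"].items())) or "clean"
        lines.append(f"{ip} attempts {s['attempts']} {reasons}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarise(SAMPLE_LOG))))
```

Feed it a real mail log with summarise(open(path).read()); the reason counts are what separate a chatty but harmless relay from a range whose PTR never resolves and which always lands on the XBL, which is the sort of thing a geoip-by-country listing on its own does not tell you.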

Afghanistan internet favourites

So another .af address (my blog) had a quick chat with the email server.

smtpd[*]: connect from unknown[117.55.207.29]
policyd-spf[*]: None; identity=helo; client-ip=117.55.207.29; helo=[117.55.207.4]; envelope-from=mfd@thezoo; receiver=user@thezoo
policyd-spf[*]: Fail; identity=mailfrom; client-ip=117.55.207.29; helo=[117.55.207.4]; envelope-from=mfd@thezoo; receiver=user@thezoo
smtpd[*]: NOQUEUE: reject: RCPT from unknown[117.55.207.29]: 554 5.7.1 Service unavailable; Client host [117.55.207.29] blocked using xbl.spamhaus.org; https://www.spamhaus.org/query/ip/117.55.207.29; from=<MFD@thezoo> to=<user@thezoo> proto=ESMTP helo=<[117.55.207.4]>
smtpd[*]: disconnect from unknown[117.55.207.29]

the man who became a pig

So let’s say a big hello to

address: Neda Telecommunications 13, Esmat Muslim Street,Shar-e-Naw Kabul, Afghanistan
e-mail: abuse@neda.af

Oddly they’re pretending to be the zoo – probably not pork product spam then.

The paradox of cavemen selling art

I wrote a geoip script (my blog), and if you mess about with the various log formats it works with many output logs, since they all differ to a certain extent, so I ran it against our email server.

So I got curious and wondered what Afghanistan was sending…

smtpd[*]: connect from unknown[103.224.215.18]
policyd-spf[*]: Neutral; identity=mailfrom; client-ip=103.224.215.18; helo=[103.224.215.18]; envelope-from=*@billwatsonfineart.com; receiver=thezoo
smtpd[*]: NOQUEUE: reject: RCPT from unknown[103.224.215.18]: 554 5.7.1 Service unavailable; Client host [103.224.215.18] blocked using xbl.spamhaus.org; 103.224.215.18; from=<*@billwatsonfineart.com> to=<thezoo> proto=ESMTP helo=<[103.224.215.18]>
smtpd[*]: disconnect from unknown[103.224.215.18]

No idea, but Afghanistan selling art sounds wrong based on this (my blog). I am sure the domain owner would not be welcome in Kabul.

 103.224.214.1 - 103.224.215.254
 Giganor-BroadBand-wireless-customers
 H # 263, Shora Street 4, Cart e 3, Kabul Kabul
 AF
 abuse-mailbox:  support@giganor.com

This ‘Freedom’ seems wasted on Islamic believers. However, I guess it might be drugs or something deemed moral; after all it has already been flagged as spam, and it’s certainly not bacon.

The moral of this story: do not use GoDaddy (my blog), which our cavemen are using for a false identity.

A Picard moment for you (shodan.io)

Oh yes, it’s our friendly scumbags from Shodan (my blog) – over to you, captain.

connect from cloud.census.shodan.io[94.102.49.193]

It’s from our beach hut scanning outpost in the Seychelles (my blog), and a small /24 this time, if you want to mass block this scammy ISP and its lovely client.

So shields up, and I hope you never get this recycled IP address once shodan.io have fucked up its reputation. I never delist shodan.io IP addresses, whoever the ISP is.

Enjoy your day.

RPZ zones for the few, not the many

Bananas was interested in RPZ zones, which have nothing to do with car parking or planning regulations but are DNS zones; they look quite simple until you try and get one.

However, with a bit of searching, RPZ zones can be manually created and do work, but then the data is a little out of date. Most threat zones are small rather than large, so having a good mail server is way more important than an RPZ zone blocking a specific URL sent in a scammy email, say.

bank.barclays.co.uk.olb-auth-loginlink.action. asdasd45.as4d56asdas.da 4s65d46asdasdsd. ta77lia. com _b

Whois says Egypt owner and hosted in DE, and I guess it depends on how dumb your network users are, how money grabbing and unethical an SSL certificate provider is, and how long the hosting provider ignores abuse emails before shutting something down.

Getting bad site data is quite easy once you start, but making it RPZ friendly is another matter. Theme and user content directories are popular for bad permissions and, like the link above, look shady.

Some malware domains just use an IP address, so whether or not an RPZ zone would work is a little more questionable. A general and unscientific match of mail server abuse to phishing domains (a grep) suggests that these are tasked to one job only, so there is no overlap by domain name.

RPZs sound great, but with freshness and everybody playing catch up, perhaps it’s best that they’re left as something that just Cisco users have.
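Since “making it RPZ friendly” is the hard part, here is an added example (mine, not anything Bananas or the zoo published) that turns a scruffy list of bad URLs and hostnames into a BIND response policy zone. It normalises each feed entry to a bare domain, emits NXDOMAIN records for the name and its subdomains, and, for the IP-only malware case mentioned above, encodes IP ranges as RPZ response-IP triggers (owner names of the form prefixlen.B4.B3.B2.B1.rpz-ip). The zone name rpz.zoo and the sample entries are assumed for the example.

```python
import ipaddress
import re
from datetime import date

# A hostname label: 1-63 chars of [a-z0-9-], not starting or ending with "-".
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise_domain(raw):
    """Reduce a feed entry (URL or hostname) to a bare lowercase domain, or None if it is not one."""
    s = raw.strip().lower()
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)  # drop any scheme
    s = s.split("/", 1)[0].split("?", 1)[0]      # drop path and query
    s = s.split("@")[-1].split(":", 1)[0]        # drop userinfo and port
    s = s.rstrip(".")
    if "." not in s:
        return None
    if not all(LABEL_RE.match(label) for label in s.split(".")):
        return None
    return s


def rpz_ip_owner(cidr):
    """Encode an IPv4 range as an RPZ response-IP trigger: <prefixlen>.<B4>.<B3>.<B2>.<B1>.rpz-ip"""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example only encodes IPv4 triggers")
    reversed_octets = ".".join(reversed(str(net.network_address).split(".")))
    return f"{net.prefixlen}.{reversed_octets}.rpz-ip"


def build_rpz_zone(zone, domains, ip_ranges=(), passthru=(), ttl=300, serial=None):
    """Return the text of an RPZ zone file.

    Listed names and their subdomains answer NXDOMAIN (CNAME .), any answer whose
    address falls in a listed range answers NXDOMAIN too, and passthru names are
    explicit exemptions (CNAME rpz-passthru.)."""
    if serial is None:
        serial = int(date.today().strftime("%Y%m%d")) * 100  # YYYYMMDD00; bump the last two digits per edit
    out = [
        f"$TTL {ttl}",
        f"@ IN SOA localhost. hostmaster.{zone}. {serial} 3600 600 604800 {ttl}",
        "@ IN NS localhost.",
    ]
    seen = set()
    for raw in domains:
        d = normalise_domain(raw)
        if d is None:
            out.append(f"; skipped unusable entry: {raw.strip()!r}")  # keep the evidence, not the record
            continue
        if d in seen:
            continue
        seen.add(d)
        out.append(f"{d} CNAME .")      # CNAME . means answer NXDOMAIN
        out.append(f"*.{d} CNAME .")    # and the same for every subdomain
    for cidr in ip_ranges:
        out.append(f"{rpz_ip_owner(cidr)} CNAME .")   # fires on the answer address, not the question
    for raw in passthru:
        d = normalise_domain(raw)
        if d is not None:
            out.append(f"{d} CNAME rpz-passthru.")    # never rewrite this one
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed feed entries, not real indicators.
    print(build_rpz_zone("rpz.zoo",
                         ["http://evil.example/login", "EVIL.example.", "not a domain"],
                         ["103.224.215.18/32"], passthru=["ok.example"]))
```

Load the output as an ordinary master zone in named.conf and enable it with response-policy { zone "rpz.zoo"; }; in the options block. Two caveats follow from the post’s own points: the rpz-ip trigger only helps when a client resolves a name that answers with the bad address, so malware that connects straight to an IP never asks the resolver and is a firewall job, not a DNS one; and the short TTL plus a date-based serial are there because a stale zone is worse than none, which is the freshness problem the post describes.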

Email for imaginary zoo staff

The monkey house’s email server is quite busy, and to keep it that way the website has some famous video game characters listed in a comment in the HTML, so you’re usually a robot extracting them rather than a carbon-based lifeform with a computer.

It amazes me that people actually email these addresses, which do not exist but might because they’re ‘listed’.

China seems to like them and these captains of banana management, and who am I not to keep the spammers happy? I have no idea what was sent to these imaginary zoo employees, but you too can buy them from spammers.

Some spammers get close but make the most amusing mistakes; you know who to email, our imaginary zoo staff will be happy to get your email, honest.
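The imaginary staff are only useful if the mail log is actually checked for them, so here is an added example (mine, not the zoo’s setup) that harvests the decoy addresses from the HTML comment the same way a scraper would, then matches Postfix RCPT rejects against that set and ranks the client IPs that tried them. The HTML comment, the character names and the log lines are constructed; “thezoo” is the placeholder domain the post itself uses.

```python
import re

# Constructed: an HTML comment of the kind the post describes, listing "staff" who do not exist.
DECOY_HTML = """<!-- zoo staff directory
  gordon.freeman@thezoo
  chell@thezoo
  glados@thezoo
-->"""

# Constructed Postfix reject lines: one client tries two decoys, one tries a decoy and is
# also on the XBL, and one tries a plain unknown user that is not a decoy.
SAMPLE_LOG = """\
Jan 11 02:00:03 zoo postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <chell@thezoo>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.org> to=<chell@thezoo> proto=ESMTP helo=<mx.example.org>
Jan 11 02:00:04 zoo postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <glados@thezoo>: Recipient address rejected: User unknown in local recipient table; from=<promo@example.org> to=<GLaDOS@thezoo> proto=ESMTP helo=<mx.example.org>
Jan 11 02:15:10 zoo postfix/smtpd[2010]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using xbl.spamhaus.org; from=<x@example.net> to=<chell@thezoo> proto=ESMTP helo=<[203.0.113.9]>
Jan 11 03:00:00 zoo postfix/smtpd[2020]: NOQUEUE: reject: RCPT from unknown[203.0.113.50]: 550 5.1.1 <bob@thezoo>: Recipient address rejected: User unknown in local recipient table; from=<a@example.com> to=<bob@thezoo> proto=ESMTP helo=<h.example.com>
"""

ADDRESS_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+", re.I)
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
RCPT_RE = re.compile(r"RCPT from \S+\[(\d+(?:\.\d+){3})\]: .*?from=<([^>]*)> to=<([^>]+)>")


def load_decoys(html):
    """Harvest decoy addresses exactly as a scraper would: any address-looking token inside HTML comments."""
    return {addr.lower()
            for comment in COMMENT_RE.findall(html)
            for addr in ADDRESS_RE.findall(comment)}


def decoy_hits(log_text, decoys):
    """Map client IP -> set of decoy addresses it tried to deliver to.

    Nobody legitimate can know these addresses, so any hit means the site was scraped."""
    hits = {}
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        if not m:
            continue
        ip, _sender, rcpt = m.groups()
        if rcpt.lower() in decoys:              # case-insensitive: spammers mangle case too
            hits.setdefault(ip, set()).add(rcpt.lower())
    return hits


def block_candidates(hits):
    """Client IPs worth a firewall entry, the ones that tried the most decoys first."""
    return [ip for ip, addrs in sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))]


if __name__ == "__main__":
    decoys = load_decoys(DECOY_HTML)
    for ip, addrs in decoy_hits(SAMPLE_LOG, decoys).items():
        print(ip, "tried", ", ".join(sorted(addrs)))
```

The point of matching on the recipient rather than the reject code is that a decoy hit is a hit whether Postfix said “User unknown”, rejected on a DNSBL, or (if the decoys were ever made real aliases) accepted the message; the third sample line shows the XBL case still counting.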

Shodan.io’s beachhut in the Seychelles.

Another sighting for you (my blog), from the unbeautiful Seychelles this time. It is 89.248.172.16, from an ISP I have mentioned for DNS probers, quasinetworks.com (my blog), and it’s a house.

connect from house.census.shodan.io[89.248.172.16]

So one more to the crimson firewall. I like blocking shodan.io IP addresses and you should too.

I like writing posts about Shodan – come on, send me more, Shodan, this is fun.


Facebook spammers

I was looking at the zoo’s mail server logs (hint: really exciting) and saw Facebook trying to connect to an unknown user. I decided to see more and got something like this.

66.220.155.142
66.220.155.145
66.220.155.147
66.220.155.151
69.171.232.128
69.171.232.130
69.171.232.136
69.171.232.139
69.171.232.142
69.171.232.155
69.171.232.162
69.171.232.164
69.171.232.165
69.171.232.168
69.171.232.170
69.171.232.178

I have printed the magic command somewhere on this blog, so this is not impossible output.

69.171.232 is Facebook, and I decided that there’s no reason to tolerate this crap, since no ape here in the zoo is officially on Facebook, nor is the new person they think exists. I also made a cron job so the zoo can be alerted to extra activity which I have not yet blocked; it runs once a day.
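As an added example of the once-a-day check described above (mine, not the zoo’s cron job), this Python script takes a one-address-per-line list like the one printed earlier, rolls it up into /24s so a whole chatty range is one line, and reports only the ranges that are not already inside a blocked CIDR. The 66.x and 69.x addresses are the post’s; 192.0.2.77 is a documentation address added here, and the blocked list is assumed from the post’s decision about 69.171.232.

```python
import ipaddress
from collections import Counter

# Constructed input: the kind of one-address-per-line list the post's "magic command" prints.
SEEN = """\
66.220.155.142
66.220.155.145
66.220.155.147
69.171.232.128
69.171.232.130
69.171.232.136
192.0.2.77
""".split()

# Ranges already in the firewall (assumed here, following the post's decision about 69.171.232).
BLOCKED = ["69.171.232.0/24"]


def by_slash24(ips):
    """Count connecting addresses per /24 so a chatty range shows up as one line, not sixteen."""
    counts = Counter()
    for ip in ips:
        counts[ipaddress.ip_network(f"{ip}/24", strict=False)] += 1
    return counts


def unblocked_ranges(ips, blocked_cidrs):
    """Report /24s that saw traffic and are not entirely inside an already-blocked range, busiest first.

    A /24 only partly covered by a narrower block (say a single /32) is still reported,
    because the rest of the range can still connect."""
    blocked = [ipaddress.ip_network(c, strict=False) for c in blocked_cidrs]
    report = []
    for net, n in sorted(by_slash24(ips).items(), key=lambda kv: (-kv[1], str(kv[0]))):
        if any(net.subnet_of(b) for b in blocked):
            continue  # already covered, nothing to alert on
        report.append(f"{net} hits {n} NOT BLOCKED")
    return report


if __name__ == "__main__":
    # Run from cron once a day; empty output means nothing new to look at.
    print("\n".join(unblocked_ranges(SEEN, BLOCKED)))
```

Wired into cron, the interesting property is that the job is silent when everything seen is already blocked, so a mail from it is itself the alert; feeding it yesterday’s extracted IP list on stdin instead of the constructed SEEN list is the only change needed.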

Fuck off Facebook.