Atrivo - spam-friendly. They think that if a customer is big enough to bring them a lot of money, they should not terminate that client's account even when the client is spam-friendly, provides abusers with Internet connectivity and ignores requests, even from Atrivo themselves, to terminate them (or signs them back up right after removing them).

=== Evidence ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Russ@Atrivo.com
Subject: Re: Atrivo/InterCage Abuse
Approved: NANAB Moderators
Injection-Info: f14g2000cwb.googlegroups.com; posting-host=69.107.73.156; posting-account=2w8xwQ0AAADzda9cIvAir5JUpndTEjLg
Content-Type: text/plain; charset="iso-8859-1"
X-Complaints-To: groups-abuse@google.com
User-Agent: G2/0.2
Complaints-To: groups-abuse@google.com
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Date: Fri, 2 Sep 2005 17:48:03 +0000 (UTC)
Nntp-Posting-Host: 69.107.73.156
X-Http-Useragent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322),gzip(gfe),gzip(gfe)
Organization: http://groups.google.com
Message-ID: <1125683278.320264.138150@f14g2000cwb.googlegroups.com>
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com> <11hgs71j941hs0a@corp.supernews.com>
X-Trace: posting.google.com 1125683283 16154 127.0.0.1 (2 Sep 2005 17:48:03 GMT)
Mime-Version: 1.0
Date: Fri, 2 Sep 2005 19:51:13 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 54
Path: x-privat.org!news.glorb.com!logbridge.uoregon.edu!newsfeed.stanford.edu
 !zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16903

Hello fhh,

There is no "network of esthost". The network in which Esthost resides is our network. Esthost is one of our larger clients. They are very successful in the industry of web hosting and domain registration. They just recently became an ICANN Accredited Registrar. I won't comment on "why" they're so successful... But for some, that may be obvious.

I believe an investigation by law enforcement is a very corrective step... That would definitely clean Esthost up.

I can honestly say, there are 2 of our major clients who are very successful... and with both of those comes occasional abuse. On one, it's the occasional spam via exploit. The other... Esthost... Well... A lot worse abuse than just spam.

One of the things I find quite ridiculous is people have taken all of our business emails from whois etc, and placed them in spam runs. How stupid can you get?... Honestly! You have never received a spam email that came from our business servers... Our clients (like EVERY other company's clients) do get the abuse of spam from their servers. For all of our clients (esthost aside)... This is not very often. We can't please everyone. We try... But when you have to go through and work with a client like esthost who doesn't quite take abuse too seriously... and the only other thing you can do is null their client's server.... it's hard to get a "correct" action taken. The correct action on any intentional spammer is to be immediately removed. As well as intentional virii distributors. This is seen with iframecash.biz... We took reports from P Thompson and demanded their removal... That appeared to be resolved... and then they pop up again.

If I had the ability... I would cut Esthost as a client... But, in doing so, it causes nearly a quarter if not half of the company's monthly revenue to be cut. That is not too good of a move nor reasonably possible ;)

People consider Atrivo/InterCage to be some abuse supporting company... If only any of you knew what the position would be in a company our size.

It's not as easy as you believe it to be ;)

Thank you for your time. Have a great day.

--
Russell Mitchell - Russ[at]Atrivo.com
Atrivo Technologies

--
Comments posted to news.admin.net-abuse.blocklisting are solely the responsibility of their author.
Please read the news.admin.net-abuse.blocklisting FAQ at http://www.blocklisting.com/faq.html before posting.

=== And where is that abuser now? Yes - on EstHost again, through InterCage ===

$ host iframecash.biz
iframecash.biz has address 195.95.218.171
iframecash.biz mail is handled by 10 relay.iframecash.biz.

$ jwhois 195.95.218.171
[Querying whois.ripe.net]
[whois.ripe.net]
<...>
% Information related to '195.95.218.0 - 195.95.219.255'

inetnum: 195.95.218.0 - 195.95.219.255
netname: EstHost
descr: Inhoster hosting company
descr: OOO Inhoster, ul.Antonova 5, Kiev, 03186, Ukraine
remarks: -----------------------------------
remarks: Abuse notifications to: abuse@inhoster.com
remarks: Network problems to: noc@inhoster.com
remarks: Peering requests to: peering@inhoster.com
remarks: -----------------------------------
country: UA
org: ORG-EST1-RIPE
admin-c: AK4026-RIPE
tech-c: AK4026-RIPE
tech-c: FWHS1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: RECIT-MNT
mnt-routes: RECIT-MNT
mnt-domains: RECIT-MNT
mnt-by: DAV-MNT
mnt-routes: DAV-MNT
mnt-domains: DAV-MNT
source: RIPE # Filtered

organisation: ORG-EST1-RIPE
org-name: INHOSTER
org-type: NON-REGISTRY
remarks: *************************************
remarks: * Abuse contacts: abuse@inhoster.com *
remarks: *************************************
address: OOO Inhoster
address: Poltavskij Shliax 24, Xarkov,
address: 61000, Ukraine
phone: +38 066 4633621
e-mail: support@inhoster.com
admin-c: AK4026-RIPE
tech-c: AK4026-RIPE
ref-nfy: support@ydav.com
ref-nfy: support@inhoster.com
mnt-ref: DAV-MNT
mnt-by: DAV-MNT
source: RIPE # Filtered

person: Andrei Kislizin
address: OOO Inhoster,
address: ul.Antonova 5, Kiev,
address: 03186, Ukraine
phone: +38 044 2404332
nic-hdl: AK4026-RIPE
source: RIPE # Filtered

person: Fast Web Hosting Support
address: 01110, Ukraine, Kiev, 20� Solomenskaya street. room 201.
address: UA
phone: +357 99 117759
e-mail: support@fwebhost.com
nic-hdl: FWHS1-RIPE
source: RIPE # Filtered

$ traceroute 195.95.218.171
traceroute to 195.95.218.171 (195.95.218.171), 30 hops max, 38 byte packets
<...>
19 p5-0.core01.den01.atlas.cogentco.com (66.28.4.29) 308.186 ms 268.980 ms 257.942 ms
20 p4-0.core02.sfo01.atlas.cogentco.com (66.28.4.130) 284.281 ms 272.932 ms 276.387 ms
21 g0-1.na21.b003070-1.sfo01.atlas.cogentco.com (66.250.9.6) 275.489 ms 272.959 ms 286.308 ms
22 Intercage.demarc.cogentco.com (38.112.11.238) 286.028 ms 279.999 ms 315.411 ms
23 195.95.218.171 (195.95.218.171) 276.034 ms 266.645 ms 277.117 ms

=== My reply ===

#begin Russ@Atrivo.com.exe (or was it Russ@Atrivo.com.com) message <1125683278.320264.138150@f14g2000cwb.googlegroups.com> reply:

> Hello fhh,
>
> There is no "network of esthost". The network in which Esthost resides
> is our network. Esthost is one of our larger clients,
> But when you have to go through and work
> with a client like esthost who doesn't quite take abuse too
> seriously... and the only other thing you can do is null their client's
> server....

Several questions arise:

1. Does Atrivo's AUP permit their clients to abuse or run services that help to abuse other networks?
   - Your AUP says it is "Unacceptable use".
2. Do ALL of Atrivo's clients have to follow it?
   - Your AUP says: "This policy applies to all customers (also known as 'subscribers') using the products and services provided by Atrivo."
3. If such a client repeatedly violates your AUP, but you refuse to apply your AUP and terminate the client's account, it says what?
   - That you do not want to.

> it's hard to get a "correct" action taken.

Oh, it's very easy! You don't even need to read a manual to grasp the idea of how a wirecutter works. It's all about the WILL to do it.

> The correct
> action on any intentional spammer is to be immediately removed. As well
> as intentional virii distributors.

So you know what should be done, too.

> This is seen with iframecash.biz...
> We took reports from P Thompson and demanded their removal... That
> appeared to be resolved... and then they pop up again.

And your customer who let them back on, and moreover - still keeps them on, is still your customer? Atrivo knows about it, and Atrivo still keeps them? And you honestly do not understand why the whole of Atrivo's net space should not be trusted with a single packet?

> If I had the ability... I would cut Esthost as a client...

Oh, the ability you have! Don't tell me that there is not a single wirecutter around, or that you do not know which plugs lead to that client of yours. It's the will to do that, that's what Atrivo lacks.

> But, in
> doing so, it causes nearly a quarter if not half of the company's
> monthly revenue to be cut. That is not too good of a move nor
> reasonably possible ;)

Is it just me, or does this whole thing look like HostNOC/BurstNET and Azoogle all over again? How much blocking is Atrivo ready to suffer before they cut the abusers off?

> People consider Atrivo/InterCage to be some abuse supporting company...

And it isn't so exactly why? Your client supports abuse, you keep that client. You know what it means? It means that YOU support abuse.

> If only any of you knew what the position would be in a company our
> size.
>
> It's not as easy as you believe it to be ;)

The size doesn't matter, it's how you use it. BurstNET has also said exactly the same: The excuse didn't fly then, and I don't think it will fly now, either.

> Thank you for your time. Have a great day.
>
> --
> Russell Mitchell - Russ[at]Atrivo.com
> Atrivo Technologies

Welcome to my firewall, say "Hi" to BurstNET, while you are there. When Atrivo stops providing network services to the abuse-friendly clients, let the world know.

Dolphin.
--
URL: http://www.DolphinWave.org
Mail: on the web page (no spam)
ICQ: 6615461

=== Other people reply, 1st ===

Newsgroups: news.admin.net-abuse.blocklisting
From: fhh
Subject: Re: Atrivo/InterCage Abuse
Approved: NANAB Moderators
Content-Type: text/plain; charset=us-ascii
X-Complaints-To: abuse@supernews.com
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Content-Transfer-Encoding: 7Bit
Organization: Posted via Supernews, http://www.supernews.com
Message-ID: <11hjop9ci9opeb2@corp.supernews.com>
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com> <11hgs71j941hs0a@corp.supernews.com> <1125683278.320264.138150@f14g2000cwb.googlegroups.com>
Mime-Version: 1.0
Date: Sat, 3 Sep 2005 23:24:48 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 58
Path: x-privat.org!news.newsland.it!newshub.sdsu.edu!headwall.stanford.edu
 !newsfeed.stanford.edu!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16915

Russ@Atrivo.com wrote:

> There is no "network of esthost". The network in which Esthost resides
> is our network. Esthost is one of our larger clients. They are very
> successful in the industry of web hosting and domain registration. They
> just recently became an ICANN Accredited Registrar. I won't comment on
> "why" they're so successful... But for some, that may be obvious.
>
> I believe an investigation by law enforcement is a very corrective
> step... That would definitely clean Esthost up.
>
> I can honestly say, there are 2 of our major clients who are very
> successful... and with both of those comes occasional abuse. On one,
> it's the occasional spam via exploit. The other... Esthost... Well... A
> lot worse abuse than just spam.
>
> One of the things I find quite ridiculous is people have taken all of
> our business emails from whois etc, and placed them in spam runs. How
> stupid can you get?... Honestly!
> You have never received a spam email
> that came from our business servers... Our clients (like EVERY other
> company's clients) do get the abuse of spam from their servers. For all
> of our clients (esthost aside)... This is not very often. We can't
> please everyone. We try... But when you have to go through and work
> with a client like esthost who doesn't quite take abuse too
> seriously... and the only other thing you can do is null their client's
> server.... it's hard to get a "correct" action taken. The correct
> action on any intentional spammer is to be immediately removed. As well
> as intentional virii distributors. This is seen with iframecash.biz...
> We took reports from P Thompson and demanded their removal... That
> appeared to be resolved... and then they pop up again.
>
> If I had the ability... I would cut Esthost as a client... But, in
> doing so, it causes nearly a quarter if not half of the company's
> monthly revenue to be cut. That is not too good of a move nor
> reasonably possible ;)
>
> People consider Atrivo/InterCage to be some abuse supporting company...
> If only any of you knew what the position would be in a company our
> size.

What you are saying here is really alarming. In fact you are admitting that up to 50% of the revenue of Atrivo.com may be related to (proxy) spam and other serious abuse. You are confirming that Atrivo is unable and unwilling to stop the abuse by customers of Esthost.

> It's not as easy as you believe it to be ;)

Well, your own words suggest that Atrivo.com is in very bad shape indeed.

--
feike

=== Another reply ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Morely Dotes
Subject: Re: Atrivo/InterCage Abuse
Approved: NANAB Moderators
Content-Type: text/plain; charset=ISO-8859-1
X-Greylisting: NO DELAY (Relay+Sender autoqualified); processed by UCSD_GL-v2.1 on mailbox8.ucsd.edu; Sat, 03 September 2005 22:30:16 -0700 (PDT)
User-Agent: Pan/0.14.2.91 (As She Crawled Across the Table (Debian GNU/Linux)) Hamster/2.0.6.0
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Content-Transfer-Encoding: 8bit
NNTP-Posting-Host: news.newsdawg.com
Organization: No one has detected any such
Message-ID:
X-Spamscanner: mailbox8.ucsd.edu (v1.6 Aug 4 2005 15:27:38, 0.0/5.0 3.0.4)
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com> <11hgs71j941hs0a@corp.supernews.com> <1125683278.320264.138150@f14g2000cwb.googlegroups.com> <11hjop9ci9opeb2@corp.supernews.com>
X-Spam-Level: Level
Mime-Version: 1.0
X-Mailscanner: PASSED (v1.2.8 9869 j845UF0X010732 mailbox8.ucsd.edu)
Date: Sun, 4 Sep 2005 11:20:05 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 27
Path: x-privat.org!Iskon!fu-berlin.de!headwall.stanford.edu
 !newsfeed.stanford.edu!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16921

On Sat, 03 Sep 2005 23:24:48 +0000, fhh wrote:

> What you are saying here is really alarming. In fact you are admitting that
> up to 50% of the revenue of Atrivo.com may be related to (proxy) spam and
> other serious abuse. You are confirming that Atrivo is unable and unwilling
> to stop the abuse by customers of Esthost.

And, in fact, that up to half of Atrivo's income is dependent on criminal activities, and that Atrivo knowingly (if passively) permits that criminal activity to continue. That's not an admission calculated to inspire trust. You have another job lined up someplace, Russ? I'd say the final nail is now in Atrivo's coffin.

--
Tired of spam in your mailbox?
Come to http://www.spamblocked.com
Who is Brad Jesness? http://www.wilhelp.com/bj_faq/
To the spammers, my motto: FABRICATI DIEM, PVNC.

=== And more of the abuser still being hosted at Esthost/Atrivo ===

Newsgroups: news.admin.net-abuse.blocklisting
From: "Spamhuntress"
Subject: Re: To Russel at Atrivo
Approved: NANAB Moderators
Injection-Info: g14g2000cwa.googlegroups.com; posting-host=217.212.249.25; posting-account=pYzhaA0AAAB9xdIn18bWMs58j6LRcW1D
Content-Type: text/plain; charset="iso-8859-1"
X-Greylisting: NO DELAY (Relay+Sender autoqualified); processed by UCSD_GL-v2.1 on mailbox7.ucsd.edu; Mon, 05 September 2005 03:58:52 -0700 (PDT)
X-Complaints-To: groups-abuse@google.com
User-Agent: G2/0.2
Complaints-To: groups-abuse@google.com
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Date: Mon, 5 Sep 2005 10:58:51 +0000 (UTC)
Nntp-Posting-Host: 217.212.249.25
X-Http-Useragent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6,gzip(gfe),gzip(gfe)
Organization: http://groups.google.com
Message-ID: <1125917927.524215.97750@g14g2000cwa.googlegroups.com>
X-Spamscanner: mailbox7.ucsd.edu (v1.6 Aug 4 2005 15:27:38, -2.8/5.0 3.0.4)
References: <1115632168.758698.260210@z14g2000cwz.googlegroups.com> <1115806409.846150.263890@o13g2000cwo.googlegroups.com> <1115891582.608794.177530@g43g2000cwa.googlegroups.com> <431b5e67$0$18642$14726298@news.sunsite.dk>
X-Spam-Level: Level
X-Trace: posting.google.com 1125917931 9123 127.0.0.1 (5 Sep 2005 10:58:51 GMT)
Mime-Version: 1.0
X-Mailscanner: PASSED (v1.2.8 64627 j85AwpgP073378 mailbox7.ucsd.edu)
Date: Mon, 5 Sep 2005 11:21:59 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 25
Path: x-privat.org!news.newsland.it!newshub.sdsu.edu!headwall.stanford.edu
 !newsfeed.stanford.edu!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16927

Eugene is still at it. ESThost terminated his domains where he was selling his spam submitter, but have so far refused to terminate service to his boxes.

I hadn't seen any spam from him since he revenge spammed my name and personal domain. But I went looking, and found some. This time he was using free webpages, pointing to one of his main domains. And the last spam I found was September 4, this year. I've seen phpNuke spam (September 4), profile spam (August 30), blogspam (September 1). All for the same subdomain: mypascal.alfaspace.net

And when I found that one, I found others. Including dynamic IP subdomains as late as the end of August/beginning of September:

http://www.fairvotecanada.org/phpBB/bb_memberlist.php?&start=550&sortby=

Yep, he's still a spammer!

=== Confirmed by others ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Anri Erinin
Subject: Re: To Russel at Atrivo
Approved: NANAB Moderators
Content-Type: text/plain; charset=us-ascii; format=flowed
X-Accept-Language: en-us, en
X-Complaints-To: staff@sunsite.dk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Host: 212.50.17.121
Content-Transfer-Encoding: 7bit
Organization: SunSITE.dk - Supporting Open source
Message-ID: <431b5e67$0$18642$14726298@news.sunsite.dk>
References: <1115632168.758698.260210@z14g2000cwz.googlegroups.com> <1115806409.846150.263890@o13g2000cwo.googlegroups.com> <1115891582.608794.177530@g43g2000cwa.googlegroups.com>
X-Trace: news.sunsite.dk DXC=ZQ4[d6c2=cf`=De8eDBgc`YSB=nbEKnkkB1HQahRcg_9UDbheZ]ja_8>MKP;j
 KKklehNBL\^V2`2N2d5S\iQ7jhf2iVJbagfm
Mime-Version: 1.0
Date: Sun, 4 Sep 2005 20:33:48 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 32
Path: x-privat.org!news.glorb.com!news.kjsl.com!zorac!blocklisting.com!robomod
 !not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16924

Spamhuntress wrote:

> Eugene is still at it. Check this page:
> http://www.analogindustries.com/mt/archives/2004/12/64_times_64_is.html
> The nude asians entry from May 10 can be tracked back to Eugene, and
> the domain hidden in the javascript (redirect) is on that same machine.
> Even the dynamic IP site is on Atrivo IP space: 69.50.170.77, in
> William Lu's IP space.

Hm, it does not look dynamic:

whois -h rwhois.intercage.com 69.50.170.77
network:IP-Network:69.50.170.64/28
network:IP-Network-Block:69.50.170.64 - 69.50.170.79
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

but it does look like esthost:

220 r4-h111.esthost.com ESMTP Sendmail 8.13.1/8.12.11; Sun, 4 Sep 2005

--
Yes, I do have a spellchequer

=== Atrivo wants more information on the abuser (what is their abuse@ for?..) ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Russ@Atrivo.com
Subject: Re: To Russel at Atrivo
Approved: NANAB Moderators
Injection-Info: g44g2000cwa.googlegroups.com; posting-host=67.120.99.146; posting-account=2w8xwQ0AAADzda9cIvAir5JUpndTEjLg
Content-Type: text/plain; charset="iso-8859-1"
X-Complaints-To: groups-abuse@google.com
User-Agent: G2/0.2
Complaints-To: groups-abuse@google.com
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Date: Tue, 6 Sep 2005 04:26:38 +0000 (UTC)
Nntp-Posting-Host: 67.120.99.146
X-Http-Useragent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322),gzip(gfe),gzip(gfe)
Organization: http://groups.google.com
Message-ID: <1125980793.816826.56470@g44g2000cwa.googlegroups.com>
References: <1115632168.758698.260210@z14g2000cwz.googlegroups.com> <1115806409.846150.263890@o13g2000cwo.googlegroups.com> <1115891582.608794.177530@g43g2000cwa.googlegroups.com> <431b5e67$0$18642$14726298@news.sunsite.dk> <1125917927.524215.97750@g14g2000cwa.googlegroups.com>
X-Trace: posting.google.com 1125980798 2380 127.0.0.1 (6 Sep 2005 04:26:38 GMT)
Mime-Version: 1.0
Date: Tue, 6 Sep 2005 10:59:30 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 18
Path: x-privat.org!news.glorb.com!news.kjsl.com!zorac!blocklisting.com!robomod
 !not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16932

Hello Spamhuntress,

Would you mind providing me with whatever information you have on the IPs/Domains/Servers he is on.
We haven't had one report of blog spam since we (thought) we got rid of him. I guess we're wrong.

Thank you for your time. Have a great day.

Sincerely,
Russell Mitchell - Russ[at]Atrivo.com
Atrivo Technologies

=== Reply ===

Newsgroups: news.admin.net-abuse.blocklisting
From: "Spamhuntress"
Subject: Re: To Russel at Atrivo
Approved: NANAB Moderators
Injection-Info: g47g2000cwa.googlegroups.com; posting-host=217.212.249.25; posting-account=pYzhaA0AAAB9xdIn18bWMs58j6LRcW1D
Content-Type: text/plain; charset="iso-8859-1"
X-Greylisting: NO DELAY (Relay+Sender autoqualified); processed by UCSD_GL-v2.1 on mailbox7.ucsd.edu; Tue, 06 September 2005 06:53:21 -0700 (PDT)
X-Complaints-To: groups-abuse@google.com
User-Agent: G2/0.2
Complaints-To: groups-abuse@google.com
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Date: Tue, 6 Sep 2005 13:52:49 +0000 (UTC)
Nntp-Posting-Host: 217.212.249.25
X-Http-Useragent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6,gzip(gfe),gzip(gfe)
Organization: http://groups.google.com
Message-ID: <1126014764.442772.282930@g47g2000cwa.googlegroups.com>
X-Spamscanner: mailbox7.ucsd.edu (v1.6 Aug 4 2005 15:27:38, -2.8/5.0 3.0.4)
References: <1115632168.758698.260210@z14g2000cwz.googlegroups.com> <1115806409.846150.263890@o13g2000cwo.googlegroups.com> <1115891582.608794.177530@g43g2000cwa.googlegroups.com> <431b5e67$0$18642$14726298@news.sunsite.dk> <1125917927.524215.97750@g14g2000cwa.googlegroups.com> <1125980793.816826.56470@g44g2000cwa.googlegroups.com>
X-Spam-Level: Level
X-Trace: posting.google.com 1126014769 13729 127.0.0.1 (6 Sep 2005 13:52:49 GMT)
Mime-Version: 1.0
X-Mailscanner: PASSED (v1.2.8 26083 j86DrKfH031930 mailbox7.ucsd.edu)
Date: Tue, 6 Sep 2005 18:35:33 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 13
Path: x-privat.org!area.cu.mi.it!nntp.eutelia.it!itgate.net!nntp1.phx1.gblx.net
 !nntp.gblx.net!nntp.gblx.net!rahul.net!wasp.rahul.net!rahul.net!news.kjsl.com
 !zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16936

I'll round up what I have, privately. For now, have a look at this page. Hasn't been updated much lately, but it provides an overview of my investigation to determine that he was in fact a spammer himself:

http://spamhuntress.com/wiki/Eugene_Blagodarny

=== The web page's content ===

Eugene Blagodarny
From Spamhuntress

New: He's spamming guestbooks in my name (http://spamhuntress.com/2005/08/18/revenge-spam-from-eugene-blagodarny/), August 4-19. He's still spamming (September 4). Forum profile spam, blogs. Occasionally PHPnuke.

I’ve been keeping an eye on some porn spammers. Some usually leave trackbacks with sites on dynamic dns servers. This one however used comments. I followed the trail of one such site (from dyndns site to site it redirects to via javascript), and ended up on the same server as Eugene Blagodarny’s advanced-submitter. It’s exactly the kind of software used for spamming the blogs. This was in April, and the site I found and pinged, is no longer in the zone. Stuff moves around.

So, my question is, do all the sites on that server belong to Eugene Blagodarny, or just the two connected with his submitter software?

Oh yes, he’s got something to do with it. Might even be his. The e-mail address used for registering the porn domains use an e-mail address from a domain registered by Eugene. Mark Bosner is often the name associated with the domains, when there’s someone associated with them at all.
But since the e-mail address given for those domain names resolves to Eugene’s own e-mail address (VRFY is disabled on most mail servers, but this one was sloppy…), I think we can bypass Mark Bosner easily:

Here's the output from my trace:

VRFY domains@gals4all.com
252 2.1.5

May 10, 2005, I found some newly spammed free sites (man-fucking-dog.beastialityx.x24hr.com) that redirected to a site (inceststories.ws) that was hosted on 205.252.251.146. On that IP number, I found a domain name (free-gay-video-clip.com) that was spamvertized via comments March 17, 2004. The whois info is again for Mark Bosner, but the e-mail address of the registrant is different from the other contacts, and it contains: eugene@trafficshop.com. It also contains Eugene's phone number: +38.0675555555.

Another domain spamvertized that same day (http://off.net/m-t/__mt-comments-flurp.cgi?entry_id=2995) has a domain (sweethotgirls.com) with this whois info for registrant:

Eugene eugene@trafficshop.com
+38.0675555555
PHP/PERL Solutions
WA str, 45a
London,WA,UNITED KINGDOM 23555

Yep, unless Eugene is fronting for someone else, he’s a spammer himself. I trust that wasn’t a big surprise?

I verified my findings May 9, and posted my findings to link usenet (http://groups-beta.google.com/group/news.admin.net-abuse.blocklisting/msg/a427d469d68f118c). Spammers move their domains around a lot, so if your findings are different weeks from now, that's to be expected.

After mucking around a bit with spam domains, I finally found some that had Eugene's well known e-mail address from php-soft on them. And I found Eugene soliciting content (http://www.master-x.com/forum/postings/133311/). So, we know Eugene at trafficshop reads and writes Russian.

Advanced-submitter still has Eugene's name on the whois info, but he's changed his location to Australia. The info leaves no doubt that php-soft.com belongs to him, even though that now sports a different whois info.

Geodog captured an earlier version of advanced-submitter's whois info (http://www.thebishop.net/geodog/archives/2004/09/18/anatomy_of_comment_spam_script_vendors_emil_kacperski_eugene_blagodarny_and_corporate_helpers.html)

My original expose (http://spamhuntress.com/2005/04/18/eugene-blagodarny-porn-spammer/), containing some of the same text as this article

Some IP numbers housing websites belonging to him:

* 66.230.140.146 (holds some of his non-porn sites) - isprime.com
* 69.50.164.156 - esthost
* 69.50.164.157 (holds his submitter script as well as porn sites) - esthost
* 69.50.170.75 (added May 15. Probably only dynamic IP sites)
* 69.50.170.76 (only sites with pointers from dynamic DNS services) - William Lu/Atrivo
* 69.50.170.77 (only sites with pointers from dynamic DNS services) - William Lu/Atrivo
* 69.50.191.27 - (holds php-soft and perl-soft as well as porn and other affiliates) esthost
* 70.85.190.43 - The Planet
* 80.77.85.103 - hqhost
* 205.252.251.146 - advanedhoster

=== Request to comment on hosting DNS for some nasty viruses/trojans on the ===
=== whole bunch of IPs at Atrivo. Of course no answer from Atrivo ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Anri Erinin
Subject: Re: Atrivo/InterCage Abuse
Approved: NANAB Moderators
Content-Type: text/plain; charset=us-ascii; format=flowed
X-Accept-Language: en-us, en
X-Greylisting: NO DELAY (Relay+Sender autoqualified); processed by UCSD_GL-v2.1 on mailbox4.ucsd.edu; Wed, 07 September 2005 07:41:16 -0700 (PDT)
X-Complaints-To: staff@sunsite.dk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Host: 212.50.17.121
Content-Transfer-Encoding: 7bit
Organization: SunSITE.dk - Supporting Open source
Message-ID: <431efc05$0$18641$14726298@news.sunsite.dk>
X-Spamscanner: mailbox4.ucsd.edu (v1.6 Aug 4 2005 15:27:38, 0.0/5.0 3.0.4)
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com>
X-Spam-Level: Level
X-Trace: news.sunsite.dk DXC=Fo>28J8@mhSlB1HQahRcW_9UDbheZ]jQ_8>MKP;j
 KK[lehNBL\^V2Pda=Uk^98jeRH=dYdK==4TP
Mime-Version: 1.0
X-Mailscanner: PASSED (v1.2.8 56697 j87EfEkx058435 mailbox4.ucsd.edu)
Date: Wed, 7 Sep 2005 17:11:03 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 38
Path: x-privat.org!news.newsland.it!news.glorb.com!news.kjsl.com!zorac
 !blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16941

Russ@Atrivo.com wrote:

> Hello all,
>
> I'd just like to recap for the past few months. We haven't heard very
> much as far as abuse on the network. So we take that as abuse has
> slowed down.
Russell, can you please comment on this: http://www.google.com/search?num=100&as_qdr=all&q="85.255.112.9" http://www.google.com/search?num=100&as_qdr=all&q="85.255.112.10" http://www.google.com/search?num=100&as_qdr=all&q="85.255.112.11" http://www.google.com/search?num=100&as_qdr=all&q="85.255.112.12" http://www.google.com/search?num=100&as_qdr=all&q="85.255.112.13" http://www.google.com/search?num=100&as_qdr=all&q="85.255.112.15" http://www.google.com/search?num=100&q="195.95.218.1" http://www.google.com/search?num=100&q="195.95.218.3" http://www.google.com/search?num=100&q="195.95.218.4" http://www.google.com/search?num=100&q="195.95.218.5" Note that in most cases the other DNS is within 69.50.160.0/19... Just one example: http://www.google.com/search?num=100&as_qdr=all&q="69.50.184.86" -- Yes, I do have a spellchequer -- Comments posted to news.admin.net-abuse.blocklisting are solely the responsibility of their author. Please read the news.admin.net-abuse.blocklisting FAQ at http://www.blocklisting.com/faq.html before posting. === Another reply, pointing out a whole bunch of spam sites, still being === === hosted at Atrivo, 5 MONTHS after the spams were reported to Atrivo! 
===

Newsgroups: news.admin.net-abuse.blocklisting
From: Rich Kulawiec
Subject: Re: Atrivo/InterCage Abuse (Attn: SPEWS S2489)
Approved: NANAB Moderators
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.5.9i
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Organization: Collocated; Los Angeles, CA
Message-ID: <20050906170212.GA26156@gsp.org>
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com>
 <11hgs71j941hs0a@corp.supernews.com>
 <1125683278.320264.138150@f14g2000cwb.googlegroups.com>
Content-Disposition: inline
Mime-Version: 1.0
Date: Tue, 6 Sep 2005 17:46:03 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 193
Path: x-privat.org!area.cu.mi.it!news.newsland.it!newshub.sdsu.edu
 !headwall.stanford.edu!newsfeed.stanford.edu!zorac!blocklisting.com!robomod
 !not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16935

> If I had the ability... I would cut Esthost as a client... But, in
> doing so, it causes nearly a quarter if not half of the company's
> monthly revenue to be cut. That is not too good of a move nor
> reasonably possible ;)

However, it is necessary that you do so immediately. But we'll get to that.

First, let's see how you've done with spammers on your network that were
reported to you not only here but (with considerably more detail) to your
abuse address back in early April -- FIVE MONTHS AGO.

Of course, any responsible and competent abuse desk would have had all
of these completely and permanently removed within hours.
Yet, we find (as of 12 noon EST September 6) that all of these
spammers/abusers/phishers are still on Atrivo's network:

And then we get to Esthost, which of course is nothing but a front
for spammers, phishers, and other varieties of scum. A brief glance
there turns up:

	4-counter.com
	aroundweb.com
	deftonsm.com
	easy-search.net
	find-online.net
	icanfindit.net
	oopsearch.com
	thesearchs.com
	maximumsearch.net
	find4u.net

who are all in the spyware business, and then there's the "Lamagro" spam gang:

	alloha.info
	amateur-thumbs.net
	car-fuck.net
	devonanal.com
	galsonbed.com
	justasex.com
	stories-adult.net
	usbitches.com

and another spyware scumbag:

	topantispyware.com

as well as a generous assortment of others:

And like I said: a *brief* glance. No doubt a more thorough examination
would turn up many more.

Now let's return to your statement:

> If I had the ability... I would cut Esthost as a client... But, in
> doing so, it causes nearly a quarter if not half of the company's
> monthly revenue to be cut. That is not too good of a move nor
> reasonably possible ;)

You are the abuse desk at Atrivo, are you not? Then it is presumed that
you have the ability to cut ANYONE as a client. Instantly.

I therefore expect all the domains in the first group above, as well
as Esthost, to be promptly and permanently removed from Atrivo's network.
"promptly", as in today.
Any further delay will be factored into my decision about whether or not
any IP traffic from Atrivo-controlled network space will be permitted on
my network or any of my clients'.

Please do not bother to follow up this message with excuses or
hand-wringing or rationalization or whining or anything else.
I am interested, at this point, ONLY in your actions.

---Rsk

=== Another one ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Rich Kulawiec
Subject: Re: Atrivo/InterCage Abuse (Attn: SPEWS S2489)
Approved: NANAB Moderators
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.5.9i
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Organization: Collocated; Los Angeles, CA
Message-ID: <20050914162924.GA7727@gsp.org>
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com>
 <11hgs71j941hs0a@corp.supernews.com>
 <1125683278.320264.138150@f14g2000cwb.googlegroups.com>
 <20050906170212.GA26156@gsp.org>
Content-Disposition: inline
Mime-Version: 1.0
Date: Wed, 14 Sep 2005 15:36:43 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 25
Path: x-privat.org!news.newsland.it!news.glorb.com!news.kjsl.com!zorac
 !blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16989

On Tue, Sep 06, 2005 at 01:02:12PM -0400, Rich Kulawiec wrote:
> I therefore expect all the domains in the first group above, as well
> as Esthost, to be promptly and permanently removed from Atrivo's network.

[...]

> Please do not bother to follow up this message with excuses or
> hand-wringing or rationalization or whining or anything else.
> I am interested, at this point, ONLY in your actions.

And a week of action -- or rather, inaction -- speaks volumes.
Meanwhile, Anri Erinin has continued to point out still *more* spammers,
phishers, spyware vendors, etc. on Atrivo's network. (See NANAE.)

I think we're done here.

---Rsk

=== Test of the list of virus and spyware Esthost hosts on Atrivo above ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Anri Erinin
Subject: Re: Atrivo/InterCage Abuse (Attn: SPEWS S2489)
Approved: NANAB Moderators
Content-Type: text/plain; charset=us-ascii; format=flowed
X-Accept-Language: en-us, en
X-Complaints-To: staff@sunsite.dk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Host: 212.50.17.121
Content-Transfer-Encoding: 7bit
Organization: SunSITE.dk - Supporting Open source
Message-ID: <431e020d$0$18641$14726298@news.sunsite.dk>
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com>
 <11hgs71j941hs0a@corp.supernews.com>
 <1125683278.320264.138150@f14g2000cwb.googlegroups.com>
 <20050906170212.GA26156@gsp.org>
X-Trace: news.sunsite.dk DXC=g@\l:_7bhdO1F[;SJ[;K0EYSB=nbEKnkKl58mSL^b02H4>B1HQahRcG_9UDbheZ]jA_8>MKP;j KKKlehNBL\^V2@WljD6Sg_@iFb\9k\5>G]BF
Mime-Version: 1.0
Date: Tue, 6 Sep 2005 20:05:35 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 365
Path: x-privat.org!news.glorb.com!news.kjsl.com!zorac!blocklisting.com!robomod
 !not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16937

Rich Kulawiec wrote:
>>If I had the ability... I would cut Esthost as a client... But, in
>>doing so, it causes nearly a quarter if not half of the company's
>>monthly revenue to be cut. That is not too good of a move nor
>>reasonably possible ;)
>
>
> However, it is necessary that you do so immediately.
> But we'll get to that.
>
> First, let's see how you've done with spammers on your network that were
> reported to you not only here but (with considerably more detail) to your
> abuse address back in early April -- FIVE MONTHS AGO.
>
> Of course, any responsible and competent abuse desk would have had all
> of these completely and permanently removed within hours.
>
> Yet, we find (as of 12 noon EST September 6) that all of these
> spammers/abusers/phishers are still on Atrivo's network:

Most of these are hosted by Esthost/Estdomains (Coteco LLC) with a few
exceptions for adultxspace.com (yet another Russian spammer), "Thumbest
Hosting" - (yet another adult hosting) and one William Lu:

> And then we get to Esthost, which of course is nothing but a front
> for spammers, phishers, and other varieties of scum. A brief glance
> there turns up:
>
> 4-counter.com
> icanfindit.net 216.239.59.99 - Heh!
> aroundweb.com 69.50.177.4
> deftonsm.com 69.50.166.174
> easy-search.net
> find-online.net 69.50.171.44
> oopsearch.com 80.77.85.97 -> uaonline
> thesearchs.com
> maximumsearch.net 66.246.221.83 - nac.net
> find4u.net 69.50.172.99

Quote: "There is no "network of esthost". The network in which Esthost
resides is our network."

It looks like there is no 'network of intercage'...

--
Yes, I do have a spellchequer

=== Reply from Atrivo ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Russ@Atrivo.com
Subject: Re: Atrivo/InterCage Abuse
Approved: NANAB Moderators
Injection-Info: g44g2000cwa.googlegroups.com; posting-host=67.120.99.146; posting-account=2w8xwQ0AAADzda9cIvAir5JUpndTEjLg
Content-Type: text/plain; charset="iso-8859-1"
X-Complaints-To: groups-abuse@google.com
User-Agent: G2/0.2
Complaints-To: groups-abuse@google.com
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Date: Tue, 6 Sep 2005 04:18:58 +0000 (UTC)
Nntp-Posting-Host: 67.120.99.146
X-Http-Useragent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322),gzip(gfe),gzip(gfe)
Organization: http://groups.google.com
Message-ID: <1125980332.847354.16570@g44g2000cwa.googlegroups.com>
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com>
 <11hgs71j941hs0a@corp.supernews.com>
 <1125683278.320264.138150@f14g2000cwb.googlegroups.com>
 <431c81e7$8$fuzhry+tra$mr2ice@news.patriot.net>
X-Trace: posting.google.com 1125980338 1799 127.0.0.1 (6 Sep 2005 04:18:58 GMT)
Mime-Version: 1.0
Date: Tue, 6 Sep 2005 04:08:22 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 17
Path: x-privat.org!news.glorb.com!news.kjsl.com!zorac!blocklisting.com!robomod
 !not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16931

Spamhuntress, fhh, Schmuel:
As I've stated, I'll be bringing some new policies into effect with the
launch of InterCage.

They will be available soon.

Thanks for your responses. Glad at least a few of us can be on the same
foot,
Russell Mitchell - Russ[at]Atrivo.com
Atrivo Technologies

=== What people think of it ===

Newsgroups: news.admin.net-abuse.blocklisting
From: fhh
Subject: Re: Atrivo/InterCage Abuse
Approved: NANAB Moderators
Content-Type: text/plain; charset=us-ascii
X-Complaints-To: abuse@supernews.com
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Content-Transfer-Encoding: 7Bit
Organization: Posted via Supernews, http://www.supernews.com
Message-ID: <11hrunjn2thcocc@corp.supernews.com>
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com>
 <11hgs71j941hs0a@corp.supernews.com>
 <1125683278.320264.138150@f14g2000cwb.googlegroups.com>
 <431c81e7$8$fuzhry+tra$mr2ice@news.patriot.net>
 <1125980332.847354.16570@g44g2000cwa.googlegroups.com>
Mime-Version: 1.0
Date: Tue, 6 Sep 2005 20:44:07 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 22
Path: x-privat.org!news.newsland.it!newshub.sdsu.edu!headwall.stanford.edu
 !newsfeed.stanford.edu!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16938

Russ@Atrivo.com wrote:
> Spamhuntress, fhh, Schmuel:
> As I've stated, I'll be bringing some new policies into effect with the
> launch of InterCage.
>
> They will be available soon.

Ok, I will wait and see.

Until then my conclusion is that Atrivo / Esthost resembles a bulletproof
provider for malware and zombiemasters.

Firewalling Atrivo/Intercage IP space looks quite appropriate for internet
users who are not interested in zombiemasters, trojans and proxy spam.
--
feike

=== Examples of various criminal activities on Esthost/Atrivo hosts: money ===
=== fraud, pirated warez sales, viruses, trojans, spyware..., you name it ===

From spammers_lie@rambler.ru Fri Sep 16 21:54:43 2005
Newsgroups: news.admin.net-abuse.blocklisting
From: Anri Erinin
Subject: Re: Atrivo/InterCage Abuse (long)
Approved: NANAB Moderators
Content-Type: text/plain; charset=us-ascii; format=flowed
X-Accept-Language: en-us, en
X-Complaints-To: staff@sunsite.dk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Host: 212.50.17.121
Content-Transfer-Encoding: 7bit
Organization: SunSITE.dk - Supporting Open source
Message-ID: <431abc00$0$18639$14726298@news.sunsite.dk>
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com>
 <11hgs71j941hs0a@corp.supernews.com>
 <1125683278.320264.138150@f14g2000cwb.googlegroups.com>
X-Trace: news.sunsite.dk DXC=nfB1HQahRcG_9UDbheZ]jA_8>MKP;jKKKlehNBL\^V2@da=Uk^98jeBSGI?^@?lEaE
Mime-Version: 1.0
Date: Mon, 5 Sep 2005 02:36:56 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 931
Path: x-privat.org!news.glorb.com!news.kjsl.com!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16926

Russ@Atrivo.com wrote:
> Hello fhh,
>
> There is no "network of esthost". The network in which Esthost resides
> is our network.
I did notice atrivo.com became intercage.com but haven't noticed you are
on the move again:

http://groups.google.com/group/nl.internet.misbruik/msg/9afffd0636ae9bf9?hl=en&

old netname:

inetnum: 85.255.112.0 - 85.255.127.255
netname: EstHost
descr: Inhoster hosting company
descr: OOO Inhoster, ul.Antonova 5, Kiev, 03186, Ukraine

current netname:

inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

> Esthost is one of our larger clients, They are very
> successful in the industry of web hosting and domain registration. They
> just recently became an ICANN Accredited Registrar. I won't comment on
> "why" they're so successful... But for some, that may be obvious.

I think we can safely use google as 'rating' or 'citation' service,
can't we?

http://www.google.com/search?q=%22estdomains.com%22
http://www.google.com/search?q=%22esthost.com%22

Please specifically note the second one:
Results 1 - 100 of about 12,800 for "esthost.com".

spam, fraud, viruses, hijack, proxies, fraud, spam, abuse, fraud, scam,
pr0n, spam, exploits, trojans, fraud, scam, spam.

These are the supplementary words associated with these searches.

I have a question to you: who is Coteco, LLC? Is this another atrivo
alias or is it the name of the client of intercage? Because everything
associated with esthost/estdomains/estboxes/estservers (well, most of it)
resolves to Coteco, LLC at intercage:

mckenell.com has address 69.50.182.18

network:IP-Network:69.50.182.16/29
network:IP-Network-Block:69.50.182.16 - 69.50.182.23
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

http://www.google.com/search?&sa=G&q=%22mckenell.org%22
http://mckenell.com/
http://stevegonz.web.aplus.net/Careerswithmckenell.html

ORDER MANAGER

Description

Your role will include to handle the administration and processing of
clients' orders and customer support cases in general, assist in
pre-sales activities, work on documentation, develop a cash-flow scheme
for each order, calculate service commission, and handle consulting
activities on payment conversion details, etc. The training course is
enclosed.

We hope you to fulfill the following requirements:

* Willingness to teach oneself on complex technical matters;
* Ability to analyze complex problems and propose solution scenarios;
* Willingness to convert telephone inquiries into paid orders;
* Strong customer, interpersonal, sales and telephone skills;
* Ability to work efficiently and achieve good interaction with potential customers.

Salary

The payment range is from $1000 - $1400 per week depending on individual
willingness to work.

Qualifications:

* Age range from 26 to 45 years.
* Prior payments management knowledge (bank transfers, checks, postal money orders, wire transfers) is a must.
* Basic knowledge on most frequently used e-currency and e-payment systems (E-gold, PayPal, E-bullion, etc) and how they work.
* Ability to conduct consulting.
* Well-balanced personal and managerial style.
* Be able to perform well under situations with tight time-requirements.
* Computer proficiency (advanced user level).
* 3+ years in finance environment is a benefit.

General:

* Office environment
* Full-time employment and commitment required

Important:

A competitive salary, outstanding benefits package and professional
support is offered to individuals willing to work and to achieve
top-notch professional level.

TRANSFER MANAGER

Job Description

The task of the Processing Manager is to process payments between our
partners' clients and our company, in particular, to manage cash and
balance receipts, follow up on accounts, etc. The job is related to
remote Internet operations. Every payment order will be accompanied by
detailed instruction. The brief training course is enclosed.

Salary

5% from each transaction

Candidate requirements

* Willingness to work from home, take responsibility, set up and achieve goals
* Ability to create good administrative reporting
* Prior customer service experience is a good benefit, but not a must
* Honesty, responsibility and promptness in operations
* Effectively interaction with customers
* Familiar to working online, Internet and e-mail skills
* One or several personal bank accounts.

General:

This job will allow you to:

* Work efficiently from home;
* Increase available personal time
* Achieve financial independence in half the normal time (1-3 hours per day)
* Interact and associate with other members in order to benefit from their knowledge and experiences
* Become able to share time and money with others less fortunate than yourself
* Develop high self-respect and esteem.

SUPPORT MANAGER

Job Description

We are looking for a new talent to strengthen our Support Team. We are
mainly looking for candidates to receive and redirect phone calls to
consultants if necessary, react to the calls and consult on various items
himself. The brief training course is enclosed. Please contact us to know
more about this job.

Salary

$700-$800 per week

Candidate requirements:

Ability to work well in a team
Nice voice
Ability to eliminate stress and good communication manners
Customer service attitude, and ability to handle different kinds of people
PC User skills

Type of Activity:

Full-time occupation
Office environment

WHOIS details for domain "mckenell.com":

Request: mckenell.com
from whois.crsnic.net:43 [cached Thu Mar 24 23:45:23 2005 UTC]
from whois.directi.com:43 [cached Thu Mar 24 23:45:24 2005 UTC]

Registration Service Provided By: ESTDOMAINS
Contact: support@estdomains.com
Website: http://www.estdomains.com
Abuse Desk Email Address: abuse@estdomains.com

Domain Name: MCKENELL.COM

Registrant:
McKenell Investiments Ltd. Kelly B. Potts (ateramaxi@mail15.com) 7204 Secret valley Ct SW Albuquerque NM,87121 US Tel. +505.2648443

Creation Date: 20-Jan-2005
Expiration Date: 20-Jan-2006

Domain servers in listed order:
24572.mercury.orderbox-dns.com
24572.venus.orderbox-dns.com
24572.earth.orderbox-dns.com
24572.mars.orderbox-dns.com

Administrative Contact:
McKenell Investiments Ltd. Kelly B. Potts (ateramaxi@mail15.com) 7204 Secret valley Ct SW Albuquerque NM,87121 US Tel. +505.2648443

Technical Contact:
McKenell Investiments Ltd. Kelly B. Potts (ateramaxi@mail15.com) 7204 Secret valley Ct SW Albuquerque NM,87121 US Tel. +505.2648443

Billing Contact:
McKenell Investiments Ltd. Kelly B. Potts (ateramaxi@mail15.com) 7204 Secret valley Ct SW Albuquerque NM,87121 US Tel. +505.2648443

Status:ACTIVE

See also
http://groups.google.com/groups?&as_scoring=d&num=100&as_q=orderbox-dns.com

-------------------------

velocityglobalinc.com has address 217.106.234.205

http://velocityglobalinc.com/employ.html

We have many ways to save our clients' money. We hire the cheapest
programmers and designers all over the world. Our stuff works mostly from
home and we don't pay high office rent. That is why our price is the best
on the market. One of these ways to save money is hiring a Financial
Manager.
In case of getting order from another country we have to pay 15% fee for
international bank transfer according to the US law. To reduce the
tranfer cost we are looking for Financial Managers all over the world.
When we get an order from another country, the Financial Manager in this
country gets the payment and sends it to us through Western Union.
Commission rate of Financial Managers is 3%. This way we reduce expences
for international bank transfer twice.

In order to qualify for the position, you must be aged 21 and above. The
prospective candidate should be good with numbers, committed and a good
communicator. No special education is required; however, any experience
in accounting / finance / client relations / database management is an
advantage. You will be working under the direct supervision of the
respective Regional Collections Executive.

You receive your commission as soon as the transfer is carried out. There
are no probation periods, no rolling reserves and no hidden fees or
deductions.

Now required financial manager in:

The United Kingdom
Australia
New Zealand

whois -h whois.criticalinternet.com velocityglobalinc.com

Registration Service Provided By: ESTDOMAINS
Contact: +372.55647646
Website: http://www.estdomains.com

Domain Name: VELOCITYGLOBALINC.COM

Registrant:
Velocity Global Serge (velocityinglobal@hotmail.com) 2100 West Loop S Houston Texas,77002 US Tel. +512.2885915

Creation Date: 23-Jul-2005
Expiration Date: 23-Jul-2006

Domain servers in listed order:
ns1.velocityglobalinc.com
ns2.velocityglobalinc.com

Administrative Contact:
Velocity Global Serge (velocityinglobal@hotmail.com) 2100 West Loop S Houston Texas,77002 US Tel. +512.2885915

Technical Contact:
Velocity Global Serge (velocityinglobal@hotmail.com) 2100 West Loop S Houston Texas,77002 US Tel. +512.2885915

Billing Contact:
Velocity Global Serge (velocityinglobal@hotmail.com) 2100 West Loop S Houston Texas,77002 US Tel. +512.2885915

Status:ACTIVE

-------------------

http://www.google.com/search?&q=%22pukkasearch.net%22
http://www.google.com/search?&q=%22your-searcher.com%22
http://www.google.com/search?&q=%2224-7-search.com%22
http://groups.google.com/groups?q=%2224-7-search.com%22

Old:

your-searcher.com has address 69.31.76.67

network:Handle:CUSTBLK-69-31-76-64-29
network:IP-Network:69.31.76.64/29
network:IP-Network-Block:69.31.76.64 - 69.31.76.71
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

your-searcher.com has address 69.50.172.99

network:IP-Network:69.50.172.96/27
network:IP-Network-Block:69.50.172.96 - 69.50.172.127
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

24-7-search.com has address 69.50.191.68

network:IP-Network-Block:69.50.191.64 - 69.50.191.71
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

----------------

softzion.net has address 69.50.160.83

network:IP-Network:69.50.160.80/29
network:IP-Network-Block:69.50.160.80 - 69.50.160.87
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

http://softzion.net/faq.php

Why is the software so inexpensive?

We offer the software for downloading only, it means that you do not
receive a fancy package, a printed manual and license that actually
aggregate the largest part of the retail price. In this situation we are
restricted in selling the products for private purposes only! You will
not be able to get a technical support and different rebates from the
manufacturer. Updates are available for the most of our products (you may
ask our support staff for the exceptions) that make them fully functional
and operating. Additionally you save the delivery cost.

whois -h whois.directi.com softzion.net
...
Registration Service Provided By: ESTDOMAINS
Contact: +372.55647646
Website: http://www.estdomains.com

Domain Name: SOFTZION.NET

Registrant:
    Neo net ltd John Hopking (soft@lastsoft.biz)
    PO box 675 , denver .co Denver CO,188101 US
    Tel. +1.2372732

Creation Date: 21-Apr-2005
Expiration Date: 21-Apr-2006

Domain servers in listed order:
    ns1.soft-ns.com
    ns2.soft-ns.com

Administrative Contact:
    Neo net ltd John Hopking (soft@lastsoft.biz)
    PO box 675 , denver .co Denver CO,188101 US
    Tel. +1.2372732

Technical Contact:
    Neo net ltd John Hopking (soft@lastsoft.biz)
    PO box 675 , denver .co Denver CO,188101 US
    Tel. +1.2372732

Billing Contact:
    Neo net ltd John Hopking (soft@lastsoft.biz)
    PO box 675 , denver .co Denver CO,188101 US
    Tel. +1.2372732

Status:ACTIVE

---------------------------

compare the above with:

http://lastsoft.biz/
lastsoft.biz has address 195.206.123.50

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL27034
195.206.120.0/22 is listed on the Spamhaus Block List (SBL)
24-Aug-2005 15:08 GMT | SR04
Telecom Point Company JSC (AS34373)

Domain Name: LASTSOFT.BIZ
Domain ID: D7325903-BIZ
Sponsoring Registrar: CRITICAL INTERNET, INC
Sponsoring Registrar IANA ID: 832
Domain Status: ok
Registrant ID: DI_1700129
Registrant Name: Dima Churjumov
Registrant Organization: NA
Registrant Address1: Nolvaku 11-15
Registrant City: Tartu
Registrant State/Province: Jögevamsa
Registrant Postal Code: 50309
Registrant Country: Estonia
Registrant Country Code: EE
Registrant Phone Number: +372.51342367
Registrant Email: expired@estdomains.com
Administrative Contact ID: DI_1700129
Administrative Contact Name: Dima Churjumov
Administrative Contact Organization: NA
Administrative Contact Address1: Nolvaku 11-15
Administrative Contact City: Tartu
Administrative Contact State/Province: Jögevamsa
Administrative Contact Postal Code: 50309
Administrative Contact Country: Estonia
Administrative Contact Country Code: EE
Administrative Contact Phone Number: +372.51342367
Administrative Contact Email: expired@estdomains.com
Billing Contact ID: DI_1700129
Billing Contact Name: Dima Churjumov
Billing Contact Organization: NA
Billing Contact Address1: Nolvaku 11-15
Billing Contact City: Tartu
Billing Contact State/Province: Jögevamsa
Billing Contact Postal Code: 50309
Billing Contact Country: Estonia
Billing Contact Country Code: EE
Billing Contact Phone Number: +372.51342367
Billing Contact Email: expired@estdomains.com
Technical Contact ID: DI_1700129
Technical Contact Name: Dima Churjumov
Technical Contact Organization: NA
Technical Contact Address1: Nolvaku 11-15
Technical Contact City: Tartu
Technical Contact State/Province: Jögevamsa
Technical Contact Postal Code: 50309
Technical Contact Country: Estonia
Technical Contact Country Code: EE
Technical Contact Phone Number: +372.51342367
Technical Contact Email: expired@estdomains.com
Name Server: NS1.1STSOTF-NS.COM
Name Server: NS2.1STSOTF-NS.COM
Created by Registrar: DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Last Updated by Registrar: CRITICAL INTERNET, INC
Last Transferred Date: Mon Aug 15 14:36:57 GMT 2005
Domain Registration Date: Wed Jul 07 20:44:54 GMT 2004
Domain Expiration Date: Thu Jul 06 23:59:59 GMT 2006
Domain Last Updated Date: Mon Aug 15 14:59:48 GMT 2005

--------------------------

Domain Name: 911-SOFT-SHOP.BIZ
Domain ID: D7926654-BIZ
Sponsoring Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Domain Status: clientHold
Domain Status: clientTransferProhibited
Registrant ID: D16DAE3E8DF27EC3
Registrant Name: STEVE MILLER
Registrant Organization: Swebsoft commun.
Registrant Address1: PO Box 7361-101540
Registrant City: San Francisco
Registrant State/Province: CA
Registrant Postal Code: 94120
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.5555555555
Registrant Email: 911shop@lastsoft.biz
Administrative Contact ID: 13AF41486A6AB5C6
Administrative Contact Name: STEVE MILLER
Administrative Contact Organization: Swebsoft commun.
Administrative Contact Address1: PO Box 7361-101540
Administrative Contact City: San Francisco
Administrative Contact State/Province: CA
Administrative Contact Postal Code: 94120
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.5555555555
Administrative Contact Email: 911shop@lastsoft.biz
Billing Contact ID: 19B654315BF6F9FF
Billing Contact Name: STEVE MILLER
Billing Contact Organization: Swebsoft commun.
Billing Contact Address1: PO Box 7361-101540
Billing Contact City: San Francisco
Billing Contact State/Province: CA
Billing Contact Postal Code: 94120
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.5555555555
Billing Contact Email: 911shop@lastsoft.biz
Technical Contact ID: 29E2CAB732B307DB
Technical Contact Name: STEVE MILLER
Technical Contact Organization: Swebsoft commun.
Technical Contact Address1: PO Box 7361-101540
Technical Contact City: San Francisco
Technical Contact State/Province: CA
Technical Contact Postal Code: 94120
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.5555555555
Technical Contact Email: 911shop@lastsoft.biz
Name Server: NS1.ALL4ALL.BIZ.DIRECTIDELETEDDOMAIN.COM
Name Server: NS2.ALL4ALL.BIZ.DIRECTIDELETEDDOMAIN.COM
Created by Registrar: ENOM, INC.
Last Updated by Registrar: ENOM, INC.
Domain Registration Date: Sun Oct 10 21:38:05 GMT 2004
Domain Expiration Date: Sun Oct 09 23:59:59 GMT 2005
Domain Last Updated Date: Tue Oct 26 17:24:35 GMT 2004

---------------------------

http://groups.google.com/groups?q=s-redirect.com
http://www.google.com/search?&sa=G&q=%22newiframe.biz%22

Domain Name: S-REDIRECT.COM

Registrant:
    Hikesi me Abdula J ()
    Tartu Peapostkontor, pk. 12 Tartu null,50001 EE
    Tel. +372.55647646

Creation Date: 18-May-2004
Expiration Date: 18-May-2005

Domain servers in listed order:
    ns1.pukkasearch.net
    ns2.pukkasearch.net

---------------

http://www.google.com/search?num=100&sa=G&q=%22Adwaredelete.com%22

whois -h whois.directi.com adwaredelete.com
...
Registration Service Provided By: ESTDOMAINS
Contact: +372.55647646
Website: http://www.estdomains.com

Domain Name: ADWAREDELETE.COM

Registrant:
    GSPAY LIMITED GSPAY LIMITED (support@adwaredelete.com)
    Tooley 88a London null,EC1Y 1BL GB
    Tel. +507.7923612

Creation Date: 23-Jun-2004
Expiration Date: 23-Jun-2006

Domain servers in listed order:
    ns1.klikfeed.com
    ns2.klikfeed.com

Administrative Contact:
    GSPAY LIMITED GSPAY LIMITED (support@adwaredelete.com)
    Tooley 88a London null,EC1Y 1BL GB
    Tel. +507.7923612

Technical Contact:
    GSPAY LIMITED GSPAY LIMITED (support@adwaredelete.com)
    Tooley 88a London null,EC1Y 1BL GB
    Tel. +507.7923612

Billing Contact:
    GSPAY LIMITED GSPAY LIMITED (support@adwaredelete.com)
    Tooley 88a London null,EC1Y 1BL GB
    Tel. +507.7923612

Status:ACTIVE

-------------------

http://www.google.com/search?num=100&q=%22soviet-tanks.com%22&btnG=Search

Registration Service Provided By: ESTHOST
Contact: sales@esthost.com

Domain Name: SOVIET-TANKS.COM

Registrant:
    Esthost Philip Lawrence (admin@18to21sex.com)
    Peapostkontor, pk. 12 Tartu null, 50001 EE
    Tel. +372.55647646

Creation Date: 12-Mar-2004
Expiration Date: 12-Mar-2005

Domain servers in listed order:
    ns1.1800callsex.com
    ns2.1800callsex.com

Administrative Contact:
    Esthost Philip Lawrence (admin@18to21sex.com)
    Peapostkontor, pk. 12 Tartu null, 50001 EE
    Tel. +372.55647646

Technical Contact:
    Esthost Philip Lawrence (admin@18to21sex.com)
    Peapostkontor, pk. 12 Tartu null, 50001 EE
    Tel. +372.55647646

Billing Contact:
    Esthost Philip Lawrence (admin@18to21sex.com)
    Peapostkontor, pk. 12 Tartu null, 50001 EE
    Tel. +372.55647646

----------------

http://www.google.com/search?num=100&sa=G&q=%22techstarlab.com%22

whois -h whois.criticalinternet.com techstarlab.com
...
Registration Service Provided By: ESTDOMAINS
Contact: +372.55647646
Website: http://www.estdomains.com

Domain Name: TECHSTARLAB.COM

Registrant:
    Domreg Inc. Philip Roettger (philiproettger@yahoo.com)
    12524 Gladecrest Drive Carmel IN,46033 US
    Tel. +618.4575921

Creation Date: 15-Jul-2005
Expiration Date: 15-Jul-2006

Domain servers in listed order:
    ns.informtelecom.ru
    ns1.informtelecom.ru

Administrative Contact:
    Domreg Inc. Philip Roettger (philiproettger@yahoo.com)
    12524 Gladecrest Drive Carmel IN,46033 US
    Tel. +618.4575921

Technical Contact:
    Domreg Inc. Philip Roettger (philiproettger@yahoo.com)
    12524 Gladecrest Drive Carmel IN,46033 US
    Tel. +618.4575921

Billing Contact:
    Domreg Inc. Philip Roettger (philiproettger@yahoo.com)
    12524 Gladecrest Drive Carmel IN,46033 US
    Tel. +618.4575921

Status:SUSPENDED
Note: This Domain Name is Suspended. In this status the domain name is InActive and will not function.

---------------

http://www.google.com/search?q=%22xawm.biz%22

[DOMAIN whois information for XAWM.BIZ ]

Domain Name: XAWM.BIZ
Namespace: ICANN Unsponsored Generic TLD - http://www.icann.org
TLD Info: See IANA Whois - http://www.iana.org/root-whois/biz.htm
Registry: NeuLevel - http://www.neulevel.biz
Registrar: DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM) - http://www.directi.com
Whois Server: whois.biz
Name Server[from whois, whois+dns ip]: NS1.JETSEARCH.ORG 69.50.177.101
Name Server[from whois, whois+dns ip]: NS2.JETSEARCH.ORG 69.50.177.102
Status: clientHold
Status: clientTransferProhibited
Status: clientDeleteProhibited
Status: clientUpdateProhibited
Creation Date: Fri Sep 24 16:21:51 GMT 2004
Expiration Date: Fri Sep 23 23:59:59 GMT 2005
Updated Date: Wed Mar 16 15:07:22 GMT 2005

[whois.biz]

Domain Name: XAWM.BIZ
Domain ID: D7815249-BIZ
Sponsoring Registrar: DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Sponsoring Registrar IANA ID: 303
Domain Status: clientHold
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
Registrant ID: DI_795860
Registrant Name: Max
Registrant Organization: xawm
Registrant Address1: Marata 90-35
Registrant City: S. Petersburg
Registrant Postal Code: 193001
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +7.9213732308
Registrant Email: jove@mail.ru
Administrative Contact ID: DI_795860
Administrative Contact Name: Max
Administrative Contact Organization: xawm
Administrative Contact Address1: Marata 90-35
Administrative Contact City: S. Petersburg
Administrative Contact Postal Code: 193001
Administrative Contact Country: Russian Federation
Administrative Contact Country Code: RU
Administrative Contact Phone Number: +7.9213732308
Administrative Contact Email: jove@mail.ru
Billing Contact ID: DI_795860
Billing Contact Name: Max
Billing Contact Organization: xawm
Billing Contact Address1: Marata 90-35
Billing Contact City: S. Petersburg
Billing Contact Postal Code: 193001
Billing Contact Country: Russian Federation
Billing Contact Country Code: RU
Billing Contact Phone Number: +7.9213732308
Billing Contact Email: jove@mail.ru
Technical Contact ID: DI_795860
Technical Contact Name: Max
Technical Contact Organization: xawm
Technical Contact Address1: Marata 90-35
Technical Contact City: S. Petersburg
Technical Contact Postal Code: 193001
Technical Contact Country: Russian Federation
Technical Contact Country Code: RU
Technical Contact Phone Number: +7.9213732308
Technical Contact Email: jove@mail.ru
Name Server: NS1.JETSEARCH.ORG
Name Server: NS2.JETSEARCH.ORG
Created by Registrar: DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Last Updated by Registrar: DIRECT INFORMATION PVT. LTD., (D.B.A. DIRECTI.COM)
Domain Registration Date: Fri Sep 24 16:21:51 GMT 2004
Domain Expiration Date: Fri Sep 23 23:59:59 GMT 2005
Domain Last Updated Date: Wed Mar 16 15:07:22 GMT 2005

[whois.publicinterestregistry.net]

Domain ID: D104481463-LROR
Domain Name: JETSEARCH.ORG
Created On: 31-May-2004 23:25:15 UTC
Last Updated On: 17-May-2005 22:47:02 UTC
Expiration Date: 31-May-2006 23:25:15 UTC
Sponsoring Registrar: Direct Information PVT Ltd. (R27-LROR)
Status: OK
Registrant ID: DI_1328979
Registrant Name: Dmitry Kuznetsov
Registrant Organization: Deviate inc
Registrant Street1: Jukova ave 180-75
Registrant Street2:
Registrant Street3:
Registrant City: S. Petersburg
Registrant State/Province:
Registrant Postal Code: 190005
Registrant Country: RU
Registrant Phone: +7.9213149676
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: deviative@mail.ru
Admin ID: DI_1328979
Admin Name: Dmitry Kuznetsov
Admin Organization: Deviate inc
Admin Street1: Jukova ave 180-75
Admin Street2:
Admin Street3:
Admin City: S. Petersburg
Admin State/Province:
Admin Postal Code: 190005
Admin Country: RU
Admin Phone: +7.9213149676
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email: deviative@mail.ru
Tech ID: DI_1328979
Tech Name: Dmitry Kuznetsov
Tech Organization: Deviate inc
Tech Street1: Jukova ave 180-75
Tech Street2:
Tech Street3:
Tech City: S. Petersburg
Tech State/Province:
Tech Postal Code: 190005
Tech Country: RU
Tech Phone: +7.9213149676
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email: deviative@mail.ru
Name Server: NS1.JETSEARCH.ORG
Name Server: NS2.JETSEARCH.ORG

---------------

whois -h rwhois.intercage.com 69.50.191.68
network:IP-Network:69.50.191.64/29
network:IP-Network-Block:69.50.191.64 - 69.50.191.71
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

whois -h rwhois.intercage.com 69.50.191.133
network:IP-Network:69.50.191.128/29
network:IP-Network-Block:69.50.191.128 - 69.50.191.135
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

whois -h rwhois.intercage.com 69.50.189.119
network:IP-Network:69.50.189.112/29
network:IP-Network-Block:69.50.189.112 - 69.50.189.119
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

whois -h rwhois.intercage.com 69.50.179.217
network:IP-Network:69.50.179.208/28
network:IP-Network-Block:69.50.179.208 - 69.50.179.223
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

whois -h rwhois.intercage.com 69.50.177.102
network:IP-Network:69.50.177.96/29
network:IP-Network-Block:69.50.177.96 - 69.50.177.103
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

whois -h rwhois.intercage.com 69.50.177.104
network:IP-Network:69.50.177.104/29
network:IP-Network-Block:69.50.177.104 - 69.50.177.111
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

whois -h rwhois.intercage.com 69.50.191.28
network:IP-Network:69.50.191.24/29
network:IP-Network-Block:69.50.191.24 - 69.50.191.31
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

whois -h rwhois.intercage.com 69.50.187.26
network:IP-Network:69.50.187.24/29
network:IP-Network-Block:69.50.187.24 - 69.50.187.31
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

whois -h rwhois.intercage.com 69.50.180.186
network:IP-Network:69.50.180.184/29
network:IP-Network-Block:69.50.180.184 - 69.50.180.191
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

whois -h rwhois.intercage.com 69.50.179.210
network:IP-Network:69.50.179.208/28
network:IP-Network-Block:69.50.179.208 - 69.50.179.223
network:Org-Name:Coteco, LLC.
network:Street-Address:73 GreenTree Drive #36

> I believe an investigation by law enforcement is a very corrective
> step... That would definitely clean Esthost up.
>
> I can honestly say, there are 2 of our major clients who are very
> successful... and with both of those comes occasional abuse. On one,
> it's the occasional spam via exploit. The other... Esthost... Well... A
> lot worse abuse than just spam.

Yes, fraud, scam, proxy hijack, browser hijack, all sorts of CRIMINAL activity.

> If I had the ability... I would cut Esthost as a client... But, in
> doing so, it causes nearly a quarter if not half of the company's
> monthly revenue to be cut. That is not too good of a move nor
> reasonably possible ;)

So, you admit that serving the spammer is a better choice. Well, your net, your rules. But what are you doing here then?

--
Yes, I do have a spellchequer

--
Comments posted to news.admin.net-abuse.blocklisting are solely the responsibility of their author. Please read the news.admin.net-abuse.blocklisting FAQ at http://www.blocklisting.com/faq.html before posting.

=== People report dealing with Esthost ===

Newsgroups: news.admin.net-abuse.blocklisting
From: "Spamhuntress"
Subject: Re: Atrivo/InterCage Abuse
Approved: NANAB Moderators
Injection-Info: g47g2000cwa.googlegroups.com; posting-host=217.212.249.25; posting-account=pYzhaA0AAAB9xdIn18bWMs58j6LRcW1D
Content-Type: text/plain; charset="iso-8859-1"
X-Greylisting: NO DELAY (Relay+Sender autoqualified); processed by UCSD_GL-v2.1 on mailbox4.ucsd.edu; Sun, 04 September 2005 05:24:34 -0700 (PDT)
X-Complaints-To: groups-abuse@google.com
User-Agent: G2/0.2
Complaints-To: groups-abuse@google.com
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Date: Sun, 4 Sep 2005 12:24:33 +0000 (UTC)
Nntp-Posting-Host: 217.212.249.25
X-Http-Useragent: Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6,gzip(gfe),gzip(gfe)
Organization: http://groups.google.com
Message-ID: <1125836668.376735.118240@g47g2000cwa.googlegroups.com>
X-Spamscanner: mailbox4.ucsd.edu (v1.6 Aug 4 2005 15:27:38, -2.8/5.0 3.0.4)
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com>
X-Spam-Level: Level
X-Trace: posting.google.com 1125836673 8331 127.0.0.1 (4 Sep 2005 12:24:33 GMT)
Mime-Version: 1.0
X-Mailscanner: PASSED (v1.2.8 59912 j84COXAC066810 mailbox4.ucsd.edu)
Date: Sun, 4 Sep 2005 17:31:13 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 30
Path: x-privat.org!news.glorb.com!news.kjsl.com!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16922

ESThost is worse than ever.

I've had extensive dealings with their abuse/support department.

They will occasionally terminate a domain registered with ESTdomains. But most of their clients lease or cohost servers from them.

Most of the linkspam is by now using subdomains at dyndns providers, pointing to boxes on ESThost. And ESThost do NOT terminate service to spammers. Their techs will say outright that they refuse because of the revenue.

I'm wondering if blacking out specific IP numbers would be possible from Atrivo? Say if one of the ESThost IP numbers was caught doing something nefarious (linkspam, mailspam or virii dropping), you blackhole it for a month. Include in the agreement with ESThost that you can do that, without any remuneration to them.

Just a suggestion. Having ESThost cut off at major intersect points on the net would work too?
=== Esthost is linked to the direct participation in bulletproof spam and fraud/scam domain registration ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Anri Erinin
Subject: Re: Atrivo/InterCage Abuse
Approved: NANAB Moderators
Content-Type: text/plain; charset=us-ascii; format=flowed
X-Accept-Language: en-us, en
X-Complaints-To: staff@sunsite.dk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Host: 212.50.17.121
Content-Transfer-Encoding: 7bit
Organization: SunSITE.dk - Supporting Open source
Message-ID: <431b5dee$0$18642$14726298@news.sunsite.dk>
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com> <1125836668.376735.118240@g47g2000cwa.googlegroups.com>
X-Trace: news.sunsite.dk DXC==5K`2UYHPAT5LoVIWDNeH\YSB=nbEKnk[B1HQahRcW_9UDbheZ]jQ_8>MKP;j KK[lehNBL\^V2P2N2d5S\iQ7Zhf2iVJbagf]
Mime-Version: 1.0
Date: Sun, 4 Sep 2005 20:32:49 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 37
Path: x-privat.org!news.glorb.com!news.kjsl.com!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16923

Spamhuntress wrote:
> ESThost is worse than ever.
>
> I've had extensive dealings with their abuse/support department.

I monitor them from the times they were name15.com and actively participated in the carderplanet's forum.

>
> They will occasionally terminate a domain registered with ESTdomains.

This is the modus operandi for a bulletproof domain registrar: 30 days for a spam domain and 7 days for fraud/scam domain.

> But most of their clients lease or cohost servers from them.
>
> Most of the linkspam is by now using subdomains at dyndns providers,
> pointing to boxes on ESThost. And ESThost do NOT terminate service to
> spammers. Their techs will say outright that they refuse because of the
> revenue.

see above.

--
Yes, I do have a spellchequer

=== Atrivo replies again ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Russ@Atrivo.com
Subject: Re: Atrivo/InterCage Abuse
Approved: NANAB Moderators
Injection-Info: g14g2000cwa.googlegroups.com; posting-host=67.120.99.146; posting-account=2w8xwQ0AAADzda9cIvAir5JUpndTEjLg
Content-Type: text/plain; charset="iso-8859-1"
X-Complaints-To: groups-abuse@google.com
User-Agent: G2/0.2
Complaints-To: groups-abuse@google.com
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Date: Mon, 5 Sep 2005 02:24:13 +0000 (UTC)
Nntp-Posting-Host: 67.120.99.146
X-Http-Useragent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322),gzip(gfe),gzip(gfe)
Organization: http://groups.google.com
Message-ID: <1125887043.200632.17730@g14g2000cwa.googlegroups.com>
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com> <1125836668.376735.118240@g47g2000cwa.googlegroups.com> <431b5dee$0$18642$14726298@news.sunsite.dk>
X-Trace: posting.google.com 1125887053 4307 127.0.0.1 (5 Sep 2005 02:24:13 GMT)
Mime-Version: 1.0
Date: Mon, 5 Sep 2005 01:33:55 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 64
Path: x-privat.org!news.moat.net!news-out.newsfeeds.com!propagator3-LAX.newsfeeds.com!news-in.usenet.com!rahul.net!wasp.rahul.net!rahul.net!news.kjsl.com!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16925

Hello Spamhuntress,

As I've stated in the past, we've been working to get InterCage launched. With InterCage will come new policies, TOS/AUP/Privacy/SPAM. These policies will be STRICTLY enforced. Right now, We believe in working with the client to get abuse on their machine(s) dealt with. Because of that, one of the abuser's site(s) is shutdown while others he may have stay live. This is the most recent case with Peter Severa, now listed on ROKSO. They dropped his domain rain-mailer.com, but stated to me that he was completely removed, then later stated they still provide him with a server. I made it very clear that if a ROKSO spammer is on the network under ANY client's space, I will start terminating machines. I am not happy myself with the current avenues we have to take to get an abuser dealt with.

While InterCage will come with new policies enforcing our action on abuse, it will also come with new timeframes for abuse to be dealt with by the client. These timeframes will allow us definitive action without any problem to deal with abuse.

On another note: I do not run Atrivo/InterCage. If I did, abuse would be dealt with when we receive word and correct information regarding it. I do not care how much money anyone has in services from Atrivo/InterCage, nor does Emil. It's not a matter of money, it's a matter of working with the client to get things dealt with.

Presently, they state how long they'll give the client before they take action themselves. Their action taken generally isn't the correct one. As we can see that attempting to work with the client to handle abuse on their machines has clearly proven ineffective, that will be changing very soon.

I believe myself that a very clear message has been sent by nLayer recently, a DMCA claim was made to them, though, we never received any word on it. nLayer apparently sent us a notice regarding action required or they would drop traffic to the IP, I myself never saw it. So 24 hours later, when a second notice gets sent, it states that they've nulled the IP at their router. Now that I myself have reviewed the notice, we're working to get corrective action taken. Though since the IP is nulled already, it all relies on how soon the client wants to take action to get their client back online.

One thing that bothers me with trying to assist in these groups is the fact that people give great collateral to use with their abuse reporting, though they don't send it to where it would really make a difference. Reporting to the open world is ok of course, but expecting us to participate in these groups while you continually provide rude remarks or senseless attacks is ridiculous. It makes me feel like this is a child's club. I'm sure many of you are of-age, so why not act like adults. Any kind of abuse is bad yes, but constant attacks doesn't get it dealt with any faster, it pushes ISPs like us to simply cease contact with you. Sure, we'll still handle your reports, but we won't communicate back with you. Hopefully some of you REALLY understand what I've said and take it to heart. Perhaps things would go a lot smoother.

Thanks for reading all,

Russell Mitchell - Russ[at]Atrivo.com
Atrivo Technologies
=== Reply ===

Newsgroups: news.admin.net-abuse.blocklisting
From: fhh
Subject: Re: Atrivo/InterCage Abuse
Approved: NANAB Moderators
Content-Type: text/plain; charset=us-ascii
X-Complaints-To: abuse@supernews.com
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Content-Transfer-Encoding: 7Bit
Organization: Posted via Supernews, http://www.supernews.com
Message-ID: <11hoks2gevt7vb8@corp.supernews.com>
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com> <1125836668.376735.118240@g47g2000cwa.googlegroups.com> <431b5dee$0$18642$14726298@news.sunsite.dk> <1125887043.200632.17730@g14g2000cwa.googlegroups.com>
Mime-Version: 1.0
Date: Mon, 5 Sep 2005 14:58:04 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 66
Path: x-privat.org!news.newsland.it!newshub.sdsu.edu!newsfeed.news2me.com!arclight.uoregon.edu!canoe.uoregon.edu!newsfeed.news.ucla.edu!newsfeed.stanford.edu!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16929

Russ@Atrivo.com wrote:

> As I've stated in the past, we've been working to get InterCage
> launched. With InterCage will come new policies, TOS/AUP/Privacy/SPAM.
> These policies will be STRICTLY enforced. Right now, We believe in
> working with the client to get abuse on their machine(s) dealt with.
> Because of that, one of the abuser's site(s) is shutdown while others
> he may have stay live. This is the most recent case with Peter Severa,
> now listed on ROKSO. They dropped his domain rain-mailer.com, but
> stated to me that he was completely removed, then later stated they
> still provide him with a server. I made it very clear that if a ROKSO
> spammer is on the network under ANY client's space, I will start
> terminating machines. I am not happy myself with the current avenues
> we have to take to get an abuser dealt with.

As far as I know Mr Severa has used IP space of Atrivo/Esthost and Pilosoft since November 2004.

> On another note: I do not run Atrivo/InterCage. If I did, abuse would
> be dealt with when we receive word and correct information regarding
> it. I do not care how much money anyone has in services from
> Atrivo/InterCage, nor does Emil. It's not a matter of money, it's a
> matter of working with the client to get things dealt with.

This is in contradiction with what you said in message <1125683278.320264.138150@f14g2000cwb.googlegroups.com> :

| If I had the ability... I would cut Esthost as a client... But, in
| doing so, it causes nearly a quarter if not half of the company's
| monthly revenue to be cut. That is not too good of a move nor
| reasonably possible ;)

> One thing that bothers me with trying to assist in these groups is the
> fact that people give great collateral to use with their abuse
> reporting, though they don't send it to where it would really make a
> difference. Reporting to the open world is ok of course, but expecting
> us to participate in these groups while you continually provide rude
> remarks or senseless attacks is ridiculous. It makes me feel like this
> is a child's club. I'm sure many of you are of-age, so why not act like
> adults. Any kind of abuse is bad yes, but constant attacks doesn't get
> it dealt with any faster, it pushes ISPs like us to simply cease
> contact with you. Sure, we'll still handle your reports, but we won't
> communicate back with you. Hopefully some of you REALLY understand what
> I've said and take it to heart. Perhaps things would go a lot smoother.

I am sorry, but I think these remarks are *not* appropriate. As far as I know you have not been flamed in this moderated group. Also, I have no intention to attack you personally or behave like a child. I don't envy your (probably difficult) job, I do understand that you may have a hard time when reading your inbox filled with nasty and useless emails etc, but please don't say that people in this group are acting like children.

If you really want to clean up your network I am willing to help you. But so far I feel that all abuse reports I have sent to abuse@atrivo.com were not acted upon properly.

--
feike

=== Point about the money Atrivo gets from the abuse supporters - Esthost ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Morely Dotes
Subject: Re: Atrivo/InterCage Abuse
Approved: NANAB Moderators
X-Greylisting: NO DELAY (Relay+Sender autoqualified); processed by UCSD_GL-v2.1 on mailbox4.ucsd.edu; Fri, 02 September 2005 15:15:14 -0700 (PDT)
User-Agent: Xnews/5.04.25 Hamster/2.0.6.0
Sender: nanab@zorch.sf-bay.org (Charlie Root)
NNTP-Posting-Host: news.newsdawg.com
Organization: SpamBlocked.com and Kryptonite Hosting
Message-ID:
X-Spamscanner: mailbox4.ucsd.edu (v1.6 Aug 4 2005 15:27:38, 0.0/5.0 3.0.4)
References: <1125616541.094735.138810@z14g2000cwz.googlegroups.com> <11hgs71j941hs0a@corp.supernews.com> <1125683278.320264.138150@f14g2000cwb.googlegroups.com>
X-Spam-Level: Level
X-Mailscanner: PASSED (v1.2.8 19514 j82MFDeb033825 mailbox4.ucsd.edu)
Date: Sun, 4 Sep 2005 07:48:08 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 26
Path: x-privat.org!area.cu.mi.it!nntp.eutelia.it!itgate.net!news.rh-tec.net!newsfeed01.sul.t-online.de!t-online.de!newsfeed.arcor.de!newsfeed.icl.net!newsfeed.fjserv.net!newsfeed.news2me.com!headwall.stanford.edu!newsfeed.stanford.edu!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:16918

Russ@Atrivo.com wrote in news:1125683278.320264.138150@f14g2000cwb.googlegroups.com:

> If I had the ability... I would cut Esthost as a client... But, in
> doing so, it causes nearly a quarter if not half of the company's
> monthly revenue to be cut.
> That is not too good of a move nor
> reasonably possible ;)

If 100% of the company's revenue will be cut off when the Feds decide there's conspiracy to violate the CAN-SPAM going on, will that be good?

Look at this week's issue of _Computerworld_ for an article by John Columbus, entitled "Good Numbers And Bad."

--
Tired of spam in your mailbox?
Come to http://www.spamblocked.com
Who is Brad Jesness? http://www.wilhelp.com/bj_faq/
To the spammers, my motto: FABRICATI DIEM, PVNC.

=== And here Atrivo again. Now they try to "work with SPEWS"! Don't they sound JUST like HostNOC/BURSTnet did before?! ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Russ@Atrivo.com
Subject: InterCage Abuse - ATTN: All
Approved: NANAB Moderators
Injection-Info: g44g2000cwa.googlegroups.com; posting-host=69.107.73.156; posting-account=2w8xwQ0AAADzda9cIvAir5JUpndTEjLg
Content-Type: text/plain; charset="iso-8859-1"
X-Complaints-To: groups-abuse@google.com
User-Agent: G2/0.2
Complaints-To: groups-abuse@google.com
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Date: Thu, 15 Sep 2005 19:01:34 +0000 (UTC)
Nntp-Posting-Host: 69.107.73.156
X-Http-Useragent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322),gzip(gfe),gzip(gfe)
Organization: http://groups.google.com
Message-ID: <1126808395.861641.78660@g44g2000cwa.googlegroups.com>
X-Trace: posting.google.com 1126810894 29188 127.0.0.1 (15 Sep 2005 19:01:34 GMT)
Mime-Version: 1.0
Date: Thu, 15 Sep 2005 20:35:16 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 82
Path: x-privat.org!news.glorb.com!news.kjsl.com!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:17005

Hello All,

Over the past 6 months of working with SORBS, I'm finding it quite clear that SORBS is not willing to work with us at all, at least certain admins who pertain to these groups don't.

We were recently re-listed for our 69.50.160.0/19 block:

---
Netblock: 69.50.160.0/19 (69.50.160.0-69.50.191.255)
Record Created: Fri Nov 26 16:58:52 2004 GMT
Record Updated: Tue Sep 13 12:58:32 2005 GMT
Additional Information: estdomains.com/esthost.com/estboxes.com
---

We were listed in:
69.50.160.0 listed in the Database of servers sending to spamtrap addresses

Though upon trying to get information on what the abusing servers/ips were, I was told it wasn't from abuse they had encountered, but from public postings of abuse notifications here by SORBS Admins under alternate names. With this being the case, I find that a bit similar to how SPEWS presently operates. We've tried to work with SPEWS and failed there hard since there's no one to communicate with.

I do not understand how SORBS or any block list expects us or any Server Provider for that matter to support their work in the blocklisting if it's going to result by their admins hiding under alternate names to make attacks against companies that are supposed to be working with them. They try and belittle and defame a company in which is supposed to support them.

I myself started supporting SORBS after a short talk with Matthew (SORBS Founder). He stepped up to the plate and explained certain aspects of our listings at that time and set us up with their ISP Reports so that we could monitor our IP Blocks.

With all that being said, perhaps some of you understand and have encountered this same problem in SORBS.

SpamHuntress, fhh, Shmuel, Rich, Others, I hope you continue to report on abuse you encounter. Your work is very much appreciated. I will no longer continue to pull reports out of these newsgroups because of the certain few SORBS Admins who seem to be set to attack companies such as Atrivo/InterCage.

If you would like to report abuse, send it to abuse[at]intercage.com. Considering the amount of spam we encounter on these addresses, we may soon change abuse reporting to being site based such as Earthlink currently does. This will allow us to get the information we need to investigate and review a machine(s)/client(s) abusive actions.

I still can't believe some of SORBS' Admins' remarks under alternate names on these groups. To come out when I contact a SORBS Staff member who recently assisted me with some block listings to say "This is who I am, you're listed until you remove Esthost and its other companies completely, and your other blocks will be listed too if you don't do it! You better not tell anyone.". Give me a break... If you're going to make remarks and attack a company under alternate names, don't hide. You talk about getting spammed in the past when your true identity was leaked, after your remarks about us, I don't understand why you were spammed, I'll just cease contact completely with you. No spamming is needed.

If you want to contact me for whatever reasons, contact me via email. If you want to report abusive activity on our network, contact us via abuse[at]intercage.com. Include the proper evidences for the abuse, headers/email, firewall logs, apache logs, etc.

Thank you all very much for your time and support here. Have a great day.

Sincerely,
Russell Mitchell - Russ[at]InterCage.com
InterCage, Inc.

=== SORBS replies ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Matthew Sullivan
Subject: Re: InterCage Abuse - ATTN: All
Approved: NANAB Moderators
Resent-From: news@nemesis.sorbs.net
X-Accept-Language: en-us, en
Content-Type: text/plain; charset=us-ascii; format=flowed
X-Complaints-To: usenet@nemesis.sorbs.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Host: 137.92.9.213
Nntp-Posting-Date: Thu, 15 Sep 2005 23:36:49 +0000 (UTC)
Content-Transfer-Encoding: 7BIT
Organization: A poorly-installed InterNetNews site
Message-ID:
Resent-Date: Fri, 16 Sep 2005 09:36:51 +1000 (EST)
Resent-Message-Id: <20050915233723.6A94DA6CE4@scorpion.sorbs.net>
References: <1126808395.861641.78660@g44g2000cwa.googlegroups.com>
Mime-Version: 1.0
X-Trace: nemesis.sorbs.net 1126827409 11023 137.92.9.213 (15 Sep 2005 23:36:49 GMT)
Date: Fri, 16 Sep 2005 13:17:47 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 103
Path: x-privat.org!news.glorb.com!newshub.sdsu.edu!headwall.stanford.edu
 !newsfeed.stanford.edu!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:17014

Russ@Atrivo.com wrote:

> Hello All,
>
> Over the past 6 months of working with SORBS, I'm finding it quite
> clear that SORBS is not willing to work with us at all, at least certain
> admins who pertain to these groups don't. We were recently re-listed
> for our 69.50.160.0/19 block:

You know sometimes I am encouraged to help people, sometimes the
opposite.

Let me make this a little clear - I have been offline (intermittently
online is probably a better way to describe it) due to moving house and
getting a new Internet connection along with a new DSL line... it's
taken 7 weeks to get online at all, and a further week trying to get the
damn modem to work longer than be locked up... (Hopefully a new router
is being delivered today)....

In the meantime I received your mail and I haven't had time to reply.
We have 2 investigations happening at the moment. The first regarding
Atrivo, the second regarding Esthost....

> ---
> Netblock: 69.50.160.0/19 (69.50.160.0-69.50.191.255)
> Record Created: Fri Nov 26 16:58:52 2004 GMT
> Record Updated: Tue Sep 13 12:58:32 2005 GMT
> Additional Information: estdomains.com/esthost.com/estboxes.com
> ---
>
> We were listed in:
> 69.50.160.0 listed in the Database of servers sending to spamtrap
> addresses
>
> Though upon trying to get information on what the abusing servers/ips
> were, I was told it wasn't from abuse they had encountered, but from
> public postings of abuse notifications here by SORBS Admins under
> alternate names.
>
> With this being the case, I find that a bit similar to how SPEWS
> presently operates. We've tried to work with SPEWS and failed there
> hard since there's no one to communicate with.
>
> I do not understand how SORBS or any block list expects us or any
> Server Provider for that matter to support their work in the
> blocklisting if it's going to result by their admins hiding under
> alternate names to make attacks against companies that are supposed to
> be working with them. They try and belittle and defame a company in
> which is supposed to support them. I myself started supporting SORBS
> after a short talk with Matthew (SORBS Founder). He stepped up to the
> plate and explained certain aspects of our listings at that time and
> set us up with their ISP Reports so that we could monitor our IP
> Blocks.
>
> With all that being said, perhaps some of you understand and have
> encountered this same problem in SORBS.
>
> SpamHuntress, fhh, Shmuel, Rich, Others, I hope you continue to report
> on abuse you encounter. Your work is very much appreciated.
>
> I will no longer continue to pull reports out of these newsgroups
> because of the certain few SORBS Admins who seem to be set to attack
> companies such as Atrivo/InterCage. If you would like to report abuse,
> send it to abuse[at]intercage.com. Considering the amount of spam we
> encounter on these addresses, we may soon change abuse reporting to
> being site based such as Earthlink currently does. This will allow us
> to get the information we need to investigate and review a
> machine(s)/client(s) abusive actions.
>
> I still can't believe some of SORBS' Admin's remarks under alternate
> names on these groups. To come out when I contact a SORBS Staff member
> who recently assisted me with some block listings to say "This is who I
> am, you're listed until you remove Esthost and its other companies
> completely, and your other blocks will be listed too if you don't do
> it! You better not tell anyone.". Give me a break... If you're going to
> make remarks and attack a company under alternate names, don't hide.
> You talk about getting spammed in the past when your true identity was
> leaked, after your remarks about us, I don't understand why you were
> spammed, I'll just cease contact completely with you. No spamming is
> needed.

As far as I am aware there is one SORBS admin that uses an alias when
posting here, he will not hide the fact.

> If you want to contact me for whatever reasons, contact me via email.
> If you want to report abusive activity on our network, contact us via
> abuse[at]intercage.com. Include the proper evidences for the abuse,
> headers/email, firewall logs, apache logs, etc.
>
> Thank you all very much for your time and support here. Have a great
> day.

Please be assured that I am looking into the issue, however until such
time as my Internet connection at home is stable, it is very difficult
and time consuming.

Regards,

Mat @ SORBS

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.

=== Point on "working with SPEWS" ===

Newsgroups: news.admin.net-abuse.blocklisting
From: i_will_tossit@yahoo.com
Subject: Re: InterCage Abuse - ATTN: All
Approved: NANAB Moderators
Content-Type: text/plain; charset=us-ascii
X-Accept-Language: en
X-Complaints-To: abuse@supernews.com
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Content-Transfer-Encoding: 7bit
Organization: Posted via Supernews, http://www.supernews.com
Message-ID: <432A00F2.C8352F73@yahoo.com>
References: <1126808395.861641.78660@g44g2000cwa.googlegroups.com>
Mime-Version: 1.0
Date: Fri, 16 Sep 2005 12:29:46 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 17
Path: x-privat.org!news-out.tin.it!news-in.tin.it!news.glorb.com!news.kjsl.com
 !zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:17012

Russ@Atrivo.com wrote:

>We've tried to work with SPEWS

In and of itself this single statement negates anything else you have
to say. One doesn't work with SPEWS, one boots the offender(s) and
posts that fact.

Your 10 SBL listings don't say much for you, either--

http://www.spamhaus.org/sbl/listings.lasso

Spamhaus _will_ work with you, what's your excuse there?

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.

=== Another reply ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Atro Tossavainen
Subject: Re: InterCage Abuse - ATTN: All
Approved: NANAB Moderators
Content-Type: text/plain; charset=ISO-8859-15
X-Newsreader: Gnus v5.3/Emacs 19.34
X-Complaints-To: abuse@helsinki.fi
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Date: 16 Sep 2005 08:14:40 GMT
Content-Transfer-Encoding: 8bit
Nntp-Posting-Host: kruuna.helsinki.fi
Mail-Copies-To: nobody
Organization: Puutavarakartelli (EOMPTK)
Message-ID:
References: <1126808395.861641.78660@g44g2000cwa.googlegroups.com>
X-Trace: oravannahka.helsinki.fi 1126858480 12495 128.214.205.14 (16 Sep 2005 08:14:40 GMT)
Date: Fri, 16 Sep 2005 12:24:17 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 48
Path: x-privat.org!news-out.tin.it!news-in.tin.it!news.glorb.com!news.kjsl.com
 !newsfeed.stanford.edu!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:17011

Russ@Atrivo.com writes:

> With this being the case, I find that a bit similar to how SPEWS
> presently operates. We've tried to work with SPEWS and failed there
> hard since there's no one to communicate with.

Russ,

Don't you think everybody should just re-read

http://groups.google.com/group/news.admin.net-abuse.blocklisting/msg/2f06411be4716608

and decide for themselves.

As far as I understand it from the SPEWS FAQ, the basic deal is that
if the abuse stops, the listing will eventually go away. You cannot
"work with" SPEWS any more than that.

Now, SORBS is not SPEWS nor vice versa, but why should "working with"
SORBS entail anything less than stopping the abuse?

Distributing trojans from your network qualifies as abuse, I believe.
It continues even today, I've just downloaded a Windows trojan from
your network an hour ago to confirm this. (Don't worry, I don't use
Windows at all, I got it using wget on a UNIX platform, it won't be
able to do me any harm. But analysis of the trojan reveals that it
would download more trojan content from an Estonian network that is
directly controlled by Esthost.)

You yourself have stated in this newsgroup (see URL above) that the
problems you have with Esthost are far worse than spam but that you
aren't willing to do anything about it because Esthost constitutes
such a large part of your business's income. How do you expect anybody
to "work with" you under such circumstances?

--
Atro Tossavainen (Mr.) / The Institute of Biotechnology at
Systems Analyst, Techno-Amish & / the University of Helsinki, Finland,
+358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own.
< URL : http : / / www . helsinki . fi / %7E atossava / > NO FILE ATTACHMENTS

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.

=== And another ===

Newsgroups: news.admin.net-abuse.blocklisting
From: Morely Dotes
Subject: Re: InterCage Abuse - ATTN: All
Approved: NANAB Moderators
User-Agent: Xnews/5.04.25 Hamster/2.0.6.0
Sender: nanab@zorch.sf-bay.org (Charlie Root)
Nntp-Posting-Host: news.newsdawg.com
Organization: SpamBlocked.com And Kryptonite Hosting
Message-ID:
References: <1126808395.861641.78660@g44g2000cwa.googlegroups.com>
Date: Fri, 16 Sep 2005 10:28:08 GMT
X-Robomod: STUMP, ichudov@algebra.com (Igor Chudov), C++/Perl/Unix Consulting
Lines: 18
Path: x-privat.org!texta.sil.at!newscore.univie.ac.at!newsserver.news.garr.it
 !newsfeed.stanford.edu!zorac!blocklisting.com!robomod!not-for-mail
Xref: x-privat.org news.admin.net-abuse.blocklisting:17008

Russ@Atrivo.com wrote in
news:1126808395.861641.78660@g44g2000cwa.googlegroups.com:

> Over the past 6 months of working with SORBS, I'm finding it quite
> clear that SORBS is not willing to work with us at all

If you're still providing *ANY* service to Esthost, no one should be
allowing email from you. SORBS merely reflects their best estimate of
the current situation.

Period.

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.