[tor-relays] Spam Emails Received From This Mailing List

Mirimir mirimir at riseup.net
Fri Jun 15 03:13:16 UTC 2018


On 06/14/2018 02:18 PM, Mirimir wrote:
> On 06/14/2018 04:33 AM, nusenu wrote:
>> this kind of spam also happens if you post emails to tor-dev.
>>
>> last spam sender address: rosegregory714756 at cc.mexyst.com
> 
> It seems that they've given up on me, after some days with no reply. So
> is that a pattern for y'all?

OK, so much for that hypothesis. Just got one from Camryn. It actually
seems responsive ...

| Hey I'm glad to see someone real responding haha

... and it appeared within minutes of my post to the list. So there's
apparently a human involved, who's actively watching the list.

Also, as before, the In-Reply-To header matches my Message-ID header.

But something interesting. The ultimate message source is "localhost
(unknown [107.178.101.4])". From https://ipinfo.io/ I get that this is
"vox21.hurters.biz". With a little work, I get to
"http://hurters.biz/?domain=hurters.biz?reqp=1&qaspoofip=206.190.145.84&reqp=1&reqr="
which shows:

| Welcome to hurters.biz
| This Web page is parked for FREE, courtesy of GoDaddy.com.

From https://ipinfo.io/ I get to 206.190.145.84.adsl.inet-telecom.org
which looks a lot like a home ADSL account. Botnet maybe?

And what is "qaspoofip"?

Again, this is all on mellowhost.com by Input Output Flood LLC. The
abuse contact is Gabriel Ramuglia (abuse at ioflood.com).

Anyway, here's the https://ipinfo.io/ data:

Received: from us37.axiobyte.com (us37.axiobyte.com [104.161.37.171])

ip: "104.161.37.171"
hostname: "us37.axiobyte.com"
city: "Dhaka"
region: "Dhaka Division"
country: "BD"
loc: "23.7231,90.4086"
postal: "1000"
asn:
  asn: "AS53755"
  name: "Input Output Flood LLC"
  domain: "ioflood.com"
  route: "104.161.32.0/20"
  type: "hosting"
company:
  name: "Mellowhost"
  domain: "mellowhost.com"
  type: "hosting"

Received: from localhost (unknown [107.178.101.4])

ip: "107.178.101.4"
hostname: "vox21.hurters.biz"
city: "Dhaka"
region: "Dhaka"
country: "BD"
loc: "23.8179,90.4103"
postal: "1206"
asn:
  asn: "AS53755"
  name: "Input Output Flood LLC"
  domain: "ioflood.com"
  route: "107.178.64.0/18"
  type: "hosting"
company:
  name: "Mellowhost"
  domain: "mellowhost.com"
  type: "hosting"

... domain=hurters.biz ... qaspoofip=206.190.145.84 ...

ip: "206.190.145.84"
hostname: "206.190.145.84.adsl.inet-telecom.org"
city: "Providence"
region: "Utah"
country: "US"
loc: "41.6929,-111.8150"
postal: "84332"
asn:
  asn: "AS29854"
  name: "WestHost, Inc."
  domain: "westhost.com"
  route: "206.190.128.0/19"
  type: "hosting"
company:
  name: "Hosting Services, Inc."
  domain: "banahosting.com"
  type: "hosting"

> I finally did review the images, in a Debian LiveCD with no network
> connectivity. They're not bad porn, really. Images from Becky and Camryn
> have no obvious watermarks, but those from Rose are marked
> "cherryscott". And they're clearly @CherryScott23. If I could, I'd tweet
> her about the ripoff.
> 
> So anyway, our spammer is clearly using stock image libraries. And maybe
> that was obvious.
> 
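An added example, not from the post or the list: a small Python triage routine that walks the Received: chain back to the originating IP and checks the In-Reply-To/Message-ID linkage the post describes. The sample message is constructed; only the hostnames and IPs are the ones quoted above, every other header value is made up.

```python
import email
import re
from typing import List, Optional

# Constructed sample modelled on the two Received: headers quoted in the post.
# Hostnames and IPs are the ones discussed there; dates, addresses and
# Message-IDs are invented for the example.
RAW_MESSAGE = b"""Received: from us37.axiobyte.com (us37.axiobyte.com [104.161.37.171])
\tby mx.example.invalid with ESMTP; Thu, 14 Jun 2018 22:40:01 +0000
Received: from localhost (unknown [107.178.101.4])
\tby us37.axiobyte.com with ESMTPA; Thu, 14 Jun 2018 22:39:55 +0000
From: Camryn <camryn@example.invalid>
To: poster@example.invalid
Subject: Re: [tor-relays] Spam Emails Received From This Mailing List
Message-ID: <spam-reply-1@example.invalid>
In-Reply-To: <20180614221800.post@example.invalid>

Hey I'm glad to see someone real responding haha
"""

# Source address as the receiving MTA records it: "(... [a.b.c.d])".
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw: bytes) -> List[str]:
    """Bracketed source IP of every Received: header, ordered from the
    originating host to the last hop. Each MTA prepends its own Received:
    line, so header order is reversed to follow the message's path."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = IP_IN_BRACKETS.search(value)
        if match:
            hops.append(match.group(1))
    return hops


def origin_ip(raw: bytes) -> Optional[str]:
    """Deepest Received: hop, the host that handed the mail to the first
    relay (107.178.101.4 in the post's example)."""
    hops = received_hops(raw)
    return hops[0] if hops else None


def replies_to_our_post(raw: bytes, our_message_id: str) -> bool:
    """True when In-Reply-To carries the Message-ID of our own list post,
    the linkage the post reports on every spam reply."""
    msg = email.message_from_bytes(raw)
    return (msg.get("In-Reply-To") or "").strip() == our_message_id.strip()
```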