ROKSO
The Register of Known Spam Operations
Alan Ralsky


Country: United States
State: Michigan
Convicted fraudster who spams using hijacked proxies and virus-infected PCs, and in the past by hijacking mail servers and mail accounts. One of the first people to host spam websites in China to evade US law. Served years in prison for stock-fraud spamming but, soon after being released, seemed to get right back into spamming.



Domains [Jan 2004]


NANAE post of domains hosted in China.

Most of these are probably AlRals, but not all -

_________

I've been tracking the movements of APNIC spamvertised sites over the
last 2 months. There is a pattern emerging and I wanted to share the
data with NANAE regulars. This gets into the various spam gangs
operating in APNIC space, a subject which I am clueless about. However
what the data shows might be a clue for someone. Here are my immediate
conclusions.

1. The biggest pain/spammer during the last 2 weeks was the
pharmacourt/pharmawarehouse slob spamvertising on CQNET, but there's
enough people looking into this one, so I ignored it.

2. The spamgangs change hosting sites periodically. Spam Nest 1 is a
rotating one through Chinanet JX, GD, HA and back to JX. One quirk
which just emerged is BBTEC in Japan to which several have sought
refuge (?). Ever since I LART'ed BBTEC and received several spams back
with Swen attached, I've been very suspicious of this domain. Putting
2 and 2 together would indicate that the spam gangs operate out of
this as a home base.

3. Spam Nest 2 is Chinanet CQ and most medical scams are here. Looking
at the registrants, you'll see many common to Spamnest 1 including a
similar move to BBTEC. In general domains hosted in Chinanet CQ are a
lot longer lasting which doesn't say much about CQ. NOTE - before
anyone brings up the registrant info being arbitrary, I know that, but
it was convenient to do a sort on and who knows it might lead
somewhere else.

4. Spam Nest 3 is our long honored favorite (joke) Hinet. Not much
changes in Taiwan's Hinet space. The only changeling is
imteresting.com which is a very mobile domain and has covered more
ISPs than I've been able to keep up with plus they obfuscate at times
making filtering harder.

5. Spammers move quickly, hosted sites less quickly. I think a
combination of blocking plus filtering will be most successful. For
example, block all of CQ and HINET space plus filter on the
spamvertised site names. This doesn't get the obfuscated ones,
but....it will cut the junk substantially.

Here is a listing of the three spam nests I have monitored. The ISPs
are shown in order of use, with the last one being the current one.
The registrant is that listed on the whois info for the domain.

SPAM NEST 1

DOMAIN ISP IN ORDER REGISTRANT

craigz.us JX Bill Hall
12hen.info JX GD Bill Hall
amyz.info JX GD Bill Hall
clownz.info JX GD Bill Hall
corkz.info JX GD Bill Hall
hgjkl.us JX GD Bill Hall
jonnyz.us GD Bill Hall
tupit.info JX GD Bill Hall
whokz.info JX GD Bill Hall
gold5656.com GD chang chun
dia55.us JX GD Eddie Vos
infomatrixz.us JX GD Eddie Vos
emailbroadcast.us JX Ivoire Ivoire
new36.com GD BBTEC jiu jiang
yunoz.biz JX GD HA JX John Thomson
dubnh.us JX GD JX John Thomson
kpth.us JX GD HA JX John Thomson
hfg3.biz JX Jorge Rockman
gtrrrez.us JX Kuhan Thananayagam
babz.info GD Kuhan Thananayagam
bahbah.info GD Kuhan Thananayagam
gooodz.info GD Kuhan Thananayagam
dohjk.biz JX GD Nishimura Shinichi
eddwz.biz JX GD Nishimura Shinichi
etite.biz GD Nishimura Shinichi
hgter.biz JX GD Nishimura Shinichi
snoofz.biz JX GD Nishimura Shinichi
tewqz.biz JX GD Nishimura Shinichi
whiop.biz GD Nishimura Shinichi
hpsalez.biz JX GD HA JX Paolo Sandjaja
dia9.us JX GD HA JX Paolo Sandjaja
only-best-things.com JX Sergey Pridurko
ghor.us JX Yasushi Kashima
hugoz.biz JX Yasushi Kashima
pittyu.biz JX GD HA JX Yasushi Kashima
clearz.biz JX GD HA JX Yoshihiro Yamaguchi
dillz.biz JX GD HA JX Yoshihiro Yamaguchi
dukez.biz JX GD JX Yoshihiro Yamaguchi
fisha.biz JX Yoshihiro Yamaguchi
horty.biz JX GD HA JX Yoshihiro Yamaguchi
pityz.biz JX GD HA JX Yoshihiro Yamaguchi
controlz.us JX GD HA JX Yoshihiro Yamaguchi
jamacaz.us JX GD HA JX Yoshihiro Yamaguchi
clickhrsz.com GD zhang jun
abovez4.com GD zhang jun
herbalconnection.biz JX HL CNET JX




SPAM NEST 2

DOMAIN ISP IN ORDER REGISTRANT

atlast7.com GD CQ chang sha
back56.com CQ chang sha
final55.com CQ chang sha
of990.com CQ chang sha
high6f.com CQ GD chang sha
48hourdelivery.com CQ Circle Hosting
ccs56g.com CQ BBTEC jiu jiang
rxperfectmeds.biz CQ lopui Yeni
rxstoreusa.biz CQ lopui Yeni
rxfastbuy.biz CQ lopui Yeni
hardwood4.com CQ BBTEC ma anshan
vcv3dsx.com CQ BBTEC ma anshan
fedmeds.biz CQ Mar A. De Castro
greathealthoffers.biz CQ Mike Summer
ddd77.com CQ nan chang
dddff.com CQ nan chang
dddvvvtt.com CQ nan chang
meds-n-meds.com CQ Rahul Ent
meds-sold-online.com CQ Rahul Ent
vow-meds.com CQ Rahul Ent
kimsolutions.com CQ Vong Junjie
wsntv7511.com CQ yunhee Kim
nepzzz.com CQ zhang jun
newzb.com CQ zhang jun
phonezz5.com CQ zhang jun
recordcc.com CQ zhang jun
comzz.com CQ zhang jun
creatreconn.com CQ zhang jun
eventyy.com CQ zhang jun
exerff.com CQ zhang jun
guzzdia.com CQ zhang jun
orderzz.com CQ zhang jun
plabetss.com CQ zhang jun
qualityrrtt.com CQ zhang jun
streemdd.com CQ zhang jun
veclocitz.com CQ zhang jun
boxsalz.com CQ zhang jun
usefushop.com CQ GD zhang jun
air5566.com CQ BBTEC zheng zhou
min7788.com CQ BBTEC zheng zhou
34ex4.com CQ BBTEC zhong zhou
6gf6g.com CQ Zun Yi




SPAM NEST 3

DOMAIN ISP IN ORDER REGISTRANT

countupandlookaway.com HINET Adam Love
happpynewyearz.com HINET Adam Love
hoppinonin.com HINET Adam Love
partnerprorgamz.com HINET Adam Love
sabletimesaround.com HINET Adam Love
timezsquarepatry.com HINET Adam Love
cisetefuts.com HINET Frank White
trymetodey.com HINET Frank White
happynewyaer.com HINET Frank White
holdontrywow.com HINET Frank White
newholdersbarz.com HINET Frank White
turnmarketset.com HINET Frank White
imteresting.com HINET JX LN HINET Kahatani LTD.
netgios.com HINET Mahrashtra Comm
wbegeds.com HINET Mahrashtra Comm
nitefurdet.com HINET Thomas Baker
poeunsec.com HINET Thomas Baker
judfexts.com HINET Thomas Baker
saetritu.com HINET Thomas Baker


I took off the IP addresses to fit in the 80 column format. Comments
welcome.

Thane
aka Woody Bonker
Not a Member of the Lumber Cartel
(TINLC)

__________________________________

From: m964@ix.netcom.com (Thane)
Newsgroups: news.admin.net-abuse.email
Subject: Re: Heads up - APNIC spam gangs on the move again
Date: 19 Jan 2004 05:38:33 -0800
Organization: http://groups.google.com
Lines: 148
Message-ID: <e5f3cce0.0401190538.4f472273@posting.google.com>
References: <e5f3cce0.0401181053.56b83ae2@posting.google.com> <kcjm00di1eh4boitq4ges95qbs9unlggtf@4ax.com>
NNTP-Posting-Host: 68.164.84.220
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1074519513 594 127.0.0.1 (19 Jan 2004 13:38:33 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: Mon, 19 Jan 2004 13:38:33 +0000 (UTC)


Jeff Higgins <JHiggins@Polarbay.com> wrote in message news:<kcjm00di1eh4boitq4ges95qbs9unlggtf@4ax.com>...
> Very nice work on the data ...
> > Do you have IP addresses for each of the Nests?
> > Did you ever encounter crossover between the nests?
> > Did you ever encounter PILLSDOCZ.BIZ?
> > Jeff

Thanks. I did collect the IPs but couldn't fit it all into the 80
chars for the posting. Here they are in somewhat random order. Sorry
for the lack of coherence. These IPs are what the domains currently
are set at. Remember only some of these sites send spam, so blocking
for this will not help your spam count. There is considerable
crossover between nests, not in the IPs but in the content and
registry etc. It's largely the same spam gang between Spamnests 1 and
2. I've not seen PILLSDOCZ.BIZ although it currently resolves to
202.9.156.58, Dishnet, India.

The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is: https://www.spamhaus.org/rokso/evidence/ROK3181/
