ROKSO
The Register of Known Spam Operations
Ruslan Ibragimov / send-safe.com



Country: Russian Federation
State:
Stealth spamware creator. One of the larger criminal spamming operations around. Runs a CGI mailer on machines in Russia and uses hijacked open proxies and virus infected PCs to flood the world with spam.



Joker.com supports send-safe.com fast flux hosting


To: abuse@joker.com
Subject: Spamhaus SBL requests suspension of send-safe.com
From: The Spamhaus Project - SBL Removals <sbl-removals@spamhaus.org>
Date: Tue, 12 Jan 2010 13:11:07 -0800

Greetings joker.com,

Can you please suspend send-safe.com? Its purpose is the
operation of a proxy/bot spam engine. It uses "fast flux" hosting
on compromised end-user machines, as well as nameservers on
compromised static hosts, for all its hosting, so the only place
to mitigate it is at the root servers.

Here is more about the criminals behind send-safe.com:

http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Ruslan%20Ibragimov%20/%20send-safe.com

Here is a snapshot of their present DNS records:



$ dig @c.gtld-servers.net send-safe.com ns

; <<>> DiG 9.4.2-P1 <<>> @c.gtld-servers.net send-safe.com ns
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25013
;; flags: qr rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;send-safe.com. IN NS

;; ANSWER SECTION:
send-safe.com. 172800 IN NS dns.send-safe.com.
send-safe.com. 172800 IN NS dns2.send-safe.com.
send-safe.com. 172800 IN NS dns3.send-safe.com.

;; ADDITIONAL SECTION:
dns.send-safe.com. 172800 IN A 202.74.170.49
dns2.send-safe.com. 172800 IN A 221.141.3.82
dns3.send-safe.com. 172800 IN A 58.7.4.106

;; Query time: 44 msec
;; SERVER: 192.26.92.30#53(192.26.92.30)
;; WHEN: Tue Jan 12 20:01:23 2010
;; MSG SIZE rcvd: 135



202.74.170.49 is optus.net.au. No doubt it's a compromised
machine. We expect it will be secured this week.

221.141.3.82 is skbroadband.com in Korea. No doubt it's a
compromised machine. We expect it will be secured this week.

58.7.4.106 was confirmed to be a compromised server by
iinet.net.au. The NS was removed and the server secured c. 9 Jan
2010.



$ dig @202.74.170.49 send-safe.com

; <<>> DiG 9.4.2-P1 <<>> @202.74.170.49 send-safe.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58562
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;send-safe.com. IN A

;; ANSWER SECTION:
send-safe.com. 300 IN A 217.172.243.66
send-safe.com. 300 IN A 61.46.249.111
send-safe.com. 300 IN A 77.253.177.191
send-safe.com. 300 IN A 91.139.185.134
send-safe.com. 300 IN A 123.236.110.136
send-safe.com. 300 IN A 151.65.13.68
send-safe.com. 300 IN A 187.41.112.228
send-safe.com. 300 IN A 201.222.134.38

;; AUTHORITY SECTION:
send-safe.com. 300 IN NS dns.send-safe.com.
send-safe.com. 300 IN NS dns2.send-safe.com.
send-safe.com. 300 IN NS dns3.send-safe.com.

;; Query time: 538 msec
;; SERVER: 202.74.170.49#53(202.74.170.49)
;; WHEN: Tue Jan 12 20:12:34 2010
;; MSG SIZE rcvd: 215



$ host 217.172.243.66
66.243.172.217.in-addr.arpa domain name pointer host-217-172-243-66.gdynia.mm.pl.
$ host 61.46.249.111
111.249.46.61.in-addr.arpa domain name pointer zaq3d2ef96f.zaq.ne.jp.
$ host 77.253.177.191
191.177.253.77.in-addr.arpa domain name pointer 77-253-177-191.adsl.inetia.pl.
$ host 91.139.185.134 <<< "CableBulgaria address space"
Host 134.185.139.91.in-addr.arpa. not found: 3(NXDOMAIN)
$ host 123.236.110.136 <<< Reliance Communication, Mumbai India
Host 136.110.236.123.in-addr.arpa. not found: 3(NXDOMAIN)
$ host 151.65.13.68 <<< IUnet, Milano Italy
Host 68.13.65.151.in-addr.arpa. not found: 3(NXDOMAIN)
$ host 187.41.112.228
228.112.41.187.in-addr.arpa domain name pointer 18741112228.user.veloxzone.com.br.
$ host 201.222.134.38
38.134.222.201.in-addr.arpa domain name pointer 38-134-222-201.adsl.terra.cl.
$


--
The Spamhaus Project - SBL Removals




Received: from tickets.server.csl.de ([194.245.99.128]:11240)
by smtp-ext-layer.spamhaus.org with smtp (Exim 4.69)
id 1NUo2L-000HPT-8x
for sbl-removals@spamhaus.org; Tue, 12 Jan 2010 21:12:25 +0000
Received: (qmail 20723 invoked by alias); 12 Jan 2010 21:12:18 -0000
Date: 12 Jan 2010 21:12:18 -0000
Message-ID: <20100112211218.20722.qmail@tickets.server.csl.de>
From: abuse-no-reply <bitbucket@joker.com>
X-Ticketeer-Loop: We want no mailloops
Precedence: junk
Subject: Abuse Report registered [Spamhaus SBL requests suspension of send-safe.com]
To: sbl-removals@spamhaus.org

Thank you for your report.

It will be processed and analyzed automatically, the involved Joker.com domains will be extracted.

The Ticket-ID is SPM91987176.

Please do not send a report for a domain multiple times - it will only count once.

To report a SPAM issue, you could also use our automated database frontend at https://joker.com/goto/spam.



Your team from Joker.com.




$ dig dns.send-safe.com @k.gtld-servers.net

; <<>> DiG 9.4.2-P1 <<>> dns.send-safe.com @k.gtld-servers.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1378
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;dns.send-safe.com. IN A

;; ANSWER SECTION:
dns.send-safe.com. 172800 IN A 123.212.102.86

;; AUTHORITY SECTION:
send-safe.com. 172800 IN NS dns.send-safe.com.
send-safe.com. 172800 IN NS dns2.send-safe.com.
send-safe.com. 172800 IN NS dns3.send-safe.com.

;; ADDITIONAL SECTION:
dns.send-safe.com. 172800 IN A 123.212.102.86
dns2.send-safe.com. 172800 IN A 221.141.3.82
dns3.send-safe.com. 172800 IN A 74.164.16.234

;; Query time: 151 msec
;; SERVER: 192.52.178.30#53(192.52.178.30)
;; WHEN: Sat Jan 16 05:41:24 2010
;; MSG SIZE rcvd: 151



$ dig @123.212.102.86 www.send-safe.com a

; <<>> DiG 9.4.2-P1 <<>> @123.212.102.86 www.send-safe.com a
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61243
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;www.send-safe.com. IN A

;; ANSWER SECTION:
www.send-safe.com. 300 IN A 202.69.35.46
www.send-safe.com. 300 IN A 92.124.185.165
www.send-safe.com. 300 IN A 151.65.15.217
www.send-safe.com. 300 IN A 201.222.129.12

;; AUTHORITY SECTION:
send-safe.com. 300 IN NS dns.send-safe.com.
send-safe.com. 300 IN NS dns2.send-safe.com.
send-safe.com. 300 IN NS dns3.send-safe.com.

;; Query time: 725 msec
;; SERVER: 123.212.102.86#53(123.212.102.86)
;; WHEN: Sat Jan 16 xx:xx:xx 2010
;; MSG SIZE rcvd: 155



$ host 202.69.35.46
Host 46.35.69.202.in-addr.arpa. not found: 3(NXDOMAIN)
http://www.spamhaus.org/pbl/query/PBL177206
inetnum: 202.69.35.0 - 202.69.35.255
netname: GERRYSNET
descr: Gerrys Information Technology (Pvt.) Ltd.
descr: Lahore, Pakistan
country: PK

$ host 92.124.185.165
165.185.124.92.in-addr.arpa domain name pointer host-92-124-185-165.pppoe.omsknet.ru.
http://www.spamhaus.org/pbl/query/PBL286955
inetnum: 92.124.160.0 - 92.124.191.255
netname: WEBSTREAM
descr: OJSC "Sibirtelecom"
remarks: Omsk branch
remarks: broadband service
country: RU

$ host 151.65.15.217
Host 217.15.65.151.in-addr.arpa. not found: 3(NXDOMAIN)
http://www.spamhaus.org/pbl/query/PBL181419
inetnum: 151.65.0.0 - 151.65.255.255
netname: IUNET-BNET65
descr: IUnet
descr: Via Lorenteggio 257
descr: Milano, I-20100
country: IT

$ host 201.222.129.12
12.129.222.201.in-addr.arpa domain name pointer 12-129-222-201.adsl.terra.cl.
http://www.spamhaus.org/pbl/query/PBL146807
inetnum: 201.222.128/18
status: allocated
owner: Terra Networks Chile S.A.
ownerid: CL-TNCS-LACNIC
responsible: Technical Contact
address: Avda. Vitacura, 2736, Piso 2
address: 1 - Santiago - RM
country: CL
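
The DNS snapshots above show the two traits the report calls "fast flux": a large, short-TTL A record set spread across unrelated access networks, and nameserver glue that moves between hosts. The following is an added example, not Spamhaus tooling or part of the original record. It parses records copied from the dig output on this page and computes those indicators; the thresholds and the /16 grouping are illustrative assumptions.

```python
import ipaddress

# Records copied from the dig output on this page (12 Jan and 16 Jan 2010).
JAN12 = """\
dns.send-safe.com. 172800 IN A 202.74.170.49
dns2.send-safe.com. 172800 IN A 221.141.3.82
dns3.send-safe.com. 172800 IN A 58.7.4.106
;; ANSWER SECTION:
send-safe.com. 300 IN A 217.172.243.66
send-safe.com. 300 IN A 61.46.249.111
send-safe.com. 300 IN A 77.253.177.191
send-safe.com. 300 IN A 91.139.185.134
send-safe.com. 300 IN A 123.236.110.136
send-safe.com. 300 IN A 151.65.13.68
send-safe.com. 300 IN A 187.41.112.228
send-safe.com. 300 IN A 201.222.134.38
"""
JAN16 = """\
dns.send-safe.com. 172800 IN A 123.212.102.86
dns2.send-safe.com. 172800 IN A 221.141.3.82
dns3.send-safe.com. 172800 IN A 74.164.16.234
"""

def parse_dig(text):
    """Return (name, ttl, type, value) tuples; ';' comment lines are skipped."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and not line.startswith(";") and f[2] == "IN":
            out.append((f[0].lower(), int(f[1]), f[3], f[4]))
    return out

def flux_indicators(records, name, max_ttl=600, min_hosts=4):
    """Summarise the A set for `name`. Thresholds are illustrative assumptions."""
    a = [r for r in records if r[0] == name and r[2] == "A"]
    nets = {ipaddress.ip_network(r[3] + "/16", strict=False) for r in a}
    ttl = min((r[1] for r in a), default=None)
    hit = bool(a) and ttl <= max_ttl and len(a) >= min_hosts and len(nets) >= min_hosts
    return {"hosts": len(a), "networks": len(nets), "min_ttl": ttl, "suspicious": hit}

def glue_changes(old, new):
    """Hostnames whose A record differs between two snapshots."""
    b = {r[0]: r[3] for r in old if r[2] == "A"}
    a = {r[0]: r[3] for r in new if r[2] == "A"}
    return {n: (b[n], a[n]) for n in sorted(b.keys() & a.keys()) if b[n] != a[n]}

if __name__ == "__main__":
    print(flux_indicators(parse_dig(JAN12), "send-safe.com."))
    print(glue_changes(parse_dig(JAN12), parse_dig(JAN16)))
```

On these records the web host set is flagged (8 hosts in 8 different /16 networks at a 300-second TTL), and two of the three nameserver glue addresses differ between the 12 Jan and 16 Jan snapshots.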



The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is: https://www.spamhaus.org/rokso/evidence/ROK9023/

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2016 The Spamhaus Project Ltd. All rights reserved.