Blog for hpHosts, and whatever else I feel like writing about ....

Wednesday, 31 March 2010 and down

Not entirely sure why at the moment, but both and ( hosting company) are down at present.

I'm still looking into why, and the very annoying time difference (they're several hours behind us folk in the UK) is making contacting them a little difficult. I have ruled out an issue with DNS as they're resolving absolutely fine, and trying to load the site via IP instead of hostname yields the same results.

Looking at a tracert result indicates the problem is inside the FluidHosting network, as there are no timeouts or such.

If you've got contacts at FluidHosting that are available at this time of day, perhaps you'll have more luck contacting them than I'm having at present (as an aside, I verified the status via several routes, just to ensure the problem wasn't at this end).

Attempts to phone them via the number listed in their WhoIs (860-656-6191) result in a message telling me the number is not in service. Oh dear.

/edit 14:06 GMT London

Everything seems to be back up and running folks. A comment further down (thanks Mark_H! :o) ) suggests the problem was their entire DC going down. Again however, no idea at this point as to what caused it to do so. Hopefully FluidHosting themselves will post information on what happened to their site.

/edit 14:46 GMT London

I've just checked the FluidHosting forums and found this (posted by "FH-John"), which explains what happened;

The problem was caused by a temporary fault in our core switch. This fault resulted in the switch allowing ping, and intra-network traffic, while effecting other protocols such as HTTP from reaching our network.

The thread is at the URL below, though you've got to be registered on their forums to see it (not entirely sure why). There's nothing on their homepage about this issue.

Tuesday, 30 March 2010

vURL Server downtime

Apologies for the vURL Online server downtime earlier folks. Sadly the PSU died (was busy at the time so didn't notice right away). I've popped in an older spare PSU until I can get to the shop for a new one.

Sunday, 28 March 2010

fSpamlist: New "profile" cards

Just a note folks, there are now "profile cards" available for the IPs/email addresses listed in fSpamList.

Note: Additional information on the domains in the e-mail addresses should be listed on e-mail address profile/report cards in due course.

Friday, 26 March 2010 - New RSS feeds!

I am happy to announce, Josh at fSpamList has now added two RSS feeds;

Latest additions

Most reported spammers

Spambot Search Tool: v0.47

Due to a bug in the SBST UI, v0.47 has now been released. Sorry folks.

Thursday, 25 March 2010

Spambot Search Tool: v0.46R2

I've re-released v0.46 of the SBST that was released a couple or so hours ago, due to a bug in the script that produces a warning when the whitelist is empty.


Friday, 19 March 2010

A quick followup

Just an update to this folks. never responded; the support@ address didn't bounce (so presumably they did actually receive it), but the postmaster@ address did. is no longer a Paretologic affiliate, but instead is now peddling a much, much worse "fully fledged" rogue - RegTool. And what have' hosting company had to say? Well, disgustingly, "Robert R., Abuse Coordinator" at DreamHost had this to say;

Upon review of the \"regCure\" software we found none of the major anti-spyware/malware/virus providers identified the file as malicious. We will be keeping an eye on the domain and account hosting it for any signs of malicious activity and take appropriate action when sufficient evidence is present.

As for the google search result, that is something google needs to be notified of to block the domains from their search results pages in a more permanent fashion.

FYI, I never said the site WAS peddling RegCure, I said it USED TO (until Paretologic killed it). Alas, he's evidently incapable of analysis, relying solely on VT results (presumably that's what he used; I find it difficult to believe he used multiple scanners himself). Oh and Robert, NOD32 blocks before the site even loads - so whilst the app itself may not yet be detected (nope, I don't know why it's taking so long either), the site certainly is ;o)

I am however guessing our dear Robert didn't check with Malwarebytes AntiMalware, else he'd have seen it is indeed detected by a pretty big player in the AM field;


Naming and Shaming ‘Bad’ ISPs

Roughly two years ago, I began an investigation that sought to chart the baddest places on the Internet, the red light districts of the Web, if you will. What I found in the process was that many security experts, companies and private researchers also were gathering this intelligence, but that few were publishing it. Working with several other researchers, I collected and correlated mounds of data, and published what I could verify in The Washington Post. The subsequent unplugging of malware and spammer-friendly ISPs Atrivo and then McColo in late 2008 showed what can happen when the Internet community collectively highlights centers of badness online.

Fast-forward to today, and we can see that there are a large number of organizations publishing data on the Internet’s top trouble spots. I polled some of the most vigilant sources of this information for their recent data, and put together a rough chart indicating the Top Ten most prevalent ISPs from each of their vantage points. [A few notes about the graphic below: The ISPs or hosts that show up more frequently than others on these lists are color-coded to illustrate consistency of findings. The ISPs at the top of each list are the "worst," or have the most number of outstanding abuse issues. "AS" stands for "autonomous system" and is mainly a numerical way of keeping track of ISPs and hosting providers.


Thursday, 18 March 2010

Avant Force: Development update

Avant Force, the team (well I say Team, last I knew there was actually only my friend, Anderson Che, developing both Avant Browser and Orca Browser), has published an update on the blog, giving outlines of what's going on with regards to Avant Browser and the much anticipated v12, previously scheduled for release in January, then February 2010.

Sadly, v12 is still not here; we're still with the 11 series (11.7 Build 46 SR3), and yes, this series has had its problems, the biggest of which by far being a memory leak that causes it to crash sporadically after several days of constant use (most notably when I've gone up to 72 hours or so without sleep, it's got a tendency to either crash whilst I'm finally getting sleep, or soon after I wake up). In saying this however, the latest build is by far the most stable of the 11 series (just as well too, or I'd not be able to use it ....).

I've spoken with Anderson several times about v12, and some of the things I'm aware of, both from speaking with him and from reading the blog (yep, work/family/development/hardware issues and hpHosts etc has me busy), are that v12 is a complete re-write from the ground up, complete with a re-write (obviously) of the skinning and plugin systems (themes are rumoured to be more along the lines of those that Firefox users are familiar with, though I don't have details on that yet).

I'm just rambling now though, so I'll just point you to the blog to read up on what's happening;

Full disclosure: I've been the server/forum admin for the Avant/Orca browsers' forums for a few years now, and have additionally been running the AB Archives (archive of old/current Avant/Orca releases) since 2003, and being a friend of Anderson's for years, am obviously a little biased when it comes to his projects.

Tuesday, 16 March 2010

Dear Avira: Errr, say it ain't so .....

Going on a little hunt for new stuffage whilst the test machine's image was restored, I stumbled upon a thread on the Avira forums referencing hpHosts; nothing wrong there.

The post was alerting the Avira folk to a SpyEraser variant at (post references a different IP (, AS44107 Prombuddetal LLC), but a lookup a few seconds ago showed it residing at -, AS2588 LATNETSERVISS-AS LATNET ISP).

Given we already know SpyEraser is a rogue, I was surprised to find the following response from a member of staff on the forums;

Hang on a second .... you've admitted it's a rogue, and the program itself will be detected, but because the installer displays an EULA, the installer isn't going to be detected? Am I the only one surprised by this?

hpHOSTS - UPDATED March 16th, 2010

The hpHOSTS Hosts file has been updated. There are now a total of 126,051 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Last Updated: 16/03/2010 14:00
  2. Last Verified: 16/03/2010 13:00

Download hpHosts now!

Just a note folks, I am aware of the issues with the hpHosts website, and am working on resolving it (MySQL server keeps getting overloaded).

A lesson in guaranteeing you'll be blacklisted

There are many, many ways to ensure your site will be blacklisted;

1. Utilizing malware/exploits
2. Developing/distributing [1]
3. Using unethical means to promote a site or program
4. Utilizing hijacks
5. Utilizing blackhat SEO techniques
... etc etc etc etc

The list goes on and on and on.

Another method however, of ensuring you'll be blacklisted, is by spamming through compromised e-mail accounts. This is a method decided to use yesterday when either themselves, or someone associated with them, decided it was a good idea to compromise my other half's e-mail accounts (not a good idea, especially when you're going to spam everyone in her contacts list - as that includes me - whoops!).

The two e-mails I received contained;

I would like to say that I am impressed with the quality and service.Always accommodating to you,please look 〖〗 <>


my boots came from www.nivanoland.info <> , they are wonderful will definatley use this site can look too,sweetie.they are gr8.

Both of these sites have one thing in common - they both redirect to Chinese owned ( -, AS36351 SOFTLAYER - SoftLayer Technologies Inc).

WhoIs for;

Domain Name .....................
Name Server .....................
Registrant ID ................... hc493605238-cn
Registrant Name ................. lei li
Registrant Organization ......... lilei
Registrant Address .............. taipingqu2haolou604
Registrant City ................. nanchang
Registrant Province/State ....... jiangxi
Registrant Postal Code .......... 521000
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.02063088768 -
Registrant Fax .................. +86.02063088768 -
Registrant Email ................
Administrative ID ............... hc493605238-cn
Administrative Name ............. lei li
Administrative Organization ..... lilei
Administrative Address .......... taipingqu2haolou604
Administrative City ............. nanchang
Administrative Province/State ... jiangxi
Administrative Postal Code ...... 521000
Administrative Country Code ..... CN
Administrative Phone Number ..... +86.02063088768 -
Administrative Fax .............. +86.02063088768 -
Administrative Email ............
Billing ID ...................... hichina001-cn
Billing Name .................... hichina
Billing Organization ............ HiChina Web Solutions Limited
Billing Address ................. 3/F., HiChina Mansion
No.27 Gulouwai Avenue
Dongcheng District
Billing City .................... Beijing
Billing Province/State .......... Beijing
Billing Postal Code ............. 100011
Billing Country Code ............ CN
Billing Phone Number ............ +86.01064242299 -
Billing Fax ..................... +86.01064258796 -
Billing Email ...................
Technical ID .................... hichina001-cn
Technical Name .................. hichina
Technical Organization .......... HiChina Web Solutions Limited
Technical Address ............... 3/F., HiChina Mansion
No.27 Gulouwai Avenue
Dongcheng District
Technical City .................. Beijing
Technical Province/State ........ Beijing
Technical Postal Code ........... 100011
Technical Country Code .......... CN
Technical Phone Number .......... +86.01064242299 -
Technical Fax ................... +86.01064258796 -
Technical Email .................
Expiration Date ................. 2010-08-26 17:24:02
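The dotted-leader WhoIs layout above is easy to read but awkward to compare across domains by eye, and the point of the post is that two different spamvertised sites tie back to the same registrant. The following is an added example (not the blog's own tooling) of a small parser for that format, written in Python. It handles the multi-line postal address fields (the continuation lines have no label or dot leader) and then compares the registrant fields of two records. The sample record is constructed from a trimmed copy of the one quoted above, with a placeholder domain because the post does not name it.

```python
import re

# Constructed sample, modelled on the dotted-leader record quoted in the post.
# The domain is a placeholder; the post elides the real one.
SAMPLE_WHOIS = """\
Domain Name ..................... example.invalid
Name Server ..................... ns1.example.invalid
Registrant ID ................... hc493605238-cn
Registrant Name ................. lei li
Registrant Organization ......... lilei
Registrant Country Code ......... CN
Registrant Phone Number ......... +86.02063088768 -
Administrative ID ............... hc493605238-cn
Administrative Name ............. lei li
Billing Organization ............ HiChina Web Solutions Limited
Billing Address ................. 3/F., HiChina Mansion
No.27 Gulouwai Avenue
Dongcheng District
Billing City .................... Beijing
Expiration Date ................. 2010-08-26 17:24:02
"""

# A field line is "<label> <run of dots> <value>"; the label may contain
# spaces and a slash (e.g. "Registrant Province/State").
FIELD = re.compile(r"^(?P<label>[A-Za-z][A-Za-z /]*?)\s*\.{3,}\s*(?P<value>.*)$")


def parse_whois(text):
    """Parse a dotted-leader WhoIs record into a {label: value} dict.

    Lines that do not look like a labelled field are treated as continuation
    lines of the previous field (multi-line postal addresses) and appended to
    it with a newline. A trailing " -" (empty extension, as on the phone and
    fax lines) is stripped from values.
    """
    record = {}
    last = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = FIELD.match(line)
        if m:
            last = m.group("label").strip()
            record[last] = m.group("value").strip().rstrip(" -").strip()
        elif last is not None:
            record[last] = (record[last] + "\n" + line.strip()).strip()
    return record


def registrant_key(record):
    """The fields an analyst compares to tie several domains to one operator."""
    return tuple(record.get(k, "")
                 for k in ("Registrant ID", "Registrant Phone Number", "Registrant Name"))


def same_operator(rec_a, rec_b):
    """True when both records carry the same, non-empty registrant identity."""
    return rec_a.get("Registrant ID", "") != "" and registrant_key(rec_a) == registrant_key(rec_b)


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    for label in ("Registrant ID", "Registrant Phone Number", "Billing Address", "Expiration Date"):
        print(f"{label}: {rec[label]!r}")
```

Feeding two records through parse_whois and same_operator is the check behind the "one thing in common" observation: identical registrant ID, name and phone across domains registered through the same reseller is a stronger link than shared hosting alone.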

Thursday, 11 March 2010

OI! Anyone awake over there?

I am writing this because you evidently couldn't be bothered to conform to the RFCs and have an active ABUSE@ address!!!

When will these companies realise that if they're offering a service such as hosting or connectivity, they MUST provide a WORKING abuse@ address for abuse complaints.


I've already had Paretologic kill off the affiliate that was using blackhat SEO tactics to peddle the program, so the abuse report is a little irrelevant now, but the point isn't (I've re-sent the report to postmaster@ and support@, so we'll see if they get rejected too).

Crimeware friendly ISP's: VITAL TEKNOLOJI (AS44565)

Turkish based ISP VITAL TEKNOLOJI (AS44565) has been appearing on my radar for quite some time, and not under the most flattering of terms - they've been, and continue to be, home to a major source of badness. Namely, exploits and fake AVs.

They actually have several ranges under their control, the most active of which are;

I can't say which has been the worst of the lot, as there's been badness across every single one so far. has been the least active of the 3 over the past week or three.

By far the biggest problem across these ranges has been with fake AVs and exploits, just some of which include;

Rather interestingly, I have noticed they've stopped bothering to make it a challenge to identify the payloads when it comes to the fake AVs. No longer do I have to actually decode anything or run anything; I just grab the source and look for a line such as the following;

dl_755e = '7_755eab.html';

Replace .html (also seen as .jpg and .php) with .php and voila, you've got your payload (I had to point that out to Jerome at Paretologic last month incidentally).
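Pulling that filename out of saved page source by hand works for one page, but across a range as busy as the ones above it is worth scripting, so the payload names can be submitted to vendors or blocklisted in bulk. The block below is an added example in Python, not code from the blog or the SBST: it scans captured HTML for the `dl_<hex> = '...';` assignment pattern quoted above and applies the extension swap the post describes. The page source it runs on is a constructed sample built around the quoted line; the variable-name pattern (`dl_` followed by hex digits) is an assumption generalised from that single line.

```python
import re

# Constructed sample of landing-page source, built around the line quoted
# in the post; the second assignment is made up to show the .jpg disguise.
SAMPLE_SOURCE = """<html><head><script type="text/javascript">
var dl_755e = '7_755eab.html';
var dl_1a2b = "9_1a2bcd.jpg";
var ver = '1.0';
</script></head><body></body></html>"""

# Assumed pattern: a JavaScript assignment of a quoted filename to a variable
# named dl_<hex digits>, e.g.  dl_755e = '7_755eab.html';
DL_LINE = re.compile(r"""\bdl_[0-9a-f]+\s*=\s*['"]([^'"]+)['"]\s*;""")

# Extensions the post reports the payload being disguised with.
DISGUISED_EXT = re.compile(r"\.(html|jpg|php)$", re.IGNORECASE)


def candidate_payloads(source):
    """Return the payload filenames a captured fake-AV page points at.

    Each dl_<hex> assignment yields one candidate: the quoted name with its
    disguised extension replaced by .php, as the post describes. Duplicates
    are dropped while keeping first-seen order so the list can go straight
    into a report or blocklist.
    """
    seen = set()
    found = []
    for m in DL_LINE.finditer(source):
        name = m.group(1).strip()
        candidate = DISGUISED_EXT.sub("", name) + ".php"
        if candidate not in seen:
            seen.add(candidate)
            found.append(candidate)
    return found


if __name__ == "__main__":
    for path in candidate_payloads(SAMPLE_SOURCE):
        print(path)
```

Run over a directory of saved page sources, the function gives the per-page payload names without executing or decoding anything, which is exactly the shortcut the post is pointing out; pages that lack the pattern simply return an empty list and still need the old manual look.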

They also seem to be keeping the redirection domains in place a little longer than previously. For example;

All of which, still reside at, which I'm sure you'll recognize as being from the equally crimeware friendly Eveloz.

Annoyingly however, there's still a plethora of this to be found via the likes of Google (yep I know, surprise surprise).

Microsoft Tech Days: Are you going?

A week of free technology events for developers,
IT professionals and IT managers

What's on for Developers?

We'll be updating the agenda and session information over the coming days.
Follow @uktechdays to be the first in the know.

We're going back to basics and have hired two London cinemas during the week so we can deliver the kind of content you've been asking to hear about. Please note that we'll only be able to provide light refreshments during the day - so don't forget your pack lunch!

Featured speakers: Jason Zander, General Manager; Ingo Rammer, Thinktecture,
Ian Griffiths, Interact Software and Mike Taulty, Microsoft UK

What's on for IT Professionals and IT Managers?

We'll be updating the agenda and session information over the coming days.
Follow @uktechdays to be the first in the know.

We're going back to basics and have hired two London cinemas during the week so we can deliver the kind of content you've been asking to hear about. Please note that we'll only be able to provide light refreshments during the day - so don't forget your pack lunch!

Featured speakers: Chris Jackson, Microsoft Consulting Services, Corp; Gordon McKenna, Inframon; James O'Neill, Microsoft UK and Andrew Townhill, UK Technology Director, Microsoft.

Where is it?

The developer days are being held at;

Vue Cinema Fulham Broadway, Screen 6

And the IT Professional days are being held at;

Vue Cinema Shepherds Bush, Screen 9

You can find directions to both, over at the Microsoft website;


IT Professional

Great! Where do I register?

You can register for attendance at;

(the question nobody is asking) Are you going to be there?

I'm not, no. Work, family and finances dictate I can't go to this one. But do let me know how it goes!

Spambot Search Tool: offline

I have had a few users telling me they were having problems both contacting me, and using the SBST. One user narrowed it down to, and I stupidly didn't think to check the site myself at the time.

Checking today shows the site is offline. It's still resolving to, but no content is there, so it's failing to connect. There's no contact information in the WhoIs for the site so I've no way of contacting the site's owner to find out what's going on.

Until the site is back, those of you using the Spambot Search Tool should disable the check by changing the following in config.php;

$bBlockDisposable = TRUE; //

to

$bBlockDisposable = FALSE; //

Wednesday, 10 March 2010

Pinball Publisher Network: Yet more blackhat SEO goodness

Going through the latest Google results for new malicious goodness, I stumbled upon a URL I was fully expecting to be serving me with a fake AV (the last 10 or so I'd checked had done), but alas no, not this time. This time I was to be served a page that led me to a fake search results page (PPC fraud);

And from there, on to, which leads you to Pinball Publisher Network.

Where we're offered the SeekMo toolbar, BarDiscover*, and ShopperReports.

* BarDiscover comes courtesy of and Both sites live at (AS40634 FIRSTLOOK-COM - FirstLook, Inc.) and also have a history tied to the infamous NewDotNet

The full redirection results (inclusive of my clicking all URL's on the "results" page) are;¶meter=sex+videos's%20First%20Scene_medium.jpg;ro=1;rc=2;digest=5b589ef2c2186c2b7999a55fc2752b62;kid=4af930d14d071dbe0ed7bafa3af48e34;t=1268232880;v=8;data=bZ5ZpZGpHISrP1CBWo6cn6PvDaLpEra8VwW1tLpU_fg4r01Nve51dwTCHUZG5z8ju2T0rcBJj_z80-7ck4Ai53fUIzG26lYkQSQcIShxIBKkPaIglMO9DdALNFkLge4Rno5MnrC10-YHvs-_mvkcDZoTQqP2PWYm93oyfB95v8jpeShe0vb30A;uh=156x1141429177654101675;la=770129;lm=1016658;ad=667108128;ag=667108128;kw=504643474;qt=sex%20videos;vr=1;lt=BM;ip=;pt=;st=;os=326.;sy=keyword;my=smart;geo=894269;vid=0;subid=176132-3360601274;opi=adks1;ii=9c4.1eff.4b97b2b0.16a3;pn=;to=;tc=2;po=1;pc=2;pi=adks1:adult;ts=;rm=|

As an aside, and have been appearing in quite a few blackhat campaigns over the last few months or so. Perhaps it's time they got a kick in the behind too.

Tuesday, 2 March 2010

Server downtime

Sorry for the downtime folks. ( decided it would be fun to constantly flood the server.

/edit 01:20 03-03-2010

This little bugger is back, this time using (