Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 27 February 2011

Dear ProBoards Abuse dept - FOCUS ON ABUSE!

I came across something a few minutes ago that absolutely disgusted me. A ProBoards user reported a fraudulent advert being served through the ProBoards service, and instead of saying thank you - the ProBoards abuse dept sent a warning to the USER THAT REPORTED IT, due to a simple NON-ABUSIVE message at the top of the user's forums;

Little screenshot in case ProBoards takes it down;

I personally find this absolutely abhorrent. ProBoards abuse - your users can place any *warning* they wish to, as far as adverts on their forums or anywhere else are concerned, if they feel the adverts could be malicious (and note, she never said NOT to click the adverts), especially if YOU are not going to stop the adverts being shown in the first place.

Kas: If you would like to move your forum elsewhere, drop me an e-mail.

Thursday, 24 February 2011

Money mules, downloads and Portlane

As if money mules didn't have enough to worry about, what with the risk of not only upsetting those "using" them, but of being prosecuted for fraud - they've now got to risk not answering a questionnaire correctly and being rejected (the thought of being rejected as a money mule, due to not answering correctly, is simply hilarious).

An MDL user pointed me to a few sites running the ever so popular money mule scams. These sites are used purely to recruit the mules, and to manage them (there's a members area once accepted, where the mule is permitted to upload files such as ID scans and whatnot).

There is, however, a little difference - the presence of a download;

Below is a test prepared by professional psychologists and is required in order to be considered a competent candidate for the offered position.

After successful completion of your test, you will be asked to register on our web site. If you are not ready to register right away, please wait to take the test at a later time.

To REGISTER, simply run the test and you will be prompted to click on the "Register Now" button at any time and be redirected to the login page, without having to take the test again.

*This test is under development and we are grateful for all comments and suggestions.

Download test

*If you are having trouble running the test and your computer is requesting administrative rights, download the test and simply right-click on the Test icon and select "Run As Administrator" from the menu.

The "download" runs the potential mule through a set of questions, to which they must provide the "correct" answers to be accepted. Once accepted, they're then sent to an acceptance page on the scammers' website.

You're also sent an e-mail telling you your registration request has been received;

Dear Jack Anory,
We have accepted your application for PAYMENT PROCESSING AGENT position.
To complete the registration procedure please execute two remaining steps:
• Download the contract:
Familiarize yourself with all points of agreement. Pay much attention to the following clauses:, Termination of the Agreement (11), EXHIBIT A. Fill all of the required information in the contract in the highlighted areas (your name must be filled in on the first page, Part 20 must be filled out and you must sign the agreement) and upload a scanned copy of it into your Task Manager account (use your login and password). Should any problems arise please contact our Job Department at Agreement becomes valid since the moment of your Task Manager account activation. You should be familiar with that the validity of the contract in the electronic form is completely identical to the contract signed at personal presence of both parties.
• To pass the procedure of identity verification in order to prevent fraudulent registrations, you are required to upload a scanned copy of your ID or utility bill into your Task Manager account (use your login and password). In case of any problems please contact our Job Department at
*We guarantee full confidentiality of your personal information, more details on this matter are available in our Privacy Policy
NOTE: If you're unable to scan the documents please use fax. Here is our number: +44 0208 099 7381
Your TM account will be activated in 2-48 hours after the receipt of necessary information.

Support Team
Fourth Group Ltd

This particular e-mail had the following headers;

Return-Path: <>
Delivered-To: [REMOVED]
X-Quarantine-ID: <JgUv8YSIJW4B>
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "To"
X-Spam-Flag: NO
X-Spam-Score: -0.81
X-Spam-Status: No, score=-0.81 tagged_above=-9999 required=1.3
tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377,
T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ( [])
by (Postfix) with SMTP id B65F6398110
for <[REMOVED]>; Fri, 25 Feb 2011 03:20:20 +0000 (GMT)
Received: (qmail 20212 invoked from network); 25 Feb 2011 03:19:32 -0000
Received: from (
by with SMTP; 25 Feb 2011 03:19:32 -0000
Received: from scissors by with local (Exim 4.69)
(envelope-from <>)
id 1PsoE7-0000Jl-6M; Thu, 24 Feb 2011 21:20:19 -0600
Subject: Fourth Group Ltd: Your registration request received
X-PHP-Script: for
Received: from [] (helo=localhost) by s62 with esmtpa (Exim
4.73) (envelope-from <WUMG_QUEUE@s62>) id 1PsoCd-0007HD-SK for
[REMOVED]; Thu, 24 Feb 2011 22:18:47 -0500
Subject: Fourth Group Ltd: Your registration request received
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 24 Feb 2011 22:20:17 -0500
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Message-ID: <>
Message-ID: <>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [1825 32003] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/scissors/public_html/images.php
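The Amavis alert in the headers above fires on a duplicated To: field, and the quoted block also carries two Subject: lines, two empty Message-ID: lines, an empty Return-Path, and X-PHP-Script / X-Source headers showing the mail was sent by a PHP script from a web hosting account. The Python below is an added example, not code from this post, that parses a raw header block and reports exactly those structural anomalies. The sample headers are constructed: the structure follows the post, but the hostnames and addresses removed from the quote are replaced with .invalid placeholders and documentation-range addresses; the queue ids and script path are the ones shown in the post.

```python
"""Flag structural anomalies in a raw e-mail header block (added example)."""
from email import message_from_string
from typing import List

# RFC 5322 section 3.6 allows at most one of each of these fields per message.
SINGLETON_FIELDS = ("date", "from", "sender", "reply-to", "to", "cc", "bcc",
                    "message-id", "in-reply-to", "references", "subject")

# Header names (as seen in the post) that reveal a web script, not a mail
# client, generated the message.
SCRIPT_ORIGIN_FIELDS = ("x-php-script", "x-source", "x-source-args")

# Constructed sample: structure copied from the post, hostnames and addresses
# replaced with placeholders (.invalid names, RFC 5737 address ranges).
SAMPLE_HEADERS = """\
Return-Path: <>
Delivered-To: victim@example.invalid
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "To"
Received: from relay.example.invalid (relay.example.invalid [192.0.2.10])
 by mx.example.invalid (Postfix) with SMTP id B65F6398110
 for <victim@example.invalid>; Fri, 25 Feb 2011 03:20:20 +0000 (GMT)
Received: from scissors by web.example.invalid with local (Exim 4.69)
 (envelope-from <>)
 id 1PsoE7-0000Jl-6M; Thu, 24 Feb 2011 21:20:19 -0600
Subject: Fourth Group Ltd: Your registration request received
X-PHP-Script: web.example.invalid/images.php for 192.0.2.10
To: victim@example.invalid
Subject: Fourth Group Ltd: Your registration request received
To: victim@example.invalid
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 24 Feb 2011 22:20:17 -0500
Message-ID: <>
Message-ID: <>
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/scissors/public_html/images.php
"""


def header_anomalies(raw_headers: str) -> List[str]:
    """Return human-readable findings for one message's header block."""
    msg = message_from_string(raw_headers)  # header-only input parses fine
    findings: List[str] = []

    # Repeated singleton fields: mail clients never do this, hand-rolled
    # PHP mailers frequently do.
    for name in SINGLETON_FIELDS:
        count = len(msg.get_all(name) or [])
        if count > 1:
            findings.append(f"duplicate header field: {name} x{count}")

    # Fields that are present but carry no value.
    return_path = msg.get("return-path")
    if return_path is not None and return_path.strip() in ("", "<>"):
        findings.append("empty Return-Path (null envelope sender)")
    message_id = msg.get("message-id")
    if message_id is not None and message_id.strip() in ("", "<>"):
        findings.append("empty Message-ID")

    # Origin headers some hosting stacks add when a PHP script calls mail().
    for name in SCRIPT_ORIGIN_FIELDS:
        if msg.get(name) is not None:
            findings.append(f"web-script origin header present: {name}")

    return findings


if __name__ == "__main__":
    for finding in header_anomalies(SAMPLE_HEADERS):
        print(finding)
```

Run over a mailbox, the duplicate-field and empty-Message-ID findings group messages from one badly written mailer together even when the sending hosts change; the X-Source-Args path is the item to quote to the hosting provider in an abuse report.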

However, this download also has a little sting in its tail - it modifies the mule's HOSTS file to include;

# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# # source server
# # x client host localhost

The sites they've chosen to block aren't particularly surprising (sorry Brian, they really don't like you), with a few exceptions - why, for example, block DomainTools, when there's a plethora of alternatives? Why block Why block SiteAdvisor when there are alternatives such as Web of Trust, and alternatives from security vendors such as Norton? Indeed, why aren't they blocking any security vendors? (that in itself is surprising).
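Since the post does not reproduce the entries the installer writes (only the stock Microsoft comment block survives above), here is an added example, not code from this post or from hpHosts, that audits a HOSTS file the way a responder would: it separates entries that blackhole a name to loopback from entries that redirect it to some other address, and flags any hit on a watchlist of research and vendor domains. The watchlist (domaintools.com, siteadvisor.com, mywot.com, norton.com) is an assumption based on the vendors named above, and SAMPLE_HOSTS is a constructed file, not the real modified one.

```python
"""Audit a Windows HOSTS file for hijacked or blackholed security sites (added example)."""
import ipaddress
import sys
from typing import List, Tuple

# Names a stock HOSTS file legitimately maps to loopback.
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                 "ip6-localhost", "ip6-loopback", "ip6-localnet",
                 "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}

# Assumed watchlist of research/vendor domains; the post names the vendors
# but does not reproduce the actual blocked list.
WATCHLIST = {"domaintools.com", "siteadvisor.com", "mywot.com", "norton.com"}

# Constructed sample file: the Microsoft comment block plus invented entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.domaintools.com       # research site blackholed
127.0.0.1       www.siteadvisor.com
127.0.0.1       ads.example.invalid       # ordinary ad-block style entry
198.51.100.7    www.example-bank.invalid  # real name pointed elsewhere
this is not a valid line
"""


def _base_domain(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (enough here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blanks and junk lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address; Windows ignores such lines as well
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Classify each non-default entry as (verdict, ip, hostname).

    verdict is 'blackhole' (loopback or 0.0.0.0) or 'redirect' (any other
    address), prefixed with 'watchlist-' when the name is on WATCHLIST.
    """
    findings: List[Tuple[str, str, str]] = []
    for ip_str, name in parse_hosts(text):
        if name in DEFAULT_NAMES:
            continue
        ip = ipaddress.ip_address(ip_str)
        verdict = "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        if _base_domain(name) in WATCHLIST:
            verdict = "watchlist-" + verdict
        findings.append((verdict, ip_str, name))
    return findings


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts-file]; default is the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_HOSTS
    for verdict, ip_str, name in audit_hosts(data):
        print(f"{verdict:20} {ip_str:16} {name}")
```

On a live machine, point it at %SystemRoot%\System32\drivers\etc\hosts. Plain 'blackhole' verdicts are not evidence on their own: a HOSTS-based blocklist such as hpHosts legitimately fills the file with 127.0.0.1 entries, so the signal is in the watchlist hits and in 'redirect' entries that point real sites at foreign addresses.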

Some of the sites identified thus far include;

And the malicious files housed there;

The IP ranges they're hosted at seem to be focused on two particularly well known players in the criminal world;

(Sweden) AS42708 PORTLANE Portlane Network
(Romania) AS39743 VOXILITY-AS Voxility SRL

Quite why Portlane still haven't been shut down is beyond me, especially given there isn't a single legit website housed over there, and to my knowledge, there never has been. Needless to say, Portlane are also heavily involved in the fake AV arena, having housed malicious goodness on virtually every single IP on the aforementioned /24, so feel free to blackhole their entire AS.

As for those of you considering a new job as a mule - is it really worth the risk of being imprisoned away from your family, for money laundering etc.?

/edit 07:40

Few more for you ;o)

/edit 26-02-2011 19:44

The servers are extremely slow at present, so I'm struggling to grab samples, but I've been advised of 3 more of these. The URLs are in the same format as previously;

Tuesday, 22 February 2011

Spambot Search Tool: v0.52

Release: v0.52
Date: 22-02-2011

* Fixed bug in functions.php
* Modified IsValidEmail() function
* Changed strpos() calls to substr_count()
* Fixed bug in check_spammers_plain.php that resulted in invalid e-mails being allowed
+ Added code to check for Bad Result error when querying blacklists
* Contains modifications (e.g. re-written isURLOnline() and getURL() functions) and bug fixes with thanks to Dan McCormick.

IMPORTANT: This update also includes modifications to the config.php file, which means you will also need to;

1. Backup your existing config.php file
2. Create a new config.php by copying and renaming config.sample.php
3. Enter your config/settings in the new config.php file


Live example:

Saturday, 12 February 2011

Spambot Search Tool

Finally had time for a bit of work on this.

Version: 0.51

* Fixed bug in check_spammers_plain.php
* Misc other fixes
+ Added
+ Added
+ Added
+ Added

Tuesday, 8 February 2011

hpHOSTS - UPDATED February, 2011

The hpHOSTS Hosts file has been updated. There is now a total of 122,245 listed hostnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 08/02/2011 21:00
  2. Last Verified: 08/02/2011 12:00
Download hpHosts now!

Wednesday, 2 February 2011

Soviet Union, fakes, phishing and spam

If x = b, what do we need numbers for?

Last time I checked, the Soviet Union didn't exist anymore, yet as we all know, the .su TLDs live on.

Random musings are great, aren't they? Well, not in this case. I've yet to see a .su domain that's actually legit, and this one is no different. The domain in this case is (also known as, a domain we're all familiar with.

This particular one was arrived at courtesy of an e-mail a friend received and forwarded to me. You'll like this, but you won't be surprised. The e-mail contained;

Subject: Avast, AVG and Avira Users - Your Alternative is Here
Date: Wed, 2 Feb 2011 03:00:00 -0500

The New AVG 2011 AntiVirus Alternative <>
Complete Antivirus Protection Solution<> Complete Antivirus Protection Solution
Dear valued customers,

We are pleased to announce the newest version of Antivirus 2011 for Windows which will provide you with total security against the latest spyware, malware, viruses, trojans and any other online threats.

Simply visit the link below and enter your Antivirus code:

Antivirus Code: 5014
Scan Your Computer Now! <>

See why more & more businesses and families trust their security to AV AntiVirus.

Thank you for choosing us, the worldwide leader Antivirus solutions.

Mike Robertson
Internet Security Specialist

Latest Threat Level Warning
Latest Threat Levels<>
Signs Your PC is Infected
Signs your PC is Infected<> Opening files takes forever
Signs your PC is Infected<> Pop-ups while browsing
Signs your PC is Infected<> Frequent System Warnings
Signs your PC is Infected<> Constant Program errors
Signs your PC is Infected<> Computer is running slow
Signs your PC is Infected<> Browser freezes Online
Signs your PC is Infected<> Right click menu is slow
Signs your PC is Infected<> Changed homepage Online

Awarded the Best Antivirus<>

You are enrolled to dailynews_mar09 as
Safely take me off <> from dailynews_mar09 at any time.

MEGUIDE LTD, No. 14 Robinson Road, #13-00, Far East Finance Building, Singapore 048545


X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9Ng==
X-Message-Status: n
X-SID-Result: Pass
X-Message-Info: 3c21WZ1hAltI9DuizMAEE0xwpqlHpZwfVbqMPT3BfX6RZ3W8ifONCn+eEK3mNQiHfRMXG+0h5ILm2+lZ0q/H7BUjNRw9chHPe5XUkZgAKAA=
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.4675); Wed, 2 Feb 2011 01:23:49 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; q=dns/txt; l=9156;;s=2010;
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=2010;;
From: Antivirus for Windows <>
Subject: Avast, AVG and Avira Users - Your Alternative is Here
Date: Wed, 02 Feb 2011 03:00:00 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
List-Unsubscribe: <>
Message-ID: <LYRIS-2214149-115971-2011.02.02-03.00.08--[REMOVED]>
X-time: 2214149
X-member: [REMOVED]
X-OriginalArrivalTime: 02 Feb 2011 09:23:49.0627 (UTC)

Both and are registered through GoDaddy and should be down shortly. They're housed at;

Current IP:
ASN: 8001 NET-ACCESS-CORP - Net Access Corporation

Current IP:
ASN: 6539 GT-BELL - Bell Canada


Current IP:
ASN: 21788 NOC - Network Operations Center Inc.

With the exception of, the domains are hidden behind a privacy service. The WhoIs for doesn't show much either;

phone: +1 242 502 8715
org: Media I Consultants
created: 2009.08.16
paid-till: 2011.08.16
source: RU-CENTER

Surprised there's no details? Nope, me neither.

Needless to say, ANYTHING you receive via e-mail that wants to sell you something, or that has arrived without you asking for it, should be consigned straight to the junk folder. That also goes for anything arriving via e-mail offering so-called security software or the like (legit vendors do not spam).