As I normally do, I tried dropping the address listed in the net-block info an e-mail (cmueller@cronon.net and abuse@cronon.net), sadly it seems they don't want to receive abuse reports;
Mail delivery to the following recipient has finally failed:
abuse@cronon.net
Last reason: 550 5.0.0 Mailbox unavailable/command rejected for policy reasons/no
access
Explanation: host kled9.cronon.net [192.166.196.9] said: message denied by policy
[M31efc90 15611 Wed, 19 Oct 2011 02:29:34 +0200 (MEST)]
Transcript of session:
... while talking to kled9.cronon.net [192.166.196.9]:
>>> DATA (end of message)
<<< 550 message denied by policy [M31efc90 15611 Wed, 19 Oct 2011 02:29:34
+0200 (MEST)]
abuse@cronon.net
Last reason: 550 5.0.0 Mailbox unavailable/command rejected for policy reasons/no
access
Explanation: host kled9.cronon.net [192.166.196.9] said: message denied by policy
[M31efc90 15611 Wed, 19 Oct 2011 02:29:34 +0200 (MEST)]
Transcript of session:
... while talking to kled9.cronon.net [192.166.196.9]:
>>> DATA (end of message)
<<< 550 message denied by policy [M31efc90 15611 Wed, 19 Oct 2011 02:29:34
+0200 (MEST)]
Wed 2011-10-19 01:15:06: --> RCPT To:<cmueller@cronon.net>
Wed 2011-10-19 01:15:07: <-- 250 2.1.5 <cmueller@cronon.net> Recipient ok
Wed 2011-10-19 01:15:07: --> DATA
Wed 2011-10-19 01:15:07: <-- 354 Enter data for mail with id y046e6n9IM767p
Wed 2011-10-19 01:15:07: Sending <xxxxxxxxxxxxxxxxxxxxxxxx\pd50000562659.msg> to [81.169.145.102]
Wed 2011-10-19 01:15:07: Transfer Complete
Wed 2011-10-19 01:15:07: <-- 550 5.7.1 recipients have complained about included content (B-URL)
Wed 2011-10-19 01:15:07: --> QUIT
--- End Transcript ---
Wed 2011-10-19 01:15:07: <-- 250 2.1.5 <cmueller@cronon.net> Recipient ok
Wed 2011-10-19 01:15:07: --> DATA
Wed 2011-10-19 01:15:07: <-- 354 Enter data for mail with id y046e6n9IM767p
Wed 2011-10-19 01:15:07: Sending <xxxxxxxxxxxxxxxxxxxxxxxx\pd50000562659.msg> to [81.169.145.102]
Wed 2011-10-19 01:15:07: Transfer Complete
Wed 2011-10-19 01:15:07: <-- 550 5.7.1 recipients have complained about included content (B-URL)
Wed 2011-10-19 01:15:07: --> QUIT
--- End Transcript ---
And yep, I tried sending via both my Malwarebytes address and my normal it-mate.co.uk address.
Until they stop rejecting abuse reports, I'd strongly recommend you put a block on their IP range.
The offending URLs, for those wondering;
hxxp://praxisreuss.de/info/Profiel.zip - 81.169.145.66
hxxp://www.karate-shanghai.de/download/Profiel.zip - 81.169.145.164
hxxp://www.edv-xp.de/info/Profiel.zip - 81.169.145.75
hxxp://www.foodoffice.de/download/Profiel.zip - 81.169.145.65
Domains the malware contacts;
duffiduffid.ru -> /stat/stat3.php
dzmeritelshop.ru -> /dbs/0088.exe
dzmeritelshop.ru -> /dbs/images.php
dzmeritelshop.ru -> /dbs/logo84.php
Both of these are housed at;
218.24.113.3 Failed resolution 4837 4837 218.24.0.0/16 CHINA169-BACKBONE CNCGROUP China169 Backbone
197.112.2.4 Failed resolution 33774 33774 197.112.0.0/12 DJAWEB
113.161.87.176 static.vdc.vn 45899 45899 113.161.64.0/19 VNPT-AS-VN VNPT Corp
60.19.30.135 Failed resolution 4837 4837 60.16.0.0/13 CHINA169-BACKBONE CNCGROUP China169 Backbone
71.217.16.11 71-217-16-11.tukw.qwest.net 209 209 71.208.0.0/12 ASN-QWEST - Qwest Communications Company, LLC
197.112.2.4 Failed resolution 33774 33774 197.112.0.0/12 DJAWEB
113.161.87.176 static.vdc.vn 45899 45899 113.161.64.0/19 VNPT-AS-VN VNPT Corp
60.19.30.135 Failed resolution 4837 4837 60.16.0.0/13 CHINA169-BACKBONE CNCGROUP China169 Backbone
71.217.16.11 71-217-16-11.tukw.qwest.net 209 209 71.208.0.0/12 ASN-QWEST - Qwest Communications Company, LLC
luigimonaco.org -> /_private/loadera5.exe
IP: 195.110.124.133
AS: 12363 195.110.124.0/22 DADA-AS DADA S.p.a.
Registrars and hosts/ISPs have been notified.
Posts
No comments:
Post a Comment