An Italian banking phishing URL spoofing CartaSi is live on a compromised host whose IP is on AS19406.

Munged URL:


URL was already reported to Netcraft and Phishtank.


As of October 31st, 2009, the attackers were DDoSing the InBoxRevenge website again. This is where the IBR anti-spam forum is hosted, and the content is definitely offline at this time.

Early morning 11/1/09, Twitter user @themarkgiles reported that IBR was under a flood attack from 750 bot IPs at a rate of 50 per second. Source IP countries included TH (Thailand), IN (India), BD (Bangladesh), RU (Russia), BR (Brazil) and PH (the Philippines), among others.

The spammers are hitting the IBR website from compromised machines under the control of a botnet. Obviously some spammer is not happy with the reporting we do of cybercriminal activities.
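The flood described above (hundreds of distinct bot IPs, tens of requests per second) is easy to tell apart from an ordinary busy moment once you bucket the web server log by second and look at both the request count and the number of distinct sources. The following is an added example, not code from the original post or from IBR: it parses combined-format access log lines, flags one-second windows where both thresholds are exceeded, and lists the sources in a flagged window so they can be fed to a blocklist. The log lines, IPs (RFC 5737 documentation ranges) and thresholds are constructed for the example.

```python
"""Flag a distributed flood in web-server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log prefix: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, request) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req")


def flood_windows(lines, min_requests=50, min_distinct_ips=20):
    """Return [(second_iso, requests, distinct_ips)] for every one-second bucket
    that looks like a *distributed* flood: many requests AND many distinct sources.
    A single aggressive crawler trips only the first condition and is not flagged."""
    per_second = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, _ = parsed
            per_second[ts].append(ip)
    flagged = []
    for ts in sorted(per_second):
        ips = per_second[ts]
        distinct = len(set(ips))
        if len(ips) >= min_requests and distinct >= min_distinct_ips:
            flagged.append((ts.isoformat(), len(ips), distinct))
    return flagged


def sources_in_window(lines, window_iso):
    """Distinct client IPs seen in one flagged second, sorted numerically."""
    ips = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1].isoformat() == window_iso:
            ips.add(parsed[0])
    return sorted(ips, key=lambda s: tuple(int(p) for p in s.split(".")))


# --- constructed sample log (not real IBR traffic) ---------------------------
def _line(ip, second, path="/forum/index.php"):
    return (f'{ip} - - [01/Nov/2009:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    # 12:00:04 - two legitimate visitors, one retrying
    [_line("198.51.100.7", 4), _line("198.51.100.7", 4), _line("198.51.100.9", 4)]
    # 12:00:05 - 60 distinct bot IPs in one second: distributed flood
    + [_line(f"203.0.113.{i}", 5) for i in range(1, 61)]
    # 12:00:06 - 55 hits from one IP: noisy crawler, not a DDoS
    + [_line("192.0.2.55", 6) for _ in range(55)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for when, n, distinct in flood_windows(SAMPLE_LOG):
        print(f"{when}: {n} requests from {distinct} distinct IPs")
        print("  sources:", ", ".join(sources_in_window(SAMPLE_LOG, when)[:5]), "...")
```

Tune the two thresholds to the site's normal traffic before relying on this; the point of requiring both is that a legitimate traffic spike from a few sources, or a single misbehaving crawler, is not mistaken for a botnet.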

We will continue to post more information as it becomes available.

UPDATE on 11/1/09

Taken from the most recent IBR Blogspot entry:

Good news — DDoS attacks not over

Members may have noticed another recent outage for several hours. It was another confirmed DDoS, via a method called “SYN flood.” In the past, these sorts of attacks have gone on for weeks. We just roll with it.

Why is it good news? It lets us know our efforts are worthwhile, because making internet crime less profitable is exactly what we’re trying to accomplish. If we weren’t making criminals want to attack us, we’d have to wonder what we were doing wrong. We never expect to achieve the amazing level of spammer ire that Blue Security suffered in its famous 2006 attack, but then we aren’t planning to try to keep the site on line during the attacks. We just fall back to the alternate methods of spreading information. If our attackers would like to try to simultaneously take down Google, Microsoft, Twitter, WordPress, and all the other sites we’ve established a presence on, they’ll get themselves a lot more law enforcement attention than they’re currently planning on.

Comments are open for this blog, though they have to be approved by a moderator. And if you have a comment that seems to merit its own “thread,” we can repaste it as a blog post that can get its own comments.

Remember that SiL also has his two blogs, which also accept moderated comments:

And we have our other sites for announcements:

As always, the best response to retaliation is to continue to do the reporting you were doing before — but to do more of it.

At the time of this post update, 18:00 GMT on 11/1/09, the IBR website loads as a 403 error (the web server is answering but refusing requests, so the site has been taken offline rather than being unreachable).

The little forum that creates big headaches for internet criminals is under another distributed denial of service (DDoS) attack. That means hundreds or thousands of zombie computers — computers like yours that have been infected by malware and put under the control of criminals — are all trying to access the site simultaneously. Websites can only handle a certain amount of traffic, so that many continuous requests shut out legitimate visitors.

Frankly, we were wondering what took them so long. We’ve been through this before. We have lots of backup means for forum admins and mods to communicate with each other and with the other members. We are prepared to just let the site be offline while these guys spend their money attacking. We’ll just chill and spend the extra time reporting their domains and bots. The difference is they don’t get to read about it.

What the rest of our members can do is take extra time reporting. Report your spam emails, so more of their IPs are blocklisted and more of their bots are disinfected. Fire up Complainterator and report domains and their nameservers to registrars. We are not some discrete target that can be shut down with a DDoS. We are our members, all over the world, and we’re in it for the long term.

Check out our other websites online for updates:

(edited out some sites no longer active as of 3/2012)

According to SpamCop’s Top 200 targets of spam reports, many of China Telecom’s IPs are top spam senders. Andrzej Filip posts these stats regularly on the Usenet newsgroup NANAE, as noted here. I am posting part of his post below, not the entire entry:

Top 200 targets of spam reports
For *the week* ending Sun Oct 11 07:04:14 2009 UTC
– —————————————————-
Total spam reports volume: 149533216
Top200 share of all spam reports: 1.36% (2035629/149533216)
The worst country: 39.5% CN [CHINA]
The worst ASN: 19.0% AS4134 (CN)
The worst prefix: 16.0% (CN AS4134)
The worst IP: (CN AS4134)

*Top 5 IP Addresses (The Dirtiest Dozen)*
# IP; ASN; prefix; spam reports; age; duration; Country (IP, prefix and reverse DNS columns not reproduced)

1  AS4134  80833  3.4 d  4.0 d  CN
2  AS4134  80358  3.4 d  4.0 d  CN
3  AS4134  56616  3.4 d  3.9 d  CN
4  AS4134  55744  3.0 h  3.1 d  CN
5  AS4134  45731  3.4 d  3.9 d  CN

As you can see above, this netblock owner is a very large spam source and has been for years. The top 5 spamming IPs all fall within that range.

The APNIC WHOIS information for this China Telecom netblock is:

inetnum: -
netname:      CHINANET-ZJ-WZ
country:      CN
descr:        CHINANET-ZJ Wenzhou node network
descr:        Zhejiang Telecom
admin-c:      CZ4-AP
tech-c:       CW27-AP
changed: 20061031
mnt-by:       MAINT-CHINANET-ZJ
source:       APNIC

address:      No.378 Yan'an Road,Hangzhou,Zhejiang.310006
country:      CN
phone:        +86-571-87080702
fax-no:       +86-571-87027816
trouble:      send spam reports to
trouble:      and abuse reports to
trouble:      Please include detailed information and times in UTC
admin-c:      CZ61-AP
tech-c:       CZ61-AP
nic-hdl:      CZ4-AP
mnt-by:       MAINT-CHINANET-ZJ
changed: 20050914
source:       APNIC

role:         CHINANET-ZJ Wenzhou
address:      No.2-1 Huancheng Road(East),Wenzhou,Zhejiang.325000
country:      CN
phone:        +86-577-88818629
fax-no:       +86-577-88818635
trouble:      send spam reports to
trouble:      and abuse reports to
trouble:      Please include detailed information and times in UTC
admin-c:      CH117-AP
tech-c:       CH117-AP
nic-hdl:      CW27-AP
mnt-by:       MAINT-CHINANET-ZJ
changed: 20031204
source:       APNIC

According to FixedOrbit, AS4134 has over 70 million IP addresses, making it one of the largest networks on the internet. The CIDR report on AS4134 lists its many IP ranges. At the Internet Storm Center, where users voluntarily submit their firewall logs, AS4134 has a lot of reported malicious activity.
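The WHOIS objects above are in the RPSL attribute:value format that APNIC, RIPE and the other RIRs share, and the lines an abuse reporter actually needs (the trouble:/abuse-mailbox: contacts and the inetnum: range) are buried among the rest. The following is an added example, not from the original post or any RIR tool: it splits raw whois output into objects, extracts the contact addresses, and turns an inetnum "first - last" range into CIDR blocks that can go straight into a blocklist. The sample object below is constructed on a documentation range, with placeholder example.net contacts rather than the real netblock owner's addresses.

```python
"""Parse RPSL-style WHOIS output for abuse reporting (added example)."""
import ipaddress
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Attributes in which RIR objects carry abuse/report contacts
CONTACT_ATTRS = {"trouble", "abuse-mailbox", "e-mail", "remarks"}


def parse_rpsl(text):
    """Return a list of objects, each a list of (attribute, value) pairs.
    Comment lines (% or #) are skipped, blank lines separate objects, and a
    line starting with whitespace continues the previous attribute's value."""
    objects, current = [], []
    for raw in text.splitlines():
        if raw.startswith(("%", "#")):
            continue
        if not raw.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if raw[0] in " \t" and current:
            attr, val = current[-1]
            current[-1] = (attr, f"{val} {raw.strip()}")
            continue
        attr, _, val = raw.partition(":")
        current.append((attr.strip().lower(), val.strip()))
    if current:
        objects.append(current)
    return objects


def abuse_contacts(objects):
    """E-mail addresses found in contact-bearing attributes, in order of appearance."""
    found = []
    for obj in objects:
        for attr, val in obj:
            if attr in CONTACT_ATTRS:
                for addr in EMAIL_RE.findall(val):
                    if addr.lower() not in found:
                        found.append(addr.lower())
    return found


def inetnum_cidrs(objects):
    """CIDR blocks covering every inetnum: 'first - last' range in the objects.
    A range that is not prefix-aligned is split into several prefixes."""
    cidrs = []
    for obj in objects:
        for attr, val in obj:
            if attr == "inetnum":
                first, _, last = val.partition("-")
                start = ipaddress.ip_address(first.strip())
                end = ipaddress.ip_address(last.strip())
                cidrs.extend(str(n) for n in ipaddress.summarize_address_range(start, end))
    return cidrs


# --- constructed sample whois output (placeholder contacts, documentation range) ---
SAMPLE_WHOIS = """\
% Information related to '203.0.113.0 - 203.0.113.255'

inetnum:      203.0.113.0 - 203.0.113.255
netname:      EXAMPLE-NET
descr:        Example Telecom, city node network
country:      ZZ
admin-c:      EX1-AP
tech-c:       EX1-AP
mnt-by:       MAINT-EXAMPLE
source:       APNIC

role:         Example Telecom NOC
address:      1 Example Road
trouble:      send spam reports to spam@example.net
trouble:      and abuse reports to abuse@example.net
trouble:      Please include detailed information and times in UTC
e-mail:       noc@example.net
nic-hdl:      EX1-AP
source:       APNIC
"""

if __name__ == "__main__":
    objs = parse_rpsl(SAMPLE_WHOIS)
    print("objects:", len(objs))
    print("report to:", ", ".join(abuse_contacts(objs)))
    print("block:", ", ".join(inetnum_cidrs(objs)))
```

Note that a range such as 198.51.100.16 - 198.51.100.47 is not a single prefix; `summarize_address_range` returns the two /28s it actually spans, which matters when the output is fed to a router or firewall that expects CIDR.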

Another blog worth reading on the “Spam Crisis in China” is Gary Warner’s.

The website FIRE (FInding RoguE Networks) tracks rogue networks based on malicious activity such as phishing, botnet command-and-control and exploited servers. At the time of this post, September 19th, 2009, the Canadian-based provider AS23522 (IPNAP-ES – GigeNET) was the top offender on FIRE’s list. One can also track this host using Google’s Safe Browsing diagnostic page for AS23522. Further research on the Malware IRC Network activity chart shows that this provider, IPNAP, shows up quite frequently for hosting IRC bots.


On September 6th, 2009, Spamhaus listed a /16, which is 65,536 IPs (one Class B), on its SBL. The listing is filed under SBL68517. One can view the ASN information for the range at robtex; according to robtex, the upstream for this range is AS3257, which is Tinet (formerly Tiscali). There are 3 current SBLs related to this large listing: SBL68517, SBL78348 and SBL78350 (the latter on a Cogentco range).

If one is rusty on subnetting (how many IPs a /N prefix covers), the CIDR entry on Wikipedia is a quick reference. Having over 65,000 IPs blocked by Spamhaus is generally a big deal to ISPs and web hosts. Spamhaus, in its research of the worst spam organisations, has determined that this IP range, which is registered to Oracle (AS794), is hijacked. Spamhaus classifies such activity under ROKSO as Zombies. Nearly all Spamhaus ROKSO (Register of Known Spam Operations) entries are the names of companies, people or similar that are known to engage in large-scale spamming; a group is listed on ROKSO once its spamming operations have been terminated by at least 3 different ISPs. Zombies (the hijacking of netblocks and IP ranges) get their own entry.

The problem of zombies (hijacked netblocks) is a real obstacle in fighting spam and blocking rogue networks. Spamhaus maintains the DROP (Don’t Route Or Peer) list of such netblocks (hijacked, or controlled outright by spam and cybercrime operations) on its website for network administrators to use in routers, firewalls or web servers to drop unwanted traffic.
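Both points above, the subnetting arithmetic behind a /16 or /23 listing and the DROP list meant for routers and firewalls, come together in a small tool. The following is an added example, not code from the original post or from Spamhaus: it parses text in the DROP file's "prefix ; SBL-reference" format, reports how many addresses each prefix covers, answers "is this IP listed?", and emits iptables rules for the listed prefixes. The entries are constructed on RFC 5737 documentation ranges with made-up SBL numbers, not the real DROP list.

```python
"""Consume a Spamhaus DROP-format list and enforce it (added example)."""
import ipaddress

# Constructed sample in the DROP file layout: ';' starts a comment,
# data lines are "<prefix> ; <SBL reference>". Not the real list.
DROP_SAMPLE = """\
; Spamhaus DROP List - constructed sample entries, not the real list
192.0.2.0/24 ; SBL000001
198.51.100.0/23 ; SBL000002
203.0.113.0/24 ; SBL000003
"""


def parse_drop(text):
    """Return [(network, sbl_ref)] from DROP-format text, skipping comments.
    strict=True makes a misaligned prefix (host bits set) raise ValueError,
    which is the right reaction to a corrupted or tampered list."""
    entries = []
    for line in text.splitlines():
        prefix, _, comment = line.partition(";")
        prefix = prefix.strip()
        if not prefix:
            continue
        entries.append((ipaddress.ip_network(prefix, strict=True), comment.strip()))
    return entries


def address_count(prefix):
    """Addresses covered by a CIDR prefix: a /16 is 65,536, a /23 is 512, a /32 is 1."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


def total_addresses(entries):
    return sum(net.num_addresses for net, _ in entries)


def lookup(entries, ip):
    """Return the SBL reference whose prefix covers ip, or None if not listed."""
    addr = ipaddress.ip_address(ip)
    for net, ref in entries:
        if addr in net:
            return ref
    return None


def iptables_rules(entries, chain="INPUT"):
    """One DROP rule per listed prefix, with the SBL reference as a shell comment."""
    return [f"iptables -A {chain} -s {net} -j DROP  # {ref}" for net, ref in entries]


if __name__ == "__main__":
    entries = parse_drop(DROP_SAMPLE)
    for net, ref in entries:
        print(f"{net!s:20} {ref:12} {net.num_addresses:>6} addresses")
    print("total listed:", total_addresses(entries))
    print("198.51.101.77 ->", lookup(entries, "198.51.101.77"))
    print("\n".join(iptables_rules(entries)))
```

The linear scan in `lookup` is fine for a list of a few hundred prefixes; for per-packet or per-connection lookups against large lists, load the prefixes into a radix tree or an ipset instead of iterating.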

It would seem that the Regional Internet Registries (RIRs: LACNIC, ARIN, RIPE NCC, AfriNIC and APNIC) should be more proactive in preventing hijacking in the first place. The RIRs allocate IPs to organizations, mainly ISPs and large corporations. Perhaps IANA (Internet Assigned Numbers Authority), which oversees the allocation of IP address space to the RIRs, should take some action as well to minimize the theft of netblocks by spammers. Then again, anyone who watches the issue of fraudulent domain name purchases knows that ICANN rarely takes direct action against domains registered by spammers, often with stolen credit cards. These fraudulent domains are then used in many spamming activities, including fast-flux DNS on botnets.

While going through Spamhaus SBLs, I found this updated /23 under RIPE. It would seem that when Spamhaus is unsure of the exact ownership of a netblock, or the downstream has only a small number of IPs assigned, the volunteers will file it under the regional registry (RIR). I researched the IP range and found it listed under AS44557 DRAGONARA. Googling revealed this recent blog post: the nullroute.me author noticed a lot of comment spam coming from this netblock in late July 2009.

Below in the Spamhaus SBL, I am referencing the netblock info and some of the nameserver information that Spamhaus discovered within the IP ranges.

Spamhaus SBL76200

Ref: SBL76200 is listed on the Spamhaus Block List (SBL)

02-Sep-2009 12:26 GMT | SR04

Spamming and now seems this place is involved in other fraud

inetnum: –
descr: Dragonara Alliance Ltd
country: GB
admin-c: AGAV2-RIPE
tech-c: AGAV2-RIPE
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: DRAGONARA-MNT
mnt-domains: DRAGONARA-MNT
source: RIPE # Filtered

organisation: ORG-DRAG1-RIPE
org-name: Dragonara Alliance Ltd
org-type: OTHER
address: Geneva Place, Waterfront Drive,
P. O. Box 3469, Road Town, Tortola,
British Virgin Islands
source: RIPE # Filtered

person: Andrey Gavrilog
address: Geneva Place, Waterfront Drive,
P. O. Box 3469, Road Town, Tortola,
British Virgin Islands
phone: +41 435.001.009
nic-hdl: AGAV2-RIPE
source: RIPE # Filtered

% Information related to ‘’

descr: Dragonara Alliance
origin: AS44557
source: RIPE # Filtered

According to the nullroute blog, the IP ranges of AS44557 are: &

At the time of this post, Spamhaus is blocking 512 IPs under the /23. Also, this host (AS44557 / DRAGONARA ) appears to be unresponsive to abuse complaints. According to FixedOrbit, this host has 1534 IP addresses and its upstream is Cogent (AS174).

Announcing SiL’s new blog on Blogspot about SpamIt, called “SpamIt Must Fall”, which seeks to expose the spam organization behind Canadian Pharmacy. SiL’s other blog, I Kill Spammers, has been exposing spammer operations since 2006. Its most recent post as of this writing is about Oprah Winfrey’s company, Harpo Productions, filing a lawsuit against acai berry spam operations.

Very recently, the Swedish upstream provider TeliaSonera threatened to cut off its direct connection to Junik (AS8206, JUNIK-RIGA-LV JUNIKNET) if Junik did not disconnect its own downstream, Real Host, because of Real Host’s reputation as a rogue host (hosting ZeuS botnets). By Monday August 3rd, 2009, Real Host had lost its connectivity. Jart Armin of HostExploit tweeted about the shutdown. At the time of this post, there was only one active SBL on Spamhaus for it (SBL75831), a /24 listing from May 2009 for phishing and malware domain hosting. According to Jart Armin, this Latvian-based host was also distributing a zero-day Flash/PDF exploit.

Recent detailed research on Real Host by HostExploit can be found here. Google Safe Browsing also detected lots of malware on AS8206. At the time of this post, the MalwareURL website listed even more known malware domains on the same network.

If you check the Google cache of ZeuS Tracker dated July 29th, 2009, you can find several domains listed:

Status / Files online / SBL / Level / Date added (UTC) / Last checked (UTC) / Last updated (UTC)  (host and A record columns not reproduced)

online   0  SBL75831    4  2009-03-12 17:42:57  2009-07-29 04:32:34  2009-07-06 17:41:41
online   2  SBL75831    4  2009-03-20 19:19:45  2009-07-29 02:17:05  2009-07-23 16:48:53
online   0  SBL75831    4  2009-03-19 07:01:02  2009-07-29 02:18:31  2009-07-23 16:50:23
online   1  SBL75831    4  2009-03-25 17:27:08  2009-07-29 01:46:00  2009-07-11 10:47:00
online   0  SBL75831    4  2009-07-15 08:22:03  2009-07-28 15:14:01  2009-07-24 20:48:33
online   0  SBL75831    4  2009-06-26 20:37:09  2009-07-28 18:34:27  2009-07-24 23:41:39
online   0  SBL75831    4  2009-06-26 21:11:35  2009-07-28 17:46:53  2009-07-24 22:51:44
online   0  SBL75831    4  2009-06-26 21:12:56  2009-07-28 17:39:10  2009-07-24 22:44:01
online   0  SBL75831    4  2009-06-27 20:03:37  2009-07-28 17:30:02  2009-07-24 22:35:56
online   0  SBL75831    4  2009-06-27 20:47:01  2009-07-28 17:20:58  2009-07-24 22:29:42
online   0  Not listed  4  2009-07-03 08:11:24  2009-07-28 16:15:22  2009-07-24 21:36:37
online   1  SBL75831    4  2009-07-03 07:50:07  2009-07-28 16:42:32  2009-07-24 22:00:56
online   0  SBL75831    4  2009-07-03 07:58:02  2009-07-28 16:34:48  2009-07-24 21:55:14
offline  0  Not listed  4  2009-07-03 08:03:26  2009-07-28 16:33:33  2009-07-24 21:54:10
offline  0  SBL75831    4  2009-06-29 14:10:19  2009-07-28 17:20:10  2009-07-28 17:20:16
online   0  SBL75831    4  2009-06-29 14:26:04  2009-07-28 17:15:05  2009-07-24 22:27:00
online   3  SBL75831    4  2009-07-03 07:30:26  2009-07-28 16:43:03  2009-07-27 08:33:29
online   0  SBL75831    4  2009-07-13 14:19:31  2009-07-28 15:32:13  2009-07-24 21:02:51
online   0  SBL75831    4  2009-07-16 11:17:32  2009-07-28 15:10:56  2009-07-24 20:48:15
online   0  SBL75831    4  2009-07-20 17:43:29  2009-07-28 14:47:14  2009-07-24 20:22:39
online   0  SBL75831    4  2009-07-24 18:48:20  2009-07-28 14:22:15
online   0  SBL75831    4  2009-07-24 18:51:59  2009-07-28 14:11:22  2009-07-27 06:22:45
online   0  SBL75831    4  2009-07-24 19:13:14  2009-07-28 14:00:47
online   0  SBL75831    4  2009-07-26 10:35:09  2009-07-28 13:55:02

Most of that recent ZeuS Tracker evidence maps to the single SBL listing. This rogue host is believed to have been part of, or a variant of, the Russian Business Network. It is curious that one of the rogue domains listed above used the obsolete Soviet Union TLD (.su); over a year ago there was a rash of fast-flux phishing domains using the .su extension.

Earlier in the week, some spam investigators had noticed a drop in spam volumes, and a few wondered openly whether a rogue ISP had been taken down. Now it is known that Real Host was disconnected by its direct upstream. According to this insightful blog, Real Host had only 256 IPs (a single /24).

Further Reading (select blogs and news sources) :

Reference: Cybercrime Hotspot: Real Host Ltd. by Jart Armin

Reference: Real Host, Latvia – RBN Resurgence or Clone by Andrew Martin

Reference: After Links to Cybercrime, Latvian ISP Is Cut off – PC World

Reference: Swedish telco disconnects fraud hub – Financial Times

Good news for service provider Tata Communications (AS4755) and Spamhaus, and some bad news for Tiscali (now Tinet, AS3257). For approximately a month, the large Indian provider Tata Communications has been working through its SBL (Spamhaus Block List) listings and getting them resolved, which means its administrators have been terminating service for spammers on the network. Definite progress has been made, but there is more work to do. At the time of this blog post, August 1st, 2009, Tata Communications (formerly VSNL) is down to 16 SBLs. Our earlier blog post of 14th June 2009 had noted that Tata Communications was the top network offender on the Spamhaus SBL.

We at InBoxRevenge hope that other providers with large numbers of SBLs will follow Tata Communications’ example and remove spammers from their networks, and that Tata Communications will soon have few or no SBLs and keep responding to Spamhaus listings. The majority of SBL listings are /32s, meaning one IP at a time. For larger spam problems, Spamhaus will typically list a /29 or a /24, depending on the severity of the issue.

Here is the Spamhaus top 10 list by network (ISP) as of August 1st, 2009. Most of the large ISPs mentioned back in June are still at the top of the list, among them Tiscali (now Tinet, AS3257), Covad, Verizon and OVH.

The 10 Worst Spam Service ISPs
As of 01 August 2009
Rank / ISP (network) / Number of current known spam issues  (ISP names not reproduced)
1   51
2   43
3   38
4   30
5   27
6   26
7   26
8   25
9   25
10  24

Top SBL Offender is Italian Backbone Provider Tiscali / TINET / AS3257

European-based Tiscali (Tinet, AS3257) is still hosting many ROKSO spammers, such as Fabio Petta (Jnternet) and Sergio Livrieri (NonSolo-Web). ROKSO spammers, as most of our readers already know, are the most prolific and persistent spammers, who have had their service terminated by ISPs at least 3 times. Zombies (hijacked networks) also appear to be a problem on Tinet, as there is a /16 listing on the SBL (SBL69354) dating from November 2008. Tinet’s administrators do not appear to be proactive about the spam problem on their large network, which specialises in the IP/MPLS wholesale market, and AS3257 has apparently been attracting spammers for a while.

A few top offenders to note on the SBL Top 10 Networks are Asian-based: AS9979, AS4134 (China Telecom) and AS3786 (LGDACOM, Korea). China Netcom is currently hosting a fair number of the acai berry landing pages behind the Yahoo Groups redirects described in more detail in IBR’s previous blog entry from July 31st.

And lastly, two South American offenders: AS10429 (Telefonica of Brazil) and AS16814 (LACNIC-16814 / NSS S.A., Iplan of Argentina).