Wednesday, November 12, 2008

Internet Landfill: McColo Corporation

Brian Krebs has turned his sights on another Internet Landfill, this time the McColo Corporation. Today his column is titled: Major Source of Online Scams and Spams Knocked Offline. Later this morning, the Washington Post ran a longer story on the topic, Major Source of Internet Spam Yanked Offline: Web Hosting Firm Shuttered After Connection to Spammers is Exposed. He mentions in the column that he has been researching McColo for several months, and that when he contacted McColo's upstream providers, Global Crossing and Hurricane Electric, something interesting happened.

Hurricane Electric's Benny Ng told Krebs:

"We looked into it a bit, saw the size and scope of the problem you were reporting and said 'Holy cow!' Within the hour we had terminated all of our connections to them."

Although Global Crossing declined to give Krebs a comment, apparently Krebs has once more accomplished what the entire rest of the security world has been unable to do -- removing another Internet Landfill from the world wide web.

I coined the term "Internet Landfill" in a presentation regarding Krebs' earlier amazing work almost single-handedly removing Intercage from the Internet. I explained it by saying:

Every house has a trash can, and every business has a dumpster. There's a little garbage anywhere you look. But when someone buys the land in your neighborhood and decides to make it a garbage dump, or a landfill, usually the citizens in that neighborhood protest. Some places on the Internet, such as Intercage, exist solely to store filth, malware, and crime. Those places should be treated like "Internet Landfills", and their neighbors should rise up and protest their presence in their neighborhood.


In case anyone has a question about what type of organization McColo is, here is a little fact-finding adventure, using the excellent Reverse IP Tools from DomainTools.com, and the ASN information from CIDR-Report.

McColo's Autonomous System Number is AS26780.

At this time, Hurricane Electric is no longer listed as an upstream, but Global Crossing *IS* still showing a listing, connecting AS3549 (GBLX) to AS26780 (MCCOLO).

The Netblocks currently published as being at McColo are:

208.66.192.0/22
208.72.168.0/21

All their other netblocks are strangely missing.

(See: http://www.cidr-report.org/cgi-bin/as-report?as=as26780)

All of McColo's "Business" webpages were on the server 208.66.192.100. That IP resolved McColo.biz, .com, .info, .net, and .org.

None of those domain names are currently resolving.


Moving through their Class C addresses . . .




208.66.193.* previously had four major domains:

proxyspy.biz
audiobookss.com
authorstore.org
gente.ru

None of those domain names are currently resolving.




208.66.194.* previously had 94 domain names. Just choosing from a few . . .

bestincestfamily dot com (registered at ESTDomains)
bestincestmovies dot com (registered at ESTDomains)
cheapincestpics dot com (registered at ESTDomains)
eliteincestsite dot com (registered at ESTDomains)
teenincestpics dot com (registered at ESTDomains)

None of those domain names are currently resolving.




208.66.195.* previously had domain names. Again, just choosing a few...

protect-access dot com (registered at ESTDomains)
downloadcopy dot com (registered at ESTDomains)
pantyhosefiesta dot com
wm-chance dot net

The pantyhose sites have been moved already to "Sago Networks, LLC".
WM-chance has also been moved to Sago (November 12th) but is not yet operational in its new location. It's a Russian-language online lottery winning site. Some of the other sites in this group show signs of being "in the process" of moving.




208.72.168.* previously had 1,183 domain names. Again, just choosing a few...

Megacaptcha dot biz (registered at EstDomains)
CaptchaToMoney dot biz (registered at EstDomains)
Torrentpump dot com (registered at Directi)
FtvInnocentAngels dot net (registered at EstDomains)
Coastal-health dot com (registered at OnlineNIC, Inc)
Canadianpharmacycorp1 dot com (registered at Xin Net)
Canadianpharmacycorp2 dot com
Canadianpharmacycorp3 dot com
Canadianpharmacycorp4 dot com
(through 10)
Onlinepharmacysolutions-a dot com (registered at Directi)
Onlinepharmacysolutions-b dot com
Onlinepharmacysolutions-c dot com
Onlinepharmacysolutions-d dot com
Rxmania dot com (registered at GoDaddy)
Pay4pills dot com (registered at GoDaddy)
Asc-antispyware dot com (registered at Beijing Innovative)
A-pennystock dot com (registered at GoDaddy)
Incest-rape dot com (registered at GoDaddy)
Little-gays dot com (registered at EstDomains)
Allyoungmovies dot com (registered at EstDomains)
Smallpussy dot name (registered at EstDomains)(*1)
nymphets dot name (registered at EstDomains)
LittleCuties dot name (registered at EstDomains)

*1 - received 19,317 visitors per month according to Compete.com

None of the sites in this group are currently resolving.




208.72.169.* had 118 domains registered.

Angelgirlspic.com
Searchportalsite.com

Emailru.info
Emailrus.info
Mailfreedom4u.net
Mailblogal.info
Quickmailbox.info
Ruslandmail.info

DomainsUAgroups dot com

and some NOTORIOUS nameserver domains, which are said to belong to Leo Kuvayev, such as:

Jioketinjdesapionkderunjsa.com
Kedfinhderionkadesunpas.com
Vertunhandesikolasderun.com

None of the sites in this group are currently resolving.




208.72.170.* has 22 domain names, including:

cinema4free dot com
flashbill dot net
inc-rep dot biz
asapload dot com
theypay dot biz

playpokeronline-casinos dot com
gamble-poker-holdem dot com
texasholdem-vip dot com

None of the sites in this group are currently resolving.




208.72.171.* has only 4 domain names:

br-ladies dot com
ru-ladies dot com
kharkovblacklist dot com
uapeople dot com




208.72.172.* has 132 domain names. Almost all of them have the word "sex" in the domain name. Many of them have been used to fill blog comments and address books with "SEO spam" (Search Engine Optimization spam), such as the domain:

NicoleHDUncut dot com which has over 19,000 websites pointing back to it, mostly in comment spam.

Pornntube dot com
Sexntube dot com
Tubepornporn dot com
Just-sex-2008 dot com
Hot-girl2008 dot com
FtvHeavenFemme dot net
GoGetFreePorn dot com

clsoft dot net <== encryption software, makers of "cl secrets keeper" and "cl private disk"




208.72.175.* has 12 domain names:

dreamsservices dot com
FianceeOnline dot com
Rudreams dot com
Ukrainefiancee dot com
etc.

None of these sites are currently resolving.
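The walkthrough above repeats the same three checks for each Class C: expand the published netblocks into /24s, turn the "name dot tld" notation back into a hostname, and see whether each domain has gone dark, is still answering from the landfill, or has moved to a new host (as the WM-chance and pantyhose sites did). Here is that process as a small Python script. This is an added example, not code from the original post or from any of the tools it names; the netblocks and the 208.66.192.100 business IP come from the post, but the resolver is injected and fed from a constructed lookup table so the script runs offline, and the 208.72.172.10 and 198.51.100.7 addresses in that table are made up for the example.

```python
"""Added example (not from the original post): classify domains that were hosted
in a set of "landfill" netblocks as dark, still there, or moved elsewhere."""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Netblocks the post lists as currently published for AS26780 (McColo).
LANDFILL_NETBLOCKS = [
    ipaddress.ip_network("208.66.192.0/22"),
    ipaddress.ip_network("208.72.168.0/21"),
]

# The post writes hostnames as "clsoft dot net"; this matches that notation.
_DEFANGED_DOT = re.compile(r"\s+dot\s+", re.IGNORECASE)


def refang(defanged: str) -> str:
    """Turn 'clsoft dot net' (or 'clsoft[.]net') into 'clsoft.net', lower-cased."""
    name = _DEFANGED_DOT.sub(".", defanged.strip())
    name = name.replace("[.]", ".").replace("(dot)", ".")
    return name.lower()


def class_c_blocks(netblocks: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Expand each published netblock into the /24s the post walks through."""
    out: List[str] = []
    for net in netblocks:
        out.extend(str(sub) for sub in net.subnets(new_prefix=24))
    return out


def in_landfill(ip: str, netblocks=LANDFILL_NETBLOCKS) -> bool:
    """True if the address falls inside any of the landfill netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in netblocks)


def classify(domain: str,
             resolve: Callable[[str], Optional[List[str]]],
             netblocks=LANDFILL_NETBLOCKS) -> str:
    """Return 'not resolving', 'still in landfill', or 'moved' for one domain."""
    ips = resolve(domain)
    if not ips:
        return "not resolving"
    if all(in_landfill(ip, netblocks) for ip in ips):
        return "still in landfill"
    return "moved"


# Constructed lookup table standing in for DNS so the example runs offline.
# mccolo.com is empty because the post says it no longer resolves; the two
# other addresses are invented (one inside 208.72.168.0/21, one outside).
SAMPLE_RESOLVER_TABLE: Dict[str, List[str]] = {
    "mccolo.com": [],
    "clsoft.net": ["208.72.172.10"],
    "wm-chance.net": ["198.51.100.7"],
}


def sample_resolve(domain: str) -> List[str]:
    return SAMPLE_RESOLVER_TABLE.get(domain, [])


def live_resolve(domain: str) -> List[str]:
    """Real A-record lookup via the system resolver, for use online."""
    try:
        return sorted({ai[4][0] for ai in
                       socket.getaddrinfo(domain, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def report(defanged_domains: Iterable[str],
           resolve: Callable[[str], Optional[List[str]]] = sample_resolve) -> Dict[str, str]:
    """Map each (defanged) domain from the post's notation to its status."""
    return {refang(d): classify(refang(d), resolve) for d in defanged_domains}


if __name__ == "__main__":
    print("Class C blocks to walk:", ", ".join(class_c_blocks(LANDFILL_NETBLOCKS)))
    for dom, status in report(["McColo dot com", "clsoft dot net",
                               "wm-chance dot net"]).items():
        print(f"{dom}: {status}")
```

Passing `resolve=live_resolve` to `report` runs the same classification against real DNS; keeping the resolver injectable is also what lets you re-run the check later and diff the results, which is how a "moved to Sago" observation like the one above is made.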




Is this the end of McColo? Probably not. Like the Intercage fiasco, we will probably see loud and public outcries of discrimination followed by mournful apologies and promises to do better, each accompanied with a short-lived resurrection, which will terminate again as soon as the new providers understand what sort of filth they are accommodating, and how the Neighbors (that's you and I, folks) feel about having this trash on OUR Internet.
