Usenetharvested

Not an unusual sight from a Russian IP

route: 195.5.128.0/19
descr: CJSC "Metrocom"
descr: 29 Odoevskogo Str.
descr: 199155, Saint-Petersburg
descr: Russian Federation
origin: AS6850
mnt-by: AS6850-MNT
source: RIPE # Filtered

This started at [02/Jul/2011:00:57:11 -0500] and ended [02/Jul/2011:00:57:59 -0500]

195.5.154.130 - "GET /muieblackcat HTTP/1.1" 404
195.5.154.130 - "GET //scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //db/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //dbadmin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //myadmin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //mysql/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //databaseadmin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //admm/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //admn/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //_myadmin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //phpmya/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //#phpmyadmin_2.9.11/ HTTP/1.1" 404
195.5.154.130 - "GET //admin/my/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //mysql2/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //php1/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //sqladm/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //myAdmin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //pmabd/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //mydb/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //mysql_administrator/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //pma_mydb/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //Myphp/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //phpas/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //_pma/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //./scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //_db/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //_dbadmin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //_phpadmin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //_admin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //_phpmyadmin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //_phpMyAdmin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //_myphp/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //_php/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //sql/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //_sql/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //my-php/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //My-php/scripts/setup.php HTTP/1.1" 404
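A defender's view of the burst above, as an added example (not part of the original post): it parses lines in the shape of this excerpt, flags sources that guess several phpMyAdmin setup.php locations and mostly get 404s, and works out the request rate from the start/end times given. The sample log is constructed: the probe lines are copied from the post, and 198.51.100.7 is a made-up ordinary visitor.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the shape of the post's excerpt (ip - "METHOD path HTTP/x" status):
# probe lines copied from the post, 198.51.100.7 is a made-up ordinary visitor.
SAMPLE_LOG = """\
195.5.154.130 - "GET /muieblackcat HTTP/1.1" 404
195.5.154.130 - "GET //scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //db/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404
195.5.154.130 - "GET //#phpmyadmin_2.9.11/ HTTP/1.1" 404
198.51.100.7 - "GET /index.html HTTP/1.1" 200
198.51.100.7 - "GET /missing.css HTTP/1.1" 404
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) - "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')
# What marks this scanner in the post: the muieblackcat probe and phpMyAdmin's
# setup script requested under many guessed directory names.
PROBE_MARKERS = ("/muieblackcat", "/scripts/setup.php")

def parse_line(line):
    """Return (ip, method, normalized_path, status), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = re.sub(r"/{2,}", "/", m.group("path"))  # collapse the scanner's leading '//'
    return m.group("ip"), m.group("method"), path, int(m.group("status"))

def summarize(lines):
    """Per source IP: total requests, 404 count and the distinct probe paths seen."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "probe_paths": set()})
    for rec in filter(None, map(parse_line, lines)):
        ip, _method, path, status = rec
        stats = per_ip[ip]
        stats["requests"] += 1
        stats["not_found"] += int(status == 404)
        if any(path.endswith(marker) for marker in PROBE_MARKERS):
            stats["probe_paths"].add(path)
    return per_ip

def flag_scanners(lines, min_probe_paths=3):
    """Sources that tried several probe paths and mostly got 404s: blind guessing."""
    return {ip: (len(s["probe_paths"]), s["not_found"], s["requests"])
            for ip, s in summarize(lines).items()
            if len(s["probe_paths"]) >= min_probe_paths and 2 * s["not_found"] >= s["requests"]}

def burst_rate(start, end, count):
    """Requests per second between Apache-style timestamps like '02/Jul/2011:00:57:11 -0500'."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    seconds = (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds()
    return count / seconds if seconds > 0 else float("inf")
```

For the post's own burst, 42 requests between 00:57:11 and 00:57:59 is just under one request per second, a rate no human browsing produces.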

Written by Rune

July 19, 2011 at 5:09 pm

Posted in hack

Do you know a guy called gxhnqpvqjnnh? Or bratwurst?

From today's partial email logs:

Must be a dictionary attack: Mail to “bratwurst@”, who has an email address like that?
Same goes for beasleybrushwork@, I guess.
And a lot of other guys and sausages at my domain that I have never heard of.

From westernunionresponse@[westernuniondomain] and esecure@lloydstsb.[domain].
Could not possibly be phishes, those?

These strange froms gave my tongue a job, almost knotted itself:
cnktxuill@
tttwongjxrvgb@
qxkct@
yludrpby@
ulvehmrsokjj@
d7g070jf7ublgs@
ojvxcftyqnex@
cwdvnjpbvxcqb@
gxhnqpvqjnnh@

…and on and on it goes.
Almost hurt myself trying to pronounce the last two.
I don’t know anyone sounding like those.
I don’t know any of the others either.

If you know any of them, kindly make them aware that their emails do not reach me.

Lots of stuff going behind the curtains of an email server.

Written by Rune

July 19, 2011 at 2:40 am

Posted in mailers


Watch the backpedaling and smell the fear

Andrew Stephens (writing as “sue barrymore”) in January 2011:

Look, Bill is a poor example. He has stolen money from everyone I
have ever heard him come in contact with, from his clients to his
“protégés” to his data centers and even hardware partners…

Source:
http://groups.google.com/group/news.admin.net-abuse.email/msg/c56dec8240336116
He did not back this up with any evidence.
Which is typical for Andrew J Stephens from Integrated Business Technologies.

A few months later, in July, the backpedaling starts:

Bill, know that I am not against you. If I have missed something that I
did not know, please send me a message to clarify. I didn’t know you
actually did more than that conference. That was not an attack by any
means buddy 😉

He is reminded of his first posting about Bill the thief, and backpedals like hell:

If I said any negative words about Bill, they were impulsive and there
were extenuating circumstances that you know nothing about, nor will you
ever know about who or what happens in my real life.

“If” he said any negative words?
Why that “if”, Andrew Jacob Stephens from IBT and Verum Media Group? It is quite obvious.
Very much like him. Extremely unstable.
Willing to take the risk and become a customer of a guy like this?

The guy he is accusing is btw another infamous spammer, Bill Waggoner.
Who of course is not especially fond of the backpedaling Andrew Stephens.

Written by Rune

July 15, 2011 at 4:02 pm

Andrew Stephens / IBT supporting blackhat tools

Let’s first go back to June 30, 2011.
Andrew J Stephens from Integrated Business Technologies answers a question (from me) about tolerating forum and comment spammers in the newsgroup news.admin.net-abuse.email:

I believe that the attacks on media by censorship agencies like Spamhaus
and Google (as of recently) require the “little guy” to use dynamic
submission sites in order to even be in the media at all…so as long as
media is censored, there will be a lot of ideas that I don’t consider
“the best way” but I will condone them because they are the “only way”
to reach the audience despite the censorship.

So he acknowledges the use of forum spam and comment spam.

An example of the “toolbox” from im-biz.com, a new “project” from IBT.
Tools like XRumer, ScrapeBox and his own crapware MailMascot.
All blackhat/spammer tools:

Integrated Business Technologies, Andrew Stephens shows his support for blackhat tools

Also note that his own crapware MailMascot is included.

Update later in July 2011:
Another new invention is “Proxy Power Solutions”.
Payments for the various stuff at im-biz.com went earlier to Integrated Business Technologies / IBT.
Now the payment pages at Plimus say “Proxy Power Solutions”.

Written by Rune

July 12, 2011 at 12:42 am

New project: im-biz.com (now at 207.191.227.131)

im-biz.com will most likely fail, like most of his stuff does.

Registration info is hidden by privacyprotect.org.
Right now im-biz.com is hosted at 207.191.227.131, something called Pugmarks.
207.191.227.131 is not found in his ROKSO file at Spamhaus.org.
Belongs to this guy:

RAbuseHandle: PM1126-ARIN
RAbuseName: Mishra, Pravin
RAbusePhone: +1-630-579-1256
RAbuseEmail: pkm@pugmarks.com
RAbuseRef: http://whois.arin.net/rest/poc/PM1126-ARIN

High ambitions with the site it seems, being built as I write this.
But sadly for him it will most likely collapse sooner or later, like most of his ideas.
And that is totally independent of a possible SBL-listing.
He will mess it up totally, only with the help of himself.
And then blame somebody/something else for the failure.
It does not help that the little content that can be found reminds one of the work of an amateur.
But at least there are no funny blue shoes, funny costumes or anon masks this time.
Maybe he is posing in the closed member/vip area, who knows?

Maybe more later, screenshots etc (but note that “maybe”, please).
Also of other stuff from im-biz.com, which has been transferred from theydontreallycareabout.us.
theydontreallycareabout.us was hosted at 91.207.192.68. Which he seems to have lost lately.

Written by Rune

July 10, 2011 at 1:53 pm

Andrew Stephens from Verum Media on Wikipedia – for a very short moment

Andrew Stephens clarifies (well, he tries to clarify, but fails. As usual):
Quoting one of Wikipedia's editors:
“Hello Stephensboy. If you are affiliated with some of the people, places or things you have written about in the article Andrew Stephens, you may have a conflict of interest”

Stephens' answer:
“To clarify on the article, it was written by Michelle Kellison and Michael Medcalf and edited by myself, neither party is related to me (Michelle is my fiance however and bears 2 of my children & Michael is a lifelong friend).”

So, they are not *related* to Andrew Stephens according to himself.
The question was if any of them are *affiliated* with him.
My understanding of the English language is not good enough to tell the difference between related/affiliated.
Is there any?

And Andrew Jacob Stephens is btw not worthy of an entry in Wikipedia.
For a laugh or two, have a look at:
http://en.wikipedia.org/wiki/User_talk:Stephensboy

Written by Rune

July 8, 2011 at 9:09 pm

Andrew Stephens – dressing funny, without mask this time

Andrew Jacob Stephens showing his megalomania

Andrew Stephens, the king of La-la land

Nice outfit, do you recognize it from an earlier posting?

Written by Rune

June 24, 2011 at 10:39 pm