BLACKHOLED ISP PRODUCTIONS PRESENTS
"THE BEST XXX SITE ON THE NET, GUARANTEED"
now hosted on Verio NTT's unnamed ip 161.58.8.150
coming soon to a desktop near you
The following constitutes convincing proof that Verio NTT hosts clandestine porn operators on unnamed static ips behind their firewall, who advertise through spam (the worst kind). We do expect the site to disappear immediately after this page is published, just as they took leet-glare.com off the air after the evidence was presented HERE. That's why we documented everything and made a local copy of the offending material. We waited 3 days to make sure that it was no accident, and allow other spam recipients to complain to Verio (we can't, they refuse our mail). The porn site still operates, so we published the following evidence.
NOTE: a second incident of the same porn spammer with a web site on the same Verio unnamed ip 161.58.8.150 was documented one week later!
the spam
From marsha3@nowcom.co.kr Sat Nov 4 12:39:56 2000
Received: from ns ([195.88.32.13]) by netside.net (8.8.8/8.7.3) with ESMTP id MAA22897; Sat, 4 Nov 2000 12:39:03 -0500 (EST)
From: marsha3@nowcom.co.kr
Message-Id: <200011041739.MAA22897@netside.net>
Received: from 38.38.3.221 - 38.38.3.221 by ns with Microsoft SMTPSVC(5.5.1775.675.6); Sat, 4 Nov 2000 18:30:34 +0100
Subject: ARE YOU HORNY?
Date: Sun, 05 Nov 00 01:09:49 Eastern Standard Time
X-Priority: 3
X-MSMailPriority: Normal
Importance: Normal
Status: O
X-Status:
Bcc:
Return-Path: marsha3@nowcom.co.kr
Message-ID: <0527e34301704b0NS@ns>
Date: 4 Nov 2000 18:30:50 +0100

GOTO http://2704935062/choneycutt/teen.html
CUM SEE THE BEST XXX SITE ON THE NET GUARANTEED
CLICK HERE FOR A FREE PEEK!!
SEE THE MOST BEAUTIFUL WOMEN ON EARTH DOING EVERYTHING
GOTO http://2704935062/choneycutt/teen.html
SEE WHAT EVERYONE IS TALKING ABOUT
CLICK HERE TO SEE IT NOW!!
WARNING: THIS SITE IS VERY HARDCORE SO YOU MUST BE OF LEGAL AGE
the spammer's throw-away account
The porn spam was sent from ip221.raleigh13.nc.pub-ip.psi.net [38.38.3.221]. We complained to abuse@psi.com, and they disconnected the spammer. Below is PSI's reply:
From abuse@psi.com Mon Nov 6 14:47:07 2000
Received: from relay1.mail.troy.psi.com (relay1.mail.troy.psi.com [38.223.235.12]) by netside.net (8.8.8/8.7.3) with ESMTP id OAA06702 forthe Verio connection; Mon, 6 Nov 2000 14:47:06 -0500 (EST)
Received: from [136.161.2.33] (helo=db3.troy.psi.com) by relay1.mail.troy.psi.com with esmtp (Exim 1.90 #1) for root@netside.net id 13ssEX-0005wB-00; Mon, 6 Nov 2000 14:47:09 -0500
Received: by db3.troy.psi.com (8.8.5/SMI-5.4-PSI) id OAA22362; Mon, 6 Nov 2000 14:47:09 -0500 (EST)
Date: Mon, 6 Nov 2000 14:47:09 -0500 (EST)
Message-Id: <200011061947.OAA22362@db3.troy.psi.com>
X-Loop-Detect: PSINet/nab
From: Net Abuse Team
To: "sunny-Admin(0000)"
Subject: Re: spam from ip221.raleigh13.nc.pub-ip.psi.net [38.38.3.221] #nab-2858436
Status: RO
X-Status:

Hello,

Please be advised that the account used to violate our Net-Abuse Policy has been disabled. If you receive any further correspondence from this source, please let us know.

When you report an abuse issue to PSINet, please use our on-line reporting site at http://www.support.psinet.com/PSIabusetik/ or send a complaint to abuse@psi.com. If it is a spam incident, please put the subject of the spam in your subject line.

Thank you.

Net-Abuse Team
PSINet, Inc.
abuse@psi.com
http://www.psinet.com/legalinfo/netabusepolicy.html
The spam advertises a cloaked ip (2704935062), which resolves to 161.58.8.150, which is in NET-VRIO-161-058
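The cloaked host is the 32-bit address written as a single decimal number. The following is an added example, not part of the original page: a mail-filter style check that decodes such hosts the way inet_aton does and flags URLs that hide an IP this way. It goes beyond the decimal case on this page by also covering hex, octal and short dotted forms; the function names and the control line in the sample are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.IGNORECASE)
NUM_RE = re.compile(r"0x[0-9a-f]+|[0-9]+")
# First two lines use URLs quoted from the spam on this page; the last is a constructed control.
SAMPLE = """\
GOTO http://2704935062/choneycutt/teen.html
GOTO http://2704935062/jul69/sex.html
plain forms: http://161.58.8.150/ http://home.verio.net/
"""

def _part(tok):
    """Parse one host component as inet_aton does: 0x = hex, leading 0 = octal."""
    t = tok.lower()
    if not NUM_RE.fullmatch(t):
        raise ValueError(tok)
    if t.startswith("0x"):
        return int(t, 16)
    return int(t, 8) if len(t) > 1 and t[0] == "0" else int(t)

def decode_numeric_host(host):
    """Return the dotted-quad for an all-numeric host, or None for a real name."""
    try:
        *lead, last = [_part(p) for p in host.rstrip(".").split(".")]
    except ValueError:
        return None
    # Leading parts are single octets; the last part fills all remaining bytes.
    if len(lead) > 3 or any(n > 0xFF for n in lead) or last >= 1 << (8 * (4 - len(lead))):
        return None
    value = last
    for i, n in enumerate(lead):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def find_cloaked_urls(text):
    """List (url, decoded_ip) for URLs whose host is an IP not written as a plain dotted-quad."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        ip = decode_numeric_host(host)
        if ip and ip != host:
            hits.append((url, ip))
    return hits
```

Calling find_cloaked_urls(SAMPLE) reports both spam URLs as 161.58.8.150 and ignores the plain dotted-quad and the named host.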
Verio, Inc. (NET-VRIO-161-058)
8005 South Chester Street
Englewood, CO 80112
US

Netname: VRIO-161-058
Netblock: 161.58.0.0 - 161.58.255.255
Maintainer: VRIO

Coordinator:
Verio IP Address Requests (VIA4-ORG-ARIN) vipar@VERIO.NET
303-792-9300
Fax- 303-792-3869

Domain System inverse mapping provided by:

NS0.VERIO.NET 129.250.15.61
NS1.VERIO.NET 204.91.99.140
NS2.VERIO.NET 129.250.31.190

********************************************
Reassignment information for this block is
available at rwhois.verio.net port 4321
********************************************

Record last updated on 11-Jul-2000.
Database last updated on 6-Nov-2000 06:06:07 EDT.

The entire class C 161.58.8.0/24 is assigned to Verio Web Hosting in Vienna, VA:
# telnet rwhois.verio.net 4321
Trying 129.250.15.38...
Connected to rwhois.verio.net.
Escape character is '^]'.
%rwhois V-1.5:0078b6:00 rwhois.verio.net (Vipar 0.1a. Comments to vipar@verio.net)
161.58.8.150
network:Class-Name:network
network:Auth-Area:161.58.0.0/17
network:ID:NETBLK-VRIO-161-058-008.127.0.0.1/32
network:Handle:NETBLK-VRIO-161-058-008
network:Network-Name:VRIO-161-058-008
network:IP-Network:161.58.8.0/24
network:In-Addr-Server;I:NS8629-HST.127.0.0.1/32
network:In-Addr-Server;I:NS8629-HST.127.0.0.1/32
network:IP-Network-Block:161.58.8.0 - 161.58.8.255
network:Org-Name:Verio Web Hosting - Vienna
network:Street-Address:1921 Gallows Road
network:City:Vienna
network:State:VA
network:Postal-Code:22182
network:Country-Code:US
network:Tech-Contact;I:WA575-VRIO.127.0.0.1/32
network:Created:2000-10-20 17:21:32+00
network:Updated:2000-10-20 17:21:32+00

%ok
Connection closed by foreign host.

The actual ip 161.58.8.150 is behind Verio's firewall and cannot be traced to the actual host (that's what those * * * stars mean), but it's there all right, because it shows alive when pinged:
# traceroute 161.58.8.150
traceroute to 161.58.8.150 (161.58.8.150) 30 hops max, 40 byte packets
 1 ethernet0.netside.net (205.159.140.1) 3 ms 2 ms 2 ms
 2 border3-serial2-2-0.PompanoBeach.cw.net (204.70.95.17) 4 ms 4 ms 4 ms
 3 core1-fddi-0.PompanoBeach.cw.net (204.70.92.17) 4 ms 5 ms 4 ms
 4 bordercore3.PompanoBeach.cw.net (166.48.152.1) 5 ms 5 ms 5 ms
 5 204.70.12.5 (204.70.12.5) 60 ms 42 ms 34 ms
 6 cw-ip-eng-interconnects.Dallas.cw.net (204.70.10.78) 60 ms 51 ms 56 ms
 7 p4-1-2-0.r00.stngva01.us.bb.verio.net (129.250.4.26) 55 ms (ttl=241!) 54 ms (ttl=241!) 55 ms (ttl=241!)
 8 p4-3-0.r01.stngva01.us.bb.verio.net (129.250.3.142) 54 ms (ttl=243!) 55 ms (ttl=243!) 57 ms (ttl=243!)
 9 p4-0-3.r00.mclnva02.us.bb.verio.net (129.250.2.105) 55 ms (ttl=244!) 55 ms (ttl=244!) 55 ms (ttl=244!)
10 vwh0.dca.verio.net (129.250.30.166) 55 ms (ttl=243!) 55 ms (ttl=243!) 56 ms (ttl=243!)
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
# ping 161.58.8.150
161.58.8.150 is alive

the porn
WARNING: Adult content material. Do NOT connect to any of the links for the site in question if you are a minor, or find adult content objectionable. We are providing these links only as necessary evidence to support our findings.
The whole thing is set up pretty sneaky. If you were to connect to http://161.58.8.150, you would get the home.verio.net web site. The offending porn site is at
so what's the big deal?
Is it bad that Verio hosts adult content sites? Not really, many other ISPs do, and it's perfectly legal.
The big deal is that Verio NTT has given an adult content site an unnamed static ip on their web servers, that keeps their nose clean, and makes all this tracking purposely difficult for the average user. Why is that a bad thing, Masanobu? Care to explain? We leave it to Vixie to enlighten you further.
SECOND PORN SPAM COUNT (ONE WEEK LATER)
WITH WEB SITE ON SAME UNNAMED VERIO IP 161.58.8.150
the spam
From debby2@solihull.ac.uk Sat Nov 11 18:00:09 2000
Received: from ns ([195.88.32.13]) by netside.net (8.8.8/8.7.3) with ESMTP id RAA18014; Sat, 11 Nov 2000 17:59:39 -0500 (EST)
From: debby2@solihull.ac.uk
Message-Id: <200011112259.RAA18014@netside.net>
Received: from 38.38.3.49 - 38.38.3.49 by ns with Microsoft SMTPSVC(5.5.1775.675.6); Sat, 11 Nov 2000 23:51:31 +0100
Subject: SEE BEST ADULT SITE ON THE NET NOW!!
Date: Sat, 11 Nov 00 17:04:31 Eastern Standard Time
X-Priority: 3
X-MSMailPriority: Normal
Importance: Normal
Status: O
X-Status:
Bcc:
Return-Path: debby2@solihull.ac.uk
Message-ID: <0aa163051220bb0NS@ns>
Date: 11 Nov 2000 23:51:36 +0100

SEE BEST ADULT SITE ON THE NET NOW!!
GOTO http://2704935062/jul69/sex.html
TO SEE THE BEST HARDCORE ADULT FUN ON THE WEB!!
GUARANTEED TO GET YOU OFF NOW!!
VOTED THE #1 ADULT SEX SPOT
http://2704935062/jul69/sex.html
SEE WHAT EVERYONE IS TALKING ABOUT
DONT MISS OUT CLICK HERE NOW!!
GET COCKED AND READY!!

the porn
WARNING: Adult content material. Do NOT connect to any of the links for the site in question if you are a minor, or find adult content objectionable. We are providing these links only as necessary evidence to support our findings.