Look here, Masanobu:

BLACKHOLED ISP PRODUCTIONS PRESENTS



"THE BEST XXX SITE ON THE NET, GUARANTEED"
now hosted on Verio NTT's unnamed ip 161.58.8.150
coming soon to a desktop near you

The following constitutes convincing proof that Verio NTT hosts clandestine porn operators on unnamed static ips behind their firewall, who advertise through spam (the worst kind). We do expect the site to disappear immediately after this page is published, just as they took leet-glare.com off the air after the evidence was presented HERE. That's why we documented everything and made a local copy of the offending material. We waited 3 days to make sure that it was no accident, and allow other spam recipients to complain to Verio (we can't, they refuse our mail). The porn site still operates, so we published the following evidence.

NOTE: a second incident of the same porn spammer with a web site on the same Verio unnamed ip 161.58.8.150 was documented one week later!

the spam

From marsha3@nowcom.co.kr Sat Nov  4 12:39:56 2000
Received: from ns ([195.88.32.13]) by netside.net (8.8.8/8.7.3) with ESMTP id MAA22897; Sat, 4 Nov 2000 12:39:03 -0500 (EST)
From: marsha3@nowcom.co.kr
Message-Id: <200011041739.MAA22897@netside.net>
Received: from 38.38.3.221 - 38.38.3.221 by ns  with Microsoft SMTPSVC(5.5.1775.675.6);
	 Sat, 4 Nov 2000 18:30:34 +0100
Subject: ARE YOU HORNY?
Date: Sun, 05 Nov 00 01:09:49 Eastern Standard Time
X-Priority: 3
X-MSMailPriority: Normal
Importance: Normal
Status: O
X-Status: 


Bcc:
Return-Path: marsha3@nowcom.co.kr
Message-ID: <0527e34301704b0NS@ns>
Date: 4 Nov 2000 18:30:50 +0100

GOTO http://2704935062/choneycutt/teen.html CUM SEE THE
BEST XXX SITE ON THE NET GUARANTEED CLICK HERE FOR A FREE PEEK!!
SEE THE MOST BEAUTIFUL WOMEN ON EARTH DOING EVERYTHING

GOTO  http://2704935062/choneycutt/teen.html SEE WHAT EVERYONE
IS TALKING ABOUT CLICK HERE TO SEE IT NOW!!
WARNING: THIS SITE IS VERY HARDCORE SO YOU
MUST BE OF LEGAL AGE

the spammer's throw-away account

The porn spam was sent from ip221.raleigh13.nc.pub-ip.psi.net [38.38.3.221]. We complained to abuse@psi.com, and they disconnected the spammer. Below is PSI's reply:


From abuse@psi.com Mon Nov  6 14:47:07 2000
Received: from relay1.mail.troy.psi.com (relay1.mail.troy.psi.com [38.223.235.12]) by netside.net (8.8.8/8.7.3) with ESMTP id OAA06702 for ; Mon, 6 Nov 2000 14:47:06 -0500 (EST)
Received: from [136.161.2.33] (helo=db3.troy.psi.com)
	by relay1.mail.troy.psi.com with esmtp (Exim 1.90 #1)
	for root@netside.net
	id 13ssEX-0005wB-00; Mon, 6 Nov 2000 14:47:09 -0500
Received: by db3.troy.psi.com (8.8.5/SMI-5.4-PSI)
	id OAA22362; Mon, 6 Nov 2000 14:47:09 -0500 (EST)
Date: Mon, 6 Nov 2000 14:47:09 -0500 (EST)
Message-Id: <200011061947.OAA22362@db3.troy.psi.com>
X-Loop-Detect: PSINet/nab
From: Net Abuse Team 
To: "sunny-Admin(0000)" 
Subject: Re: spam from ip221.raleigh13.nc.pub-ip.psi.net [38.38.3.221] #nab-2858436
Status: RO
X-Status: 

Hello,    

Please be advised that the account used to violate our Net-Abuse 
Policy has been disabled. If you receive any further correspondence 
from this source, please let us know.

When you report an abuse issue to PSINet, please use our 
on-line reporting site at http://www.support.psinet.com/PSIabusetik/ 
or send a complaint to abuse@psi.com. 

If it is a spam incident, please put the subject of the spam in your 
subject line. 
  
Thank you. 

Net-Abuse Team
PSINet, Inc.
abuse@psi.com
http://www.psinet.com/legalinfo/netabusepolicy.html

the Verio connection

The spam advertises a cloaked ip (2704935062), which resolves to 161.58.8.150, which is in NET-VRIO-161-058

Verio, Inc. (NET-VRIO-161-058)
   8005 South Chester Street
   Englewood, CO 80112
   US

   Netname: VRIO-161-058
   Netblock: 161.58.0.0 - 161.58.255.255
   Maintainer: VRIO

   Coordinator:
      Verio IP Address Requests  (VIA4-ORG-ARIN)  vipar@VERIO.NET
      303-792-9300
Fax- 303-792-3869

   Domain System inverse mapping provided by:

   NS0.VERIO.NET		129.250.15.61
   NS1.VERIO.NET		204.91.99.140
   NS2.VERIO.NET		129.250.31.190

   ********************************************
   Reassignment information for this block is
   available at rwhois.verio.net port 4321
   ********************************************

   Record last updated on 11-Jul-2000.
   Database last updated on 6-Nov-2000 06:06:07 EDT.

The entire class C 161.58.8.0/24 is assigned to Verio Web Hosting in Vienna, VA:

# telnet rwhois.verio.net 4321
Trying 129.250.15.38...
Connected to rwhois.verio.net.
Escape character is '^]'.
%rwhois V-1.5:0078b6:00 rwhois.verio.net (Vipar 0.1a. Comments to vipar@verio.net)
161.58.8.150
network:Class-Name:network
network:Auth-Area:161.58.0.0/17
network:ID:NETBLK-VRIO-161-058-008.127.0.0.1/32
network:Handle:NETBLK-VRIO-161-058-008
network:Network-Name:VRIO-161-058-008
network:IP-Network:161.58.8.0/24
network:In-Addr-Server;I:NS8629-HST.127.0.0.1/32
network:In-Addr-Server;I:NS8629-HST.127.0.0.1/32
network:IP-Network-Block:161.58.8.0 - 161.58.8.255
network:Org-Name:Verio Web Hosting - Vienna
network:Street-Address:1921 Gallows Road
network:City:Vienna
network:State:VA
network:Postal-Code:22182
network:Country-Code:US
network:Tech-Contact;I:WA575-VRIO.127.0.0.1/32
network:Created:2000-10-20 17:21:32+00
network:Updated:2000-10-20 17:21:32+00

%ok
Connection closed by foreign host.

The actual ip 161.58.8.150 is behind Verio's firewall and cannot be traced to the actual host (that's what those * * * stars mean), but it's there allright, because it shows alive when pinged:

# traceroute 161.58.8.150
traceroute to 161.58.8.150 (161.58.8.150) 30 hops max, 40 byte packets
 1  ethernet0.netside.net (205.159.140.1)  3 ms  2 ms  2 ms
 2  border3-serial2-2-0.PompanoBeach.cw.net (204.70.95.17)  4 ms  4 ms  4 ms
 3  core1-fddi-0.PompanoBeach.cw.net (204.70.92.17)  4 ms  5 ms  4 ms
 4  bordercore3.PompanoBeach.cw.net (166.48.152.1)  5 ms  5 ms  5 ms
 5  204.70.12.5 (204.70.12.5)  60 ms  42 ms  34 ms
 6  cw-ip-eng-interconnects.Dallas.cw.net (204.70.10.78)  60 ms  51 ms  56 ms
 7  p4-1-2-0.r00.stngva01.us.bb.verio.net (129.250.4.26)  55 ms (ttl=241!)  54 ms (ttl=241!)  55 ms (ttl=241!)
 8  p4-3-0.r01.stngva01.us.bb.verio.net (129.250.3.142)  54 ms (ttl=243!)  55 ms (ttl=243!)  57 ms (ttl=243!)
 9  p4-0-3.r00.mclnva02.us.bb.verio.net (129.250.2.105)  55 ms (ttl=244!)  55 ms (ttl=244!)  55 ms (ttl=244!)
10  vwh0.dca.verio.net (129.250.30.166)  55 ms (ttl=243!)  55 ms (ttl=243!)  56 ms (ttl=243!)
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

# ping 161.58.8.150
161.58.8.150 is alive

the porn

WARNING: Adult content material. Do NOT connect to any of the links for the site in question if you are a minor, or find adult content objectionable. We are providing these links only as necessary evidence to support our findings.

The whole thing is set up pretty sneaky. If you were to connect to http://161.58.8.150, you would get the home.verio.net web site. The offending porn site is at

As we expect Verio to pull the site off the air when they are made aware of our complaint, we have saved a local copy, and will honor serious requests that need to see the actual site. Take our word for it, it's very hard core. E-mail us for details.

so what's the big deal?

Is it bad that Verio hosts adult content sites? Not really, many other ISPs do, and it's perfectly legal.

The big deal is that Verio NTT has given an adult content site an unnamed static ip on their web servers, that keeps their nose clean, and makes all this tracking purposely difficult for the average user. Why is that a bad thing, Masanobu? Care to explain? We leave it to Vixie to enlighten you further.

___________________________________

Look here, Masanobu:

SECOND PORN SPAM COUNT (ONE WEEK LATER)
WITH WEB SITE ON SAME UNNAMED VERIO IP 161.58.8.150

the spam

From debby2@solihull.ac.uk Sat Nov 11 18:00:09 2000
Received: from ns ([195.88.32.13]) by netside.net (8.8.8/8.7.3) with ESMTP id RAA18014; Sat, 11 Nov 2000 17:59:39 -0500 (EST)
From: debby2@solihull.ac.uk
Message-Id: <200011112259.RAA18014@netside.net>
Received: from 38.38.3.49 - 38.38.3.49 by ns  with Microsoft SMTPSVC(5.5.1775.675.6);
	 Sat, 11 Nov 2000 23:51:31 +0100
Subject: SEE BEST ADULT SITE ON THE NET NOW!!
Date: Sat, 11 Nov 00 17:04:31 Eastern Standard Time
X-Priority: 3
X-MSMailPriority: Normal
Importance: Normal
Status: O
X-Status: 


Bcc:
Return-Path: debby2@solihull.ac.uk
Message-ID: <0aa163051220bb0NS@ns>
Date: 11 Nov 2000 23:51:36 +0100
SEE BEST ADULT SITE ON THE NET NOW!!

GOTO http://2704935062/jul69/sex.html  TO SEE THE
BEST HARDCORE ADULT FUN ON THE WEB!!
GUARANTEED TO GET YOU OFF NOW!!
VOTED THE #1 ADULT SEX SPOT
http://2704935062/jul69/sex.html SEE WHAT EVERYONE IS
TALKING ABOUT DONT MISS OUT CLICK HERE NOW!!
GET COCKED AND READY!!

the porn

WARNING: Adult content material. Do NOT connect to any of the links for the site in question if you are a minor, or find adult content objectionable. We are providing these links only as necessary evidence to support our findings.

___________________________________

All material published on this site is for information purposes only, and should not be considered legal advice.
This page is fully compatible with text-only browsers such as lynx.
Copyright © 1995-2000 NetSide Corporation - All rights reserved

[ dotcomeon.com ]