Thread: Gordontower.com

  1. #1
     universal4, Forum Administrator
     Join Date: July 2003
     Location: Courage is being scared to death...and saddling up anyway. John Wayne
     Posts: 27,252

     Gordontower.com

    If you get any emails spamming you, that contain a link that appears to send you to gordontower.comxxx with a port address....the true sender is not necessarily the host you think it is..

    I have actually been in contact with some of the hosts and DNS people involved with the host that was spoofed, and whoever is behind these mailings is REALLY REALLY sneaky.

    This all started a few weeks ago with numerous emails promoting bestiality...and I see they have moved on to the money.

    It appears they may have a handle on DNS rather well, as some of the research has shown...

    > They have spoofed the IP making you think (A certain company) host them. They also change the IP they spoof on a day by day basis. Try again another time and you may find that they have pointed to a different IP other than ours.

    The above is a portion of an email from one of the upstream providers involved in trying to find out what is going on here... This research continued and then suddenly it got VERY interesting... (I am dropping the IP out of the post as it may be somewhere else now.)


    It appears that there is a server running on port 32613 on
    xx.xxx.xxx.xxx. A port-scan reveals that the port is open, and a telnet
    session connects:

    > [ip12:~] david% telnet xx.xxx.xxx.xxx 32613
    > Trying xx.xxx.xxx.xxx...
    > Connected to ns1.domain-name.com.
    > Escape character is '^]'.
    > /
    > ^]
    > telnet>

    Although the spammer is spoofing the A-record, the above demonstrates a direct telnet connection to your server - I can't believe that they are
    capable of spoofing anything to intercept such a telnet connection.

    It would appear that the spammer is sending out emails which contain
    urls of the following type (I don't have a copy of the recent ones -
    the one below now results in a broken link):

    > http://www.gordontower.com:32613/093ap_ars/

    This is being resolved to:

    > http://xx.xxx.xxx.xxx:32613/093ap_ars/
    There is more to this research, but much of it talks about the telnet session and the GET command results etc....

    I posted this in case anyone out there wanted to research this....and if you do, let me know and I will give you some of the research (so you can see what was found out before) and a few email addresses of at least one of the hosts involved...if in fact it is still the same one.

    Actually, that may not help, as current pings suggest this is now being sent somewhere totally different...

    Traceroutes appear to die on the second and third hop as well..

    Rick
    Universal4
    Gambling World Online Roulette Online Blackjack Live Online Games Sports Betting Horse Racing
    Casino Affiliate Programs
    Hosting and Domain Names
    Gambling Industry Association
    GPWA Moderation by Me and My Big Bad Security Self
    If an affiliate program is not small affiliate friendly (especially small US Affiliate), then they are NOT Affiliate Friendly!

  2. #2
     Pam712, Assistant Manager
     Join Date: February 2002
     Location: England
     Posts: 2,437

    The Bonus Man jerk head discussed in this forum is sending mail from the Gordon Tower domain - the headers for one of his pieces of garbage (sent no less than 60 times to various harvested addresses on my sites):

    Envelope-to: prizewin@prizewin.co.uk
    Received: from ravms by mx6.global.net.uk with mail-ok (Exim 3.36 #
        id 1AGVsd-000A3D-00
        for prizewin@prizewin.co.uk; Mon, 03 Nov 2003 03:59:51 +0000
    Received: from ool-43577ce5.dyn.optonline.net ([67.87.124.229])
        by mx6.global.net.uk with smtp (Exim 3.36 #
        id 1AGVrz-0009TO-00
        for prizewin@prizewin.co.uk; Mon, 03 Nov 2003 03:59:16 +0000
    Received: from freeproblem.com (freeproblem-com-bk.mr.outblaze.com [203.86.166.78])
        by ool-43577ce5.dyn.optonline.net (Postfix) with ESMTP id 334DA438DC
        for <prizewin@prizewin.co.uk>; Sun, 02 Nov 2003 22:58:41 -0500
    From: Bonus Man <snd_pcm_hw_params_get_tick_time_min@freeproblem.com>
    To: Prizewin <prizewin@prizewin.co.uk>
    Subject: 2 Minute Payouts!
    Date: Sun, 02 Nov 2003 22:58:41 -0500
    Message-ID: <000001c3a1be$9059d023$df050358@freeproblem.com>
    MIME-Version: 1.0
    Content-Type: multipart/related;
        boundary="----=_NextPart_000_0031_256289F7.948C900B"
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook, Build 10.0.2627
    Importance: Normal
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000
    X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.10; AVE: 6.20.0.1; VDF: 6.20.0.46; host: ool-43577ce5.dyn.optonline.net)
    X-Envelope-From: snd_pcm_hw_params_get_tick_time_min@freeproblem.com

    It directs to the Gordon Tower domain - http://www.gordontower.com:32613/bon...BAbERZWERpCDRM. I am seriously getting pissed with this jerk sending unsolicited crap - the casinos that this dude is spamming for really need to take some action - there are going to be a whole lot of angry people receiving this unsolicited mail and it reflects on the industry as a whole.

    Here endeth my rant of the day :LOL:
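The practical way to read a Received: chain like the one posted above is from the top down: only the lines written by servers you control can be believed, and the first of those that records a TCP connection from an outside IP is the real handoff. Everything beneath that line was supplied by the connecting host and proves nothing. The script below walks the chain that way. It is an added example, not code from this thread or from anyone in it; RAW_HEADERS is the header block from the post above, re-folded with leading whitespace on continuation lines so Python's standard-library parser sees one Received: header per hop, and TRUSTED_RECEIVERS and the DYNAMIC_HINTS list are assumptions made for this example.

```python
"""Walk a spam message's Received: chain to find the hop that really handed
it to our mail exchanger, and flag every hop below that as unverifiable.

Added example, not code from the thread.  RAW_HEADERS is the header block
posted above, re-folded so the stdlib parser sees one Received: per hop.
TRUSTED_RECEIVERS and DYNAMIC_HINTS are assumptions made for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

RAW_HEADERS = """\
Received: from ravms by mx6.global.net.uk with mail-ok (Exim 3.36 #
    id 1AGVsd-000A3D-00
    for prizewin@prizewin.co.uk; Mon, 03 Nov 2003 03:59:51 +0000
Received: from ool-43577ce5.dyn.optonline.net ([67.87.124.229])
    by mx6.global.net.uk with smtp (Exim 3.36 #
    id 1AGVrz-0009TO-00
    for prizewin@prizewin.co.uk; Mon, 03 Nov 2003 03:59:16 +0000
Received: from freeproblem.com (freeproblem-com-bk.mr.outblaze.com [203.86.166.78])
    by ool-43577ce5.dyn.optonline.net (Postfix) with ESMTP id 334DA438DC
    for <prizewin@prizewin.co.uk>; Sun, 02 Nov 2003 22:58:41 -0500
From: Bonus Man <snd_pcm_hw_params_get_tick_time_min@freeproblem.com>
Message-ID: <000001c3a1be$9059d023$df050358@freeproblem.com>
"""

# Servers we (or our mail provider) operate; only Received: lines they wrote
# are believed.  Assumed for this example: the recipient's MX in the post.
TRUSTED_RECEIVERS = {"mx6.global.net.uk"}
# Substrings typical of reverse names in consumer dynamic-IP pools (heuristic).
DYNAMIC_HINTS = ("dyn", "dhcp", "pool", "ppp", "dsl", "cable", "dial")

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s*\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one unfolded Received: value into from / by / ip / timestamp."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IPV4_RE.search(m.group("paren") or "")
    when = None
    if ";" in value:  # the timestamp follows the last semicolon
        try:
            when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            when = None
    return {"from": m.group("from"), "by": m.group("by"),
            "ip": ip.group(1) if ip else None, "when": when}


def received_hops(raw):
    """Parsed Received: headers, top to bottom (newest hop first)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        parsed = parse_received(" ".join(str(value).split()))
        if parsed:
            hops.append(parsed)
    return hops


def looks_dynamic(name):
    return any(hint in name.lower() for hint in DYNAMIC_HINTS)


def claimed_sender_domain(raw):
    """Domain the From: header claims; only as trustworthy as the hops that carried it."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def find_origin(raw, trusted=TRUSTED_RECEIVERS):
    """First hop where a trusted server accepted a connection from an untrusted
    peer, plus the hops below it, which that peer could have written freely."""
    hops = received_hops(raw)
    for i, hop in enumerate(hops):
        if hop["by"].lower() not in trusted:
            break  # written by a host we don't control: no further trust
        if hop["ip"] and hop["from"].lower() not in trusted:
            return {"origin_ip": hop["ip"], "origin_name": hop["from"],
                    "received_at": hop["when"],
                    "dynamic_looking": looks_dynamic(hop["from"]),
                    "unverifiable": hops[i + 1:]}
        # no IP literal: an internal handoff such as "from ravms", keep walking
    return None


def report(raw, trusted=TRUSTED_RECEIVERS):
    """Analyst summary as a list of lines."""
    origin = find_origin(raw, trusted)
    if origin is None:
        return ["no trusted hop found; nothing in this chain can be verified"]
    lines = [f"connection to our MX came from {origin['origin_ip']} "
             f"({origin['origin_name']}) at {origin['received_at']}"]
    if origin["dynamic_looking"]:
        lines.append("reverse name looks like a dynamic consumer pool, "
                     "i.e. an end-user connection rather than a mail server")
    lines.append(f"From: claims domain {claimed_sender_domain(raw)}")
    for hop in origin["unverifiable"]:
        lines.append(f"UNVERIFIED hop (written by {hop['by']}): "
                     f"from {hop['from']} [{hop['ip']}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(RAW_HEADERS)))
```

Run against the posted headers, find_origin() returns 67.87.124.229 (ool-43577ce5.dyn.optonline.net) as the host that connected to mx6.global.net.uk, and lists the "from freeproblem.com ... by ool-43577ce5.dyn.optonline.net" line as unverifiable, since it was written by that same host. That is the line to send an abuse report on, not the domain in the From: header.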

  3. #3
     universal4, Forum Administrator
     Join Date: July 2003
     Posts: 27,252

    Ahh yes...thanks for the headers...

    However, the gordontower server has been hacked once again, or the jerks are just TOO STUPID to close a known vulnerable port (I suspect)...and the destination is actually located elsewhere.

    Anyone know if port 32613 has a specific use?

    Rick
    Universal4

  4. #4
     WildBill, Private Member
     Location: US
     Posts: 2,217

    Obviously for the use of hackers that like to spam!!!! :rof:

  5. #5
     universal4, Forum Administrator
     Join Date: July 2003
     Posts: 27,252

    Geez...I just checked a handful of email accounts and I didn't get any of this drivel today, so either my addresses are on a different run...or they did some reverse IP lookups and removed most of my accounts from the list.

    When I get to the office later I will forward the headers from Pam's mail above to the guy that was doing the research on this one.

    We may actually have to sign up for this jerk's stuff to get more insight into who is behind this.

    This is bandwidth theft at its near finest....

    Rick
    Universal4
