Gordontower.com

[universal4]

If you get any emails spamming you, that contain a link that appears to send you to gordontower.comxxx with a port address....the true sender is not necessarily the host you think it is..

I have actually been in contact with some of the hosts and dns people involved with the host that was spoofed and whoever is behind these mailings are REALLY REALLY sneaky.

This all started a few weeks ago with numerous emails promoting beastiallity....and I see they have moved on to the money.

It appears they may have a handle on dns rather well as some of the research has shown...

They have spoofed the IP making you think (A certain company) host them. They also change the IP they spoof on a day by day basis. Try again another time and you may find that they have pointed to a different IP other than ours.

The above is a portion of an email from one of the upstream providers involved in trying to find out what is going on here....This research continued and then suddenly it got VERY interesting...(I am dropping the IP out of the post as it may be somewhere else now)

It appears that there is a server running on port 32613 on
xx.xxx.xxx.xxx. A port-scan reveals that the port is open, and a telnet
session connects:

> [ip12:~] david% telnet xx.xxx.xxx.xxx 32613
> Trying xx.xxx.xxx.xxx...
> Connected to ns1.domain-name.com.
> Escape character is '^]'.
> /
> ^]
> telnet>

Although the spammer is spoofing the A-record, the above demonstrates a direct telnet connection to your server - I can't believe that they are
capable of spoofing anything to intercept such a telnet connection.

It would appear that the spammer is sending out emails which contain
urls of the following type (I don't have a copy of the recent ones -
the one below now results in a broken link):

> http://www.gordontower.com:32613/093ap_ars/

This is being resolved to:

> http://xx.xxx.xxx.xxx:32613/093ap_ars/

There is more to this reseach, but nuch of it talks about the telenet session and the get command results etc....

I posted this in case anyone out there wanted to research this....and if you do, let me know and I will give you some of the research (so you can see what was found out before) and a few email addresses of at least one of the hosts involved...if in fact it is still the same one.

Actually, that maty not help as current pings appear this is now being sent somewhere totally different...

Traceroutes appear to die on the second and third hop as well..

Rick
Universal4

[Pam712]

The Bonus man jerk head discussed in this forum is sending mail from the Gordon Tower domain - the headers for one of his pieces of garbage (sent no less than 60 times to various harvested addresses on my sites)

Envelope-to: prizewin@prizewin.co.uk
Received: from ravms by mx6.global.net.uk with mail-ok (Exim 3.36 #
id 1AGVsd-000A3D-00
for prizewin@prizewin.co.uk; Mon, 03 Nov 2003 03:59:51 +0000
Received: from ool-43577ce5.dyn.optonline.net ([67.87.124.229])
by mx6.global.net.uk with smtp (Exim 3.36 #
id 1AGVrz-0009TO-00
for prizewin@prizewin.co.uk; Mon, 03 Nov 2003 03:59:16 +0000
Received: from freeproblem.com (freeproblem-com-bk.mr.outblaze.com [203.86.166.78])
by ool-43577ce5.dyn.optonline.net (Postfix) with ESMTP id 334DA438DC
for <prizewin@prizewin.co.uk>; Sun, 02 Nov 2003 22:58:41 -0500
From: Bonus Man &lt;snd_pcm_hw_params_get_tick_time_min@freeproble m.com>
To: Prizewin <prizewin@prizewin.co.uk>
Subject: 2 Minute Payouts!
Date: Sun, 02 Nov 2003 22:58:41 -0500
Message-ID: &lt;000001c3a1be$9059d023$df050358@freeproblem.com >
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0031_256289F7.948C900B"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.10; AVE: 6.20.0.1; VDF: 6.20.0.46; host: ool-43577ce5.dyn.optonline.net)
X-Envelope-From: snd_pcm_hw_params_get_tick_time_min@freeproblem.co m

It directs to the Gordon Tower domain - http://www.gordontower.com:32613/bon...BAbERZWERpCDRM. I am seriously getting pissed with this jerk sending unsolicited crap - the casinos that this dude is spamming for need really to take some action - there are going to be a whole lot of angry people receiving this unsolicited mail and it reflects on the industry as a whole.

Here endeth my rant of the day :LOL:

[universal4]

Ahh yes...thanks for the headers...

However, the gordontower server has been hacked once again or the jerks are just TOO STUPID to close a known vunerable port....(I suspect)....and the destination is actually located elsewhere.

Anyone know if port 32613 has a specific use?

Rick
Universal4

[WildBill]

Obviously for the use of hackers that like to spam!!!! :rof:

[universal4]

Geez...I just checked a handfull of email accounts and I didn't get any of this drivel today, so either my addresses are on a different run...or they did some reverse ip lookups and removed most of my accounts from the list.

When I get to the office later I will forward the headers from Pam's mail above to the guy that was doing the research on this one.

We may actually have to signup for this jerks stuff to get more insight into who is behind this.

This is bandwidth theft at it's near finest....

Rick
Universal4