SpamKill.org Intelligence that enables you to fight all types of spam, content scraper crawlers, spam harvesting bots, IP tools, automated server/network software and ASP services are topics discussed.

#41
my story
I was a member of a forum called guitarbrain.com, and we had a thriving community of guitar aficionados the world over. I have been a professional musician for about 38 years (www.guitargument.com). Guitarbrain used phpBB software for the forum. It is owned and run by a computer-savvy Belgian fellow. I have participated for 3 years, and we had many posts, and I enjoyed my parent directory, storing files, and posting links where appropriate. It also was a feather in my cap, as I am a music instructor, and could send pertinent links to students who inquired through my website; the links went to guitarbrain or my parent directory. We started having bogus memberships by the 100s starting 2 years ago; eventually, the usual legitimate members stopped posting. 2 months ago, the spammers started posting in the forums. And really horrible spam too, watersports, child porn, B&D, all with images. I asked the forum master to let me monitor the site, and delete bogus memberships and spam in the forums, or I would delete my posts as I could not afford to be affiliated with a site that allowed this. I was granted administrator status, and began deleting spam and bogus IPs and memberships, usually 3 times a day. I locked all forums, so they could not post there. But, they would create new ones, and I would delete them. It is apparent now that these people were irritated that I would dare challenge them, and as of yesterday, the forum seems to be offline. These disgusting people felt they were entitled to destroy this forum. I don't have a lot of knowledge regarding this, bots and so forth that you speak of. I feel sure it has been hacked, although it is possible it is a server error; I check daily to see if the forum is online again. The webmaster is in the process of creating a new guitar forum, and we will start over again from nothing. All my parent files are lost, and my work of 5 years was for nothing.
Recently, I have been studing this spam thing, and how these people do this. So, if they did destroy the forum, then fine, I do not have to wake up in the morning and delete posts containing women urinating on each other, nor pictures of 12 year olds performing fellatio. The constant reminder of how awful the human race can be was bringing me down anyway.

#42
I'm sorry to hear this, I know what it is like to contribute to a forum for years and have all your work destroyed by incompetent forum administrators who allow hackers and spammers to destroy not only your contributions, but a forum that you once loved by allowing spammers, not only those who are automated, but lowly spammers who post manually to expose signature links to destroy the editorial integrity of the forum.
Hackers and professional comment spam botnets are a major problem, they want to spam to promote affiliate programs and to drop virus links to expand their networks of zombie computers by hijacking the PCs of the average person and their respective IP addresses. This tactic allows hackers and professional spam botnet operators to commit cyber crime anonymously using these IP addresses garnered by planting scripts by viruses and spyware on computers worldwide, and most people do not even know their computers have been hijacked. This is why it is important to go to www.download.com and get Adaware, SpyBot Search and Destroy and Spyware Blaster installed so you can use this FREE anti-spyware software to scan and remove spyware, adware and malware files and prevent hackers from taking over your computer. Everyone should also look into a good AV program like www.nod32.com

#43
Thanks for your reply. I have Ad-Aware and SpyBot and will use them now.
All the best, Kingfreeze

#44
Our friends from Internetserviceteam.com are back running their spambot.
89.149.202.215 89-149-202-215.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; FDM) |

#45
217-20-115-118.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts) |

#46
89.149.236.51 89-149-236-51.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) |

#47
new
Hi, I noticed them on my recents, and wondered what internetserviceteam.com was, so I googled and found this forum, good thing from what I've read.
89-149-253-219.internetserviceteam.com |

#48
These are major comment spam operators, spamming server referral logs and comment spamming anything they can; they also engage in content scraping, spam harvesting of email addresses, and run mail servers.
89-149-253-208.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) |

#49
89.149.254.13 89-149-254-13.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 6.01 [en] 89.149.217.190 89-149-217-190.internetserviceteam.com Mozilla/2.02 [fr] (WinNT; I) |

#50
89.149.217.190 89-149-217-190.internetserviceteam.com
Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2b) Gecko/20021016 K-Meleon 0.7 89.149.254.13 89-149-254-13.internetserviceteam.com Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4b) Gecko/20030516 Mozilla Firebird/0.6 |

#51
89.149.226.207 89-149-226-207.internetserviceteam.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Wi 89.149.253.24 89-149-253-24.internetserviceteam.com User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Wi |

#52
89.149.227.193 89-149-227-193.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; WINDOWS; .NET CLR 1.1.4322) 89.149.227.202 89-149-227-202.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461) 89.149.227.193 89-149-227-193.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20050207 Firefox/1.0.1 89.149.227.193 89-149-227-193.internetserviceteam.com Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7) Gecko/20040628 Epiphany/1.2.6 89.149.227.193 89-149-227-193.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) |

#53
It looks like the Internetserviceteam spam botnet has a new set of open proxy IPs ghosting their banned IP network and running parallel to their main bots so they can get into sites that have their IPs banned.
89-149-227-202.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; TheFreeDictionary.com; .NET CLR 1.1.4322; .NET CL 58.211.78.143 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; TheFreeDictionary.com; .NET CLR 1.1.4322; .NET CL 58.208.0.0-58.223.255.255 CHINANET-JS CHINANET jiangsu province network China Telecom A12,Xin-Jie-Kou-Wai Street Beijing 100088 <<58.211.78.141 ksgm.liba.com >>58.211.78.144 mail.zhonglu.com.cn 58.208.0.0/12 China Telecom JiangSu province AS4134 CHINA TELECOM |

#54
89.149.253.24 89-149-253-24.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 89.149.227.78 89-149-227-78.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051102 Firefox/1.6a1 |

#55
89.149.236.176 89-149-236-176.internetserviceteam.com
Mozilla/4.08 [en] (X11; U; IRIX 5.3 IP5; Nav) |

#56
89.149.227.193 89-149-227-193.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows ME) Opera 7.11 [en] |

#57
89.149.227.78 89-149-227-78.internetserviceteam.com
Mozilla/4.06 [es] (Win98; I) 84.16.224.78 84-16-224-78.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.8.1b2) Gecko/20060821 Firefox/2.0b2 |

#58
89.149.227.78 89-149-227-78.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; KTXN) 89.149.227.78 89-149-227-78.internetserviceteam.com Mozilla/5.0 (X11; U; Linux 2.4.3-20mdk i586; en-US; rv:0.9.1) Gecko/20010611 89.149.227.78 89-149-227-78.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.6 (build 01425)) 89.149.217.190 89-149-217-190.internetserviceteam.com Mozilla/4.7C-SGI [en] (X11; I; IRIX 6.5 IP32) |

#59
Automated spam botnet Internetserviceteam.com is quite active today hitting the server with many connections at one time with many different user agents.
05:48 PM Guest Viewing Index Forum Posters Union 89.149.217.190 89-149-217-190.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322) 05:48 PM Guest Viewing Index Forum Posters Union 89.149.217.190 89-149-217-190.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060612 Minefield/3.0a1 05:48 PM Guest Viewing Index Forum Posters Union 89.149.217.190 89-149-217-190.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) 89.149.227.78 89-149-227-78.internetserviceteam.com Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax) |

#60
A new trend for spam botnet operators is to ghost their dedicated IP addresses with an open proxy IP to avoid getting blocked, see Internetserviceteam using this tactic below.
84.16.224.78 84-16-224-78.internetserviceteam.com Mozilla/5.0 (Windows; U; WinNT4.0; en-CA; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1
81.74.236.38 ce-na1-3-primary.cdn.interbusiness.it Mozilla/5.0 (Windows; U; WinNT4.0; en-CA; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1

On May 22, 2008 the Internetserviceteam spam bot attempted a log in (below) to comment spam using a posting agent script from a known open proxy IP out of Italy which happens to be the same IP listed above but with a new host name.

08:46 AM Guest Logging In 81.74.236.38 host38-236-static.74-81-b.business.telecomitalia.it User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Wi

#61
89.149.217.190 89-149-217-190.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20060206 Songbird/0.1 |

#62
Hi,
I am also a new forum administrator using phpbb3. I was curious about this internetserviceteam posting messages as a guest? I looked and found your site. Thank god.

With a new website, and I am green about how search engine rankings work, I submitted with a directory called Mixcat. It wasn't long before I started receiving spam emails to my inbox. I am now blocking emails by IP address as well, because they spoof the addresses. But spam emails I am receiving are from the same IP address as the confirmation email I received from Mixcat. From Wiethold Wagner ...

These are the current internetserviceteam related IP blocks I have on my forum.

89.149.208.*
89.149.194.*
89.149.227.*
217.20.112.*
89.149.192.*
84.16.224.*
91.191.160.*
80.82.64.*

I have been through and copied the IPs of all your previous posts, and I am going to add them as well. My concern is if I continue to use the above format with the * wildcard, how much legitimate traffic will I block? Also, is it a better idea to block these IPs from the root directory of my site with .htaccess (.htaccess is just another new thing I have been compelled to read about because of these wankers)?

Also, and I am sorry if this is off topic, but using "view who is online" on my forum, when these guys show up it says "guest replying to message". But I thought I had it set up so you had to register to post. And I don't see any new users these guys have registered. Sadly, it looks like this is going to be never ending the amount of time I need to spend watching who is on my forum. There must be a way to stop these fuckwits.

#63
Some forum owners do not block IPs at all, but some of their forums have been taken down and offline by these spam botnets since all of them combined amount to a DDoS attack if you let them live on your server.
I simply ban their IPs as I find them, to me this is the best policy since they always change user agents to get by .htaccess blocks. As far as blocking legitimate traffic, you have to make a choice, block the dirty blacklisted IPs or allow morons to troll on your server 24/7/365.

#64
89.149.236.53 89-149-236-53.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2 |

#65
Quote:
But this webmaster gives some tips on how you can block IP's properly in Apache web server within his banned IP listings. |

#66
89.149.227.78 89-149-227-78.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322) 89.149.217.190 89-149-217-190.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 6.01 [en] 89.149.217.190 89-149-217-190.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) NS8/0.9.6 84.16.224.78 84-16-224-78.internetserviceteam.com Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit/85 (KHTML, like Gecko) OmniWeb/v558.46 |

#67
Hello all. First post here. w00t
Found this thread, like most, after searching da Goog for "internetserviceteam.com"

I run a video games content website, spong.com, which is pretty ripe for harvesting, so I do a fair bit of blocking and reporting based on ip, agent and other stuff. I noticed a few days ago that these jokers got snagged by a QND honeypot I'd set up. Most comically, when I checked the logs I saw the bot was getting stuck in some sort of spider loop in our forums.

Anyway, after seeing what a bunch of downright dirty scummers they are, thanks to this thread, I decided to check the extent of the IP range that turns up their name with a host lookup. Here's what I got - two ranges so far, below in both human and [mask] form. Add to your blacklist rules and enjoy;

89.149.192.0 - 89.149.255.255 [89.149.192.0/18]
84.16.226.0 - 84.16.255.254 [84.16.226.0/23, 84.16.228.0/22, 84.16.232.0/21, 84.16.240.0/20]
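
An added example, not code from any poster in this thread: it compares the `a.b.c.*` wildcard bans from post #62 with the CIDR ranges from post #67 against addresses logged earlier in the thread, and shows how many addresses each rule set bans. The function names are hypothetical, the end of the second range is rounded up to .255 so it matches the masks post #67 lists, and a reverse-DNS match is treated only as a signal.

```python
import ipaddress
import re

# Wildcard bans quoted in post #62; each "a.b.c.*" is one /24.
WILDCARDS = ["89.149.208.*", "89.149.194.*", "89.149.227.*", "217.20.112.*",
             "89.149.192.*", "84.16.224.*", "91.191.160.*", "80.82.64.*"]
# Ranges reported in post #67 (assumption: second end rounded up to .255,
# which is what the CIDR masks in that post actually cover).
RANGES = [("89.149.192.0", "89.149.255.255"), ("84.16.226.0", "84.16.255.255")]
# Hostname scheme visible in the thread's logs: dashed IP + domain.
PTR_RE = re.compile(r"^(\d+)-(\d+)-(\d+)-(\d+)\.internetserviceteam\.com$")


def wildcard_to_net(pattern):
    """Turn a forum-style 'a.b.c.*' ban into the /24 network it covers."""
    return ipaddress.ip_network(pattern.replace("*", "0") + "/24")


def range_to_cidrs(first, last):
    """Minimal list of CIDR networks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def covered(ip, nets):
    """True when ip falls inside any network in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def ptr_matches(ip, hostname):
    """True when the reverse-DNS name follows the dashed-IP scheme for ip.
    The PTR record is set by whoever controls the reverse zone and can be
    removed (post #75 shows a blank one), so use it as a hint, not proof."""
    m = PTR_RE.match(hostname.lower())
    return bool(m) and ".".join(m.groups()) == ip


def classify(ip, hostname=""):
    """Report which of the three checks would flag this visitor."""
    wild = [wildcard_to_net(w) for w in WILDCARDS]
    cidr = [n for r in RANGES for n in range_to_cidrs(*r)]
    return {"wildcard": covered(ip, wild), "cidr": covered(ip, cidr),
            "ptr": ptr_matches(ip, hostname)}


def blocked_addresses(nets):
    """Number of addresses a rule set bans, after merging overlaps."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    for first, last in RANGES:
        print(first, "-", last, [str(n) for n in range_to_cidrs(first, last)])
    # Addresses below are ones posted in this thread.
    for ip in ["89.149.236.51", "84.16.224.78", "212.95.32.241", "78.159.102.66"]:
        host = ip.replace(".", "-") + ".internetserviceteam.com"
        print(ip, classify(ip, host))
```

Neither list alone catches every address logged in the thread: 84.16.224.78 sits below the start of post #67's second range, and 212.95.32.241 and 78.159.102.66 are in neither list and are flagged only by hostname.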

#68
These guys are just one of many large spam botnets, read the rest of the threads in this forum and you will find more.
Thanks for taking the time to join us and thank you for posting your research. |

#69
I also found this forum, when I googled internetserviceteam.com. I spend countless hours dealing with spammers. To prevent them from posting, I have my registrations set to Admin must authorize their account to be activated. Every day I screen between 25 - 50 new memberships. Sadly to say few are accepted. As a Forum Administrator, I feel it is necessary to protect my forum and members from bots and spammers alike. By controlling activations of new member accounts, I prevent them from posting their porn or adware virus links.
When I see internetserviceteam.com on my forum's list of hosts, I run the IP through SamSpade.Org and find the complete IP range; I then add this IP range to my forum's Ban Control list. I wonder, if you blocked every German IP, if this would stop this bot.
__________________
We Protect Players

#70
Do not block entire nations or Google will remove you from their search index.
This is due to equal access and common sense. Think about it. Why should Google list you in the search results if you have no page to offer their user base in that nation? In addition, most spam botnets use hijacked IPs garnered from infecting computers with viruses, these include many US based cable TV IPs and even phone company DSL accounts that ISPs provide. First order of business is researching specific IPs to see if they are dirty, or if a range from a certain host is blacklisted ban the c-net or learn to ban CIDR ranges. Remember spambots also use blacklisted open proxy IPs so you will have to ban those also. Look for patterns in your who's online live list and after time you will be able to spot bad bots and posting agent script kiddies looking to spam your forums so they can dump affiliate link spam and virus links on your websites.

#71
Oftentimes I sit and watch my admin panel to monitor guests' IPs. If I suspect an IP, I run it through the Project Honey Pot site. If they show up as bad, I was banning the IP. From the information I receive, in the membership applications, all the spam seems to be coming from a handful of individual bots. I'm at a point where I feel their intrusion is a cost of doing business. You block one IP and they come back with yet another.
Thanks for the advice on the effects of using a nation block! I was not aware of this.
__________________
We Protect Players

#72
Read the threads on this forum and you will see all the tricks they use and find solutions to the problem of spam botnets also.
Thanks for joining and posting your experience. |

#73
212.95.32.241 212-95-32-241.internetserviceteam.com

#74
Thanks Timz, to add to what you have posted here is additional data:
212.0.0.0-213.255.255.255 EU-ZZ-212-213 RIPE NCC European Regional Registry
<<212.95.32.240 212-95-32-240.internetserviceteam.com
>>212.95.32.242 212-95-32-242.internetserviceteam.com
212.0.0.0-213.255.255.255 EU-ZZ-212-213 RIPE NCC European Regional Registry
212.95.32.241 HTTP:Microsoft-IIS/6.0 SMTP:220 win2003w-434033 Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Mon, 28 Jul 2008 10:27:16 +0400
212-95-32-241.internetserviceteam.com PTR 217.20.112.72

It also seems this Internetserviceteam IP range is also blacklisted here: http://moensted.dk/spam/no-more-funn/

#75
212.95.32.241 212-95-32-241.internetserviceteam.com
Opera/7.60 (Windows NT 5.2; U) [en] (IBM EVV/3.0/EAK01AG9/LE)

Internetserviceteam is turning to hiding their hostname as you can see below.

84.16.252.64 . User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Wi
84.16.251.0-84.16.252.255 NETDIRECT-NET netdirekt e.K.
<<84.16.252.63 birseyindir.org
>>84.16.252.65 84-16-252-65.internetserviceteam.com
84.16.224.0/19 netdirect Frankfurt, DE AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE

#76
89.149.227.78 89-149-227-78.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2 |

#77
89.149.227.78 89-149-227-78.internetserviceteam.com
Mozilla/4.5 (compatible; iCab 2.7.1; Macintosh; I; PPC) |

#78
89.149.253.21 89-149-253-21.internetserviceteam.com
Opera/9.01 (Windows NT 5.1; U; en) |

#79
08:19 AM Guest Registering 78.159.102.66 78-159-102-66.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b) Gecko/20030504 Mozilla Firebird/0.5+ |

#80
89.149.253.21 89-149-253-21.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322) 89-149-253-21.internetserviceteam.com Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0; .NET CLR 1.0.2914) |