ForumPostersUnion.com


   


SpamKill.org Intelligence that enables you to fight all types of spam, content scraper crawlers, spam harvesting bots, IP tools, automated server/network software and ASP services are topics discussed.

  #161  
Old 03-02-2009, 01:45 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
03:31 PM Guest Viewing Index
89.149.244.55 89-149-244-55.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
  #162  
Old 03-02-2009, 10:54 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
12:46 AM Guest Viewing Index
212.95.63.33 212.95.63.33.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 5.0; Windows 95) Opera 6.01 [en]


07:16 PM Guest Viewing Index
212.95.63.33 212.95.63.33.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)
  #163  
Old 03-04-2009, 01:49 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
03:46 PM Guest Viewing Index
212.95.63.33.internetserviceteam.com
Mozilla/4.79 [en] (Windows NT 5.0; U)
  #164  
Old 03-05-2009, 08:50 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
10:32 AM Guest Viewing Index
212.95.58.202 212.95.58.202.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
  #165  
Old 03-05-2009, 10:45 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
12:33 AM Guest Viewing Index
217.20.115.88 217-20-115-88.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; XMPP Tiscali Communicator
  #166  
Old 03-06-2009, 08:44 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
89.149.217.184 89-149-217-184.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows XP)
  #167  
Old 03-07-2009, 10:07 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
11:58 AM Guest Viewing Index
89.149.217.184 89-149-217-184.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)


12:07 PM Guest Viewing Index
217.20.115.88 217-20-115-88.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 4.0) Opera 7.0 [en]
  #168  
Old 03-11-2009, 11:10 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
01:00 PM Guest Viewing Index
89.149.217.184 89-149-217-184.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
  #169  
Old 03-31-2009, 12:01 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
78.159.112.179 78-159-112-179.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 5.5; Windows 95; BCD2000)
  #170  
Old 03-31-2009, 08:59 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
10:54 AM Guest Viewing Index
212.95.54.24 212-95-54-24.internetserviceteam.com
Opera/7.11 (Windows NT 5.1; U) [en]
  #171  
Old 03-31-2009, 06:25 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
08:20 PM Guest Viewing Index
89.149.226.72 89-149-226-72.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Media Center PC
  #172  
Old 04-07-2009, 11:35 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
01:21 PM Guest Viewing Index
212.95.63.244 212.95.63.244.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; (R1 1.5))


06:43 PM Guest Viewing Index
89.149.226.72 89-149-226-72.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows XP)
  #173  
Old 04-12-2009, 07:42 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
09:31 AM Guest Viewing Index
212.95.58.211 212.95.58.211.internetserviceteam.com
Opera/7.11 (Windows NT 5.1; U) [en]


10:50 AM Guest Viewing Index
78.159.112.179 78-159-112-179.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Win64; AMD64)
  #174  
Old 04-15-2009, 07:02 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
08:57 PM Guest Viewing Index
212.95.54.179 212.95.54.179.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1; .NET CLR 2.0.50727)
  #175  
Old 04-18-2009, 12:31 PM
no logo no logo is offline
Member
 
Join Date: Apr 2009
Posts: 2
hey thanks for the heads up anthonycea just caught it on my forum and googled it which brought me here

Esselofoola (212.95.54.169)

great work mate
  #176  
Old 04-18-2009, 05:35 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
Welcome to Internetserviceteam, the Kings of spam botnet operators and welcome to the forum !!
  #177  
Old 04-20-2009, 05:23 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
07:15 AM Guest Viewing Index
212.95.54.175 212.95.54.175.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MRA 4.6 (build 01425))


09:53 AM Guest Viewing Index
212.95.63.244 212.95.63.244.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.01
  #178  
Old 04-21-2009, 05:48 AM
maclover201 maclover201 is offline
Member
 
Join Date: Apr 2009
Posts: 1
Internet Service Team

212.95.54.24

This guy just registered a spam account on my forums... yikes
  #179  
Old 04-22-2009, 06:10 AM
no logo no logo is offline
Member
 
Join Date: Apr 2009
Posts: 2
212.95.54.169

god damn it i need a hard helmet these bots are attacking
  #180  
Old 04-25-2009, 12:50 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
The clever spam botnet operators at Internetserviceteam.com are trolling their automated message posting agent scripts from dedicated hosting and have open proxy IPs as a ghost; notice how they change the user agent to get past .htaccess bans.

Log of Internetserviceteam spam bot and ghost bot from blacklisted open proxy IP.

02:45 PM Guest Viewing Index
212.95.54.41 212.95.54.41.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows ME) Opera 7.11 [en]


02:44 PM Guest Viewing Index
24.138.66.233 blk-138-66-233.eastlink.ca
Mozilla/4.0 (compatible; MSIE 5.0; Windows ME) Opera 5.11 [en]
  #181  
Old 04-27-2009, 12:48 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
02:36 PM Guest Viewing Index
89.149.217.184 89-149-217-184.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1


02:36 PM Guest Viewing Index
89.149.244.209 hosted-by.celerys.net
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)


Internetserviceteam spam bot network is now running parallel ghost bots using new host names as shown above.
  #182  
Old 04-28-2009, 07:12 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
08:56 PM Guest Viewing Index
89.149.217.184 89-149-217-184.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
  #183  
Old 04-29-2009, 08:43 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
The Internetserviceteam.com automated comment spam bot network is alive and well, preparing to spam a website near you !!!

10:36 AM Guest Viewing Index
89.149.217.184 89-149-217-184.internetserviceteam.com
Mozilla/2.0 (compatible; MSIE 3.02; Windows CE; 240x320)


10:34 AM Guest Viewing Index
89.149.217.184 89-149-217-184.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.50


10:43 AM Guest Viewing Index
89-149-217-184.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)


12:14 PM Guest Viewing Index
89.149.217.184 89-149-217-184.internetserviceteam.com
Mozilla/3.0 (x86 [en] Windows NT 5.1; Sun)
  #184  
Old 05-04-2009, 11:19 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
01:15 PM Guest Viewing Index
212.95.54.41 212.95.54.41.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
  #185  
Old 05-05-2009, 10:09 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
11:59 AM Guest Viewing Index
212.95.32.241 212-95-32-241.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
  #186  
Old 05-15-2009, 06:46 PM
Giu Giu is offline
Member
 
Join Date: May 2009
Posts: 2
I'm new to bothunting, but I found some links for those guys. English is not my first language, so I apologize for all the spelling errors.

Like AnthonyCea already mentioned in the thread, they use the Netdirect net. Due to their search pattern and 2 repeating names, we could identify two more IP ranges they normally use. Currently very active is the IP range 194.8.74.0 - 194.8.75.255 (Dragonara.net). But they also use the celerys.net (89.149.217.82). We were able to verify this due to a registered user, named "phottoshop", and his IPs. Some Google searches revealed further IP ranges from different countries which we also banned.

The pattern was always the same: the celerys net was first used to "scout", the dragonara net was used to create user accounts and to post messages. Some of the less known IPs, related to the name phottoshop, were also trying to access banned users. The operator seems to be a bit lazy when choosing names. phottoshop and levitraES seem to be the same. Banning all IP ranges related to the name photoshop, including Netdirect, celerys and Dragonara sorted the problem for us... for some days. Next up was their 212.95.54.xxx range (Belarus?). This was very obvious, as they revealed their name.

As I wrote, I'm new to bothunting. So, some of my results may not be 100% confirmable, but I hope that helps.

Sorry for the copy and paste part
Reply With Quote
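Added example, not written by any poster in this thread: the posts above describe agents that change their user agent to get past .htaccess bans, and a 194.8.74.0 - 194.8.75.255 range that was banned as a whole. The Python below parses entries in the log layout posted here (including entries that lack the time line or the IP), flags hosts that rotate agents, selects IPs by reverse-DNS suffix and collapses a range to CIDR; the sample log, the `bots.example.net` names and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample in the thread's log layout (documentation IPs, example.net names).
SAMPLE_LOG = """\
10:34 AM Guest Viewing Index
192.0.2.184 192-0-2-184.bots.example.net
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ru) Opera 8.50

10:36 AM Guest Viewing Index
192.0.2.184 192-0-2-184.bots.example.net
Mozilla/2.0 (compatible; MSIE 3.02; Windows CE; 240x320)

192-0-2-184.bots.example.net
Mozilla/3.0 (x86 [en] Windows NT 5.1; Sun)

12:20 PM Guest Viewing Index
192.0.2.41 192.0.2.41.bots.example.net
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

12:25 PM Guest Viewing Index
198.51.100.7 dsl-7.isp.example.org
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
"""
TIME_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M\b")

def parse_entries(text):
    """Entries are blank-line separated: optional time line, 'IP host' or 'host', agent."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if lines and TIME_RE.match(lines[0]):
            lines = lines[1:]
        if len(lines) != 2:
            continue  # not a host/agent pair: skip rather than guess
        tokens = lines[0].split()
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            ip = None  # entry carries only the reverse-DNS name
        entries.append({"ip": ip, "host": tokens[-1].lower(), "agent": lines[1]})
    return entries

def rotating_agents(entries, min_agents=3):
    """Hosts that presented at least min_agents distinct User-Agent strings."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["host"]].add(e["agent"])
    return {h: sorted(a) for h, a in seen.items() if len(a) >= min_agents}

def ips_under(entries, suffix):
    """IPs whose reverse-DNS name falls under suffix, whatever agent was sent."""
    suffix = "." + suffix.lower().lstrip(".")
    return sorted({e["ip"] for e in entries if e["ip"] and e["host"].endswith(suffix)})

def range_to_cidrs(first, last):
    """Collapse an inclusive first-last IPv4 range into CIDR blocks for a deny rule."""
    a, b = map(ipaddress.ip_address, (first, last))
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]
```

Keying on the host name or network rather than the agent string is what makes the rotation irrelevant: the last two sample entries send the same agent, yet only one of them sits under the flagged suffix.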
  #187  
Old 05-16-2009, 08:13 AM
Giu Giu is offline
Member
 
Join Date: May 2009
Posts: 2
Some more information I found about them. It's related to the earlier post.

Some of the unresolvable IPs gave me some headaches, until I stumbled across the anonymizer from blutmagie.de. This is a part of the Tor project to keep the privacy of your IP. This is not necessarily bad, but the internetserviceteam.com is running a server for them -> 78.159.100.22.internetserviceteam.com (http://anonymizer.blutmagie.de:2505/ look for anonobject). So people using this anonymizer can look like the internetserviceteam.com, or vice versa, the internetserviceteam.com can look "innocent".
  #188  
Old 05-16-2009, 02:33 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
Thanks for the data, it is time web hosting firms and data centers do something about professional spambot operators.

We need to file large class action lawsuits against the ISP firms and press for law enforcement action, like confiscation of web server hardware and seizure of entire facilities of the web hosting firms and data centers that allow spammers to buy services.

PS: Many of these spam bot operators like the people running internetserviceteam set up open proxy IPs and ghost their regular automated spam robots, that way they can get in when their hosts are banned.
  #189  
Old 06-19-2009, 07:46 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
09:36 AM zelaaverles Viewing User Profile zelaaverles
95.168.177.200 95-168-177-200.internetserviceteam.com
Opera/9.0 (Windows NT 5.1; U; en)
  #190  
Old 07-04-2009, 07:55 PM
Anan Anan is offline
Member
 
Join Date: Jul 2009
Posts: 1
They are not using just bots.

For everyone's info, they are not using just bots. I've put my own question in my language (Thai) in the registration page. They can still pass through.
  #191  
Old 07-13-2009, 11:11 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
That is because there are many spam bot operators running from the same data center used by Internetserviceteam within their data center and spambot operation, they join forums manually then let the forum spam bot script run automatically from there once they create a user name and account to spam with.

I have seen the same thing here and some of these morons ghost the Internetserviceteam.com host name with blacklisted open proxy IPs to get in when the host name is banned.
  #192  
Old 08-08-2009, 08:20 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
10:18 AM Ivan Surgutov Creating Private Message
89.149.202.14 89-149-202-14.internetserviceteam.com
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1
  #193  
Old 08-12-2009, 02:53 PM
KirkJones KirkJones is offline
Member
 
Join Date: Aug 2009
Location: Pacific Ocean
Age: 60
Posts: 1
Here is another one to add to your list, 212.95.58.208.internetserviceteam.com
  #194  
Old 08-19-2009, 12:58 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
Thanks for the input Kirk, welcome to the forum.

Internetserviceteam hit us again today.

Host: 89.149.241.118 89-149-241-118.internetserviceteam.com

Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.1.4322)
  #195  
Old 08-25-2009, 08:47 AM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611

78.159.127.145 78.159.127.145.internetserviceteam.com
Mozilla/5.0 (Windows; U; Windows NT 6.0; ru; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR
  #196  
Old 09-05-2009, 09:01 AM
Boss Boss is offline
Member
 
Join Date: Sep 2009
Posts: 2
IP: 212.95.54.170 0 Modify
Hostname: 212.95.54.170.internetserviceteam.com 0 Modify
Email: v.b.kol.cev@gmail.com


I found this forum by searching that info.

I've been experiencing a lot of non-posting new members to our small forum recently. I would like to think word of mouth is working, however, I'm not so optimistic.

I'll try to read up some on the information you have offered. If there is anything I should be particularly watchful for, please let me know.

thanks
  #197  
Old 09-07-2009, 09:20 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
Welcome to the forum Boss !!

Don't mistake spam bot operators for legitimate members, that is mistake number 1 and a forum killer, it is so bad we are now forced to moderate ALL NEW MEMBER POSTS so no porn spam is ever posted in addition to annoying link dumping morons posting online pharmacy spam.

Our policy here is to place users into user groups, once a member is proved to be real and a viable contributor we put them in a super user group so their posts hit the forum in real time.

You are now in that user group Boss.
  #198  
Old 09-08-2009, 07:17 PM
Boss Boss is offline
Member
 
Join Date: Sep 2009
Posts: 2
Quote:
Originally Posted by AnthonyCea View Post
Welcome to the forum Boss !!

Don't mistake spam bot operators for legitimate members, that is mistake number 1 and a forum killer, it is so bad we are now forced to moderate ALL NEW MEMBER POSTS so no porn spam is ever posted in addition to annoying link dumping morons posting online pharmacy spam.

Our policy here is to place users into user groups, once a member is proved to be real and a viable contributor we put them in a super user group so their posts hit the forum in real time.

You are now in that user group Boss.
Thank you.

I suppose it is evident, but I am rather new at this forum managing stuff. I'll look around and see if I can figure out how to tell which is which before the porn or pharm posts
  #199  
Old 09-08-2009, 07:20 PM
AnthonyCea AnthonyCea is offline
Publisher
 
Join Date: Feb 2006
Location: Deep South, USA
Posts: 29,611
Well, forums are prime targets for spammers since the invention of automated message posting agent scripts, so you will have to learn a lot about stopping spam bot operators.
  #200  
Old 09-15-2009, 10:21 AM
Ramps Ramps is offline
Member
 
Join Date: Sep 2009
Posts: 1
Unsolicited E Mail via internetserviceteam

Hello,

I am completely new to this forum so would like some advice. I have been in communication from a Russian Lady (or purported Russian Lady who says she is from city of Penza in Russia). You know it is one of those e mails now asking for the money to pay for her travel to see me in the UK. I have managed to do a reverse IP trace by finding the sender IP server from the e mail and used Active WhoIs software for this. The sending IP was from 89.149.251.26 which was traced to an IP from Internetserviceteam with server name of whois.psi-usa.info. The trace also made out that the server was in DE (Germany, Frankfurt). As I would understand it and being an amateur in all this this person is a complete fake and her/his originating e mails are in fact coming from DE. Is this correct? Here is my trace

Active Whois 3.1.4489
Tue, 15 September 2009 17:42:08 +0000 (GMT Standard Time)
Looking for '89.149.251.26'

89-149-251-26.internetserviceteam.com [89.149.251.26] - host alive, connection speed 41ms

---
Domain owner:
Looking for 'internetserviceteam.com'
Domain zone 'COM' is for commercial purposes
URL for registration of domains: http://www.internic.net/origin.html

Server 'whois.psi-usa.info' reply [4107 bytes in raw data]:



domain: internetserviceteam.com
status: LOCK
owner-c: LULU-449414
admin-c: LULU-449414
tech-c: LULU-449414
zone-c: LULU-449414
nserver: ns9.dnspro.de
nserver: ns10.dnspro.de
nserver: tert.dnspro.de
nserver: quart.dnspro.de
created: 2002-04-24 00:00:00
expire: 2010-04-24 00:00:00 (registry time)
changed: 2009-04-26 02:59:33

Thanks for any assistance


All times are GMT -7. The time now is 12:31 PM.


Powered by vBulletin®
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
2006-2009 ForumPostersUnion.com