Reverse Microsoft hijacking
I found a comment spam on a PHP-nuke site that had a typical dynamic IP site owned by Angelsfucked on this domain:
unixbrewers.org
When I loaded it, it was a Microsoft site!
So I checked the IP number:
207.46.20.30
Update June 15: 207.46.199.30
Within the official Microsoft IP block.
But, the whois info does not look like Microsoft:
Domain ID:D106126546-LROR
Domain Name:UNIXBREWERS.ORG
Created On:20-Apr-2005 23:48:03 UTC
Last Updated On:25-May-2005 06:52:44 UTC
Expiration Date:20-Apr-2006 23:48:03 UTC
Sponsoring Registrar:Direct Information PVT Ltd. (R27-LROR)
Status:TRANSFER PROHIBITED
Registrant ID:DI_1375975
Registrant Name:Nudilov, Aleksey
Registrant Organization:Nudilov
Registrant Street1:Dnepropetrovsk, Dn 45201
Registrant Street2:
Registrant Street3:
Registrant City:Dnepropetrovsk
Registrant State/Province:
Registrant Postal Code:2323434245
Registrant Country:UA
Registrant Phone:+076.34323871
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: nudilov@eblja.com
Name Server:NS.KYED.COM
Name Server:NS.PEYTZ.COM
(The name servers belong to a Danish dns service. I’ll contact them and ask them to cut him from the zone. I know they don’t like spammers any more than I do… Update Jun 15. Unfortunately, the server is still using their services. Can’t believe it, but it’s true. Get a clue, boys! )
Created On:20-Apr-2005 23:48:03 UTC
Last Updated On:25-May-2005 06:52:44 UTC
Expiration Date:20-Apr-2006 23:48:03 UTC
Sponsoring Registrar:Direct Information PVT Ltd. (R27-LROR)
You know what I think?
I think this is a reverse hijacking! The owner of the domain name want people to think it’s an honorable site, so he’s redirected it to a Microsoft page. But it’s not. It’s owned by a spammer!
Google’s cache of that site (the root site) contains links to dynamic IP sites within IP numbers used by Angelsfucked.
Search google for that domain, and you’ll see that the spammer has been VERY busy spamming his fake dynamic DNS sites lately!