Shetef

From Spamhuntress


Summary

A few years ago, I tracked a spammer I called the Zaharievs, from Bulgaria. They used very specific software with a footprint (check for pinappleproxy) that we were able to follow. At some point they seemed to change some of their methods: fake whois details, usually US names and addresses, and always the registrar Moniker. We thought it was the same spammer because of the software we believed they used. A long time passed, and I came into possession of a piece of evidence I've promised not to disclose, which made it very likely the spammers were actually located in Israel. I read back over my notes and found a trail I'd discounted earlier that led to the domain shetef.com. Although the Zaharievs were spammers, they were not responsible for the spam for domains registered with Moniker.

The Israeli outfit usually has working whois e-mail addresses. E-mail sent to those addresses eventually ends up with someone who calls herself Doris Young and lives in Israel. She performs listwashing for the Israeli spammers. If you send e-mail to Moniker complaining about their operations, the e-mail is forwarded to her. In other words, it's a pink contract of sorts. She's not abusive, and there's no evidence you end up on spam lists if you e-mail her. However, even when they do remove you from their lists, you might be put back on later, because the software (at least in the past) performs new searches for targeted keywords. I was recently put back on (October 2006), even though I've been listwashed before because of my blogging about them.

The recent spamming of my blog is the background for this page. Most of the people who supplied records of their domains were listwashed long ago. I cannot say for sure that the outfit that started spamming me in October is the same outfit that spammed me before. All I can say is that the MO is similar, though evolved, so it's quite possible it's the same outfit. One change: I've now seen porn spam from them, which is new.

I've since gotten some info from a site owner who found their sites in his logs. I've noticed links to authority sites at the bottom of their pages, something I like to think of as spam poisoning (see Explanation of terms).


Spambots

  • 205.134.172.131 , www131.powerstorm.ai.net
  • 205.134.172.133 , www133.powerstorm.ai.net
  • 205.134.172.137 , www137.powerstorm.ai.net
  • 205.134.172.138 , www138.powerstorm.ai.net
  • 205.134.172.139 , www139.powerstorm.ai.net
  • 205.134.172.141 , www141.powerstorm.ai.net

Most recent user agent (reverse DNS for the addresses above follows the pattern wwwNNN.powerstorm.ai.net, where NNN is the last octet of the address):

  • Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
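A practical use of the spambot list above is to run it against your own web server logs. The following is an added example, not code from this page or from the spammers' software. It parses Apache combined-format log lines, flags hits from the listed addresses, recognises the wwwNNN.powerstorm.ai.net reverse-DNS pattern (and checks that NNN matches the last octet, as it does for every host on the list), and matches the exact user agent string. The log lines and the reverse-DNS map are constructed for the example so it runs offline; the address 205.134.172.140 and the hostnames mail.example.net and example.org are invented stand-ins, not findings from this page. A real check would replace PTR_MAP with socket.gethostbyaddr lookups.

```python
import re

# Spambot addresses listed on this page.
SPAMBOT_IPS = {
    "205.134.172.131", "205.134.172.133", "205.134.172.137",
    "205.134.172.138", "205.134.172.139", "205.134.172.141",
}

# Most recent user agent seen from these bots (exact match; they do not vary it).
SPAMBOT_UA = ("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) "
              "Gecko/20060508 Firefox/1.5.0.4")

# Reverse-DNS pattern shared by the listed hosts: wwwNNN.powerstorm.ai.net.
POWERSTORM_RE = re.compile(r"^www(\d{1,3})\.powerstorm\.ai\.net$")

# Constructed reverse-DNS map standing in for live PTR lookups (assumption:
# a real run would use socket.gethostbyaddr). 205.134.172.140 and
# mail.example.net are invented for the example, not taken from the page.
PTR_MAP = {
    "205.134.172.131": "www131.powerstorm.ai.net",
    "205.134.172.140": "www140.powerstorm.ai.net",
    "192.0.2.10": "mail.example.net",
}

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, ptr=PTR_MAP):
    """Return the reasons a parsed hit looks like the powerstorm spambot (empty if none)."""
    reasons = []
    ip = entry["ip"]
    if ip in SPAMBOT_IPS:
        reasons.append("listed spambot IP")
    host = ptr.get(ip)
    if host:
        m = POWERSTORM_RE.match(host)
        if m:
            # Every listed host has wwwNNN equal to the last octet; a mismatch
            # still comes from the same netblock but is worth a second look.
            last_octet = int(ip.split(".")[-1])
            tag = "matches" if int(m.group(1)) == last_octet else "does not match"
            reasons.append(f"powerstorm host {host} ({tag} last octet)")
    if entry["ua"] == SPAMBOT_UA:
        reasons.append("known spambot user agent")
    # Comment-form POSTs are what a blog spambot is there to do.
    if entry["req"].startswith("POST ") and "comment" in entry["req"]:
        reasons.append("comment POST")
    return reasons


def scan(lines, ptr=PTR_MAP):
    """Scan raw log lines; return (ip, reasons) for every hit that matched anything."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip unparseable lines rather than abort the whole scan
        reasons = classify(entry, ptr)
        if reasons:
            hits.append((entry["ip"], reasons))
    return hits


# Constructed sample log: one listed bot posting a comment, one unlisted
# neighbour in the same powerstorm block, one ordinary visitor, one junk line.
SAMPLE_LOG = [
    '205.134.172.131 - - [11/Oct/2006:14:29:27 +0200] '
    '"POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.org/blog/" '
    '"' + SPAMBOT_UA + '"',
    '205.134.172.140 - - [11/Oct/2006:14:30:02 +0200] '
    '"GET /blog/ HTTP/1.1" 200 8123 "-" "' + SPAMBOT_UA + '"',
    '192.0.2.10 - - [11/Oct/2006:14:31:45 +0200] '
    '"GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
    'this line is not a log entry',
]

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(reasons))
```

The output names the two powerstorm addresses and the reasons each matched; the ordinary visitor and the junk line produce nothing. Matching on the exact user agent alone is weak, since that Firefox string was common at the time, so the function reports it only as one reason among several.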

Website IP

  • 64.111.213.166
  • 64.111.213.168
  • 64.111.213.169
  • 64.111.214.48
  • 67.99.176.34
  • 69.42.90.165
  • 69.42.67.197
  • 69.42.67.198
  • 204.15.74.26
  • 204.15.74.27
  • 204.15.74.28
  • 204.15.74.29
  • 204.15.77.2
  • 204.15.77.6
  • 205.134.161.80
  • 205.134.162.16
  • 205.134.162.17
  • 205.134.163.200
  • 205.134.169.4
  • 205.134.169.5
  • 205.134.172.135
  • 205.134.172.136
  • 205.134.172.147
  • 205.134.178.17
  • 206.71.147.28
  • 206.71.151.202
  • 206.71.151.203
  • 206.71.151.204
  • 206.71.151.205
  • 206.71.152.156
  • 209.200.11.105
  • 209.200.48.20
  • 209.200.48.22
  • 216.130.185.252
  • 216.130.185.253
  • 216.130.187.101

A tactic I see used today is different IP addresses for different subdomains of the same spam site.


Whois

Old whois. This record has since been changed to their typical Moniker fake whois:

shetef.com

Registrant:
Shetef Solutions Ltd.
10 Azmaut Street
Ness-Ziona, ISRAEL 74010
IL

Administrative Contact, Technical Contact:
Dascalu, Yonat ziv@web2000.us
Shetef Solutions Ltd.
21 Tlalim street
Raanana 43568
IL

Example of their current type of whois:

10/11/06 14:29:27 whois dalmortgage.com

Registrant [380896]:
       Elicia Collette
       4492 Mail Road
       Westminster
       MD
       21157
       US

Administrative Contact [380896]:
       Elicia Collette domains@dalmortgage.com
       Elicia Collette
       4492 Mail Road
       Westminster
       MD
       21157
       US
       Phone: +1.4108753728
       Fax:   +1.4108753776

