Actually, in the case of the wired article (removeform.com), it seems
to be
connected to a site in Florida. I asked my programmer
(gabor@sentex.net)
to decode the obfuscated java script/page that is served up by one of
the
zombies (On FreeBSD fetch -B 18192 -o danger.html
http://www.removeform.com/d - I got it from 207.5.215.72 at the
time). I
have attached it as a zip file with its contents. You will note that
the
form post goes back to
form action="http://207.36.47.68/cgi-bin/addinfo.cgi"
OrgName: CyberGate, Inc.
OrgID: CYBG
Address: 3250 W. Commercial Blvd. Suite 200
City: Ft. Lauderdale
StateProv: FL
PostalCode: 33309
Country: US
This appears to be a rather prolific spammer. At first I thought they
were affiliated with www.skynetweb.com because they have the same
address, including suite number, but it now appears that they are really
affiliated with these guys:
http://www.affinity.com/about/our_team/our_team.htm
John
Doing some Googling on tubul I found:
WAP S.A.
Katarzyna Piatek (tubul at wp.pl)
+48.327811019
FAX- +48.327811025
Opolska 22
Katowice, 40-084
PL
-Hank
>Actually, in the case of the wired article (removeform.com), it seems
to be
>connected to a site in Florida.I asked my programmer
(gabor@sentex.net)
>to decode the obfuscated java script/page that is served up by one of
the
>zombies (On FreeBSD fetch -B 18192 -o danger.html
>http://www.removeform.com/d - I got it from 207.5.215.72at the
time).I
>have attached it as a zip file with its contents. You will note that
the
>form post goes back to
>
>form action="http://207.36.47.68/cgi-bin/addinfo.cgi"
>
>
>OrgName: CyberGate, Inc.
>OrgID: CYBG
>Address: 3250 W. Commercial Blvd. Suite 200
>City: Ft. Lauderdale
>StateProv:FL
>PostalCode: 33309
>Country: US
This appears to be a rather prolific spammer. At first I thought they
were affiliated with www.skynetweb.com because they have the same
address, including suite number, but it now appears that they are really
affiliated with these guys:
http://www.affinity.com/about/our_team/our_team.htm
John
--
Hank Nussbacher
John Neiberger writes on 10/10/2003 1:12 AM:
This appears to be a rather prolific spammer. At first I thought they
were affiliated with www.skynetweb.com because they have the same
address, including suite number, but it now appears that they are really
affiliated with these guys:
http://www.affinity.com/about/our_team/our_team.htm
Affinity is a large - and extremely spammer infested - webhost. They do happen to have quite a few legitimate customers though.
That's simple to over come. You notify those legitimate customers that
they are doing business with an irresponsible provider. Surely there
are providers on this list that would welcome the legitimate customers
with open arms.
-Jim P.