Forum
Comments:
-
- on Mon 05 Oct 2009
- 12:40:58 AM UTC
....
I've been through the site's code, and ran it against Wepawet (just in case I missed something), and the BASE HREF is set to fsb.ru, meaning all files without an explicit URL are loaded from the real FSB website.
I can't see anything nefarious on the secretsline.net site itself, unless the URL referenced in the e-mail you mentioned, leads to a page that is not accessible from the homepage.
In saying this, because the domain isn't owned by the FSB, or anyone involved in the Russian government, I'd still urge caution (just in case).
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net -
- on Mon 05 Oct 2009
- 01:07:13 AM UTC
blacklisted
hpHosts has a scorecard comment as of: 08 September 2009 classified EMD (engaged in malware distribution) ?
Also listed with SURBL's website blacklist (WS), yet fsb.ru is not.
- Domains that reside on IP: 213.24.76.23
- fsb.ru
secretsline.net
- with secretsline.net name servers using freedns.afraid.org services:
- ns1.afraid.org
ns2.afraid.org
ns3.afraid.org
ns4.afraid.org
Possibly set up by someone within the FSB or having access to use fsb.ru's IP?
Are the Russians PHISHing for information?
-------
WOT Services Ltd. - gives us safety through Web of Trust.
WOT Community - gives us security through unity.
Thank you all
- G7W -
- on Mon 05 Oct 2009
- 02:01:44 AM UTC
....
I'd forgotten about that.
Research shows it used to provide a proxy/VPN etc service, though I can't find my documentation on why it was listed, I'm 99% sure it would've been due to something it led to.
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net -
- on Mon 05 Oct 2009
- 12:00:40 PM UTC
Ok I'm gonna post the email here: PROFANITY ALERT
Right, here is the spam email I got including full headers.
Note: the page advertised does not exist and if clicked results in a 404 Error.
From animal sex pictures Thu Oct 1 23:33:38 2009
X-Apparently-To: via 98.136.165.124; Thu, 01 Oct 2009 16:33:38 -0700
Return-Path:
X-YahooFilteredBulk: 85.34.59.164
X-YMailISG: IHKeaGcWLDv8D8zSuxt.kreTflV.bZDo1nDB7RktCixOxk5GiilvI63gZ3NkMFjUKq3xbdcXN8y8bIujuT1pK_htjbC0PBmfUXKrz1qUpJBARCxgGbvXVBdos_velA9gMP8A3K5dBzRUPFvOAw.cwhp_VFbvTJ3sPsKeS.15xFhZWoe9zM4zgCngevBbavFmnH1HNUItT4rYFoGYwmWd5eIjQmBZpATqDirKLChFmWJNpVG4q.8nKifFEtT1vTey3OcIlID6ho7k83wmBp7UVEuwnmx2lB9SPkizjlPR1j9bTqRCdTGC
X-Originating-IP: [85.34.59.164]
Authentication-Results: mta1056.mail.sp2.yahoo.com from=secretsline.net; domainkeys=neutral (no sig); from=secretsline.net; dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO 98.137.54.238) (85.34.59.164) by mta1056.mail.sp2.yahoo.com with SMTP; Thu, 01 Oct 2009 16:33:37 -0700
From:
"animal sex pictures"
Reply-To: "animal sex pictures"
Subject: anal dogs
Content-Type: text; charset="windows-1251"
Content-Length: 74
horse fuck videohttp://secretsline.net/porn.html
thumbnail galleries
-
- on Mon 05 Oct 2009
- 02:55:42 PM UTC
.....
Based on what I am seeing, unless the FSB have decided to go public with their questionable practices, the site is indeed now legit and this issue was simply a case of someone hacking it or spamming a URL that existed on the previous incarnation of the site.
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net -
- on Mon 05 Oct 2009
- 02:56:48 PM UTC
....
I've removed it from hpHosts with the following note attached;
No longer fits criteria (now owned by and hosted on, FSB (Russian government) servers)
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net -
- on Tue 06 Oct 2009
- 12:42:34 AM UTC
re: email
The email originated from:
host164-59-static.34-85-b.business.telecomitalia.it
via this in the header: X-Originating-IP: [85.34.59.164]
rate it RED
85.34.59.164 - Scorecard - robtex
because it is definitely a Spammer's haven:
LISTED IN BLACKLIST!
b.barracudacentral.org
xbl.spamhaus.org
dnsbl.sorbs.net
web.dnsbl.sorbs.net
spam.dnsbl.sorbs.net
cbl.abuseat.org
dnsbl-1.uceprotect.net
no-more-funn.moensted.dk
psbl.surriel.com
sbl-xbl.spamhaus.org
-------
WOT Services Ltd. - gives us safety through Web of Trust.
WOT Community - gives us security through unity.
Thank you all
- G7W -
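Added example (not part of any post in this thread): the header triage done in the post above, in Python. It reads the originating IP, the HELO claim and the DomainKeys/DKIM results from the headers quoted earlier and builds the DNSBL query names for three of the zones listed; the function names and the `SAMPLE_HEADERS` constant are assumptions of this example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: three of the headers quoted in the thread, nothing else.
SAMPLE_HEADERS = (
    "X-Originating-IP: [85.34.59.164]\n"
    "Authentication-Results: mta1056.mail.sp2.yahoo.com from=secretsline.net; "
    "domainkeys=neutral (no sig); from=secretsline.net; dkim=neutral (no sig)\n"
    "Received: from 127.0.0.1 (HELO 98.137.54.238) (85.34.59.164) by "
    "mta1056.mail.sp2.yahoo.com with SMTP; Thu, 01 Oct 2009 16:33:37 -0700\n\n"
)
# Three of the DNSBL zones named in the thread.
ZONES = ["xbl.spamhaus.org", "cbl.abuseat.org", "psbl.surriel.com"]

def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and prepend them to the zone.
    A listed address resolves to a 127.0.0.x A record; NXDOMAIN means not listed."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def triage(raw_headers, zones=ZONES):
    msg = message_from_string(raw_headers)
    out = {}
    m = re.search(r"\[([0-9.]+)\]", msg.get("X-Originating-IP", ""))
    out["originating_ip"] = m.group(1) if m else None
    # Yahoo-style Received line: "(HELO <claimed name>) (<connecting IP>)".
    r = re.search(r"\(HELO ([^)]+)\) \(([0-9.]+)\)", msg.get("Received", ""))
    out["helo"], out["connecting_ip"] = r.groups() if r else (None, None)
    # HELO is sender-supplied; an IP literal that differs from the
    # connecting address is a mismatch worth flagging.
    out["helo_mismatch"] = bool(r) and is_ipv4(out["helo"]) and out["helo"] != out["connecting_ip"]
    auth = msg.get("Authentication-Results", "")
    out["auth"] = dict(re.findall(r"\b(domainkeys|dkim)=(\w+)", auth))
    # No passing signature means the From domain is unverified, not that it sent the mail.
    out["from_verified"] = "pass" in out["auth"].values()
    ip = out["connecting_ip"] or out["originating_ip"]
    out["dnsbl_queries"] = [dnsbl_query_name(ip, z) for z in zones] if ip and is_ipv4(ip) else []
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```
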
- on Tue 06 Oct 2009
- 01:56:11 AM UTC
Right, so the site seems OK,
Right, so the site seems OK, looks like we're halfway there.
Could someone tell me how to dispute a rating on SpamCop? I'm guessing that spam rating is still dragging the site's reputation down.
-
- on Tue 06 Oct 2009
- 05:00:36 AM UTC
.....
Chances are, the SC listing is from the site's previous incarnation. To correct this, you'll need to contact SC themselves (though they'll likely require the site owners contact them).
Regards
Steven Burn
Ur I.T. Mate Group / hpHosts
it-mate.co.uk / hosts-file.net -
- on Tue 06 Oct 2009
- 06:43:02 AM UTC
Re: Right, so the site seems OK
SpamCop entries on the scorecard come from their statistics of spamvertised websites, not from their blacklist. These SpamCop entries have very little effect on the site's reputation in the first place and this one is old enough to not affect the reputation at all anymore.
-
- on Wed 07 Oct 2009
- 01:23:01 AM UTC
re: @ Sami
- SpamCop entries on the scorecard come from their statistics of spamvertised websites, not from their blacklist. These SpamCop entries have very little effect on the site's reputation in the first place
- This is Wiki material for a Trusted Sources section.
- and this one is old enough to not affect the reputation at all anymore.
- If a trusted source's comment age becomes obsolete where it has no value as it did when it was first included, shouldn't there be an auto-drop of these comments? This would relieve confusion when viewing a Scorecard, possibly save WOT Admins from manually removing via a request, and make room for a more recent entry if found, that would seem to have more relevance.
-------
WOT Services Ltd. - gives us safety through Web of Trust.
WOT Community - gives us security through unity.
Thank you all
- G7W -
- on Wed 07 Oct 2009
- 11:38:53 AM UTC
Re: Old trusted sources
If a trusted source's comment age becomes obsolete where it has no value
Well, the reputation may remain poor because of this rating if there aren't other ratings for the site, so the old comment can help explain the poor reputation. If we don't show old entries from trusted sources, it's possible that there's no explanation for the reputation.
shouldn't there be an auto-drop of these comments?
Yes, I suppose that would be less confusing. Expired entries from trusted sources are now gone from scorecards.

secretsline.net
I got a spam email recently linking to this domain, pointing to a nonexistent page therein. The site itself was in Russian.
At first it looked like a potential victim of a Joe job, so I ran the URL through Google Translator, and it appeared to belong to the Russian FSB (their national security service).
However, after further investigation (whois), I found out it belonged to someone in the Ukraine, and the domain had changed hands a number of times in the past year. Further, after I went to fsb.ru (the real FSB website, I expect) I found this site to be an almost perfect knock-off copy of it!
I'm pretty sure that this site is some sort of fraud, but I'm not sure what Aleksey Kovalenko from Odesa, Ukraine (if he's the real owner) is trying to accomplish.
Is there anyone on here who speaks Russian and/or is more familiar with the security services and cybercrime out there who could get to the bottom of it?