
Twitter bot spamming spy harvesting website

Discussion in 'Help Iran Online' started by Unregistered, Jun 24, 2009.

  1. xyz305, xyz308 and such are spamming tweets (promising to tell about Tor/anonymous email/Neda) which redirect from bit.ly to http://www.r.ieves.com/b1.aspx and http://www.r.ieves.com/a1.aspx

    Presumably, these are websites harvesting information about Iranian users.


    WHOIS information for ieves.com :

    [Querying whois.internic.net]
    [Redirected to whois.tucows.com]
    [Querying whois.tucows.com]
    [whois.tucows.com]
    Registrant:
    William Freeman
    2 Savoy Crt
    Kingaroy, QLD 4610
    AU

    Domain name: IEVES.COM


    Administrative Contact:
    Freeman, William joenobody@lizzy.com.au
    2 Savoy Crt
    Kingaroy, QLD 4610
    AU
    +61.41623438
    Technical Contact:
    Freeman, William joenobody@lizzy.com.au
    2 Savoy Crt
    Kingaroy, Queensland 4610
    AU
    +61.0741623438


    Registration Service Provider:
    Easy CGI, support@easycgi.com
    866-327-9244
    EasyCGI
    This company may be contacted for domain login/passwords,
    DNS/Nameserver changes, and general domain support questions.


    Registrar of Record: TUCOWS, INC.
    Record last updated on 13-May-2009.
    Record expires on 03-Sep-2009.
    Record created on 03-Sep-2006.

    Registrar Domain Name Help Center:
    Tucows Domain Name Help Center

    Domain servers in listed order:
    NS2.JJPUTX.COM
    NS1.JJPUTX.COM


    Domain status: clientTransferProhibited
    clientUpdateProhibited
  2. Jaymax Moderator

  3. Someone tweet that Iranians should only click links from trusted sources and advise caution about irgov bots ASAP
  4. [MODEDIT: Thread spamming]
  5. Jaymax Moderator

    I really don't think it's related to Iran.

    eg: Scientology - www.information.is-the-coolest.com

    The site is just pulling down any Wikipedia content and putting Google ads next to it - most likely just a money making scam.
  6. Hechicera Member

    New Bots qpr321

    qpr321: #IranElection Tehran Mousavi Iran #neda Neda - How to bypass Internet blocking ... - http://r.ieves.com/a1.aspx
  7. The Australian Fed Police have been contacted about this.
  8. Vee Member

    Hopefully they're not busy with Utegate :p
  9. Srpska Member

    The authorities will take fucking ages to do anything, if they do it at all. In the meantime, please tweet warnings about these sites.
  10. r.ieves.com links

    If you are not in Iran and you click on them does it just confuse the Iran government or does it still endanger?
  11. Web-Source of r.ieves

    The HTTP result of r.ieves.com doesn't give many more details:

    Code:
    HTTP/1.1 302 Found
    Date: Mon, 06 Jul 2009 13:14:12 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 2.0.50727
    Location: http://www.information.is-the-coolest.com/x/Tor_(anonymity_network).htm
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Content-Length: 188
    
    <html><head><title>Object moved</title></head><body>
    <h2>Object moved to <a href="http://www.information.is-the-coolest.com/x/Tor_(anonymity_network).htm">here</a>.</h2>
    </body></html>
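
Added example (not part of the original post or thread): the response head captured in post 11 can be read offline to see where the link leads, and what the server discloses about itself, without visiting the target. The requested URL `http://r.ieves.com/` and the function names are assumptions; the post does not give the exact path that was requested.

```python
from urllib.parse import urlsplit

# Response head as captured in the post above (wrapped lines joined, body omitted).
CAPTURED = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Mon, 06 Jul 2009 13:14:12 GMT\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Location: http://www.information.is-the-coolest.com/x/Tor_(anonymity_network).htm\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 188\r\n"
    "\r\n"
)

def parse_response_head(raw):
    """Split a raw HTTP response head into (status_code, reason, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _version, code, reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), reason, headers

def describe_hop(requested_url, raw):
    """Summarise one redirect hop without fetching the redirect target."""
    code, _reason, headers = parse_response_head(raw)
    src_host = urlsplit(requested_url).hostname
    target = headers.get("location")
    dst_host = urlsplit(target).hostname if target else None
    banner_fields = ("server", "x-powered-by", "x-aspnet-version")
    return {
        "status": code,
        "is_redirect": code in (301, 302, 303, 307, 308) and target is not None,
        "target": target,
        # True when the hop hands the visitor to a different host.
        "crosses_host": dst_host is not None and dst_host != src_host,
        "server_banner": [headers[h] for h in banner_fields if h in headers],
    }

if __name__ == "__main__":
    # Assumed request URL: the post only says "r.ieves.com".
    for key, value in describe_hop("http://r.ieves.com/", CAPTURED).items():
        print(f"{key}: {value}")
```
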
    
  12. The is-the-coolest site is registered to the same people as the ieves.com.

    Bogus info in the registration details - the phone numbers are not even complete.
    I know as I thought - hey why not give 'em a call...

    The street address is probably BS too - google map it and streetview - just someone's house in Kingaroy QLD...
  13. Oh and the server is also the same according to the traceroute.
  14. ahh landline number not mobile - the registered owner of the domain has a whitepages listing in Australia - if they were bad guys - would they do that ?.. Are we sure there is something sinister going on beyond a simple spam bot ?
  15. It may not be a government agent, but at the very least it is someone using the blood of people fighting for their freedom to grease the wheels of their own enterprise. Really, worst case or best case, I have yet to see a good reason NOT to lambaste these people all to hell.

    Additionally, whoever this is goes a bit out of their way to cover the tracks of a simple spam bot operation, and so following the links seems anything but advisable for anyone inside Iran.
  16. i did a little poking around...

    it looks like .asp will also get the windows logon name from the client.

    mix that with geolocating from an IP address, and now you have a name and a city.

    scary stuff.
  17. all the twitter accounts mentioned have been closed

    well, one way or another, twitter shut these accounts down. something tells me the twitter founders have a favorite side here . . .
  18. Twitter shut them down as they were provided with the IP etc to block 'em.
    Sometimes the simplest things work best.
