Author Topic: brain-dead abuse contact abuse@es.francetelecom.com  (Read 13629 times)

February 14, 2010, 03:43:26 pm

cleanmx

Has anyone an alternative working email for them?

-- gerhard

Code: [Select]
Return-Path: <>
X-Original-To: abuse@clean-mx.de
Delivered-To: abuse@clean-mx.de
Received: from relayn.netpilot.net (relayn19.netpilot.net [195.214.79.19])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client
 certificate requested) by ksrv8.netpilot.net (Postfix) with ESMTPS id
 46310252C002 for <abuse@clean-mx.de>; Sun, 14 Feb 2010 16:28:15 +0100 (CET)
Received: from relayn.netpilot.net (localhost [127.0.0.1]) by
 relayn.netpilot.net (Postfix) with ESMTP id 0E03AEAC2A4 for
 <abuse@clean-mx.de>; Sun, 14 Feb 2010 16:28:15 +0100 (CET)
Received: from localhost (unknown [127.0.0.1]) by localhost (Postfix) with
 ESMTP id DF3F9EAC2A6 for <abuse@clean-mx.de>; Sun, 14 Feb 2010 15:28:14
 +0000 (UTC)
Received: from relayn.netpilot.net ([127.0.0.1]) by localhost
 (relayn.netpilot.net [127.0.0.1]) (clean-mx, port 10024) with ESMTP id
 H21OdIeGCUKR for <abuse@clean-mx.de>; Sun, 14 Feb 2010 16:28:14 +0100 (CET)
Received: from mail.amena.es (mail.amena.es [213.143.32.26]) by
 relayn.netpilot.net (Postfix) with ESMTP id A53CEEAC2A4 for
 <abuse@clean-mx.de>; Sun, 14 Feb 2010 16:28:13 +0100 (CET)
Received: from aotcoprdmzn0002.cosmos.es.ftgroup ([10.132.21.55]) by
 mail.amena.es with Microsoft SMTPSVC(6.0.3790.3959); Sun, 14 Feb 2010
 16:28:12 +0100
Received: from aotcoprsmtpn002.cosmos.es.ftgroup ([10.132.14.225]) by
 aotcoprdmzn0002.cosmos.es.ftgroup with Microsoft SMTPSVC(6.0.3790.3959);
 Sun, 14 Feb 2010 16:28:12 +0100
Received: from MAVA55BEX002P.cosmos.es.ftgroup ([10.113.57.134]) by
 aotcoprsmtpn002.cosmos.es.ftgroup with Microsoft SMTPSVC(6.0.3790.3959);
 Sun, 14 Feb 2010 16:28:12 +0100
From: postmaster@es.ftgroup
To: abuse@clean-mx.de
Date: Sun, 14 Feb 2010 16:28:12 +0100
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="9B095B5ADSN=_01CAA07A204044A000100DECMAVA55BEX002P.co"
X-DSNContext: 7ce717b1 - 1158 - 00000002 - 00000000
Message-ID: <elEngYxrV0000c878@MAVA55BEX002P.cosmos.es.ftgroup>
Subject: Delivery Status Notification (Failure)
X-OriginalArrivalTime: 14 Feb 2010 15:28:12.0626 (UTC)
 FILETIME=[51FF5320:01CAAD8A]
X-Evolution-Source: imap://abuse%40clean-mx.de@ksrv8.netpilot.net/

This is a MIME-formatted message. 
Portions of this message may be unreadable without a MIME-capable mail program.

--9B095B5ADSN=_01CAA07A204044A000100DECMAVA55BEX002P.co
Content-Type: text/plain; charset=unicode-1-1-utf-7

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

       abuseftes.es@orange-ftgroup.com




--9B095B5ADSN=_01CAA07A204044A000100DECMAVA55BEX002P.co
Content-Type: message/delivery-status

Reporting-MTA: dns;MAVA55BEX002P.cosmos.es.ftgroup
Received-From-MTA: dns;aotcoprsmtpn002.cosmos.es.ftgroup
Arrival-Date: Sun, 14 Feb 2010 16:28:12 +0100

Final-Recipient: rfc822;abuseftes.es@orange-ftgroup.com
Action: failed
Status: 5.2.2
X-Display-Name: ES, Abuseftes


--9B095B5ADSN=_01CAA07A204044A000100DECMAVA55BEX002P.co
Content-Type: message/rfc822

Received: from aotcoprsmtpn002.cosmos.es.ftgroup ([10.132.14.225]) by
 MAVA55BEX002P.cosmos.es.ftgroup with Microsoft SMTPSVC(6.0.3790.3959); Sun,
 14 Feb 2010 16:28:12 +0100
Received: from ORANGE1 ([10.132.12.235]) by
 aotcoprsmtpn002.cosmos.es.ftgroup with Microsoft SMTPSVC(6.0.3790.3959);
 Sun, 14 Feb 2010 16:28:12 +0100
Received: from ORANGE1 (localhost.localdomain [127.0.0.1]) by
 postfix.imss70 (Postfix) with ESMTP id 1E1D640DD for
 <abuse@es.francetelecom.com>; Sun, 14 Feb 2010 16:28:12 +0100 (CET)
Received: from relayn.netpilot.net (relayn.netpilot.net [62.67.240.20]) by
 ORANGE1 (Postfix) with ESMTP id EF6C740D9 for <abuse@es.francetelecom.com>;
 Sun, 14 Feb 2010 16:28:10 +0100 (CET)
Received: from relayn.netpilot.net (localhost [127.0.0.1]) by
 relayn.netpilot.net (Postfix) with ESMTP id B1FD9EAC29A for
 <abuse@es.francetelecom.com>; Sun, 14 Feb 2010 16:28:09 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to
 :subject:mime-version:message-id:date:content-type; s=sel; bh=L4
 5Ix2wwd+0I/Nx6ZqvhGLQFoLk=; b=XOKBkxn2C4wxokliahh2oogV1NaobPl/lg
 pnsBywM08jTIuPwwDRyzvS4hnbQIxpcZPUA32URHiTVt7iX02+SN5xBOLO1DiuRT
 DQmk5ShpZz00YS2ANlbtd34VgM35QaRzD5yCn6Uunnu6T1gJvtXyP+usTCTP9RU+ BrD0nxRJE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to
 :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b=
 DOpkHt1Ip7mqVrL/vkHJn91YIfqqdOL9IF1J2BX51JTiJtlYof0gkO/AN0jV/bQz
 HIztvWErntqjI7bcw6VPFaqysaNmGDTu4R8o0V1l5ekAFYyD5qR3WcggBMEmxOJo
 ynC7sZfdQ1CLPpi1yK347bTGrsPohhFI4FYyO5aR/UQ=
Received: from dbserv.netpilot.net (unknown [195.214.79.22]) by localhost
 (Postfix) with ESMTP id 90429EAC2A9 for <abuse@es.francetelecom.com>; Sun,
 14 Feb 2010 15:28:09 +0000 (UTC)
From: abuse@clean-mx.de
to: abuse@es.francetelecom.com
Subject:
 [clean-mx-viruses-427123](62.37.237.16)-->(abuse@es.francetelecom.com)
 viruses sites (1  so far) within your network, please close them!  status:
 As of 2010-02-14 16:28:04 CET
Precedence: bulk
MIME-Version: 1.0
X-Mailer: clean mx secure mailer
X-Virus-Scanned: by netpilot GmbH at clean-mx.de
Message-Id: <20100214.1266161284@dbserv.netpilot.net>
Date: Sun, 14 Feb 2010 16:28:04 +0100
content-Type: multipart/signed; boundary="----------=_1266161289-29622-1092"; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-TM-AS-Product-Ver: SMEX-8.0.0.4160-6.000.1038-17192.007
X-TM-AS-Result: No--27.401800-8.000000-31
X-imss-scan-details: No--27.402-5.0-31-1
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
Return-Path: abuse@clean-mx.de
X-OriginalArrivalTime: 14 Feb 2010 15:28:12.0329 (UTC)
 FILETIME=[51D20190:01CAAD8A]

This is a multi-part message in MIME format.
It has been signed conforming to RFC3156.
Produced by clean-mx transparent crypt gateway.
Version: 2.01.0619 http://www.clean-mx.de
You need GPG to check the signature.


------------=_1266161289-29622-1092
Content-type: multipart/mixed;  boundary="----=_NextPart"

This is a multi-part message in MIME format.

------=_NextPart
Content-Type: text/plain; charset="iso-8859-1"

Dear abuse team,

please help to close these offending viruses sites(1) so far.

status: As of 2010-02-14 16:28:04 CET
http://support.clean-mx.de/clean-mx/viruses.php?email=abuse@es.francetelecom.com&response=alive

(for full uri, please scroll to the right end ...


We detected many active cases dated back to 2007, so please look at the date column below.
You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=62.37.237.16

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

|date                           |id     |virusname      |ip             |domain         |Url|
+-----------------------------------------------------------------------------------------------
|2010-02-14 15:19:09 CET        |427123 |TR/VB.Downloader.Gen   |62.37.237.16   |gratisweb.com  |http://www.gratisweb.com/cadastrowebsite/Cadastro%20de%20e-mail.ExE
+-----------------------------------------------------------------------------------------------


Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case

explanation of virusnames:
==========================
unknown_html_RFI_php    not yet detected by scanners as RFI, but pure php code for injection
unknown_html_RFI_perl   not yet detected by scanners as RFI, but pure perl code for injection
unknown_html_RFI_eval   not yet detected by scanners as RFI, but suspect javascript obfuscationg evals
unknown_html_RFI        not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
unknown_html    not yet detected by scanners as RFI, but suspious, may be in rare case false positive
unknown_exe     not yet detected by scanners as malware, but high risk!
all other names malwarename detected by scanners
==========================


yours

Gerhard W. Recher
(Geschäftsführer)

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 München

Tel: ++49 89 547182 0
Fax: ++49 89 547182 33
GSM: ++49 171 4802507

Handelsregister München: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc
------=_NextPart--

------------=_1266161289-29622-1092
Content-Type: application/pgp-signature; name="signature.asc"
Content-Disposition: inline; filename="signature.asc"
Content-Transfer-Encoding: 7bit
Content-Description: Digital Signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBS3gWiRTGcx9kwGtzAQJ0MQf8DYPXyqA7YWrzNCfA0yNfQCYVKNk+dAuM
2b5BvaP4kYzo1EoEBQwHQGKX4UiR1tnXyd0ni9tqOFiP9jafqTLmi1Boj3Qq13hG
YHeImoP1cWN5tUIMaHRVUO01EI6JtKx4LntbRYxIr5F/xsfpOU9KAWXSpvdlBkSM
2Zl3Lgk1X99kvFKtOtesX/SA6CFjMyStJLIpe+Ofwv+MkdynZzONxiwm+mstBnDB
n7OI2PUrr582Og+TxNHtJ4YzwzHnAAweD3W4qmulpAoqwPh9qiHrwxuNEyA5pyL8
xhbOx4UWtLiHchakCDg2GMpeOsnx3A/QgXZ9BFAr6IzmcLSDRDpChA==
=XyXc
-----END PGP SIGNATURE-----

------------=_1266161289-29622-1092--


--9B095B5ADSN=_01CAA07A204044A000100DECMAVA55BEX002P.co--

February 14, 2010, 03:54:41 pm
Reply #1

SysAdMini

Have you already tried abuse@orange.es?

Code: [Select]
% Information related to '62.37.237.0 - 62.37.237.255'

inetnum:        62.37.237.0 - 62.37.237.255
netname:        UNI2-IBU-NET
descr:          ISP of UNI2
descr:          Spain
country:        ES
admin-c:        HTF15-RIPE
tech-c:         HTF15-RIPE
remarks:        For complaints of abuse from these
remarks:        addresses  abuse@es.francetelecom.com
status:         ASSIGNED PA
mnt-by:         FTE-GGRR-MNT
source:         RIPE # Filtered

role:           Hostmaster Technician FTE
address:        company France Telecom España
address:        Calle Meneses, 2
address:        28045
address:        Madrid, Spain
admin-c:        HT874-RIPE
admin-c:        HT876-RIPE
tech-c:         HT874-RIPE
tech-c:         HT876-RIPE
nic-hdl:        HTF15-RIPE
remarks:        spam, abuse reports....mailto:abuse@orange.es
abuse-mailbox:  abuseftes.es@orange-ftgroup.com
mnt-by:         UNI2-MNT
source:         RIPE # Filtered

% Information related to '62.37.0.0/16AS12479'

route:          62.37.0.0/16
descr:          Uni2 PA Block 1
origin:         AS12479
holes:          62.37.230.0/24
mnt-by:         UNI2-MNT
source:         RIPE # Filtered
Ruining the bad guy's day

February 14, 2010, 04:26:58 pm
Reply #2

cleanmx

yepp.. overquota .... anyway braindead @ all
Code: [Select]
Feb 14 17:24:40 newtunix postfix/smtp[10399]: 3230CEAC2A2: to=<abuse@orange.es>, relay=inc.wanadoo.es[62.36.20.20]:25, delay=0.6, delays=0.17/0.02/0.21/0.2, dsn=5.0.0, status=bounced (host inc.wanadoo.es[62.36.20.20] said: 550 Usuario con la quota excedida / User is over quota (in reply to RCPT TO command))
Feb 14 17:24:40 newtunix postfix/smtp[10725]: 85CF9EAC2A3: to=<abuse@orange.es>, relay=inc.wanadoo.es[62.36.20.20]:25, delay=0.46, delays=0.13/0.07/0.16/0.09, dsn=5.0.0, status=bounced (host inc.wanadoo.es[62.36.20.20] said: 550 Usuario con la quota excedida / User is over quota (in reply to RCPT TO command))


February 14, 2010, 09:35:06 pm
Reply #3

MysteryFCM

If you've tried the following, you may want to go to either the upstream, or Ripe (tis what I do when an abuse address fails);

manuel.fuentes @ orange-ftgroup.com

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

February 15, 2010, 12:34:13 pm
Reply #4

cleanmx

Hi Steven,

RIPE is no help, see the conversation about "TITANNET". RIPE is also brain-dead if you want to complain about incomplete entries or wrong entries!!!
Code: [Select]
dear sirs,

this is *not* a complain about malware, but a complain about not working
contacts for this network published in Ripe db !


-- gerhard

-------- Original Message --------
Return-Path:     <>
X-Original-To:     abuse@clean-mx.de
Delivered-To:     abuse@clean-mx.de
Received:     from relayn.netpilot.net (relayn19.netpilot.net
[195.214.79.19]) (using TLSv1 with cipher ADH-AES256-SHA (256/256
bits)) (No client certificate requested) by ksrv8.netpilot.net
(Postfix) with ESMTPS id 43F1C252C002 for <abuse@clean-mx.de>; Fri, 2
Oct 2009 11:59:59 +0200 (CEST)
Received:     from relayn.netpilot.net (localhost [127.0.0.1]) by
relayn.netpilot.net (Postfix) with ESMTP id 92FDF1EC8011 for
<abuse@clean-mx.de>; Fri, 2 Oct 2009 11:59:57 +0200 (CEST)
Received:     from localhost (unknown [127.0.0.1]) by localhost (Postfix)
with ESMTP id 2513C1EE86D9 for <abuse@clean-mx.de>; Fri, 2 Oct 2009
09:59:56 +0000 (UTC)
Received:     from relayn.netpilot.net ([127.0.0.1]) by localhost
(relayn.netpilot.net [127.0.0.1]) (clean-mx, port 10024) with ESMTP id
Tk7r4MV3I5VG for <abuse@clean-mx.de>; Fri, 2 Oct 2009 11:59:54 +0200
(CEST)
Received:     from postgirl.ripe.net (postgirl.ripe.net [193.0.19.66])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client
certificate requested) by relayn.netpilot.net (Postfix) with ESMTPS id
32C08EAC275 for <abuse@clean-mx.de>; Fri, 2 Oct 2009 11:59:47 +0200 (CEST)
Received:     from herring.ripe.net ([193.0.1.203]) by postgirl.ripe.net
with esmtp (Exim 4.63) id 1MtevK-0003oc-69 for abuse@clean-mx.de; Fri,
02 Oct 2009 11:59:46 +0200
Received:     from owl.ripe.net (owl.ripe.net [193.0.1.100]) by
herring.ripe.net (Postfix) with ESMTP id B696B2F593 for
<abuse@clean-mx.de>; Fri, 2 Oct 2009 11:59:37 +0200 (CEST)
From:     <bit-bucket@ripe.net>
To:     abuse@clean-mx.de
Subject:     Re: NCC#2009100331 [netpilot] invalid email contacts for
"TITANNET"
In-Reply-To:     <4AC5CA78.3090708@clean-mx.de>
References:     <4AC5CA78.3090708@clean-mx.de>
Content-Type:     text/plain; charset="ISO-8859-1"
Lines:     301
Message-Id:     <mailbox-6372-1240925852@owl>
Date:     Fri, 02 Oct 2009 11:59:37 +0200
MIME-Version:     1.0
Content-Transfer-Encoding:     quoted-printable
X-RIPE-Spam-Level:     /
X-RIPE-Signature:
f85d5efa577a0f1310ceb23a83926cd66ee722e16c83336ef17fe2f116a1a6a2



THIS IS AN AUTO-REPLY.

Dear Sir / Madam,

You have sent us a complaint regarding some type of abuse (e.g., spam or
hacking).

The RIPE NCC is an independent, not-for-profit membership organisation.
We are one of the five Regional Internet Registries (RIRs) responsible
for the allocation of blocks of IP address space to Local Internet
Registries (LIRs), which are mostly Internet Service Providers. LIRs
then assign addresses to End Users.

The RIPE NCC is *NOT* a service provider and has no jurisdiction over,
or responsibility for, how the allocated IP numbers are used.

You have probably been directed to the RIPE NCC because we run a
publicly available database that allows users to look up the contact
information for the organisations responsible for particular IP address
space.

We would like to help you find the appropriate party responsible for the
address space and we therefore direct you to our database:

http://www.ripe.net/db/whois

When you enter the IP address in our database search, you will find the
party responsible for the IP address range. Please contact them
regarding your abuse complaint.

More information regarding network abuse is available on our website at:

http://www.ripe.net/info/faq/abuse/index.html
http://www.ripe.net/abuse.html
http://www.ripe.net/legal/


We hope this has clarified any misunderstanding. If this email did not
help you further, please send an e-mail to
abuse+07b1e9dc77b1646b974374d2c10d379d0abe2264@ripe.net

Kind regards,

RIPE NCC
Customer Services
> > dear sirs,
> >
> > we are unable to submit malware complains to this customer
> >
> > may you please urge them to fix their published contacts ?
> >
> > -- gerhard
> >
> >
> > http://www.db.ripe.net/whois?form_type=simple&full_query_string=&searchtext=193.169.13.6&submit.x=0&submit.y=0&submit=Search
> >
> >
> >
> > -------- Original Message --------
> > Return-Path:     <>
> > X-Original-To:     abuse@clean-mx.de
> > Delivered-To:     abuse@clean-mx.de
> > Received:     from relayn.netpilot.net (relayn19.netpilot.net
> > [195.214.79.19]) (using TLSv1 with cipher ADH-AES256-SHA (256/256
> > bits)) (No client certificate requested) by ksrv8.netpilot.net
> > (Postfix) with ESMTPS id 08EF8252C002 for <abuse@clean-mx.de>; Fri, 2
> > Oct 2009 11:13:10 +0200 (CEST)
> > Received:     from relayn.netpilot.net (localhost [127.0.0.1]) by
> > relayn.netpilot.net (Postfix) with ESMTP id CC12F1EC8022 for
> > <abuse@clean-mx.de>; Fri, 2 Oct 2009 11:12:45 +0200 (CEST)
> > Received:     from localhost (unknown [127.0.0.1]) by localhost (Postfix)
> > with ESMTP id 0BF941EE86E4 for <abuse@clean-mx.de>; Fri, 2 Oct 2009
> > 09:11:46 +0000 (UTC)
> > Received:     from relayn.netpilot.net ([127.0.0.1]) by localhost
> > (relayn.netpilot.net [127.0.0.1]) (clean-mx, port 10024) with ESMTP id
> > icB13EZce2Qp for <abuse@clean-mx.de>; Fri, 2 Oct 2009 11:11:44 +0200
> > (CEST)
> > Received:     from colo-3-da.megahoster.net (colo-3-da.megahoster.net
> > [72.36.148.122]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256
> > bits)) (No client certificate requested) by relayn.netpilot.net
> > (Postfix) with ESMTPS id 3B7F0384004 for <abuse@clean-mx.de>; Fri, 2
> > Oct 2009 11:11:40 +0200 (CEST)
> > Received:     from mail by colo-3-da.megahoster.net with local (Exim
> > 4.67) id 1Mtduh-0002wT-CW for abuse@clean-mx.de; Fri, 02 Oct 2009
> > 03:54:55 -0500
> > X-Failed-Recipients:     abuse@titanfinance.bz
> > Auto-Submitted:     auto-replied
> > From:     Mail Delivery System <Mailer-Daemon@colo-3-da.megahoster.net>
> > To:     abuse@clean-mx.de
> > Subject:     Mail delivery failed: returning message to sender
> > Message-Id:     <E1Mtduh-0002wT-CW@colo-3-da.megahoster.net>
> > Date:     Fri, 02 Oct 2009 03:54:55 -0500
> >
> >
> >
> > This message was created automatically by mail delivery software.
> >
> > A message that you sent could not be delivered to one or more of its
> > recipients. This is a permanent error. The following address(es) failed:
> >
> >   abuse@titanfinance.bz
> >     Unrouteable address
> >
> > ------ This is a copy of the message, including all the headers. ------
> >
> > Return-path: <abuse@clean-mx.de>
> > Received: from relayn.netpilot.net ([62.67.240.20])
> >     by colo-3-da.megahoster.net with esmtps (TLSv1:AES256-SHA:256)
> >     (Exim 4.67)
> >     (envelope-from <abuse@clean-mx.de>)
> >     id 1Mtduf-0002vj-F2
> >     for abuse@titanfinance.bz; Fri, 02 Oct 2009 03:54:54 -0500
> > Received: from relayn.netpilot.net (localhost [127.0.0.1])
> >     by relayn.netpilot.net (Postfix) with ESMTP id 01DC51EE86EA
> >     for <abuse@titanfinance.bz>; Fri,  2 Oct 2009 11:11:24 +0200 (CEST)
> > DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to
> >     :subject:mime-version:message-id:date:content-type; s=sel; bh=er
> >     IcSaH6fayqtDrw8NRxlEAEox8=; b=QfiCoWhFg6L6E92UxNtSYlTULMFINWtWVo
> >     cvPv9PEb8QK1S/TUwzQ5YNsOK0XWwaJqd9M/VDHw8eVe+S/R7WtJXbdc7RTFgOQt
> >     v1iQ1ZbQS/pJwshWH3iGIJ6Z++s5Witq2BiT5Muti1IUerOp7G2qdDOfnwch15n7
> >     3kdmuTHDs=
> > DomainKey-Signature: a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to
> >     :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b=
> >     IO9/ePbxBvlSQW16jWzmhSIOtjA5NFTtEDQo5QtAZ4h7PAeQhV2xgvv1jdao5Twu
> >     2FsFWExnkzrNXJAT1ucoxU9jyT1sCNDa3FELDDLzOmAZ3yfKmHKkvEZB3D7FEcS1
> >     TTkPeR6oT0fQ2/gmFkV2WZKT27gv884GuL0o5MQqH5c=
> > Received: from dbserv.netpilot.net (unknown [195.214.79.22])
> >     by localhost (Postfix) with ESMTP id BF7E11EE86E7
> >     for <abuse@titanfinance.bz>; Fri,  2 Oct 2009 09:11:20 +0000 (UTC)
> > From: abuse@clean-mx.de
> > to: abuse@titanfinance.bz
> > Subject:
> > [clean-mx-viruses-217427](193.169.13.6)-->(abuse@titanfinance.bz)
> > viruses sites (3  so far) within your network, please close them!
> > status: As of 2009-10-02 11:09:44 CEST
> > Precedence: bulk
> > MIME-Version: 1.0
> > X-Mailer: clean mx secure mailer
> > X-Virus-Scanned: by netpilot GmbH at clean-mx.de
> > Message-Id: <20091002.1254474584@dbserv.netpilot.net>
> > Date: Fri, 02 Oct 2009 11:09:44 +0200
> > content-Type: multipart/signed;
> > boundary="----------=_1254474680-7900-43000"; micalg="pgp-sha1";
> > protocol="application/pgp-signature"
> >
> > This is a multi-part message in MIME format.
> > It has been signed conforming to RFC3156.
> > Produced by clean-mx transparent crypt gateway.
> > Version: 2.01.0619 http://www.clean-mx.de
> > You need GPG to check the signature.
> >
> > ------------=_1254474680-7900-43000
> > Content-type: multipart/mixed;    boundary="----=_NextPart"
> >
> > This is a multi-part message in MIME format.
> >
> > ------=_NextPart
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > Dear abuse team,
> >
> > please help to close these offending viruses sites(3) so far.
> >
> > status: As of 2009-10-02 11:09:44 CEST
> > http://support.clean-mx.de/clean-mx/viruses.php?email=abuse@titanfinance.bz&response=alive
> >
> > (for full uri, please scroll to the right end ...
> >
> >
> > We detected many active cases dated back to 2007, so please look at
> > the date column below.
> > You may also subscribe to our MalwareWatch list
> > http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch
> >
> > This information has been generated out of our comprehensive real time
> > database, tracking worldwide viruses URI's
> >
> > most likely also affected pages for these ip may be found via passive dns
> > please have a look on these other domains correlated to these ip
> > example: see  http://www.bfk.de/bfk_dnslogger.html?query=193.169.13.6
> >
> > If your review this list of offending site, please do this carefully,
> > pay attention for redirects also!
> > Also, please consider this particular machines may have a root kit
> > installed !
> > So simply deleting some files or dirs or disabling cgi may not really
> > solve the issue !
> >
> > Advice: The appearance of a Virus Site on a server means that
> > someone intruded into the system. The server's owner should
> > disconnect and not return the system into service until an
> > audit is performed to ensure no data was lost, that all OS and
> > internet software is up to date with the latest security fixes,
> > and that any backdoors and other exploits left by the intruders
> > are closed. Logs should be preserved and analyzed and, perhaps,
> > the appropriate law enforcement agencies notified.
> >
> > DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
> > PROBLEM, THEY WILL BE BACK!
> >
> > You may forward my information to law enforcement, CERTs,
> > other responsible admins, or similar agencies.
> >
> > +-----------------------------------------------------------------------------------------------
> >
> > |date                |id    |virusname    |ip        |domain        |Url|
> > +-----------------------------------------------------------------------------------------------
> > |2009-10-01 00:00:00 CEST    |217427    |malwareurl_Trojan FraudLoad
> >  |193.169.13.6    |scan-me-now.com
> >  |http://scan-me-now.com/l/142949df89j83x6ck
> > |2009-10-01 00:00:00 CEST    |217428    |Trojan.Fakealert.5223
> >  |193.169.13.6    |scan-me-now.com
> >  |http://scan-me-now.com/s/wad972f108eo77l71p/setup.exe
> > |2009-10-01 20:58:08 CEST    |217574    |Trojan.Fakealert.5223
> >  |193.169.13.6    |scan-me-now.com
> >  |http://scan-me-now.com/s/w52720e007fz82w68g/setup.exe
> > +-----------------------------------------------------------------------------------------------
> >
> >
> > Your email address has been pulled out of whois concerning this
> > offending network block(s).
> > If you are not concerned with anti-fraud measurements, please forward
> > this mail to the next responsible desk available...
> >
> >
> > If you just close(d) these incident(s) please give us a feedback, our
> > automatic walker process may not detect a closed case
> >
> > explanation of virusnames:
> > ==========================
> > unknown_html_RFI_php    not yet detected by scanners as RFI, but pure
> > php code for injection
> > unknown_html_RFI_perl    not yet detected by scanners as RFI, but pure
> > perl code for injection
> > unknown_html_RFI_eval    not yet detected by scanners as RFI, but
> > suspect javascript obfuscationg evals
> > unknown_html_RFI    not yet detected by scanners as RFI, but trapped
> > by our honeypots as remote-code-injection
> > unknown_html    not yet detected by scanners as RFI, but suspious, may
> > be in rare case false positive
> > unknown_exe    not yet detected by scanners as malware, but high risk!
> > all other names    malwarename detected by scanners
> > ==========================
> >
> >
> > yours
> >
> > Gerhard W. Recher
> > (Geschäftsführer)
> >
> > NETpilot GmbH
> >
> > Wilhelm-Riehl-Str. 13
> > D-80687 München
> >
> > Tel: ++49 89 547182 0
> > Fax: ++49 89 547182 33
> > GSM: ++49 171 4802507
> >
> > Handelsregister München: HRB 124497
> >
> > w3: http://www.clean-mx.de
> > e-Mail:   mailto:abuse@clean-mx.de
> > PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id:
> > 0xDD0CE552
> > Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc
> > ------=_NextPart--
> >
> > ------------=_1254474680-7900-43000
> > Content-Type: application/pgp-signature; name="signature.asc"
> > Content-Disposition: inline; filename="signature.asc"
> > Content-Transfer-Encoding: 7bit
> > Content-Description: Digital Signature
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.6 (GNU/Linux)
> >
> > iQEVAwUBSsXDuBTGcx9kwGtzAQKlwwf8DzFMJWi35dLQi2EJjfnuOu8RrFO0llq6
> > UWAGW8YjrIFlRJ4EnAK5Zd82jfHVeKynHGpda9Vv2LIaXpxg65YVd9moAtd9MRah
> > +JaMpI1faYUyKH2AONuf9Jd+kiESdPXnIuCA/1o2hoUVVS+MvLbEe8UcpriA5xR2
> > YKTY5G2QkDQsJA3oMkU1aepbZzmRhk39dRO9bN+X/YYBhFbbpwhprbxYFDghEZuk
> > +kJKuh/n374Pre58G2GeT5AovSv7xgbHqsNg3X2wKSgzFTyT4KVJeVNyVBi8QytR
> > r7BxjAmddWxUxuMA8bX+TKDYkQaJbcZH07WROZJH8raznTkWBJS2DA==
> > =Ub1l
> > -----END PGP SIGNATURE-----
> >
> > ------------=_1254474680-7900-43000--

February 15, 2010, 01:12:01 pm
Reply #5

MysteryFCM

Ripe have been helpful when I've e-mailed 'em? (addresses I use are ripe-dbm @ ripe.net and hostmaster @ ripe.net, both have been helpful with regard to incomplete/invalid contact info)

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

February 15, 2010, 02:11:51 pm
Reply #6

cleanmx

hmm... if you look at this RIPE conversation sent to ripe-dbm ... they refused to urge this network owner to complete email contacts to a valid state ...

How do you manage these? I have tons of networks in my database with no email or only a telephone/fax contact!

Here are just 8 networks currently active in the malware db ... from RIPE without mail contacts
Code: [Select]
+---------------------------------+-----------------------+----------------------------+---------------------------------------------------------------------------------------------------------+
| inetnum                         | netname               | email                      | descr                                                                                                   |
+---------------------------------+-----------------------+----------------------------+---------------------------------------------------------------------------------------------------------+
| 188.64.184.0 - 188.64.185.255   | UK-UKHOST4U-20090723  | phone: +44 (0844) 414 2240 | UKHOST4UUKHost4u                                                                                        |
| 194.185.224.0 - 194.185.224.255 | ECLASSH-NET           | fax: +39 02 58219403       | e-Class SpAVia M. Burigozzo, 5I-20122 Milano (MI)I.NET Customer Nets block                              |
| 213.171.250.32 - 213.171.250.39 | BROADNET-ES-NETMADRID | phone: +34 912214000       | NetMadrid Soluciones de RedesC\Doctor Esquerdo, 197, 5ºD28007-MadridNEO-SKY 2002Provider Local Registry |
| 217.64.112.0 - 217.64.112.127   | Wyrecompute           | phone: +44 870 741 1267    | WFCS Core NetworkWyre Forest Computer Solutions Ltd T/A WFCS                                            |
| 77.72.25.0 - 77.72.25.255       | TESENE-NET            |                            | Tesene first IP allocationTesene S.r.l.                                                                 |
| 81.29.148.0 - 81.29.148.127     | ARTERA-NET            |                            | Artera S.r.lSwitchward IP Block #1                                                                      |
| 85.192.32.0 - 85.192.33.255     | BESTHOSTING           | phone: +7 495 788 9484     | Best Hosting LLCMoscow, Russiahttp                                                                      |
| 94.230.88.0 - 94.230.95.255     | IL-XFONE              |                            | XFone 018 LtdXFONE COMMUNICATION LTDXFONE COMMUNICATION LTD                                             |
+---------------------------------+-----------------------+----------------------------+---------------------------------------------------------------------------------------------------------+

February 15, 2010, 02:32:27 pm
Reply #7

MysteryFCM

I'll drop 'em a note and see what can be done :) (I'll point 'em here too ....)

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
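
The triage done by hand across this thread (collect every address the RIPE object offers, strike the ones that bounce, escalate when none is left) can be scripted. The following is an added example, not code from any poster or from clean-mx; the sample inputs are constructed by trimming the whois output, DSN and Postfix log line quoted in the thread, and all function names are hypothetical.

```python
import email
import re
from email.utils import getaddresses

# Constructed sample: the RIPE objects from Reply #1, trimmed.
WHOIS = """\
inetnum:        62.37.237.0 - 62.37.237.255
netname:        UNI2-IBU-NET
remarks:        For complaints of abuse from these
remarks:        addresses  abuse@es.francetelecom.com

role:           Hostmaster Technician FTE
remarks:        spam, abuse reports....mailto:abuse@orange.es
abuse-mailbox:  abuseftes.es@orange-ftgroup.com
"""

# Constructed sample: the multipart/report bounce from the first post, trimmed.
DSN = """\
From: postmaster@es.ftgroup
To: abuse@clean-mx.de
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="DSN_BOUNDARY"

--DSN_BOUNDARY
Content-Type: message/delivery-status

Reporting-MTA: dns;MAVA55BEX002P.cosmos.es.ftgroup

Final-Recipient: rfc822;abuseftes.es@orange-ftgroup.com
Action: failed
Status: 5.2.2

--DSN_BOUNDARY
Content-Type: message/rfc822

From: abuse@clean-mx.de
to: abuse@es.francetelecom.com
Subject: viruses sites within your network

report body
--DSN_BOUNDARY--
"""

# Constructed sample: one of the Postfix log lines from Reply #2.
POSTFIX_LOG = "Feb 14 17:24:40 newtunix postfix/smtp[10399]: 3230CEAC2A2: to=<abuse@orange.es>, relay=inc.wanadoo.es[62.36.20.20]:25, delay=0.6, delays=0.17/0.02/0.21/0.2, dsn=5.0.0, status=bounced (host inc.wanadoo.es[62.36.20.20] said: 550 Usuario con la quota excedida / User is over quota (in reply to RCPT TO command))\n"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PRIORITY = {"abuse-mailbox": 0, "e-mail": 1, "remarks": 2}   # most specific first
BOUNCE_RE = re.compile(r"to=<([^>]+)>,.*\bdsn=(\d\.\d+\.\d+), status=bounced \((.*)\)\s*$")
# RFC 3463 enhanced status codes relevant here
STATUS_TEXT = {"5.2.2": "mailbox full", "5.1.1": "no such mailbox"}

def whois_contacts(text):
    """Every address an RPSL object offers, as (address, attribute), best first."""
    found = {}
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        attr = attr.strip().lower()
        if sep and attr in PRIORITY:
            for addr in EMAIL_RE.findall(value):
                found.setdefault(addr.lower(), attr)
    return sorted(found.items(), key=lambda kv: PRIORITY[kv[1]])

def dsn_failures(raw):
    """RFC 3464 report -> {address: (status, detail)}. The address we mailed is
    blamed too when the failing Final-Recipient is only its forward target."""
    failed, mailed = {}, []
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():          # one Message per header block
                rcpt = block.get("Final-Recipient", "")
                if block.get("Action", "").strip().lower() == "failed" and ";" in rcpt:
                    rcpt = rcpt.split(";", 1)[1].strip().lower()
                    failed[rcpt] = (block.get("Status", "5.0.0").strip(), "")
        elif part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)            # the returned message
            mailed = [a.lower() for _, a in getaddresses(original.get_all("To", []))]
    for addr in mailed:
        for rcpt, (status, _) in list(failed.items()):
            failed.setdefault(addr, (status, "forwarded to " + rcpt))
    return failed

def postfix_failures(log):
    """Postfix smtp 'status=bounced' lines -> {address: (dsn, remote reply)}."""
    hits = (BOUNCE_RE.search(line) for line in log.splitlines())
    return {m.group(1).lower(): (m.group(2), m.group(3)) for m in hits if m}

def explain(status, detail):
    if "quota" in detail.lower():      # generic 5.0.0, but the reply text says why
        return "mailbox full"
    return STATUS_TEXT.get(status, "permanent failure" if status[0] == "5" else "temporary failure")

def triage(whois_text, dsn_reports=(), postfix_log=""):
    bad = postfix_failures(postfix_log)
    for raw in dsn_reports:
        bad.update(dsn_failures(raw))
    rows = []
    for addr, source in whois_contacts(whois_text):
        verdict = "untested"
        if addr in bad:
            status, detail = bad[addr]
            verdict = "dead: %s [%s]" % (explain(status, detail), status)
        rows.append((addr, source, verdict))
    return rows

def next_step(rows):
    live = [addr for addr, _, verdict in rows if verdict == "untested"]
    return live[0] if live else "escalate: no working contact in whois (upstream / RIPE)"

if __name__ == "__main__":
    for row in triage(WHOIS, [DSN], POSTFIX_LOG):
        print(row)
    print(next_step(triage(WHOIS, [DSN], POSTFIX_LOG)))
```

The same `triage` call on an object with no e-mail attribute at all, like the eight networks listed in Reply #6, returns an empty list and goes straight to escalation.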