Saturday, 30 November 2013

Hunting down a spam host and it was M* K* CEO of Crystone AB (Sweden) (ten years ago)

==================== Update 2013 ===================
5 days after this post, and some direct follow-ups with Crystone.se, no more spam was received.
20 days later (19 Dec 2013) crystone.se was seen to have vanished from the Spamhaus ISP bad boys list.

Thank you Crystone.se for the change in direction, keep up the good work.

THIS POST IS OVER 10 YEARS OLD NOW. Name now blanked out - statute of limitations - and they did get the problem fixed.

==================== ******** =================

In reverse, from the top ...

M* K* is CEO of Crystone AB (Sweden). Sends spam. Source: LinkedIn.

Crystone.se hosts spammers' websites and domains.

Source: multiple traceroutes to adriute.com and multiple other spammer domains.

gannett$ traceroute adriute.com
traceroute to adriute.com (193.182.254.192), 64 hops max, 52 byte packets
 1  skyrouter.home (192.168.0.1)  1.544 ms  1.340 ms  0.871 ms
 2  * * *
 3  ip-84-38-37-16.easynet.co.uk (84.38.37.16)  21.820 ms  21.911 ms  22.029 ms
 4  ti9002b300.ti.telenor.net (195.66.237.107)  20.723 ms  20.606 ms  21.009 ms
 5  ti3003c400-ae3-0.ti.telenor.net (146.172.105.37)  62.745 ms  63.474 ms  62.462 ms
 6  ti3002c400-ae2-0.ti.telenor.net (146.172.100.69)  62.495 ms  62.093 ms  62.579 ms
 7  ti3002d400-ae0-0.ti.telenor.net (146.172.102.186)  62.145 ms  62.389 ms  62.576 ms
 8  ti3083a210-xe8-1.ti.telenor.net (146.172.107.206)  238.273 ms  170.280 ms  205.565 ms
 9  static-213-115-123-44.sme.bredbandsbolaget.se (213.115.123.44)  60.298 ms  59.874 ms  59.797 ms
10  dr-8.hy-sth.se.crystone.net (83.168.243.156)  54.240 ms  55.152 ms  55.127 ms
11  www.adriute.com (193.182.254.192)  54.996 ms !Z  54.934 ms !Z  54.741 ms !Z


Email and embedded link point directly to the domain adriute.com.
Source: my mailbox.



This is just one of many similarly formed emails sent to the same private address from various domains hosted in the same way. Each one of these emails comes from a different domain on the list below.


Luckily most of these emails are correctly recognised as junk mail, probably using internet based blacklists.

The well-respected Spamhaus agrees with this conclusion. Getting to number three on the list of the worst ISPs in the world does not happen overnight; that's a policy choice by Crystone. Either the CEO is in on the deal or is incompetent by not knowing how his company's reputation, and therefore shareholder value, is being trashed.


This particular operation is known as a "Snowshoe Spam" operation, spreading out the evil across a large number of domains and IP addresses. Other ref. A bit dumb/obvious to use the same hosting company.

And adriute.com is not the only domain with the same infrastructure leading directly back to crystone.se. List of bad poison spam domains:


The last couple of lines of the traceroutes to each of the domains above. See how the hop before the domain is se.crystone.net.

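The comparison described above (the hop immediately before each spam domain is the same router) can be automated when there are many traces to check. This is an added example, not code from the original post: it groups destinations by the last router in front of them. The sample input, hostnames and addresses are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: tails of several traceroute runs joined with "--" lines,
# the layout grep context output produces. Names and addresses are reserved
# documentation values, not data from the post.
SAMPLE = """\
 9  transit-7.carrier.example (203.0.113.9)  59.9 ms  59.7 ms  60.0 ms
10  edge-1.hosting.example (198.51.100.1)  55.2 ms  54.5 ms  54.1 ms
11  www.shop-a.example (192.0.2.10)  54.8 ms !Z  54.9 ms !Z  54.7 ms !Z
--
--
 9  transit-7.carrier.example (203.0.113.9)  60.0 ms  59.8 ms  59.7 ms
10  edge-1.hosting.example (198.51.100.1)  54.2 ms  54.2 ms  54.9 ms
11  www.deals-b.example (192.0.2.77)  54.9 ms !Z  54.8 ms !Z  55.2 ms !Z
--
--
 9  transit-7.carrier.example (203.0.113.9)  59.7 ms  60.4 ms  60.5 ms
10  * * *
11  www.lone-c.example (192.0.2.200)  54.5 ms !Z  55.5 ms !Z  57.8 ms !Z
--
 7  core-2.other.example (203.0.113.40)  20.1 ms  20.3 ms  20.2 ms
 8  www.news-d.example (203.0.113.80)  21.0 ms  21.1 ms  20.9 ms
"""

# A hop that answered: "10  host (192.0.2.1)  54.2 ms". Silent hops ("2  * * *") do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_stanzas(text):
    """Split concatenated traceroute output into per-run lists of (ttl, host, ip)."""
    stanzas, current = [], []
    for line in text.splitlines():
        if line.strip() == "--" or line.startswith("traceroute to"):
            if current:
                stanzas.append(current)
            current = []
        elif (m := HOP_RE.match(line)):
            current.append((int(m.group(1)), m.group(2), m.group(3)))
    if current:
        stanzas.append(current)
    return stanzas

def group_by_last_hop(text):
    """Map the router before each destination to the destinations behind it.
    Assumes every run reached its target, so the final hop is the destination."""
    groups = defaultdict(set)
    for hops in parse_stanzas(text):
        if len(hops) < 2:
            continue
        (ttl_prev, host, ip), (ttl_dst, dest, _) = hops[-2], hops[-1]
        # A gap in TTLs means a silent hop sat in between: the real upstream is unknown.
        if ttl_dst - ttl_prev == 1:
            groups[(host, ip)].add(dest)
    return groups

def shared_upstreams(text, min_domains=2):
    """Return {"router (ip)": [destinations]} for routers fronting several destinations."""
    return {f"{h} ({ip})": sorted(d) for (h, ip), d in group_by_last_hop(text).items()
            if len(d) >= min_domains}
```

A shared last hop shows only a shared network path; the address allocation records for the destination IPs are what confirm who hosts them.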

5 comments:

Gannett said...

Live Support
Ask us anything
Chat started
Fred gannett
Suffering from spam

Juan joined the chat

Juan
Thank you for contacting Crystone, how can I help you today?

oh yeah?
let me have your customer ID please

sorry to hear that

Fred gannett
Here is the domain trace

gannett$ traceroute melbestdeals.com
traceroute to melbestdeals.com (64.88.141.13), 64 hops max, 52 byte packets
1 skyrouter.home (192.168.0.1) 1.910 ms 1.341 ms 1.890 ms
2 * * *
3 ip-84-38-37-16.easynet.co.uk (84.38.37.16) 25.549 ms 21.486 ms 21.104 ms
4 ti9002b300.ti.telenor.net (195.66.237.107) 21.653 ms 20.575 ms 25.764 ms
5 ti3003c400-ae3-0.ti.telenor.net (146.172.105.37) 63.468 ms 65.073 ms 62.252 ms
6 ti3002c400-ae2-0.ti.telenor.net (146.172.100.69) 61.910 ms * 64.208 ms
7 ti3002d400-ae0-0.ti.telenor.net (146.172.102.186) 62.409 ms 72.631 ms 62.234 ms
8 ti3083a210-xe8-1.ti.telenor.net (146.172.107.206) 61.514 ms 62.763 ms 62.330 ms
9 static-213-115-123-44.sme.bredbandsbolaget.se (213.115.123.44) 61.089 ms 60.468 ms 62.069 ms
10 dr-8.hy-sth.se.crystone.net (83.168.243.156) 60.198 ms 60.623 ms 60.594 ms
11 www.melbestdeals.com (64.88.141.13) 60.158 ms !Z 60.420 ms !Z 60.543 ms !Z




Here is the spam
On 6 Dec 2013, at 0806, Carolyn Howard wrote:

Just Imagine....what kind of millionaire would you be?

Play Mega Million online for a chance to win the world's biggest jackpot of $291 million.

Luck is right in front of you, play. $291,000,000 USD

http://melbestdeals.com/b/click/5457/146145409/b98ab.html

Gotta be in it to win it. This is your lucky day!

so your TOS says you will turn off a domain when spam is done

Juan
yep

send that to abuse@crystone.se
please
attach the message above

Fred gannett
This is not a new thing See http://gannett-hscp.blogspot.co.uk/2013/11/hunting-down-spam-host-and-its-mattias.html

this is classic snowshoe spam - all hosted by crystone
Juan
Most likely a hacker hacked into the system
anyways send the email to abuse@crystone.se

that should take care the issue
In addition I will send a memo to the email tech to supervise your email
please give me your customer ID

Fred gannett
for so long that Spamhaus agrees you're number 3 biggest ISP spammer
in the world -

Juan
they will handle that

Fred gannett
apparently not worse abuse handling contributes to major org fail

The World's Worst ISPs

The networks listed on this page knowingly provide service to criminal spam gangs and ignore spam reports from anti-spam systems and Internet users. These networks are de facto Spam Havens from where spammers operate freely and with the full knowledge of the network administrators and the executives. In the name of profits, these ten networks turn a blind eye to criminal spam gangs on their networks.
and you're #3

Juan
Make sure you add all this on the email
can you please give me your customer ID?

Fred gannett
I see how tech support (you) is powerless in the face of business decisions made by CEO

could you even say that violating domain will be terminated ? at this time

Juan
I don't handle this

I am 1st line of support

You came to us
so I instructed what you need to do next
I still need your customer ID

Fred gannett
sure and I understand. Your active support is powerless to actually fix anything

Juan
for this issue indeed
Is there anything else I could do for you?

Fred gannett
sympathise that one of your fuckwit customers spams the world

Juan
Again I can only tell you to send the email to abuse@crystone.se
and for me to send a memo to the email tech

Gannett said...

I am still waiting for the customer ID
so I could do it unless you can't provide that

then call tomorrow
or return when you have the information

Thank you for contacting Crystone, have a great evening!

Fred gannett
so does spam have to be reported by your customers in order to get spammer binned ?

doh! spammer sends outward not inwards

Juan
Send the message

to that email

plus give me your ID
so I'll send email to tech email
Fred gannett
i am not customer I just suffer from your customers spamming
Juan
Alright

abuse@crystone.se

Thank you for contacting Crystone, have a great evening!

Fred gannett
and who do I call when they ignore message and fail to enforce your own Terms of service

??????

Juan
Ghostbusters
Juan left the chat

Fred gannett
for sure :-)

Juan joined the chat

Juan
:)

Fred gannett
squirt a few spammers with gunge make them think twice
s/gunge/sh*t/


Juan
enter?

Fred gannett
have a good evening - but l8r ask friends if working for company that shows as
http://www.spamhaus.org/statistics/networks/
is a good idea

Juan
Like I said All this information should be reported

that email they will handle this issue

I can only help problems in control panels
basic billing

Fred gannett
like they don't know $£$£$£ wins

I would make a personal $50 bet with you that if I sent all my spam info to abuse@crystone.com nothing would be done against the actual customer.

Juan
I have no idea

what could happen

Fred gannett
I would dream that no more spam would come to my personal email address from your(crystone) hosted domains


I get spam only from crystone to that personal address. Lots of other spam to my "public" email addresses.

but am used to that and can handle

when it gets to personal address I act.

So looking into your customer records ( as you can ) what is common between these domains ?
marrge.com
laurabs.com
padilladeals.com
gozumuz.com
freesouzi.com
ctdserv.com
freeschin.com
cqrcity.com
gamezonefree.net
readtreefree.com
oyoob.com
ndzstzw.com
adriute.com


Juan
no records here

Like I said

send the email

return in a few minutes

Thank you for contacting Crystone, have a great evening!

Juan left the chat


Gannett said...

The above is a transcript between me and a well-meaning, low-level employee at Crystone.

It seems that the 24H support folks are not empowered to actually act against spamming domains, which makes the promise in the TOS a complete sham and fraud.

http://www.crystone.com/about-crystone/hosting-terms-and-conditions/

Crash and burn this ISP.

Gannett said...

From: Abuse
Subject: Re: see
Date: 9 December 2013 09:05:19 GMT
To: ME

On 12/07/2013 12:53 AM, I wrote:
blog entry

http://gannett-hscp.blogspot.co.uk/2013/11/hunting-down-spam-host-and-its-mattias.html

any answer ?



Hi,
It seems to be one customer to us that is behind all those examples. We will investigate and put pressure on them to stop spamming

Best regards
Abuse

Gannett said...

5 days after the original post, and some direct follow-ups with Crystone.se, no more spam was received.

20 days later (19 Dec 2013) crystone.se was seen to have vanished from the Spamhaus ISP bad boys list.

Thank you Crystone.se for the change in direction, keep up the good work.