[OT?] Possible scammer using Tour De France to download dialer trojan(?)

Discussion in 'Road Cycling' started by Socks, Jul 6, 2003.

Thread Status:
Not open for further replies.
  1. Socks

    Socks Guest

    The Tour De France started yesterday. Today I wanted to check on results. Not remembering the URL
    for the official tour site, I tried http://tourdefrance.com

    Surprise, no Tour information anywhere on the site. What it tried to do instead is get me to
    download and install some software from <a href="http://217.76.135.56/[email protected]_uk">
    No explanation on the site of what the software did or why I should trust them enough to let them
    install it on my system. A parameter of "dialer" isn't something to fill an old paranoid
    schizophrenic like me with an overwhelming sense of confidence.

    Tsk, tsk. Site is registered to one M. Garcia in Espana.

    I attempted to alert the legitimate tour site. The authorized tour site is http://letour.fr

    Unfortunately, letour's postmaster, abuse, and piracy email addresses are non functional.
    rfc-ignorant received the appropriate nominations and evidence for postmaster and abuse, and their
    upstream at oleane.net was also alerted. Perhaps that will get my note into the right hands.

    This is cross posted to rec.bicycles.racing on the theory that they may know best how to contact
    letour.fr, and may know what tourdefrance.com really is if it isn't being run by a scammer. Anyone
    responding from rbr please leave nanae in the cross posts - I tend not to read rbr much.

    --
    In either case, the Court cautions Plaintiff's counsel not to run with a sharpened writing utensil
    in hand--he could put his eye out. (147 F.Supp.2d
    668)
     


  2. Inconnu

    Inconnu Guest

    On Sat, 05 Jul 2003 23:02:09 -0500, Socks wrote:

    Bullshitting, Lying, Spam Piece of Shit
     
  3. Socks

    Socks Guest

    Giving up the right to remain silent, "inconnu" <[email protected]
    cm0f2069983361.cpe.net.cable.rogers.com> said in
    news:p[email protected] cm0f2069983361.cpe.net.cable.rogers.com:

    > On Sat, 05 Jul 2003 23:02:09 -0500, Socks wrote:
    >
    > Bullshitting, Lying, Spam Piece of Shit
    >

    >
    >

    you suppose someone's a tad upset? We don't use language like that on nanae. On nanae we usually use
    the N word when we disagree with people (no, not that N word, the other one that Godwin talks about)

    feel free to look at http://tourdefrance.com and see if you can spot any Tour de France content.

    --
    In either case, the Court cautions Plaintiff's counsel not to run with a sharpened writing utensil
    in hand--he could put his eye out. (147 F.Supp.2d
    668)
     
  4. Inconnu

    Inconnu Guest

    On Sun, 06 Jul 2003 07:55:05 -0500, Socks wrote:

    >
    > you suppose someone's a tad upset? We don't use language like that on nanae. On nanae we usually
    > use the N word when we disagree with people (no, not that N word, the other one that Godwin
    > talks about)
    >
    > feel free to look at http://tourdefrance.com and see if you can spot any Tour de France content.

    My original comments stand

    There is absolutely nothing wrong with the Tour de France official site and all the e-mail contact
    addresses are working

    You are merely attempting to harvest the address of any sucker dumb enough to go to any of the phony
    sites you gave URL/URI addresses for.

    Either that or you are _incredibly_ stupid

    Take your pick
     
  5. Socks

    Socks Guest

    Giving up the right to remain silent, "inconnu"
    <[email protected]> said in
    news:p[email protected]net .cable.rogers.com:

    > On Sun, 06 Jul 2003 07:55:05 -0500, Socks wrote:
    >
    >
    >>
    >> you suppose someone's a tad upset? We don't use language like that on nanae. On nanae we usually
    >> use the N word when we disagree with people (no, not that N word, the other one that Godwin
    >> talks about)
    >>
    >> feel free to look at http://tourdefrance.com and see if you can spot any Tour de France content.
    >
    >
    > My original comments stand
    >
    > There is absolutely nothing wrong with the Tour de France official site and all the e-mail contact
    > addresses are working
    >
    > You are merely attempting to harvest the address of any sucker dumb enough to go to any of the
    > phony sites you gave URL/URI addresses for.
    >
    > Either that or you are _incredibly_ stupid
    >
    > Take your pick
    >
    >

    THAT'S what you're so outraged about. Well, if I'm stupid, maybe you can explain this:

    This is the Postfix program at host smtp3.fteb.net.

    I'm sorry to have to inform you that the message returned below could not be delivered to one or
    more destinations.

    For further assistance, please send mail to <postmaster>

    If you do so, please include this problem report. You can delete your own text from the message
    returned below.

    The Postfix program

    <[email protected]>: host mx.fr.oleane.com[213.56.30.75] said: 550 5.1.1 <[email protected]>... User unknown

    <[email protected]>: host mx.fr.oleane.com[213.56.30.75] said: 550 5.1.1 <[email protected]>... User unknown

    Reporting-MTA: dns; smtp3.fteb.net
    Arrival-Date: Mon, 7 Jul 2003 15:24:07 +0200 (CEST)

    Final-Recipient: rfc822; [email protected]
    Action: failed
    Status: 5.0.0
    Diagnostic-Code: X-Postfix; host mx.fr.oleane.com[213.56.30.75] said: 550 5.2.1 <[email protected]>... User unknown

    Final-Recipient: rfc822; [email protected]
    Action: failed
    Status: 5.0.0
    Diagnostic-Code: X-Postfix; host mx.fr.oleane.com[213.56.30.75] said: 550 5.3.1 <[email protected]>... User unknown

    It sure looks to me like the mandatory postmaster and abuse addresses are not in fact working.

    --
    In either case, the Court cautions Plaintiff's counsel not to run with a sharpened writing utensil
    in hand--he could put his eye out. (147
    F.Supp.2d 668)
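
The bounce quoted above is a delivery status notification, and its per-recipient fields can be checked mechanically for rejected role mailboxes. This is an added example, not part of the original post; the message, host names and addresses in it are constructed placeholders.

```python
import email

# Reserved role local-parts discussed in the thread (postmaster, abuse).
ROLE_MAILBOXES = {"postmaster", "abuse"}

# Constructed sample DSN (multipart/report); not the bounce from the thread.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mta.example
To: reporter@sender.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at host mta.example.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mta.example
Arrival-Date: Mon, 7 Jul 2003 15:24:07 +0200 (CEST)

Final-Recipient: rfc822; Postmaster@site.example
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 <Postmaster@site.example>... User unknown

Final-Recipient: rfc822; abuse@site.example
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 <abuse@site.example>... User unknown

Final-Recipient: rfc822; info@site.example
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 <info@site.example>... User unknown

--b1--
"""


def parse_recipients(raw_dsn):
    """Return one dict per Final-Recipient block of a delivery status report."""
    msg = email.message_from_string(raw_dsn)
    recipients = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        payload = part.get_payload()
        if not isinstance(payload, list):
            continue  # malformed report: no header blocks were parsed
        for block in payload:
            final = block.get("Final-Recipient")
            if final is None:
                continue  # per-message block (Reporting-MTA, Arrival-Date)
            _addr_type, _, address = final.partition(";")
            recipients.append({
                "address": address.strip(),
                "action": (block.get("Action") or "").strip().lower(),
                "status": (block.get("Status") or "").strip(),
                "diagnostic": (block.get("Diagnostic-Code") or "").strip(),
            })
    return recipients


def failed_role_mailboxes(raw_dsn):
    """Map each domain to the role mailboxes that were permanently rejected."""
    failed = {}
    for rcpt in parse_recipients(raw_dsn):
        local, _, domain = rcpt["address"].rpartition("@")
        permanent = rcpt["action"] == "failed" and rcpt["status"].startswith("5.")
        # The local part is compared case-insensitively, as for "postmaster".
        if permanent and local.lower() in ROLE_MAILBOXES:
            failed.setdefault(domain.lower(), []).append(local.lower())
    return {domain: sorted(roles) for domain, roles in failed.items()}


if __name__ == "__main__":
    for domain, roles in failed_role_mailboxes(SAMPLE_DSN).items():
        print(f"{domain}: role mailboxes rejected: {', '.join(roles)}")
```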
     
  6. Inconnu

    Inconnu Guest

    On Sun, 06 Jul 2003 08:29:59 -0500, Socks wrote:

    > Well, if I'm stupid,

    Yes you are

    > maybe you can
    > explain this:
    >

    See attached - absolutely no problem contacting the Tour de France Official Site. They even have a
    special address for folks who want to test the connection /and/or permissions, which I used below

    From [email protected] Mon Jul 7 09:53:51 2003
    Date: Mon, 7 Jul 2003 12:49:34 +0200 (CEST)
    From: Echo de Messagerie <[email protected]>
    To: inconnu <[email protected]>
    Subject: [Echo de Message] Votre message a [email protected]

    Dear Sir or Madam,

    You sent a message to the address <[email protected]>. Below is the message as we received it. In
    particular, check that the addresses in the envelope and in the body of the message are correct.

    Sender:

    envelope: [email protected]
    header: inconnu <[email protected]>

    The Echo de Messagerie robot of NIC France.

    --------oooooooo00000000ooooooooo---------

    >From [email protected] Mon Jul 7 12:49:34 2003
    Received: from relay4.nic.fr (pipo.nic.fr [192.134.4.25]) by maya20.nic.fr (8.12.4/8.12.4) with ESMTP id h67AnYu91457553 for <[email protected]>; Mon, 7 Jul 2003 12:49:34 +0200 (CEST)
    Received: from localhost (localhost [127.0.0.1]) by relay4.nic.fr (Postfix) with ESMTP id C5B32280ED for <[email protected]>; Mon, 7 Jul 2003 12:57:13 +0200 (CEST)
    Received: from relay4.nic.fr ([127.0.0.1]) by localhost (pipo.nic.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10185-09 for <[email protected]>; Mon, 7 Jul 2003 12:57:12 +0200 (CEST)
    Received: from relay2.nic.fr (beta.nic.fr [192.134.4.21]) by relay4.nic.fr (Postfix) with ESMTP id CE0DB280DE for <[email protected]>; Mon, 7 Jul 2003 12:57:12 +0200 (CEST)
    Received: from cpe0050da66e294-cm0f2069983361.cpe.net.cable.rogers.com (CPE0050da66e294-CM0f2069983361.cpe.net.cable.rogers.com [24.112.62.31]) by relay2.nic.fr (Postfix) with ESMTP id 9EC9CF49C for <[email protected]>; Mon, 7 Jul 2003 12:49:32 +0200 (CEST)
    Received: from cpe0050da66e294-cm0f2069983361.cpe.net.cable.rogers.com (IDENT:[email protected] [127.0.0.1]) by cpe0050da66e294-cm0f2069983361.cpe.net.cable.rogers.com (8.12.8/8.12.8) with ESMTP id h67AnPmM015084 for <[email protected]>; Mon, 7 Jul 2003 06:49:26 -0400
    Received: from localhost ([email protected]) by cpe0050da66e294-cm0f2069983361.cpe.net.cable.rogers.com (8.12.8/8.12.8/Submit) with ESMTP id h67AnPXI015081 for <[email protected]>; Mon, 7 Jul 2003 06:49:25 -0400
    Date: Mon, 7 Jul 2003 06:49:25 -0400 (EDT)
    From: inconnu <[email protected]>
    To: [email protected]
    Subject: Test
    Message-ID: <Pine.[email protected]et.cable.roger>
    MIME-Version: 1.0
    Content-Type: TEXT/PLAIN; charset=US-ASCII
    X-Virus-Scanned: by amavisd-new-pipo

    Test
     
  7. "inconnu" <[email protected]> wrote in message
    news:<[email protected]e.net.cable.rogers.com>...
    > On Sat, 05 Jul 2003 23:02:09 -0500, Socks wrote:
    >
    > Bullshitting, Lying, Spam Piece of Shit
    >

    Are you accusing Socks of lying? Because he(?)'s quite a well-known and respected poster on NANAE --
    not at all the sort who would be lying to us.

    Besides, I just tried the link for myself (as I'm at a cybercafe with direct Internet connection
    (and AFAIK no telephone lines for a dialer to find anyway), it's extremely unlikely that a dialer
    could do *anything* here, much less any harm -- and in any case, any customer-installed software is
    wiped on reboot anyway), and it does *exactly* what Socks said it does...

    Hmmm, maybe inconnu is the spammer?
     
  8. Socks

    Socks Guest

    Giving up the right to remain silent, [email protected] (Robert J Baker) said in
    news:[email protected]:

    > "inconnu" <[email protected]> wrote in message
    > news:<[email protected]e .net.cable.rogers.com>...
    >> On Sat, 05 Jul 2003 23:02:09 -0500, Socks wrote:
    >>
    >> Bullshitting, Lying, Spam Piece of Shit
    >>

    >
    > Are you accusing Socks of lying? Because he(?)'s quite a well-known and respected poster on NANAE
    > -- not at all the sort who would be lying to us.
    >

    it's he.

    > Besides, I just tried the link for myself (as I'm at a cybercafe with direct Internet connection
    > (and AFAIK no telephone lines for a dialer to find anyway), it's extremely unlikely that a dialer
    > could do *anything* here, much less any harm -- and in any case, any customer-installed software
    > is wiped on reboot anyway), and it does *exactly* what Socks said it does...
    >
    > Hmmm, maybe inconnu is the spammer?

    thanks robert.

    every news froup has its kook. maybe I found rbr's.

    fyi - i went looking for non standard addresses on letour.fr and couldn't find any on their website.
    i'm not sure which ones inconnu tested and found to be working, since obviously abuse and postmaster
    are not. only addr listed when i did a whois on ripe was their upstream at oleane. That didn't
    bounce, so I expect the problem to get sorted out. They'll need to request delisting from
    rfc-ignorant when they fix their bugs.

    This was a weird response to an attempt to tip them off to a piracy problem though. I thought
    Canadians were more relaxed than that.

    great breakaway today. Pity Finot couldn't hold it.

    --
    In either case, the Court cautions Plaintiff's counsel not to run with a sharpened writing utensil
    in hand--he could put his eye out. (147 F.Supp.2d
    668)
     
  9. inconnu wrote:
    >
    > On Sun, 06 Jul 2003 07:55:05 -0500, Socks wrote:
    >
    > >
    > > you suppose someone's a tad upset? We don't use language like that on nanae. On nanae we usually
    > > use the N word when we disagree with people (no, not that N word, the other one that Godwin
    > > talks about)
    > >
    > > feel free to look at http://tourdefrance.com and see if you can spot any Tour de France content.
    >
    > My original comments stand
    >
    > There is absolutely nothing wrong with the Tour de France official site and all the e-mail contact
    > addresses are working
    >
    > You are merely attempting to harvest the address of any sucker dumb enough to go to any of the
    > phony sites you gave URL/URI addresses for.
    >
    > Either that or you are _incredibly_ stupid
    >
    > Take your pick

    ummmmmmmmmm.. dood... I would be careful here.

    The poster known as Socks is one of the most vicious spam-fighters I have had the pleasure of
    communicating with. They are NOT attempting to harvest addys or sites, they ARE simply trying to
    warn people of a possible problem.

    Joe
    --
    #----------------------------------------------------------#
    # Penguinix Consulting                                     #
    #----------------------------------------------------------#
    # Software development, QA and testing.                    #
    # Linux support and training.                              #
    # "Don't fear the penguin!"                                #
    #----------------------------------------------------------#
    # Registered Linux user: #309247 http://counter.li.org     #
    #----------------------------------------------------------#
     
  10. Spamless

    Spamless Guest

    In article <[email protected]>, Socks wrote:
    > The Tour De France started yesterday. Today I wanted to check on results. Not remembering the URL
    > for the official tour site, I tried http://tourdefrance.com
    >
    > Surprise, no Tour information anywhere on the site. What it tried to do instead is get me to
    > download and install some software from <a
    > href="http://217.76.135.56/[email protected]_uk"> No explanation on the site of what the
    > software did or why I should trust them enough to let them install it on my system.

    It does have a Tour de France related *swf file (http://tourdefrance.com/introfr2.swf) which just
    shows five items (enter in French, English, German, Spanish and Italian, I think) which invoke:

    http://217.76.135.56/[email protected]_gb
    http://217.76.135.56/[email protected]_es
    http://217.76.135.56/[email protected]_fr
    http://217.76.135.56/[email protected]_de
    http://217.76.135.56/[email protected]_it

    Not quite the location of the dialer.

    ======================================================================
    The URL: "http://217.76.135.56/[email protected]_uk" ... well, it depends on the referer ...

    If there is NO Referer: header at all, you get a redirect to:

    HTTP/1.1 302 Object moved Location: http://dialer.eurodialer.com/18452/videochat.exe
    (dialer.eurodialer.com has address 193.110.146.69)

    (58968 byte UPX executable - decompresses to 119384 bytes)

    But that is not what you get.

    If there is a Referer: header, even if it is just: "Referer:" (with no referrer actually listed) you
    get a redirect to:

    HTTP/1.1 302 Object moved Location: http://01.sharedsource.org/exe/@tour_ww.exe
    (01.sharedsource.org has address 62.175.241.134)

    (24064 executable. Attempting to run "upx -d" on it gets: "CantUnpackException: file is
    modified/protected"
    - it does not give a "not packed by UPX" message)
    =======================================================================

    On the other hand, the others (e.g. http://217.76.135.56/[email protected]_gb) just get the
    videochat.exe (no matter what the referrer).
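
The Referer-dependent redirect described in the post above matters when collecting a sample for analysis, because a fetch without a Referer header can return a different file than a browser visit does. The following is an added example, not part of the original thread, that compares captured response heads per probe and reports when the redirect target depends on the Referer; the URL, host names and captures are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed captures: the response head recorded for the same URL under
# three Referer conditions. Host names are placeholders.
PROBE_URL = "http://landing.example/get?id=tour_uk"
CAPTURES = {
    "no-referer": (
        "HTTP/1.1 302 Object moved\r\n"
        "Location: http://files-a.example/18452/videochat.exe\r\n\r\n"
    ),
    "empty-referer": (
        "HTTP/1.1 302 Object moved\r\n"
        "Location: http://files-b.example/exe/tour_ww.exe\r\n\r\n"
    ),
    "site-referer": (
        "HTTP/1.1 302 Object moved\r\n"
        "Location: http://files-b.example/exe/tour_ww.exe\r\n\r\n"
    ),
}


def parse_response_head(raw):
    """Parse a raw HTTP response head into a status code and header dict."""
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]), "headers": headers}


def redirect_target(request_url, raw_head):
    """Return the absolute redirect target, or None if not a redirect."""
    resp = parse_response_head(raw_head)
    location = resp["headers"].get("location")
    if resp["status"] in REDIRECT_CODES and location:
        return urljoin(request_url, location)  # resolves relative Locations
    return None


def referer_cloaking_report(request_url, captures):
    """Group probe labels by redirect target; more than one group means
    the server answers differently depending on the Referer header."""
    by_target = defaultdict(list)
    for label, raw_head in captures.items():
        by_target[redirect_target(request_url, raw_head)].append(label)
    return {
        "cloaked": len(by_target) > 1,
        "targets": {t: sorted(labels) for t, labels in by_target.items()},
    }


if __name__ == "__main__":
    report = referer_cloaking_report(PROBE_URL, CAPTURES)
    print("Referer-dependent redirect:", report["cloaked"])
    for target, labels in report["targets"].items():
        print(f"  {target} <- {', '.join(labels)}")
```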
     
  11. Davide Tosi

    Davide Tosi Guest

    Socks <[email protected]> wrote:

    >It sure looks to me like the mandatory postmaster and abuse addresses are not in fact working

    Being in France, they probably have french names for it. Remember that in France non-french names
    are forbidden for anything having legal value. For instance, for them a PC is an "ordinateur" and so
    on. So probably postmaster is "maitre de poste" or something similar.
     
  12. Socks

    Socks Guest

    Giving up the right to remain silent, [email protected] (Davide Tosi) said in
    news:[email protected]:

    > Socks <[email protected]> wrote:
    >
    >>It sure looks to me like the mandatory postmaster and abuse addresses are not in fact working
    >
    > Being in France, they probably have french names for it. Remember that in France non-french names
    > are forbidden for anything having legal value. For instance, for them a PC is an "ordinateur" and
    > so on. So probably postmaster is "maitre de poste" or something similar.
    >

    I considered that possibility, although the obvious solution would be a functional alias file.
    They're running Apache 1.3.19 on a unix box, so they should have sendmail as part of the standard
    distro which includes postmaster and abuse defaults on the alias. I plugged postmaster into
    babelfish and got back postmaster as the french. letour has not registered an alternative address
    with abuse.net. So that leads me to my [paper] french-english dictionary, which doesn't believe that
    the word exists.

    I took a shot at abus [at] letour.fr and maitredeposte [at] letour.fr based on your suggestion. They
    bounced too, so even in French they're violating 2821 and 2142.

    fsck it. I'm trying to alert them to a possible pirate using their name to scam their fans into
    downloading a dialer, and they're doing their best to stay incommunicado. Maybe if enough places are
    using rfc-ignorant to block mail their nomination there will catch their attention. Then they'll be
    mildly curious as to how they got onto the database, and look at the record. I've given it my best
    shot and don't think it's worth the added worry any more.

    --
    In either case, the Court cautions Plaintiff's counsel not to run with a sharpened writing utensil
    in hand--he could put his eye out. (147
    F.Supp.2d 668)
     
  13. Socks ([email protected]) wrote to news.admin.net-abuse.email on Monday 07 July 2003 01:13 in
    message <[email protected]>:

    > fsck it. I'm trying to alert them to a possible pirate using their name to scam their fans into
    > downloading a dialer,

    On the whole, the French have only just started discovering what the Internet is about thanks to
    France Telecom plugging the minitel well into the late '90s and basically impeding development of
    the internet.

    You'd be surprised how many French companies/institutions will contact a service provider and say
    words to the effect of "Just do it. It looks good to have a website but I don't want to know about
    it" because they're still practically scared of the Internet. You'd also be surprised how many non
    Internet-users still think of the Internet as an almost exclusive pr0n distribution service.

    In this case, I'm sure Oleane is doing absolutely everything for the Tour de France, so maybe
    contacting *them* at hostmaster (at) oleane (dot) net is the thing to do here.

    --
    G. Stewart -- Remove .YOUR_KNICKERS to reply. Spamcop user, not an official - Registered Linux user
    #284683 DO NOT WRITE HERE: [email protected], [email protected]
    ---------------------------------------------------------------
    Mary had a little lamb which walked into a pylon Ten thousand volts went up its @$$ and turned its
    fleece to nylon
     
  14. Socks

    Socks Guest

    "inconnu" <[email protected]> wrote in message
    news:<[email protected]net.cable.rogers.com>...
    > On Sun, 06 Jul 2003 08:29:59 -0500, Socks wrote:
    >
    > > Well, if I'm stupid,
    >
    > Yes you are
    >
    > > maybe you can
    > > explain this:
    > >
    >
    > See attached - absolutely no problem contacting the Tour de France Official Site. They even have a
    > special address for folks who want to test the connection /and/or permissions, which I used below
    >

    uh - want to show me ANY address in the message below that belongs to letour.fr? nic.fr != letour.fr

    I'm still waiting for an explanation of why I got 550's from abuse (RFC 2142) and postmaster
    (RFC 2821)

    RFC 2821 section 4.5.1

    4.5.1 Minimum Implementation

    . . .

    Any system that includes an SMTP server supporting mail relaying or delivery MUST support the
    reserved mailbox "postmaster" as a case-insensitive local name.

    (and no, maitredeposte didn't work either)

    feel free to shoot the messenger. Download the trojan. Use it to your heart's content. And if this
    is the best you can come up with, I'm not going to waste further time with you

    > From [email protected] Mon Jul 7 09:53:51 2003
    > Date: Mon, 7 Jul 2003 12:49:34 +0200 (CEST)
    > From: Echo de Messagerie <[email protected]>
    > To: inconnu <[email protected]>
    > Subject: [Echo de Message] Votre message a [email protected]
    >
    > Dear Sir or Madam,
    >
    > You sent a message to the address <[email protected]>. Below is the message as we received it. In
    > particular, check that the addresses in the envelope and in the body of the message are correct.
    >
    > Sender:
    >
    > envelope: [email protected]
    > header: inconnu <[email protected]>
    >
    > The Echo de Messagerie robot of NIC France.
    >
    > --------oooooooo00000000ooooooooo---------
    >
    > >From [email protected] Mon Jul 7 12:49:34 2003
    > Received: from relay4.nic.fr (pipo.nic.fr [192.134.4.25]) by maya20.nic.fr (8.12.4/8.12.4) with ESMTP id h67AnYu91457553 for <[email protected]>; Mon, 7 Jul 2003 12:49:34 +0200 (CEST)
    > Received: from localhost (localhost [127.0.0.1]) by relay4.nic.fr (Postfix) with ESMTP id C5B32280ED for <[email protected]>; Mon, 7 Jul 2003 12:57:13 +0200 (CEST)
    > Received: from relay4.nic.fr ([127.0.0.1]) by localhost (pipo.nic.fr [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10185-09 for <[email protected]>; Mon, 7 Jul 2003 12:57:12 +0200 (CEST)
    > Received: from relay2.nic.fr (beta.nic.fr [192.134.4.21]) by relay4.nic.fr (Postfix) with ESMTP id CE0DB280DE for <[email protected]>; Mon, 7 Jul 2003 12:57:12 +0200 (CEST)
    > Received: from cpe0050da66e294-cm0f2069983361.cpe.net.cable.rogers.com (CPE0050da66e294-CM0f2069983361.cpe.net.cable.rogers.com [24.112.62.31]) by relay2.nic.fr (Postfix) with ESMTP id 9EC9CF49C for <[email protected]>; Mon, 7 Jul 2003 12:49:32 +0200 (CEST)
    > Received: from cpe0050da66e294-cm0f2069983361.cpe.net.cable.rogers.com (IDENT:[email protected] [127.0.0.1]) by cpe0050da66e294-cm0f2069983361.cpe.net.cable.rogers.com (8.12.8/8.12.8) with ESMTP id h67AnPmM015084 for <[email protected]>; Mon, 7 Jul 2003 06:49:26 -0400
    > Received: from localhost ([email protected]) by cpe0050da66e294-cm0f2069983361.cpe.net.cable.rogers.com (8.12.8/8.12.8/Submit) with ESMTP id h67AnPXI015081 for <[email protected]>; Mon, 7 Jul 2003 06:49:25 -0400
    > Date: Mon, 7 Jul 2003 06:49:25 -0400 (EDT)
    > From: inconnu <[email protected]>
    > To: [email protected]
    > Subject: Test
    > Message-ID: <[email protected]cpe.net.cable.roger>
    > MIME-Version: 1.0
    > Content-Type: TEXT/PLAIN; charset=US-ASCII
    > X-Virus-Scanned: by amavisd-new-pipo
    >
    > Test
     
  15. Socks wrote:

    >The Tour De France started yesterday. Today I wanted to check on results. Not remembering the URL
    >for the official tour site, I tried http://tourdefrance.com
    >
    >
    >

    Here is a whois on tourdefrance.com so you know who owns the domain name:

    Domain Name................ tourdefrance.com
    Creation Date............ 26/09/2000
    Expiry Date.............. 26/09/2003
    Last Update Date......... 31/03/2003
    Organization Contact Id.... PROP-5974-00043566
    Organization Name........ M. GARCIA
    Organization Org......... M. GARCIA
    Organization Street...... APARTADO DE CORREOS 5, PLAYA DEL INGLES
    Organization City........ GRAN CANARIA
    Organization State....... GRAN CANARIA
    Organization PC.......... 35100
    Organization Country..... ES
    Organization Phone....... 35100
    Organization e-mail...... null
    Administrative Contact Id.. 1180-00022516
    Administrative Name...... M. GARCIA
    Administrative Org....... M. GARCIA
    Administrative Street.... APARTADO DE CORREOS 5
    Administrative City...... PLAYA DEL INGLES
    Administrative State..... GRAN CANARIA
    Administrative PC........ E-35100
    Administrative Country... ES
    Administrative Phone..... +34 629184860
    Administrative e-mail.... MIGUEL[email protected]
    Technical Contact Id....... 1180-00022516
    Technical Name........... M. GARCIA
    Technical Org............ M. GARCIA
    Technical Street......... APARTADO DE CORREOS 5
    Technical City........... PLAYA DEL INGLES
    Technical State.......... GRAN CANARIA
    Technical PC............. E-35100
    Technical Country........ ES
    Technical Phone.......... +34 629184860
    Technical e-mail......... [email protected]

    Domain servers in listed order:

    Name Server............. dns1.servidoresdns.net
    Name Server............. dns2.servidoresdns.net

    Peter.
     
  16. Socks

    Socks Guest

    Giving up the right to remain silent, Peter Boerhof <[email protected]> said in
    news:[email protected]:

    > Socks wrote:
    >
    >>The Tour De France started yesterday. Today I wanted to check on results. Not remembering the URL
    >>for the official tour site, I tried http://tourdefrance.com
    >>
    >>
    >>
    >
    > Here a whois on tourdefrance.com so you know who owns the domainname:
    >
    > Domain Name................ tourdefrance.com

    > Administrative e-mail.... [email protected]

    Now isn't this interesting. I plugged [email protected] into the google usenet search engine, and
    found complaints on a microsoft news group back in January that a site of his had infested someone's
    machine with something suspicious. In that case, it was his gueb.com domain. Still registered to him
    too according to my whois.

    Here is what the analysts at that time said it did:

    > - it is called "@chat es.exe" , made by UDIS tm (Unified dial ... )
    > - it adds the button "erotica" to the IE toolbar
    > - it makes the default homepage "www.gueb.com" (see whois information below)
    > - (obviously it is in spanish)
    > - it creates a folder c:\chat es, containing 2 .ico-files
    > - it placed a chat es.inf file in c:\windows\inf (you can see it at the end of this message)
    >

    Sounds suspiciously like what is on the tourdefrance.com site, although I didn't go as far as
    installing it to see.

    The group of posters discussing it were running Win98. They had directions for uninstalling it
    specific to that OS.

    Also found this about him, on that group:

    seems that the gueb.com guy has been involved in a series of domain name disputes (amongst others
    cristaindior.net)

    http://arbiter.wipo.int/domains/decisions/html/2002/d2002-0583.html

    "In light of the foregoing, the Panel decides that the Domain Name registered by the Respondent is
    identical to the Complainant's trademark, that the Respondent has no rights or legitimate
    interests in respect of the Domain name and that the Domain Name has been registered and is being
    used in bad faith."

    So it shouldn't be too surprising that he would grab the tourdefrance.com domain without permission
    with the intent to defraud.

    Now if we can just catch the attention of letour.fr....

    --
    In either case, the Court cautions Plaintiff's counsel not to run with a sharpened writing utensil
    in hand--he could put his eye out. (147
    F.Supp.2d 668)
     
  17. BilieBob

    BilieBob Guest

    > On Tue, 08 Jul 2003 Socks wrote:

    > (snipped)

    Man oh Man!!

    You go on and on like a dripping tap.

    You know nothing and seem to be trying to show off to a bunch of bikies by attempting to deceive them into believing that you do.

    Go back and read your ~Internet for Dummies~

    That fellow that called your bluff originally had you pegged correctly. And from the posts he was making, it seems like he knew the score right off the bat.

    He even gave you the contact address for letour.fr but you spouted some derogatory verbiage effectively calling him a liar.

    If you had had enough brains to do a whois you would have had the contact addresses yourself.

    The address for internet matters for letour.fr is:

    Tests: [email protected]
    Abuse: [email protected]

    But don't waste your time. They will not be interested.

    And if you were as smart as you say you are, you would have resolved laplata.com and tourdefrance.com, as I'm sure that inconnu bloke had done, and determined that they, and several other URLs that can be obtained by unassembling videochat.exe, all give the same IP - 217.76.134.241
     