Some 'infringement notices' arrived in our abuse folder this week.
Instead of pressing the DEL key I've been investigating some of these.
I have obfuscated some of the following abuse notice:
Notice of Claimed Infringement - Case ID XX
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Notice ID:   XX
Notice Date: 2021-07-20TXX:XX:XXZ
ISP PARENTCO INC.
Dear Sir or Madam:
 
I cert.ify und.er pena.lty of per.jury that I am au.thoriz.ed to ac.t on beh.alf of the Vi@c_omC?S Inc. compa.nies C?S Broa.dcasting Inc., CB? Stu?dios Inc., Para_mount Pi_ctures Corpora_tion, Sh-ow-time Netw-orks Inc., Vi com Intern-ational, Inc., and oth.er V-i-@-c-omC-B-S Inc. subsid.iaries and affil.iates (collecti.vely, the "Rig.hts Own.ers"), th.e ow.ners o.f cert.ain exclu.sive inte.llectual prop.erty ri.ghts in the cop.yrighted wo.rk(s) ident.ified in this noti.ce. I h.ave a go.od fai.th bel.ief th.at the inform.ation in this not.ice is accu..rate.
BS BS BS BS BS and more BS
 
OK, so let's see how they send these notices.
Spin up a clean Win10 instance, install v2.84 and see what happens:
paste in the infohash reported...
Some 100% seeders look good... some partials with bi-directional traffic, and some SCUMBAG IPs "lurking" with NO FILES!
This is an Anti-P2P enforcement bot - and again looks like they need two positive hits as evidence.
88.208.201.113 :51500  Location: United Kingdom ISP: F_a_s_t_h_o_s_t_s UK
185.107.94.48  :51500  Location: Netherlands    ISP: N_F_O_r_c_e NL
 
Again more dumbass stupid config, Port 51500 giving the game away on a massive range of their machines.
Probe some of the NL machines:
IP             RDNS                   PORT              P2P_handshake_true
185.107.94.5   185.107.94.5           51500             True
185.107.94.13  185.107.94.13          51500             True
185.107.94.14  185.107.94.14          51500             True
185.107.94.47  185.107.94.47          51500             True
185.107.94.48  185.107.94.48          51500             True
185.107.94.58  185.107.94.58          51500             True
185.107.94.59  185.107.94.59          51500             True
185.107.94.62  185.107.94.62          51500             True
 
This is definitely dodgy AF!
Block it folks!
Tixati IP FILTER FILE:
# f_a_s_t_hosts and nfo_rce
FAASTHSTS:70.35.192.0-70.35.207.255
FAASTHSTS:77.68.32.0-77.68.63.255
FAASTHSTS:79.99.40.0-79.99.47.255
FAASTHSTS:88.208.192.0-88.208.251.255
FAASTHSTS:109.228.0.0-109.228.63.255
FAASTHSTS:213.171.192.0-213.171.223.255
FAASTHSTS:217.174.240.0-217.174.255.255
N_F_O_RCE:185.107.94.0-185.107.95.255
 
Going further, constantly probing these machines for handshakes, I found they often identify differently.
They have gone to significant effort to "hide" the identifiers,
AND it seems this has been here a long time, judging by some of the ANCIENT software versions:
Bitcomet 1.35
uTorrent 3.1.3
Mainline 7.4.1
Transmission 2.61
Azureus 5.2.0
Vuze 5.2.0.1
+more
 
Interesting!
I'm ALWAYS logging...  ;-D
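
For anyone maintaining a range list like the filter file above, the following is an added example (not part of the original post, and not Tixati's own code) that parses the `LABEL:start-end` layout shown there, reports malformed lines instead of silently skipping them, and collapses each range into CIDR blocks for reuse in a firewall. The sample ranges are constructed from documentation address space, the function names are hypothetical, and IPv4-only input is an assumption.

```python
import ipaddress

# Constructed sample in the "LABEL:start-end" layout shown in the post.
SAMPLE_FILTER = """\
# constructed example ranges (RFC 5737 documentation space)
EXAMPLE_A:192.0.2.0-192.0.2.255
EXAMPLE_B:198.51.100.16-198.51.100.47
this line is malformed
EXAMPLE_C:203.0.113.9-203.0.113.1
"""

def parse_filter(text):
    """Return (rules, errors); rules are (label, first, last) tuples."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        label, sep, span = line.partition(":")
        first, dash, last = span.partition("-")
        try:
            if not sep or not dash:
                raise ValueError("expected LABEL:start-end")
            lo = ipaddress.IPv4Address(first.strip())
            hi = ipaddress.IPv4Address(last.strip())
            if lo > hi:
                raise ValueError("range start is above range end")
        except ValueError as exc:  # also catches AddressValueError
            errors.append((lineno, str(exc)))
            continue
        rules.append((label.strip(), lo, hi))
    return rules, errors

def match(rules, addr):
    """Return the label of the first range containing addr, else None."""
    ip = ipaddress.IPv4Address(addr)
    for label, lo, hi in rules:
        if lo <= ip <= hi:
            return label
    return None

def to_cidrs(rules):
    """Collapse every inclusive range into the minimal list of CIDR blocks."""
    out = []
    for _, lo, hi in rules:
        out.extend(str(n) for n in ipaddress.summarize_address_range(lo, hi))
    return out
```

A range that is not aligned to a single prefix, such as the constructed `EXAMPLE_B` entry, expands to more than one CIDR block, which is worth checking before pasting the result into a firewall rule set.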