I am a T-Mobile MVNO end-user in Portland, Oregon. I have been a
customer since 2004 and during the past year of service increasingly
find myself baffled by evidence of odd network interactions with my
handset. The most recent of such is detailed here, in hopes that you
will provide me with an explanation.
On 3 January 2006, I launched t-zones using my Siemens CF62T phone
(User-Agent: SIE-CF62/95, Profile/MIDP-1.0, Configuration/CLDC-1.0,
Browser component 1.3.0.28, Openwave version 6.1.0.7.3).
The browser was configured prior to this mobile web session (Menu > [8]
More... > [2] Settings > [4] Start with... > Resume) to open the last
page visited. When, instead, the t-zones Homepage for T-Mobile To Go
[<wap.myvoicestream.com/>] was loaded, I consulted the stored
page history (Menu > [4] Go to...) to see where previously I had been.
It was at this point that I discovered a highly unusual URL at the top
of the browser history; one that obviously was never entered by me--and
that indicates suspicious server-side activity, according to my
knowledge of HTTP and the way content is requested of webservers.
The "Go to..." index indicated that the last visited page had URL
<h·h·g·v·d·a/>.
A page titled <Access Deny> was found when going to this page. It
read:
--------------------------------------------------
Retry
You do not have access rights to this site
URL=
h%02h%02g%02v%01d%01a/
Status-20(hex)
Details
--------------------------------------------------
As you will surely note, this URL does not follow the conventions of
DNS for the web. If you are unable to view the characters that separate
the
five (5) letters, <h> <h> <g> <v> <d> and <a> in my citation of this
suspicious URL, above, the escaped-encoded (or percent-encoded)
representation of the character string is:
<h%02h%02g%02v%01d%01a/>
This interpretation consists of the percentage character (%) followed
by the two hexadecimal digits representing the octet code of the
original US-ASCII characters.
And, in fact, this same representation is included as reference in the
page itself, on line 4.
The first and the sixth lines of the page contain hyperlinks;
unfortunately, the browser for my phone does not include source text
necessary for debugging these links. However, I can tell you that
selecting <Retry> just brings up the same content, without change. And
that following the <Details> link results in a page that reads:
--------------------------------------------------
Access Deny
010910091| - You are
not allow to access
this site
--------------------------------------------------
Not only would it be impossible for me to enter the "middle dot"
characters that are included in this URL, there is no possibility
whatsoever of anyone using my phone to create this record.
Can anyone clue me in to the meaning of this trace of activity?
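As an added illustration of the decoding described in the post above (not code from the post or its author), this script percent-decodes the quoted history entry, names the control bytes hidden between the visible letters, and checks the result against the letter-digit-hyphen rule that every DNS hostname label must obey. The sample string is the one quoted in the post; the helper names are my own.

```python
"""Decode a percent-encoded URL and flag bytes that no DNS hostname may contain."""
import re
from urllib.parse import unquote_to_bytes

# The history entry exactly as quoted in the post above.
SUSPICIOUS_URL = "h%02h%02g%02v%01d%01a/"

# RFC 1123 "letter, digit, hyphen" label: 1-63 characters, no leading or trailing hyphen.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Names for the C0 controls seen in the sample; anything else is reported as "CTRL".
C0_NAMES = {0x00: "NUL", 0x01: "SOH", 0x02: "STX", 0x0A: "LF", 0x0D: "CR", 0x7F: "DEL"}


def decode_percent(url: str) -> bytes:
    """Undo percent-encoding: each %XX becomes the octet XX, everything else passes through."""
    return unquote_to_bytes(url)


def control_bytes(url: str) -> list:
    """Return (offset, octet, name) for every control byte hidden behind a %XX escape."""
    found = []
    for offset, octet in enumerate(decode_percent(url)):
        if octet < 0x20 or octet == 0x7F:
            found.append((offset, octet, C0_NAMES.get(octet, "CTRL")))
    return found


def is_valid_hostname(host: str) -> bool:
    """True only if every dot-separated label obeys the LDH rule and the name is <= 253 chars."""
    host = host.rstrip(".")
    if not host or len(host) > 253:
        return False
    return all(LDH_LABEL.match(label) for label in host.split("."))


def inspect_url(url: str) -> dict:
    """Summarise what the host part really contains and whether a resolver could ever look it up."""
    host = decode_percent(url).split(b"/", 1)[0].decode("latin-1")
    visible = "".join(ch for ch in host if ch.isprintable())
    return {
        "host": host,                    # raw host part, control bytes included
        "visible": visible,              # what a display that drops controls shows
        "controls": control_bytes(url),
        "valid_hostname": is_valid_hostname(host),
    }


if __name__ == "__main__":
    report = inspect_url(SUSPICIOUS_URL)
    for offset, octet, name in report["controls"]:
        print(f"offset {offset}: 0x{octet:02X} ({name})")
    print("visible letters:", report["visible"], "| valid hostname:", report["valid_hostname"])
```

Run against the quoted entry it reports STX (0x02) and SOH (0x01) at the positions where the phone drew middle dots, and confirms that no resolver could accept the string as a hostname.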
elint - 08 Jan 2007 03:08 GMT
> I am a T-Mobile MVNO end-user in Portland, Oregon. I have been a
> customer since 2004 and during the past year of service increasingly
[quoted text clipped - 66 lines]
>
> Can anyone clue me in to the meaning of this trace of activity?
Appears to be 204.204.204.204 (sprint.net)
noreply@nittmann.us - 19 Jan 2007 13:48 GMT
As a consultant I frequently recommend that customers filter web site
access to eliminate hackers.
A hacker will come from a compromised system, or from an 'obscured' IP
with no DNS attached.
The 'obscured' ones are the ones eliminated, the taken over bots of
course say who they are.
This means on some sites, if your network address does not have reverse
DNS, then the site won't let you access anything.
t-mobile US has a grossly misconfigured Internet communication system:
they are sending from non-existent domains.
While their domains are registered with some registrar, there is no DNS
service for these domains.
Even the DNS servers listed in the domain registrations for tmomail.net
(that's the originating domain for email/pictures/sms from your
t-mobile phone), and, get this:
t-mobilesupport.com
That means messages from my phone cannot reach most (reasonable)
destinations, due to NXDOMAIN.
I cannot send sms to alltel, I cannot send to anyone who has not opened
up their mail server for spam by unconfiguring normal smtp header
checks (HELO/EHLO, sending system IP and domain).
Keep in mind: the new label t-mobile comes from new majority
stockholders.
It is the same idiots who run the company! Especially so, it seems, the
technical / Internet part.
No 'German quality' here in t-mobile US.
You can check for tmomail.net and t-mobilesupport.com using any web
site that provides DNS tools.
Here are my results (verifiable from anywhere):
tmomail.net:
domain registrar (godaddy, go figure.....) lists the following name
servers for that domain:
Domain servers in listed order:
PDNS3.ULTRADNS.ORG
PDNS6.ULTRADNS.CO.UK
PDNS5.ULTRADNS.INFO
PDNS2.ULTRADNS.NET
PDNS1.ULTRADNS.NET
PDNS4.ULTRADNS.ORG
None of these know about tmomail.net:
hquer:~ # for i in PDNS3.ULTRADNS.ORG PDNS6.ULTRADNS.CO.UK PDNS5.ULTRADNS.INFO PDNS2.ULTRADNS.NEt PDNS1.ULTRADNS.NET PDNS4.ULTRADNS.ORG ;
do nslookup tmomail.net $i; done
Server: PDNS3.ULTRADNS.ORG
Address: 199.7.68.1#53
*** Can't find tmomail.net: No answer
Server: PDNS6.ULTRADNS.CO.UK
Address: 204.74.115.1#53
*** Can't find tmomail.net: No answer
Server: PDNS5.ULTRADNS.INFO
Address: 204.74.114.1#53
*** Can't find tmomail.net: No answer
Server: PDNS2.ULTRADNS.NEt
Address: 204.74.109.1#53
*** Can't find tmomail.net: No answer
Server: PDNS1.ULTRADNS.NET
Address: 204.74.108.1#53
*** Can't find tmomail.net: No answer
Server: PDNS4.ULTRADNS.ORG
Address: 199.7.69.1#53
*** Can't find tmomail.net: No answer
And the greatest joke of all: you won't see their support answers
unless you
- own your mail server and can fish it out of the 'hold' queue
- receive mail on a spam friendly server that accepts anything with
fake headers
t-mobilesupport.com registered DNS servers:
Domain servers in listed order:
NS1-AUTH.SPRINTLINK.NET
PRODNS03.VOICESTREAM.COM
and asking them for t-mobilesupport.com:
hquer:~ # for i in NS1-AUTH.SPRINTLINK.NET PRODNS03.VOICESTREAM.COM ;
do nslookup t-mobilesupport.com $i; done
Server: NS1-AUTH.SPRINTLINK.NET
Address: 206.228.179.10#53
*** Can't find t-mobilesupport.com: No answer
;; connection timed out; no servers could be reached
.... not done by t-mobile US, just to show how it should look
correctly:
t-mobile.com:
listed name servers:
Name Server: NS1-AUTH.SPRINTLINK.NET
Name Server: PRODNS03.VOICESTREAM.COM
and checking if t-mobile.com exists at all:
hquer:~ # for i in NS1-AUTH.SPRINTLINK.NET PRODNS03.VOICESTREAM.COM ;
do nslookup t-mobile.com $i; done
Server: NS1-AUTH.SPRINTLINK.NET
Address: 206.228.179.10#53
Name: t-mobile.com
Address: 65.161.188.152
;; connection timed out; no servers could be reached
... and you are right, that address is a sprintlink address,
with no reverse DNS configured....
That's why this does not work!
Don't forget: the corporate label can change, but it is still the same
idiots who did bad quality before, who continue on under the new
corporate label.
t-mobile took over a couple of ailing/failing/nonperforming US
providers.
Well, if you pick up the trash others leave, then that's what you get.
I am amazed that t-mobile does not verify quality here around....
I will switch for sure
Mike
elint wrote:
> > I am a T-Mobile MVNO end-user in Portland, Oregon. I have been a
> > customer since 2004 and during the past year of service increasingly
[quoted text clipped - 68 lines]
> >
> Appears to be 204.204.204.204 (sprint.net)
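Mike's check above loops nslookup over every name server the registrar lists and reads the transcript by eye. The following added example (my code, not Mike's or T-Mobile's) parses a transcript in that same nslookup output format and reports, per delegated server, whether it answered, said "No answer", or never replied, which is the check a zone owner would script to catch the misconfiguration he describes. The transcript below is constructed to mirror the post's format: the server names are the ones he lists, while the domain example-carrier.test and the address 192.0.2.10 are placeholders.

```python
"""Parse nslookup transcripts like those in the post and grade each delegated name server."""
import re

# Constructed transcript in nslookup's format: one "No answer", one real answer, one timeout.
SAMPLE_TRANSCRIPT = """\
Server:\t\tPDNS3.ULTRADNS.ORG
Address:\t199.7.68.1#53
*** Can't find example-carrier.test: No answer
Server:\t\tNS1-AUTH.SPRINTLINK.NET
Address:\t206.228.179.10#53
Name:\texample-carrier.test
Address: 192.0.2.10
;; connection timed out; no servers could be reached
"""
# Name servers the registrar lists for the zone; the third never replied (the timeout line).
LISTED_NS = ["PDNS3.ULTRADNS.ORG", "NS1-AUTH.SPRINTLINK.NET", "PRODNS03.VOICESTREAM.COM"]

SERVER_RE = re.compile(r"^Server:\s+(\S+)")
ADDRESS_RE = re.compile(r"^Address:\s+(\S+)")
NOANSWER_RE = re.compile(r"^\*\*\* Can't find \S+: (.+)$")
TIMEOUT_RE = re.compile(r"^;; connection timed out")


def parse_nslookup(transcript: str) -> list:
    """Split a concatenated nslookup transcript into one record per queried server."""
    records, current = [], None
    for line in (raw.strip() for raw in transcript.splitlines()):
        if m := SERVER_RE.match(line):
            current = {"server": m.group(1), "server_ip": None, "status": "pending", "answer": None}
            records.append(current)
        elif TIMEOUT_RE.match(line):            # nslookup got nothing back from this server
            records.append({"server": None, "server_ip": None, "status": "timeout", "answer": None})
            current = None
        elif current and (m := ADDRESS_RE.match(line)):
            if current["server_ip"] is None:    # first Address: is the server itself
                current["server_ip"] = m.group(1).split("#")[0]
            else:                               # a second Address: is the answer for the name
                current["answer"], current["status"] = m.group(1), "answered"
        elif current and (m := NOANSWER_RE.match(line)):
            current["status"] = m.group(1).lower()   # e.g. "no answer" or "nxdomain"
    return records


def delegation_report(listed_ns: list, records: list) -> dict:
    """Map each registrar-listed NS to its status; a listed NS with no record is a timeout."""
    by_name = {r["server"].upper(): r["status"] for r in records if r["server"]}
    return {ns: by_name.get(ns.upper(), "timeout") for ns in listed_ns}


def zone_is_served(report: dict) -> bool:
    """A delegation is healthy only when every listed server answers with data."""
    return all(status == "answered" for status in report.values())
```

Feed it the concatenated output of a loop like Mike's (`for i in ...; do nslookup domain $i; done`) together with the registrar's NS list, and any server graded "no answer" or "timeout" is a delegation that needs fixing before other sites' reverse-DNS or HELO checks will let the domain's mail through.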