Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

Fake torrents showing up

p2p news / p2pnet:- About 50 new torrents of The Wedding Crashers, Charlie and the Chocolate Factory, and the first three The OC have been released from what myBittorrent admin Rex calls "fake" trackers (~31 in total).

Is it part of a plan to infiltrate the BitTorrent community with intentionally corrupt files? Slyck thinks so.

The titles are “specifically designed to report false information to trackers, thereby gaining artificially inflated popularity” and, “In a very short period of time, these false torrents have become most of my top downloads,” it has Rex saying. “I’ve never seen anything else before like it.”

Transfers stop at around 97%-98%, says Slyck, going on, “Some titles are published as ‘DVD-rips’ while others are pushed as ‘XviDs’. Others are presented as English or French releases to disguise the origin of the torrent, and to present ‘a diverse array of choices’.”

According to Rex, the torrents originating from false trackers are intentionally reporting false information, says the post.

“For example, a corrupt torrent will report 400 seeds with 3000 leeches. Since the more individuals having a file are indicative of the file’s download speed, it becomes a highly downloaded torrent and aids in its popularity. The ruse is additionally disguised by spreading the torrent release from over 31 different trackers. Interestingly enough, although the identified trackers have different sub domains, they all originate from the same IP address.”

Although myBittorrent has so far been on the sharp end, “these types of corrupt torrents have begun to appear on Mininova as well,” says Slyck, adding:

“Since the threat has been identified, the administration of myBittorrent has begun eliminating any torrent files originating from the identified trackers. At this time, the origins of the attack are unknown. But their initial goal of gaining maximum exposure certainly did work, if only for a short while.”


See:-
Slyck - New Breed of Corrupt Torrent Infiltrates BitTorrent, September 24, 2005


10 Responses to “Fake torrents showing up”

  1. Reader's Write Says:

    And let’s not forget to send the responsible party for that IP address a fake DMCA take down notice to take the fake torrent down off the fake tracker.

    Seriously though, this has got to be about the dumbest way of trying to hose Bit Torrent. Every avid leecher with a modicum of experience recognizes the names of the more popular real trackers and if all of a sudden there’s dozens of new ones, it’s going to be regarded with suspicion. If a torrent is showing 300 seeders and 2000 leechers and only 3 seeds and 20 leechers appear to be connectable, that’s going to raise even more skepticism.

    The only thing this is going to do is clog up things for those who use RSS or some other kind of automated feed to populate their current torrents. In short order default deny filtering will get put in place and the fakes will be ignored.

    I hope this wasn’t Movielabs’ first project, because if it was, it was a total bomb. Box Office Barf-O! The headline in Variety will read:

    Crackjack Hackers’ Blockers Whack Tinseltown’s Fake-O Trackers

  2. Reader's Write Says:

    This was greek to me what you said. tks

  3. Reader's Write Says:

    You should check what movies have been released by what groups, and try to check the NFO that should come with it. Most of the time, groups release in 15mb or 50mb rars. There are also other telltale signs of official releases. You just have to know these things. Practice makes perfect.

  4. Reader's Write Says:

    Well then, in layman’s terms, think of it this way.

    Remember when you used Kazaa, and you’d download a file, and when you’d listen to it, it would be total static, buzz, and general annoyance? That’s basically what’s happening to these torrent files. Except instead of the really annoying static, the download just stops at 97 and 98%, wasting hours of your valuable time.

  5. Reader's Write Says:

    If you go to the Slyck article, you’ll see a text file listing a bunch of bad tracker URLs.

    After DNSing all those URLs, you get 5 IPs.
    85.64.70.229*
    71.130.203.111*
    71.132.6.18*
    206.81.133.67**
    69.236.99.244
    ———————-
    These 5 IPs you should add to your PeerGuardian blocklist (If you don’t know what that is, you should get it at http://peerguardian.sourceforge.net) AND to your firewall because sometimes, trackers will listen on port 80, and if you have Block HTTP unchecked in PeerGuardian, PG will let them through. The firewall will block them all, at whatever port/communication you try with it. To test your firewall, just point your favorite browser to these IPs.

    Those IPs are not in the Blitzed Open Proxy Monitor (http://opm.blitzed.org) database, nor do scans on common proxy ports (80, 8080, 8000, 3128, 1080, 23, 6588) reveal anything.

    More information with the DNS’s and junk at the bottom.
    ———————-
    *
    I starred 85.64.70.229, 71.130.203.111, and 71.132.6.18 because if you point your web browser to them (before you block em), they return a page that says:
    [begin]
    your file may exist elsewhere in the universe
    but alas, not here
    [end]
    ———————-
    **
    I double-starred 206.81.133.67 because something interesting was happening with it.
    If you try to access 206.81.133.67 on your web browser, you get pointed to a web site at http://tracker.thompson-web.org/.
    * Dns resolved 206.81.133.67 to niteshdw.com
    * Dns resolved niteshdw.com to 206.81.133.67

    If you try to resolve tracker.thompson-web.org, you get an IP, and if you resolve that you get perfora.net. A google of “perfora.net” reveals nothing that I can decipher. Perhaps somebody with more knowledge can help me out on this.
    * Dns resolved tracker.thompson-web.org to 82.165.192.100
    * Dns resolved 82.165.192.100 to perfora.net
    * Dns unable to resolve perfora.net

  6. Reader's Write Says:

    To spot these fakes really. They had quite a few on torrentspy.com not long ago.

    The primary means of detecting fakes (assuming video files):-

    (1) The torrent contains only one file which is compressed to .zip or .rar. This screams fake straight away. Most real torrents are multi-part compressed files or just open .avi’s (which are already compressed)

    (2) Ridiculously high seed/downloader numbers, usually 2000/3000 +.
    Although some real torrents can achieve high numbers, generally they never get this high for seeders.

    (3) Remember to look at the user comments associated with it on the torrent site. These usually indicate pretty fast if it’s a fake.
    Such comments usually retort:-

    (a) Download percentage will not go any higher than 90-99% (ie. no one has any of those parts)
    (b) Speed is extremely slow, even though high numbers of reported peers/seeders

    (4) And finally you can check the network information for the tracker to confirm if it’s a faker. First copy the tracker domain/ip address from the torrent site. This will usually be in the form :-

    http://tracker.sladinki007.net:6500/announce

    Now you only need to copy the first part of this address up to the colon character “:” but not including it. For this example that would be “tracker.sladinki007.net”. Then go to this site http://www.all-nettools.com/toolbox . In the first textbox for smart whois, paste that address you copied and press enter or click go.

    This should give you the network info for this tracker. I found most of the fakers on torrentspy.com were from the TrendStep network, which is known for its involvement with fakes and mpaa.

  7. Reader's Write Says:

    I know that perfora.net provides email services to customers using 1and1.com for webhosting.

  8. Reader's Write Says:

    If the number of seeders looks too high and in the comments people complain it stalls at 97%, then you have a fake. The interesting thing is that this looks like an insider’s work, like someone who knows well how torrents work. An efficient system to comment on the files will help a lot.

  9. Reader's Write Says:

    “206.81.133.67
    Skipped because of interesting things happening. See above.”

    2 domains found on 206.81.133.67
    Showing all 2.

    Website
    http://www.Niteshdw.com
    http://www.Niteshdw.net

    Hasn’t niteshdw been around for a long time now? Are you sure this is one of the IPs? Which other domain reversed to this ip?

  10. Reader's Write Says:

    I don’t mean to disparage niteshdw. I visited their EFnet channel, and they seem to be pretty cool people. I’m just reporting the facts. I used the ban trackers list from http://www.mybittorrent.com/bantrackers.txt. Maybe they were innocent and got caught in the net of bad trackers? I don’t know. I told them of my findings, the ball’s in their court now.
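
The checks that responses 1, 5 and 6 describe (single-archive payload, inflated seed counts, reported seeds that cannot be connected to, and many tracker hostnames sharing one IP) can be combined into one filter. This is an added example, not code from the article, Slyck or any commenter; the hostnames, the documentation-range IPs, the field names and the thresholds are constructed assumptions, and DNS answers are supplied as a table so it runs offline.

```python
from collections import defaultdict
from urllib.parse import urlsplit

ARCHIVE_EXT = (".zip", ".rar")

def tracker_host(announce_url):
    """Hostname of an announce URL: no scheme, port or path."""
    return (urlsplit(announce_url).hostname or "").lower()

def shared_ip_clusters(announce_urls, resolved, min_hosts=3):
    """Map each IP to its tracker hostnames, keeping IPs with >= min_hosts names."""
    by_ip = defaultdict(set)
    for url in announce_urls:
        host = tracker_host(url)
        if host in resolved:
            by_ip[resolved[host]].add(host)
    return {ip: sorted(h) for ip, h in by_ip.items() if len(h) >= min_hosts}

def fake_signals(torrent, suspect_ips, resolved, seed_threshold=2000, ratio=10):
    """Return the names of the warning signs a torrent listing shows."""
    signals = []
    files = torrent["files"]
    if len(files) == 1 and files[0].lower().endswith(ARCHIVE_EXT):
        signals.append("single-archive")          # response 6, check (1)
    if torrent["reported_seeds"] >= seed_threshold:
        signals.append("high-seed-count")         # response 6, check (2)
    if torrent["reported_seeds"] > ratio * max(torrent["connectable_seeds"], 1):
        signals.append("seeds-not-connectable")   # response 1
    if resolved.get(tracker_host(torrent["announce"])) in suspect_ips:
        signals.append("tracker-on-shared-ip")    # response 5
    return signals

# Constructed sample data: hostname -> IP table stands in for live DNS lookups.
RESOLVED = {
    "trk1.dyn.example": "192.0.2.10",
    "movies.dyn.example": "192.0.2.10",
    "free.host.example": "192.0.2.10",
    "tracker.community.example": "198.51.100.7",
}
ANNOUNCE_URLS = [f"http://{host}:6500/announce" for host in RESOLVED]
TORRENTS = [
    {"name": "suspect", "announce": "http://trk1.dyn.example:6500/announce",
     "files": ["movie.rar"], "reported_seeds": 3000, "connectable_seeds": 3},
    {"name": "ordinary", "announce": "http://tracker.community.example:6969/announce",
     "files": ["movie.r00", "movie.r01", "movie.nfo"],
     "reported_seeds": 40, "connectable_seeds": 25},
]

if __name__ == "__main__":
    clusters = shared_ip_clusters(ANNOUNCE_URLS, RESOLVED)
    for t in TORRENTS:
        print(t["name"], fake_signals(t, clusters, RESOLVED))
```

A site admin would feed `shared_ip_clusters` the announce URLs from newly submitted torrents and review any IP that suddenly serves several unrelated tracker names before listing them.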
