olliver (Expert Developer)
Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Fri Jun 29, 2007 12:38 pm Post subject: *.hk Pharma spam from Leo...
Leo Kuvayev loves my spamtrap, so it seems...
Headers:
Quote:
Return-Path: <gpj@bouncefm.com>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 29 Jun 2007 08:56:20 -0000
Received: from 94.165.52.59.broad.nc.jx.dynamic.163data.com.cn (EHLO 94.165.52.59.broad.nc.jx.dynamic.163data.com.cn) [59.52.165.94]
by mx0.gmx.net (mx092) with SMTP; 29 Jun 2007 10:56:20 +0200
Received: from [59.52.165.94] by bouncefm.com; Fri, 29 Jun 2007 08:56:20 -0800
From: Lee <gpj@bouncefm.com>
To: <spamtrap>
Subject: check out our bid
Date: Fri, 29 Jun 2007 08:56:20 -0800
Message-ID: <01c7ba2b$5c73ee10$5ea5343b@gpj>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0006_01C7BA6E.6A972E10"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4927.1200
Importance: Normal
(emphasis added by me)
The sender's IP address 59.52.165.94 is on multiple blacklists like Spamcop, Spamhaus' XBL, APEWS and others.
Message body:
Quote:
http ://agreeput.hk
Viagra 10 pills x 100mg $34.49 $3.45 per item 30 pills x 100mg $88.5 $2.95 per item Your save: $15 30 pills x 50mg $60.23 $2.01 per item Your save: $30 60 pills x 50mg $111.65 $1.86 per item Your save: $70 60 pills x 100mg $141 $2.35 per item Your save: $66 10 pills x 50mg $30.22 $3.03 per item 90 pills x 100mg $176.4 $1.96 per item Your save: $134
spam Soft Tabs
10 pills x 100mg $37.94 $3.8 per item 30 pills x 50mg $66.28 $2.21 per item Your save: $34 60 pills x 50mg $123.2 $2.05 per item Your save: $77 10 pills x 50mg $33.25 $3.33 per item 30 pills x 100mg $97.35 $3.25 per item Your save: $16 60 pills x 100mg $155.1 $2.59 per item Your save: $72 90 pills x 100mg $194.04 $2.16 per item Your save: $147
Cialis Soft Tabs 60 pills x 20mg $260.53 $4.34 per item Your save: $136 30 pills x 20mg $131.97 $4.4 per item Your save: $66 90 pills x 20mg $353.62 $3.93 per item Your save: $240 10 pills x 20mg $65.97 $6.6 per item 20 pills x 20mg $109.73 $5.49 per item Your save: $22
Cialis 60 pills x 20mg $180.15 $3 per item Your save: $55 30 pills x 20mg $104.66 $3.49 per item Your save: $13 10 pills x 20mg $39.19 $3.92 per item 20 pills x 20mg $76.68 $3.83 per item Your save: $2 90 pills x 20mg $242.06 $2.69 per item Your save: $111
spam Jelly
90 pills x 100mg $207.9 $2.31 per item Your save: $74 60 pills x 100mg $187.97 $3.14 per item Your save: $1 10 pills x 100mg $30.02 $3 per item Your save: $1 30 pills x 100mg $92.4 $3.08 per item Your save: $1
Levitra 90 pills x 20mg $246.57 $2.74 per item Your save: $1 60 pills x 20mg $164.36 $2.74 per item Your save: $1 30 pills x 20mg $82.01 $2.73 per item Your save: $1 20 pills x 20mg $54.99 $2.75 per item 10 pills x 20mg $27.08 $2.71 per item http ://agreeput.hk
agreeput.hk lists some well known name servers:
Quote:
[olliver@bunkiten ~]$ host -t ns agreeput.hk
agreeput.hk name server ns0.gedsactunjerion.com.
agreeput.hk name server ns0.fionkunjerunhedase.com.
agreeput.hk name server ns0.piotiongandesunkdes.com.
agreeput.hk name server ns0.chitionkdetunlionpsa.com.
Of course the well trained eye immediately recognises Leo Kuvayev's kinky naming convention for name servers. Some of them have already been known for a while:
http://spamtrackers.eu/wiki/index.php?title=Pharmacy_Express
The domain resolves to quite a few IP addresses (that's what *I* call redundancy...).
Quote:
[olliver@bunkiten ~]$ host agreeput.hk
agreeput.hk has address 84.133.37.22
agreeput.hk has address 89.133.46.29
agreeput.hk has address 89.169.143.5
agreeput.hk has address 91.122.80.200
agreeput.hk has address 218.255.211.180
agreeput.hk has address 220.121.183.150
agreeput.hk has address 221.127.229.96
agreeput.hk has address 222.167.199.80
agreeput.hk has address 61.93.56.118
agreeput.hk has address 75.28.97.41
agreeput.hk has address 75.39.219.71
agreeput.hk has address 75.131.200.99
agreeput.hk has address 78.84.159.14
agreeput.hk has address 81.226.63.252
agreeput.hk has address 82.131.51.134
Name servers are shuffled every 5 minutes:
Quote:
[...]
agreeput.hk. 300 IN NS ns0.chitionkdetunlionpsa.com.
agreeput.hk. 300 IN NS ns0.gedsactunjerion.com.
agreeput.hk. 300 IN NS ns0.fionkunjerunhedase.com.
agreeput.hk. 300 IN NS ns0.piotiongandesunkdes.com.
And so are the participating zombies:
Quote:
[...]
agreeput.hk. 300 IN A 59.149.108.166
agreeput.hk. 300 IN A 61.93.56.118
agreeput.hk. 300 IN A 61.217.245.65
agreeput.hk. 300 IN A 70.50.174.120
agreeput.hk. 300 IN A 75.28.97.41
agreeput.hk. 300 IN A 75.131.200.99
agreeput.hk. 300 IN A 81.210.145.95
agreeput.hk. 300 IN A 81.226.63.252
agreeput.hk. 300 IN A 84.245.195.99
agreeput.hk. 300 IN A 87.122.114.164
agreeput.hk. 300 IN A 89.169.143.5
agreeput.hk. 300 IN A 218.255.211.180
agreeput.hk. 300 IN A 220.121.183.150
agreeput.hk. 300 IN A 221.127.239.180
agreeput.hk. 300 IN A 222.167.199.80
Smells like b0tnet, doesn't it?
For the record, here's the fake whois registration:
Quote:
Domain Name: AGREEPUT.HK
Contract Version: HKDNR latest version
Registrant Contact Information:
Holder English Name (It should be the same as your legal name on your HKID card or other relevant documents): MR TIM FLOCK
Holder Chinese Name:
Email: paulabmamayek@iname.com
Domain Name Commencement Date: 13-06-2007
Country: US
Expiry Date: 13-06-2008
Re-registration Status: Complete
Name of Registrar: HKDNR
Account Name: HK1911483T
Technical Contact:
First name: TIM
Last name: FLOCK
Company Name: TIM FLOCK
Name Servers Information:
NS0.FIONKUNJERUNHEDASE.COM
NS0.GEDSACTUNJERION.COM
NS0.PIOTIONGANDESUNKDES.COM
NS0.CHITIONKDETUNLIONPSA.COM
Email remains unmunged, since it can be assumed that Leo Kuvayev loves spam and certainly wants to stay informed about the latest updates from his fellow spammers.
Olliver
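The lookups in this post show the three things the poster reads as botnet ("fast-flux") hosting: a pool of fifteen A records, a 300-second TTL, and a pool that had largely changed between the `host` run and the `dig` run. The Python below is an added example, not code from the thread or from the poster; it parses dig-style answer lines and reports exactly those indicators. The sample records are constructed from the ones quoted above, and the thresholds and the /8-based "distinct networks" count are assumptions chosen for illustration (an ASN lookup would be the proper measure, but that needs network access).

```python
"""Fast-flux indicators from two DNS answer snapshots of the same name.

Added example; not code from the thread or the poster. Thresholds and the
/8-based network count are illustrative assumptions.
"""
import ipaddress

# Constructed from the dig output quoted in the post (the second lookup).
SNAPSHOT_DIG = """\
agreeput.hk. 300 IN NS ns0.chitionkdetunlionpsa.com.
agreeput.hk. 300 IN NS ns0.gedsactunjerion.com.
agreeput.hk. 300 IN NS ns0.fionkunjerunhedase.com.
agreeput.hk. 300 IN NS ns0.piotiongandesunkdes.com.
agreeput.hk. 300 IN A 59.149.108.166
agreeput.hk. 300 IN A 61.93.56.118
agreeput.hk. 300 IN A 61.217.245.65
agreeput.hk. 300 IN A 70.50.174.120
agreeput.hk. 300 IN A 75.28.97.41
agreeput.hk. 300 IN A 75.131.200.99
agreeput.hk. 300 IN A 81.210.145.95
agreeput.hk. 300 IN A 81.226.63.252
agreeput.hk. 300 IN A 84.245.195.99
agreeput.hk. 300 IN A 87.122.114.164
agreeput.hk. 300 IN A 89.169.143.5
agreeput.hk. 300 IN A 218.255.211.180
agreeput.hk. 300 IN A 220.121.183.150
agreeput.hk. 300 IN A 221.127.239.180
agreeput.hk. 300 IN A 222.167.199.80
;; Received 483 bytes from 212.54.29.109#53 in 65 ms
"""

# Constructed from the earlier `host agreeput.hk` output in the post (the first lookup).
SNAPSHOT_HOST = [
    "84.133.37.22", "89.133.46.29", "89.169.143.5", "91.122.80.200",
    "218.255.211.180", "220.121.183.150", "221.127.229.96", "222.167.199.80",
    "61.93.56.118", "75.28.97.41", "75.39.219.71", "75.131.200.99",
    "78.84.159.14", "81.226.63.252", "82.131.51.134",
]


def parse_answer(text):
    """Parse 'owner ttl class type rdata' lines; skip ;; comments and blanks."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or not parts[1].isdigit():
            continue
        records.append({
            "owner": parts[0].rstrip("."),
            "ttl": int(parts[1]),
            "type": parts[3].upper(),
            "rdata": " ".join(parts[4:]),
        })
    return records


def flux_indicators(records, max_ttl=900, min_pool=5, min_networks=4):
    """Summarise the A records of one answer and flag the fast-flux pattern."""
    a_recs = [r for r in records if r["type"] == "A"]
    addrs = {ipaddress.ip_address(r["rdata"]) for r in a_recs}
    ttls = [r["ttl"] for r in a_recs]
    # Distinct /8 blocks as a crude stand-in for "unrelated networks" (assumption).
    networks = {ipaddress.ip_network(f"{a}/8", strict=False) for a in addrs}
    summary = {
        "pool_size": len(addrs),
        "min_ttl": min(ttls) if ttls else None,
        "networks": len(networks),
    }
    summary["suspicious"] = (
        summary["pool_size"] >= min_pool
        and summary["min_ttl"] is not None
        and summary["min_ttl"] <= max_ttl
        and summary["networks"] >= min_networks
    )
    return summary


def pool_churn(old_addrs, new_addrs):
    """Compare two lookups of the same name: how much of the pool was swapped out."""
    old, new = set(map(str, old_addrs)), set(map(str, new_addrs))
    kept = old & new
    return {
        "kept": len(kept),
        "dropped": sorted(old - new),
        "added": sorted(new - old),
        "churn": round(1 - len(kept) / max(len(old), 1), 2),
    }


if __name__ == "__main__":
    recs = parse_answer(SNAPSHOT_DIG)
    print(flux_indicators(recs))
    print(pool_churn(SNAPSHOT_HOST, [r["rdata"] for r in recs if r["type"] == "A"]))
```

On the quoted data the second lookup scores as suspicious (15 addresses, TTL 300, 12 distinct /8 blocks) and only 8 of the 15 addresses survive between the two lookups, which is the "shuffled every 5 minutes" observation in numbers.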
olliver (Expert Developer)
Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Sun Jul 01, 2007 2:44 pm
The following is not exactly a *.hk domain, but Leo Kuvayev nonetheless: the spam features a neat image as part of his current pharma site containing the URL meds21.com. Contrary to my usual habit I'm going to munge the from address as well. The reason is that Leo used tagging here and leaving it intact would reveal my spamtrap, which resulted in listwashing...
Quote:
Return-Path: <[munged]@comcast.net>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 29 Jun 2007 21:24:15 -0000
Received: from wsip-72-215-1-52.ok.ok.cox.net (EHLO wsip-72-215-1-52.ok.ok.cox.net) [72.215.1.52]
by mx0.gmx.net (mx028) with SMTP; 29 Jun 2007 23:24:15 +0200
Received: from nxque ([192.229.122.63])
by wsip-72-215-1-52.ok.ok.cox.net (8.13.4/8.13.4) with SMTP id o5512626284813w8Fg112400
for <spamtrap>; Fri, 29 Jun 2007 16:24:21 -0600 (CDT)
(envelope-from [munged]@comcast.net)
Message-ID: <02f501c7ba93$dc16f780$3401d748@nxque>
From:<[munged]@comcast.net>
To: <spamtrap>
Subject: mysterious grand piano
Date: Fri, 29 Jun 2007 23:18:51 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_02F2_01C7BA69.F3179590";
type="multipart/alternative"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
(emphasis added by me)
The spam was sent from a b0tted machine somewhere in Oklahoma City/OK, as wsip-72-215-1-52.ok.ok.cox.net reveals.
The usual sure signs of Leo Kuvayev spam follow:
Quote:
[olliver@bunkiten ~]$ host -t ns meds21.com
meds21.com name server ns0.piotiongandesunkdes.com.
meds21.com name server ns0.chitionkdetunlionpsa.com.
meds21.com name server ns0.gedsactunjerion.com.
meds21.com name server ns0.fionkunjerunhedase.com.
I take it that those name servers are his trademark and he wants to let people know who he is (spam as performance art?)
Quote:
[olliver@bunkiten ~]$ host meds21.com
meds21.com has address 24.127.246.103
meds21.com has address 59.112.171.209
meds21.com has address 65.92.204.225
meds21.com has address 75.34.224.231
meds21.com has address 81.226.63.252
meds21.com has address 82.131.26.220
meds21.com has address 84.112.141.4
meds21.com has address 88.134.199.140
meds21.com has address 89.103.55.182
meds21.com has address 89.178.154.135
meds21.com has address 89.179.46.71
meds21.com has address 218.255.211.180
meds21.com has address 220.121.183.150
meds21.com has address 221.126.157.245
meds21.com has address 222.166.216.28
Now serving from 15 zombies...
And as usual a Chinese registrar:
Quote:
Domain name: meds21.com
Registrant Contact:
Meds For The Masses
Garry Rosselot meds@meds21.com
503-245-2575 fax:
4704 SW 25th Ave
Portland OR 97239
us
Administrative Contact:
Garry Rosselot meds@meds21.com
503-245-2575 fax:
4704 SW 25th Ave
Portland OR 97239
us
Technical Contact:
Garry Rosselot meds@meds21.com
503-245-2575 fax:
4704 SW 25th Ave
Portland OR 97239
us
Billing Contact:
Garry Rosselot meds@meds21.com
503-245-2575 fax:
4704 SW 25th Ave
Portland OR 97239
us
DNS:
ns0.gedsactunjerion.com
ns0.piotiongandesunkdes.com
Created: 2007-05-29
Expires: 2008-05-29
The whois contact is presumably not genuine and probably another stolen identity, but the email should deliver, so I leave it intact for his spam buddies to harvest.
Olliver
olliver (Expert Developer)
Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Sun Jul 01, 2007 3:55 pm
This is another pharma spam from the *.hk series.
Headers:
Quote:
Return-Path: <mattyboy@photo-amateurs.net>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 30 Jun 2007 21:52:54 -0000
Received: from hn.kd.ny.adsl (EHLO hn.kd.ny.adsl) [125.47.36.155]
by mx0.gmx.net (mx034) with SMTP; 30 Jun 2007 23:52:54 +0200
Received: from [125.47.36.155] by fwd0.hosts.co.uk; Sat, 30 Jun 2007 22:04:34 -0800
Message-ID: <01c7bb62$a4598db0$9b242f7d@mattyboy>
From: "Barbara Maloney" <mattyboy@photo-amateurs.net>
To: <spamtrap>
Subject: spam 50mg x 10 pills $59.95 buy now
Date: Sat, 30 Jun 2007 22:04:34 -0800
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="windows-1250";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1807
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Sent via a compromised machine somewhere in the Henan province of China:
Quote:
[olliver@bunkiten tmp]$ host 125.47.36.155
155.36.47.125.in-addr.arpa domain name pointer hn.kd.ny.adsl.
Note the utterly meaningful rDNS name.
Name servers:
Quote:
[olliver@bunkiten tmp]$ host -t ns betweenshine.hk
betweenshine.hk name server ns0.piotiongandesunkdes.com.
betweenshine.hk name server ns0.chitionkdetunlionpsa.com.
betweenshine.hk name server ns0.gedsactunjerion.com.
betweenshine.hk name server ns0.fionkunjerunhedase.com.
Zombie hosting, again 15 machines:
Quote:
[olliver@bunkiten tmp]$ host betweenshine.hk
betweenshine.hk has address 59.112.171.209
betweenshine.hk has address 61.238.167.250
betweenshine.hk has address 65.92.204.225
betweenshine.hk has address 75.34.224.231
betweenshine.hk has address 79.178.49.121
betweenshine.hk has address 82.131.26.220
betweenshine.hk has address 84.112.141.4
betweenshine.hk has address 85.250.171.130
betweenshine.hk has address 89.179.46.71
betweenshine.hk has address 122.123.129.211
betweenshine.hk has address 218.253.30.203
betweenshine.hk has address 218.255.211.180
betweenshine.hk has address 220.121.183.150
betweenshine.hk has address 220.131.70.39
betweenshine.hk has address 221.126.157.245
Whois info:
Quote:
Domain Name: BETWEENSHINE.HK
Contract Version: HKDNR latest version
Registrant Contact Information:
Holder English Name (It should be the same as your legal name on your HKID card or other relevant documents): MR JOSEPH MCCRELESS
Holder Chinese Name:
Email: andrelecann@gmail.com
Domain Name Commencement Date: 26-06-2007
Country: US
Expiry Date: 26-06-2008
Re-registration Status: Complete
Name of Registrar: HKDNR
Account Name: HK1920037T
Technical Contact:
First name: JOSEPH
Last name: MCCRELESS
Company Name: JOSEPH MCCRELESS
Name Servers Information:
NS0.FIONKUNJERUNHEDASE.COM
NS0.GEDSACTUNJERION.COM
NS0.PIOTIONGANDESUNKDES.COM
NS0.CHITIONKDETUNLIONPSA.COM
Olliver
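The header analysis in these posts always works the same way: the hop stamped by the receiving MX (mx0.gmx.net) is the only one that can be trusted, the bracketed address it recorded is the sender to check against the blacklists, and the `Received: from [125.47.36.155] by fwd0.hosts.co.uk` line below it was written by the spam engine itself. The Python below is an added example, not code from the thread or from the poster, that does this walk over a Received: chain. The sample headers are constructed from the ones quoted above (folded with leading whitespace as they would be on the wire), and the blocklist set is a constructed stand-in for the DNSBL lookups the poster refers to.

```python
"""Find the sender address a trusted MX actually saw in a Received: chain.

Added example; not code from the thread or the poster. The trusted-relay
name and the blocklist contents are assumptions/constructed test data.
"""
import re

# Constructed from the headers quoted in the post above (spamtrap elided).
RAW_HEADERS = """\
Return-Path: <mattyboy@photo-amateurs.net>
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 30 Jun 2007 21:52:54 -0000
Received: from hn.kd.ny.adsl (EHLO hn.kd.ny.adsl) [125.47.36.155]
  by mx0.gmx.net (mx034) with SMTP; 30 Jun 2007 23:52:54 +0200
Received: from [125.47.36.155] by fwd0.hosts.co.uk; Sat, 30 Jun 2007 22:04:34 -0800
From: "Barbara Maloney" <mattyboy@photo-amateurs.net>
To: <spamtrap>
Subject: spam 50mg x 10 pills $59.95 buy now

(body omitted)
"""

TRUSTED_RELAYS = {"mx0.gmx.net"}               # our own MX, as named in the quoted headers
BLOCKLIST = {"125.47.36.155", "59.52.165.94"}  # constructed stand-in for DNSBL hits

# helo name (optional, absent in forged "from [ip] by host" lines), bracketed IPv4, receiving host
HOP_RE = re.compile(
    r"from\s+(?:(?P<helo>[^\s\[(]+)\s*)?.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>[\w.-]+)",
    re.IGNORECASE | re.DOTALL,
)


def unfold_headers(raw):
    """Return (name, value) pairs with RFC 5322 folding undone; stop at the blank line."""
    headers = []
    for line in raw.splitlines():
        if line == "":
            break
        if line[:1] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_hop(value):
    """Extract helo name, bracketed IP and receiving host from one Received: value."""
    m = HOP_RE.search(value)
    if not m:
        return None
    return {"helo": m.group("helo"), "ip": m.group("ip"), "by": m.group("by").lower()}


def analyse(raw, trusted=TRUSTED_RELAYS, blocklist=BLOCKLIST):
    """Walk the chain top-down; the first hop stamped by a trusted relay is the origin."""
    hops = [parse_hop(v) for n, v in unfold_headers(raw) if n == "received"]
    origin = next((h for h in hops if h and h["by"] in trusted), None)
    if origin is None:
        return {"origin_ip": None, "listed": False, "unverified_hops": []}
    below = hops[hops.index(origin) + 1:]
    return {
        "origin_ip": origin["ip"],
        "helo": origin["helo"],
        "listed": origin["ip"] in blocklist,
        # Everything after the trusted hop was supplied by the sender and is unverifiable.
        "unverified_hops": [h["by"] for h in below if h],
    }


if __name__ == "__main__":
    print(analyse(RAW_HEADERS))
```

The qmail "invoked by alias" line carries no "from" clause and is skipped; the forged inner hop is reported under `unverified_hops` rather than being used for anything, which is the point of the exercise.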
olliver (Expert Developer)
Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Mon Jul 02, 2007 2:26 pm
Today's featured *.hk domain is earthgame.hk
Headers:
Quote:
Return-Path: <bfanget@optitechinc.com>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 02 Jul 2007 21:12:57 -0000
Received: from host196.190-136-129.telecom.net.ar (EHLO host196.190-136-129.telecom.net.ar) [190.136.129.196]
by mx0.gmx.net (mx058) with SMTP; 02 Jul 2007 23:12:57 +0200
Received: from [190.136.129.196] by MAIL.optitechinc.com; Sun, 1 Jul 2007 16:13:09 -0100
Message-ID: <01c7bbfa$b7162b50$c48188be@bfanget>
From: "Miranda Hurd" <bfanget@optitechinc.com>
To: <spamtrap>
Subject: spam (spam) 100mg x 10 pills $69.95 buy now
Date: Sun, 1 Jul 2007 16:13:09 -0100
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
host196.190-136-129.telecom.net.ar appears to be a compromised home user machine in Argentina that adds to the spew coming from LACNIC's ranges.
Body:
Quote:
Price for spam 100mg x 30 pills US $ 99.95
http ://earthgame.hk
Points to the usual Pharma botnet site:
Quote:
[olliver@bunkiten ~]$ host earthgame.hk
earthgame.hk has address 122.123.128.253
earthgame.hk has address 217.144.19.86
earthgame.hk has address 218.255.211.180
earthgame.hk has address 220.131.88.85
earthgame.hk has address 221.126.158.203
earthgame.hk has address 61.92.16.45
earthgame.hk has address 77.182.61.243
earthgame.hk has address 81.226.63.252
earthgame.hk has address 82.131.108.33
earthgame.hk has address 84.23.37.68
earthgame.hk has address 84.217.26.221
earthgame.hk has address 85.29.224.163
earthgame.hk has address 89.103.55.182
earthgame.hk has address 89.103.61.253
earthgame.hk has address 89.133.46.29
And Leo Kuvayev's well familiar name servers:
Quote:
[olliver@bunkiten ~]$ host -t ns earthgame.hk
earthgame.hk name server ns0.gedsactunjerion.com.
earthgame.hk name server ns0.fionkunjerunhedase.com.
earthgame.hk name server ns0.piotiongandesunkdes.com.
earthgame.hk name server ns0.chitionkdetunlionpsa.com.
Whois data:
Quote:
Domain Name: EARTHGAME.HK
Contract Version: HKDNR latest version
Registrant Contact Information:
Holder English Name (It should be the same as your legal name on your HKID card or other relevant documents): MR JOSEPH MCCRELESS
Holder Chinese Name:
Email: john_cerrone11@hotmail.com
Domain Name Commencement Date: 26-06-2007
Country: US
Expiry Date: 26-06-2008
Re-registration Status: Complete
Name of Registrar: HKDNR
Account Name: HK1919753T
Technical Contact:
First name: JOSEPH
Last name: MCCRELESS
Company Name: JOSEPH MCCRELESS
Name Servers Information:
NS0.FIONKUNJERUNHEDASE.COM
NS0.GEDSACTUNJERION.COM
NS0.PIOTIONGANDESUNKDES.COM
NS0.CHITIONKDETUNLIONPSA.COM
Olliver
olliver (Expert Developer)
Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Mon Jul 02, 2007 2:45 pm
Fresh from my inbox the latest from Leo Kuvayev on likesettle.hk:
Headers:
Quote:
Return-Path: <mars@soft-ita.net>
X-Flags: 1001
Delivered-To:<spamtrap>
Received: (qmail invoked by alias); 02 Jul 2007 12:24:45 -0000
Received: from vybor.ett.com.ua (EHLO vybor.ett.com.ua) [80.93.113.214]
by mx0.gmx.net (mx009) with SMTP; 02 Jul 2007 14:24:45 +0200
Received: from [80.93.113.214] by mailserver.ssnet.it; Mon, 2 Jul 2007 11:24:45 -0300
Message-ID: <01c7bc9b$97715c10$d6715d50@mars>
From: "Alyce Oneil182220" <mars@soft-ita.net>
To: <spamtrap>
Subject: Alyce, You live just once - try it.
Date: Mon, 2 Jul 2007 11:24:45 -0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C7BCBD.1E82FC10"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.2106.4
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Body:
Quote:
Opinion of our customers:
Thank you for magic things which I ordered for the first time. Meanwhile I could check the result of these tabs....unbelievable, they help just in that way I hoped they would do, and more than that, very impressive !! I think I will order soon the next portion. Again, thank you for the excellent service and keep up the good work! Roy Peterson, Apalachin, NY
Our prices do not know competitors
- fast delivery
- without the recipe!
- confidential delivery
- confidential payment
- telephone support
- VISA certificated Onlineshop
Order now and receive 4 tablets for free![1]
to do instead). You wantshall be pleased to by its very nature , had gone will be provides a . by either the FSA or by its very nature can be awarded will be provides a else. Something more and credible investigation data, recommended by including registration of corporation, such an attitude . withthe Firm to theout my final challenging. Something of clarity I think against the firm and, which details the decision on the . the documentation the investments within shall be pleased to recompense. I note texts. If you've read a recommended by A consequence of these that I have been liquidation and .A consequence of these of every internal industry
[1] denotes link pointing to likesettle.hk
Quote:
Domain Name: LIKESETTLE.HK
Contract Version: HKDNR latest version
Registrant Contact Information:
Holder English Name (It should be the same as your legal name on your HKID card or other relevant documents): MR JOSEPH MCCRELESS
Holder Chinese Name:
Email: Mark_David_nest@hotmail.com
Domain Name Commencement Date: 26-06-2007
Country: US
Expiry Date: 26-06-2008
Re-registration Status: Complete
Name of Registrar: HKDNR
Account Name: HK1919661T
Technical Contact:
First name: JOSEPH
Last name: MCCRELESS
Company Name: JOSEPH MCCRELESS
Name Servers Information:
NS0.FIONKUNJERUNHEDASE.COM
NS0.GEDSACTUNJERION.COM
NS0.PIOTIONGANDESUNKDES.COM
NS0.CHITIONKDETUNLIONPSA.COM
(emphasis added by me)
At the time of writing the site had connectivity problems (no responding name servers), but that's probably just temporary.
Olliver
olliver (Expert Developer)
Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Wed Jul 04, 2007 10:58 am
New variation with the date set back to March 2002. Also a good opportunity to add the output of a newly discovered toy.
Quote:
Return-Path: <tequan@eau.net>
X-Flags: 1001
Delivered-To: <spamtrap>
Received: (qmail invoked by alias); 28 Jun 2007 06:17:22 -0000
Received: from 58.69.75.124.pldt.net (EHLO 58.69.75.124.pldt.net) [58.69.75.124]
by mx0.gmx.net (mx077) with SMTP; 28 Jun 2007 08:17:22 +0200
Received: from [58.69.75.124] by b.mx.voyager.net; Sat, 2 Mar 2002 14:37:40 +0800
Date: Sat, 2 Mar 2002 14:37:40 +0800
From: Chase <tequan@eau.net>
X-Mailer: The Bat! (v3.51.10) Professional
Reply-To: tequan@eau.net
X-Priority: 3 (Normal)
Message-ID: <158672964.54550628580433@eau.net>
To: <spamtrap>
Subject: look-out our pricing
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------7291CE6721CED3B"
The sender 58.69.75.124 is some hijacked DSL machine in the Philippines:
Quote:
inetnum: 58.69.74.0 - 58.69.75.255
netname: MyDSLPro
country: PH
descr: MGOC10K02_MyDSLProfessional
admin-c: HM8-AP
tech-c: NS141-AP
tech-c: NT31-AP
tech-c: SS843-AP
status: ASSIGNED NON-PORTABLE
changed: wasison <> pldt.com.ph 20061025
mnt-by: PHIX-NOC-AP
source: APNIC
(emphasis added by me)
Mail body:
Quote:
http ://dogflat.hk
Viagra 60 pills x 50mg $111.65 $1.86 per item Your save: $70 10 pills x 100mg $34.49 $3.45 per item 30 pills x 100mg $88.5 $2.95 per item Your save: $15 60 pills x 100mg $141 $2.35 per item Your save: $66 10 pills x 50mg $30.22 $3.03 per item 30 pills x 50mg $60.23 $2.01 per item Your save: $30 90 pills x 100mg $176.4 $1.96 per item Your save: $134
spam Soft Tabs
30 pills x 100mg $97.35 $3.25 per item Your save: $16 10 pills x 50mg $33.25 $3.33 per item 60 pills x 100mg $155.1 $2.59 per item Your save: $72 10 pills x 100mg $37.94 $3.8 per item 30 pills x 50mg $66.28 $2.21 per item Your save: $34 60 pills x 50mg $123.2 $2.05 per item Your save: $77 90 pills x 100mg $194.04 $2.16 per item Your save: $147
Cialis Soft Tabs 60 pills x 20mg $260.53 $4.34 per item Your save: $136 90 pills x 20mg $353.62 $3.93 per item Your save: $240 10 pills x 20mg $65.97 $6.6 per item 20 pills x 20mg $109.73 $5.49 per item Your save: $22 30 pills x 20mg $131.97 $4.4 per item Your save: $66
Cialis 90 pills x 20mg $242.06 $2.69 per item Your save: $111 60 pills x 20mg $180.15 $3 per item Your save: $55 30 pills x 20mg $104.66 $3.49 per item Your save: $13 10 pills x 20mg $39.19 $3.92 per item 20 pills x 20mg $76.68 $3.83 per item Your save: $2
spam Jelly
60 pills x 100mg $187.97 $3.14 per item Your save: $1 10 pills x 100mg $30.02 $3 per item Your save: $1 30 pills x 100mg $92.4 $3.08 per item Your save: $1 90 pills x 100mg $207.9 $2.31 per item Your save: $74
Levitra 10 pills x 20mg $27.08 $2.71 per item 20 pills x 20mg $54.99 $2.75 per item 30 pills x 20mg $82.01 $2.73 per item Your save: $1 60 pills x 20mg $164.36 $2.74 per item Your save: $1 90 pills x 20mg $246.57 $2.74 per item Your save: $1
http ://dogflat.hk
So dogflat.hk is today's featured Leo Kuvayev domain. Let's see what we can find there:
Quote:
dogflat.hk. 28800 IN NS NS0.CHITIONKDETUNLIONPSA.COM.
dogflat.hk. 28800 IN NS NS0.GEDSACTUNJERION.COM.
dogflat.hk. 28800 IN NS NS0.FIONKUNJERUNHEDASE.COM.
dogflat.hk. 28800 IN NS NS0.PIOTIONGANDESUNKDES.COM.
;; Received 179 bytes from 202.12.28.140#53(SEC3.APNIC.NET) in 274 ms
dogflat.hk. 300 IN A 24.85.143.76
dogflat.hk. 300 IN A 59.188.131.94
dogflat.hk. 300 IN A 76.181.136.0
dogflat.hk. 300 IN A 81.226.63.252
dogflat.hk. 300 IN A 89.103.55.182
dogflat.hk. 300 IN A 89.178.86.162
dogflat.hk. 300 IN A 89.178.196.134
dogflat.hk. 300 IN A 89.179.8.38
dogflat.hk. 300 IN A 89.245.17.46
dogflat.hk. 300 IN A 122.123.140.136
dogflat.hk. 300 IN A 125.225.77.223
dogflat.hk. 300 IN A 221.126.9.236
dogflat.hk. 300 IN A 221.127.95.141
dogflat.hk. 300 IN A 221.127.156.40
dogflat.hk. 300 IN A 221.127.162.191
dogflat.hk. 300 IN NS ns0.fionkunjerunhedase.com.
dogflat.hk. 300 IN NS ns0.piotiongandesunkdes.com.
dogflat.hk. 300 IN NS ns0.chitionkdetunlionpsa.com.
dogflat.hk. 300 IN NS ns0.gedsactunjerion.com.
;; Received 483 bytes from 212.54.29.109#53(NS0.CHITIONKDETUNLIONPSA.COM) in 65 ms
The usual botnet signs and name server domains. Now let's see what other domains these name servers are responsible for:
anystood.hk
basicrx.org
behinddry.hk
blocubs.hk
bluebuzz.hk
boardpattern.hk
burnshout.hk
callrain.hk
catcentury.hk
chartheld.hk
cikal.hk
colonysent.hk
datacolumn.hk
degreeinch.hk
distantleg.hk
divamia.hk
downobserve.hk
drylike.hk
eightposition.hk
fivetag.hk
flippulses.hk
heartspeak.hk
hundredanger.hk
instantheat.hk
kaylane.hk
lastlift.hk
levelside.hk
masterheart.hk
mountchance.hk
mouthpound.hk
neighborled.hk
nineshall.hk
pharmlove.hk
repeatphrase.hk
repeatwide.hk
riverbought.hk
ropeminute.hk
sendmark.hk
shapefamily.hk
specialsecond.hk
speedthank.hk
stationweather.hk
thousandhundred.hk
topfinal.hk
whencompare.hk
Registration data for whois:
Quote:
Domain Name: DOGFLAT.HK
Contract Version: HKDNR latest version
Registrant Contact Information:
Holder English Name (It should be the same as your legal name on your HKID card or other relevant documents): MR TIM FLOCK
Holder Chinese Name:
Email: harveyxkoloms1956@yahoo.com
Domain Name Commencement Date: 16-06-2007
Country: US
Expiry Date: 16-06-2008
Re-registration Status: Complete
Name of Registrar: HKDNR
Account Name: HK1913620T
Technical Contact:
First name: TIM
Last name: FLOCK
Company Name: TIM FLOCK
Name Servers Information:
NS0.FIONKUNJERUNHEDASE.COM
NS0.GEDSACTUNJERION.COM
NS0.PIOTIONGANDESUNKDES.COM
NS0.CHITIONKDETUNLIONPSA.COM
Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
suzi (Site Admin)
Joined: 27 Jul 2003 Last Visit: 18 May 2013 Posts: 10271 Location: sunny California
Posted: Wed Jul 04, 2007 11:01 am
Wow... good list.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
olliver (Expert Developer)
Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Wed Jul 04, 2007 11:11 am
Yes, it's a neat toy. It can gather domains that are using the same name server, and this way you may wind up with new domains that Leo Kuvayev hasn't used for spamming yet.
Olliver
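The pivot described here, from a known domain's name servers to every other domain those servers are authoritative for, is simple to implement once you have a table of (domain, name server) pairs, whether from a passive DNS feed or from your own lookups. The Python below is an added example, not the poster's "toy" or any tool mentioned in the thread. Its table is constructed: the five spam domains and the four name servers in it are the ones quoted in this thread (spelled with the mixed case and trailing dots that dig and whois disagree on, to show the normalisation), and the *.invalid entries are made-up decoys. It answers two questions: which domains share at least a given number of name servers with a seed domain, and which domains use exactly the same name-server set, the fingerprint the poster keys on.

```python
"""Pivot from a domain's name servers to the other domains they serve.

Added example; not the poster's tool. The NS_TABLE is constructed test data.
"""
from collections import Counter, defaultdict

LEO_NS = (
    "ns0.gedsactunjerion.com.",
    "ns0.fionkunjerunhedase.com",
    "NS0.PIOTIONGANDESUNKDES.COM",    # mixed case and trailing dots on purpose,
    "NS0.CHITIONKDETUNLIONPSA.COM.",  # as dig and whois output differ in the thread
)

# Constructed table; the five .hk/.com domains are the ones quoted in the thread.
NS_TABLE = [
    ("dogflat.hk", LEO_NS),
    ("agreeput.hk", LEO_NS),
    ("meds21.com", LEO_NS),
    ("betweenshine.hk", LEO_NS),
    ("earthgame.hk", LEO_NS),
    ("unrelated.invalid", ("ns1.dns-provider.invalid", "ns2.dns-provider.invalid")),  # decoy
    ("one-overlap.invalid", ("ns0.gedsactunjerion.com", "ns1.dns-provider.invalid")),  # decoy
]


def normalise(name):
    """Lower-case and strip the trailing dot so dig and whois spellings compare equal."""
    return name.strip().lower().rstrip(".")


def build_index(table):
    """Return domain -> frozenset(ns) and the inverse ns -> set(domains)."""
    by_domain, by_ns = {}, defaultdict(set)
    for domain, servers in table:
        d = normalise(domain)
        ns_set = frozenset(normalise(s) for s in servers)
        by_domain[d] = ns_set
        for ns in ns_set:
            by_ns[ns].add(d)
    return by_domain, by_ns


def siblings(seed, table, min_shared=2):
    """Domains sharing at least min_shared name servers with seed, with the count."""
    by_domain, by_ns = build_index(table)
    seed = normalise(seed)
    shared = Counter()
    for ns in by_domain.get(seed, ()):
        for d in by_ns[ns]:
            if d != seed:
                shared[d] += 1
    return {d: n for d, n in shared.items() if n >= min_shared}


def fingerprint_groups(table, min_size=2):
    """Group domains by their exact name-server set; keep groups of at least min_size."""
    by_domain, _ = build_index(table)
    groups = defaultdict(set)
    for d, ns_set in by_domain.items():
        groups[tuple(sorted(ns_set))].add(d)
    return {k: v for k, v in groups.items() if len(v) >= min_size}


if __name__ == "__main__":
    for d, n in sorted(siblings("dogflat.hk", NS_TABLE).items()):
        print(f"{d}: shares {n} name servers with dogflat.hk")
    for ns_set, domains in fingerprint_groups(NS_TABLE).items():
        print(len(domains), "domains on", ", ".join(ns_set))
```

The `min_shared` threshold matters in practice: a single shared server is common on large hosting providers, while sharing the complete four-server set of a dedicated spam operation is the strong signal, so the exact-set grouping is the one worth feeding into a blocklist.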
Chao284 (Warrior)
Joined: 06 Sep 2004 Last Visit: 06 Aug 2011 Posts: 220 Location: Bremerton, WA
Posted: Thu Jul 05, 2007 3:01 pm
Well I do know one thing, he is apparently trying to take revenge for Robert Soloway's arrest, by spamming and DDoSing certain sites, right now Spamhaus is having access problems in the event his Spam Group might have taken it down once again,
Also on other things related to this, he is becoming more difficult to track as well as China refuses to respond to US and UK based Anti-Spam sites if Bad Cow/Kuvayev is currently #1 on the ROKSO list.
olliver (Expert Developer)
Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Sat Jul 07, 2007 11:35 am
Chao284 wrote:
Well I do know one thing, he is apparently trying to take revenge for Robert Soloway's arrest
Why would Leo care about Bobby's sorry existence? I've never come across any evidence they had worked together before he was arrested.
Quote:
by spamming and DDoSing certain sites, right now Spamhaus is having access problems in the event his Spam Group might have taken it down once again,
I'd find it more plausible if it were for his "bidniz" buddies RBN and Yambo (the first by hosting, the latter with his pharma botnet operations). It's true though that a particular group is behind Spamhaus' DoS issues, Steve Linford himself once made such a remark, but who it actually is is not known to the public at the moment. Only that Law Enforcement is helping track them down.
Quote:
Also on other things related to this, he is becoming more difficult to track as well as China refuses to respond to US and UK based Anti-Spam sites if Bad Cow/Kuvayev is currently #1 on the ROKSO list.
That some networks in China are aiding and abetting his operation isn't a likely consequence of him being number one on the ROKSO list but rather of him paying them a lot and on time. Greed is what connects the two ends to each other and what will eventually drag them down in misery.
To me it looks like the pharma branch of Yambo and Leo is one and the same operation. I've already seen IP addresses known to belong to Kuvayev also harbouring "My Canadian Ph.armacy" sites and his name servers resolving other Yambo operations as well. This becomes apparent with domain registrations too, as some "agents" appear for both operations. This may be one of the reasons why spamtrackers.eu is a bit inconsistent in its writings about Leo and Yambo. But in cases like this Spamhaus is still the authoritative source (Spamtrackers.eu is a hobby project by an employee of Gandi, a French registrar).
Olliver
olliver (Expert Developer)
Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Sat Jul 07, 2007 3:41 pm
Leo's latest take on *.hk pharma domains:
gottall.hk:
ns0.chitionkdetunlionpsa.com
ns0.gedsactunjerion.com
ns0.fionkunjerunhedase.com.
ns0.piotiongandesunkdes.com
equateflat.hk:
ns0.gedsactunjerion.com.
ns0.fionkunjerunhedase.com.
ns0.piotiongandesunkdes.com.
ns0.chitionkdetunlionpsa.com.
objectfood.hk:
ns0.gedsactunjerion.com.
ns0.fionkunjerunhedase.com.
ns0.piotiongandesunkdes.com.
ns0.chitionkdetunlionpsa.com
massin.hk:
ns0.gedsactunjerion.com.
ns0.fionkunjerunhedase.com.
ns0.piotiongandesunkdes.com.
ns0.chitionkdetunlionpsa.com
sheetview.hk:
ns0.gedsactunjerion.com.
ns0.fionkunjerunhedase.com.
ns0.piotiongandesunkdes.com.
ns0.chitionkdetunlionpsa.com
Other domains the current zombie battery is serving for Leo Kuvayev:
bestcanadianrxstore.com
loudlow.com
rxcare.org
Olliver