Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Even CEOs consult us

Spyware Warrior Forum Index -> Spam
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

PostPosted: Sat Aug 18, 2007 1:46 pm    Post subject: Even CEOs consult us

Long time since the last University degree spam...

Headers:
Quote:
Delivered-To: <snipped>
Received: by 10.115.90.9 with SMTP id s9cs426234wal;
Sat, 18 Aug 2007 05:38:28 -0700 (PDT)
Received: by 10.65.15.19 with SMTP id s19mr7036080qbi.1187440708000;
Sat, 18 Aug 2007 05:38:28 -0700 (PDT)
Return-Path: <rkribell@heroesofae.com>
Received: from dialup-134.acc-kom.ru ([89.237.33.134])
by mx.google.com with ESMTP id f16si1813129qba.2007.08.18.05.37.57;
Sat, 18 Aug 2007 05:38:28 -0700 (PDT)

Received-SPF: neutral (google.com: 89.237.33.134 is neither permitted nor denied by best guess record for domain of rkribell@heroesofae.com) client-ip=89.237.33.134;
Authentication-Results: mx.google.com; spf=neutral (google.com: 89.237.33.134 is neither permitted nor denied by best guess record for domain of rkribell@heroesofae.com) smtp.mail=rkribell@heroesofae.com
Received: from [89.237.33.134] by mail-fwd.mx.g19.rapidsite.net; Sat, 18 Aug 2007 12:38:24 -0500
Message-ID: <01c7e194$aadd7cc0$8621ed59@rkribell>
From: "Darius Gamble" <rkribell@heroesofae.com>
To: <snipped>
Subject: Even CEOs consult us.
Date: Sat, 18 Aug 2007 12:38:24 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C7E1C6.F577ECC0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506

The sender 89.237.33.134 is already blocked in CBL and SBL (others may follow later). As this is not the type of spam usually sent via botnets, I'm not too sure about a compromised user machine. This could as well be some small scale chickenboner in Russia sending junk from a dialup line.

Mail body:
Quote:
F A S T T R A C K D E G R E E P R O G R A M

Obtain the degree you deserve, based on your present knowledge and life experience.

A prosperous future, money earning power, and the Admiration of all.

Degrees from an Established, Prestigious, Leading Institution.

Your Degree will show exactly what you really can do.

Get the Job, Promotion, Business Opportunity

and Social Advancement you Desire!

Eliminates classrooms and traveling.

Achieve your Bachelors, Masters, MBA, or PhD
in the field of your expertise

Professional and affordable

Call now - your Graduation is a phone call away.

Please call:
1-206-350-2402


The phone number has already left a trace in search engines:
http://www.google.com/search?q=1-206-350-2402
Note the vast amount of blogspam for this programme, but also this interesting link:
Quote:
I checked the online white pages for a reverse look-up.

Results:

(206) 350-2402
Type: Land Line
Provider: International Telcom, Ltd
Location: Seattle, WA
Caller ID: unavailable
Caller: Fast Track Degree Program
Caller Type: Telemarketer

source: http://800notes.com/Phone.aspx/1-206-350-2402

Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
olliver
PostPosted: Sun Aug 19, 2007 9:37 am

A follow-up is necessary. This time with the subject line:
FW: Your university degree

Content is identical to the previous advertisement, therefore it's sufficient to post the headers only:
Quote:
Delivered-To: <snipped>
Received: by 10.115.90.9 with SMTP id s9cs463764wal;
Sat, 18 Aug 2007 23:05:31 -0700 (PDT)
Received: by 10.70.100.14 with SMTP id x14mr8111351wxb.1187503527367;
Sat, 18 Aug 2007 23:05:27 -0700 (PDT)
Return-Path: <brionh@angstmagazine.com>
Received: from ?67.132.147.54? ([67.132.147.54])
by mx.google.com with ESMTP id 34si12509739nza.2007.08.18.23.04.59;
Sat, 18 Aug 2007 23:05:27 -0700 (PDT)

Received-SPF: fail
Authentication-Results: mx.google.com; spf=hardfail smtp.mail=brionh@angstmagazine.com
Received: from [67.132.147.54] by mx1.biz.mail.yahoo.com; Sun, 19 Aug 2007 06:03:51 +0600
Message-ID: <01c7e226$b75fec20$36938443@brionh>
From: "Adrian Diamond" <brionh@angstmagazine.com>
To: <snipped>
Subject: FW: Your university degree
Date: Sun, 19 Aug 2007 06:03:51 +0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C7E1FC.CE89E420"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2527
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527

This time it's quite clear that the spam originated from an exploitable server (67.132.147.54) and it's also reported by SORBS this way (listed in the database of vulnerable/exploitable servers). Further listings in CBL/Spamhaus XBL, Spamcop and UCEprotect.

Whois:
Quote:
OrgName: FIRST METHODIST - HOUSTON
OrgID: FMH-11
Address: 1320 MAIN ST
City: HOUSTON
StateProv: TX
PostalCode: 77002
Country: US

NetRange: 67.132.147.48 - 67.132.147.63
CIDR: 67.132.147.48/28
NetName: Q0602-67-132-147-48
NetHandle: NET-67-132-147-48-1
Parent: NET-67-128-0-0-1
NetType: Reassigned
Comment:
RegDate: 2004-06-03
Updated: 2004-06-03

RAbuseHandle: SPH22-ARIN
RAbuseName: PHILPOTT, STEPHEN
RAbusePhone: +1-713-652-2999
RAbuseEmail: sphilpott at firstfamily.info

OrgTechHandle: SPH22-ARIN
OrgTechName: PHILPOTT, STEPHEN
OrgTechPhone: +1-713-652-2999
OrgTechEmail: sphilpott at firstfamily.info

I tried to get the SMTP banner but it appears the port is firewalled now, so it seems the admin finally noticed there's something wrong and is occupied with fixing the machine.

Olliver
olliver
PostPosted: Mon Aug 20, 2007 1:40 pm
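The two posts above reason from the same three signals: which hop in the Received chain actually handed the message to the receiving MX, what the MX's own SPF check said (neutral for the Russian dialup, hardfail for the Houston server), and whether that IP is on a blocklist such as CBL/SBL. The following Python is an added example, not code from the forum or from any of the services named in the thread; it re-folds the two posted header sets as constructed samples, walks the Received chain top-down to the first hop stamped by our own MX, reads the SPF verdict from Authentication-Results, builds the reversed-octet DNSBL query name, and combines the results into a triage verdict. The resolver is an injectable stand-in so the sample runs offline; the blocklist answers it returns are constructed to mirror what the posts report, and the return-code table is the one Spamhaus publishes for ZEN.

```python
"""Header triage: find the IP that handed a message to our MX, read the SPF
verdict, build and interpret a DNSBL query. Added example, not forum code."""
import re
from email import message_from_string
from email.message import Message
from typing import Callable, Dict, List, Optional

# Constructed samples: the header sets from the first two posts, re-folded with
# leading whitespace on continuation lines (the forum copy lost the folding) and
# cut down to the fields this parser reads.
SAMPLE_NEUTRAL = """\
Received: by 10.115.90.9 with SMTP id s9cs426234wal;
        Sat, 18 Aug 2007 05:38:28 -0700 (PDT)
Received: from dialup-134.acc-kom.ru ([89.237.33.134])
        by mx.google.com with ESMTP id f16si1813129qba.2007.08.18.05.37.57;
        Sat, 18 Aug 2007 05:38:28 -0700 (PDT)
Authentication-Results: mx.google.com; spf=neutral (google.com: 89.237.33.134 is neither permitted nor denied by best guess record for domain of rkribell@heroesofae.com) smtp.mail=rkribell@heroesofae.com
Received: from [89.237.33.134] by mail-fwd.mx.g19.rapidsite.net; Sat, 18 Aug 2007 12:38:24 -0500
From: "Darius Gamble" <rkribell@heroesofae.com>

"""
SAMPLE_HARDFAIL = """\
Received: by 10.115.90.9 with SMTP id s9cs463764wal;
        Sat, 18 Aug 2007 23:05:31 -0700 (PDT)
Received: from ?67.132.147.54? ([67.132.147.54])
        by mx.google.com with ESMTP id 34si12509739nza.2007.08.18.23.04.59;
        Sat, 18 Aug 2007 23:05:27 -0700 (PDT)
Received-SPF: fail
Authentication-Results: mx.google.com; spf=hardfail smtp.mail=brionh@angstmagazine.com
Received: from [67.132.147.54] by mx1.biz.mail.yahoo.com; Sun, 19 Aug 2007 06:03:51 +0600
From: "Adrian Diamond" <brionh@angstmagazine.com>

"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
Resolver = Callable[[str], List[str]]  # DNSBL query name -> A records ([] = not listed)


def unfold(value: str) -> str:
    """Collapse RFC 5322 folding whitespace so a regex sees one line."""
    return " ".join(value.split())


def handoff_ip(msg: Message, our_mx: str) -> Optional[str]:
    """IP of the host that handed the message to our own MX.

    Received headers are prepended, so top-down is newest first. The first hop
    stamped 'by <our_mx>' was written by a server we run, so its 'from [ip]' is
    trustworthy; every hop below it came from the sender and may be forged (the
    rapidsite/yahoo lines in the samples are exactly such sender-written hops).
    """
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"from\s+(.*?)\s+by\s+(\S+)", unfold(rcvd))
        if m and m.group(2) == our_mx:
            ip = re.search(r"\[" + IPV4 + r"\]", m.group(1))
            return ip.group(1) if ip else None
    return None


def spf_result(msg: Message) -> str:
    """SPF verdict, preferring the MX's own Authentication-Results header."""
    m = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    if m:
        return m.group(1).lower()
    received_spf = msg.get("Received-SPF", "")
    return received_spf.split()[0].lower() if received_spf else "none"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the list zone: 134.33.237.89.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


# Return codes Spamhaus publishes for ZEN; other lists use their own codes.
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "CSS", "127.0.0.4": "XBL",
             "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}


def dnsbl_listings(ip: str, zone: str, resolve: Resolver) -> List[str]:
    answers = resolve(dnsbl_query_name(ip, zone))
    return sorted({ZEN_CODES.get(a, "unknown:" + a) for a in answers})


def triage(raw: str, our_mx: str, resolve: Resolver) -> Dict[str, object]:
    """Hard SPF failure or any blocklist hit rejects; neutral/none alone only
    flags for review, which is why the first post leaned on CBL/SBL, not SPF."""
    msg = message_from_string(raw)
    ip = handoff_ip(msg, our_mx)
    spf = spf_result(msg)
    listings = dnsbl_listings(ip, "zen.spamhaus.org", resolve) if ip else []
    if spf in ("fail", "hardfail") or listings:
        verdict = "reject"
    elif spf == "pass":
        verdict = "deliver"
    else:
        verdict = "review"
    return {"ip": ip, "spf": spf, "listings": listings, "verdict": verdict}


def fake_resolver(listed: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for a DNS lookup (hypothetical; swap in a real resolver)."""
    return lambda name: listed.get(name, [])


# Constructed answers mirroring what the posts report (SBL + CBL/XBL for the
# dialup, XBL for the exploitable server) so the sample runs without network.
FAKE_LISTED = {
    dnsbl_query_name("89.237.33.134", "zen.spamhaus.org"): ["127.0.0.2", "127.0.0.4"],
    dnsbl_query_name("67.132.147.54", "zen.spamhaus.org"): ["127.0.0.4"],
}

if __name__ == "__main__":
    for raw in (SAMPLE_NEUTRAL, SAMPLE_HARDFAIL):
        print(triage(raw, "mx.google.com", fake_resolver(FAKE_LISTED)))
```

Note the design choice in handoff_ip: the MX name is the trust boundary. The rapidsite.net and yahoo.com Received lines in the samples sit below the Google hop, so they were written by the spam sender, and a parser that simply takes the bottom-most Received line would be fooled by them.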

It turns out these morons are quite tenacious in regard to their campaign, as two more "ads" hit one of my email accounts:

Quote:
Delivered-To: <snipped>
Received: by 10.115.90.9 with SMTP id s9cs502009wal;
Sun, 19 Aug 2007 17:17:01 -0700 (PDT)
Received: by 10.90.73.7 with SMTP id v7mr1886857aga.1187569017868;
Sun, 19 Aug 2007 17:16:57 -0700 (PDT)
Return-Path: <jns@betweenzeros.com>
Received: from 61-250-217-97.rev.krline.net (61-250-217-97.rev.krline.net [61.250.217.97])
by mx.google.com with ESMTP id 66si6153889wra.2007.08.19.17.16.35;
Sun, 19 Aug 2007 17:16:57 -0700 (PDT)

Received-SPF: neutral (google.com: 61.250.217.97 is neither permitted nor denied by best guess record for domain of jns@betweenzeros.com) client-ip=61.250.217.97;
Authentication-Results: mx.google.com; spf=neutral (google.com: 61.250.217.97 is neither permitted nor denied by best guess record for domain of jns@betweenzeros.com) smtp.mail=jns@betweenzeros.com
Received: from [61.250.217.97] by smtp.secureserver.net; Mon, 20 Aug 2007 00:16:39 -0900
Message-ID: <01c7e2bf$60b0d120$61d9fa3d@jns>
From: "John Sprague" <jns@betweenzeros.com>
To: <snipped>
Subject: Order a Ph.D
Date: Mon, 20 Aug 2007 00:16:39 -0900
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C7E30A.D0987920"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1807
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807


Quote:
Delivered-To: <snipped>
Received: by 10.115.90.9 with SMTP id s9cs560594wal;
Mon, 20 Aug 2007 12:47:34 -0700 (PDT)
Received: by 10.35.10.13 with SMTP id n13mr7800236pyi.1187639252805;
Mon, 20 Aug 2007 12:47:32 -0700 (PDT)
Return-Path: <sibaclub@259oak.com>
Received: from p508ABF83.dip.t-dialin.net (p508ABF83.dip.t-dialin.net [80.138.191.131])
by mx.google.com with ESMTP id f60si9245429pyh.2007.08.20.12.47.02;
Mon, 20 Aug 2007 12:47:32 -0700 (PDT)

Received-SPF: neutral (google.com: 80.138.191.131 is neither permitted nor denied by best guess record for domain of sibaclub@259oak.com) client-ip=80.138.191.131;
Authentication-Results: mx.google.com; spf=neutral (google.com: 80.138.191.131 is neither permitted nor denied by best guess record for domain of sibaclub@259oak.com) smtp.mail=sibaclub@259oak.com
Received: from [80.138.191.131] by smtp.secureserver.net; Mon, 27 Aug 2007 19:45:09 -0100
Message-ID: <01c7e8e2$c69a6a90$83bf8a50@sibaclub>
From: "Chadwick Ratliff" <sibaclub@259oak.com>
To: <snipped>
Subject: We need Ph.d nominees
Date: Mon, 27 Aug 2007 19:45:09 -0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C7E8F3.8A233A90"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506


It appears as if both spam sources are compromised machines, the last one may even be b0tted (*dip.t-dialin.net are DSL customers of German T-Online). I once read that would violate the CAN-SPAM Act, but have no link for that at hand (the posting was from a reputable source in NANAE, perhaps even Steve Linford).

Olliver
All times are GMT - 8 Hours