Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
olliver Expert Developer

Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Thu Jul 05, 2007 12:12 pm Post subject: 0em down1oadz with Leo....
So Mister Kuvayev thinks I'm interested in an Adobe Suite 3 Design Premium download? Not quite, but I take the bait anyway and write about the spam.
The spam itself contains a hashbuster in plain text and an inline gif with one of those highlighted shiny software boxes. Also on that gif is the destination URL for this spam, so the prospective customer can get there by typing the URL and, at least as the spammer hopes, with the itching desire to be part of the chosen few who can afford to work with premium software.
Hashbuster (for the records):
| Quote: |
As distant memories, through the fog-dimmed light,
He never even dreams, being sheer snow;
Wheezing ravens, when
The mortal architect had brought to life,
Traces of those deep cuts lie thickly upon
I. Arctic Scenery
XI. Franklin's Last Voyage
VI. Smeerenburg and the Whale-Oil Rush
XVIII. The Northeast and Northwest Passages
Right, and appears from here to be overcome
A rabbit carcass in its stiffened fur.
I. Arctic Scenery
The face of a Quos ego),
In stone waves and rock waters, far from day,
He never even dreams, being sheer snow;
II. Quest and Conquest
A frame of glided twilight—I
Cascading snowflakes settle in the pines,
will come, blighting our harbingers of spring, |
Headers:
| Quote: |
Delivered-To: <redacted>
Received: by 10.70.26.12 with SMTP id 12cs361093wxz;
Thu, 5 Jul 2007 06:57:02 -0700 (PDT)
Received: by 10.90.63.16 with SMTP id l16mr7720430aga.1183643822388;
Thu, 05 Jul 2007 06:57:02 -0700 (PDT)
Return-Path: <rbala @ annemariecooke.com>
Received: from samsung-xbdw7ni ([210.0.40.54])
by mx.google.com with ESMTP id q26si12753062ele.2007.07.05.06.56.04;
Thu, 05 Jul 2007 06:57:02 -0700 (PDT)
Received-SPF: neutral (google.com: 210.0.40.54 is neither permitted nor denied by best guess record for domain of rbala @ annemariecooke.com)
Return-Path: <rbala @ annemariecooke.com>
Received: from 208.65.144.3 (HELO annemariecooke.com.inbound10.mxlogic.net)
by googlemail.com with esmtp (1;<=TPWE:E1 M3(J4W)
id :.'T84-.+/:ED-97
for <redacted>; Thu, 5 Jul 2007 13:57:01 -0900
Message-ID: <01c7bf0c$5c495110$6c822ecf@rbala>
From: "Jeff Sinclair" <rbala @ annemariecooke.com>
To: <redacted>
Subject: Adobe Suite 3 Design Premium download
Date: Thu, 5 Jul 2007 13:57:01 -0900
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_000F_01C7BF57.CC30F910"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437 |
The sender 210.0.40.54 is a hijacked machine somewhere in Korea and hasn't got a meaningful rDNS name:
| Quote: |
IPv4 Address : 210.0.32.0-210.0.47.255
Network Name : DREAMPLUS-INFRA
Connect ISP Name : DREAMPLUS
Registration Date : 20060703
Publishes : Y
[ Organization Information ]
Organization ID : ORG230332
Org Name : DreamcityMedia
Address : Songnae-dong, Sosa-gu, Bucheon-ci
Detail address : 423-6
Zip Code : 422-041
[ Technical Contact Information ]
Name : wooyoung Kil
Org Name : DreamcityMedia
Address : Songnae-dong, Sosa-gu, Bucheon-ci
Detail address : 423-6
Zip Code : 422-041
Phone : +82-32-668-0441
E-Mail : abuse at dreamcity.co.kr |
Fortunately it's already listed on Spamhaus, Spamcop, UCEprotect and others.
The spamvertised link goes to:
http ://www.oem-os.com/
oem-os.com resolves to 193.33.193.65 which is situated in Russia:
| Quote: |
inetnum: 193.33.192.0 - 193.33.193.255
netname: Torgcentermet
descr: "Torgcentermet" Ltd.
country: RU
org: ORG-TL78-RIPE
admin-c: VLA12-RIPE
tech-c: VLA12-RIPE
status: ASSIGNED PI
remarks: SPAM issues: abuse at torgcentermet.ru
remarks: SPAM issues: abuse at torgcentermet.ru
remarks: General information: info at torgcentermet.ru
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: HOSTER-RIPE-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: HOSTER-RIPE-MNT
mnt-domains: HOSTER-RIPE-MNT
source: RIPE # Filtered |
This IP address is also listed in Spamhaus' SBL, which associates it with Leo Kuvayev:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL56297
Name servers are not laga-soft.com for a change:
| Quote: |
[olliver@bunkiten ~]$ host -t ns oem-os.com
oem-os.com name server ns1.oem-os.com.
oem-os.com name server ns2.oem-os.com. |
Now it gets interesting, as ns1.oem-os.com resolves to 195.114.16.1, which is yet another blacklisted address associated with Leo Kuvayev:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL54564
195.114.16.1 is also known to be part of the rogue Russian Business Network, best known for harbouring iframedollars.biz et al.
| Quote: |
inetnum: 195.114.16.0 - 195.114.17.255
netname: MICRONNET-NET
descr: Micronnet LTD network
country: RU
org: ORG-MICR1-RIPE
admin-c: MICR1-RIPE
tech-c: MICR1-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: MICRONNET-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: MICRONNET-MNT
mnt-domains: MICRONNET-MNT
source: RIPE # Filtered
organisation: ORG-MICR1-RIPE
org-name: Micronnet LTD
org-type: OTHER
address: Reshetnikova str. HSE 9
address: 197119 St. Petersburg , Russia
e-mail: info@micronnet.net
mnt-ref: MICRONNET-MNT
mnt-by: MICRONNET-MNT
source: RIPE # Filtered
person: Main Technichal Account
address: Reshetnikova str. HSE 9
address: 197119 St. Petersburg , Russia
phone: +78127853699
nic-hdl: MICR1-RIPE
source: RIPE # Filtered |
(note "Micronet" is just an alias, similar to Inhoster/Cernel for Esthost)
Spamhaus considers RBN and their morphs a criminal spam operation and lists them in their ROKSO register (currently ranking at 4th position of their worst spammers top ten):
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL51155
Ok, now let's see what else ns1.oem-os.com will resolve to:
heropopotamus.com
leoemch.com
nemudnasdak.com
ns1.heropopotamus.com
ns1.laga-soft.com
ns1.sobaka-soft.com
ns2.oem-os.com
oem-os.com
vo-oem.com
Et voilà, we've got the trademark of Leo Kuvayev's 0em warez production line (marked in bold).
This address serves as name server for the following domains:
heropopotamus.com
laga-soft.com
nemudnasdak.com
oem-os.com
sobaka-soft.com
vo-oem.com
Again, Leo's trademark is marked in bold, and if you look closely, you'll also find the spamvertised domain in our neat little list.
Olliver _________________ Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe. |
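The header reading done by hand in the post above (find the hop where the receiving MX accepted the message, take the connecting IP from there, treat everything below that hop as unverifiable) can be automated. The following is an added example and not code from the post; the header sample is reconstructed from the message quoted above, with continuation lines re-indented and the recipient replaced by a placeholder, and the set of trusted receiving hosts is an assumption for the demo.

```python
"""Find the originating host of a spam from its Received: chain.

Added example (not from the post). SAMPLE_HEADERS is reconstructed from the
quoted message: continuation lines are re-indented and the recipient is a
placeholder. The trusted receiving hosts are an assumption for the demo.
"""
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

SAMPLE_HEADERS = """\
Delivered-To: victim@example.invalid
Received: by 10.70.26.12 with SMTP id 12cs361093wxz;
        Thu, 5 Jul 2007 06:57:02 -0700 (PDT)
Received: by 10.90.63.16 with SMTP id l16mr7720430aga.1183643822388;
        Thu, 05 Jul 2007 06:57:02 -0700 (PDT)
Return-Path: <rbala@annemariecooke.com>
Received: from samsung-xbdw7ni ([210.0.40.54])
        by mx.google.com with ESMTP id q26si12753062ele.2007.07.05.06.56.04;
        Thu, 05 Jul 2007 06:57:02 -0700 (PDT)
Received-SPF: neutral (google.com: 210.0.40.54 is neither permitted nor denied by best guess record for domain of rbala@annemariecooke.com)
Received: from 208.65.144.3 (HELO annemariecooke.com.inbound10.mxlogic.net)
        by googlemail.com with esmtp (1;<=TPWE:E1 M3(J4W)
        id :.'T84-.+/:ED-97
        for victim@example.invalid; Thu, 5 Jul 2007 13:57:01 -0900
From: "Jeff Sinclair" <rbala@annemariecooke.com>
Subject: Adobe Suite 3 Design Premium download
Date: Thu, 5 Jul 2007 13:57:01 -0900
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def unfold_headers(raw):
    """Return [(name, value)] with folded continuation lines joined; names lowercased."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def parse_received(value):
    """Pull the from-host, its IP literal, the by-host and the timestamp out of one hop."""
    clauses, _, stamp = value.rpartition(";")
    hop = {"from": None, "ip": None, "by": None, "when": None}
    m = re.search(r"\bfrom\s+(.+?)\s+by\s+(\S+)", clauses)
    if m:
        hop["from"], hop["by"] = m.group(1), m.group(2)
        ip = IPV4.search(m.group(1))
        hop["ip"] = ip.group(1) if ip else None
    else:  # internal relay hop ("by host with SMTP id ..."), no from-clause
        m = re.search(r"\bby\s+(\S+)", clauses)
        hop["by"] = m.group(1) if m else None
    try:
        hop["when"] = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):  # unparseable or forged timestamp
        pass
    return hop


def trace_origin(raw, trusted_by=("mx.google.com",), skew=timedelta(minutes=5)):
    """Locate the trust boundary hop and flag impossible timestamps below it.

    Received: headers are prepended, so the first hop (top-down) stamped by a
    host we trust is where the message entered our infrastructure; the IP in
    its from-clause is the real sender. Hops below it were supplied by that
    sender and cannot be verified; one that claims a time *later* than the
    trusted hop that relayed it is a forgery.
    """
    fields = unfold_headers(raw)
    hops = [parse_received(v) for n, v in fields if n == "received"]
    spf = next((v.split()[0].lower() for n, v in fields if n == "received-spf"), None)
    boundary = next((i for i, h in enumerate(hops)
                     if h["ip"] and h["by"] and h["by"].lower().endswith(trusted_by)), None)
    result = {"origin_ip": None, "origin_helo": None, "spf": spf,
              "unverified_hops": 0, "anomalies": []}
    if boundary is None:
        return result
    edge = hops[boundary]
    result["origin_ip"] = edge["ip"]
    result["origin_helo"] = edge["from"].split()[0]
    below = hops[boundary + 1:]
    result["unverified_hops"] = len(below)
    for h in below:
        if h["when"] and edge["when"] and h["when"] > edge["when"] + skew:
            ahead = int((h["when"] - edge["when"]).total_seconds())
            result["anomalies"].append(
                f"hop 'by {h['by']}' claims a time {ahead}s after the trusted hop that relayed it")
    return result


if __name__ == "__main__":
    for key, val in trace_origin(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

The HELO name and the connecting IP come from the same trusted hop, so the pair (samsung-xbdw7ni, 210.0.40.54) is what goes to the abuse desk; the "by googlemail.com" line below it, with its nonsense id and a timestamp nine hours in the future, is part of the bot's template and should not be reported as a relay.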
olliver Expert Developer
Posted: Sat Jul 07, 2007 4:11 am Post subject:
More 0emz from Leo Kuvayev....
Since there are a lot of new spams, I'm restricting myself to those that contain a not previously mentioned domain.
vo-oem.com
domain registration data:
| Quote: |
[whois.dns.com.cn]
Domain Name.......... vo-oem.com
Creation Date........ 2007-05-15 10:28:03
Registration Date.... 2007-05-15 10:28:03
Expiry Date.......... 2008-05-15 10:28:03
Organisation Name.... liu dong
Organisation Address. chang an dong ming jie
Organisation Address.
Organisation Address. Dongguan
Organisation Address. 518000
Organisation Address. GD
Organisation Address. CN
Admin Name........... liu dong
Admin Address........ chang an dong ming jie
Admin Address........
Admin Address........ Dongguan
Admin Address........ 518000
Admin Address........ GD
Admin Address........ CN
Admin Email.......... adminf@vo-oem.com
Admin Phone.......... +86.74632123223
Admin Fax............ +86.74632123223
Tech Name............ liu dong
Tech Address......... chang an dong ming jie
Tech Address.........
Tech Address......... Dongguan
Tech Address......... 518000
Tech Address......... GD
Tech Address......... CN
Tech Email........... adminf@vo-oem.com
Tech Phone........... +86.76932123223
Tech Fax............. +86.76932123223
Bill Name............ liu dong
Bill Address......... chang an dong ming jie
Bill Address.........
Bill Address......... Dongguan
Bill Address......... 518000
Bill Address......... GD
Bill Address......... CN
Bill Email........... adminf@vo-oem.com
Bill Phone........... +86.74632123223
Bill Fax............. +86.74632123223
Name Server.......... ns2.laga-soft.com
Name Server.......... ns1.laga-soft.com |
address:
195.114.16.1 (see previous post)
name servers:
ns1.vo-oem.com -> 116.199.133.60 (CN, AS18118)*
ns2.vo-oem.com -> 195.114.16.1
There seems to be an inconsistency between the domain whois data and the actual NS records pointing to different name servers, but a trace quickly shows how it works:
| Quote: |
vo-oem.com. 172800 IN NS ns1.laga-soft.com.
vo-oem.com. 172800 IN NS ns2.laga-soft.com.
;; Received 106 bytes from 192.55.83.30#53(M.GTLD-SERVERS.NET) in 241 ms
vo-oem.com. 3600 IN A 195.114.16.1
vo-oem.com. 3600 IN NS ns1.vo-oem.com.
vo-oem.com. 3600 IN NS ns2.vo-oem.com.
;; Received 112 bytes from 195.114.16.1#53(ns1.laga-soft.com) in 81 ms |
The ns[12].laga-soft.com name servers determine which IP address is used for vo-oem.com.
Leo Kuvayev's name server in China doesn't resolve anything else but vo-oem.com at this moment. But there's a Spamhaus listing for it:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL55799
Note that the 0em warez domain mentioned in this entry has been moved to 195.114.16.1:
| Quote: |
$ host ulsoftse.com
ulsoftse.com has address 195.114.16.1
ulsoftse.com mail is handled by 10 mail.ulsoftse.com.
$ host sto.ulsoftse.com
sto.ulsoftse.com has address 195.114.16.1 |
* Whois data for this name server:
| Quote: |
inetnum: 116.199.128.0 - 116.199.159.255
netname: Newspeed
descr: Shenzhen Newspeed Science and technology Development Limited company
descr: Shenzhen Mt. Nanshan area Nanhai main road Jinhun building B2612
country: CN
admin-c: YW929-AP
tech-c: YL1534-AP
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
status: ALLOCATED PORTABLE
changed: hm-changed at apnic.net 20070420
source: APNIC |
spam headers:
| Quote: |
Delivered-To: [redacted]
Received: by 10.70.26.12 with SMTP id 12cs403072wxz;
Fri, 6 Jul 2007 02:47:52 -0700 (PDT)
Received: by 10.141.83.15 with SMTP id k15mr131248rvl.1183715271685;
Fri, 06 Jul 2007 02:47:51 -0700 (PDT)
Return-Path: <dca2 @ urbanlivingtour.com>
Received: from ip90-176-166-62.adsl.versatel.nl (ip90-176-166-62.adsl.versatel.nl [62.166.176.90])
by mx.google.com with ESMTP id g6si1519585rvb.2007.07.06.02.46.41;
Fri, 06 Jul 2007 02:47:51 -0700 (PDT)
Received-SPF: neutral (google.com: 62.166.176.90 is neither permitted nor denied by best guess record for domain of dca2 @ urbanlivingtour.com)
Received: from [62.166.176.90] by smtp.secureserver.net; Fri, 6 Jul 2007 09:47:47 -0100
Message-ID: <01c7bfb2$b5d9c420$5ab0a63e@dca2>
From: "Sonya Chavez" <dca2 @ urbanlivingtour.com>
To: [redacted]
Subject: Autodesk Autocad download
Date: Fri, 6 Jul 2007 09:47:47 -0100
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_0006_01C7BFC3.79629420"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1158 |
Sent by a trojanned machine somewhere in the Netherlands.
The mail body is again some hashbuster, while the actual payload is in the attached image (the recipient has to type the URL manually):
| Quote: |
That rings, with faithful tongue, its pious note
And up there I cannot tell if it is still
It is as though I were at a second threshold.
Come, swallows, it's good-bye.
With a hand freed from weight,
Along the walls are only empty niches,
Traces of those deep cuts lie thickly upon
And beyond, the same sound of bees
Toward . . . that seems to be the whispered question
That patch of white at the very end of the road
giddy as good kids playing hookey. Now,
XVI. Laying a Ghost: The Jeannette and the Fram
What I have in my hands, these flowers, these shadows,
What is there in the depths of these walls
Of observation lying on the ground
Shadows keep piling up as surfaces
Everywhere, utterly.
To a higher level of appearance.
Will sound, then the Lord's face will luminesce |
Olliver
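The trace in the post above shows a delegation where the parent (.com) hands the zone to ns1/ns2.laga-soft.com while the zone itself advertises ns1/ns2.vo-oem.com. A resolver follows the parent's NS set on first contact, so that is the set that controls the zone. The following added example (not from the post) parses the tail of a dig +trace run and reports the mismatch; the trace text is the one quoted above, re-aligned into columns, and is used here as constructed sample input.

```python
"""Compare the parent delegation of a zone with the NS set the zone publishes.

Added example (not from the post). SAMPLE_TRACE is the dig +trace tail quoted
in the post, re-aligned into columns, and is the only input.
"""
import re

SAMPLE_TRACE = """\
vo-oem.com.             172800  IN  NS  ns1.laga-soft.com.
vo-oem.com.             172800  IN  NS  ns2.laga-soft.com.
;; Received 106 bytes from 192.55.83.30#53(M.GTLD-SERVERS.NET) in 241 ms

vo-oem.com.             3600    IN  A   195.114.16.1
vo-oem.com.             3600    IN  NS  ns1.vo-oem.com.
vo-oem.com.             3600    IN  NS  ns2.vo-oem.com.
;; Received 112 bytes from 195.114.16.1#53(ns1.laga-soft.com) in 81 ms
"""

# dig prints this after each server it asked: the IP that answered and its name
SERVER_LINE = re.compile(r"^;; Received \d+ bytes from (\S+?)#\d+\((\S+)\)")


def norm(name):
    """Canonical DNS name: no trailing dot, lowercase."""
    return name.rstrip(".").lower()


def parse_trace(text):
    """Split dig +trace output into sections: the records returned plus the server that returned them."""
    sections, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SERVER_LINE.match(line)
        if m:
            sections.append({"server_ip": m.group(1), "server_name": norm(m.group(2)),
                             "records": records})
            records = []
            continue
        if line.startswith(";"):  # other dig commentary
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        records.append((norm(owner), rtype.upper(), norm(rdata)))
    return sections


def delegation_report(text, zone):
    """Parent NS set vs. child NS set for `zone`, plus which servers actually answered."""
    zone = norm(zone)
    sections = parse_trace(text)
    # every section that carried NS records for the zone, in trace order
    ns_sets = [(s, {r[2] for r in s["records"] if r[0] == zone and r[1] == "NS"})
               for s in sections]
    ns_sets = [(s, ns) for s, ns in ns_sets if ns]
    report = {"zone": zone, "parent_ns": set(), "child_ns": set(), "apex_a": [],
              "answering_servers": {}, "delegation_mismatch": False}
    if len(ns_sets) >= 2:
        # the last NS set comes from the zone's own server, the one before it from the parent
        report["parent_ns"], report["child_ns"] = ns_sets[-2][1], ns_sets[-1][1]
    elif ns_sets:
        report["parent_ns"] = ns_sets[0][1]
    report["delegation_mismatch"] = bool(report["parent_ns"] and report["child_ns"]
                                         and report["parent_ns"] != report["child_ns"])
    last = sections[-1] if sections else {"records": []}
    report["apex_a"] = sorted(r[2] for r in last["records"] if r[0] == zone and r[1] == "A")
    for s in sections:
        report["answering_servers"][s["server_name"]] = s["server_ip"]
    return report


if __name__ == "__main__":
    rep = delegation_report(SAMPLE_TRACE, "vo-oem.com")
    print("parent delegates to :", sorted(rep["parent_ns"]))
    print("zone advertises     :", sorted(rep["child_ns"]))
    print("mismatch            :", rep["delegation_mismatch"])
    print("apex A              :", rep["apex_a"])
    print("servers that answered:", rep["answering_servers"])
```

The practical consequence of a mismatch is that blocking or reporting the child's vanity name servers achieves nothing; the names in the parent delegation (and the addresses that answered for them, captured in answering_servers) are the ones that matter.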
olliver Expert Developer
Posted: Sat Jul 07, 2007 5:06 am Post subject:
So far the majority of those spams are merely spamvertising oem-os.com, so it's not really interesting to repeat the analysis again. But here's one that doesn't contain a gif for a change, but uses a creative way of mixing up hash-buster and marketing drivel with a link to neostanusnah.com at the bottom.
Mail headers:
| Quote: |
Delivered-To: [redacted]
Received: by 10.70.26.12 with SMTP id 12cs446112wxz;
Fri, 6 Jul 2007 22:54:38 -0700 (PDT)
Received: by 10.82.126.5 with SMTP id y5mr3288929buc.1183787677572;
Fri, 06 Jul 2007 22:54:37 -0700 (PDT)
Return-Path: <staff @ leasingoptionsllc.com>
Received: from 137.Red-81-32-122.dynamicIP.rima-tde.net (137.Red-81-32-122.dynamicIP.rima-tde.net [81.32.122.137])
by mx.google.com with ESMTP id k9si3437318nfh.2007.07.06.22.53.36;
Fri, 06 Jul 2007 22:54:37 -0700 (PDT)
Received-SPF: neutral (google.com: 81.32.122.137 is neither permitted nor denied by best guess record for domain of staff @ leasingoptionsllc.com)
Received: from [81.32.122.137] by smtp.secureserver.net; Sat, 7 Jul 2007 05:54:35 -0100
Message-ID: <01c7c05b$4bed5370$897a2051@staff>
From: "Duane Nicholas" <staff @ leasingoptionsllc.com>
To: [redacted]
Subject: Retail price $1199.00 Our price $149 Adobe Creative 2 Premium
Date: Sat, 7 Jul 2007 05:54:35 -0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C7C063.ADB1BB70"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2527
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527 |
Origin is some b0tted end-user machine in Spain.
Mail body:
| Quote: |
The form sought for centuries by
Microsoft Windows Vista Business Retail Price $299.00 Our Price $79.95 You save $219.05
Are gliding toward me on the ice into
Adobe Dreamweaver CS3 Retail Price $399.00 Our Price $59.95 You save $339.05
watching calisthenics from the grandstands.
Autodesk AutoCAD 2008 Retail Price $6720.00 Our Price $129.95 You save $6590.05
No name, no meaning. Oh my friends,
Adobe Creative Suite 3 Design Premium Retail Price $1799.00 Our Price $269.90 You save $1529.1
Glimmering of light:
Adobe Photoshop CS3 Extended Retail Price $999.00 Our Price $89.95 You save $909.05
Shadows keep piling up as surfaces
CorelDraw Graphics Suite X3 Retail Price $399.00 Our Price $59.95 You save $339.05
I seek, above all, in the wandering
Adobe Acrobat 8.0 Professional Retail Price $449.00 Our Price $79.95 You save $369.05
watching calisthenics from the grandstands.
Microsoft Office 2007 Enterprise Retail Price $899.00 Our Price $79.95 You save $819.05
Not daring to oppose
Microsoft Windows Vista Ultimate Retail Price $399.95 Our Price $89.95 You save $310
http ://neostanusnah.com |
Whois is interesting, as its data is not available (0-day):
| Quote: |
[whois.internic.net]
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http ://www.internic.net
for detailed information.
No match for domain "NEOSTANUSNAH.COM".
>>> Last update of whois database: Fri, 6 Jul 2007 20:30:14 UTC <<< |
Yet it happily resolves to something meaningful:
| Quote: |
$ host neostanusnah.com
neostanusnah.com has address 195.114.16.1
neostanusnah.com mail is handled by 10 mail.neostanusnah.com |
As we already know the ip address from the initial post I'm not going to waste much time on it and move on to the name servers instead.
| Quote: |
neostanusnah.com. 172800 IN NS ns1.laga-soft.com.
neostanusnah.com. 172800 IN NS ns2.laga-soft.com.
;; Received 112 bytes from 192.41.162.30#53(L.GTLD-SERVERS.NET) in 133 ms
neostanusnah.com. 3600 IN A 195.114.16.1
neostanusnah.com. 3600 IN NS ns1.neostanusnah.com.
neostanusnah.com. 3600 IN NS ns2.neostanusnah.com.
;; Received 118 bytes from 195.114.16.1#53(ns1.laga-soft.com) in 82 ms |
Both ns1 and ns2.neostanusnah.com resolve to 195.114.16.1, so there's not much new to discover.
Olliver
olliver Expert Developer
Posted: Sat Jul 07, 2007 5:36 am Post subject:
yazabirudome.com is another 0-day domain without any whois data:
| Quote: |
[olliver@bunkiten ~]$ host yazabirudome.com
yazabirudome.com has address 195.114.16.1
yazabirudome.com mail is handled by 10 mail.yazabirudome.com. |
name servers:
| Quote: |
yazabirudome.com. 172800 IN NS ns1.laga-soft.com.
yazabirudome.com. 172800 IN NS ns2.laga-soft.com.
;; Received 112 bytes from 192.12.94.30#53(E.GTLD-SERVERS.NET) in 195 ms
yazabirudome.com. 3600 IN A 195.114.16.1
yazabirudome.com. 3600 IN NS ns1.yazabirudome.com.
yazabirudome.com. 3600 IN NS ns2.yazabirudome.com.
;; Received 118 bytes from 195.114.16.1#53(ns1.laga-soft.com) in 81 ms |
ns[12].yazabirudome.com resolve to 195.114.16.1, so let's focus on the laga-soft.com name servers instead. ns2.laga-soft.com is situated in Malaysia and resolves different domains than ns1.laga-soft.com.
ns2.laga-soft.com -> 203.223.150.35 (MY, AS17992)
other domains resolving on 203.223.150.35:
flodiny.com
laga-soft.com
mail.locu.st
neholnasdak.com
ns1.nemudnasdak.com
ns2.locu.st
ns2.sobaka-soft.com
razdeltruda.com
locu.st is another trademark of Leo Kuvayev.
203.223.150.35 is used as name server for the following domains:
flodiny.com
laga-soft.com
locu.st
neholnasdak.com
nemudnasdak.com
razdeltruda.com
sobaka-soft.com
Interestingly it hasn't caught Spamhaus' attention as of now, maybe because it has been added very recently.
The spam itself is of the same type as mentioned in the previous post.
Headers:
| Quote: |
Delivered-To: [redacted]
Received: by 10.70.26.12 with SMTP id 12cs448544wxz;
Sat, 7 Jul 2007 01:02:34 -0700 (PDT)
Received: by 10.35.78.9 with SMTP id f9mr2748664pyl.1183795354642;
Sat, 07 Jul 2007 01:02:34 -0700 (PDT)
Return-Path: <egeslien @ canakkale2night.com>
Received: from ?61.173.75.244? ([61.173.75.244])
by mx.google.com with ESMTP id 38si40056473nzk.2007.07.07.01.01.49;
Sat, 07 Jul 2007 01:02:34 -0700 (PDT)
Received-SPF: fail
Received: from [61.173.75.244] by smtp.secureserver.net; Sat, 7 Jul 2007 08:02:46 -0800
Message-ID: <01c7c06d$346f5bf0$f44bad3d@egeslien>
From: "Penny Hutton" <egeslien @ canakkale2night.com>
To: [redacted]
Subject: Our price: $269.90 save: $1529 PHOTOSHOP CS3 READY TO DOWNLOAD $89.95 ONLY!
Date: Sat, 7 Jul 2007 08:02:46 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C7C0B0.42929BF0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2741.2600
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2741.2600 |
Olliver
olliver Expert Developer
Posted: Sat Jul 07, 2007 5:53 am Post subject:
dadaidom.com is the next in line, the spam is again of the same type as the previous two:
| Quote: |
Domain name: dadaidom.com
Registrant Contact:
-
Alex Rodrigez domains@preved.cd
+358-30-5563 fax:
po box 445
Laapentranta Laapentranta 12700
fi
Administrative Contact:
Alex Rodrigez domains@preved.cd
+358-30-5563 fax:
po box 445
Laapentranta Laapentranta 12700
fi
Technical Contact:
Alex Rodrigez domains@preved.cd
+358-30-5563 fax:
po box 445
Laapentranta Laapentranta 12700
fi
Billing Contact:
Alex Rodrigez domains@preved.cd
+358-30-5563 fax:
po box 445
Laapentranta Laapentranta 12700
fi
DNS:
ns1.laga-soft.com
ns2.laga-soft.com
Created: 2007-07-06
Expires: 2008-07-06 |
Alex Rodrigez is a pseudonym quite frequently used by Leo Kuvayev, including his famous locu.st domain.
Name servers:
| Quote: |
dadaidom.com. 172800 IN NS ns1.laga-soft.com.
dadaidom.com. 172800 IN NS ns2.laga-soft.com.
;; Received 108 bytes from 192.54.112.30#53(H.GTLD-SERVERS.NET) in 28 ms
dadaidom.com. 3600 IN A 195.114.16.1
dadaidom.com. 3600 IN NS ns1.dadaidom.com.
dadaidom.com. 3600 IN NS ns2.dadaidom.com.
;; Received 114 bytes from 195.114.16.1#53(ns1.laga-soft.com) in 67 ms |
Everything is on 195.114.16.1 again, so there's nothing really new to discover.
Mail headers:
| Quote: |
Delivered-To: [redacted]
Received: by 10.70.26.12 with SMTP id 12cs453266wxz;
Sat, 7 Jul 2007 03:52:43 -0700 (PDT)
Received: by 10.82.111.8 with SMTP id j8mr3756521buc.1183805563193;
Sat, 07 Jul 2007 03:52:43 -0700 (PDT)
Return-Path: <rjack @ evilgeniusclothes.com>
Received: from 82-170-210-160.dsl.ip.tiscali.nl (82-170-210-160.dsl.ip.tiscali.nl [82.170.210.160])
by mx.google.com with ESMTP id 35si4812726nfu.2007.07.07.03.52.15;
Sat, 07 Jul 2007 03:52:43 -0700 (PDT)
Received-SPF: neutral (google.com: 82.170.210.160 is neither permitted nor denied by best guess record for domain of rjack @ evilgeniusclothes.com)
Received: from [82.170.210.160] by mail.dieselhost.com; Sat, 7 Jul 2007 10:52:43 -0100
Message-ID: <01c7c084$f25b8a50$a0d2aa52@rjack>
From: "Marissa Carpenter" <rjack @ evilgeniusclothes.com>
To: [redacted]
Subject: You save: US $ 1049.05 ADOBE CREATIVE SUITE 2 PREMIUM
Date: Sat, 7 Jul 2007 10:52:43 -0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C7C095.B5E45A50"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2905
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2905 |
Olliver
olliver Expert Developer
Posted: Sat Jul 07, 2007 6:09 am Post subject:
Just arrived; the style is the text version of the spam as mentioned in the previous posts.
domenadavatel.com
Whois:
| Quote: |
Domain name: domenadavatel.com
Registrant Contact:
-
Alex Rodrigez domains@preved.cd
+358-30-5563 fax:
po box 445
Laapentranta Laapentranta 12700
fi
Administrative Contact:
Alex Rodrigez domains@preved.cd
+358-30-5563 fax:
po box 445
Laapentranta Laapentranta 12700
fi
Technical Contact:
Alex Rodrigez domains@preved.cd
+358-30-5563 fax:
po box 445
Laapentranta Laapentranta 12700
fi
Billing Contact:
Alex Rodrigez domains@preved.cd
+358-30-5563 fax:
po box 445
Laapentranta Laapentranta 12700
fi
DNS:
ns1.laga-soft.com
ns2.laga-soft.com
Created: 2007-07-06
Expires: 2008-07-06 |
Name servers:
| Quote: |
domenadavatel.com. 172800 IN NS ns1.laga-soft.com.
domenadavatel.com. 172800 IN NS ns2.laga-soft.com.
;; Received 113 bytes from 192.42.93.30#53(G.GTLD-SERVERS.NET) in 184 ms
domenadavatel.com. 3600 IN A 195.114.16.1
domenadavatel.com. 3600 IN NS ns1.domenadavatel.com.
domenadavatel.com. 3600 IN NS ns2.domenadavatel.com.
;; Received 119 bytes from 195.114.16.1#53(ns1.laga-soft.com) in 67 ms |
Again, everything's on 195.114.16.1, so there's no need for any further details.
email headers:
| Quote: |
Delivered-To: [redacted]
Received: by 10.70.26.12 with SMTP id 12cs459042wxz;
Sat, 7 Jul 2007 06:56:01 -0700 (PDT)
Received: by 10.78.147.6 with SMTP id u6mr766140hud.1183816560635;
Sat, 07 Jul 2007 06:56:00 -0700 (PDT)
Return-Path: <hardeep @ dhssolution.com>
Received: from 87.97.32.38.pool.invitel.hu (87.97.32.38.pool.invitel.hu [87.97.32.38])
by mx.google.com with ESMTP id f6si5810536nfh.2007.07.07.06.55.32;
Sat, 07 Jul 2007 06:56:00 -0700 (PDT)
Received-SPF: neutral (google.com: 87.97.32.38 is neither permitted nor denied by best guess record for domain of hardeep @ dhssolution.com)
Received: from [87.97.32.38] by mxpu00.ispgateway.de; Sat, 7 Jul 2007 13:55:56 -0100
Message-ID: <01c7c09e$8a80a180$26206157@hardeep>
From: "Gregorio Ho" <hardeep @ dhssolution.com>
To: [redacted]
Subject: ADOBE CS3
Date: Sat, 7 Jul 2007 13:55:56 -0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0007_01C7C0AF.4E097180"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663 |
Ok. There's still a load of pharma spams; I'm going to look into them later during the evening hours (CEST, that is).
Olliver
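Across the thread the same pivots keep recurring: a zone apex or name server on 195.114.16.1, a delegation to ns1/ns2.laga-soft.com, the registrant domains@preved.cd. The following is an added example, not code from the posts, that turns that manual pivoting into a small graph: OBSERVATIONS transcribes the indicators the thread reports per domain (apex IP, IP of the serving name server, name servers in the parent delegation, registrant e-mail) as constructed sample data, deliberately treats the apex address and the serving name server's address as one indicator type (ip:), and leaves out domains for which the thread gives no data rather than guessing. It then finds the connected groups, ranks indicators by how many domains they tie together, and measures how far the cluster falls apart if a single indicator is removed, which is the question a blocklist maintainer actually has to answer.

```python
"""Pivot on shared infrastructure across spamvertised domains.

Added example (not from the posts). OBSERVATIONS is constructed sample data
transcribed from the thread: per domain, the apex IP and the IP of the name
server that served it (both as "ip:"), the name servers in the parent
delegation ("ns:") and the registrant e-mail ("email:") where the thread
gives one.
"""
from collections import defaultdict, deque

OBSERVATIONS = {
    "oem-os.com": {"ip:193.33.193.65", "ip:195.114.16.1",
                   "ns:ns1.oem-os.com", "ns:ns2.oem-os.com"},
    "vo-oem.com": {"ip:195.114.16.1", "ip:116.199.133.60",
                   "ns:ns1.laga-soft.com", "ns:ns2.laga-soft.com",
                   "email:adminf@vo-oem.com"},
    "neostanusnah.com": {"ip:195.114.16.1", "ns:ns1.laga-soft.com", "ns:ns2.laga-soft.com"},
    "yazabirudome.com": {"ip:195.114.16.1", "ns:ns1.laga-soft.com", "ns:ns2.laga-soft.com"},
    "dadaidom.com": {"ip:195.114.16.1", "ns:ns1.laga-soft.com", "ns:ns2.laga-soft.com",
                     "email:domains@preved.cd"},
    "domenadavatel.com": {"ip:195.114.16.1", "ns:ns1.laga-soft.com", "ns:ns2.laga-soft.com",
                          "email:domains@preved.cd"},
    "ulsoftse.com": {"ip:195.114.16.1"},
    "laga-soft.com": {"ip:195.114.16.1", "ip:203.223.150.35"},
}


def index_by_indicator(obs, ignore=frozenset()):
    """Reverse index: indicator -> set of domains carrying it."""
    idx = defaultdict(set)
    for domain, inds in obs.items():
        for ind in inds - set(ignore):
            idx[ind].add(domain)
    return idx


def pivot(obs, indicator):
    """All domains that share one indicator (the manual 'what else resolves here' step)."""
    return sorted(index_by_indicator(obs).get(indicator, ()))


def components(obs, ignore=frozenset()):
    """Groups of domains, two domains being linked when they share any indicator.

    Breadth-first search over the bipartite domain/indicator graph.
    """
    idx = index_by_indicator(obs, ignore)
    seen, groups = set(), []
    for start in sorted(obs):
        if start in seen:
            continue
        group, queue = set(), deque([start])
        while queue:
            d = queue.popleft()
            if d in seen:
                continue
            seen.add(d)
            group.add(d)
            for ind in obs[d] - set(ignore):
                queue.extend(idx[ind] - seen)
        groups.append(frozenset(group))
    return groups


def rank_indicators(obs):
    """Indicators by number of domains they connect, most shared first."""
    idx = index_by_indicator(obs)
    return sorted(((ind, len(ds)) for ind, ds in idx.items()), key=lambda t: (-t[1], t[0]))


def fragmentation(obs):
    """Number of groups the cluster splits into if one indicator is taken away.

    A high value marks a choke point: blocking that one indicator breaks most links.
    """
    return {ind: len(components(obs, ignore={ind})) for ind in index_by_indicator(obs)}


if __name__ == "__main__":
    print("groups:", [sorted(g) for g in components(OBSERVATIONS)])
    print("most shared:", rank_indicators(OBSERVATIONS)[:3])
    frag = fragmentation(OBSERVATIONS)
    print("splits cluster most:", max(frag, key=frag.get), "->", max(frag.values()), "groups")
```

On this data every domain ends up in one group; 195.114.16.1 is the indicator that links the most domains and the only one whose removal splits the cluster, while dropping ns1.laga-soft.com changes nothing because ns2 carries the same link. That is the argument for listing the address rather than chasing each new throwaway domain.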