Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Spammy making up email addresses...

 
olliver
Posted: Tue Mar 17, 2009 5:09 pm    Post subject: Spammy making up email addresses...

Looks like some spam outfit was trying to deliver some goodies ;)

Quote:
Mar 18 00:34:39 mail sm-mta[7952]: n2HNYb8l007952: <webmaster@example.com>... User unknown
Mar 18 00:34:39 mail sm-mta[7952]: n2HNYb8l007952: from=<alex@webmasterskit.com>, size=928, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=anybuyer.com [78.110.168.162]


Example.com is a placeholder for one of the domains my mail server is responsible for. There are some frequently abused email accounts my users are avoiding for a very obvious reason ;)

Quote:
inetnum: 78.110.168.0 - 78.110.168.255
netname: VASERVE-IP-5
descr: VASERVE LTD IP RANGE 5
country: GB
admin-c: JN1960-RIPE
tech-c: JN1960-RIPE
status: ASSIGNED PA
mnt-by: UKSERVERS-MNT
source: RIPE # Filtered

person: J Needham
address: BlueSquare House, Priors Way, Maidenhead, SL6 2HP
abuse-mailbox: abuse [ed] a2b2.com
phone: +441312082785
nic-hdl: JN1960-RIPE
source: RIPE # Filtered


VAServe is a reseller of UKservers Ltd (AS42831).

anybuyer.com looks like it is owned by a spammer:

Quote:
Domain Name: ANYBUYER.COM

Registrant [1273675]:
Moniker, Privacy Services ANYBUYER.COM@domainservice.com
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US


Administrative Contact [1273675]:
Moniker, Privacy Services ANYBUYER.COM@domainservice.com
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US
Phone: +1.9549848445
Fax: +1.9549699155


Billing Contact [1273675]:
Moniker, Privacy Services ANYBUYER.COM@domainservice.com
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US
Phone: +1.9549848445
Fax: +1.9549699155


Technical Contact [1273675]:
Moniker, Privacy Services ANYBUYER.COM@domainservice.com
Moniker Privacy Services
20 SW 27th Ave.
Suite 201
Pompano Beach
FL
33069
US
Phone: +1.9549848445
Fax: +1.9549699155

Domain servers in listed order:

NS1.DOMAINSERVICE.COM 208.73.210.41
NS2.DOMAINSERVICE.COM 208.73.211.42
NS3.DOMAINSERVICE.COM 208.73.210.43
NS4.DOMAINSERVICE.COM 208.73.211.44

Record created on: 2007-12-18 14:29:45.0
Database last updated on: 2009-03-11 09:27:42.2
Domain Expires on: 2009-12-18 14:29:45.0


Anybuyer.com does not accept HTTP traffic, so I presume it's just set up for "mailblasts".

The email domain (webmasterskit.com -> 63.246.153.14) is hosted by sago:

Quote:
%rwhois V-1.0,V-1.5:00090h:00 portal.sagonet.com (Ubersmith RWhois Server V-1.0)
autharea=63.246.153.0/24
xautharea=63.246.153.0/24
network:Class-Name:network
network:Auth-Area:63.246.153.0/24
network:ID:NET-480.63.246.153.14/31
network:Network-Name:Primary Assignment
network:IP-Network:63.246.153.14/31
network:IP-Network-Block:63.246.153.14 - 63.246.153.15
network:Org-Name:Foroquimica SL
network:Street-Address:Paratge Masos 9
network:City:Girona
network:State:Catalunya
network:Postal-Code:17162
network:Country-Code:ES
network:Tech-Contact:MAINT-480.63.246.153.14/31
network:Created:20070409205107000
network:Updated:20071119124600000



Quote:
Domain Name: WEBMASTERSKIT.COM

Registrant [1520601]:
Jovany Weber webmaster@webmasterskit.com
Poplar Street 68
Alamogordo
NM
88311
US


Administrative Contact [1520601]:
Jovany Weber webmaster@webmasterskit.com
Poplar Street 68
Alamogordo
NM
88311
US
Phone: +1.5055642808


Billing Contact [1520601]:
Jovany Weber webmaster@webmasterskit.com
Poplar Street 68
Alamogordo
NM
88311
US
Phone: +1.5055642808


Technical Contact [1520601]:
Jovany Weber webmaster@webmasterskit.com
Poplar Street 68
Alamogordo
NM
88311
US
Phone: +1.5055642808


Domain servers in listed order:

NS1.TECHSERVERDNS.COM
NS2.TECHSERVERDNS.COM

Record created on: 2007-10-19 14:46:48.0
Database last updated on: 2009-01-25 07:03:33.907
Domain Expires on: 2009-10-19 14:46:48.0


Google leaves no doubt that alex@webmasterskit.com can be associated with unsolicited advertisements:
http://www.google.com/search?q=alex@webmasterskit.com

Sneak a peek at the money page:

Quote:
WebmastersKit.com - A Free & Reliable Link Exchange Service

Looking to Get More Inbound Links?
Sign up using our Fast and Free Registration to get more inbound links. But that's not all - benefits include:

Get Five Quality Links in Three Simple Step
A Free & Effective Link Exchange Service
Improve your Search Engine Rankings

source: www.webmasterskit.com

IOW, some SEO spammer who believes that spam is what the other guy does, and that this excludes his/her/its link exchange bargain offer...

rDNS scan does not reveal anything that looks like a snowshoe spammer. Perhaps it's just that one server only:
Quote:
-----
162.168.110.78.in-addr.arpa domain name pointer anybuyer.com.
-----


Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
MysteryFCM
Posted: Wed Mar 18, 2009 12:12 pm

Nice catch :)
_________________
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
olliver
Posted: Thu Jul 23, 2009 10:11 pm    Post subject: Look who's back....

Spammy has found a new home to spam from:

Quote:
Jul 24 04:36:02 mail sm-mta[17293]: n6O2ZjVP017293: ruleset=check_rcpt, arg1=<webmaster@example.com>, relay=answersdotcom.com [93.115.249.203], reject=550 5.0.0 <webmaster@example.com>... Spam is not welcome here
Jul 24 04:36:03 mail sm-mta[17293]: n6O2ZjVP017293: from=<alex@webmasterskit.com>, size=932, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=answersdotcom.com [93.115.249.203]


Again, trying to reach a commonly used account which does not exist on my mail server for obvious reasons. The IP address is located in Romania (that alone is a sure spam sign in most cases):

Quote:
inetnum: 93.115.248.0 - 93.115.251.255
netname: SC-SIMPLIQ-SRL
descr: SC SimpliQ SRL
descr: 21 Decembrie 1989, nr. 150/55
descr: Cluj-Napoca Cluj Romania
country: ro
admin-c: SN148-RIPE
tech-c: SN148-RIPE
status: ASSIGNED PA
remarks: Registered through http://www.jump.ro/ip.html
mnt-by: RO-MNT
mnt-lower: RO-MNT
mnt-routes: SIMPLIQ-MNT
source: RIPE # Filtered

person: SimpliQ NOC
address: Fabricii de Chibrituri 13-21
address: ICPIAF Building, 1st floor
address: Cluj-Napoca
address: Romania
phone: +40-364-567080
e-mail: noc @ simpliq.com
nic-hdl: SN148-RIPE
remarks: --------------------------------
remarks: abuse reports: abuse @ simpliq.com
remarks: --------------------------------
mnt-by: SIMPLIQ-MNT
source: RIPE # Filtered

% Information related to '93.115.248.0/22AS39758'

route: 93.115.248.0/22
descr: SC SimpliQ SRL
origin: AS39758
mnt-by: SIMPLIQ-MNT
source: RIPE # Filtered


Whois of the spam source:
Quote:
Domain Name: ANSWERSDOTCOM.COM
Registrar: MONIKER

Registrant [21106]:
dave rosenbom domains@3000domains.com
james
Victoria House 45
Gibraltar
Gibraltar
76432
GI


Administrative Contact [21106]:
dave rosenbom domains@3000domains.com
james
Victoria House 45
Gibraltar
Gibraltar
76432
GI
Phone: +1.57087889


Billing Contact [21106]:
dave rosenbom domains@3000domains.com
james
Victoria House 45
Gibraltar
Gibraltar
76432
GI
Phone: +1.57087889


Technical Contact [21106]:
dave rosenbom domains@3000domains.com
james
Victoria House 45
Gibraltar
Gibraltar
76432
GI
Phone: +1.57087889


Domain servers in listed order:

NS1.DOMAINSERVICE.COM 208.73.210.41
NS2.DOMAINSERVICE.COM 208.73.211.42
NS3.DOMAINSERVICE.COM 208.73.210.43
NS4.DOMAINSERVICE.COM 208.73.211.44

Record created on: 2007-11-09 14:19:10.0
Database last updated on: 2009-07-21 10:39:11.663
Domain Expires on: 2009-11-09 14:19:10.0


It seems that webmasterspam.com-Alex has relocated himself to Gibraltar as "Dave Rosenbom" (from the US via Gibraltar to Romania)... For reasons unknown to me (not quite, actually ;)), answersdotcom.com does not respond to HTTP requests. But it does want to receive mail, it seems:

Quote:
Trying 93.115.249.203...
Connected to answersdotcom.com.
Escape character is '^]'.
220 host.answersdotcom.com ESMTP Postfix (Debian/GNU)
quit
221 2.0.0 Bye
Connection closed by foreign host.


O.
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
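
Added example, not part of either post above: a small Python log correlator that joins each refused-recipient line to the from= summary sharing its sendmail queue ID, then reports envelope senders whose refused attempts came from more than one relay IP, which is the pattern the two posts document by hand. The function names and regexes are assumptions based only on the sm-mta line layout quoted in this thread.

```python
import re
from collections import defaultdict

# Lines 1-4 are the sendmail entries quoted in the posts; line 5 is a
# constructed legitimate delivery added for contrast.
SAMPLE_LOG = """\
Mar 18 00:34:39 mail sm-mta[7952]: n2HNYb8l007952: <webmaster@example.com>... User unknown
Mar 18 00:34:39 mail sm-mta[7952]: n2HNYb8l007952: from=<alex@webmasterskit.com>, size=928, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=anybuyer.com [78.110.168.162]
Jul 24 04:36:02 mail sm-mta[17293]: n6O2ZjVP017293: ruleset=check_rcpt, arg1=<webmaster@example.com>, relay=answersdotcom.com [93.115.249.203], reject=550 5.0.0 <webmaster@example.com>... Spam is not welcome here
Jul 24 04:36:03 mail sm-mta[17293]: n6O2ZjVP017293: from=<alex@webmasterskit.com>, size=932, class=0, nrcpts=0, bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=answersdotcom.com [93.115.249.203]
Jul 24 05:10:11 mail sm-mta[17301]: n6O3AB12017301: from=<friend@example.org>, size=1204, class=0, nrcpts=1, bodytype=8BITMIME, proto=ESMTP, daemon=MTA-v4, relay=mx.example.org [192.0.2.10]
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]+)\s\S+\ssm-mta\[\d+\]:\s(\w+):\s(.*)$")
# Recipient refused: either "User unknown" or a check_rcpt ruleset reject.
REJECT = re.compile(r"(?:^|arg1=)<([^>]+)>(?:\.\.\. User unknown|,.*\breject=)")
FROM = re.compile(r"from=<([^>]*)>.*\bnrcpts=(\d+).*\brelay=(\S+) \[([\d.]+)\]")

def rejected_senders(log_text):
    """Map envelope sender -> [(timestamp, relay, ip, refused recipient)]."""
    refused = {}                      # queue id -> refused recipient
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, qid, rest = m.groups()
        rej = REJECT.search(rest)
        if rej:
            refused[qid] = rej.group(1)
            continue
        frm = FROM.search(rest)
        # The from= summary follows the rejection under the same queue id;
        # nrcpts=0 means no recipient was accepted in that session.
        if frm and qid in refused and frm.group(2) == "0":
            sender, _, relay, ip = frm.groups()
            hits[sender].append((stamp, relay, ip, refused[qid]))
    return dict(hits)

def relay_hoppers(hits):
    """Senders whose refused attempts came from more than one relay IP."""
    out = {}
    for sender, rows in hits.items():
        ips = sorted({ip for _, _, ip, _ in rows})
        if len(ips) > 1:
            out[sender] = ips
    return out

if __name__ == "__main__":
    for sender, ips in relay_hoppers(rejected_senders(SAMPLE_LOG)).items():
        print(sender, "->", ", ".join(ips))
```

Because the envelope sender is attacker-chosen, treat the grouping as a lead for the whois and rDNS checks shown in the posts rather than as attribution.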