Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

mugu mail, Feb 25 2009

 
olliver
Expert Developer


Joined: 27 Jan 2006
Last Visit: 02 Dec 2010
Posts: 1157
Location: yes

Posted: Wed Feb 25, 2009 1:18 am    Post subject: mugu mail, Feb 25 2009

This is an interesting variant in that the lads involved use several throwaway domains for their dropboxes.

headers:

Quote:
Delivered-To: [spamtrap]
Received: by 10.150.215.3 with SMTP id n3cs30329ybg;
Tue, 24 Feb 2009 66:66:66 -0800 (PST)
Received: by 10.223.107.198 with SMTP id c6mr583475fap.32.6666666666666;
Tue, 24 Feb 2009 66:66:66 -0800 (PST)
Return-Path: <jhess@iol.cz>
Received: from smtp-out3.iol.cz (smtp-out3.iol.cz [194.228.2.91])
by mx.google.com with ESMTP id 5si6502807fxm.90.2009.02.24.66.66.66;
Tue, 24 Feb 2009 66:66:66 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of jhess@iol.cz designates 194.228.2.91 as permitted sender) client-ip=194.228.2.91;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of jhess@iol.cz designates 194.228.2.91 as permitted sender) smtp.mail=jhess@iol.cz
Received: from antivir5.iol.cz (unknown [192.168.30.212])
by smtp-out3.iol.cz (Postfix) with ESMTP id 90736BD06FA;
Wed, 25 Feb 2009 66:66:66 +0000 (UTC)
Received: from localhost (antivir5.iol.cz [127.0.0.1])
by antivir5.iol.cz (Postfix) with ESMTP id 6680D28007;
Wed, 25 Feb 2009 66:66:66 +0100 (CET)
X-Virus-Scanned: amavisd-new at iol.cz
Received: from antivir5.iol.cz ([127.0.0.1])
by localhost (antivir5.iol.cz [127.0.0.1]) (amavisd-new, port 10224)
with LMTP id iYxLZLuxx8AE; Wed, 25 Feb 2009 66:66:66 +0100 (CET)
Received: from smtp-out3.iol.cz (mta-out3 [192.168.30.28])
by antivir5.iol.cz (Postfix) with ESMTP id E48A92800D;
Wed, 25 Feb 2009 66:66:66 +0100 (CET)
Received: from Murphy-PC (unknown [77.208.173.214])
by smtp-out3.iol.cz (Postfix) with ESMTP id 56DB06B42C7;
Wed, 25 Feb 2009 66:66:66 +0100 (CET)

Message-ID: <xxxxxx-xxxxxxxxxxx@Murphy-PC>
To: "Award Recipient" <email_ballot@europa-swiss.info>
Reply-To: "Mrs. Michele Sorensen." <email_ballot@europa-swiss.info>
Organization: Euro Millones
From: "Mrs. Michele Sorensen." <jhess@iol.cz>
Subject: Urgent Response Required.(Congratulations)
Date: Wed, 25 Feb 2009 66:66:66 +0100
MIME-Version: 1.0
Content-type: text/plain; charset=windows-1252


body:

Quote:
Euro Millones Loteria S.A
Calle Zurbano 45
1ª Planta, 28010
Madrid, España.

ATTN: WINNER,

!!!!!!!! NOTIFICATION OF AWARD WINNING PRIZE !!!!!!!!

Finally today, the result of winners of the EURO MILLONES LOTERIA E-mail program held on the 16th of February 2009 was announced. Your e-mail address attached to TICKET No: D01- 098-94-65 with REFERENCE No:A98-709-980 drew STAR No: A87-98-76-89-54 which consequently won in the 2ND CATEGORY, you have therefore been approved for a lump sum pay out of €950.000.00cents (Nine Hundred and Fifty Thousand Euro).

!!!CONGRATULATIONS!!!

The draw was carried out through random sampling (A QUATITATIVE TECHNIQUE) in our computerized email selection programme (TOPAZ) from a database of over 1,000,000 email addresses drawn from 66 Countries around the World.

The online draws was conducted by a random selection of email addresses from an exclusive list of 30,031 Email addresses of individuals and corporate bodies picked by an advanced automated random computer search from the internet. As such no tickets were sold but all email addresses were assigned to different ticket numbers for representation,identification and privacy.

This promotion is to encourage our prominent Microsoft Internet Explorer users all over the world. Microsoft Electronic Mail Loteria is approved and Licensed by the International Association of Lottery (IAL). Ensure to keep your winning information in confidence until your award is duly processed and claimed. This is part of our security measures to avoid double claiming or unwarranted advantage taking of the situation by other participants or impersonators in some cases.

To begin your claim, you will have to complete a release order form which will be enclosed in the confirmation email from the claim processing agent. Contact the claim agent immediately via email or telephone with the information below:

Euro Millones Loteria-Claim Processing Agent
Name: Mr. Patrick Hango
Email: processing_unit@euro-millonex.mobi
TELEFAX: +34-634-033-034

You are to send the information below to the CLAIM PROCESSING AGENT via email for the confirmation of your winning.

1. Your full names:
2. Your address:
3. Telephone/fax numbers:
4. Occupation/age:
5. Amount won:
6. Reference Number:
7. Security File Number:
8. Ticket Number:
9. Reconfirm Email Address:
10. Date Notified:

Note that your SECURITY FILE NUMBER IS EML/8903-690/504 (keep personal) remember, all prize money must be claimed within two weeks. Failure to do so your winning amount will be returned to the Ministerio De Economia Y Hacienda as Un-claimed. In order to avoid unnecessary delays and complications please remember to quote your Security File Number in all correspondence with the Claim Officer.

Yours Sincerely,
Michele Sorensen.
Loteria Coordinator

Note:
- All claims are nullified after 14 working days from today.
- Do inform the claims officer of any change of Names, Address and Email.
- All winners under the age of 18 are automatically disqualified.


There are some indicators that these mugus are operating from Spain (apart from the fake lottery):

The presumable sender, 77.208.173.214, belongs to a Spanish ISP:
Quote:
inetnum: 77.208.128.0 - 77.208.191.255
netname: VODAFONE_SPAIN_NETWORK
descr: GLOBAL MOBILE OPERATOR
country: ES
admin-c: AIRT1-RIPE
tech-c: OPG2-RIPE
status: ASSIGNED PA
mnt-by: AIRTELNET-MNT
source: RIPE # Filtered


The dropbox domain is parked at Gandi and was registered 4 weeks ago:

Quote:
Domain ID:D4553726-MOBI
Domain Name:EURO-MILLONEX.MOBI
Created On:24-Jan-2009 13:49:13 UTC
Last Updated On:24-Jan-2009 13:49:15 UTC
Expiration Date:24-Jan-2010 13:49:13 UTC
Sponsoring Registrar:Gandi SAS (81)
Created by Registrar:Gandi SAS (81)
Last Updated by Registrar:Gandi SAS (81)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:GNR3030147-JSPR
Registrant Name:George Nerbert
Registrant Street1:Avda Novelda 123
Registrant City:Alacant
Registrant State/Province:alacant
Registrant Postal Code:03011
Registrant Country:ES
Registrant Phone:+34.634033034
Registrant Email:once_award@yahoo.com
Admin ID:GNR3030147-JSPR
Admin Name:George Nerbert
Admin Street1:Avda Novelda 123
Admin City:Alacant
Admin State/Province:alacant
Admin Postal Code:03011
Admin Country:ES
Admin Phone:+34.634033034
Admin Email:once_award@yahoo.com
Tech ID:GNR3030147-JSPR
Tech Name:George Nerbert
Tech Street1:Avda Novelda 123
Tech City:Alacant
Tech State/Province:alacant
Tech Postal Code:03011
Tech Country:ES
Tech Phone:+34.634033034
Tech Email:once_award@yahoo.com
Name Server:A.DNS.GANDI.NET
Name Server:B.DNS.GANDI.NET
Name Server:C.DNS.GANDI.NET


Note that the phone number is the same as the one mentioned in the fake lottery scheme. Also, the whois contact is quite a giveaway.

The second dropbox domain (where responses are directed, according to the "Reply-To" header) is europa-swiss.info, which looks pretty much anonymised and does not hold any meaningful content either.

Quote:
Domain ID:D16722917-LRMS
Domain Name:EUROPA-SWISS.INFO
Created On:04-Mar-2007 00:43:29 UTC
Last Updated On:24-Jan-2009 12:25:20 UTC
Expiration Date:04-Mar-2009 00:43:29 UTC
Sponsoring Registrar:Directi Internet Solutions Pvt. Ltd. d/b/a PublicDomainRegistry.com (R159-LRMS)
Status:OK
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:P.O. Box 97
Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant Street3:
Registrant City:Moergestel
Registrant State/Province:
Registrant Postal Code:5066 ZH
Registrant Country:NL
Registrant Phone:+45.36946676
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:contact add privacyprotect.org
Admin ID:PP-SP-001
Admin Name:Domain Admin
Admin Organization:PrivacyProtect.org
Admin Street1:P.O. Box 97
Admin Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Admin Street3:
Admin City:Moergestel
Admin State/Province:
Admin Postal Code:5066 ZH
Admin Country:NL
Admin Phone:+45.36946676
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:contact add privacyprotect.org
Billing ID:PP-SP-001
Billing Name:Domain Admin
Billing Organization:PrivacyProtect.org
Billing Street1:P.O. Box 97
Billing Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Billing Street3:
Billing City:Moergestel
Billing State/Province:
Billing Postal Code:5066 ZH
Billing Country:NL
Billing Phone:+45.36946676
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:contact add privacyprotect.org
Tech ID:PP-SP-001
Tech Name:Domain Admin
Tech Organization:PrivacyProtect.org
Tech Street1:P.O. Box 97
Tech Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Tech Street3:
Tech City:Moergestel
Tech State/Province:
Tech Postal Code:5066 ZH
Tech Country:NL
Tech Phone:+45.36946676
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:contact add privacyprotect.org
Name Server:NS1-MITCHELL.NSWEBHOST.COM
Name Server:NS2-MITCHELL.NSWEBHOST.COM


Quite an old domain, considering its past usage:
http://www.google.com/search?q=%22europa-swiss.info%22
Well, each registrar handles such issues differently ;)

It's currently hosted at some shared hosting outfit along with a considerable number of other domains. As it is not relevant for this spam, I'm going to omit details here. Most likely the domain will move from host to host as it gets nuked due to spam complaints.

The only freemail dropbox is the one the spam was sent from, apparently accessed via the spammer's email application, which implies POP3/SMTP access as part of the freemail package. You can recognise it by the "received from" header.

A webmail interface would have added an
X-name-of-header: 1.2.3.4
header instead, as the submission protocol would have been HTTP (via POST).


So this would amount to the following mugu addresses:
jhess@iol.cz
once_award@yahoo.com
processing_unit@euro-millonex.mobi
email_ballot@europa-swiss.info

Gandi is said to be responsive to abuse reports, so sending an email to:
abuse add support.gandi.net

should result in an ex-dropbox ;)

Olliver
_________________
Petcord netlabel :: Synflict post-digital arts :: Leftob audio cast
Each click on any of the links above will save the life of a cute kitty somewhere in the universe.
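Worked example added to this thread (my code, not olliver's or the forum's): the header-tracing and whois-correlation steps from the post above, in Python. It walks the Received chain oldest-hop-first to find the originating client (skipping the loopback and RFC 1918 relays inside iol.cz), reads the Received-SPF result, applies the post's webmail-vs-mail-client heuristic, and normalises phone numbers so the "+34-634-033-034" in the scam body can be matched against the "+34.634033034" in the whois record. SAMPLE_MAIL and SAMPLE_WHOIS are constructed from the headers, body and whois excerpt quoted in the post (the poster's 66:66:66 timestamps are kept; nothing here parses dates). `X-Originating-IP` is an assumption for the webmail-added header the post names only generically.

```python
"""Header-tracing helpers for the lottery scam in this thread (added example)."""
import email
import ipaddress
import re
from email.message import Message
from email.utils import getaddresses

# Constructed from the post: trimmed headers plus the claim-agent block of the body.
SAMPLE_MAIL = """\
Delivered-To: spamtrap@example.invalid
Received: by 10.150.215.3 with SMTP id n3cs30329ybg;
        Tue, 24 Feb 2009 66:66:66 -0800 (PST)
Return-Path: <jhess@iol.cz>
Received: from smtp-out3.iol.cz (smtp-out3.iol.cz [194.228.2.91])
        by mx.google.com with ESMTP id 5si6502807fxm.90.2009.02.24.66.66.66;
        Tue, 24 Feb 2009 66:66:66 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of jhess@iol.cz designates 194.228.2.91 as permitted sender) client-ip=194.228.2.91;
Received: from antivir5.iol.cz (unknown [192.168.30.212])
        by smtp-out3.iol.cz (Postfix) with ESMTP id 90736BD06FA;
        Wed, 25 Feb 2009 66:66:66 +0000 (UTC)
Received: from localhost (antivir5.iol.cz [127.0.0.1])
        by antivir5.iol.cz (Postfix) with ESMTP id 6680D28007;
        Wed, 25 Feb 2009 66:66:66 +0100 (CET)
Received: from Murphy-PC (unknown [77.208.173.214])
        by smtp-out3.iol.cz (Postfix) with ESMTP id 56DB06B42C7;
        Wed, 25 Feb 2009 66:66:66 +0100 (CET)
To: "Award Recipient" <email_ballot@europa-swiss.info>
Reply-To: "Mrs. Michele Sorensen." <email_ballot@europa-swiss.info>
From: "Mrs. Michele Sorensen." <jhess@iol.cz>
Subject: Urgent Response Required.(Congratulations)

Euro Millones Loteria-Claim Processing Agent
Name: Mr. Patrick Hango
Email: processing_unit@euro-millonex.mobi
TELEFAX: +34-634-033-034
"""

# Constructed excerpt of the whois record quoted in the post.
SAMPLE_WHOIS = """\
Domain Name:EURO-MILLONEX.MOBI
Created On:24-Jan-2009 13:49:13 UTC
Registrant Name:George Nerbert
Registrant Phone:+34.634033034
Registrant Email:once_award@yahoo.com
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse(raw: str) -> Message:
    return email.message_from_string(raw)


def received_ips(msg: Message) -> list:
    """Bracketed client IPs per Received header, oldest hop first.
    MTAs prepend Received, so the last header is the first hop; hops
    without a bracketed IP (Google's internal one) are skipped."""
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def originating_ip(msg: Message):
    """First public address in the oldest-first hop list: the machine that
    handed the mail to the sender's outbound MTA. Loopback and RFC 1918
    hops (the iol.cz virus scanner) are internal relays, not the origin."""
    for ip in received_ips(msg):
        addr = ipaddress.ip_address(ip)
        if not (addr.is_private or addr.is_loopback):
            return ip
    return None


def spf_result(msg: Message):
    """(result, client-ip) from Received-SPF. A 'pass' only says the relay
    may send for iol.cz; the account behind it is still a throwaway."""
    m = re.match(r"\s*(\w+).*?client-ip=([\d.]+)", msg.get("Received-SPF", ""), re.S)
    return (m.group(1), m.group(2)) if m else (None, None)


def submission_method(msg: Message) -> str:
    """Post's heuristic: webmail adds an X-Originating-IP style header (assumed
    name); a mail client over SMTP shows up as the bottom 'Received: from <pc>'."""
    return "webmail (HTTP)" if msg.get("X-Originating-IP") else "mail client (SMTP submission)"


def normalize_phone(s: str) -> str:
    return re.sub(r"\D", "", s)   # '+34-634-033-034' and '+34.634033034' -> same digits


def phones(text: str) -> set:
    return {normalize_phone(p) for p in re.findall(r"\+\d[\d.\- ]{6,}\d", text)}


def addresses(msg: Message, *texts: str) -> set:
    """Every mailbox a victim could end up writing to: header addresses plus
    anything address-shaped in the body and the whois record."""
    hdrs = msg.get_all("From", []) + msg.get_all("Reply-To", []) + msg.get_all("To", [])
    found = {a.lower() for _, a in getaddresses(hdrs)}
    for t in texts:
        found |= {a.lower() for a in EMAIL_RE.findall(t)}
    return found


def correlate(msg: Message, whois: str) -> dict:
    body = msg.get_payload()
    return {
        "origin": originating_ip(msg),
        "spf": spf_result(msg),
        "submission": submission_method(msg),
        "addresses": addresses(msg, body, whois),
        "shared_phones": phones(body) & phones(whois),   # body <-> whois link
    }


if __name__ == "__main__":
    for k, v in correlate(parse(SAMPLE_MAIL), SAMPLE_WHOIS).items():
        print(f"{k}: {v}")
```

On the sample this yields origin 77.208.173.214, SPF pass for 194.228.2.91, the four mugu addresses the post lists, and one shared phone number, 34634033034, tying the scam body to the euro-millonex.mobi registrant. The origin IP is only as trustworthy as the MTA that wrote that Received line (here smtp-out3.iol.cz); anything below a hop you do not trust can be forged.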