Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
olliver Expert Developer
Joined: 27 Jan 2006 Last Visit: 02 Dec 2010 Posts: 1157 Location: yes
Posted: Wed Aug 05, 2009 2:05 am Post subject: Spam list vendor
As the subject implies, just some spammer trying to make a buck by selling targeted spam lists.
| Quote: |
Delivered-To: <spamtrap>
Received: by 10.223.110.146 with SMTP id {snip};
Tue, 4 Aug 2009 66:66:66 -0700 (PDT)
Received: by 10.140.132.4 with SMTP id {snip};
Tue, 04 Aug 2009 66:66:66 -0700 (PDT)
Return-Path: <prudentapwruomm@gmail.com>
Received: from filrewall.inno.com ([222.117.74.125])
by mx.google.com with SMTP id {snip};
Tue, 04 Aug 2009 66:66:66 -0700 (PDT)
Received-SPF: neutral (google.com: 222.117.74.125 is neither permitted nor denied by domain of prudentapwruomm@gmail.com) client-ip=222.117.74.125;
Authentication-Results: mx.google.com; spf=neutral (google.com: 222.117.74.125 is neither permitted nor denied by domain of prudentapwruomm@gmail.com) smtp.mail=prudentapwruomm@gmail.com
Date: Tue, 04 Aug 2009 66:66:66 -0700 (PDT)
Message-Id: <{snip}SMTPIN_ADDED@mx.google.com>
From: "Sprague F Gabriela" <prudentapwruomm@gmail.com>
To: <spamtrap>
Subject: Email Directory of business owners in America
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit
many different fields such as company income, email, number of employees ETC...
2,000,000 total records all with emails
Cost just slashed - $293 - from today until this Friday
send email to: Roger@BestAccurateReliable.com
Send us an email to exit@BestAccurateReliable.com we will discontinue from the list |
222.117.74.125, the sending address is located in Korea:
| Quote: |
IPv4 Address : 222.117.74.0-222.117.74.127
Network Name : KORNET-10833278820
Connect ISP Name : KORNET
Registration Date : 20061228
Publishes : N
[ Organization Information ]
Organization ID : ORG809545
Org Name : inometal(ju)
Address : Seonggok-dong, Danwon-gu, Ansan-si, Gyeonggi-do
Zip Code : 425-110
[ Technical Contact Information ]
Org Name : inometal(ju)
Address : Seonggok-dong, Danwon-gu, Ansan-si, Gyeonggi-do
Zip Code : 425-110
E-Mail : kornet-ip {curly thing} kornet.net |
Note that the spammer used prudentapwruomm@gmail.com as "from" and "return path" and relayed the message through this machine, rather than sending it through Google's servers. A sane mailswerver would not allow strangers to relay arbitrary messages, so it seems reasonable to assume some compromised machine that was converted to a spam zombie.
The spammer's dropbox is located in ...surprise... China of course:
www.bestaccuratereliable.com -> 58.242.148.87
| Quote: |
inetnum: 58.242.144.0 - 58.242.159.255
netname: ANQINGUNICOM
country: CN
descr: ANHUI UNICOM
admin-c: CH445-AP
tech-c: zz1045-AP
status: ALLOCATED NON-PORTABLE
changed: wuws7 {roundabout} chinaunicom.cn 20081226
mnt-by: MAINT-CNCGROUP-AH
source: APNIC
route: 58.242.0.0/15
descr: CNC Group CHINA169 AnHui province network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse {roundabout} cnc-noc.net 20060117
source: APNIC |
The following mailswervers are handling spammy's mail traffic:
BestAccurateReliable.com mail is handled by 10 changjian1.kmip.net.
BestAccurateReliable.com mail is handled by 20 anqing123.meibu.com.
changjian1.kmip.net -> 58.242.148.177
This is in the same /24 as the dropbox domain.
anqing123.meibu.com -> 117.66.193.110
| Quote: |
inetnum: 117.64.0.0 - 117.71.255.255
netname: CHINANET-AH
descr: CHINANET anhui province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: JW89-AP
tech-c: JW89-AP
remarks: service provider
mnt-by: APNIC-HM
mnt-routes: MAINT-CHINANET-AH
mnt-lower: MAINT-CHINANET-AH |
Evidently, all bulletproof offshore hosting is handled in the same Chinese province.
Related SBL records for 58.242.148.87 and 58.242.148.177:
| Quote: |
Ref: SBL71878
58.242.128.0/17 is listed on the Spamhaus Block List (SBL)
25-May-2009 22:57 GMT | SR14
Spam source and dropbox
Moving the spammer around just gets you a bigger SBL listing ... |
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL71878
The whois of the dropbox domain:
| Quote: |
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Registration Service Provided By: SW HOSTING & COMMUNICATIONS TECHNOLOGIES
Contact: +34.972941509
Website: http://www.swdominios.com
version: 1.0.0
query_datetime: 2009-08-05T11:59:18+2:00
domain_name: BestAccurateReliable.com
query_status: 200 Active
domain_dateregistered: 2009-07-14 15:45:08
domain_datebilleduntil: 2010-07-14 15:45:08
Registrar:
Registrant:
registrant_contact_name: Alex Marino
registrant_contact_address1: 80 Blake Street
registrant_contact_city: Toronto
registrant_contact_province: Ontario
registrant_contact_postalcode: M4J-3
registrant_contact_country: CA (Canada)
registrant_contact_phone: +416.-469-8010
registrant_contact_email: alexmarino@hushmail.com
Administrative Contact:
admin_contact_name: Alex Marino
admin_contact_address1: 80 Blake Street
admin_contact_city: Toronto
admin_contact_province: Ontario
admin_contact_postalcode: M4J-3
admin_contact_country: CA (Canada)
admin_contact_phone: +416.-469-8010
admin_contact_email: alexmarino@hushmail.com
Technical Contact:
technical_contact_name: Alex Marino
technical_contact_address1: 80 Blake Street
technical_contact_city: Toronto
technical_contact_province: Ontario
technical_contact_postalcode: M4J-3
technical_contact_country: CA (Canada)
technical_contact_phone: +416.-469-8010
technical_contact_email: alexmarino@hushmail.com |
Note that the data is most likely fake (invented or lifted identity).
O. |
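The checks described in the post above (a gmail.com envelope sender handed over by 222.117.74.125 with an SPF verdict of neutral, and a mail exchanger in the same /24 as the dropbox), as an added example that is not part of the original thread. The function names and the `FREEMAIL` set are assumptions; the header sample is excerpted from the quoted message with continuation lines indented.

```python
import ipaddress
import re
from email import message_from_string

# Excerpt of the headers quoted in the post; continuation lines are indented so
# the parser treats them as folded. {snip} and the munged time are as posted.
SAMPLE = """\
Return-Path: <prudentapwruomm@gmail.com>
Received: from filrewall.inno.com ([222.117.74.125])
 by mx.google.com with SMTP id {snip};
 Tue, 04 Aug 2009 66:66:66 -0700 (PDT)
Authentication-Results: mx.google.com; spf=neutral (google.com: 222.117.74.125 is neither permitted nor denied by domain of prudentapwruomm@gmail.com) smtp.mail=prudentapwruomm@gmail.com
From: "Sprague F Gabriela" <prudentapwruomm@gmail.com>
Subject: Email Directory of business owners in America
"""

FREEMAIL = {"gmail.com"}  # assumption: domains whose real mail leaves via the provider


def analyse(raw):
    """Pull the handing-over host, SPF verdict and envelope domain from headers."""
    msg = message_from_string(raw)
    # Only the topmost Received line was written by the receiving MX; lower ones can be forged.
    top = (msg.get_all("Received") or [""])[0]
    hop = re.search(r"from\s+(\S+)\s+\(\[([0-9A-Fa-f.:]+)\]\)", top)
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", auth)
    env = re.search(r"smtp\.mail=\S+@([\w.-]+)", auth)
    result = {
        "helo": hop.group(1) if hop else None,
        "client_ip": hop.group(2) if hop else None,
        "spf": spf.group(1).lower() if spf else "none",
        "envelope_domain": env.group(1).lower() if env else None,
    }
    # Freemail sender that did not arrive from an IP the provider authorises.
    result["relayed_outside_provider"] = (
        result["envelope_domain"] in FREEMAIL and result["spf"] != "pass"
    )
    return result


def same_network(ip_a, ip_b, prefix=24):
    """True when both addresses fall inside the same /prefix block."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net


if __name__ == "__main__":
    print(analyse(SAMPLE), same_network("58.242.148.87", "58.242.148.177"))
```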
MysteryFCM Malware Expert
Joined: 28 Aug 2004 Last Visit: 01 Mar 2013 Posts: 841 Location: Tyne & Wear, UK
Posted: Thu Aug 06, 2009 1:53 pm Post subject:
Got one of these "registration" forms through snail mail last week, asking me to register Ur I.T. Mate in their company directory, lol.
One I got was from;
E.C.G., SL
c/Martinez Cubells no 6, 40, pta 8
E-46002 Valencia
That's the address on the return envelope anyway .... form claims it's from "European City Guide". Fax no on the form is;
+34 902 36 34 71
Obviously not gonna return it, hehe
_________________
Regards
Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net