Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances

Looking for more website links?

 
olliver
Posted: Wed Aug 05, 2009 12:33 am    Post subject: Looking for more website links?

Some "Jeff" wants to exchange links with my spamtrap and leave the impression that his spam isn't spam because it's a one-time mailing. Of course, a one-time mailing sent to 30,000,000 addresses is still spam, because it was sent in bulk and to addresses that did not ask for it.

Headers:
Quote:
Delivered-To: <spamtrap>
Received: by 10.223.110.146 with SMTP id {snip};
Tue, 4 Aug 2009 04:04:19 -0700 (PDT)
Received: by 10.103.174.18 with SMTP id {snip};
Tue, 04 Aug 2009 66:66:66 -0700 (PDT)
Return-Path: <signup@linksroom.com>
Received: from artemis.krystal.co.uk (artemis.krystal.co.uk [77.72.0.162])
by mx.google.com with ESMTP id g1si5908289muf.16.2009.08.04.66.66.66;
Tue, 04 Aug 2009 66:66:66 -0700 (PDT)
Received-SPF: neutral (google.com: 77.72.0.162 is neither permitted nor denied by best guess record for domain of signup@linksroom.com) client-ip=77.72.0.162;
Authentication-Results: mx.google.com; spf=neutral (google.com: 77.72.0.162 is neither permitted nor denied by best guess record for domain of signup@linksroom.com) smtp.mail=signup@linksroom.com
Message-Id: <{snip}SMTPIN_ADDED@mx.google.com>
Received: from [92.2.166.44] (helo=JEFF-DESKTOPPC)
by artemis.krystal.co.uk with esmtpa (Exim 4.69)
(envelope-from <signup@linksroom.com>)
id {snip}
for <spamtrap>; Tue, 04 Aug 2009 66:66:66 +0100
From: "Jeff" <signup@linksroom.com>
Subject: Looking for more website links?
To: <spamtrap>
Content-Type: multipart/alternative; charset="utf-8"; boundary="{snip}"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Organization: LinksRoom.com
Date: Tue, 4 Aug 2009 66:66:66 +0100
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - artemis.krystal.co.uk
X-AntiAbuse: Original Domain - {snip}
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - linksroom.com
X-Source:
X-Source-Args:
X-Source-Dir:


The mail body:
Quote:
This is a multi-part message in MIME format

--{snip}
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

We're giving away FREE 'Unlimited Link Exchange' accounts. Just use t=
he following link within the next 7 days to create your FREE account, =
on registration you will automatically be upgraded.=20
http://www.linksroom.com/?pg=3Dregister=20
Please note - You may register up to 10 domains on a single account an=
d our directory will be made available from Monday 10th August.=20
Regards
Registration Team
www.linksroom.com
This is a one time email, you will not receive any further corresponde=
nce from us.=20

--{snip}
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD>
<META content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type=
>
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.18813"></HEAD>
<BODY>
<P>We're giving away FREE 'Unlimited Link Exchange' accounts.&nbsp; Ju=
st use the following link <FONT color=3D#ff0000><STRONG>within the nex=
t 7 days</STRONG></FONT> to create your FREE account, on registration =
you will&nbsp;automatically be upgraded. </P><A href=3D"http://www.lin=
ksroom.com/?pg=3Dregister">http://www.linksroom.com/?pg=3Dregister</A>=
=20
<P><STRONG>Please note</STRONG> - You may register up to 10 domains on=
a single account and our directory will be made available from Monday=
10th August. </P>
<P>Regards</P>
<P>Registration Team<BR><A href=3D"http://www.linksroom.com">www.links=
room.com</A></P>
<P><FONT color=3D#0000ff size=3D2>This is a one time email, you will n=
ot receive any further correspondence from us.</FONT>&nbsp;</P></BODY>=
</HTML>

--{snip}--


If it's such an irresistible offer, then I ask myself why "Jeff" has to hide behind the usual spammer shield:

Quote:
Domain name: linksroom.com

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent ()

Fax:
PMB 368, 14150 NE 20th St - F1
C/O linksroom.com
Bellevue, WA 98007
US

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (tjjldqnm@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O linksroom.com
Bellevue, WA 98007
US

Technical Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (tjjldqnm@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O linksroom.com
Bellevue, WA 98007
US

Status: Locked

Name Servers:
ns1.krystal.co.uk
ns2.krystal.co.uk


The sending address is home to quite a few domains:
http://www.robtex.com/ip/77.72.0.162.html

mailserver:
77.72.0.162 -> artemis.krystal.co.uk
spam domain:
linksroom.com -> 77.72.0.162

So we have the problem that for blocking one spammer, there are hundreds of legitimate domains that would be affected, too. Spammers love this sort of setup, because it provides them with a human shield.

Quote:
inetnum: 77.72.0.0 - 77.72.1.255
netname: KRYSTAL
descr: Olympians
country: GB
admin-c: KNOC3-RIPE
tech-c: KNOC3-RIPE
status: ASSIGNED PA
mnt-by: KRYSTAL-MNT
source: RIPE # Filtered

role: Krystal NOC
address: Alta Vista, Hr Warberry Rd, Torquay, Devon, TQ1 1SD
e-mail: noc {curly sign} krystal.co.uk
admin-c: KRYS1-RIPE
admin-c: KRYS2-RIPE
tech-c: KRYS1-RIPE
tech-c: KRYS2-RIPE
mnt-by: KRYSTAL-MNT
nic-hdl: KNOC3-RIPE
source: RIPE # Filtered


"Jeff"'s home connection:
92.2.166.44 -> host-92-2-166-44.as43234.net

Quote:
inetnum: 92.0.0.0 - 92.15.255.255
netname: CPWBBSERV-NET
descr: Carphone Warehouse Broadband Services
country: GB
admin-c: GJB18-RIPE
admin-c: PM58-RIPE
tech-c: GJB18-RIPE
tech-c: PM58-RIPE
status: ASSIGNED PA
mnt-by: OPAL-MNT
source: RIPE # Filtered


Quote:
Welcome to LinksRoom.com

Sign up to our spam free link exchange service and within minutes you’ll be logged into your FREE unlimited link exchange account with full access to our link exchange directory (from 10th August).

(emphasis mine)
source: www.linksroom.com

A spammer advertising a spam-free link exchange and using spam to build up the site... ;)

O.
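Added example, not part of olliver's post: a short Python sketch that walks the Received chain of the headers quoted above and separates the hop recorded by the receiving MX from the hop reported by the relay, along with the SPF verdict. The function names `parse_hops` and `summarize` are this example's own; the header lines are copied (trimmed) from the post.

```python
import re
from email import message_from_string

# Header lines copied (trimmed) from the post; "{snip}" and 66:66:66 are the poster's redactions.
RAW = """\
Return-Path: <signup@linksroom.com>
Received: from artemis.krystal.co.uk (artemis.krystal.co.uk [77.72.0.162])
\tby mx.google.com with ESMTP id g1si5908289muf.16.2009.08.04.66.66.66;
\tTue, 04 Aug 2009 66:66:66 -0700 (PDT)
Received-SPF: neutral (google.com: 77.72.0.162 is neither permitted nor denied by best guess record for domain of signup@linksroom.com) client-ip=77.72.0.162;
Received: from [92.2.166.44] (helo=JEFF-DESKTOPPC)
\tby artemis.krystal.co.uk with esmtpa (Exim 4.69)
\t(envelope-from <signup@linksroom.com>)
\tid {snip}
\tfor <spamtrap>; Tue, 04 Aug 2009 66:66:66 +0100

"""

def parse_hops(msg):
    """Return one dict per Received header, newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        def grab(pattern):
            m = re.search(pattern, flat)
            return m.group(1) if m else None
        hops.append({
            "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"),
            "helo": grab(r"helo=([^)\s]+)"),
            "by": grab(r"\bby (\S+)"),
            "with": grab(r"\bwith (\S+)"),
        })
    return hops

def summarize(raw):
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    if not hops:
        return None
    handoff, origin = hops[0], hops[-1]
    spf = (msg.get("Received-SPF") or "").split()
    return {
        # Only the top hop was written by the recipient's MX; lower hops are the relay's claim.
        "relay_ip": handoff["ip"],
        "origin_ip": origin["ip"],
        "origin_helo": origin["helo"],
        # RFC 3848: ESMTPA / ESMTPSA mean the client used SMTP AUTH.
        "authenticated": (origin["with"] or "").lower() in {"esmtpa", "esmtpsa"},
        "spf": spf[0] if spf else None,
    }

print(summarize(RAW))
```

Here the relay logged the submission as `esmtpa` (authenticated), so the message entered through an account on the shared host; an abuse report to that host targets the one account, whereas blocking 77.72.0.162 would hit every domain on it.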
MysteryFCM
Posted: Thu Aug 06, 2009 1:49 pm

Ya gotta love these idiots, lol
_________________
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
All times are GMT - 8 Hours