Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

[email] February 75% OFF

0 views
Skip to first unread message

Piedad

unread,
Feb 13, 2008, 3:39:39 AM2/13/08
to
Mail received on spamtrap. This spamtrap mail has been redacted, the
mail was not really sent to <Pieda...@users.spamikaze.org>.
URLs have been stripped of the parts before and after the host name.

>From rd...@humbolt1.com Wed Feb 13 03:39:39 2008
Return-path: <rd...@humbolt1.com>
Received: from [mail.victim.example] (helo=humbolt.mail.victim.example)
by shelob.surriel.com with esmtp (Exim 4.63)
(envelope-from <rd...@humbolt1.com>)
id 1JPD9W-00050f-8L
for Pieda...@users.spamikaze.org; Wed, 13 Feb 2008 03:39:38 -0500
Received: from [196.1.107.251] (helo=Romano)
by humbolt.mail.victim.example with smtp (Exim 4.22)
id 1JPD9U-0001Ip-U0
for Pieda...@users.spamikaze.org; Wed, 13 Feb 2008 09:39:37 +0100
Received: (qmail 14673 by uid 664); Wed, 13 Feb 2008 04:39:35 -0400
Message-Id: <20080213003935.14675.qmail@Romano>
To: <Pieda...@users.spamikaze.org>
Subject: February 75% OFF
From: <Pieda...@users.spamikaze.org>
MIME-Version: 1.0
Date: Wed, 13 Feb 2008 09:39:37 +0100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org>
<html dir="ltr">
<style>
<img id=EC_freeWelcomeCgif alt="" src="http://h.hddbf.com&amp;PI=44364&amp;DI=5707&amp;PS=94669" width=1 height=1>


<table width=550 border=0 cellspacing=0 cellpadding=0 align=center>
<tr>
<td colspan=3 bgcolor="#CCCCCC"><img border=0 height=1 src="http://gfx2.aeffn.com alt="" width=550></td>
</tr>
<tr>
<td bgcolor="#CCCCCC" width=1><img border=0 height=1 src="http://gfx2.jkfoe.com alt="" width=1></td>
<td width=548 align=left valign=top>

<table align=center cellpadding=0 cellspacing=0 width=548 bgcolor="#FFFFFF">
<tr valign=top>
<td>
<table align=center border=0 cellpadding=0 cellspacing=0 width=548 bgcolor="#FFFFFF">
<tr valign=top>
<td valign=top><table width="100%" border=0 cellspacing=0 cellpadding=0>
<tr>
<td valign=top><table width="100%" border=0 cellspacing=0 cellpadding=0>
<tr>
<td><img src="http://gfx1.xwzzy.com width=339 height=111 alt=""></td>
</tr>
<tr>
<td><table width="100%" border=0 cellspacing=0 cellpadding=0>
<tr>
<td><img border=0 height=1 src="http://gfx2.atcoe.com alt="" width=16></td>
<td><font size=4 color="#0099ff">Hello and Welcome to Windows Live Hotmail<span style="font-size:10px;vertical-align:super">®</span><br>
</font>
<img border=0 height=5 src="http://gfx2.zaceg.com alt="" width=1><br>
<font color="#000000">
Congratulations! The next generation of MSN® Hotmail is in your hands - fast, simple, and safer than ever before.<br>• Bookmark this link to login to your <a href="http://mail.ipscu.com target="_blank">Windows Live Hotmail</a>
</font></td>
</tr>
</table></td>
</tr>
</table>
</td>
<td valign=top><img src="http://gfx1.afswe.com width=211 height=223></td>
</tr>
</table></td>
</tr>
<tr valign=top>
<td colspan=3 bgcolor="#CCCCCC"><img border=0 height=1 src="http://gfx2.oqxob.com alt="" width=548></td>
</tr>
</table>

<table align=center border=0 cellpadding=5 cellspacing=0 width="100%" bgcolor="#FFFFFF">
<tr valign=top>
<td width=180>

<a href="http://mail.joxvi.com25" target="_blank">

<img src="http://gfx1.jzrnm.com widt

--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified
unless stated otherwise by the moderators. All opinions expressed above are
considered the opinions of the original poster, not the moderators or their
respective employers. For a copy of the guidelines to this group, see:
http://www.killfile.org/~tskirvin/nana/

spam...@nil.nil

unread,
Feb 14, 2008, 9:10:40 PM2/14/08
to
SPAM: February 75% OFF

Illegal sale of prescription drugs without prescription
webcom...@ora.fda.gov
---
Fraudulent VeriSign seal at http://www.oncewere.com/img/award1.gif
ab...@verisign.com,ab...@verisign.org
---
The phone contact at the site, +1(210) 787-1711,
had changed to +1(281) 971-9929 for about two days,
then returned to +1(210) 787-1711 and has recently
changed to +1(210) 888-9089.
---
The sites have recently added eighteen items to their product list:
Baclofen Benadryl Bentyl
Carafate Cha De Bugre Cleocin
DHEA Diclofenac Ditropan
Doxycycline Dramamine Furosemide
Periactin Sinemet Tazorac
Thyroid Booster Trileptal Voltaren
and renamed "GABA" to "GABA (HGH Booster)" and then added
Brafix SleepWell (Herbal XANAX).
---
They have updated "2007" which appeared in a few places,
such as "(C) 2007 Secure.Order.Form", to 2008.
---
Yesterday this site (IP addresses) seemed only to be able to
access an older version of the framework pages (but containing
the latest drug list). Perhaps the most current site(s) was (were)
not available at the time. This time I got what I think is one
of the latest versions (it has the updates to "2008") but is
still a very slight variation on what I usually see (on the first
page, the "account_id" is set with Javascript).
---

Spam FROM: IP address 41.251.96.172
on iam.ma,iam.net.ma
ab...@casanet.ma,ab...@iam.ma,ab...@iam.net.ma,ab...@menara.ma,
ela...@menara.ma,men...@casanet.ma,oum...@iam.net.ma,
postm...@iam.ma,postm...@iam.net.ma,s...@casanet.net.ma,webm...@iam.ma

This is the modern form of email advertising consisting
of using stolen content to mask the nature of the spam.

Spam CONTENTS: Stolen email apparently from bankone.com
ab...@bankone.com,postm...@bankone.com,sup...@bankone.com

The only effective content in the spam is the:

Spam CONTENT [image]: http://www.oncewere.com/1.gif
Spamvertized URL: http://www.oncewere.com
at the SPAMHAUS listed IP addresses 79.135.165.2 and 79.135.165.6
on ttnet.net.tr(turktelekom.com.tr),telekom.gov.tr/sistemnettelekom.com
ab...@ttnet.net.tr,postm...@ttnet.net.tr,sup...@ttnet.net.tr,ad...@ttnet.net.tr,
n...@ttnet.net.tr,n...@ttnet.net.tr,he...@ttnet.net.tr,in...@ttnet.net.tr,
ab...@telekom.gov.tr,sup...@telekom.gov.tr,postm...@telekom.gov.tr,
ad...@telekom.gov.tr,ab...@turktelekom.com.tr,postm...@turktelekom.com.tr,
n...@telekom.gov.tr,n...@telekom.gov.tr,he...@telekom.gov.tr,in...@telekom.gov.tr,
n...@turktelekom.com.tr,n...@turktelekom.com.tr,he...@turktelekom.com.tr,in...@turktelekom.com.tr,
sup...@turktelekom.com.tr,ad...@turktelekom.com.tr,i...@turktelekom.com.tr,
i...@telekom.gov.tr,zela....@turktelekom.com.tr,nazan....@turktelekom.com.tr,
serdar...@turktelekom.com.tr,n...@turktelekom.com.tr,n...@turktelekom.com.tr
ab...@sistemnet.com.tr,postm...@sistemnet.com.tr,hostm...@sistemnet.com.tr,webm...@sistemnet.com.tr,
ad...@sistemnet.com.tr,sup...@sistemnet.com.tr,he...@sistemnet.com.tr,
ab...@sistemnettelekom.com,postm...@sistemnettelekom.com,hostm...@sistemnettelekom.com,webm...@sistemnettelekom.com,
ad...@sistemnettelekom.com,sup...@sistemnettelekom.com,he...@sistemnettelekom.com
with resolved by the spammer's
Nameservers: ns.xinnet.cn, ns2.xinnet.cn, ns.xinnetdns.com, ns2.xinnetdns.com
provided by paycenter.com.cn,xinnet.cn,xinnet.com,xinnetdns.com
li...@xinnet.com,postm...@xinnet.com,ad...@xinnet.com,sup...@xinnet.com,
le...@xinnet.com,secu...@xinnet.com,he...@xinnet.com,in...@xinnet.com,
ab...@xinnet.com,n...@xinnet.com,n...@xinnet.com,ro...@xinnet.com,he...@xinnet.com
postm...@paycenter.com.cn,ad...@paycenter.com.cn,sup...@paycenter.com.cn,
le...@paycenter.com.cn,secu...@paycenter.com.cn,he...@paycenter.com.cn,
in...@paycenter.com.cn,ab...@paycenter.com.cn,n...@paycenter.com.cn,
n...@paycenter.com.cn,ro...@paycenter.com.cn,he...@paycenter.com.cn,
postm...@xinnet.cn,ad...@xinnet.cn,sup...@xinnet.cn,
le...@xinnet.cn,secu...@xinnet.cn,he...@xinnet.cn,
in...@xinnet.cn,ab...@xinnet.cn,n...@xinnet.cn,
n...@xinnet.cn,ro...@xinnet.cn,he...@xinnet.cn,
postm...@xinnetdns.com,ad...@xinnetdns.com,sup...@xinnetdns.com,
le...@xinnetdns.com,secu...@xinnetdns.com,he...@xinnetdns.com,
in...@xinnetdns.com,ab...@xinnetdns.com,n...@xinnetdns.com,
n...@xinnetdns.com,ro...@xinnetdns.com,he...@xinnetdns.com

Upon submitting an order, the response page provides a:

SPAMVERTIZED SUPPORT CONTACT [email]: support_AT_canadianpharmsupport.com
with MX listed at mail.canadianpharmsupport.com
at IP address 194.135.105.195
This was nature-meds.com where http://nature-meds.com is
a variation on the spamvertized site - but 194.135.105.195 is
not open on port 80 today. It also served as an authoritative
nameserver for the spam operation awhile ago, but not today.
This may no longer be involved (or may only be providing the
spammer's mailbox).
on relcom.{ru,net}.
ab...@relcom.net
where the registrar (and SOA) for canadianpharmsupport.com is BIZCN.COM.
ab...@fjdcb.fz.fj.cn,postm...@bizcn.com,
ab...@bizcn.com,sup...@bizcn.com,le...@bizcn.com,
ad...@bizcn.com,secu...@bizcn.com,n...@bizcn.com,
n...@bizcn.com,ro...@bizcn.com,he...@bizcn.com

==========
[DETAILS:]

SPAM FROM: IP address 41.251.96.172
Which forged an email address at my ISP as the envelope
sender, forged my email address as the "From:" address
and addressed the spam to an old format of my email
address used some years ago for USENET posting.

inetnum: 41.251.0.0 - 41.251.255.255
netname: IAM
descr: ADSL subscriber - CASA and SOUTH morocoo
country: MA
e-mail: [omitted]@iam.ma
e-mail: oum...@iam.net.ma
[whois.abuse.net]
ab...@menara.ma (for iam.ma)
s...@casanet.net.ma (for iam.ma)
webm...@iam.ma (for iam.ma)
postm...@iam.ma (for iam.ma)
ela...@menara.ma (for iam.net.ma)
ab...@iam.ma (for iam.ma)
men...@casanet.ma (for iam.ma)
ela...@menara.ma (for iam.ma)
ab...@casanet.ma (for iam.ma)
oum...@iam.net.ma (for iam.ma)
postm...@iam.net.ma (for iam.net.ma)
ab...@iam.net.ma (for iam.ma)
oum...@iam.net.ma (for iam.net.ma)

SPAM CONTENTS: "recycled" third-party email

This is the modern version of email advertising.
It consists in stealing/misappropriating another mailer's
newsletter and modifying it to send one on to the spammer's
site. Anti-spam filters see innocent content (the original
third-party's content) and, the spammer hopes, passes it
on to the addressee as non-spam.

I have seen cases where all the original content (images,
etc.) has remained with just the target links changed.
I have seen cases where the original content remains, but is
masked out (white text on a white background, almost white
text in a very tiny font on a white background, embedded in
[style],[/style] or [script],[/script] or [title],[/title]
tags, etc.)

In other cases the original text remains but the images
and targets can change.

*This* spammer has been replacing the original third-party's
URLs with junk (three random letters as the new domain name,
such as http://mail.xxx.com, http://site.axz.com, etc.),
embedding the third party's content in [style],[/style] tags
and inserting in the middle one line, with its associated
target link, of his own. Often this is a clickable image,
either hosted on the fast-flux botnet itself with target link
pointing to the site or on a compromised system with a target
link pointing to another compromised system which has a
redirecting page to the final site. A few times it has been
clickable text instead of an image.

Let's see what we have this time.
Thank you for scheduling your recent credit card payment online.
Now that you're making your payment online, are you aware of all
the convenient ways you can manage your account online?
Schedule alerts to be reminded of key account activity.
Thanks again for using online payments.
If you have any problems or questions, please call the
Customer Service number on the back of your credit card.
and we have what appears to be an bank's email to one of their credit
card holders about their onlline services.

The URL,
http://kanaweb.nufc.com/notifications/events/ccs_epay/images/wdfr.gif
has appeared before (with the same dimensions, width="610" height="1")
with (then) and unmunged image name, "blue.gif".
The hostname is obfuscated, but a google search shows a match:
http://kanaweb.bankone.com/notifications/events/ccs_epay/images/blue.gif
produces a 1x1 blue image (scaled to the dimensions, 610x1, in the
original email as a separating horizontal line).
This seems to be email sent by bankone.com to one of its customers.
They should be informed.

The format of the spam is:
[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[html]
[head]
[meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"] [/head]
[style]
... [third party content - apparently a bankone.com notice to a customer]
[/style]
[a href="http://www.oncewere.com"]
[img src="http://www.oncewere.com/1.gif"] <-- NO CLOSING [/a] TAG
[style]
... [third party content - apparently a bankone.com notice to a customer]
This email was sent to: _MY_EMAIL_ADDRESS_
[/style]
with the only effective content being the spammer's:


SPAM CONTENT [image]: http://www.oncewere.com/1.gif
SPAMVERTIZED URL: http://www.oncewere.com

'[a href="http://www.oncewere.com"]
[img src="http://www.oncewere.com/1.gif"]' <-- NO CLOSING [/a] TAG

========================================================
For the host:
"www.oncewere.com"

NAMESERVERS listed in the root servers for oncewere.com:
--------------------------------------------------------
oncewere.com NS ns2.xinnet.cn
oncewere.com NS ns2.xinnetdns.com
oncewere.com NS ns.xinnet.cn
oncewere.com NS ns.xinnetdns.com
ns2.xinnet.cn A 210.51.170.67
ns2.xinnetdns.com A 210.51.170.48
ns.xinnet.cn A 210.51.171.209
ns.xinnetdns.com A 210.51.170.66

[extract from dig]
------------------
dig @210.51.170.48
www.oncewere.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.oncewere.com A 79.135.165.6

dig @210.51.170.66
www.oncewere.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.oncewere.com A 79.135.165.6

dig @210.51.170.67
www.oncewere.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.oncewere.com A 79.135.165.6

dig @210.51.171.209
www.oncewere.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.oncewere.com A 79.135.165.6
========================================================

Prior to this we had a nameserver, first at 221.5.41.10,
then at 221.5.41.28, then at 221.5.41.35, then at 221.5.41.20,
then at 221.5.41.9 and then at 221.5.41.19 and then at 221.5.41.37
then at 221.5.41.17
(it also once appeared as 221.4.41.20, which appears to have
been a typo on the spammer's part when entering data for a
new domain name:
13 January: Nameservers: ns{1,2,3,4}.slam12.com
ns1.slam12.com A 221.122.64.15
ns2.slam12.com A 116.199.138.23
ns3.slam12.com A 58.253.71.92
ns4.slam12.com A 221.5.41.20
but later when the domain name of the nameservers was changed:
13 January: Nameservers: ns{1,2,3,4}.pong55.com
ns1.pong55.com A 116.199.138.23
ns2.pong55.com A 221.122.64.15
ns3.pong55.com A 61.139.219.56
ns4.pong55.com A 221.4.41.20
and later the nameserver was back in the 221.5.41.xxx C-block).

We also had a nameserver at 221.122.64.15 which moved to 221.122.64.14
and another at 221.130.200.179, moving on to 221.130.200.189 and then
on to 221.130.200.182.

The hosts resolved to IP address 79.143.178.5 and were
also up at 79.143.178.[2-4] as, checking addresses contiguous
with those of interest showed:

IP ADDRESS TTL IP ID FLAGS TCP-TIMESTAMP
---------- --- ----- ----- -------------
79.143.178.2 49 0 SA 751727743
79.143.178.3 49 0 SA 751727830
79.143.178.4 49 0 SA 751727915
79.143.178.5 49 0 SA 751727999

but now shows:

IP ADDRESS TTL IP ID FLAGS TCP-TIMESTAMP
---------- --- ----- ----- -------------
79.143.178.2 No response.
79.143.178.3 No response.
79.143.178.4 No response.
79.143.178.5 No response.

and the matching TCP-Timestamps strongly suggests that each
of these four IP addresses reaches/reached the same system.

Then the host resolved to 116.122.193.194 and then moved
back to 79.143.178.5 (79.143.178.[2-5]) (sometimes resolving
to 116.122.193.194) and then to 81.222.137.32 and, like
79.143.178.[2-5], this appears to be one IP address among
many reaching the spammer's site. Naturally, the host has
also resolved to other IP address[es] in this range, such as
81.222.137.17 and 81.222.137.18.

IP ADDRESS TTL IP ID FLAGS TCP-TIMESTAMP
---------- --- ----- ----- -------------
81.222.137.17 58 61102 SA 938358789
81.222.137.18 58 61103 SA 938359264
81.222.137.19 58 61107 SA 938359604
81.222.137.20 58 61108 SA 938359926
81.222.137.21 58 61111 SA 938360280
81.222.137.22 58 61113 SA 938360605
81.222.137.23 58 61115 SA 938360929
81.222.137.24 58 61118 SA 938361253
81.222.137.25 58 61119 SA 938361589
81.222.137.26 58 61121 SA 938361912
81.222.137.27 58 61122 SA 938362221
81.222.137.28 58 61123 SA 938362545
81.222.137.29 58 61125 SA 938362866
81.222.137.30 58 61126 SA 938363191
81.222.137.31 58 61128 SA 938363511
81.222.137.32 58 61129 SA 938363836

and the matching TCP-Timestamps and IP ID sequences strongly
suggest that each of these sixteen (when 81.222.137.[17-32]
where all accessible) IP addresses reaches the same system.
It seems that the host finally blocked 81.222.137.32 so the
spammer moved it to 81.222.137.17 and the host more quickly
blocked that. What then? Why, 81.222.137.18 of course!
Then 81.222.137.17 and 81.222.137.32 came back online.

It then resolved to 79.135.166.54 (I guess they moved here
from 79.143.178.[2-5]) which, like those above, appears to be
but one of several IP addresses to which the site resolves
(and perhaps, soon, another of the possible IP addresses will
be used as has happened with 79.143.178.[2-5]):

IP ADDRESS TTL IP ID FLAGS TCP-TIMESTAMP
---------- --- ----- ----- -------------
79.135.166.50 40 12314 SA 43289165
79.135.166.51 40 12414 SA 43289582
79.135.166.52 40 12478 SA 43289997
79.135.166.53 40 12547 SA 43290413
79.135.166.54 40 12609 SA 43290830

and then it moved to 79.135.165.6 where, again, we seem to
have a block ...

IP ADDRESS TTL IP ID FLAGS TCP-TIMESTAMP
---------- --- ----- ----- -------------
79.135.165.2 40 22810 SA 1037801647
79.135.165.6 40 25358 SA 1037805009
(attempts to reach the other IP addresses from 79.135.165.3
through 79.135.165.5 currently elicit ICMP error messages,
Host Unreachable sent from what claims to be IP address
8.8.8.2 but as this may be a temporary problem I will include
them in my list of IP addresses "of interest").

A nameserver appeared at 116.199.138.23 and then moved
to 116.199.135.167 and then to 116.199.135.191 and
116.199.136.61 and then 116.199.135.168.

It then resolved to 123.111.50.158 which moved to 123.111.50.187,
followed by new hosting at 219.251.217.133 and then 210.245.160.192.

There was also a nameserver and web host at 61.139.219.56
which replaced the one at 58.253.71.92 which latter IP address
then reappeared and then changed to 58.253.71.112 along with
another (currently only an open recursive resolver) at 58.20.81.138
then one nameserver went back to 58.253.71.xxx, appearing
at 58.253.71.121 and one appeared at 58.20.81.169 (not just
a recursive resolver) which later appeared to be secured and
functioned only as a recursive resolver but which then appeared
at 58.20.82.188 (not just a recursive resolver) and then at
58.20.84.92.

Then a nameserver appeared at 218.106.90.230 and then
one at 210.21.110.150 while the nameserver at 218.106.90.230
moved to 218.106.90.228 and 210.21.110.150 moved to 210.21.110.105.

We thus have sixty-five IP addresses of interest (I have removed
the probable typo, 221.4.41.20 and the open resolver at 58.20.81.138):
58.20.81.169 58.20.82.188 58.20.84.92 58.253.71.92
58.253.71.112 58.253.71.121 61.139.219.56 79.135.165.2
79.135.165.3 79.135.165.4 79.135.165.5 79.135.165.6
79.135.166.50 79.135.166.51 79.135.166.52 79.135.166.53
79.135.166.54 79.143.178.2 79.143.178.3 79.143.178.4
79.143.178.5 81.222.137.17 81.222.137.18 81.222.137.19
81.222.137.20 81.222.137.21 81.222.137.22 81.222.137.23
81.222.137.24 81.222.137.25 81.222.137.26 81.222.137.27
81.222.137.28 81.222.137.29 81.222.137.30 81.222.137.31
81.222.137.32 116.122.193.194 116.199.135.167 116.199.135.168
116.199.135.191 116.199.136.61 116.199.138.23 116.199.138.24
123.111.50.158 123.111.50.187 210.21.110.105 210.21.110.150
210.245.160.192 218.106.90.228 218.106.90.230 219.251.217.133
221.5.41.9 221.5.41.10 221.5.41.17 221.5.41.19
221.5.41.20 221.5.41.28 221.5.41.35 221.5.41.37
221.122.64.14 221.122.64.15 221.130.200.179 221.130.200.182
221.130.200.189

N.B. At this time I have not moved all of xinnet.cn, xinnetdns.com
into my list of spammer hosts and spam support sites.

Let me check the ones which were not responding nameservers *as*
nameservers by querying each for the IP address of the hostname[s]

NONE RESOLVE IT! Why? As mentioned above often these sites use a
fast-flux botnet for web sites and nameservers (and I have seen
cases where a site moved from this static hosting to fast-flux).
Often xinnet/paycenter is used as the registrar for the fast-flux
websites or nameservers. In this case, they are more directly
involved as they here provide nameserver resolution and the spammer
is not using his other resources for nameservers at the moment,
at least for this host/domain.


Let me check all sixty-five IP addresses for the web site
by forcing the resolution of the host[s] to each in succession:

The only ones providing the spamvertized site are:

* Connected to 79.135.165.2
GET / HTTP/1.1
Host: www.oncewere.com

HTTP/1.1 200 OK
Server: nginx/0.5.32
[title]Canadian Pharmacy[/title]


* Connected to 79.135.165.6
GET / HTTP/1.1
Host: www.oncewere.com

HTTP/1.1 200 OK
Server: nginx/0.5.32
[title]Canadian Pharmacy[/title]


SPAM CONTENT [image]: http://www.oncewere.com/1.gif

The contents of the image are:
=====================================================
CHEAPEST PRICES

We are the only store wich
gives this great deal you!

The USA Licensed Save huge 70 %
Online Pharmacy on all the orders with us!

VIAGRA VIAGRA SOFT CIALIS CIALIS SOFT
XANAX SOMA AMBIEN TRAMADOL
VALIUM MERIDIA
=====================================================
(The product names were titles of small pill images.)


Ah ... this is more like it. Yesterday, this host (IP address) could
only connect to an old, backup(?) site with old Javascript and with
the year, "2006", appearing in various places on the pages. This
time it seems to be new, but not the "usual" version as on the first
page the account_id is set with Javascript. But that may be the only
difference between this and the "usual" version.
--------------------------------------------------------------------
SPAMVERTIZED SITE: http://www.oncewere.com

A (recent) REFRESH redirection,
[META http-equiv="refresh" content="0; url=index.php"]
sometimes appears as the first/default page, redirecting to the
content page. Other times one receives the content immediately.

[title]Canadian Pharmacy[/title]

The starting page includes the domain name as the "account_id"
document.write('[img src="counter.php?account_id='+str_loc+'&aid=&said=&js=1'+params+'" width=1 height=1]');
where str_loc is the hostname,
var str_loc = window.document.location.toString();
str_loc = str_loc.substring(7, str_loc.length);
slash = str_loc.indexOf('/');
if (slash != 0) str_loc = str_loc.substring(0, slash);
(for the more common, usual sites, PHP is apparently used
to set the account_id to the domain name -not the hostname- directly).

As is common for these spamvertized pharmacy sites, this one
has a fraudulent VeriSign seal, http://[hostname]/img/award1.gif.
This is clickable resulting in "VeriSign's" assurance that:
"oncewere.com is a VeriSign Secure Site
Name oncewere.com
Status Valid
Validity Period 30-NOV-05 - 11-JUN-09
Server ID Information
Country = CA
State = British Columbia
Organization = Canadian Pharmacy Inc.
Organizational Unit = Pharmacy On-line Store
Organizational Unit = Terms of use at www.safescrypt.com/rpa (c) 03
Organizational Unit = Authenticated by Safescrypt Limited
Organizational Unit = Member, VeriSign Trust Network
Common Name = oncewere.com"

** CHANGE!! **
--------------
"Licensed by The College of Pharmacists of British Columbia.
If you have any questions or concerns you can contact the college at
200-1765 West 8th Ave. Vancouver, BC, Canada V6J 5C6
You may contact us at +1(210) 888-9089, please, keep your order I.D.
every time you make a call.
(C) Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved." <-- CHANGE: It used to be 2003-2007.
--------------
THE PHONE NUMBER CONTACT USED TO BE +1(210) 787-1711
THEN FOR TWO DAYS IT WAS +1(281) 971-9929
IT THEN RETURNED TO +1(210) 787-1711
IT THEN CHANGED TO +1(210) 888-9089

The site assures one of a secure purchase,
(C) 2008 Secure.Order.Form <-- CHANGE: It used to be 2007.
"Rest assured that our online order system makes use of the latest
Security encryption technology to ensure that your credit card
information is submitted safely and with the highest level of
protection."
"For your safety we use highly secure order processing server with our
own secure certificate."
though one's order (including credit card) data,
item_name[299]=Viagra
&item_name[3945]=Viagra [*]
&item_name[642]=Delivery type
&item_price[299]=34.15 [+]
&item_price[3945]=0 [*]
&item_price[642]=10.95 [-]
&item_description[299]=10 pills X 50 mg
&item_description[3945]=2 pills X 100 mg [*]
&item_description[642]=AirMail [-]
&item_quantity[299]=1
&item_quantity[3945]=1 [*]
&item_quantity[642]=1
&checksum=
&currency=usd
&Customer_FirstName=[victim's name: first]
&Customer_LastName=[victim's name: last]
&street=[victim's address: street]
&city=[victim's address: city]
&zip=[victim's address: zip code]
&state=[victim's address: state]
&country=USA
&phone1=[victim's phone number: country code]
&phone2=[victim's phone number: area code]
&phone3=[victim's phone number: exchange]
&phone4=[victim's phone number: number]
&Email=[victim's address: email]
&aemail=[victim's address: alternate email: optional]
&messenger=
&messenger_contact=
&birthday=
&ssn=
&client_time=1203028261 [Net time. Number of seconds since 1 January 1970]
&ship_eq= [only submitted if the "Shipping info equals to Billing Info" checkbox is checked]
&sname_first=[victim's name: first]
&sname_last=[victim's name: last]
&sstreet=[victim's address: street]
&scity=[victim's address: city]
&szip=[victim's address: zip code]
&sstate=[victim's address: state]
&scountry=USA
&method_by=CC
&cardholder=[victim's name: full: as on credit card]
&cc_type=mastercard [or other type] [&]
&card_no=[victim's credit card number: VISA only]
&exp_m=[credit card: expiration date: month]
&exp_y=[credit card: expiration date: year]
&cvc=[credit card: private security number]
&comments=
&check_your_name=
&check_bank_name=
&check_account_owner=
&check_routing_number=
&check_account_number=
&comments1=
&renew_days=30
&chekout.x=0 [I tabbed to the submit button this time,
&chekout.y=0 so the x,y values are zero.]
&DOB_Day=1
&DOB_Month=January
&DOB_Year=
&Weight=
&Weight_Measure=lbs
&Height=4ft. 0in.
&received=
&medicalConditions=
&currentMedications=
&plannedMedications=
&allergies=
&surgeries=
&medicalHistory=

*: This used to be item_name[1947]. This item represents
the extra free pills. For this product order
(10 50mg Viagra) it used to be that one received
four free pills ("item_name[1947]=Viagra,"
"item_price[1947]=0," "item_description[1947]=4 pills X 100 mg"
and it seems that they have cut back on the
extra pills for now it is "item_name[3945]=Viagra"
which consists of two free pills (100mg).
+: item_price[299] (the product price) has recently
increased substantially. It was 30.22 and
changed to 45.33. It has now been reduced.
-: item_price[642] (shipping) for AirMail has recently
increased substantially. It was 6.95.
&: This change is a new drop down list for the
selection of the credit card type. Prior to this
only the number was required.

This time I clicked the earlier SUBMIT button
which appears before the medical questionnaire
("Medical Questionary", the text in an image)
It seems that filling out that questionnaire
is optional.

is submitted unencrypted and insecurely to
http://[hostname]/process_order.php

There are two DIVs on the page, cc_div and echeck_div
with radio buttons which set the display to "none" for
one and "block" for the other. One can select payment
by credit card or by electronic check. The above data is
for a credit card submission. For using echeck, the credit
card data is missing (of course) and
&check_your_name=[victim's name: as on the bank account]
&check_bank_name=[checking account: bank name]
&check_account_owner=[checking account number]
&check_routing_number=[bank routing number]
&check_account_number=[check number]
is submitted. Today the divisions are still there.
There are two radio buttons on the page,
[input type="radio" class=noborder value="CC" name="method_by" checked onclick="swapCC(this.form)"]
Pay by Credit Card
and
[input type="radio" class=noborder value="ECHECK" name="method_by" onclick="swapCC(this.form)"]
Pay by eCheck (Checking Account)
************************
*** THIS IS A CHANGE ***
************************
For quite some time the ECHECK button had been missing and the only
radio button and payment option was for credit card payments though
the echeck_div remained on the page (and if one added an ECHECK
button one could bring up the echeck_div).
*****************************************************
*** THE CHECK PAYMENT SECTION IS AGAIN ACCESSIBLE ***
*****************************************************

The swapCC() function is defined in http://[hostname]/js/process_order.js
function swapCC(form) {
if(validate_method_by(form.elements["method_by"]) == "CC")
{document.getElementById("cc_div").style.display = "block";
document.getElementById("echeck_div").style.display = "none";}
else if(validate_method_by(form.elements["method_by"]) == "ECHECK")
{document.getElementById("cc_div").style.display = "none";
document.getElementById("echeck_div").style.display = "block";}
}
function validate_method_by(s) {
var i;
var returnMethod
if (is_empty(s)) return true
if(s.length == undefined) returnMethod = s.value;
for (i = 0; i < s.length; i++) {
if (s[i].value=="CC" && s[i].checked== true)
{var c = s[i].value
returnMethod = c}
if (s[i].value=="ECHECK" && s[i].checked== true)
{var c = s[i].value
returnMethod = c}
}
return returnMethod;
}

Today the warning that the use of MasterCard may delay processing,
"Please use VISA card for payment.
Mastercard may cause delays with processing of your order."
is missing.

This is, of course, identical to the order data format as
reported previously for other hostnames.

Upon submission of the order one receives a response:
"If you need any help, please, contact our support via e-mail:
[a href="mailto:sup...@canadianpharmsupport.com"]sup...@canadianpharmsupport.com[/a]'


SPAMVERTIZED SUPPORT CONTACT [email]: sup...@canadianpharmsupport.com

====================================================================
For the host:
"canadianpharmsupport.com"

NAMESERVERS listed in the root servers for canadianpharmsupport.com:
--------------------------------------------------------------------
canadianpharmsupport.com NS ns3.cnmsn.com
canadianpharmsupport.com NS ns4.cnmsn.com
ns3.cnmsn.com A 204.13.67.108
ns4.cnmsn.com A 61.152.169.14

[extract from dig]
------------------
dig @61.152.169.14
canadianpharmsupport.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

dig @204.13.67.108
canadianpharmsupport.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
====================================================================

====================================================================
For the host:
"www.canadianpharmsupport.com"

NAMESERVERS listed in the root servers for canadianpharmsupport.com:
--------------------------------------------------------------------
canadianpharmsupport.com NS ns3.cnmsn.com
canadianpharmsupport.com NS ns4.cnmsn.com
ns3.cnmsn.com A 204.13.67.108
ns4.cnmsn.com A 61.152.169.14

[extract from dig]
------------------
dig @61.152.169.14
www.canadianpharmsupport.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

dig @204.13.67.108
www.canadianpharmsupport.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
====================================================================

Hmmm ... the SOA for canadianpharmsupport.com is
ns3.cnmsn.com dnsc...@bizcn.com (from 204.13.67.108)
ns4.cnmsn.com dnsc...@bizcn.com (from 61.152.169.14)
(authoritatively).

They have no address record for either canadianpharmsupport.com or
www.canadianpharmsupport.com (well, older versions had a link
to a support page at www.globalpharmsupport.com but the current sites
only have an email link). They do give an MX record,
dig @204.13.67.108 canadianpharmsupport.com mx +norec +noauth +noadd
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
canadianpharmsupport.com. 600 IN MX 10 mail.canadianpharmsupport.com.
dig @61.152.169.14 canadianpharmsupport.com mx +norec +noauth +noadd
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
canadianpharmsupport.com. 600 IN MX 10 mail.canadianpharmsupport.com.
and address for mail.canadianpharmsupport.com.
dig @204.13.67.108 mail.canadianpharmsupport.com a +norec +noauth +noadd
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
mail.canadianpharmsupport.com. 600 IN A 194.135.105.195
dig @61.152.169.14 mail.canadianpharmsupport.com a +norec +noauth +noadd
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
mail.canadianpharmsupport.com. 600 IN A 194.135.105.195

We had a host at 194.135.105.195:

===========================================================
For the host:
"nature-meds.com"

NAMESERVERS listed in the root servers for nature-meds.com:
-----------------------------------------------------------
nature-meds.com NS ns1.nature-meds.com
nature-meds.com NS ns2.nature-meds.com
ns1.nature-meds.com A 89.248.99.118
ns2.nature-meds.com A 89.248.100.134

[extract from dig]
------------------
dig @89.248.99.118
nature-meds.com
A +noqu +noadd +noau +norec
connection timed out

dig @89.248.100.134
nature-meds.com
A +noqu +noadd +noau +norec
connection timed out
===========================================================

That's a pleasant change (but not wholly unexpected as various
nameservers in this region, in particular the one at
89.248.99.118, are no longer responding). When the
nameservers had responded, they resolved nature-meds.com to
IP address 194.135.105.195.

Currently 194.135.105.195 is closed on port 80
(sending RESET/ACK in response to attempted web connections).
As a mailserver, it is of course open on port 25
(and banners as "220 mtw2.srvz.ru ESMTP Exim").

It used to be open on port 80 and one used to be able to find
nature-meds.com, an older version of the Canadian Pharmacy
site at 194.135.105.195.

IP address 194.135.105.195
--------------------------
inetnum: 194.135.104.0 - 194.135.105.255
netname: relcom
descr: "RELCOM.BUSINESS NETWORK" Ltd.
country: RU
e-mail: ad...@relcom.ru
TCPTRACEROUTE to port 25 on 194.135.105.195 shows:
...
4: nyiix.retn.net (198.32.160.182)
5: ae0-3.RT504-002.msk.retn.net (81.222.15.33)
6: kiae-spider-1.relcom.net (194.58.41.10)
7: 194.135.105.195 (194.135.105.195) [TCP Syn Ack]
--------------------------

Not open on port 80 (it used to host an old copy of the spamvertized site).
Open on port 25, but it may be a mailserver for other domains/users.
This may no longer be involved (or may still provide the spammer's mailbox.

Domain Name: CANADIANPHARMSUPPORT.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Domain name: canadianpharmsupport.com
Registrant Contact:
CanadianRX ltd
Alan Tompson ro...@canadianpharmsupport.com
4169264684 fax:
208 Douglas Dr
Toronto Toronto M4W 2B8
ca
DNS: ns3.cnmsn.com ns4.cnmsn.com
Created: 2007-04-25
Expires: 2008-04-25


A few drugs:
------------
2 Complete Professional Whitening Kits
2 Sets of Moldable Mouth Trays
Abana
Accupril
Accutane
Aceon
Aciphex
Acomplia
Acompliex
Acticin
Actonel
ActoPlus Met
Actos
Adalat
Advair Diskus
Advantage Carb Blocker
Aldactone
Aleve
Allegra
Altace
Amaryl
Amoxil
Anabol-AMP
Ansaid
Antabuse
Arava
Aricept
Arimidex
Aristocort
Ashwagandha
Atacand
Atarax
Atrovent
Augmentin
Avandamet
Avandia
Avapro
Avodart
AyurSlim
Azulfidine
Baclofen [+]
Bactrim
Bactroban
BCAA
Beconase AQ
Benadryl [+]
Benemid
Bentyl [+]
Biaxin
Brafix [*]
Brahmi
Breast Augmentation
Breast Enhancement
Breast Enhancement Gel
Breast Sculptor
Brite
Buspar
Bust Enhancer
Cafergot
Calan
Calcium Carbonate
Capoten
Carafate [+]
CarboXactin
CarboZyne
Cardizem
Cardura
Casodex
Celebrex
Celexa
Cephalexin
Cha De Bugre [+]
Chloromint
ChromoNexin
Chrysin-XY
Cialis
Cialis Jelly
Cialis Professional
Cialis Soft Tabs
Cipro
CLA
Clarinex
Claritin
Cleocin [+]
Clomid
Colchicine
Colostrum-800
Combivent
Confido
Copegus
Coral Calcium
Cordarone
Coreg
Corticyn Trimplex
Coumadin
Cozaar
Creatine-1200
Cree-1200
Crestor
Cyklokapron
Cymbalta
Cystone
Cytotec
Cytoxan
Danazol
Deltasone
Deluxe Handheld Plasma Whitening Tool
Deluxe Whitening System with Plasma Lamp
Depakote
Desyrel
Detrol
DHEA [+]
Diabecon
Diamox
Diclofenac [+]
Didronel
Differin
Diflucan
Diovan
Ditropan [+]
Dostinex
Doxycycline [+]
Dramamine [+]
Echinacea
Effexor
Elavil
Elimite
Emsam
Endep
Epivir-HBV
Erexin-V
Erexor
Eulexin
Eurax
Evecare
Evegen
Evista
Exelon
Extendaquin
Extreme Detox
Extreme Thyrocin
Famvir
Fatblast Extreme
Feldene
Female Sexual Oil
Female Sexual Tonic
Female Viagra
Femara
Femcare
Flagyl ER
Flexisyn
Flextra
Flomax
Flonase
Fosamax
Furosemide [+]
GABA (HGH Booster) [-]
Gasex
Geodon
Geriforte
Ginseng
Glucophage
Glucotrol XL
Gluta-PEP
Glycemil
Green tea
Grifulvin V
Gyne-Lotrimin
Hair Loss Cream
Hangover Helper
Head Strong
Herbal Phentermine
Herbal Testosterone
Herbolax
Himcolin
Himplasia
Hoodia
Hoodia Gordonii HG p57
Hoodia Weight Loss Patch
Horny Goat Weed
Hydrea
Hytrin
Hyzaar
Imdur
Imitrex
Inderal
Indocin
InnoPran XL
Ismo
Isoptin
Kamagra
Karela
Keftab
Kytril
Lamictal
Lamisil
L-Arginine
Lariam
Lasix
Lasuna
L-Carnitine
Leukeran
Levaquin
Levitra
Levitra Professional
Levlen
Levothroid
Lexapro
L-Glutamine
Lincocin
Lioresal
Lipitor
Liponexol
LipoSafe
Lipostatin
Lipothin
Lipotrexate
Lisinopril
Lopid
Lopressor
Loprox
Lotensin
Lotrisone
Loxitane
Lozol
Lukol
Lynoral
Male Enhancement Oil
Male Enhancement Pills
Male Sexual Tonic
Manhood Enhancer
Maxalt
Maxaman
Maxaquin
Maximum Lipotropics
Medithin
Medrol
Melatonin
Men Attracting Pheromones
Menosan
Mental Booster
Mentat
Mentax
Mestinon
Metabo925
Metabo Extreme
MetaboSafe
Metabo UltraMax
Methox-400
Mevacor
Mexitil
Micardis
Microlean
Mircette
Mobic
Monoket
Motilium
Motrin
Myambutol
Mycelex-G
Mysoline
Naprosyn
Neurontin
Nexium
Nicotinell
Nimotop
Nirdosh
Nizoral
Nolvadex
Noroxin
Norpace CR
Norvasc
Noxide
Nutridrine
Nymphomax
Omnicef
Ophthacare
Orgasm Enhancer
Oxytrol
Pamelor
Parlodel
Paxil
Penis Extender Deluxe
Penis Extender Deluxe Girth
Penis Extender Deluxe Gold
Penis Extender Standard
Penis Extender Starter
Penis Growth Oil
Penis Growth Patch
Penis Growth Pills
Penisole
Periactin [+]
Phentrimine
Plan B
Plavix
Plendil
Pletal
Ponstel
Prandin
Pravachol
Prednisone
Premarin
Premature Ejaculation Cure
Premium Diet Patch
Prevacid
Prilosec
Prinivil
Probalan
Procardia
Pro-Erex
Professional Plasma Tooth Whitening Kit
Prograf
Prometrium
Propecia
Proscar
Protonix
Proventil
Prozac
Pulmicort inhaler
Purim
Purinethol
PyruVitol
Quibron-T
QuickBust
Reglan
Relafen
Remeron
Requip
Retin-A
Revia
Rhinocort
RiboCREE
Ribose-ATP
Rimonabant
Risperdal
Rocaltrol
Rogaine
Rumalaya
Rythmol SR
Sarafem
Saw Palmetto
Septilin
Serevent
Serophene
Seroquel
Shallaki
Shoot
Shuddha Guggulu
Sinemet [+]
Sinequan
Singulair
Skelaxin
SleepWell (Herbal XANAX) [*]
Slimpulse
Snoroff
Soma
Soothenol
Speman
Starlix
Stop Smoking
Stop Smoking Patch
Stress Relief
StretchNil
Stromectol
Study Habits
Styplon
Sumycin
Sustiva
Synthroid
Tazorac [+]
Tenormin
Tentex Royal
Testo-Rex
Thyroid Booster [+]
Topamax
Toprol XL
Touch-Up Kit
Tramaden
Tramadol
Trandate
Tribulus
Tricor
Trileptal [+]
Trimox
Triphala
Tulasi
Ultimate Male Enhancer
Ultracet
Ultram
Urispas
Valtrex
Vanadyl
Vantin
Vasodilan
Vasotec
Ventolin
Vermox
Viagra
Viagra Jelly
Viagra Professional
Viagra Soft Tabs
Viramune
Vitaliq
Vitamin A & D
Voltaren [+]
Vytorin
Weight Loss
Wellbutrin SR
Women Attracting Pheromones
Women's Intimacy Enhancer
Women's Intimacy Enhancer Cream
Xeloda
Yerba Diet
Yohimbe-1200
Zanaflex
Zantac
Zebeta
Zelnorm
Zerit
Zestril
Zetia
Zimulti
Zithromax
ZMA-Power
Zocor
Zoloft
Zovirax
Zyban
Zyloprim
Zyprexa
Zyrtec
Zyvox

*: Most recent additions.
+: Recent additions.
-: Name change from "GABA".

===========================================================
[ORIGINAL SPAM: with angle brackets, such as "<", converted
to square brackets, such as "[", so as not
to affect HTML enabled mail/news readers.]

Return-Path: <kath@_my_isp_>
X-Spam-DCC: _DCCB_: _DCCR_
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
_my_isp_
X-Spam-Level: ****************************
X-Spam-Status: Yes, score=28.7 required=5.0 tests=BAYES_99,DK_POLICY_SIGNSOME,
HTML_90_100,HTML_MESSAGE,INCH_RCVD_IN_XBL,MIME_HTML_ONLY,NO_REAL_NAME,
RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,RCVD_IN_PBL,
RCVD_IN_XBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,
URIBL_WS_SURBL autolearn=spam version=3.1.8
X-Spam-Report:
* 1.0 NO_REAL_NAME From: does not include a real name
* 0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
* 0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 2.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 1.0000]
* 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
* above 50%
* [cf: 100]
* 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
* 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
* [cf: 100]
* 2.0 INCH_RCVD_IN_XBL RBL: Received via a relay in Exploits Block List
* [<http://www.spamhaus.org/query/bl?ip=41.251.96.172>]
* 3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
* [41.251.96.172 listed in zen.spamhaus.org]
* 0.0 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
* [41.251.96.172 listed in zen.spamhaus.org]
* 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
* [URIs: oncewere.com]
* 4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
* [URIs: oncewere.com]
* 4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
* [URIs: oncewere.com]
* 2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
* [URIs: oncewere.com]
* 3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
* [URIs: oncewere.com]
Received: from cybernizar ([41.251.96.172])
by _my_isp_ (xxx) with SMTP id m1EKND17024090
for <_my_email_address_>; Thu, 14 Feb 2008 15:23:19 -0500 (EST)
(envelope-from kath@_my_isp_)
Date: Thu, 14 Feb 2008 15:23:13 -0500 (EST)
X-Mailer: CME-V6.5.4.3; MSN
Received: (qmail 4431 by uid 249); Thu, 14 Feb 2008 08:23:17 GMT
Message-Id: <20080214082317.4433.qmail@cybernizar>
To: <xxx>
Subject: February 75% OFF
From: <_my_email_address_>
xxxMIME-Version: 1.0
xxxContent-Type: text/html; charset="ISO-8859-1"
xxxContent-Transfer-Encoding: 7bit
X-IMAPbase: 1203021847 4
X-UIDL: dn/!!+Fj!!8F(!!aZR!!
Status: RO
X-Status:
X-Keywords:
X-UID: 3

[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[html]
[head]
[meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"]
[/head]
[style]
[body]
[table width="600" border="0" cellpadding="0" cellspacing="0"]
[tr]
[td]
[!-- Notice: If this text is displayed, your email client cannot display properly the format we've sent you. You may want to consider upgrading to a more recent version of your email client. If you would like to receive only plain text messages, please reply to this message and put "Change to text" in the subject.--]
[/HEAD]
[BODY]
[TABLE border="0" align="center" width="610" cellPadding="0" cellSpacing="0"]
[TBODY]
[TR]
[td width="610" height="39" valign="top"]
[div align="right"]
[img src="http://kanaweb.odrz.com/notifications/events/ccs_epay/images/mmfw_e-mail_header_610x51.gif" width="610" height="51" border="0"][/div]
[/td]
[/TR]
[tr]
[td height="1"][img src="http://kanaweb.nufc.com/notifications/events/ccs_epay/images/wdfr.gif" width="610" height="1"][/td]
[/tr]
[TR]
[td width="135"]&nbsp;[/td]
[/TR]
[TR]
[TD]
[FONT size="2" face="Arial, Helvetica, sans-serif"]
Dear Carol Witt,[br]
[br]
Thank you for scheduling your recent credit card payment online. Your payment will post to your account on 149464149711/09/2008.
[BR]
[BR]
Now that you're making your payment online, are you aware of all the convenient ways you can manage your account online?
[BR]
[BR]
Just log in to www.ybry.com today. Using the "I'd like to..." links for your credit card account, you can access more than a dozen features, including links to:
[UL]
[LI]
[B]See Statements[/B] - View your statement and choose to stop receiving paper statements.[/LI]
[/style]
[center]
[a href="http://www.oncewere.com"][img src="http://www.oncewere.com/1.gif"]
[style]
[LI]
[B]Manage automatic payments[/B] - Set up monthly payments to be made automatically.[/LI]
[LI]
[B]Transfer a balance[/B] - Transfer a balance to your credit card account.[/LI]
[LI]
[B]Go to Free Alerts[/B] - Schedule alerts to be reminded of key account activity.[/LI]
[/UL]

You can also view past payments you have made online by logging on to www.vqrz.com and clicking "See payment history" under "I'd like to ..." .
[BR]
[BR]
If you have any problems or questions, please call the Customer Service number on the back of your credit card. [BR]
[BR]
Thanks again for using online payments.
[br]
[br]
Sincerely,
[br]
Cardmember Services

[/FONT]
[/TD]
[/TR]
[/TBODY]
[/TABLE]
[TABLE border="0" align="center" width="610" cellPadding="0" cellSpacing="0"]
[tr]
[td height="1"][img src="http://kanaweb.diqf.com/notifications/events/ccs_epay/images/fgyb.gif" width="610" height="1"][/td]
[/tr]
[TR]
[TD]
[br]
[FONT size="1" face="Arial, Helvetica, sans-serif"]
This email was sent to: _my_email_address_[br]
[/style]

spam...@nil.nil

unread,
Feb 14, 2008, 10:39:13 PM2/14/08
to
SPAM: February 75% OFF

page, the "account_id" is set with Javascript, the [noscript]
version of the "account_id" logger is missing, though the
*unclosed* opening [noscript] tag remains, there is no
PHPSESSID variable or cookie, the VeriSign seal may just have
been removed from the "usual" sites - at least from the fast-flux
botnet hosted one which I just checked).
---

Spam FROM: IP address 87.205.252.105
on inetia.pl
ab...@inetia.pl,postm...@inetia.pl,ab...@swiat.pl

==========
[DETAILS:]

SPAM FROM: IP address 87.205.252.105
Which forged my username in the envelope sender and
forged my email address as the "From:" address.

inetnum: 87.204.0.0 - 87.205.255.255
org: ORG-NTS2-RIPE
netname: PL-NETIA-20050706
descr: Netia SA
country: PL
remarks: ab...@inetia.pl
Address 87.205.252.105 maps to 87-205-252-105.adsl.inetia.pl
Checking 87-205-252-105.adsl.inetia.pl address 87.205.252.105
[whois.abuse.net]
ab...@inetia.pl (for inetia.pl)
postm...@inetia.pl (for inetia.pl)
ab...@swiat.pl (for inetia.pl)

The URL,
http://kanaweb.umhu.com/notifications/events/ccs_epay/images/aoeo.gif

but now shows:

page the account_id is set with Javascript. This is quite similar to
the "usual" version, but not identical.

[title]Canadian Pharmacy[/title]

&client_time=1203042452 [Net time. Number of seconds since 1 January 1970]

Return-Path: <_my_n...@harveylumber.com>
Received: from _my_isp_ (_my_isp_ [xxx.xxx.xxx.xxx])
by _my_isp_ (xxx) with ESMTP id m1F0nFuD064224
for <_my_email_address_>; Thu, 14 Feb 2008 19:49:15 -0500 (EST)
(envelope-from _my_n...@harveylumber.com)
Date: Thu, 14 Feb 2008 19:49:15 -0500 (EST)
Received: from [87.205.252.105] (helo=aleksand-61e7d9)
by _my_isp_ with smtp (Exim 4.66 (FreeBSD))
(envelope-from <_my_n...@harveylumber.com>)
id 1JPoka-000LTT-OO
for _my_email_address_; Thu, 14 Feb 2008 19:48:25 -0500
X-Mailer: CME-V6.5.4.3; MSN
Received: (qmail 27367 by uid 852); Fri, 15 Feb 2008 01:49:12 +0100
Message-Id: <20080215024912.27369.qmail@aleksand-61e7d9>


To: <xxx>
Subject: February 75% OFF
From: <_my_email_address_>
xxxMIME-Version: 1.0
xxxContent-Type: text/html; charset="ISO-8859-1"
xxxContent-Transfer-Encoding: 7bit

X-UIDL: ;@X"!!c0"!KI]"!p?&"!
Status: RO
X-Status:
X-Keywords:
X-UID: 7

[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[html]
[head]
[meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"]
[/head]
[style]
[body]
[table width="600" border="0" cellpadding="0" cellspacing="0"]
[tr]
[td]
[!-- Notice: If this text is displayed, your email client cannot display properly the format we've sent you. You may want to consider upgrading to a more recent version of your email client. If you would like to receive only plain text messages, please reply to this message and put "Change to text" in the subject.--]
[/HEAD]
[BODY]
[TABLE border="0" align="center" width="610" cellPadding="0" cellSpacing="0"]
[TBODY]
[TR]
[td width="610" height="39" valign="top"]
[div align="right"]

[img src="http://kanaweb.aevo.com/notifications/events/ccs_epay/images/rfbx_e-mail_header_610x51.gif" width="610" height="51" border="0"][/div]
[/td]
[/TR]
[tr]
[td height="1"][img src="http://kanaweb.umhu.com/notifications/events/ccs_epay/images/aoeo.gif" width="610" height="1"][/td]


[/tr]
[TR]
[td width="135"]&nbsp;[/td]
[/TR]
[TR]
[TD]
[FONT size="2" face="Arial, Helvetica, sans-serif"]

Dear Minnie Pratt,[br]
[br]
Thank you for scheduling your recent credit card payment online. Your payment will post to your account on 087939557520/00/2008.


[BR]
[BR]
Now that you're making your payment online, are you aware of all the convenient ways you can manage your account online?
[BR]
[BR]

Just log in to www.hike.com today. Using the "I'd like to..." links for your credit card account, you can access more than a dozen features, including links to:


[UL]
[LI]
[B]See Statements[/B] - View your statement and choose to stop receiving paper statements.[/LI]
[/style]
[center]
[a href="http://www.oncewere.com"][img src="http://www.oncewere.com/1.gif"]
[style]
[LI]
[B]Manage automatic payments[/B] - Set up monthly payments to be made automatically.[/LI]
[LI]
[B]Transfer a balance[/B] - Transfer a balance to your credit card account.[/LI]
[LI]
[B]Go to Free Alerts[/B] - Schedule alerts to be reminded of key account activity.[/LI]
[/UL]

You can also view past payments you have made online by logging on to www.rfjh.com and clicking "See payment history" under "I'd like to ..." .


[BR]
[BR]
If you have any problems or questions, please call the Customer Service number on the back of your credit card. [BR]
[BR]
Thanks again for using online payments.
[br]
[br]
Sincerely,
[br]
Cardmember Services

[/FONT]
[/TD]
[/TR]
[/TBODY]
[/TABLE]
[TABLE border="0" align="center" width="610" cellPadding="0" cellSpacing="0"]
[tr]

[td height="1"][img src="http://kanaweb.hijg.com/notifications/events/ccs_epay/images/hzgq.gif" width="610" height="1"][/td]

spam...@nil.nil

unread,
Feb 17, 2008, 12:33:10 PM2/17/08
to
SPAM: February 75% OFF

1 FOR 3: I received three copies of this and am
posting one to NANAS.

Illegal sale of prescription drugs without prescription
webcom...@ora.fda.gov
---

The phone contact at the site, +1(210) 787-1711,
had changed to +1(281) 971-9929 for about two days,
then returned to +1(210) 787-1711 and has recently
changed to +1(210) 888-9089.
---
The sites have recently added eighteen items to their product list:
Baclofen Benadryl Bentyl
Carafate Cha De Bugre Cleocin
DHEA Diclofenac Ditropan
Doxycycline Dramamine Furosemide
Periactin Sinemet Tazorac
Thyroid Booster Trileptal Voltaren
and renamed "GABA" to "GABA (HGH Booster)" and then added
Brafix SleepWell (Herbal XANAX).
---

Spam FROM: ppp212-48-211-88.avans-iat.spbnit.ru [212.48.211.88]
ab...@dtd.ptn.ru,ab...@ptn.ru,ab...@rtcomm.ru,ab...@spbnit.ru,
ab...@telegraph.spb.ru,n...@dtd.ptn.ru,postm...@dtd.ptn.ru,
postm...@spbnit.ru

This is the modern form of email advertising, consisting
of stealing another party's content and using that as
as a framework for the spam so that the innocent third
party content helps foil anti-spam filters.

Spam CONTENT: A Microsoft Featured Offer promotion
("MSN shall not be responsible or liable ..."
"This will not unsubscribe you from e-mail communications ...")
via wjadserver.com for aboutonlinecolleges.com, education180.com.
allalliedhealthschools.com
ab...@allalliedhealthschools.com,ab...@wjadserver.com,
ab...@msn.com,ab...@microsoft.com,ab...@aboutonlinecolleges.com,
ab...@education180.com,
ad...@allalliedhealthschools.com,ad...@wjadserver.com,
ad...@msn.com,ad...@microsoft.com,ad...@aboutonlinecolleges.com,
ad...@education180.com

The only effective content in the spam is the:

Spam CONTENT [image]: http://www.roundpast.com/1.gif
Spamvertized URL: http://www.roundpast.com

==========
[DETAILS:]

SPAM FROM: ppp212-48-211-88.avans-iat.spbnit.ru [212.48.211.88]
Which forged my username in the envelope sender,


forged my email address as the "From:" address

and addressed the spam to a very old format of
my email address used years ago for USENET posting.

inetnum: 212.48.210.0 - 212.48.211.255
netname: RU-SPBNIT-IAT
descr: "St.Petersburg Telephone Network"
country: RU
remarks: trouble: n...@dtd.ptn.ru
[whois.abuse.net]
ab...@spbnit.ru (for dtd.ptn.ru)
postm...@dtd.ptn.ru (for dtd.ptn.ru)
ab...@ptn.ru (for dtd.ptn.ru)
postm...@spbnit.ru (for spbnit.ru)
ab...@dtd.ptn.ru (for dtd.ptn.ru)
ab...@telegraph.spb.ru (for dtd.ptn.ru)
ab...@spbnit.ru (for spbnit.ru)
n...@dtd.ptn.ru (for dtd.ptn.ru)
ab...@ptn.ru (for spbnit.ru)
ab...@rtcomm.ru (for dtd.ptn.ru)
ab...@rtcomm.ru (for spbnit.ru)

SPAM CONTENTS: Apparently a Microsoft, msadcenter mailing.

clickable text instead of an image. Fast flux? Yes.
Canadian Pharmacy sites may use static hosting or fast flux
and I have seen hosts move from one to the other.

Let's see what we have this time.

Well, I have gotten Microsoft email (repurposed by this spammer
as spam transport) for hotmail and for IE7 and something else
and then a different HOTMAIL promotion.
What is this one? Well, it is Microsoft again, that's for sure!
[title]Windows Live Hotmail Print Message[/title]
You are receiving this e-mail because you subscribed to MSN Featured Offers.
If you do not wish to receive this MSN Featured Offers e-mail, please click
the "Unsubscribe" link below.
This will not unsubscribe you from e-mail communications ...
MSN shall not be responsible or liable ...
(C)2008 Microsoft | Unsubscribe | More Nejnletters | Privacy
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052
and we have munged image locations
[img src="http://track.msadcenter.lrw.com/qlooaza-ovatpimxtn.gif" ... ]
[img src="http://track.msadcenter.ide.com/beccvhz-ovatpimxtn.gif" ... ]
and target URLs
[a href="http://track.msadcenter.eyk.com/wwfdtge_ovatpimxtn.html" ... ]Click here to get enrolled for your czlr ![/a]
[area ... href="http://track.msadcenter.wih.com/bzreick_ovatpimxtn.html" ... ]
[area ... href="http://track.msadcenter.xvv.com/eubwmrr_ovatpimxtn.html" ... ]
[a href="http://track.msadcenter.bmj.com/tevkzuk_ovatpimxtn.html" ... ]Click here to get enrolled for your ibct ![/a]
[a href="http://track.msadcenter.scj.com/tevkzuc_ovatpimxtn.html" ... ]Unsubscribe[/a]
[a href="http://track.msadcenter.ksm.com/nodznrp_ovatpimxtn.html" ... ]More Newsletters[/a]
[a href="http://track.msadcenter.ykx.com/bzreicr_ovatpimxtn.html" ... ]Privacy[/a]
where the domain name, msn.com, has been munged ([random_letters].com)
and changing the hostnames to track.msadcenter.msn.com we see that the
original email promotion ("MSN shall not be responsible or liable ...")
is for:

... headers from each URL omitted ...

where the images show "Health and Wellness" and an add for:

Get your Degree in
Medical Billing and Coding

and this is (originally) a Microsoft Feature Offer promotion
via wjadserver.com for aboutonlinecolleges.com, education180.com,
allalliedhealthschools.com who should be informed (Bayesian email
filters may notice the spam and block email containing "ovatpimxtn"
and this Featured Promotion). Heck, the way this spammer operates,
with a seeming preference for "msadcenter" mail, it may be a good
idea to block all mail containing "msadcenter" for most of it may
be spam and not from Microsoft.

Well, whether it originally was spam or not, the email promotion
has been recycled by (another) spammer with the original content
encapsulated in [style],[/style] tags and the format of the spam is:
[!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"]
[html dir="ltr"]
[head]
[title]Windows Live Hotmail Print Message[/title] [/head]
[style]
... [third party content: Microsoft featured promotion for aboutonlinecolleges.com, education180.com, allalliedhealthschools.com]
[/style]
[a href="http://www.roundpast.com"]
[img src="http://www.roundpast.com/1.gif"] <-- NO CLOSING [/a] TAG.
[style]
... [third party content: Microsoft featured promotion for aboutonlinecolleges.com, education180.com, allalliedhealthschools.com]


[/style]
with the only effective content being the spammer's:


SPAM CONTENT [image]: http://www.roundpast.com/1.gif
SPAMVERTIZED URL: http://www.roundpast.com

=========================================================
For the host:
"www.roundpast.com"

NAMESERVERS listed in the root servers for roundpast.com:
---------------------------------------------------------
roundpast.com NS ns2.xinnet.cn
roundpast.com NS ns2.xinnetdns.com
roundpast.com NS ns.xinnet.cn
roundpast.com NS ns.xinnetdns.com


ns2.xinnet.cn A 210.51.170.67
ns2.xinnetdns.com A 210.51.170.48
ns.xinnet.cn A 210.51.171.209
ns.xinnetdns.com A 210.51.170.66

[extract from dig]
------------------
dig @210.51.170.48

www.roundpast.com


A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

www.roundpast.com A 79.135.165.6

dig @210.51.170.66
www.roundpast.com


A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

www.roundpast.com A 79.135.165.6

dig @210.51.170.67
www.roundpast.com


A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

www.roundpast.com A 79.135.165.6

dig @210.51.171.209
www.roundpast.com


A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

www.roundpast.com A 79.135.165.6
=========================================================

Prior to this the site had moved around with nameservers and
webhosts appearing at


58.20.81.169 58.20.82.188 58.20.84.92 58.253.71.92
58.253.71.112 58.253.71.121 61.139.219.56 79.135.165.2
79.135.165.3 79.135.165.4 79.135.165.5 79.135.165.6
79.135.166.50 79.135.166.51 79.135.166.52 79.135.166.53
79.135.166.54 79.143.178.2 79.143.178.3 79.143.178.4
79.143.178.5 81.222.137.17 81.222.137.18 81.222.137.19
81.222.137.20 81.222.137.21 81.222.137.22 81.222.137.23
81.222.137.24 81.222.137.25 81.222.137.26 81.222.137.27
81.222.137.28 81.222.137.29 81.222.137.30 81.222.137.31
81.222.137.32 116.122.193.194 116.199.135.167 116.199.135.168
116.199.135.191 116.199.136.61 116.199.138.23 116.199.138.24
123.111.50.158 123.111.50.187 210.21.110.105 210.21.110.150
210.245.160.192 218.106.90.228 218.106.90.230 219.251.217.133
221.5.41.9 221.5.41.10 221.5.41.17 221.5.41.19
221.5.41.20 221.5.41.28 221.5.41.35 221.5.41.37
221.122.64.14 221.122.64.15 221.130.200.179 221.130.200.182
221.130.200.189

while we currently have 79.135.165.6 as the IP address to which the
host resolves. Often there are multiple nearby addresses (e.g. when
the site resolved to 81.222.137.32 and then 81.222.137.17 and then
81.222.137.18 it could be found at each IP address from 81.222.137.17
through 81.222.137.32). Let me check a few addresses near the resolution,
79.135.165.6.

IP ADDRESS TTL IP ID FLAGS TCP-TIMESTAMP
---------- --- ----- ----- -------------

79.135.165.2 40 17584 SA 1263248993
79.135.165.6 40 18009 SA 1263249521

where the matching TCP-timestamps and IP ID sequences
(it is, after all, a busy system) strongly suggest that
these IP addresses reach the same system. Let me check
by forcing the hostname to resolve to both IP addresses
in sequence and see what they return for the URL,
http://www.roundpast.com.

* Connected to 79.135.165.2
GET / HTTP/1.1

Host: www.roundpast.com

HTTP/1.1 200 OK
Server: nginx/0.5.32
[title]Canadian Pharmacy[/title]


* Connected to 79.135.165.6
GET / HTTP/1.1

Host: www.roundpast.com

HTTP/1.1 200 OK
Server: nginx/0.5.32
[title]Canadian Pharmacy[/title]

and the pages obtained from these IP addresses are, except for
the session id which appears in various locations on the pages,
such as, '[a href="/cart.php?PHPSESSID=[varies]"]Proceed to Checkout[/a]',
byte-for-byte identical.


IP address 79.135.165.2 [WEB HOST ONLY]
IP address 79.135.165.6 [WEB HOST ONLY]
---------------------------------------
IP address 79.135.165.2 is found listed at spamhaus.org.
IP address 79.135.165.6 is found listed at spamhaus.org.
Lists "known spammers, spam gangs or spam support services."
That's strange ... it used to be
inetnum: 79.135.165.0 - 79.135.166.255
netname: AbdAllah_Internet
descr: Jamhid AbdAllah dedicated servers provider
descr: Al Basra
remarks: NOC administrator: ipa...@ahlen.biz
remarks: abuse mailbox: ab...@ahlen.biz
but now is:
inetnum: 79.135.165.0 - 79.135.166.255
netname: Sistemnet-Telecom-Blackholed-IP
country: TR
address: Sistemnet Telecom
abuse-mailbox: ab...@sistemnet.com.tr
165.135.79.in-addr.arpa has SOA ad...@sistemnet.com.tr
This is on Autonomous System Number 9121 (routing for 79.135.160.0/19)
aut-num: AS9121
as-name: TTNet
descr: TTnet Autonomous System
descr: Turk Telekom A.S.
admin-c: TTBA1-RIPE ab...@ttnet.net.tr
The registration for ttnet.net.tr shows:
Registrant:
Turk Telekominikasyon A.S.
Ankara, Turkiye
i...@turktelekom.com.tr
The registration for telekom.gov.tr shows:
Registrant:
Turk Telekomunikasyon A.S.
Turk Telekomunikasyon A.S. Gen.Mud.Bilisim Aglari
Ankara, Turkiye
[omitted]@telekom.gov.tr
---------------------------------------

NAMESERVERS: ns.xinnet.cn ns2.xinnet.cn ns.xinnetdns.com ns2.xinnetdns.com
--------------------------------------------------------------------------


SPAM CONTENT [image]: http://www.roundpast.com/1.gif

The contents of the image are:
=====================================================
CHEAPEST PRICES

We are the only store wich
gives this great deal you!

The USA Licensed Save huge 70 %
Online Pharmacy on all the orders with us!

VIAGRA VIAGRA SOFT CIALIS CIALIS SOFT
XANAX SOMA AMBIEN TRAMADOL
VALIUM MERIDIA
=====================================================
(The product names were titles of small pill images.)


SPAMVERTIZED URL: http://www.roundpast.com

A (recent) REFRESH redirection,
[META http-equiv="refresh" content="0; url=index.php"]
sometimes appears as the first/default page, redirecting to the
content page. Other times one receives the content immediately.

[title]Canadian Pharmacy[/title]

The starting page includes the domain name as the "account_id"

document.write('[img src="counter.php?account_id=[domain_name]&aid=&said=&js=1'+params+'" width=1 height=1]');

*** CHANGE ***
--------------
The VeriSign seal, at http://[hostname]/img/award1.gif, has been removed
from the page, but not the site (it can still be obtained).
The "VeriSign" assurance of a secure site can still be found using
http://[hostname]/checker2.php and it assures us that:
"roundpast.com is a VeriSign Secure Site
Name roundpast.com


Status Valid
Validity Period 30-NOV-05 - 11-JUN-09
Server ID Information
Country = CA
State = British Columbia
Organization = Canadian Pharmacy Inc.
Organizational Unit = Pharmacy On-line Store
Organizational Unit = Terms of use at www.safescrypt.com/rpa (c) 03
Organizational Unit = Authenticated by Safescrypt Limited
Organizational Unit = Member, VeriSign Trust Network

Common Name = roundpast.com"
even though there is no image on the page which one can
click to bring up this fraudulent assurance.

** CHANGE!! **
--------------
"Licensed by The College of Pharmacists of British Columbia.
If you have any questions or concerns you can contact the college at
200-1765 West 8th Ave. Vancouver, BC, Canada V6J 5C6
You may contact us at +1(210) 888-9089, please, keep your order I.D.
every time you make a call.
(C) Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved."

--------------
THE PHONE NUMBER CONTACT USED TO BE +1(210) 787-1711
THEN FOR TWO DAYS IT WAS +1(281) 971-9929
IT THEN RETURNED TO +1(210) 787-1711
IT THEN CHANGED TO +1(210) 888-9089

The site assures one of a secure purchase,
(C) 2008 Secure.Order.Form

"Rest assured that our online order system makes use of the latest
Security encryption technology to ensure that your credit card
information is submitted safely and with the highest level of
protection."
"For your safety we use highly secure order processing server with our
own secure certificate."
though one's order (including credit card) data,
item_name[299]=Viagra
&item_name[3945]=Viagra

&item_name[642]=Delivery type
&item_price[299]=34.15

&item_price[3945]=0
&item_price[642]=10.95


&item_description[299]=10 pills X 50 mg
&item_description[3945]=2 pills X 100 mg

&item_description[642]=AirMail


&item_quantity[299]=1
&item_quantity[3945]=1

&item_quantity[642]=1
&checksum=
&currency=usd
&Customer_FirstName=[victim's name: first]
&Customer_LastName=[victim's name: last]
&street=[victim's address: street]
&city=[victim's address: city]
&zip=[victim's address: zip code]
&state=[victim's address: state]
&country=USA
&phone1=[victim's phone number: country code]
&phone2=[victim's phone number: area code]
&phone3=[victim's phone number: exchange]
&phone4=[victim's phone number: number]
&Email=[victim's address: email]
&aemail=[victim's address: alternate email: optional]
&messenger=
&messenger_contact=
&birthday=
&ssn=

&client_time=1203256411 [Net time. Number of seconds since 1 January 1970]

This time I clicked the earlier SUBMIT button

Return-Path: <_my_n...@rodenstockusa.com>


X-Spam-DCC: _DCCB_: _DCCR_
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
_my_isp_

X-Spam-Level: *********************************
X-Spam-Status: Yes, score=33.2 required=5.0 tests=BAYES_99,DK_POLICY_SIGNSOME,
HELO_DYNAMIC_IPADDR,HTML_90_100,HTML_IMAGE_ONLY_32,HTML_MESSAGE,
MIME_HTML_ONLY,NO_REAL_NAME,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PBL,SARE_UNI,
URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,
URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=spam version=3.1.8


X-Spam-Report:
* 1.0 NO_REAL_NAME From: does not include a real name

* 4.2 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr
* 1)


* 0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails

* 1.1 HTML_IMAGE_ONLY_32 BODY: HTML: images with 2800-3200 bytes of words


* 0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 2.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 1.0000]
* 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts

* 0.6 SARE_UNI RAW: SARE_UNI
* 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* [Blocked - see <http://www.spamcop.net/bl.shtml?212.48.211.88>]


* 0.0 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL

* [212.48.211.88 listed in zen.spamhaus.org]
* 1.6 URIBL_SBL Contains an URL listed in the SBL blocklist
* [URIs: roundpast.com]


* 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist

* [URIs: roundpast.com]


* 4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist

* [URIs: roundpast.com]
* 3.8 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
* [URIs: roundpast.com]


* 4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist

* [URIs: roundpast.com]


* 2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist

* [URIs: roundpast.com]


* 3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist

* [URIs: roundpast.com]
Received: from ppp212-48-211-88.avans-iat.spbnit.ru (ppp212-48-211-88.avans-iat.spbnit.ru [212.48.211.88])
by _my_isp_ (xxx) with SMTP id m1HEdYNH004829
for <_my_email_address_>; Sun, 17 Feb 2008 09:39:41 -0500 (EST)
(envelope-from _my_n...@rodenstockusa.com)
Date: Sun, 17 Feb 2008 09:39:34 -0500 (EST)
X-Mailer: CME-V6.5.4.3; MSN
Received: (qmail 26983 by uid 194); Sun, 17 Feb 2008 05:39:40 +0300
Message-Id: <2008021708394...@ppp212-48-211-88.avans-iat.spbnit.ru>


To: <xxx>
Subject: February 75% OFF
From: <_my_email_address_>
xxxMIME-Version: 1.0
xxxContent-Type: text/html; charset="ISO-8859-1"
xxxContent-Transfer-Encoding: 7bit

X-IMAPbase: 1203259155 2
X-UIDL: LY'#!#Dd!!D3W!!9mf!!
Status: RO
X-Status:
X-Keywords:
X-UID: 2

[!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"]
[html dir="ltr"]
[head]
[title]Windows Live Hotmail Print Message[/title]
[/head]
[style]
[img src="http://track.msadcenter.uwz.com/ufbjwqw_ovatpimxtn.gif&amp;o=1" width=0 height=0]
[table cellpadding=0 cellspacing=0 width=600 align=center]
[tr]
[td][img src="http://track.msadcenter.ide.com/beccvhz-ovatpimxtn.gif" border=0][/td]
[/tr]
[tr]
[td class=EC_container bgcolor="#F2F2F2"]
[table cellpadding=0 cellspacing=0 width="100%"]
[tr]
[td]

[div align=center]


[meta http-equiv=Content-Type content="text/html; charset=unicode"]
[meta name=Generator content="Microsoft SafeHTML"]

[title]Untitled Document[/title]


[center]


[a href="http://track.msadcenter.eyk.com/wwfdtge_ovatpimxtn.html" target="_blank"]Click here to get enrolled for your czlr ![/a][br][br]
[img src="http://track.msadcenter.lrw.com/qlooaza-ovatpimxtn.gif" border=0 usemap="#Map"]

[map name=Map id=Map]
[area shape=rect coords="282,157,497,265" href="http://track.msadcenter.wih.com/bzreick_ovatpimxtn.html" target="_blank"]
[area shape=rect coords="282,264,498,374" href="http://track.msadcenter.xvv.com/eubwmrr_ovatpimxtn.html" target="_blank"]
[/map]
[br][a href="http://track.msadcenter.bmj.com/tevkzuk_ovatpimxtn.html" target="_blank"]Click here to get enrolled for your ibct ![/a]
[/center]
[/style]
[center]
[a href="http://www.roundpast.com"][img src="http://www.roundpast.com/1.gif"]
[style]
[/div]

[/td]
[/tr]
[tr]
[td class=EC_legal]
[strong]About this mailing: [/strong][br]
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the &quot;Unsubscribe&quot; link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.[br][br]

©2008 Microsoft | [a href="http://track.msadcenter.scj.com/tevkzuc_ovatpimxtn.html" target="_blank"]Unsubscribe[/a] | [a href="http://track.msadcenter.ksm.com/nodznrp_ovatpimxtn.html" target="_blank"]More Newsletters[/a] | [a href="http://track.msadcenter.ykx.com/bzreicr_ovatpimxtn.html" target="_blank"]Privacy[/a][br][br]
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

[/td]
[/tr]
[/table]
[/td]
[/tr]
[/table]

[/div]
[/div]

[/div]

[/body]

sigh...@this-is.invalid.com

unread,
Feb 16, 2008, 11:19:47 AM2/16/08
to
Received: from [221.125.18.122] by openbrick.kicks-ass.net
(ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.6.0)); Sat, 16 Feb 2008 11:19:45 -0500
X-Mailer: CME-V6.5.4.3; MSN
Return-Path: <dev...@hacksaw.org>
Received: (qmail 25369 by uid 784); Sun, 17 Feb 2008 12:18:21 +0800
Message-Id: <20080217201821.25371.qmail@GHOST>
To: <[devnull]>
Subject: February 75% OFF
From: <[devnull]>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Antivirus: avast! (VPS 080215-0, 2008/02/15), Outbound message
X-Antivirus-Status: Clean
Date: Sat, 16 Feb 2008 11:19:45 -0500

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir="ltr">
<head>
<title>Windows Live Hotmail Print Message</title>
</head>
<style>

<img src="http://track.msadcenter.vkd.com/ufbjwqw_ovatpimxtn.gif&amp;o=1" width=0 height=0>


<table cellpadding=0 cellspacing=0 width=600 align=center>
<tr>

<td><img src="http://track.msadcenter.cpq.com/beccvhz-ovatpimxtn.gif" border=0></td>


</tr>
<tr>
<td class=EC_container bgcolor="#F2F2F2">
<table cellpadding=0 cellspacing=0 width="100%">
<tr>
<td>

<div align=center>


<meta http-equiv=Content-Type content="text/html; charset=unicode">
<meta name=Generator content="Microsoft SafeHTML">

<title>Untitled Document</title>


<center>


<a href="http://track.msadcenter.kmz.com/wwfdtge_ovatpimxtn.html" target="_blank">Click here to get enrolled for your gubb !</a><br><br>
<img src="http://track.msadcenter.okr.com/qlooaza-ovatpimxtn.gif" border=0 usemap="#Map">

<map name=Map id=Map>
<area shape=rect coords="282,157,497,265" href="http://track.msadcenter.oio.com/bzreick_ovatpimxtn.html" target="_blank">
<area shape=rect coords="282,264,498,374" href="http://track.msadcenter.mry.com/eubwmrr_ovatpimxtn.html" target="_blank">
</map>
<br><a href="http://track.msadcenter.wtf.com/tevkzuk_ovatpimxtn.html" target="_blank">Click here to get enrolled for your ndcm !</a>


</center>
</style>
<center>
<a href="http://www.roundpast.com"><img src="http://www.roundpast.com/1.gif">
<style>
</div>

</td>
</tr>
<tr>
<td class=EC_legal>
<strong>About this mailing: </strong><br>
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the &quot;Unsubscribe&quot; link below. This will not unsubscribe you

©2008 Microsoft | <a href="http://track.msadcenter.vzb.com/tevkzuc_ovatpimxtn.html" target="_blank">Unsubscribe</a> | <a href="http://track.msadcenter.hih.com/nodznrp_ovatpimxtn.html" target="_blank">More Newsletters</a> | <a href="http://track.msadcent

sigh...@this-is.invalid.com

unread,
Feb 16, 2008, 3:10:33 PM2/16/08
to
Received: from [60.31.203.203] by openbrick.kicks-ass.net
(ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.6.0)); Sat, 16 Feb 2008 15:10:30 -0500
X-Mailer: CME-V6.5.4.3; MSN
Return-Path: <jason_...@georgiasouthern.edu>
Received: (qmail 3697 by uid 251); Sat, 17 Feb 2007 04:10:27 +0800
Message-Id: <20070217121027.3699.qmail@DE5BB879CF4E44C>
To: <[removed]>
Subject: February 75% OFF
From: <[removed]>

MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Date: Sat, 16 Feb 2008 15:10:30 -0500

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir="ltr">
<head>
<title>Windows Live Hotmail Print Message</title>
</head>
<style>

<img src="http://track.msadcenter.ufx.com/ufbjwqw_ovatpimxtn.gif&amp;o=1" width=0 height=0>


<table cellpadding=0 cellspacing=0 width=600 align=center>
<tr>

<td><img src="http://track.msadcenter.mfe.com/beccvhz-ovatpimxtn.gif" border=0></td>


</tr>
<tr>
<td class=EC_container bgcolor="#F2F2F2">
<table cellpadding=0 cellspacing=0 width="100%">
<tr>
<td>

<div align=center>


<meta http-equiv=Content-Type content="text/html; charset=unicode">
<meta name=Generator content="Microsoft SafeHTML">

<title>Untitled Document</title>


<center>


<a href="http://track.msadcenter.kxk.com/wwfdtge_ovatpimxtn.html" target="_blank">Click here to get enrolled for your xdlb !</a><br><br>
<img src="http://track.msadcenter.gds.com/qlooaza-ovatpimxtn.gif" border=0 usemap="#Map">

<map name=Map id=Map>
<area shape=rect coords="282,157,497,265" href="http://track.msadcenter.cpf.com/bzreick_ovatpimxtn.html" target="_blank">
<area shape=rect coords="282,264,498,374" href="http://track.msadcenter.xcd.com/eubwmrr_ovatpimxtn.html" target="_blank">
</map>
<br><a href="http://track.msadcenter.ydh.com/tevkzuk_ovatpimxtn.html" target="_blank">Click here to get enrolled for your dbco !</a>


</center>
</style>
<center>
<a href="http://www.roundpast.com"><img src="http://www.roundpast.com/1.gif">
<style>
</div>

</td>
</tr>
<tr>
<td class=EC_legal>
<strong>About this mailing: </strong><br>
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the &quot;Unsubscribe&quot; link below. This will not unsubscribe you

©2008 Microsoft | <a href="http://track.msadcenter.woq.com/tevkzuc_ovatpimxtn.html" target="_blank">Unsubscribe</a> | <a href="http://track.msadcenter.etn.com/nodznrp_ovatpimxtn.html" target="_blank">More Newsletters</a> | <a href="http://track.msadcent

sigh...@this-is.invalid.com

unread,
Feb 18, 2008, 4:25:44 AM2/18/08
to
Received: from [220.94.167.31] by openbrick.kicks-ass.net
(ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.6.0)); Mon, 18 Feb 2008 04:25:41 -0500
X-Mailer: CME-V6.5.4.3; MSN
Return-Path: <jason...@aspect.com>
Received: (qmail 3570 by uid 818); Mon, 18 Feb 2008 06:25:37 +0900
Message-Id: <20080218152537.3572.qmail@VUMINHCHIEN_300>

To: <[removed]>
Subject: February 75% OFF
From: <[removed]>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Date: Mon, 18 Feb 2008 04:25:41 -0500

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir="ltr">
<head>
<title>Windows Live Hotmail Print Message</title>
</head>
<style>

<img src="http://track.msadcenter.yxd.com/ufbjwqw_ovatpimxtn.gif&amp;o=1" width=0 height=0>


<table cellpadding=0 cellspacing=0 width=600 align=center>
<tr>

<td><img src="http://track.msadcenter.dhe.com/beccvhz-ovatpimxtn.gif" border=0></td>


</tr>
<tr>
<td class=EC_container bgcolor="#F2F2F2">
<table cellpadding=0 cellspacing=0 width="100%">
<tr>
<td>

<div align=center>


<meta http-equiv=Content-Type content="text/html; charset=unicode">
<meta name=Generator content="Microsoft SafeHTML">

<title>Untitled Document</title>


<center>


<a href="http://track.msadcenter.pan.com/wwfdtge_ovatpimxtn.html" target="_blank">Click here to get enrolled for your jcqp !</a><br><br>
<img src="http://track.msadcenter.fdj.com/qlooaza-ovatpimxtn.gif" border=0 usemap="#Map">

<map name=Map id=Map>
<area shape=rect coords="282,157,497,265" href="http://track.msadcenter.kvo.com/bzreick_ovatpimxtn.html" target="_blank">
<area shape=rect coords="282,264,498,374" href="http://track.msadcenter.egb.com/eubwmrr_ovatpimxtn.html" target="_blank">
</map>
<br><a href="http://track.msadcenter.reb.com/tevkzuk_ovatpimxtn.html" target="_blank">Click here to get enrolled for your xpkn !</a>


</center>
</style>
<center>
<a href="http://www.roundpast.com"><img src="http://www.roundpast.com/1.gif">
<style>
</div>

</td>
</tr>
<tr>
<td class=EC_legal>
<strong>About this mailing: </strong><br>
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the &quot;Unsubscribe&quot; link below. This will not unsubscribe you

©2008 Microsoft | <a href="http://track.msadcenter.wpi.com/tevkzuc_ovatpimxtn.html" target="_blank">Unsubscribe</a> | <a href="http://track.msadcenter.fge.com/nodznrp_ovatpimxtn.html" target="_blank">More Newsletters</a> | <a href="http://track.msadcent

Rachele

unread,
Feb 19, 2008, 9:15:15 AM2/19/08
to
Mail received on spamtrap. This spamtrap mail has been redacted, the
mail was not really sent to <Rac...@users.spamikaze.org>.

URLs have been stripped of the parts before and after the host name.

>From 2...@jbdistributors.com Tue Feb 19 09:15:15 2008
Return-path: <2...@jbdistributors.com>


Received: from [mail.victim.example] (helo=humbolt.mail.victim.example)
by shelob.surriel.com with esmtp (Exim 4.63)

(envelope-from <2...@jbdistributors.com>)
id 1JRTFZ-0003qE-Ja
for Rac...@users.spamikaze.org; Tue, 19 Feb 2008 09:15:14 -0500
Received: from [92.112.128.56] (helo=kom)


by humbolt.mail.victim.example with smtp (Exim 4.22)

id 1JRTFV-0006z0-7z
for Rac...@users.spamikaze.org; Tue, 19 Feb 2008 15:15:09 +0100
X-Mailer: CME-V6.5.4.3; MSN
Received: (qmail 4511 by uid 290); Tue, 19 Feb 2008 04:14:55 +0300
Message-Id: <20080219071455.4513.qmail@kom>
To: <Rac...@users.spamikaze.org>
Subject: February 75% OFF
From: <Rac...@users.spamikaze.org>
MIME-Version: 1.0
Date: Tue, 19 Feb 2008 15:15:09 +0100

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org>

<html dir="ltr">
<head>
<title>Windows Live Hotmail Print Message</title>
</head>
<style>

<img src="http://track.msadcenter.xkj.com1" width=0 height=0>


<table cellpadding=0 cellspacing=0 width=600 align=center>
<tr>

<td><img src="http://track.msadcenter.nqb.com border=0></td>


</tr>
<tr>
<td class=EC_container bgcolor="#F2F2F2">
<table cellpadding=0 cellspacing=0 width="100%">
<tr>
<td>

<div align=center>


<meta http-equiv=Content-Type content="text/html; charset=unicode">
<meta name=Generator content="Microsoft SafeHTML">

<title>Untitled Document</title>


<center>


<a href="http://track.msadcenter.xmv.com target="_blank">Click here to get enrolled for your cnce !</a><br><br>
<img src="http://track.msadcenter.rpn.com border=0 usemap="#Map">

<map name=Map id=Map>
<area shape=rect coords="282,157,497,265" href="http://track.msadcenter.yfp.com target="_blank">
<area shape=rect coords="282,264,498,374" href="http://track.msadcenter.aeh.com target="_blank">
</map>
<br><a href="http://track.msadcenter.oeh.com target="_blank">Click here to get enrolled for your rjxp !</a>


</center>
</style>
<center>
<a href="http://www.roundpast.com><img src="http://www.roundpast.com>

<style>
</div>

</td>
</tr>
<tr>
<td class=EC_legal>
<strong>About this mailing: </strong><br>

You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the &quot;Unsubscribe&quot; link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.<br><br>

©2008 Microsoft | <a href="http://track.msadcenter.jgc.com target="_blank">Unsubscribe</a> | <a href="http://track.msadcenter.wpi.com target="_blank">More Newsletters</a> | <a href="http://track.msadcenter.blk.com target="_blank">Privacy</a><br><br>

spam...@nil.nil

unread,
Feb 20, 2008, 9:03:36 PM2/20/08
to
SPAM: February 75% OFF

Illegal sale of prescription drugs without prescription
webcom...@ora.fda.gov
---
The phone contact at the site, +1(210) 787-1711,
had changed to +1(281) 971-9929 for about two days,
then returned to +1(210) 787-1711 and has recently
changed to +1(210) 888-9089.
---

Most sites (but not all) have recently removed six products,
Brite Flextra
Hoodia Weight Loss Patch Premium Diet Patch
StretchNil Ultracet
---
Most sites have removed the various seals and "awards"
(CIPA, PharmacyChecker.com, VeriSign, etc.).
---

Spam FROM: 77-253-245-13.adsl.inetia.pl [77.253.245.13]
ab...@inetia.pl,postm...@inetia.pl,ab...@swiat.pl

This is the modern form of email advertising, consisting
of stealing another party's content and using that as
as a framework for the spam so that the innocent third
party content helps foil anti-spam filters.

Spam CONTENT: A Microsoft Featured Offer promotion
("MSN shall not be responsible or liable ..."
"This will not unsubscribe you from e-mail communications ...")
via wjadserver.com for aboutonlinecolleges.com,

allalliedhealthschools.com, education180.com
ad...@aboutonlinecolleges.com,ad...@allalliedhealthschools.com,
ad...@education180.com,ad...@wjadserver.com,ad...@microsoft.com,
ad...@msn.com,ab...@aboutonlinecolleges.com,ab...@allalliedhealthschools.com,
ab...@education180.com,ab...@wjadserver.com,ab...@microsoft.com,ab...@msn.com
N.B. The envelope sender was also forged as [MY_USERNAME]_AT_msn.com,
yet another forgery of Microsoft's identity.

The only effective content in the spam is the:

Spam CONTENT [image]: http://www.successtone.com/1.gif
Spamvertized URL: http://www.successtone.com
at the SPAMHAUS listed IP addresses 79.135.165.2, 79.135.165.6 and 79.135.166.2

at the SPAMHAUS listed IP addresses 89.187.46.4 and 89.187.46.23
on bendery.md,monitoring.md
ab...@monitoring.md,ab...@bendery.md,postm...@monitoring.md,
postm...@bendery.md,sup...@monitoring.md,sup...@bendery.md,
ad...@monitoring.md,ad...@bendery.md,webm...@monitoring.md,
webm...@bendery.md,hostm...@monitoring.md,hostm...@bendery.md

==========
[DETAILS:]

SPAM FROM: 77-253-245-13.adsl.inetia.pl [77.253.245.13]
Which forged my username (and msn.com as the ISP)


in the envelope sender, forged my email address
as the "From:" address and addressed the spam
to a very old format of my email address used
years ago for USENET posting.

inetnum: 77.252.0.0 - 77.255.255.255
org: ORG-NTS2-RIPE
netname: PL-NETIA-20070201


descr: Netia SA
country: PL

remarks: trouble: ab...@inetia.pl

SPAM CONTENTS: Apparently a Microsoft, msadcenter mailing.

[title]Windows Live Hotmail Print Message[/title]


You are receiving this e-mail because you subscribed to MSN Featured Offers.

If you do not wish to receive this MSN Featured Offers e-mail, please click

the "Unsubscribe" link below.
This will not unsubscribe you from e-mail communications ...
MSN shall not be responsible or liable ...

(C)2008 Microsoft | Unsubscribe | More Newsletters | Privacy


Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

and we have munged image locations

[img src="http://track.msadcenter.hum.com/qlooaza-ovatpimxtn.gif" ... ]
[img src="http://track.msadcenter.sly.com/beccvhz-ovatpimxtn.gif" ... ]
and target URLs
[a href="http://track.msadcenter.cic.com/wwfdtge_ovatpimxtn.html" ... ]Click here to get enrolled for your icod ![/a]
[area ... href="http://track.msadcenter.obw.com/bzreick_ovatpimxtn.html" ... ]
[area ... href="http://track.msadcenter.sng.com/eubwmrr_ovatpimxtn.html" ... ]
[a href="http://track.msadcenter.yhi.com/tevkzuk_ovatpimxtn.html" ... ]Click here to get enrolled for your wqyb ![/a]
[a href="http://track.msadcenter.rxt.com/tevkzuc_ovatpimxtn.html" ... ]Unsubscribe[/a]
[a href="http://track.msadcenter.lbp.com/nodznrp_ovatpimxtn.html" ... ]More Newsletters[/a]
[a href="http://track.msadcenter.ezt.com/bzreicr_ovatpimxtn.html" ... ]Privacy[/a]


where the domain name, msn.com, has been munged ([random_letters].com)
and changing the hostnames to track.msadcenter.msn.com we see that the

original email promotion ("MSN shall not be responsible or liable ...")
is for:

* Connected to 207.46.179.249
GET /wwfdtge_ovatpimxtn.html HTTP/1.1
Host: track.msadcenter.msn.com

HTTP/1.1 302 Moved Temporarily
Location: http://www.wjadserver.com/marketplace/event?t=s2&o=121&a=164&s=1&u=-1&sid=msn_edu_mb_yellow_healthandwell_02132008


* Connected to 208.84.28.9
GET /marketplace/event?t=s2&o=121&a=164&s=1&u=-1&sid=msn_edu_mb_yellow_healthandwell_02132008 HTTP/1.1
Host: www.wjadserver.com

HTTP/1.1 302 Found
Location: http://www.aboutonlinecolleges.com/a.php?o=edumbill1&r=1


* Connected to 208.109.90.217
GET /a.php?o=edumbill1&r=1 HTTP/1.1
Host: www.aboutonlinecolleges.com

HTTP/1.1 200 OK
[title]About Online Colleges[/title]
[title]This page has moved...[/title]
[meta http-equiv="Refresh" content="0;
URL=http://www.education180.com/FindYourDegree/schoolForm?school=aiu&name=AIU+Online&program=Associate%27s+%28AABA%29+-+Medical+Coding+and+Billing&version=c&schoolSeq=aiu-uoponline-suo&rm=stleo&campaign=mbill1&source=wj&i=billing&keywords="]


* Connected to 72.3.135.237
GET /FindYourDegree/schoolForm?school=aiu&name=AIU+Online&program=Associate%27s+%28AABA%29+-+Medical+Coding+and+Billing&version=c&schoolSeq=aiu-uoponline-suo&rm=stleo&campaign=mbill1&source=wj&i=billing&keywords= HTTP/1.1
Host: www.education180.com

HTTP/1.1 200 OK
Server: Resin/3.0.23
[title]Education180.com[/title]


* Connected to 207.46.179.249
GET /bzreick_ovatpimxtn.html HTTP/1.1
Host: track.msadcenter.msn.com

HTTP/1.1 302 Moved Temporarily
Location: http://www.wjadserver.com/marketplace/event?t=s2&o=121&a=164&s=1&u=-1&sid=msn_edu_mb_yellow_healthandwell_02132008


* Connected to 208.84.28.9
GET /marketplace/event?t=s2&o=121&a=164&s=1&u=-1&sid=msn_edu_mb_yellow_healthandwell_02132008 HTTP/1.1
Host: www.wjadserver.com

HTTP/1.1 302 Found
Location: http://www.aboutonlinecolleges.com/a.php?o=edumbill1&r=1


* Connected to 208.109.90.217
GET /a.php?o=edumbill1&r=1 HTTP/1.1
Host: www.aboutonlinecolleges.com

HTTP/1.1 200 OK
[title]About Online Colleges[/title]
[title]This page has moved...[/title]
[meta http-equiv="Refresh" content="0;
URL=http://www.education180.com/FindYourDegree/schoolForm?school=aiu&name=AIU+Online&program=Associate%27s+%28AABA%29+-+Medical+Coding+and+Billing&version=c&schoolSeq=aiu-uoponline-suo&rm=stleo&campaign=mbill1&source=wj&i=billing&keywords="]


* Connected to 72.3.135.237
GET /FindYourDegree/schoolForm?school=aiu&name=AIU+Online&program=Associate%27s+%28AABA%29+-+Medical+Coding+and+Billing&version=c&schoolSeq=aiu-uoponline-suo&rm=stleo&campaign=mbill1&source=wj&i=billing&keywords= HTTP/1.1
Host: www.education180.com

HTTP/1.1 200 OK
Server: Resin/3.0.23
[title]Education180.com[/title]


* Connected to 207.46.179.249
GET /eubwmrr_ovatpimxtn.html HTTP/1.1
Host: track.msadcenter.msn.com

HTTP/1.1 302 Moved Temporarily
Location: http://www.wjadserver.com/marketplace/event?t=s2&o=121&a=164&s=2&u=-1&sid=msn_edu_mb_yellow_healthandwell_02132008


* Connected to 208.84.28.9
GET /marketplace/event?t=s2&o=121&a=164&s=2&u=-1&sid=msn_edu_mb_yellow_healthandwell_02132008 HTTP/1.1
Host: www.wjadserver.com

HTTP/1.1 302 Found
Location: http://www.allalliedhealthschools.com/featured/medical-billing-coding/?src=wjm_ahs_medbill_20080103_1


* Connected to 208.39.44.69
GET /featured/medical-billing-coding/?src=wjm_ahs_medbill_20080103_1 HTTP/1.1
Host: www.allalliedhealthschools.com

HTTP/1.1 200 OK
[title]Medical Insurance Billing &amp; Coding Schools[/title]


* Connected to 207.46.179.249
GET /tevkzuk_ovatpimxtn.html HTTP/1.1
Host: track.msadcenter.msn.com

HTTP/1.1 302 Moved Temporarily
Location: http://www.wjadserver.com/marketplace/event?t=s2&o=121&a=164&s=1&u=-1&sid=msn_edu_mb_yellow_healthandwell_02132008


* Connected to 208.84.28.9
GET /marketplace/event?t=s2&o=121&a=164&s=1&u=-1&sid=msn_edu_mb_yellow_healthandwell_02132008 HTTP/1.1
Host: www.wjadserver.com

HTTP/1.1 302 Found
Location: http://www.aboutonlinecolleges.com/a.php?o=edumbill1&r=1


* Connected to 208.109.90.217
GET /a.php?o=edumbill1&r=1 HTTP/1.1
Host: www.aboutonlinecolleges.com

HTTP/1.1 200 OK
[title]About Online Colleges[/title]
[title]This page has moved...[/title]
[meta http-equiv="Refresh" content="0;
URL=http://www.education180.com/FindYourDegree/schoolForm?school=aiu&name=AIU+Online&program=Associate%27s+%28AABA%29+-+Medical+Coding+and+Billing&version=c&schoolSeq=aiu-uoponline-suo&rm=stleo&campaign=mbill1&source=wj&i=billing&keywords="]


* Connected to 72.3.135.237
GET /FindYourDegree/schoolForm?school=aiu&name=AIU+Online&program=Associate%27s+%28AABA%29+-+Medical+Coding+and+Billing&version=c&schoolSeq=aiu-uoponline-suo&rm=stleo&campaign=mbill1&source=wj&i=billing&keywords= HTTP/1.1
Host: www.education180.com

HTTP/1.1 200 OK
Server: Resin/3.0.23
[title]Education180.com[/title]


* Connected to 207.46.179.249
GET /tevkzuc_ovatpimxtn.html HTTP/1.1
Host: track.msadcenter.msn.com

HTTP/1.1 302 Moved Temporarily
Location: http://newsletters.msn.com/us.asp?NID=1535&VN=1


* Connected to 207.68.167.30
GET /us.asp?NID=1535&VN=1 HTTP/1.1
Host: newsletters.msn.com

HTTP/1.1 200 OK
[TITLE]MSN Newsletters Communication Preferences Page[/TITLE]


* Connected to 207.46.179.249
GET /nodznrp_ovatpimxtn.html HTTP/1.1
Host: track.msadcenter.msn.com

HTTP/1.1 302 Moved Temporarily
Location: http://newsletters.msn.com/home.asp


* Connected to 207.68.167.30
GET /home.asp HTTP/1.1
Host: newsletters.msn.com

HTTP/1.1 302 Object moved
Location: http://newsletters.msn.com/signin.asp?SN=11


* Connected to 207.68.167.30
GET /signin.asp?SN=11 HTTP/1.1
Host: newsletters.msn.com

HTTP/1.1 200 OK
[TITLE]MSN Newsletters Sign-In Page[/TITLE]


* Connected to 207.46.179.249
GET /bzreicr_ovatpimxtn.html HTTP/1.1
Host: track.msadcenter.msn.com

HTTP/1.1 302 Moved Temporarily
Location: http://go.microsoft.com/fwlink/?LinkId=74170


* Connected to 207.46.250.101
GET /fwlink/?LinkId=74170 HTTP/1.1
Host: go.microsoft.com

HTTP/1.1 302 Found
Location: http://privacy.microsoft.com/en-us/default.aspx


* Connected to 65.54.152.119
GET /en-us/default.aspx HTTP/1.1
Host: privacy.microsoft.com

HTTP/1.1 200 OK
[title]Microsoft Online Privacy Notice Highlights[/title]


where the images show a Microsoft header "Health and Wellness"
(including Micrsoft's trademarked ferocious butterfly) and an add for:

Get your Degree in
Medical Billing and Coding

and this is (originally) a Microsoft Feature Offer promotion
via wjadserver.com for aboutonlinecolleges.com,

allalliedhealthschools.com and education180.com


who should be informed (Bayesian email filters may notice the spam
and block email containing "ovatpimxtn" and this Featured Promotion).
Heck, the way this spammer operates, with a seeming preference for
"msadcenter" mail, it may be a good idea to block all mail containing
"msadcenter" for most of it may be spam and not from Microsoft.

Well, whether it originally was spam or not, the email promotion
has been recycled by (another) spammer with the original content
encapsulated in [style],[/style] tags and the format of the spam is:

[!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"]
[html dir="ltr"]


[head]
[title]Windows Live Hotmail Print Message[/title] [/head]

[style]
... [third party content: Microsoft featured promotion for findtherightschool.com, ...]
[/style]
[a href="http://www.successtone.com"]
[img src="http://www.successtone.com/1.gif"] <-- NO CLOSING [/a] TAG.
[style]
... [third party content: Microsoft featured promotion for findtherightschool.com, ...]


[/style]
with the only effective content being the spammer's:


SPAM CONTENT [image]: http://www.successtone.com/1.gif
SPAMVERTIZED URL: http://www.successtone.com

===========================================================
For the host:
"www.successtone.com"

NAMESERVERS listed in the root servers for successtone.com:
-----------------------------------------------------------
successtone.com NS ns2.xinnet.cn
successtone.com NS ns2.xinnetdns.com
successtone.com NS ns.xinnet.cn
successtone.com NS ns.xinnetdns.com


ns2.xinnet.cn A 210.51.170.67
ns2.xinnetdns.com A 210.51.170.48
ns.xinnet.cn A 210.51.171.209
ns.xinnetdns.com A 210.51.170.66

[extract from dig]
------------------
dig @210.51.170.48

www.successtone.com


A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

www.successtone.com A 79.135.166.2

dig @210.51.170.66
www.successtone.com


A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

www.successtone.com A 79.135.166.2

dig @210.51.170.67
www.successtone.com


A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

www.successtone.com A 79.135.166.2

dig @210.51.171.209
www.successtone.com


A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

www.successtone.com A 79.135.166.2
===========================================================

Prior to this the site had moved around with nameservers and

webhosts recently appearing at


58.20.81.169 58.20.82.188 58.20.84.92 58.253.71.92
58.253.71.112 58.253.71.121 61.139.219.56 79.135.165.2
79.135.165.3 79.135.165.4 79.135.165.5 79.135.165.6

79.135.166.2 79.135.166.50 79.135.166.51 79.135.166.52


79.135.166.53 79.135.166.54 79.143.178.2 79.143.178.3
79.143.178.4 79.143.178.5 81.222.137.17 81.222.137.18
81.222.137.19 81.222.137.20 81.222.137.21 81.222.137.22
81.222.137.23 81.222.137.24 81.222.137.25 81.222.137.26
81.222.137.27 81.222.137.28 81.222.137.29 81.222.137.30

81.222.137.31 81.222.137.32 89.187.46.4 89.187.46.23


116.122.193.194 116.199.135.167 116.199.135.168 116.199.135.191
116.199.136.61 116.199.138.23 116.199.138.24 123.111.50.158
123.111.50.187 210.21.110.105 210.21.110.150 210.245.160.192
218.106.90.228 218.106.90.230 219.251.217.133 221.5.41.9
221.5.41.10 221.5.41.17 221.5.41.19 221.5.41.20
221.5.41.28 221.5.41.35 221.5.41.37 221.122.64.14
221.122.64.15 221.130.200.179 221.130.200.182 221.130.200.189

and most recently up at
79.135.165.2 79.135.165.6 79.135.166.2
89.187.46.4 89.187.46.23

The site moves around, so let me check for its presence at the list
of most recent IP addresses by forcing the hostname to resolve to
each in turn and seeing what they return for the URL,
http://www.successtone.com.

* Connected to 79.135.165.2
GET / HTTP/1.1

Host: www.successtone.com

HTTP/1.1 200 OK
Server: nginx/0.5.32
[title]Canadian Pharmacy[/title]


* Connected to 79.135.165.6
GET / HTTP/1.1

Host: www.successtone.com

HTTP/1.1 200 OK
Server: nginx/0.5.32
[title]Canadian Pharmacy[/title]


* Connected to 79.135.166.2
GET / HTTP/1.1
Host: www.successtone.com

HTTP/1.1 200 OK
Server: nginx/0.5.35
[title]Canadian Pharmacy[/title]


* Connected to 89.187.46.4
GET / HTTP/1.1
Host: www.successtone.com

HTTP/1.1 200 OK
Server: nginx/0.5.33
[title]Canadian Pharmacy[/title]


* Connected to 89.187.46.23
GET / HTTP/1.1
Host: www.successtone.com

HTTP/1.1 200 OK
Server: nginx/0.5.33
[title]Canadian Pharmacy[/title]

The site is up ... but slightly different versions are found
in each group, 79.135.165.{2,6}, 79.135.166.2 and 89.187.46.{4,23}
(besides the variable PHPSESSID which is found in various locations
on each page).

The pages obtained from 79.135.165.{2,6}, 79.135.166.2 are byte-for-byte
identical (with the exception of the variable PHPSESSID).
NOTE: The first time I accessed the pages, the systems at 79.135.165.2
and 79.135.165.6 returned slightly different pages though the
matching IP ID sequences and TP-TIMESTAMPS in response to
TCP/SYNs sent to port 80,


IP ADDRESS TTL IP ID FLAGS TCP-TIMESTAMP
---------- --- ----- ----- -------------

79.135.165.2 40 23086 SA 166426770
79.135.165.6 40 23088 SA 166427356


strongly suggest that these IP addresses reach the same system.

It seems that the sites proxy data from back ends and may or may
not access the same backend from time to time.

The pages obtained from 89.187.46.{4,23} are byte-for-byte identical
(with the exception of the variable PHPSESSID).

The order of the products on the pages from 89.187.46.{4,23} differs
from the order on the pages from 79.135.165.{2,6}, 79.135.166.2
and all the "group_id=143" items are at 89.187.46.{4,23} but missing
from the pages from 79.135.165.{2,6}, 79.135.166.2
[a href="item.php?group_id=143&id=3274"]Nicotinell[/a]
[a href="item.php?group_id=143&id=3422"]Penis Growth Patch[/a]
[a href="item.php?group_id=143&id=3433"]Premium Diet Patch[/a]
[a href="item.php?group_id=143&id=3434"]Hoodia Weight Loss Patch[/a]
[a href="item.php?group_id=143&id=3436"]Stop Smoking Patch[/a]
but these are duplicates and some appear at all sites as
[a href="item.php?group_id=140&id=3274"]Nicotinell[/a]
[a href="item.php?group_id=131&id=3422"]Penis Growth Patch[/a]
[a href="item.php?group_id=131&id=3436"]Stop Smoking Patch[/a]
though the others do not appear on the starting pages from
79.135.165.{2,6}, 79.135.166.2 and the starting pages from 89.187.46.{4,23}
have six more items
Brite, Flextra, Hoodia Weight Loss Patch, Premium Diet Patch, StretchNil, Ultracet
than those from 79.135.165.{2,6}, 79.135.166.2.

On the pages from 89.187.46.{4,23} the "add" value (as in
[a href="cart.php?add=201&PHPSESSID=[varies]"][img src="img/viagra.gif"][/a])
is "201" while on the other pages it is "3309" (as in
[a href="cart.php?add=3309&PHPSESSID=[varies]"][img src="img/viagra.gif"][/a])

The pages from 89.187.46.{4,23} still have the "img/award{2,3,4,5}.gif" images
on the starting page "We Ship Worldwide", "FDA: Approved by American Drug Administration",
"Certified Canadian International Pharmacy: CIPA",
"Pharmacy Checker.com: Five Check Pharmacy - *** Highest Rating ***"
(but not the VeriSign seal, img/award1.gif which is still available, see below).

It is the same site, but with very minor variations (I have come
across spam which sent one on to old, backup(?) versions of the sites)
and I have seen hostnames resolving to one of the IP address
blocks only to change to another (one day, 79.135.165.6;
the next morning, 89.187.46.23; that evening, 79.135.166.2).
The product listings (http://www.successtone.com/all_products.php,
forcing the hostname to resolve to each of the five IP addresses
in succession) give identical lists of products except that pages
at 89.187.46.{4,23} retain six products,
Brite, Flextra, Hoodia Weight Loss Patch, Premium Diet Patch, StretchNil, Ultracet
which have been removed from the listings at the other sites.
which have been removed from the listing (they were on the list
from 79.135.165.6 a few days ago).

I suspect that 89.187.46.{4,23} are behind and when they update the
local database of products, these will be removed at that site as well.


So, the site is currently up at the following (and I am sure
other) IP addresses:

IP address 79.135.165.2
IP address 79.135.165.6
IP address 79.135.166.2


-----------------------
IP address 79.135.165.2 is found listed at spamhaus.org.
IP address 79.135.165.6 is found listed at spamhaus.org.

IP address 79.135.166.2 is found listed at spamhaus.org.

IP address 89.187.46.4
IP address 89.187.46.23
-----------------------
IP address 89.187.46.4 is found listed at spamhaus.org.
IP address 89.187.46.23 is found listed at spamhaus.org.


Lists "known spammers, spam gangs or spam support services."

inetnum: 89.187.32.0 - 89.187.47.255
netname: MD-ISP-MONITORING
descr: R&DC Monitoring
country: MD
e-mail: hostm...@bendery.md
Address 89.187.46.4 maps to host4-46.monitoring.md
Checking host4-46.monitoring.md address 89.187.46.4
-----------------------

NAMESERVERS: ns.xinnet.cn ns2.xinnet.cn ns.xinnetdns.com ns2.xinnetdns.com
--------------------------------------------------------------------------


SPAM CONTENT [image]: http://www.successtone.com/1.gif

* Connected to 79.135.166.2
GET /1.gif HTTP/1.1
Host: www.successtone.com

HTTP/1.1 200 OK
Server: nginx/0.5.35
Content-Type: image/gif
Content-Length: 17240

The contents of the image are:
=====================================================
CHEAPEST PRICES

We are the only store wich
gives this great deal you!

The USA Licensed Save huge 70 %
Online Pharmacy on all the orders with us!

VIAGRA VIAGRA SOFT CIALIS CIALIS SOFT
XANAX SOMA AMBIEN TRAMADOL
VALIUM MERIDIA
=====================================================
(The product names were titles of small pill images.)


SPAMVERTIZED SITE: http://www.successtone.com

* Connected to 79.135.166.2
GET / HTTP/1.1
Host: www.successtone.com

HTTP/1.1 200 OK
Server: nginx/0.5.35
[title]Canadian Pharmacy[/title]

A (recent) REFRESH redirection,
[META http-equiv="refresh" content="0; url=index.php"]
sometimes appears as the first/default page, redirecting to the
content page. Other times one receives the content immediately.

[title]Canadian Pharmacy[/title]

The starting page includes the domain name as the "account_id"
document.write('[img src="counter.php?account_id=[domain_name]&aid=&said=&js=1'+params+'" width=1 height=1]');

*** CHANGE ***
--------------
The VeriSign seal, at http://[hostname]/img/award1.gif, has been removed
from the page, but not the site (it can still be obtained).
The "VeriSign" assurance of a secure site can still be found using
http://[hostname]/checker2.php and it assures us that:

"successtone.com is a VeriSign Secure Site
Name successtone.com


Status Valid
Validity Period 30-NOV-05 - 11-JUN-09
Server ID Information
Country = CA
State = British Columbia
Organization = Canadian Pharmacy Inc.
Organizational Unit = Pharmacy On-line Store
Organizational Unit = Terms of use at www.safescrypt.com/rpa (c) 03
Organizational Unit = Authenticated by Safescrypt Limited
Organizational Unit = Member, VeriSign Trust Network

Common Name = successtone.com"


even though there is no image on the page which one can
click to bring up this fraudulent assurance.

--------------

&client_time=1203543531 [Net time. Number of seconds since 1 January 1970]

reported reviously for other hostnames.

7: 194.135.105.195 (194.135.105.195) [TCP Ack Reset]
--------------------------

Bactrim
Bactroban
BCAA
Beconase AQ
Benadryl

Benemid
Bentyl
Biaxin
Brafix


Brahmi
Breast Augmentation
Breast Enhancement
Breast Enhancement Gel
Breast Sculptor

Buspar
Bust Enhancer
Cafergot
Calan
Calcium Carbonate
Capoten
Carafate

CarboXactin
CarboZyne
Cardizem
Cardura
Casodex
Celebrex
Celexa
Cephalexin
Cha De Bugre

Chloromint
ChromoNexin
Chrysin-XY
Cialis
Cialis Jelly
Cialis Professional
Cialis Soft Tabs
Cipro
CLA
Clarinex
Claritin
Cleocin

Diabecon
Diamox
Diclofenac


Didronel
Differin
Diflucan
Diovan
Ditropan

Dostinex
Doxycycline
Dramamine

Flomax
Flonase
Fosamax
Furosemide
GABA (HGH Booster)


Gasex
Geodon
Geriforte
Ginseng
Glucophage
Glucotrol XL
Gluta-PEP
Glycemil
Green tea
Grifulvin V
Gyne-Lotrimin
Hair Loss Cream
Hangover Helper
Head Strong
Herbal Phentermine
Herbal Testosterone
Herbolax
Himcolin
Himplasia
Hoodia
Hoodia Gordonii HG p57

Phentrimine
Plan B
Plavix
Plendil
Pletal
Ponstel
Prandin
Pravachol
Prednisone
Premarin
Premature Ejaculation Cure

Sinequan
Singulair
Skelaxin
SleepWell (Herbal XANAX)

Slimpulse
Snoroff
Soma
Soothenol
Speman
Starlix
Stop Smoking
Stop Smoking Patch
Stress Relief

Stromectol
Study Habits
Styplon
Sumycin
Sustiva
Synthroid
Tazorac

Tenormin
Tentex Royal
Testo-Rex
Thyroid Booster

Topamax
Toprol XL
Touch-Up Kit
Tramaden
Tramadol
Trandate
Tribulus
Tricor
Trileptal

Trimox
Triphala
Tulasi
Ultimate Male Enhancer

Ultram
Urispas
Valtrex
Vanadyl
Vantin
Vasodilan
Vasotec
Ventolin
Vermox
Viagra
Viagra Jelly
Viagra Professional
Viagra Soft Tabs
Viramune
Vitaliq
Vitamin A & D
Voltaren

Most (but not all) sites have recently removed
Brite Flextra
Hoodia Weight Loss Patch Premium Diet Patch
StretchNil Ultracet
(as reflected in the above listing).

===========================================================
[ORIGINAL SPAM: with angle brackets, such as "<", converted
to square brackets, such as "[", so as not
to affect HTML enabled mail/news readers.]

Return-Path: <_my_n...@msn.com>


X-Spam-DCC: _DCCB_: _DCCR_
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
_my_isp_
X-Spam-Level: ******************************

X-Spam-Status: Yes, score=30.7 required=5.0 tests=BAYES_99,DK_POLICY_SIGNSOME,
DNS_FROM_RFC_ABUSE,DNS_FROM_RFC_POST,HTML_90_100,HTML_IMAGE_ONLY_32,
HTML_MESSAGE,MIME_HTML_ONLY,NO_REAL_NAME,RCVD_IN_PBL,SARE_UNI,SPF_SOFTFAIL,


URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,
URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=spam version=3.1.8
X-Spam-Report:
* 1.0 NO_REAL_NAME From: does not include a real name

* 0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails

* 1.4 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
* [SPF failed: Please see http://www.openspf.org/why.html?sender=_my_name__my_isp_]


* 1.1 HTML_IMAGE_ONLY_32 BODY: HTML: images with 2800-3200 bytes of words
* 0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 2.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 1.0000]
* 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.6 SARE_UNI RAW: SARE_UNI

* 0.2 DNS_FROM_RFC_ABUSE RBL: Envelope sender in abuse.rfc-ignorant.org
* 1.7 DNS_FROM_RFC_POST RBL: Envelope sender in
* postmaster.rfc-ignorant.org


* 0.0 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL

* [77.253.245.13 listed in zen.spamhaus.org]


* 1.6 URIBL_SBL Contains an URL listed in the SBL blocklist

* [URIs: successtone.com]


* 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist

* [URIs: successtone.com]


* 4.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist

* [URIs: successtone.com]


* 4.1 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist

* [URIs: successtone.com]


* 3.8 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist

* [URIs: successtone.com]


* 2.1 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist

* [URIs: successtone.com]


* 3.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist

* [URIs: successtone.com]
Received: from zeus (77-253-245-13.adsl.inetia.pl [77.253.245.13])
by _my_isp_ (xxx) with SMTP id m1KCt8sI051937
for <_my_email_address_>; Wed, 20 Feb 2008 07:55:15 -0500 (EST)
(envelope-from _my_n...@msn.com)
Date: Wed, 20 Feb 2008 07:55:08 -0500 (EST)
X-Mailer: CME-V6.5.4.3; MSN
Received: (qmail 6476 by uid 233); Wed, 20 Feb 2008 01:55:20 +0100
Message-Id: <20080220025520.6478.qmail@zeus>
To: <xxx>
Subject: February 75% OFF


From: <_my_email_address_>
xxxMIME-Version: 1.0
xxxContent-Type: text/html; charset="ISO-8859-1"
xxxContent-Transfer-Encoding: 7bit

X-UIDL: 8VN"!j54"!)'K"!\6_!!
Status: O
X-Status:
X-Keywords:
X-UID: 2

[!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"]
[html dir="ltr"]


[head]
[title]Windows Live Hotmail Print Message[/title]
[/head]
[style]

[img src="http://track.msadcenter.tur.com/ufbjwqw_ovatpimxtn.gif&amp;o=1" width=0 height=0]


[table cellpadding=0 cellspacing=0 width=600 align=center]
[tr]

[td][img src="http://track.msadcenter.sly.com/beccvhz-ovatpimxtn.gif" border=0][/td]


[/tr]
[tr]
[td class=EC_container bgcolor="#F2F2F2"]
[table cellpadding=0 cellspacing=0 width="100%"]
[tr]
[td]

[div align=center]


[meta http-equiv=Content-Type content="text/html; charset=unicode"]
[meta name=Generator content="Microsoft SafeHTML"]

[title]Untitled Document[/title]


[center]


[a href="http://track.msadcenter.cic.com/wwfdtge_ovatpimxtn.html" target="_blank"]Click here to get enrolled for your icod ![/a][br][br]
[img src="http://track.msadcenter.hum.com/qlooaza-ovatpimxtn.gif" border=0 usemap="#Map"]

[map name=Map id=Map]
[area shape=rect coords="282,157,497,265" href="http://track.msadcenter.obw.com/bzreick_ovatpimxtn.html" target="_blank"]
[area shape=rect coords="282,264,498,374" href="http://track.msadcenter.sng.com/eubwmrr_ovatpimxtn.html" target="_blank"]
[/map]
[br][a href="http://track.msadcenter.yhi.com/tevkzuk_ovatpimxtn.html" target="_blank"]Click here to get enrolled for your wqyb ![/a]
[/center]
[/style]
[center]
[a href="http://www.successtone.com"][img src="http://www.successtone.com/1.gif"]
[style]
[/div]

[/td]
[/tr]
[tr]
[td class=EC_legal]
[strong]About this mailing: [/strong][br]
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the &quot;Unsubscribe&quot; link below. This will not unsubscribe you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service advertised. Prices and item availability subject to change without notice.[br][br]

©2008 Microsoft | [a href="http://track.msadcenter.rxt.com/tevkzuc_ovatpimxtn.html" target="_blank"]Unsubscribe[/a] | [a href="http://track.msadcenter.lbp.com/nodznrp_ovatpimxtn.html" target="_blank"]More Newsletters[/a] | [a href="http://track.msadcenter.ezt.com/bzreicr_ovatpimxtn.html" target="_blank"]Privacy[/a][br][br]

sigh...@this-is.invalid.com

unread,
Feb 22, 2008, 4:43:48 PM2/22/08
to
Received: from [64.236.170.228] by openbrick.kicks-ass.net
(ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.6.0)); Fri, 22 Feb 2008 16:43:45 -0500
X-Mailer: CME-V6.5.4.3; MSN
Return-Path: <ke...@hansons-running.com>
Received: (qmail 116828 by uid 527); Fri, 22 Feb 2008 05:03:40 -0800
Message-Id: <20080222-3034...@nyc228.turner.com>
To: <[devnull]>
Subject: February 75% OFF
From: <[devnull]>

MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Date: Fri, 22 Feb 2008 16:43:44 -0500

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir="ltr">
<head>
<title>Windows Live Hotmail Print Message</title>
</head>
<style>

<img src="http://track.msadcenter.cws.com/ufbjwqw_ovatpimxtn.gif&o=1" width=0 height=0>


<table cellpadding=0 cellspacing=0 width=600 align=center>
<tr>

<td><img src="http://track.msadcenter.bfo.com/beccvhz-ovatpimxtn.gif" border=0></td>


</tr>
<tr>
<td class=EC_container bgcolor="#F2F2F2">
<table cellpadding=0 cellspacing=0 width="100%">
<tr>
<td>

<div align=center>


<meta http-equiv=Content-Type content="text/html; charset=unicode">
<meta name=Generator content="Microsoft SafeHTML">

<title>Untitled Document</title>


<center>


<a href="http://track.msadcenter.cwg.com/wwfdtge_ovatpimxtn.html" target="_blank">Click here to get enrolled for your szty !</a><br><br>
<img src="http://track.msadcenter.chm.com/qlooaza-ovatpimxtn.gif" border=0 usemap="#Map">

<map name=Map id=Map>
<area shape=rect coords="282,157,497,265" href="http://track.msadcenter.xgy.com/bzreick_ovatpimxtn.html" target="_blank">
<area shape=rect coords="282,264,498,374" href="http://track.msadcenter.mnv.com/eubwmrr_ovatpimxtn.html" target="_blank">
</map>
<br><a href="http://track.msadcenter.uph.com/tevkzuk_ovatpimxtn.html" target="_blank">Click here to get enrolled for your bebz !</a>
</center>
</style>
<center>
<a href="http://www.kilingeru.com"><img src="http://www.kilingeru.com/2.gif">
<style>
</div>

</td>
</tr>
<tr>
<td class=EC_legal>
<strong>About this mailing: </strong><br>

You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe you from e-ma

©2008 Microsoft | <a href="http://track.msadcenter.jos.com/tevkzuc_ovatpimxtn.html" target="_blank">Unsubscribe</a> | <a href="http://track.msadcenter.opi.com/nodznrp_ovatpimxtn.html" target="_blank">More Newsletters</a> | <a href="http://track.msadcent

0 new messages