Spamvert:
vrldkj.onetook.hk IP 222.173.251.30
(SBL53851 - ROK3095) (at chinanet-sd / dns1.ctnt.com.cn)
Yambo Image hosting:
http://storkwen.net/usd/images/order.gif
storkwen.net
Resolved storkwen.net to 68.142.212.117 to 68.142.212.118 to
68.142.212.119 to 68.142.212.120 to 68.142.212.140 to 68.142.212.141
(at yahoo.com)
Plenty of forged site certificates and logos.
More info below:
====================
X-SID-PRA: Harry Walters <Latony...@respectanimals.com>
X-SID-Result: SoftFail
X-Message-Info: txF49lGdW40Ka3UShas+oDSjc/
YmmVx7A3gPEyTPzcMVili4Ews1M25Y05h+DJNa
Received: from tomts2-srv.bellnexxia.net ([209.226.175.114]) by bay0-
pamc1-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Sat, 21 Apr 2007 09:29:53 -0700
Received: from [MUNGED]
by toip23.srvr.bell.ca with ESMTP; 21 Apr 2007 12:29:51 -0400
Received: (qmail 3139 invoked by uid 110); 21 Apr 2007 12:29:51 -0400
Delivered-To: [MUNGED]
Received: (qmail 1893 invoked from network); 21 Apr 2007 12:29:31
-0400
Received: from bzq-84-109-8-112.red.bezeqint.net (HELO mar7)
(84.109.8.112)
by [MUNGED] with SMTP; 21 Apr 2007 12:29:31 -0400
Return-Path: <Latony...@respectanimals.com>
Received: from 209.85.133.114 (HELO ALT2.ASPMX.L.GOOGLE.com)
by [MUNGED] with esmtp (D(8)/W,5P 4,4-)
id :A2-.K-+5N78H-3(
for [MUNGED]; Sun, 22 Apr 2007 03:06:12 +0800
From: "Harry Walters" <Latony...@respectanimals.com>
To: [MUNGED]
Subject: check it now
Date: Sun, 22 Apr 2007 03:06:12 +0800
Message-ID: <01c7848b$2f09a3f0$6c822ecf@Latonyasorrel>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0006_01C78450.82AACBF0"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
Thread-Index: Aca6Q+-4,10>-IQ03W8Y(;92/I*48S==
X-OriginalArrivalTime: 21 Apr 2007 16:29:53.0825 (UTC)
FILETIME=[4A9AF910:01C78432]
This is a multi-part message in MIME format.
------=_NextPart_000_0006_01C78450.82AACBF0
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
Dear valued member!
This is a letter from United Medical Research Organization. We just
wanted to ask you to be as attentive as possible when buying drugs on
the Web.
So far, the experts of our Association has been dissatisfied with the
quality of almost all the Web pharmacies that we have been
investigating. Actually, the only pharmacy we can recommend you is
USDrugs - the only e-shop we're constantly monitoring thus reducing
the danger of drug falsification to the minimum.
Please, be more discerning when choosing your Web pharmacy.Please
click here for more information.
With Best Regards, Harry Walters
USDrugs B.V.
http://vrldkj.onetook.hk/?bnvfqzruylmt
------=_NextPart_000_0006_01C78450.82AACBF0
Content-Type: text/html;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
<html xmlns:o=3D"urn:schemas-microsoft-com:office:office"=20=
xmlns:w=3D"urn:schemas-microsoft-com:office:word"=20=
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html;
charset=3Diso-8859-2">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered
medium)">
</head>
<body>
<html>
<body bgcolor=3D"#FFFFFF" link=3D"#0000FF">
Dear valued member!<br>
<br>
This is a letter from United Medical Research Organization. We
just=20=
wanted to ask you to be as attentive as possible when buying drugs on
the=20=
Web.<br>
<br>
So far, the experts of our Association has been dissatisfied with
the=20=
quality of almost all the Web pharmacies that we have been
investigating.=20=
Actually, the only pharmacy we can recommend you is <a=20=
href=3D"http://vrldkj.onetook.hk/?bnvfqzruylmt">USDrugs</a> =96 the
only=20=
e-shop we=92re constantly monitoring thus reducing the danger of
drug=20=
falsification to the minimum.<br>
<br>
Please, be more discerning when choosing your Web pharmacy.<br>
<br>
<a href=3D"http://vrldkj.onetook.hk/?bnvfqzruylmt">Please click
here=20=
for more information.</a><br>
<br><br>
With Best Regards, Harry Walters<br>
USDrugs B.V.<br>
http://vrldkj.onetook.hk/?bnvfqzruylmt
</body>
</html>
</body>
</html>
------=_NextPart_000_0006_01C78450.82AACBF0--
Web:
Copiright © 2003-2007 USDrugs. All Rights Reserved.
See:
http://vrldkj.onetook.hk/usd/?page=licence&interface=no
Minnesota board of pharmacy
DRUG RESELLING LICENsE
USDrugs Corp.
1023 Hubbard Ave,
Minneapolis, MN 55317-9315
LICENSE NO 03161490
More Fake LICENSE sightings:
http://groups.google.com/groups/search?q=%2203161490%22+group%3A*abuse&qt_s=Search
See:
IP 84.109.8.112 bzq-84-109-8-112.red.bezeqint.net
http://www.moensted.dk/spam/?addr=84.109.8.112
http://www.spamhaus.org/query/bl?ip=84.109.8.112
http://www.spamhaus.org/pbl/query/PBL043007
More bezeqint.net sightings:
http://groups.google.com/groups/search?q=bezeqint.net+group%3A*abuse&start=0&scoring=d&
inetnum: 84.109.0.0 - 84.109.128.255
netname: CABLES-CONNECTION
descr: CABLES-CUSTOMERS-CONNECTION
route: 84.109.0.0/20
descr: BEZEQINT-REDBACKS-ADSL
origin: AS8551
notify: hostm...@bezeqint.net
ASN: 8551
ASN Name: BEZEQ-INTERNATIONAL-AS (Bezeqint Internet Backbone)
Country (per IP registrar): IL [Israel]
Country IP Range: 84.108.0.0 to 84.111.255.255
Country fraud profile: High
http://www.cidr-report.org/cgi-bin/as-report?as=8551
3 SBL listings for IPs under the responsibility of bezeqint.net
http://www.spamhaus.org/sbl/listings.lasso?isp=bezeqint.net
IP 209.85.133.114
209.85.133.114 PTR record: an-in-f114.google.com
Spamvert URL:
vrldkj.onetook.hk
Redirected to:
http://vrldkj.onetook.hk/usd/
Title:
USDrugs - Viagra, CIALIS or Super Viagra, Generic Viagra, Cialis,
Valium, Tramadol
See:
vrldkj.onetook.hk IP 222.173.251.30
NS1.FACTSSMART.COM [201.6.123.84 (NO GLUE)] [BR]
NS2.BUJOEDAN.COM [200.63.21.230 (NO GLUE)] [AR]
NS2.JAEB6MEE.COM [210.48.145.52 (NO GLUE)] [MY]
NS1.AYAENG1N.COM [85.128.113.29 (NO GLUE)] [PL]
vrldkj.onetook.hk has no MX records -> [onetook.hk has 1 MX record
mail.onetook.hk (10)]
http://www.moensted.dk/spam/?addr=222.173.251.30
http://www.spamhaus.org/query/bl?ip=222.173.251.30
inetnum: 222.173.0.0 - 222.175.255.255
netname: CHINANET-SD
descr: CHINANET SHANDONG PROVINCE NETWORK
descr: Shandong Telecom Corporation
person: Xin Ruosheng
nic-hdl: XR55-AP
e-mail: ipre...@sdtele.com
changed: lq...@chinatelecom.com.cn 20051212
mnt-by: MAINT-CHINANET
route: 222.173.0.0/16
descr: ChinaNet ShanDong Province Network
origin: AS4134
mnt-by: MAINT-AS4134
changed: li...@cndata.com
ASN: 4134
ASN Name: CHINANET-BACKBONE (No.31,Jin-rong Street)
Country (per IP registrar): CN [China]
Country IP Range: 222.168.0.0 to 222.175.255.255
http://www.cidr-report.org/cgi-bin/as-report?as=4134
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL53851
222.173.251.30/32 is listed on the Spamhaus Block List (SBL/ROKSO)
22-Apr-2007 00:56 GMT | SR02
Yambo Financials.
bot
3 SBL/ROKSO listings for IPs under the responsibility of chinanet-sd
http://www.spamhaus.org/sbl/listings.lasso?isp=chinanet-sd
Let's see whois:
Domain Name: ONETOOK.HK
Contract Version: HKDNR latest version
Registrant Contact Information:
Holder English Name (It should be the same as your legal name on your
HKID card or other relevant documents): HUJ NUJAZ
Holder Chinese Name:
Email: richard...@mindless.com
Domain Name Commencement Date: 11-04-2007
Country: US
Expiry Date: 11-04-2008
Re-registration Status: Complete
Name of Registrar: HKDNR
Account Name: HK1864578T
Technical Contact:
First name: MILE
Last name: ROGERS
Company Name: HUJ NUJAZ
Name Servers Information:
NS1.AYAENG1N.COM
NS2.BUJOEDAN.COM
NS1.FACTSSMART.COM
NS2.JAEB6MEE.COM
More onetook.hk sightings:
http://groups.google.com/groups/search?q=onetook.hk+group%3A*abuse&qt_s=Search
See Yambo Image hosting:
storkwen.net
Resolved storkwen.net to 68.142.212.117 to 68.142.212.118 to
68.142.212.119 to 68.142.212.120 to 68.142.212.140 to 68.142.212.141
yns1.yahoo.com [66.218.71.205] [TTL=172800] [US]
yns2.yahoo.com [216.109.116.20] [TTL=172800] [US]
SOA record [TTL=600] is:
Primary nameserver: hidden-master.yahoo.com
Hostmaster E-mail address: geo-support.yahoo-inc.com
Serial #: 2007033001
Let's see whois:
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Domain Name.......... storkwen.net
Creation Date........ 2007-03-31
Registration Date.... 2007-03-31
Expiry Date.......... 2008-03-31
Organisation Name.... Wagdi Ibrahim
Organisation Email.......... welteng76[]yahoo.com
Organisation Address. 1 clinton ave
Organisation Address.
Organisation Address. Nyack
Organisation Address. 10960
Organisation Address. NY
Organisation Address. UNITED STATES
Admin Name........... Wagdi Ibrahim
Admin Address........ 1 clinton ave
Admin Address........
Admin Address........ Nyack
Admin Address........ 10960
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Email.......... welt...@yahoo.com
Admin Phone.......... +1.8453582151
Admin Fax............
Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domai...@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax.............
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
See:
NS1.FACTSSMART.COM IP 201.6.123.84
http://www.moensted.dk/spam/?addr=201.6.123.84
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL53660
201.6.123.84/32 is listed on the Spamhaus Block List (SBL/ROKSO)
18-Apr-2007 00:19 GMT | SR20
Yambo Financials.
Yambo botnet webhosts/nameservers (compromised systems)
9 SBL/ROKSO listings for IPs under the responsibility of virtua.com.br
http://www.spamhaus.org/sbl/listings.lasso?isp=virtua.com.br
Let's see whois:
Registrar: MONIKER ONLINE SERVICES, INC.
Domain Name: FACTSSMART.COM
Registrant [628823]:
Timothy Cullity
200 Captains Row
Chelsea
MA
02150
US
Administrative Contact [628823]:
Timothy Cullity smartfacts[]yahoo.com
200 Captains Row
Chelsea
MA
02150
US
Phone: +1.6178893904
Billing Contact [628823]:
Timothy Cullity smart...@yahoo.com
200 Captains Row
Chelsea
MA
02150
US
Phone: +1.6178893904
Technical Contact [628823]:
Timothy Cullity smart...@yahoo.com
200 Captains Row
Chelsea
MA
02150
US
Phone: +1.6178893904
Domain servers in listed order:
NS1.FACTSSMART.COM 201.6.123.84
NS2.FACTSSMART.COM 201.6.123.84
Record created on: 2007-02-21 10:37:21.0
Database last updated on: 2007-04-17 09:10:55.857
Domain Expires on: 2008-02-21 10:37:44.0
More FACTSSMART.COM sightings:
http://groups.google.com/groups/search?q=FACTSSMART.COM+group%3A*abuse&start=0&scoring=d&
See:
NS2.BUJOEDAN.COM IP 200.63.21.230
http://www.moensted.dk/spam/?addr=200.63.21.230
http://www.spamhaus.org/query/bl?ip=200.63.21.230
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL53761
200.63.21.230/32 is listed on the Spamhaus Block List (SBL/ROKSO)
19-Apr-2007 22:37 GMT | SR20
Yambo Financials.
Yambo botnet webhosts/nameservers (compromised systems)
3 SBL/ROKSO listings for IPs under the responsibility of skyonline.net
http://www.spamhaus.org/SBL/listings.lasso?isp=skyonline.net
Let's see whois:
Registrar: XIN NET TECHNOLOGY CORPORATION
Domain Name: bujoedan.com
Registrant:
cheng zheng
xin yu city gaoxin tech
338000
Administrative Contact:
cheng zheng
cheng zheng
xin yu city gaoxin tech
xin yu Jiangxi 338000
China
tel: 86 0790 6860686
fax: 86 0790 6860686
chenm[]lalachikla.com
Technical Contact:
cheng zheng
cheng zheng
xin yu city gaoxin tech
xin yu Jiangxi 338000
China
tel: 86 0790 6860686
fax: 86 0790 6860686
ch...@lalachikla.com
Billing Contact:
cheng zheng
cheng zheng
xin yu city gaoxin tech
xin yu Jiangxi 338000
China
tel: 86 0790 6860686
fax: 86 0790 6860686
ch...@lalachikla.com
Registration Date: 2007-03-06
Update Date: 2007-04-05
Expiration Date: 2008-03-06
Primary DNS: ns1.bujoedan.com 200.63.21.230
Secondary DNS: ns2.bujoedan.com 200.63.21.230
More BUJOEDAN.COM sightings:
http://groups.google.com/groups/search?q=BUJOEDAN.COM+group%3A*abuse&qt_s=Search
See:
NS2.JAEB6MEE.COM IP 210.48.145.52
http://www.moensted.dk/spam/?addr=210.48.145.52
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL53762
210.48.145.52/32 is listed on the Spamhaus Block List (SBL/ROKSO)
19-Apr-2007 22:39 GMT | SR20
Yambo Financials.
Yambo botnet webhosts/nameservers (compromised systems)
16 SBL/ROKSO listings for IPs under the responsibility of tm.net.my
http://www.spamhaus.org/SBL/listings.lasso?isp=tm.net.my
Let's see whois:
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Domain Name.......... jaeb6mee.com
Creation Date........ 2007-03-01 00:48:08
Registration Date.... 2007-03-01 00:48:08
Expiry Date.......... 2008-03-01 00:48:08
Organisation Name.... feng ming
Organisation Address. NO.322 hong qi east road guangzhou
Organisation Address.
Organisation Address. guang zhou
Organisation Address. 510000
Organisation Address. GD
Organisation Address. CN
Admin Name........... feng ming
Admin Address........ NO.322 hong qi east road guangzhou
Admin Address........
Admin Address........ guang zhou
Admin Address........ 510000
Admin Address........ GD
Admin Address........ CN
Admin Email.......... penf[]wee2pe1t.com
Admin Phone.......... +86.2038181198
Admin Fax............ +86.2038181198
Tech Name............ feng ming
Tech Address......... NO.322 hong qi east road guangzhou
Tech Address.........
Tech Address......... guang zhou
Tech Address......... 510000
Tech Address......... GD
Tech Address......... CN
Tech Email........... pe...@wee2pe1t.com
Tech Phone........... +86.2038181198
Tech Fax............. +86.2038181198
Bill Name............ feng ming
Bill Address......... NO.322 hong qi east road guangzhou
Bill Address.........
Bill Address......... guang zhou
Bill Address......... 510000
Bill Address......... GD
Bill Address......... CN
Bill Email........... pe...@wee2pe1t.com
Bill Phone........... +86.2038181198
Bill Fax............. +86.2038181198
Name Server.......... ns2.jaeb6mee.com
Name Server.......... ns1.jaeb6mee.com
More JAEB6MEE.COM sightings:
http://groups.google.com/groups/search?q=JAEB6MEE.COM+group%3A*abuse&start=0&scoring=d&
See:
NS1.AYAENG1N.COM IP 85.128.113.29
Let's see whois:
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Domain Name.......... ayaeng1n.com
Creation Date........ 2007-03-01 00:48:03
Registration Date.... 2007-03-01 00:48:03
Expiry Date.......... 2008-03-01 00:48:03
Organisation Name.... feng ming
Organisation Address. NO.322 hong qi east road guangzhou
Organisation Address.
Organisation Address. guang zhou
Organisation Address. 510000
Organisation Address. GD
Organisation Address. CN
Admin Name........... feng ming
Admin Address........ NO.322 hong qi east road guangzhou
Admin Address........
Admin Address........ guang zhou
Admin Address........ 510000
Admin Address........ GD
Admin Address........ CN
Admin Email.......... penf[]wee2pe1t.com
Admin Phone.......... +86.2038181198
Admin Fax............ +86.2038181198
Tech Name............ feng ming
Tech Address......... NO.322 hong qi east road guangzhou
Tech Address.........
Tech Address......... guang zhou
Tech Address......... 510000
Tech Address......... GD
Tech Address......... CN
Tech Email........... pe...@wee2pe1t.com
Tech Phone........... +86.2038181198
Tech Fax............. +86.2038181198
Bill Name............ feng ming
Bill Address......... NO.322 hong qi east road guangzhou
Bill Address.........
Bill Address......... guang zhou
Bill Address......... 510000
Bill Address......... GD
Bill Address......... CN
Bill Email........... pe...@wee2pe1t.com
Bill Phone........... +86.2038181198
Bill Fax............. +86.2038181198
Name Server.......... ns2.ayaeng1n.com
Name Server.......... ns1.ayaeng1n.com
More AYAENG1N.COM sightings:
http://groups.google.com/groups/search?q=AYAENG1N.COM+group%3A*abuse&qt_s=Search
See also, many more spammer sightings:
http://groups.google.com/groups/search?q=%22175+Montreal+Road%22+group%3A*abuse&start=0&scoring=d&
Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/7226e98f23097413
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/e06b4b76de154b83
Cheers, Tomez
--
All postings to news.admin.net-abuse.sightings are unconfirmed and
unverified unless stated otherwise by the moderators. All opinions
expressed above are considered the opinions of the original poster,
not the moderators or their respective employers.
For a copy of the guidelines to this group, see: