
[email] [drugs - USDrugs] [84.109.8.112] (onetook.hk / storkwen.net / AYAENG1N.COM / FACTSSMART.COM / BUJOEDAN.COM / JAEB6MEE.COM) check it now


TomezNet

Apr 23, 2007, 2:00:27 AM
Received From:
IP 84.109.8.112 bzq-84-109-8-112.red.bezeqint.net
(at ns3.bezeqint.net)

Spamvert:
vrldkj.onetook.hk IP 222.173.251.30
(SBL53851 - ROK3095) (at chinanet-sd / dns1.ctnt.com.cn)

Yambo Image hosting:
http://storkwen.net/usd/images/order.gif

storkwen.net
Resolved storkwen.net to 68.142.212.117 to 68.142.212.118 to
68.142.212.119 to 68.142.212.120 to 68.142.212.140 to 68.142.212.141
(at yahoo.com)

Plenty of forged site certificates and logos.

More info below:
====================

X-SID-PRA: Harry Walters <Latony...@respectanimals.com>
X-SID-Result: SoftFail
X-Message-Info: txF49lGdW40Ka3UShas+oDSjc/
YmmVx7A3gPEyTPzcMVili4Ews1M25Y05h+DJNa
Received: from tomts2-srv.bellnexxia.net ([209.226.175.114]) by bay0-
pamc1-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Sat, 21 Apr 2007 09:29:53 -0700
Received: from [MUNGED]
by toip23.srvr.bell.ca with ESMTP; 21 Apr 2007 12:29:51 -0400
Received: (qmail 3139 invoked by uid 110); 21 Apr 2007 12:29:51 -0400
Delivered-To: [MUNGED]
Received: (qmail 1893 invoked from network); 21 Apr 2007 12:29:31
-0400
Received: from bzq-84-109-8-112.red.bezeqint.net (HELO mar7)
(84.109.8.112)
by [MUNGED] with SMTP; 21 Apr 2007 12:29:31 -0400
Return-Path: <Latony...@respectanimals.com>
Received: from 209.85.133.114 (HELO ALT2.ASPMX.L.GOOGLE.com)
by [MUNGED] with esmtp (D(8)/W,5P 4,4-)
id :A2-.K-+5N78H-3(
for [MUNGED]; Sun, 22 Apr 2007 03:06:12 +0800
From: "Harry Walters" <Latony...@respectanimals.com>
To: [MUNGED]
Subject: check it now
Date: Sun, 22 Apr 2007 03:06:12 +0800
Message-ID: <01c7848b$2f09a3f0$6c822ecf@Latonyasorrel>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0006_01C78450.82AACBF0"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1437
Thread-Index: Aca6Q+-4,10>-IQ03W8Y(;92/I*48S==
X-OriginalArrivalTime: 21 Apr 2007 16:29:53.0825 (UTC)
FILETIME=[4A9AF910:01C78432]

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01C78450.82AACBF0
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: 7bit

Dear valued member!
This is a letter from United Medical Research Organization. We just
wanted to ask you to be as attentive as possible when buying drugs on
the Web.
So far, the experts of our Association has been dissatisfied with the
quality of almost all the Web pharmacies that we have been
investigating. Actually, the only pharmacy we can recommend you is
USDrugs - the only e-shop we're constantly monitoring thus reducing
the danger of drug falsification to the minimum.
Please, be more discerning when choosing your Web pharmacy.Please
click here for more information.
With Best Regards, Harry Walters
USDrugs B.V.
http://vrldkj.onetook.hk/?bnvfqzruylmt

------=_NextPart_000_0006_01C78450.82AACBF0
Content-Type: text/html;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office"=20=
xmlns:w=3D"urn:schemas-microsoft-com:office:word"=20=
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html;
charset=3Diso-8859-2">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered
medium)">
</head>
<body>
<html>
<body bgcolor=3D"#FFFFFF" link=3D"#0000FF">
Dear valued member!<br>
<br>
This is a letter from United Medical Research Organization. We
just=20=
wanted to ask you to be as attentive as possible when buying drugs on
the=20=
Web.<br>
<br>
So far, the experts of our Association has been dissatisfied with
the=20=
quality of almost all the Web pharmacies that we have been
investigating.=20=
Actually, the only pharmacy we can recommend you is <a=20=
href=3D"http://vrldkj.onetook.hk/?bnvfqzruylmt">USDrugs</a> =96 the
only=20=
e-shop we=92re constantly monitoring thus reducing the danger of
drug=20=
falsification to the minimum.<br>
<br>
Please, be more discerning when choosing your Web pharmacy.<br>
<br>
<a href=3D"http://vrldkj.onetook.hk/?bnvfqzruylmt">Please click
here=20=
for more information.</a><br>
<br><br>
With Best Regards, Harry Walters<br>
USDrugs B.V.<br>
http://vrldkj.onetook.hk/?bnvfqzruylmt
</body>
</html>

</body>
</html>

------=_NextPart_000_0006_01C78450.82AACBF0--

Web:
Copiright © 2003-2007 USDrugs. All Rights Reserved.

See:
http://vrldkj.onetook.hk/usd/?page=licence&interface=no

Minnesota board of pharmacy
DRUG RESELLING LICENsE

USDrugs Corp.
1023 Hubbard Ave,
Minneapolis, MN 55317-9315

LICENSE NO 03161490

More Fake LICENSE sightings:
http://groups.google.com/groups/search?q=%2203161490%22+group%3A*abuse&qt_s=Search

See:
IP 84.109.8.112 bzq-84-109-8-112.red.bezeqint.net

http://www.moensted.dk/spam/?addr=84.109.8.112
http://www.spamhaus.org/query/bl?ip=84.109.8.112
http://www.spamhaus.org/pbl/query/PBL043007

More bezeqint.net sightings:
http://groups.google.com/groups/search?q=bezeqint.net+group%3A*abuse&start=0&scoring=d&

inetnum: 84.109.0.0 - 84.109.128.255
netname: CABLES-CONNECTION
descr: CABLES-CUSTOMERS-CONNECTION

route: 84.109.0.0/20
descr: BEZEQINT-REDBACKS-ADSL
origin: AS8551
notify: hostm...@bezeqint.net
ASN: 8551
ASN Name: BEZEQ-INTERNATIONAL-AS (Bezeqint Internet Backbone)
Country (per IP registrar): IL [Israel]
Country IP Range: 84.108.0.0 to 84.111.255.255
Country fraud profile: High
http://www.cidr-report.org/cgi-bin/as-report?as=8551

3 SBL listings for IPs under the responsibility of bezeqint.net
http://www.spamhaus.org/sbl/listings.lasso?isp=bezeqint.net

IP 209.85.133.114
209.85.133.114 PTR record: an-in-f114.google.com

Spamvert URL:
vrldkj.onetook.hk

Redirected to:
http://vrldkj.onetook.hk/usd/

Title:
USDrugs - Viagra, CIALIS or Super Viagra, Generic Viagra, Cialis,
Valium, Tramadol

See:
vrldkj.onetook.hk IP 222.173.251.30
NS1.FACTSSMART.COM [201.6.123.84 (NO GLUE)] [BR]
NS2.BUJOEDAN.COM [200.63.21.230 (NO GLUE)] [AR]
NS2.JAEB6MEE.COM [210.48.145.52 (NO GLUE)] [MY]
NS1.AYAENG1N.COM [85.128.113.29 (NO GLUE)] [PL]

vrldkj.onetook.hk has no MX records -> [onetook.hk has 1 MX record
mail.onetook.hk (10)]

http://www.moensted.dk/spam/?addr=222.173.251.30
http://www.spamhaus.org/query/bl?ip=222.173.251.30

inetnum: 222.173.0.0 - 222.175.255.255
netname: CHINANET-SD
descr: CHINANET SHANDONG PROVINCE NETWORK
descr: Shandong Telecom Corporation
person: Xin Ruosheng
nic-hdl: XR55-AP
e-mail: ipre...@sdtele.com
changed: lq...@chinatelecom.com.cn 20051212
mnt-by: MAINT-CHINANET

route: 222.173.0.0/16
descr: ChinaNet ShanDong Province Network
origin: AS4134
mnt-by: MAINT-AS4134
changed: li...@cndata.com
ASN: 4134
ASN Name: CHINANET-BACKBONE (No.31,Jin-rong Street)
Country (per IP registrar): CN [China]
Country IP Range: 222.168.0.0 to 222.175.255.255
http://www.cidr-report.org/cgi-bin/as-report?as=4134

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL53851
222.173.251.30/32 is listed on the Spamhaus Block List (SBL/ROKSO)

22-Apr-2007 00:56 GMT | SR02

Yambo Financials.
bot

3 SBL/ROKSO listings for IPs under the responsibility of chinanet-sd
http://www.spamhaus.org/sbl/listings.lasso?isp=chinanet-sd

Let's see whois:
Domain Name: ONETOOK.HK
Contract Version: HKDNR latest version

Registrant Contact Information:

Holder English Name (It should be the same as your legal name on your
HKID card or other relevant documents): HUJ NUJAZ
Holder Chinese Name:
Email: richard...@mindless.com
Domain Name Commencement Date: 11-04-2007
Country: US
Expiry Date: 11-04-2008
Re-registration Status: Complete
Name of Registrar: HKDNR
Account Name: HK1864578T

Technical Contact:
First name: MILE
Last name: ROGERS
Company Name: HUJ NUJAZ

Name Servers Information:
NS1.AYAENG1N.COM
NS2.BUJOEDAN.COM
NS1.FACTSSMART.COM
NS2.JAEB6MEE.COM

More onetook.hk sightings:
http://groups.google.com/groups/search?q=onetook.hk+group%3A*abuse&qt_s=Search

See Yambo Image hosting:

storkwen.net
Resolved storkwen.net to 68.142.212.117 to 68.142.212.118 to
68.142.212.119 to 68.142.212.120 to 68.142.212.140 to 68.142.212.141

yns1.yahoo.com [66.218.71.205] [TTL=172800] [US]
yns2.yahoo.com [216.109.116.20] [TTL=172800] [US]

SOA record [TTL=600] is:
Primary nameserver: hidden-master.yahoo.com
Hostmaster E-mail address: geo-support.yahoo-inc.com
Serial #: 2007033001

Let's see whois:
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Domain Name.......... storkwen.net
Creation Date........ 2007-03-31
Registration Date.... 2007-03-31
Expiry Date.......... 2008-03-31
Organisation Name.... Wagdi Ibrahim
Organisation Email.......... welteng76[]yahoo.com
Organisation Address. 1 clinton ave
Organisation Address.
Organisation Address. Nyack
Organisation Address. 10960
Organisation Address. NY
Organisation Address. UNITED STATES

Admin Name........... Wagdi Ibrahim
Admin Address........ 1 clinton ave
Admin Address........
Admin Address........ Nyack
Admin Address........ 10960
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Email.......... welt...@yahoo.com
Admin Phone.......... +1.8453582151
Admin Fax............

Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domai...@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax.............
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com

See:
NS1.FACTSSMART.COM IP 201.6.123.84

http://www.moensted.dk/spam/?addr=201.6.123.84
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL53660
201.6.123.84/32 is listed on the Spamhaus Block List (SBL/ROKSO)

18-Apr-2007 00:19 GMT | SR20

Yambo Financials.
Yambo botnet webhosts/nameservers (compromised systems)

9 SBL/ROKSO listings for IPs under the responsibility of virtua.com.br
http://www.spamhaus.org/sbl/listings.lasso?isp=virtua.com.br

Let's see whois:
Registrar: MONIKER ONLINE SERVICES, INC.
Domain Name: FACTSSMART.COM

Registrant [628823]:
Timothy Cullity
200 Captains Row
Chelsea
MA
02150
US

Administrative Contact [628823]:
Timothy Cullity smartfacts[]yahoo.com
200 Captains Row
Chelsea
MA
02150
US
Phone: +1.6178893904

Billing Contact [628823]:
Timothy Cullity smart...@yahoo.com
200 Captains Row
Chelsea
MA
02150
US
Phone: +1.6178893904

Technical Contact [628823]:
Timothy Cullity smart...@yahoo.com
200 Captains Row
Chelsea
MA
02150
US
Phone: +1.6178893904

Domain servers in listed order:
NS1.FACTSSMART.COM 201.6.123.84
NS2.FACTSSMART.COM 201.6.123.84

Record created on: 2007-02-21 10:37:21.0
Database last updated on: 2007-04-17 09:10:55.857
Domain Expires on: 2008-02-21 10:37:44.0

More FACTSSMART.COM sightings:
http://groups.google.com/groups/search?q=FACTSSMART.COM+group%3A*abuse&start=0&scoring=d&

See:
NS2.BUJOEDAN.COM IP 200.63.21.230

http://www.moensted.dk/spam/?addr=200.63.21.230
http://www.spamhaus.org/query/bl?ip=200.63.21.230
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL53761
200.63.21.230/32 is listed on the Spamhaus Block List (SBL/ROKSO)

19-Apr-2007 22:37 GMT | SR20

Yambo Financials.
Yambo botnet webhosts/nameservers (compromised systems)

3 SBL/ROKSO listings for IPs under the responsibility of skyonline.net
http://www.spamhaus.org/SBL/listings.lasso?isp=skyonline.net

Let's see whois:
Registrar: XIN NET TECHNOLOGY CORPORATION
Domain Name: bujoedan.com
Registrant:
cheng zheng
xin yu city gaoxin tech
338000


Administrative Contact:
cheng zheng
cheng zheng
xin yu city gaoxin tech
xin yu Jiangxi 338000
China
tel: 86 0790 6860686
fax: 86 0790 6860686
chenm[]lalachikla.com

Technical Contact:
cheng zheng
cheng zheng
xin yu city gaoxin tech
xin yu Jiangxi 338000
China
tel: 86 0790 6860686
fax: 86 0790 6860686
ch...@lalachikla.com

Billing Contact:
cheng zheng
cheng zheng
xin yu city gaoxin tech
xin yu Jiangxi 338000
China
tel: 86 0790 6860686
fax: 86 0790 6860686
ch...@lalachikla.com

Registration Date: 2007-03-06
Update Date: 2007-04-05
Expiration Date: 2008-03-06

Primary DNS: ns1.bujoedan.com 200.63.21.230
Secondary DNS: ns2.bujoedan.com 200.63.21.230

More BUJOEDAN.COM sightings:
http://groups.google.com/groups/search?q=BUJOEDAN.COM+group%3A*abuse&qt_s=Search

See:
NS2.JAEB6MEE.COM IP 210.48.145.52

http://www.moensted.dk/spam/?addr=210.48.145.52
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL53762
210.48.145.52/32 is listed on the Spamhaus Block List (SBL/ROKSO)

19-Apr-2007 22:39 GMT | SR20

Yambo Financials.
Yambo botnet webhosts/nameservers (compromised systems)

16 SBL/ROKSO listings for IPs under the responsibility of tm.net.my
http://www.spamhaus.org/SBL/listings.lasso?isp=tm.net.my

Let's see whois:
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Domain Name.......... jaeb6mee.com
Creation Date........ 2007-03-01 00:48:08
Registration Date.... 2007-03-01 00:48:08
Expiry Date.......... 2008-03-01 00:48:08
Organisation Name.... feng ming
Organisation Address. NO.322 hong qi east road guangzhou
Organisation Address.
Organisation Address. guang zhou
Organisation Address. 510000
Organisation Address. GD
Organisation Address. CN

Admin Name........... feng ming
Admin Address........ NO.322 hong qi east road guangzhou
Admin Address........
Admin Address........ guang zhou
Admin Address........ 510000
Admin Address........ GD
Admin Address........ CN
Admin Email.......... penf[]wee2pe1t.com
Admin Phone.......... +86.2038181198
Admin Fax............ +86.2038181198

Tech Name............ feng ming
Tech Address......... NO.322 hong qi east road guangzhou
Tech Address.........
Tech Address......... guang zhou
Tech Address......... 510000
Tech Address......... GD
Tech Address......... CN
Tech Email........... pe...@wee2pe1t.com
Tech Phone........... +86.2038181198
Tech Fax............. +86.2038181198

Bill Name............ feng ming
Bill Address......... NO.322 hong qi east road guangzhou
Bill Address.........
Bill Address......... guang zhou
Bill Address......... 510000
Bill Address......... GD
Bill Address......... CN
Bill Email........... pe...@wee2pe1t.com
Bill Phone........... +86.2038181198
Bill Fax............. +86.2038181198
Name Server.......... ns2.jaeb6mee.com
Name Server.......... ns1.jaeb6mee.com

More JAEB6MEE.COM sightings:
http://groups.google.com/groups/search?q=JAEB6MEE.COM+group%3A*abuse&start=0&scoring=d&

See:
NS1.AYAENG1N.COM IP 85.128.113.29

Let's see whois:
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Domain Name.......... ayaeng1n.com
Creation Date........ 2007-03-01 00:48:03
Registration Date.... 2007-03-01 00:48:03
Expiry Date.......... 2008-03-01 00:48:03
Organisation Name.... feng ming
Organisation Address. NO.322 hong qi east road guangzhou
Organisation Address.
Organisation Address. guang zhou
Organisation Address. 510000
Organisation Address. GD
Organisation Address. CN

Admin Name........... feng ming
Admin Address........ NO.322 hong qi east road guangzhou
Admin Address........
Admin Address........ guang zhou
Admin Address........ 510000
Admin Address........ GD
Admin Address........ CN
Admin Email.......... penf[]wee2pe1t.com
Admin Phone.......... +86.2038181198
Admin Fax............ +86.2038181198

Tech Name............ feng ming
Tech Address......... NO.322 hong qi east road guangzhou
Tech Address.........
Tech Address......... guang zhou
Tech Address......... 510000
Tech Address......... GD
Tech Address......... CN
Tech Email........... pe...@wee2pe1t.com
Tech Phone........... +86.2038181198
Tech Fax............. +86.2038181198

Bill Name............ feng ming
Bill Address......... NO.322 hong qi east road guangzhou
Bill Address.........
Bill Address......... guang zhou
Bill Address......... 510000
Bill Address......... GD
Bill Address......... CN
Bill Email........... pe...@wee2pe1t.com
Bill Phone........... +86.2038181198
Bill Fax............. +86.2038181198
Name Server.......... ns2.ayaeng1n.com
Name Server.......... ns1.ayaeng1n.com

More AYAENG1N.COM sightings:
http://groups.google.com/groups/search?q=AYAENG1N.COM+group%3A*abuse&qt_s=Search

See also many more spammer sightings:
http://groups.google.com/groups/search?q=%22175+Montreal+Road%22+group%3A*abuse&start=0&scoring=d&

Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/7226e98f23097413

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/e06b4b76de154b83

Cheers, Tomez


--
All postings to news.admin.net-abuse.sightings are unconfirmed and
unverified unless stated otherwise by the moderators. All opinions
expressed above are considered the opinions of the original poster,
not the moderators or their respective employers.

For a copy of the guidelines to this group, see:

http://www.killfile.org/~tskirvin/nana/
