Spamvert:
niss.hk IP 222.173.251.54
(at chinanet-sd / dns2.ctnt.com.cn)
Yambo 1st Image hosting:
http://storkwen.net/p/images/verify.gif
And 2nd:
http://209.200.244.4:8080/p/images/arrow.gif
IP 209.200.244.4 PTR record: vps3.lunarpages.com
(at ns1.lunarpages.com)
storkwen.net
Resolved storkwen.net to 68.142.212.117 to 68.142.212.118 to
68.142.212.119 to 68.142.212.120 to 68.142.212.140 to 68.142.212.141
(at yahoo.com)
More Yambo MyCanadianPharmacy aka MyCanadian Pharmacy sightings:
http://groups.google.com/groups/search?q=%22MyCanadianPharmacy%22+group%3A*abuse&start=0&scoring=d&
Plenty of Forged Certificates and logos as always.
More info below:
====================
X-SID-PRA: Technologically H. Grapefruits <istophe...@ggteks.net>
X-Message-Info: txF49lGdW43bdsVGZFnIZko0QcGgzCdun6Hkimt
+B9TY82nns0HEatlsPH2bWWpc
Received: from tomts48-srv.bellnexxia.net ([209.226.175.192]) by bay0-
pamc1-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Wed, 18 Apr 2007 00:09:27 -0700
Received: from [MUNGED]
by toip18.srvr.bell.ca with ESMTP; 18 Apr 2007 03:09:18 -0400
Received: (qmail 3674 invoked by uid 110); 18 Apr 2007 03:09:18 -0400
Delivered-To: [MUNGED]
Received: (qmail 3642 invoked from network); 18 Apr 2007 03:09:15
-0400
Received: from unknown (HELO 142951232) (220.164.239.130)
by [MUNGED] with SMTP; 18 Apr 2007 03:09:15 -0400
Received: from ggteks.net (143206768 [143206656])
by gotzes.com (Qmailv1) with ESMTP id B93010FFE9
for <[MUNGED]>; Wed, 18 Apr 2007 08:08:14 -0400
Date: Wed, 18 Apr 2007 08:08:14 -0400
From: "Technologically H. Grapefruits" <istophe...@ggteks.net>
X-Mailer: The Bat! (v2.00.4) Personal
X-Priority: 3
Message-ID: <3001080785.2...@ggteks.net>
To: [MUNGED]
Subject: Girls don't like you?
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: Norton
Return-Path: istophe...@ggteks.net
X-OriginalArrivalTime: 18 Apr 2007 07:09:27.0680 (UTC)
FILETIME=[809F3000:01C78188]
Buy top products at Canadian Pharmacy store. Legal and quality
medications at low price only. There is no need to go to your local
drug store just click here:
http://niss.hk
And no one will know that you have some problems. Absolutely
confidential and secure purchase!
-- END OF SPAM --
See:
IP 220.164.239.130
http://www.moensted.dk/spam/?addr=220.164.239.130
http://www.spamhaus.org/query/bl?ip=220.164.239.130
http://cbl.abuseat.org/lookup.cgi?ip=220.164.239.130
Escalated Listing (Spam or Spam Support) See: http://www.sorbs.net/lookup.shtml?220.164.239.130
route: 220.164.0.0/15
descr: China Telecom Yunnan Province
origin: AS4134
mnt-by: MAINT-AS4134
changed: waiti...@yahoo.com
inetnum: 220.163.0.0 - 220.165.255.255
netname: CHINANET-YN
descr: CHINANET yunnan province network
descr: China Telecom
changed: din...@cndata.com 20070416
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-YN
changed: hostm...@ns.chinanet.cn.net
person: zhiyong liu
nic-hdl: ZL48-AP
e-mail: jj...@126.com
ASN: 4134
ASN Name: CHINANET-BACKBONE (No.31,Jin-rong Street)
Country (per IP registrar): CN [China]
Country IP Range: 220.160.0.0 to 220.191.255.255
http://www.cidr-report.org/cgi-bin/as-report?as=4134
11 SBL/ROKSO listings for IPs under the responsibility of CHINANET-YN
http://www.spamhaus.org/sbl/listings.lasso?isp=CHINANET-YN
Spamvert URL:
http://niss.hk/
Redirected to:
http://niss.hk/p/?&pid=1359
Title:
My Canadian Pharmacy - Viagra, CIALIS or Super Viagra, Generic Viagra,
Cialis
See:
niss.hk IP 222.173.251.54
NS1.GODDTRAULISM.COM [85.128.113.29 (NO GLUE)] [PL]
NS2.FONDNESSYUP.COM [210.48.145.52 (NO GLUE)] [MY]
NS2.VIGILUPANKA.COM [200.63.21.230 (NO GLUE)] [AR]
NS1.CLUVDITCH.COM [201.6.123.84 (NO GLUE)] [BR]
[niss.hk has 1 MX record mail.niss.hk (10)] (?)
http://www.moensted.dk/spam/?addr=222.173.251.54
http://www.spamhaus.org/query/bl?ip=222.173.251.54
inetnum: 222.173.0.0 - 222.175.255.255
netname: CHINANET-SD
descr: CHINANET SHANDONG PROVINCE NETWORK
descr: Shandong Telecom Corporation
person: Xin Ruosheng
nic-hdl: XR55-AP
e-mail: ipre...@sdtele.com
changed: lq...@chinatelecom.com.cn 20051212
mnt-by: MAINT-CHINANET
Prefix: 222.173.240.0/20
Prefix Name: error
AS: 17633
AS Name: CHINATELECOM SD AS AP ASN for Shandong Provincial Net of CT
http://www.cidr-report.org/cgi-bin/as-report?as=17633
route: 222.173.0.0/16
descr: ChinaNet ShanDong Province Network
origin: AS4134
mnt-by: MAINT-AS4134
changed: li...@cndata.com
ASN: 4134
ASN Name: CHINANET-BACKBONE (No.31,Jin-rong Street)
Country (per IP registrar): CN [China]
Country IP Range: 222.168.0.0 to 222.175.255.255
http://www.cidr-report.org/cgi-bin/as-report?as=4134
3 SBL/ROKSO listings for IPs under the responsibility of chinanet-sd
http://www.spamhaus.org/sbl/listings.lasso?isp=chinanet-sd
See 1st Yambo Image hosting:
http://209.200.244.4:8080/p/images/arrow.gif
IP 209.200.244.4 PTR record: vps3.lunarpages.com
http://www.moensted.dk/spam/?addr=209.200.244.4
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL52057
209.200.244.4/32 is listed on the Spamhaus Block List (SBL/ROKSO)
06-Mar-2007 17:10 GMT | SR20
Yambo Financials.
Yambo botnet image proxying/hosting (compromised systems)
3 SBL/ROKSO listings for IPs under the responsibility of
lunarpages.com
http://www.spamhaus.org/SBL/listings.lasso?isp=lunarpages.com
More 209.200.244.4 sightings:
http://groups.google.com/groups/search?q=209.200.244.4+group%3A*abuse&qt_s=Search
Yambo 2nd Image hosting:
http://storkwen.net/p/images/verify.gif
storkwen.net
Resolved storkwen.net to 68.142.212.117 to 68.142.212.118 to
68.142.212.119 to 68.142.212.120 to 68.142.212.140 to 68.142.212.141
yns1.yahoo.com [66.218.71.205] [TTL=172800] [US]
yns2.yahoo.com [216.109.116.20] [TTL=172800] [US]
SOA record [TTL=600] is:
Primary nameserver: hidden-master.yahoo.com
Hostmaster E-mail address: geo-support.yahoo-inc.com
Serial #: 2007033001
17 SBL/ROKSO listings for IPs under the responsibility of yahoo.com
http://www.spamhaus.org/SBL/listings.lasso?isp=yahoo.com
Let's see whois:
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Domain Name.......... storkwen.net
Creation Date........ 2007-03-31
Registration Date.... 2007-03-31
Expiry Date.......... 2008-03-31
Organisation Name.... Wagdi Ibrahim
Organisation Email.......... welteng76[]yahoo.com
Organisation Address. 1 clinton ave
Organisation Address.
Organisation Address. Nyack
Organisation Address. 10960
Organisation Address. NY
Organisation Address. UNITED STATES
Admin Name........... Wagdi Ibrahim
Admin Address........ 1 clinton ave
Admin Address........
Admin Address........ Nyack
Admin Address........ 10960
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Email.......... welt...@yahoo.com
Admin Phone.......... +1.8453582151
Admin Fax............
Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domai...@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax.............
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
More storkwen.net sightings:
http://groups.google.com/groups/search?q=storkwen.net+group%3A*abuse&qt_s=Search
See:
NS1.GODDTRAULISM.COM IP 85.128.113.29 (OLD IP 83.15.82.74,
200.60.158.73)
http://www.moensted.dk/spam/?addr=85.128.113.29
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL53114
85.128.113.29/32 is listed on the Spamhaus Block List (SBL/ROKSO)
02-Apr-2007 20:53 GMT | SR20
Yambo Financials.
Yambo botnet nameservers/webservers (compromised systems)
1 SBL/ROKSO listings for IPs under the responsibility of cdp.pl
http://www.spamhaus.org/SBL/listings.lasso?isp=cdp.pl
More GODDTRAULISM.COM sightings:
http://groups.google.com/groups/search?q=GODDTRAULISM.COM+group%3A*abuse&start=0&scoring=d&
See:
NS2.FONDNESSYUP.COM IP 210.48.145.52
NS2.FONDNESSYUP.COM IP 85.185.226.162
http://www.moensted.dk/spam/?addr=210.48.145.52
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL53762
210.48.145.52/32 is listed on the Spamhaus Block List (SBL/ROKSO)
19-Apr-2007 22:39 GMT | SR20
Yambo Financials.
Yambo botnet webhosts/nameservers (compromised systems)
16 SBL/ROKSO listings for IPs under the responsibility of tm.net.my
http://www.spamhaus.org/SBL/listings.lasso?isp=tm.net.my
http://www.moensted.dk/spam/?addr=85.185.226.162
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL49356
85.185.226.162/32 is listed on the Spamhaus Block List (SBL/ROKSO)
21-Dec-2006 22:13 GMT | SR02
Yambo Financials.
spammer nameserver proxy
20 SBL/ROKSO listings for IPs under the responsibility of dci.co.ir
http://www.spamhaus.org/SBL/listings.lasso?isp=dci.co.ir
Let's see whois:
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Domain Name.......... fondnessyup.com
Creation Date........ 2006-12-23 22:54:45
Registration Date.... 2006-12-23 22:54:45
Expiry Date.......... 2007-12-23 22:54:45
Organisation Name.... zhou fei
Organisation Address. fu jian xiamen
Organisation Address.
Organisation Address. xia men
Organisation Address. 321000
Organisation Address. FJ
Organisation Address. CN
Admin Name........... zhou fei
Admin Address........ fu jian xiamen
Admin Address........
Admin Address........ xia men
Admin Address........ 321000
Admin Address........ FJ
Admin Address........ CN
Admin Email.......... admin[]champakdagon.com
Admin Phone.......... +86.59232100232
Admin Fax............ +86.59232100232
Tech Name............ zhou fei
Tech Address......... fu jian xiamen
Tech Address.........
Tech Address......... xia men
Tech Address......... 321000
Tech Address......... FJ
Tech Address......... CN
Tech Email........... ad...@champakdagon.com
Tech Phone........... +86.59232100232
Tech Fax............. +86.59232100232
Bill Name............ zhou fei
Bill Address......... fu jian xiamen
Bill Address.........
Bill Address......... xia men
Bill Address......... 321000
Bill Address......... FJ
Bill Address......... CN
Bill Email........... ad...@champakdagon.com
Bill Phone........... +86.59232100232
Bill Fax............. +86.59232100232
Name Server.......... ns2.fondnessyup.com
Name Server.......... ns1.fondnessyup.com
More FONDNESSYUP.COM sightings:
http://groups.google.com/groups/search?q=FONDNESSYUP.COM+group%3A*abuse&qt_s=Search
See:
NS2.VIGILUPANKA.COM IP 200.63.21.230
http://www.moensted.dk/spam/?addr=200.63.21.230
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL53761
200.63.21.230/32 is listed on the Spamhaus Block List (SBL/ROKSO)
19-Apr-2007 22:37 GMT | SR20
Yambo Financials.
Yambo botnet webhosts/nameservers (compromised systems)
3 SBL/ROKSO listings for IPs under the responsibility of skyonline.net
http://www.spamhaus.org/SBL/listings.lasso?isp=skyonline.net
More VIGILUPANKA.COM sightings:
http://groups.google.com/groups?q=VIGILUPANKA.COM+group%3A*abuse&start=0&scoring=d&
See:
NS1.CLUVDITCH.COM IP 201.6.123.84
http://www.moensted.dk/spam/?addr=201.6.123.84
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL53660
More CLUVDITCH.COM sightings:
http://groups.google.com/groups/search?q=CLUVDITCH.COM+group%3A*abuse&start=0&scoring=d&
Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/021f88b11bfc1272
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/96c72f8b04a3ce99
Cheers, Tomez
--
All postings to news.admin.net-abuse.sightings are unconfirmed and
unverified unless stated otherwise by the moderators. All opinions
expressed above are considered the opinions of the original poster,
not the moderators or their respective employers.
For a copy of the guidelines to this group, see:
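
Added example (not part of the original post, and not a tool the poster used): the report above identifies 220.164.239.130 as the injecting host by reading the Received chain top-down and stopping at the first hop that came from outside the recipient's own mail path. The script below does that walk over the post's own headers, re-folded into RFC 5322 continuation lines and with the recipient data left [MUNGED]. The trusted-path list (hotmail.com, bellnexxia.net, bell.ca and the munged recipient host) is an assumption about whose relays the recipient controls; the function and variable names are this example's own. Besides the injection IP it reports three things a reader of this post would check by hand: the bare-number HELO, the unverifiable Received line the sender put beneath it, and the fact that that line is timestamped five hours after the hop that supposedly received it.

```python
import re
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample: the Received chain from the post, re-folded so that
# continuation lines start with whitespace (the newsgroup rendering flattened them).
SAMPLE_HEADERS = """\
Received: from tomts48-srv.bellnexxia.net ([209.226.175.192]) by bay0-pamc1-f6.bay0.hotmail.com
    with Microsoft SMTPSVC(6.0.3790.2444); Wed, 18 Apr 2007 00:09:27 -0700
Received: from [MUNGED]
    by toip18.srvr.bell.ca with ESMTP; 18 Apr 2007 03:09:18 -0400
Received: (qmail 3674 invoked by uid 110); 18 Apr 2007 03:09:18 -0400
Delivered-To: [MUNGED]
Received: (qmail 3642 invoked from network); 18 Apr 2007 03:09:15 -0400
Received: from unknown (HELO 142951232) (220.164.239.130)
    by [MUNGED] with SMTP; 18 Apr 2007 03:09:15 -0400
Received: from ggteks.net (143206768 [143206656])
    by gotzes.com (Qmailv1) with ESMTP id B93010FFE9
    for <[MUNGED]>; Wed, 18 Apr 2007 08:08:14 -0400
From: "Technologically H. Grapefruits" <istophe...@ggteks.net>
Subject: Girls don't like you?
"""

# Assumption: hosts whose Received lines we wrote ourselves or that our ISP wrote for us.
TRUSTED_PATH = ["hotmail.com", "bellnexxia.net", "bell.ca", "[MUNGED]"]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold_headers(raw: str) -> List[tuple]:
    """Join RFC 5322 continuation lines and return (name, value) pairs in order."""
    fields: List[tuple] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields


def parse_hop(value: str) -> Dict[str, Optional[object]]:
    """Extract from-host, HELO, source IP, by-host and timestamp from one Received value."""
    head, _, date = value.rpartition(";")
    from_part, _, by_part = head.partition(" by ")
    m_from = re.match(r"from\s+(\S+)", from_part)      # absent for local (qmail) steps
    m_helo = re.search(r"\(HELO\s+([^)\s]+)\)", from_part)
    m_ip = IPV4.search(from_part)                       # only the sender side, never the by-host
    m_by = re.match(r"(\S+)", by_part)
    try:
        when = parsedate_to_datetime(date.strip()) if date.strip() else None
    except (TypeError, ValueError):
        when = None
    return {
        "from": m_from.group(1) if m_from else None,
        "helo": m_helo.group(1) if m_helo else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "date": when,
    }


def is_trusted(host: Optional[str], ip: Optional[str], trusted: List[str]) -> bool:
    """A hop is trusted when its sending host (by suffix) or IP is in our own mail path."""
    for t in trusted:
        if host and (host == t or host.endswith("." + t)):
            return True
        if ip and ip == t:
            return True
    return False


def analyze_received_chain(raw_headers: str, trusted: List[str]) -> Dict[str, object]:
    """Walk the chain newest-hop-first; the first hop from outside the trusted path is the
    injection point, and every Received line below it was written by the sender."""
    hops = [parse_hop(v) for n, v in unfold_headers(raw_headers) if n.lower() == "received"]
    findings: List[str] = []
    injection = None
    for idx, hop in enumerate(hops):
        if hop["from"] is None:                     # local delivery step, no remote source
            continue
        if is_trusted(hop["from"], hop["ip"], trusted):
            continue
        injection = idx
        break
    if injection is None:
        return {"index": None, "ip": None, "helo": None, "hops": hops,
                "findings": ["no hop from outside the trusted path"]}
    hop = hops[injection]
    if hop["helo"] and re.fullmatch(r"\d+", hop["helo"]):
        findings.append(f"HELO {hop['helo']!r} is a bare number, not a hostname or IP literal")
    below = hops[injection + 1:]
    if below:
        findings.append(f"{len(below)} Received line(s) below the injection point are unverifiable")
    for later in below:                              # a hop beneath must be earlier in time
        if hop["date"] and later["date"] and later["date"] > hop["date"]:
            findings.append(f"line claiming 'from {later['from']}' is timestamped after the hop that received it")
    return {"index": injection, "ip": hop["ip"], "helo": hop["helo"], "hops": hops, "findings": findings}


if __name__ == "__main__":
    result = analyze_received_chain(SAMPLE_HEADERS, TRUSTED_PATH)
    print("injection point:", result["ip"], "HELO", result["helo"])
    for f in result["findings"]:
        print(" -", f)
```

The trusted-path list is the one input that has to be right for the walk to mean anything: a relay that is missing from it shows up as a false injection point, and a spammer's relay that is wrongly in it pushes the answer one hop too far down into lines the sender wrote.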