
[email] [drugs - Canadian Pharmacy botnet] [195.36.176.9] (nearlocate.com - sawread.com / biknasufadupo.com / markuzapilod.com / rubakopesanm.com / rumbaponukas.com / bizcn.com) RE: September 70% OFF

TomezNet

Sep 17, 2007, 7:31:18 PM
Received From:
IP 195.36.176.9 i07v-195-36-176-9.d4.club-internet.fr
(at T-ONLINEFRANCE / clubint.net / t-online.fr)

Spamvert botnet:
nearlocate.com => botnet
nearlocate.com Resolved to IP 89.139.195.238 to 203.168.237.29 to
4.228.42.253 to 79.178.73.203 to 80.178.63.184 to 80.178.136.171 to
81.183.183.229 to 84.94.182.209 to 84.187.219.98 to 85.250.211.103 to
85.250.237.196 to 87.69.101.210 to 88.153.206.195

Spamvert Image Hosting URL:
http://www.medicalplacehope.com/1.gif

sawread.com => botnet

www.sawread.com Resolved to IP 84.108.177.224 to 84.187.251.177 to
87.68.3.119 to 88.141.113.28 to 88.153.206.195 to 89.176.77.56 to
125.231.229.26 to 221.127.172.67 to 80.178.124.47 to 82.119.108.111 to
82.240.154.185 to 84.94.91.20 to 84.95.66.182 to 218.170.69.161 to
221.127.172.67 to 82.119.108.11 to 82.240.154.185 to 84.94.89.137 to
84.94.91.20 to 84.95.207.209 to 84.108.177.224 to 84.108.184.179 to
84.108.189.20 to 88.141.113.28 to 88.153.206.195 to 88.154.14.248

Title: Canadian Pharmacy

WEB:
© Copyright Canadian Pharmacy, 2003-2007. All Rights Reserved.

Much More Canadian Pharmacy sightings:
http://groups.google.com/groups/search?q=%22Canadian+Pharmacy%22+group%3A*abuse&start=0&scoring=d&

See sender identity and headers forgery by spammer.

Plenty of Forged Certificates and logos as always.

Much More info below:
====================

X-SID-PRA: Viagra.com Inc <[MUNGED]>
X-Message-Info:
6sSXyD95QpX6vuPbDDrN4cFoixcZwANCoMRXMJiJ317lsumehUiLMcVntHfilwSCSD4NxZGGYDJAqWRK4V5kJw==
Received: from tomts19-srv.bellnexxia.net ([209.226.175.73]) by bay0-
pamc1-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Mon, 17 Sep 2007 05:46:03 -0700
Received: from [MUNGED]
by toip15.srvr.bell.ca with ESMTP; 17 Sep 2007 08:45:49 -0400
Received: (qmail 32418 invoked by uid 110); 17 Sep 2007 06:37:16 -0400
Delivered-To: [MUNGED]
Received: (qmail 32401 invoked from network); 17 Sep 2007 06:37:16
-0400
Received: from i07v-195-36-176-9.d4.club-internet.fr (195.36.176.9)
by [MUNGED] with SMTP; 17 Sep 2007 06:37:16 -0400
Received: from Nicholas Duarte (10.16.11.11) by
i07v-195-36-176-9.d4.club-internet.fr (PowerMTA(TM) v3.2r4) id
[MUNGED] for <[MUNGED]>; Mon, 17 Sep 2007 12:36:09 +0100
Message-Id: <200709171336...@i07v-195-36-176-9.d4.club-
internet.fr>
To: <[MUNGED]>
Subject: RE: September 70% OFF
From: Viagra.com Inc <[MUNGED]>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Date: Mon, 17 Sep 2007 08:45:58 -0400
Return-Path: studio[]apokork.cz
X-OriginalArrivalTime: 17 Sep 2007 12:46:03.0206 (UTC)
FILETIME=[B4E1E660:01C7F928]

<style>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1">
</head>
<body>
<table width="600" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<table width="600" border="0" cellpadding="0" cellspacing="0"
background="http://images.fed.com/images/email/notice2_02.jpg">
<tr>
<td width="600" height="9" colspan="2"><img src="http://
images.oer.com/images/email/notice2_01.jpg" width="600" height="9"
alt=""></td>
</tr>
<tr>
<td width="458" style="font: 12px Verdana; color: #212121; text-
align: left; padding: 10px 20px;">
<span style="font-weight: bold; font-size: 22px; color:
#6387af;">wjs <span style="font-size: 14px;">Message from Patrica
Basford</span></span><br/><br/>
Hi Mike,<br/><br/>
You have a biv message from Patrica Basford. You can view the
message at the following location:<br/><br/>
<span style="font-weight: bold; font-size: 14px;"><a href="http://
www.uur.com/friend/mail/displayInbox.do?loginid=PNMMIYXKATDA25547680&smid=20070831_100_3VBYTTIw3PvBD0SyKHyw-1113102006">View
Message»</a></span><br/><br/>
Thank you for joining us,<br>the <b>qrz</b> team
</td>
<td width="142">
<table width="100" border="0" cellpadding="0" cellspacing="0"
align="center">
<tr>
<td align="center">
<a href="http://www.jcl.com/friend/mail/displayInbox.do?
loginid=PNMMIYXKATDA25547680&smid=20070831_100_3VBYTTIw3PvBD0SyKHyw-1113102006"><img
src="http://images.dyv.com/images/nophoto_girl_100.gif" border="0"></
a>
</td>
</tr>
</table>
</style>
<center>
<a href="http://www.nearlocate.com"><img src="http://www.sawread.com/
1.gif">
<style>
</td>
</tr>
<tr>
<td width="600" height="9" colspan="2"><img src="http://
images.gwc.com/images/email/notice2_03.jpg" width="600" height="9"
alt=""></td>
</tr>
</table>
</td>
</tr>
</table>
<table width="600">
<tr>
<td style="text-align: center; font: 10px Verdana; color: #a7a7a7;
padding-left: 10px;">
<span style="color:
#333;">------------------------------------------------------</
span><br/>
Copyright 2002-2006 ywf Networks, Inc. All rights reserved.<br/>
P.O. Box 31118, San Francisco, CA 94131, USA<br/>
<a href="http://www.qnv.com/friend/displayPrivacy.do">Privacy
Policy</a> | <a href="http://www.oon.com/friend/account/
displayEditAcct.do?loginid=PNMMIYXKATDA25547680">Unsubscribe</a> | <a
href="http://www.moh.com/friend/displayTOS.do">Terms of Service</a>
<img src="http://www.lei.com/friend/to.do?
loginid=PNMMIYXKATDA25547680&smid=20070831_100_3VBYTTIw3PvBD0SyKHyw-1113102006"
align="absmiddle" border="0" height="20" width="1">
</td>
</tr>
</table>
</body>
</html>
</style>

-- END OF SPAM --

nearlocate.com is a replacement for toppillscollect.com and
directmedmass.com

sawread.com is a replacement for medicalplacehope.com and
onlinepillact.com

WEB:
Licensed by The College of Pharmacists of British Columbia.
If you have any questions or concerns you can contact the college at
200-1765 West 8th Ave. Vancouver, BC, Canada V6J 5C6
You may contact us at +1(210) 787-1711, please, keep your order I.D.
every time you make a call.
© Copyright Canadian Pharmacy, 2003-2007. All Rights Reserved.

See also Viagra.com Inc sightings:
http://groups.google.com/groups/search?q=%22Viagra.com+Inc%22+group%3A*abuse&start=0&scoring=d&

See:
IP 195.36.176.9 i07v-195-36-176-9.d4.club-internet.fr

http://moensted.dk/spam/?addr=195.36.176.9
http://www.apews.org/?page=test&C=130&E=256693&ip=195.36.176.9

Much more club-internet.fr
http://groups.google.com/groups/search?q=club-internet.fr+group%3A*abuse&start=0&scoring=d&

inetnum: 195.36.172.0 - 195.36.217.255
netname: T-ONLINEFRANCE
descr: Pools for ADSL customers
descr: Pools for Dial-Up customers
country: FR
role: Network Operation Centre T-ONLINE FRANCE
address: Club Internet - T-Online France
address: 11 rue de Cambrai
address: 75019 Paris
address: France
phone: +33 1 55 45 45 00
fax-no: +33 1 55 45 47 78
e-mail: ri...@clubint.net

abuse[]club-internet.fr is listed in rfc-ignorant.org database
abuse[]t-online.fr is listed in rfc-ignorant.org database

route: 195.36.128.0/17
descr: T-Online France - Club Internet
origin: AS5410
notify: ri...@t-online.fr
mnt-by: T-ONLINEFRANCE
changed: v...@t-online.fr
AS Name: ASN-T-ONLINEFRANCE Club-Internet
http://www.cidr-report.org/cgi-bin/as-report?as=5410

1 SBL listings for IPs under the responsibility of club-internet.fr
http://www.spamhaus.org/sbl/listings.lasso?isp=club-internet.fr

17 SBL/ROKSO listings for IPs under the responsibility of
francetelecom.com
http://www.spamhaus.org/sbl/listings.lasso?isp=francetelecom.com

Spamvert URL:
http://www.nearlocate.com/

See:
www.nearlocate.com => botnet

ns0.markuzapilod.com [82.240.154.185] [TTL=172800] [FR]
ns0.rumbaponukas.com [212.1.244.29] [TTL=172800] [RU]

NS records at nameservers are:
ns0.biknasufadupo.com [81.95.182.51] [TTL=300]
ns0.markuzapilod.com [69.231.219.90] [TTL=300]
ns0.rubakopesanm.com [206.74.129.248] [TTL=300]
ns0.rumbaponukas.com [85.179.106.4] [TTL=300]

SOA record [TTL=300] is:
Primary nameserver: ns0.rumbaponukas.com
Hostmaster E-mail address:
Serial #: 0

www.nearlocate.com A records are:

www.nearlocate.com A 89.139.195.238 [TTL=300] [IL]
www.nearlocate.com A 203.168.237.29 [TTL=300] [HK]
www.nearlocate.com A 4.228.42.253 [TTL=300] [US]
www.nearlocate.com A 79.178.73.203 [TTL=300] [IL]
www.nearlocate.com A 80.178.63.184 [TTL=300] [IL]
www.nearlocate.com A 80.178.136.171 [TTL=300] [IL]
www.nearlocate.com A 81.183.183.229 [TTL=300] [HU]
www.nearlocate.com A 84.94.182.209 [TTL=300] [IL]
www.nearlocate.com A 84.187.219.98 [TTL=300] [DE]
www.nearlocate.com A 85.250.211.103 [TTL=300] [IL]
www.nearlocate.com A 85.250.237.196 [TTL=300] [IL]
www.nearlocate.com A 87.69.101.210 [TTL=300] [IL]
www.nearlocate.com A 88.153.206.195 [TTL=300] [IL]

SEE ALSO IP rDNS:
89.139.195.238 = 89-139-195-238.bb.netvision.net.il
203.168.237.29 = cm203-168-237-29.hkcable.com.hk
4.228.42.253 = dialup-4.228.42.253.dial1.denver1.level3.net
79.178.73.203 = bzq-79-178-73-203.red.bezeqint.net
80.178.63.184 = 80.178.63.184.adsl.012.net.il
80.178.136.171 = 80.178.136.171.adsl.012.net.il
81.183.183.229 = dsl51b7b7e5.pool.t-online.hu
84.94.182.209 = 84.94.182.209.cable.012.net.il
84.187.219.98 = p54BBDB62.dip.t-dialin.net
85.250.211.103 = 85-250-211-103.bb.netvision.net.il
85.250.237.196 = 85-250-237-196.bb.netvision.net.il
87.69.101.210 => AT linux.goldenlines.net.il / ISRAEL
88.153.206.195 = bzq-88-153-206-195.red.bezeqint.net

NS:
82.240.154.185 = lau06-3-82-240-154-185.fbx.proxad.net
212.1.244.29 => AT ti.ru /RUSSIA
81.95.182.51 = c-81-95-182-51.ihome.ua
69.231.219.90 = adsl-69-231-219-90.dsl.irvnca.pacbell.net
206.74.129.248 => SUNBELT-AS / US
85.179.106.4 = e179106004.adsl.alicedsl.de

Let's see whois.bizcn.com:
Domain name: nearlocate.com

Registrant Contact:
Atom Inventory
Allen Brandt atom[]atomplease.com
4809851298 fax:
6641 E. Baywood Ave. B3
Mesa AZ 85206
us

Administrative Contact:
Allen Brandt at...@atomplease.com
4809851298 fax:
6641 E. Baywood Ave. B3
Mesa AZ 85206
us

Technical Contact:
Allen Brandt at...@atomplease.com
4809851298 fax:
6641 E. Baywood Ave. B3
Mesa AZ 85206
us

Billing Contact:
Allen Brandt at...@atomplease.com
4809851298 fax:
6641 E. Baywood Ave. B3
Mesa AZ 85206
us

DNS:
ns0.rumbaponukas.com
ns0.markuzapilod.com

Created: 2007-07-10
Expires: 2008-07-10
More toppillscollect.com sightings:
http://groups.google.com/groups/search?q=toppillscollect.com+group%3A*abuse&qt_s=Search

More nearlocate.com sightings:
http://groups.google.com/groups/search?q=nearlocate.com+group%3A*abuse&qt_s=Search

Also much more bizcn.com spam support sightings:
http://groups.google.com/groups/search?q=bizcn.com+group%3A*abuse&start=0&scoring=d&

See Image hosting URL:
http://www.sawread.com/1.gif

See:
www.sawread.com => botnet


ns0.biknasufadupo.com [121.200.140.244] [TTL=172800] [JP]
ns0.markuzapilod.com [82.240.154.185] [TTL=172800] [FR]
ns0.rubakopesanm.com [89.176.77.56] [TTL=172800] [CZ]
ns0.rumbaponukas.com [84.94.89.137] [TTL=172800] [IL]

NS records at nameservers are:
sawread.com. [218.170.69.161] [221.127.172.67] [82.119.108.111]
[82.240.154.185] [84.94.89.137] [84.94.91.20] [84.95.207.209]
[84.108.177.224] [84.108.184.179] [84.108.189.20] [88.141.113.28]
[88.153.206.195] [88.154.14.248] [89.176.77.56] [125.231.229.26]
[TTL=300]

SOA record [TTL=300] is:
Primary nameserver: ns0.rumbaponukas.com
Hostmaster E-mail address:
Serial #: 0

www.sawread.com A record is:

www.sawread.com A 84.108.177.224 [TTL=300] [IL]
www.sawread.com A 84.187.251.177 [TTL=300] [DE]
www.sawread.com A 87.68.3.119 [TTL=300] [IL]
www.sawread.com A 88.141.113.28 [TTL=300] [FR]
www.sawread.com A 88.153.206.195 [TTL=300] [IL]
www.sawread.com A 89.176.77.56 [TTL=300] [CZ]
www.sawread.com A 125.231.229.26 [TTL=300] [TW]
www.sawread.com A 221.127.172.67 [TTL=300] [HK]
www.sawread.com A 80.178.124.47 [TTL=300] [IL]
www.sawread.com A 82.119.108.111 [TTL=300] [SK]
www.sawread.com A 82.240.154.185 [TTL=300] [FR]
www.sawread.com A 84.94.91.20 [TTL=300] [IL]
www.sawread.com A 84.95.66.182 [TTL=300] [IL]

sawread.com A record is:

sawread.com A 218.170.69.161 [TTL=300]
sawread.com A 221.127.172.67 [TTL=300]
sawread.com A 82.119.108.111 [TTL=300]
sawread.com A 82.240.154.185 [TTL=300]
sawread.com A 84.94.89.137 [TTL=300]
sawread.com A 84.94.91.20 [TTL=300]
sawread.com A 84.95.207.209 [TTL=300]
sawread.com A 84.108.177.224 [TTL=300]
sawread.com A 84.108.184.179 [TTL=300]
sawread.com A 84.108.189.20 [TTL=300]
sawread.com A 88.141.113.28 [TTL=300]
sawread.com A 88.153.206.195 [TTL=300]
sawread.com A 88.154.14.248 [TTL=300]

Let's see whois.dns.com.cn:
Domain Name.......... sawread.com
Creation Date........ 2007-08-16 01:03:05
Registration Date.... 2007-08-16 01:03:05
Expiry Date.......... 2008-08-16 01:03:05
Organisation Name.... happyinternational.inc
Organisation Address. chaoyang avenue 468
Organisation Address.
Organisation Address. beijing
Organisation Address. 100438
Organisation Address. BJ
Organisation Address. CN

Admin Name........... huan huan
Admin Address........ chaoyang avenue 468
Admin Address........
Admin Address........ beijing
Admin Address........ 100438
Admin Address........ BJ
Admin Address........ CN
Admin Email.......... dfeendlo...@hotmail.com
Admin Phone.......... +86.1045875892
Admin Fax............ +86.1093859833

Tech Name............ he sir
Tech Address......... shennanzhong rd
Tech Address.........
Tech Address......... Shenzhen
Tech Address......... 518031
Tech Address......... GD
Tech Address......... CN
Tech Email........... admins...@126.com
Tech Phone........... +86.75583233325
Tech Fax............. +86.75583233325

Bill Name............ he sir
Bill Address......... shennanzhong rd
Bill Address.........
Bill Address......... Shenzhen
Bill Address......... 518031
Bill Address......... GD
Bill Address......... CN
Bill Email........... admins...@126.com
Bill Phone........... +86.75583233325
Bill Fax............. +86.75583233325
Name Server.......... ns0.rubakopesanm.com
Name Server.......... ns0.markuzapilod.com
Name Server.......... ns0.biknasufadupo.com
Name Server.......... ns0.rumbaponukas.com

More sawread.com sightings:
http://groups.google.com/groups/search?q=sawread.com+group%3A*abuse&qt_s=Search

See also Registrant E-mail contact adminspeed123[]126.com sightings:
http://groups.google.com/groups/search?q=%22adminspeed123%40126.com%22+group%3A*abuse&qt_s=Search

See also Registrant E-mail contact at atomplease.com sightings:
http://groups.google.com/groups/search?q=atomplease.com+group%3A*abuse&qt_s=Search

Let's see whois.bizcn.com:
Domain name: atomplease.com

Registrant Contact:
Atom Inventory
Allen Brandt atom[]atomplease.com
4809851298 fax:
6641 E. Baywood Ave. B3
Mesa AZ 85206
us

Administrative Contact:
Allen Brandt at...@atomplease.com
4809851298 fax:
6641 E. Baywood Ave. B3
Mesa AZ 85206
us

Technical Contact:
Allen Brandt at...@atomplease.com
4809851298 fax:
6641 E. Baywood Ave. B3
Mesa AZ 85206
us

Billing Contact:
Allen Brandt at...@atomplease.com
4809851298 fax:
6641 E. Baywood Ave. B3
Mesa AZ 85206
us

DNS:
ns0.rumbaponukas.com
ns0.markuzapilod.com

Created: 2007-07-10
Expires: 2008-07-10

Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/ae0a8cc1a8b9e918

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/6cd26c793e4a5c23

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/304b0dc256d9e615

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/17cd1878f9bd53ba

Cheers, Tomez


--
All postings to news.admin.net-abuse.sightings are unconfirmed and
unverified unless stated otherwise by the moderators. All opinions
expressed above are considered the opinions of the original poster,
not the moderators or their respective employers.

For a copy of the guidelines to this group, see:

http://www.killfile.org/~tskirvin/nana/
