Spamvert:
www.thankperiod.com => botnet
www.thankperiod.com Resolved to 222.166.213.143 to 59.149.149.191 to
61.47.212.197 to 71.170.85.91 to 75.74.178.174 to 76.102.248.125 to
76.208.36.217 to 77.244.213.52 to 78.155.205.131 to 80.6.69.31 to
80.145.64.85 to 83.170.252.133 to 85.29.203.181 to 88.134.185.93 to
89.173.43.157 to 91.67.12.24 to 118.171.41.10 to 125.14.86.162 to
213.247.172.97 to 218.254.157.62
Title: European Pharmacy aka Canadian Pharmacy
stylesheet => css/canadian_pharmacy_2_style.css
WEB:
© Copyright Canadian Pharmacy, 2003-2007. All Rights Reserved.
Much More Canadian Pharmacy sightings:
http://groups.google.com/groups/search?q=%22Canadian+Pharmacy%22+group%3A*abuse&start=0&scoring=d&
See sender identity and headers forgery by spammer.
Plenty of Forged Certificates and logos as always.
More info below:
==================
X-SID-PRA: [MUNGED]
X-Message-Info: 6sSXyD95QpViC7scDao6FPUcgjkqeSlP49WHLrm6RE
+r02hLRtOco2oc9n+MdM6Z3rL2Asdp28ZoPmX9n7VQ9Q=
Received: from tomts3-srv.bellnexxia.net ([209.226.175.115]) by
bay0-pamc1-f4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Sun, 16 Mar 2008 01:00:09 -0700
Received: from toip22.srvr.bell.ca ([67.69.240.24])
by toip25.srvr.bell.ca with ESMTP; 16 Mar 2008 03:59:59 -0400
Received: from [MUNGED]
by toip22.srvr.bell.ca with ESMTP; 16 Mar 2008 03:59:52 -0400
Received: (qmail 19698 invoked by uid 110); 16 Mar 2008 03:59:51 -0400
Delivered-To: [MUNGED]
Received: (qmail 19499 invoked from network); 16 Mar 2008 03:59:50 -0400
Received: from unknown (HELO yw-8f3658bced7d) (125.112.186.127)
by [MUNGED] with SMTP; 16 Mar 2008 03:59:50 -0400
Content-Return: allowed
X-Mailer: CME-V6.5.4.3; MSN
Return-Path: communication...@cimail15.msn.com
Received: (qmail 24904 by uid 621); Fri, 16 Mar 2007 04:01:01 +0800
Message-Id: <20070316120101.24906.qmail@yw-8f3658bced7d>
To: <[MUNGED]>
Subject: Discount: March 70% OFF!
From: <[MUNGED]>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Date: Sun, 16 Mar 2008 04:05:57 -0400
X-OriginalArrivalTime: 16 Mar 2008 08:00:09.0087 (UTC) FILETIME=[C0FFD0F0:01C8873B]
<html>
<TABLE cellSpacing="0" cellPadding="0" width="100%" bgColor="#aaccbb"
border="0">
<TBODY>
<TR>
<TD><TABLE cellSpacing="0" cellPadding="0" width="600"
align="center" bgColor="#aaccbb" border="0">
<TBODY>
<TR>
<TD>Having trouble viewing this e-mail?
<A href="http://www.thankperiod.com" target="_blank">Click here</A>. To ensure that
you keep receiving savings e-mails, please add [MUNGED] to your
Address Book. Thank you! <BR>
<BR>
<TABLE cellSpacing="0" cellPadding="3" width="602"
align="center" bgColor="#cee2d8" border="0">
<TBODY>
<TR>
<TD><TABLE cellSpacing="0" cellPadding="2"
width="600" align="center" bgColor="#aaccbb" border="0">
<TBODY>
<TR>
<TD><TABLE cellSpacing="0"
cellPadding="0" width="600" bgColor="#ffffff" border="0">
<TBODY>
<TR>
<TD bgColor="#ffffff"><TABLE
cellSpacing="0" cellPadding="0" width="600" border="0">
<TBODY>
<TR>
<TD><IMG height="1"
src="http://www2.joann-mail.com/J0734y2k/images/topnav_logo.gif"
width="300" border="0"></TD>
<TD vAlign="bottom"
align="right" width="150" bgColor="#ffffff"><IMG height="1"
src="http://www2.joann-mail.com/J0734y2k/images/topnav_7.gif"
width="150" border="0"></TD>
<TD vAlign="bottom"
align="right" width="150" bgColor="#ffffff"><IMG height="1"
src="http://www2.joann-mail.com/J0734y2k/images/topnav_8.gif"
width="150" border="0"></TD>
</TR>
</TBODY>
</TABLE></TD>
</TR>
<TR>
<TD align="middle" width="600"
bgColor="#ffffff"><IMG height="10" alt=""
src="http://www2.joann-mail.com/J0734y2k/images/topnav_bar.gif" width="600"></TD>
</TR>
<TR>
<TD colSpan="0"><IMG
height="5" alt="" src="http://www2.joann-mail.com/J0734y2k/images/spacer.gif"
width="1"></TD>
</TR>
<TR>
<TD width="600"><TABLE
cellSpacing="0" cellPadding="0" width="600" bgColor="#ffffff"
border="0">
<TBODY>
<TR>
<TD
bgColor="#ffffff"><a href="http://www.thankperiod.com"><img
src="http://www.thankperiod.com/1.gif" width="550" height="400"
border="0"></a></TD>
</TR>
</TBODY>
</TABLE></TD>
</TR>
<TR></TR>
<TR>
<TD colSpan="0"><IMG
height="5" src="http://www2.joann-mail.com/J0734y2k/images/spacer.gif"
width="1"></TD>
</TR>
<TR>
<TD width="600"
bgColor="#ffffff"><TABLE cellPadding="8" width="600" bgColor="#ffffff"
border="0">
<TBODY>
<TR></TR>
<TR>
</TR>
<TR>
<TD align="middle"
bgColor="#cee2d8"><p>We respect your right to privacy, please <A
href="http://www.thankperiod.com" target="_blank">click here</A> to
read our privacy policy. You have received this e-mail because you
are a registered member. This e-mail was sent to the following
address: [MUNGED].<BR>
<A href="http://www.thankperiod.com" target="_blank">Click here</A> to update your
e-mail preferences or unsubscribe from e-mail**. <BR>
<BR>
* Offer valid
online only through Tue 3/16/08 10:10 PM.</p></TD>
</TR>
</TBODY>
</TABLE></TD>
</TR>
<TR>
<TD vAlign="top"
align="middle" bgColor="#cee2d8" colSpan="3"><IMG height="3" alt=""
src="http://www2.joann-mail.com/J0734y2k/images/spacer.gif"
width="1"><BR>
© 2001-2008 Pfizer Inc. All
rights reserved!<BR>
<IMG height="3" alt=""
src="http://www2.joann-mail.com/J0734y2k/images/spacer.gif"
width="1"></TD>
</TR>
</TBODY>
</TABLE></TD>
</TR>
</TBODY>
</TABLE></TD>
</TR>
</TBODY>
</TABLE></TD>
</TR>
<TR>
<TD bgColor="#aaccbb"><CENTER>
Please do not reply to this e-mail, as we are not able
to respond to messages sent to this address.<BR>
For all inquiries, <A href="http://www.thankperiod.com"
target="_blank">click here</A>. Thank you.
<BR>
</CENTER></TD>
</TR>
</TBODY>
</TABLE></TD>
</TR>
</TBODY>
</TABLE>
</html>
-- END OF SPAM --
More spammer sightings:
http://groups.google.com/groups/search?q=%22September+70%25%22+group%3A*abuse&start=0&scoring=d&
SEE sender identity and headers forgery by spammer spoofing our
domain.
OLD Listing:
SBL61248 - ROK4932 / SBL61418, SBL61896, SBL62483
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK4932
WEB:
Licensed by The College of Pharmacists of British Columbia.
If you have any questions or concerns you can contact the college at
200-1765 West 8th Ave. Vancouver, BC, Canada V6J 5C6
You may contact us at +1(210) 888-9089, please, keep your order I.D.
every time you make a call
© Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved.
See also Viagra.com Inc sightings:
http://groups.google.com/groups/search?q=%22Viagra.com+Inc%22+group%3A*abuse&start=0&scoring=d&
See:
IP 125.112.186.127
http://moensted.dk/spam/?addr=125.112.186.127
inetnum: 125.112.128.0 - 125.112.255.255
netname: CHINANET-ZJ-JH
country: CN
descr: CHINANET-ZJ Jinhua node network
descr: Zhejiang Telecom
changed: auto...@dcb.hz.zj.cn
mntner: MAINT-CN-CHINANET-ZJ-JH
upd-to: mas...@dcb.hz.zj.cn
route: 125.112.0.0/12
descr: China Telecom ZheJiang province
origin: AS4134
mnt-by: MAINT-AS4134
changed: tia...@cndata.com
AS Name: CHINANET-BACKBONE No.31,Jin-rong Street
http://www.cidr-report.org/cgi-bin/as-report?as=4134
1 SBL/ROKSO listings for IPs under the responsibility of CHINANET-ZJ
http://www.spamhaus.org/sbl/listings.lasso?isp=CHINANET-ZJ
See Spamvert:
www.thankperiod.com has no MX records -> thankperiod.com has no MX
records
ns0.orstensguide.com IP 118.109.78.190
ns0.onthetens.com IP 88.134.185.93
See rDNS of botnet:
222.166.213.143 = cm222-166-213-143.hkcable.com.hk
59.149.149.191 = 059149149191.ctinets.com
61.47.212.197 => no PTR Korea / SAEROMNET / epnetworks.co.kr
71.170.85.91 = static-71-170-85-91.dllstx.fios.verizon.net
75.74.178.174 = c-75-74-178-174.hsd1.fl.comcast.net
76.102.248.125 = c-76-102-248-125.hsd1.ca.comcast.net
76.208.36.217 = adsl-76-208-36-217.dsl.sbndin.sbcglobal.net
77.244.213.52 = ip-77-244-213-52.user.rsspnet.ru
78.155.205.131 = n205-metalostroy-131.rsspnet.ru
80.6.69.31 = cpc2-ashf1-0-0-cust286.asfd.cable.ntl.com
80.145.64.85 = p50914055.dip.t-dialin.net
83.170.252.133 = SOL-FTTB.133.252.170.83.sovam.net.ua
85.29.203.181 no PTR at VIRUNET / vnet.ee
88.134.185.93 = 88-134-185-93-dynip.superkabel.de
89.173.43.157 = chello089173043157.chello.sk
91.67.12.24 no PTR at kabel-bb.de
118.171.41.10 = 118-171-41-10.dynamic.hinet.net
125.14.86.162 = 125-14-86-162.rev.home.ne.jp
213.247.172.97 = host-97.mostrcenter.macomnet.net
218.254.157.62 = cm218-254-157-62.hkcable.com.hk
Let's see whois.paycenter.com.cn:
Domain Name: thankperiod.com
Registrant:
liu bin
hai kou
891000
Administrative Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 898 1234567
fax: 898 1234567
cnclinp[]21cn.com
Technical Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 1234567
fax: 1234567
cnc...@21cn.com
Billing Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 1234567
fax: 1234567
cnc...@21cn.com
Registration Date: 2008-02-21
Update Date: 2008-03-10
Expiration Date: 2009-02-21
Primary DNS: ns0.orstensguide.com
Secondary DNS: ns0.onthetens.com
More thankperiod.com sightings:
http://groups.google.com/groups/search?q=thankperiod.com+group%3A*abuse*&qt_s=Search
See cnc...@21cn.com sightings:
http://groups.google.com/groups/search?q=%22cnclinp%4021cn.com%22+group%3A*abuse*&qt_s=Search
See:
ns0.orstensguide.com IP 118.109.78.190
ns0.orstensguide.com has no MX records -> orstensguide.com has no MX
records
http://moensted.dk/spam/?addr=118.109.78.190
http://cbl.abuseat.org/lookup.cgi?ip=118.109.78.190
route: 118.108.0.0/14
descr: BIGLOBE CIDR BLOCK 24
origin: AS2518
notify: n...@mesh.ad.jp
mnt-by: MESH
changed: ishino[]mesh.ad.jp
AS Name: MESH C&C Internet Service mesh(NEC Corporation)
http://www.cidr-report.org/cgi-bin/as-report?as=2518
3 SBL/ROKSO listings for IPs under the responsibility of mesh.ad.jp
http://www.spamhaus.org/sbl/listings.lasso?isp=mesh.ad.jp
Let's see whois.dns.com.cn:
Domain Name.......... orstensguide.com
Creation Date........ 2008-01-27 12:53:03
Registration Date.... 2008-01-27 12:53:03
Expiry Date.......... 2009-01-27 12:53:03
Organisation Name.... SHE Company
Organisation Address. Kuantuan Holland City
Organisation Address.
Organisation Address. Kuantan
Organisation Address. 45217
Organisation Address. WG
Organisation Address. GU
Admin Name........... SHE Company
Admin Address........ Kuantuan Holland City
Admin Address........
Admin Address........ Kuantan
Admin Address........ 45217
Admin Address........ WG
Admin Address........ GU
Admin Email.......... kua...@hotmail.com
Admin Phone.......... +86.7854125
Admin Fax............ +86.7845412
Tech Name............ SHE Company
Tech Address......... Kuantuan Holland City
Tech Address.........
Tech Address......... Kuantan
Tech Address......... 45217
Tech Address......... WG
Tech Address......... GU
Tech Email........... kua...@hotmail.com
Tech Phone........... +86.7854125
Tech Fax............. +86.7845412
Bill Name............ SHE Company
Bill Address......... Kuantuan Holland City
Bill Address.........
Bill Address......... Kuantan
Bill Address......... 45217
Bill Address......... WG
Bill Address......... GU
Bill Email........... kua...@hotmail.com
Bill Phone........... +86.7854125
Bill Fax............. +86.7845412
Name Server.......... ns1.dns.com.cn
Name Server.......... ns2.dns.com.cn
More orstensguide.com sightings:
http://groups.google.com/groups/search?q=orstensguide.com+group%3A*abuse*&qt_s=Search
See:
ns0.onthetens.com IP 88.134.185.93
ns0.onthetens.com has no MX records -> onthetens.com has no MX records
http://moensted.dk/spam/?addr=88.134.185.93
http://cbl.abuseat.org/lookup.cgi?ip=88.134.185.93
inetnum: 88.134.128.0 - 88.134.191.255
netname: KABEL-DEUTSCHLAND-CUSTOMER-SERVICES-9
descr: Kabel Deutschland Breitband Customer 9
country: DE
route: 88.134.176.0/20
descr: Kabeldeutschland Route Berlin
origin: AS31334
mnt-by: MNT-KABELDEUTSCHLAND
changed: fred.mattig[]kabel-bb.de
AS Name: KABELDEUTSCHLAND-AS Kabel Deutschland Breitband Service GmbH
http://www.cidr-report.org/cgi-bin/as-report?as=31334
Let's see whois.dns.com.cn:
Domain Name.......... onthetens.com
Creation Date........ 2008-01-27 12:52:45
Registration Date.... 2008-01-27 12:52:45
Expiry Date.......... 2009-01-27 12:52:45
Organisation Name.... SHE Company
Organisation Address. Kuantuan Holland City
Organisation Address.
Organisation Address. Kuantan
Organisation Address. 45217
Organisation Address. WG
Organisation Address. GU
Admin Name........... SHE Company
Admin Address........ Kuantuan Holland City
Admin Address........
Admin Address........ Kuantan
Admin Address........ 45217
Admin Address........ WG
Admin Address........ GU
Admin Email.......... kua...@hotmail.com
Admin Phone.......... +86.7854125
Admin Fax............ +86.7845412
Tech Name............ SHE Company
Tech Address......... Kuantuan Holland City
Tech Address.........
Tech Address......... Kuantan
Tech Address......... 45217
Tech Address......... WG
Tech Address......... GU
Tech Email........... kua...@hotmail.com
Tech Phone........... +86.7854125
Tech Fax............. +86.7845412
Bill Name............ SHE Company
Bill Address......... Kuantuan Holland City
Bill Address.........
Bill Address......... Kuantan
Bill Address......... 45217
Bill Address......... WG
Bill Address......... GU
Bill Email........... kua...@hotmail.com
Bill Phone........... +86.7854125
Bill Fax............. +86.7845412
Name Server.......... ns1.dns.com.cn
Name Server.......... ns2.dns.com.cn
More onthetens.com sightings:
http://groups.google.com/groups/search?q=onthetens.com+group%3A*abuse*&qt_s=Search
More spammer recent sightings:
http://groups.google.com/groups/search?q=February+75%25+OFF+group%3A*abuse&qt_s=Search
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/7f587d35d2b7fe49
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/4425369cd1f08f74
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/4895db68b0c79370
Cheers, Tomez
--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified
unless stated otherwise by the moderators. All opinions expressed above are
considered the opinions of the original poster, not the moderators or their
respective employers. For a copy of the guidelines to this group, see:
http://www.killfile.org/~tskirvin/nana/