
[email] [drugs - Canadian Pharmacy botnet] [82.111.129.17] (pleaseselect.com / axrpss.com / lutrwpghd.com / sjrbofa.com / vqwgds.com / xinnetdns.com / xinnet.cn) mikrowac


TomezNet

Mar 21, 2008, 7:05:49 PM
Received From:
IP 82.111.129.17
(at easynet.net / GIGO)

Spamvert:
www.pleaseselect.com => botnet
pleaseselect.com Resolved to 219.251.130.43 to 24.38.202.179 to
24.158.158.225 to 24.168.153.46 to 61.47.212.197 to 65.3.134.105 to
68.34.45.204 to 68.43.124.193 to 69.86.213.81 to 69.245.174.253 to
72.234.213.226 to 76.102.248.125 to 78.94.101.176 to 79.164.238.130 to
98.204.185.40 to 99.225.241.28 to 118.161.179.181 to 123.140.78.146 to
123.140.78.159 to 218.232.90.249

New:
ns2.xinnetdns.com IP 210.51.170.48 => SBL63236 at cncgroup-bj
ns2.xinnet.cn IP 210.51.170.67 => SBL63236 at cncgroup-bj

Old:
ns.xinnetdns.com IP 210.51.170.66
ns.xinnet.cn IP 210.51.171.209

AND:
ns0.axrpss.com IP 222.166.132.30
ns0.axrpss.com IP 222.167.203.112 => New
ns0.axrpss.com IP 62.143.161.186 => New
ns0.lutrwpghd.com = 123.202.194.61 => New
ns0.lutrwpghd.com = 60.47.214.194 => New
ns0.lutrwpghd.com IP 221.126.94.65
ns0.lutrwpghd.com IP 84.245.204.131
ns0.sjrbofa.com IP 202.126.117.43
ns0.sjrbofa.com = 59.149.165.117 => New
ns0.sjrbofa.com = 124.218.67.36 => New
ns0.vqwgds.com IP 221.127.245.4
ns0.vqwgds.com IP 79.164.123.55 => New
ns0.vqwgds.com = 123.202.90.32 => New

Title: European Pharmacy (aka Canadian Pharmacy)

WEB:
© Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved.

Many more Canadian Pharmacy sightings:
http://groups.google.com/groups/search?q=%22Canadian+Pharmacy%22+group%3A*abuse&start=0&scoring=d&

Plenty of Forged Certificates and logos as always.

More info below:
==================
X-SID-PRA: Claudette Dowdell <Claudett...@castelbrando.com>
X-Message-Info: 6sSXyD95QpUtSZzyKfMhcYkVH7OogKR+Dgt8TVa+po/9KiaA1wcmk0gGPu34HztqHzg8DuViIkIr/k+38w456A=
Received: from tomts1-srv.bellnexxia.net ([209.226.175.113]) by bay0-pamc1-f1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Fri, 21 Mar 2008 14:51:26 -0700
Received: from toip15.srvr.bell.ca ([67.69.240.17])
by toip28.srvr.bell.ca with ESMTP; 21 Mar 2008 17:51:21 -0400
Received: from [MUNGED]
by toip15.srvr.bell.ca with ESMTP; 21 Mar 2008 17:51:13 -0400
Received: (qmail 31807 invoked by uid 110); 21 Mar 2008 17:51:19 -0400
Delivered-To: [MUNGED]
Received: (qmail 31803 invoked from network); 21 Mar 2008 17:51:18 -0400
Received: from unknown (HELO ?82.111.129.17?) (82.111.129.17)
by [MUNGED] with SMTP; 21 Mar 2008 17:51:18 -0400
Message-ID: <000d01c88b9e$36cb83e0$11816f52@IDNLON08>
From: "Claudette Dowdell" <Claudett...@castelbrando.com>
To: [MUNGED]
Subject: mikrowac
Date: Fri, 21 Mar 2008 21:55:02 -0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--------=_NextPart_000_0009_01C88B9E.36CB83E0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Return-Path: Claudett...@castelbrando.com
X-OriginalArrivalTime: 21 Mar 2008 21:51:26.0707 (UTC)
FILETIME=[B6716430:01C88B9D]

----------=_NextPart_000_0009_01C88B9E.36CB83E0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Nice place - cheap meds!
You won't need anything else, when you are really big!
----------=_NextPart_000_0009_01C88B9E.36CB83E0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.3199" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT Arial size=3D2>Nice place - cheap meds!</FONT></DIV>
<A href=3D"http://pleaseselect.com">You won't need anything else, when
you are=20
really big!</A></BODY></HTML>
----------=_NextPart_000_0009_01C88B9E.36CB83E0--

-- END OF SPAM --

See also European Pharmacy sightings:
http://groups.google.com/groups/search?q=%22European+Pharmacy%22+group%3A*abuse*&qt_s=Search

Identical spam as for collectwhole.com, planerise.com, seapast.com,
moonshort.com, letterclock, liftplural.com, samegentle.com => All
Botnet

OLD Listing:
SBL61248 - ROK4932 / SBL61418, SBL61896, SBL62483

http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK4932

WEB:
Licensed by The College of Pharmacists of British Columbia.
If you have any questions or concerns you can contact the college at
200-1765 West 8th Ave. Vancouver, BC, Canada V6J 5C6
You may contact us at +1(210) 888-9089, please, keep your order I.D.
every time you make a call
© Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved.

More spammer sightings:
http://groups.google.com/groups/search?q=%22September+70%25%22+group%3A*abuse&start=0&scoring=d&

See:
IP 82.111.129.17

http://moensted.dk/spam/?addr=82.111.129.17
Listed in PSBL, see http://psbl.surriel.com/listing?ip=82.111.129.17
http://spamcop.net/w3m?action=checkblock&ip=82.111.129.17

inetnum: 82.111.129.16 - 82.111.129.23
netname: GIGO
descr: Gigo Systems Ltd - Internet City
descr: Office
descr: London
country: GB
role: Easynet Hostmaster
address: Easynet Network Operations Centre
address: Easynet Group PLC
address: 44-46 Whitfield Street
address: London W1T 2RJ
address: England

route: 82.108.0.0/14
descr: Easynet UK
origin: AS4589
mnt-by: EASYNET-UK-MNT
changed: james.samuel[]uk.easynet.net
AS Name: EASYNET Easynet Group Plc
http://www.cidr-report.org/cgi-bin/as-report?as=4589

Spamvert:
www.pleaseselect.com => botnet
pleaseselect.com Resolved to 219.251.130.43 to 24.38.202.179 to
24.158.158.225 to 24.168.153.46 to 61.47.212.197 to 65.3.134.105 to
68.34.45.204 to 68.43.124.193 to 69.86.213.81 to 69.245.174.253 to
72.234.213.226 to 76.102.248.125 to 78.94.101.176 to 79.164.238.130 to
98.204.185.40 to 99.225.241.28 to 118.161.179.181 to 123.140.78.146 to
123.140.78.159 to 218.232.90.249

pleaseselect.com has no MX records

New:
ns2.xinnetdns.com IP 210.51.170.48
ns2.xinnet.cn IP 210.51.170.67

Old:
ns.xinnetdns.com IP 210.51.170.66
ns.xinnet.cn IP 210.51.171.209

AND:
ns0.axrpss.com IP 222.166.132.30
ns0.axrpss.com IP 222.167.203.112 => New
ns0.axrpss.com IP 62.143.161.186 => New
ns0.lutrwpghd.com = 123.202.194.61 => New
ns0.lutrwpghd.com = 60.47.214.194 => New
ns0.lutrwpghd.com IP 221.126.94.65
ns0.lutrwpghd.com IP 84.245.204.131
ns0.sjrbofa.com IP 202.126.117.43
ns0.sjrbofa.com = 59.149.165.117 => New
ns0.sjrbofa.com = 124.218.67.36 => New
ns0.vqwgds.com IP 221.127.245.4
ns0.vqwgds.com IP 79.164.123.55 => New
ns0.vqwgds.com = 123.202.90.32 => New

See IP rDNS on botnet:
219.251.130.43 no PTR at HANANET / hanaro.com / Korea
24.38.202.179 = static-host-24-38-202-179.patmedia.net
24.158.158.225 = 24-158-158-225.dhcp.jcsn.tn.charter.com
24.168.153.46 = cpe-24-168-153-46.nj.res.rr.com
61.47.212.197 no PTR at SAEROMNET-AS-KR Hanvit Saerom Broadcasting / empal.com / bora.net / epnetworks.co.kr / Korea
65.3.134.105 = adsl-3-134-105.mia.bellsouth.net
68.34.45.204 = c-68-34-45-204.hsd1.dc.comcast.net
68.43.124.193 = c-68-43-124-193.hsd1.mi.comcast.net
69.86.213.81 = user-12ldlah.cable.mindspring.com
69.245.174.253 = c-69-245-174-253.hsd1.in.comcast.net
72.234.213.226 = udp228364uds.hawaiiantel.net
76.102.248.125 = c-76-102-248-125.hsd1.ca.comcast.net
78.94.101.176 = ip-78-94-101-176.PH-1413G-BSR64K-03.ish.de
79.164.238.130 = host-79-164-238-130.qwerty.ru
98.204.185.40 = c-98-204-185-40.hsd1.md.comcast.net
99.225.241.28 = cpe0016d39a6060-cm001947571312.cpe.net.cable.rogers.com
118.161.179.181 = 118-161-179-181.dynamic.hinet.net
123.140.78.146 no PTR bora.net / LGDACOM / chol.com / Korea
123.140.78.159 no PTR bora.net / LGDACOM / chol.com / Korea
218.232.90.249 no PTR at HANANET / hanaro.com / Korea

Let's see whois.paycenter.com.cn:
Domain Name: pleaseselect.com

Registrant:
liu bin
hai kou
891000

Administrative Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 898 1234567
fax: 898 1234567
cnclinp[]21cn.com

Technical Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 1234567
fax: 1234567
cnc...@21cn.com

Billing Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 1234567
fax: 1234567
cnc...@21cn.com

Registration Date: 2008-03-05
Update Date: 2008-03-05
Expiration Date: 2009-03-05

Primary DNS: ns.xinnetdns.com 210.51.170.66
Secondary DNS: ns.xinnet.cn 210.51.171.209

See also cnc...@21cn.com sightings:
http://groups.google.com/groups/search?q=%22cnclinp%4021cn.com%22+group%3A*abuse*&qt_s=Search

SEE ALSO:
hostnames sharing ip with a-records
*.chancetoo.com
*.head-of-epharmacy.com
18meds.com
aamorphous.com
aangakikam.com
aasansabag.com
aassupload.com
adaev.gonebox.com
andconsider.com
atnevez.com
beklom.com
bigbonger.com
blucpan.com
bonilt.com
branchform.com
brownarrive.com
canadian-meds-world.com
carryelse.com
chancetoo.com
controlbread.com
cosamryl.com
dagespo.com
decidecompany.com
doctorpart.com
doupsto.com
drugtoplocate.com
dwointa.com
earcandlesonline.com
eggready.com
fixforall.com
friendlake.com
goneline.com
goodtimescasino.com
gotvab.com
grewthose.com
head-of-epharmacy.com
highqualitypharm.com
istupee.com
kazinr.com
laymoment.com
limits-on-freedom.com
locatecoast.com
lometr.com
lovemedssign.com
macesont.com
maianor.com
medruijinhasedunkingans.com
meds5.com
micald.com
millioncover.com
miplor.com
moonbefore.com
nolidv.com
ns0.xazeyunhdefunja.com
opicer.com
petork.com
pharmacy-saving.com
pitebl.com
plogat.com
refilp.com
rxnic.com
saderuikuntunyesdea.com
sambinos.com
sectiononce.com
sednip.com
seedbeat.com
sendwide.com
setunit.com
sevenhappy.com
shaesol.com
smeriv.com
soundgave.com
spammer.head-of-epharmacy.com
srelom.com
staget.com
static-host-24-38-202-179.patmedia.net
stonesingle.com
studydecimal.com
subtracthat.com
takinov.com
thegolffix.com
thousandseveral.com
toptall.com
toutofy.com
treehuge.com
tripheat.com
tunecvim.com
twoevery.com
typechair.com
typelook.com
unittrip.com
uz.wrongsame.com
woodsugar.com
wouldmusic.com
wrongsame.com
yourfishingear.com

domains using this as nameserver
6phr.com
applyforsmiles.com
assortmentandspecie.com
aztxobzipyijon.com
buycheapmeds5.com
buycheapmeds6.com
buycheapmeds7.com
buypillsonline5.com
buypillsonline6.com
buypillsonline7.com
check-this-out-a.com
cometourwells.com
discount-a.com
discount-l.com
discount-m.com
discount-n.com
discount-r.com
disscount-a.com
disscount-b.com
disscount-c.com
disscount-d.com
disscount-e.com
dodrx.com
ebadesunajisadefun.com
energyfromwate.com
enjoymorerelaxs.com
express6.net
express8.net
express9.net
fawunjunterfuyun.com
formorerelaxs.com
gudrx.com
guihgzybira.com
huteryadesunde.com
juiceandfruit.com
kanhershdepions.com
keyassortmen.com
kodrx.com
look-at-this-site.com
medic3.net
medic4.net
medic5.com
medic6.com
meds5.com
meds6.com
meds7.com
medsonline5.com
medsonline6.com
medsonline7.com
medsonline8.com
mixturejo.com
mudrx.com
no-miss-your-chance-a.com
no-miss-your-chance-b.com
no-miss-your-chance-c.com
no-miss-your-chance.net
offastdeals.com
perfectionandassortmen.com
perfectmixtur.com
pharm4.com
pharm6.com
pharm9.com
pharmacy6.net
pharmacy8.net
pharmacy9.net
pharmonline5.com
pharmonline6.com
pharmonline7.com
pharmonline8.com
pills4.net
pills5.net
pills6.net
pudrx.com
rx-information.net
rxclubdiscount.com
rxmedic.net
rxshop2.com
rxshop3.com
rxshop5.com
seeurrelaxs.com
soft-cialis-online.com
soft-vigra-online.com
upaladins10.com
upgradeeasily8.com
urbigworld7.com
urdailysmiles.com
urdelight6.com
ureasyselecteds.com
urfreshair5.com
urgoodtastes4.com
urhughsuppliy3.com
urlifeideas2.com
urmoresmiles1.com
urrelaxseens.com
vahuitnderun.com
viagra-delivery.net
wateryoursou.com
werinkiondefunhadesun.com
wonderfulassortmen.com
xodrx.com
xrzu.com
yourrelaxings.com
(only showing 100 results)

See:
ns2.xinnetdns.com IP 210.51.170.48

http://moensted.dk/spam/?addr=210.51.170.66
http://www.spamhaus.org/query/bl?ip=210.51.170.66

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL63236
210.51.160.0/20 is listed on the Spamhaus Block List (SBL)

10-Mar-2008 21:51 GMT | SR02

flowexpo and other bulletproof hosting (escalation)
More than 170 total SBL listings in this /16

inetnum: 210.51.160.0 - 210.51.175.255
netname: CNC-BJ-IDC2
country: CN
descr: Beijing YiZhuang IDC of China Netcom
admin-c: CH140-AP
tech-c: TJ35-AP
status: ALLOCATED NON-PORTABLE
changed: cnci...@china-netcom.com
role: CNCIDC hostmaster
address: No.1,Beihuan Donglu,BDA,Beijing,China
country: CN
phone: +8610 6787 5599
fax-no: +8610 6787 8624
e-mail: cnci...@china-netcom.com
trouble: tech-...@china-netcom.com
person: Tao Jiang
nic-hdl: TJ35-AP
e-mail: bjidc-...@cnc.cn
changed: jian...@cnc.cn
changed: zha...@china-netcom.com
mntner: MAINT-CN-BJIDC
upd-to: bjidc-...@china-netcom.com

route: 210.51.0.0/16
descr: CHINA NETCOM
origin: AS9929
mnt-by: MAINT-AS9929
changed: xu...@china-netcom.com

route: 210.51.0.0/16
descr: CNC Group CncNet
country: CN
origin: AS9929
mnt-by: MAINT-CNCGROUP-RR
changed: ab...@cnc-noc.net

route: 210.51.0.0/16
descr: CNC Route Object
origin: AS9929
member-of: rs-Secondary
mnt-by: CHINANETCOM-MNT
changed: liu...@china-netcom.com
AS Name: CNCNET-CN China Netcom Corp.
http://www.cidr-report.org/cgi-bin/as-report?as=9929

14 SBL/ROKSO listings for IPs under the responsibility of cncgroup-bj
http://www.spamhaus.org/sbl/listings.lasso?isp=cncgroup-bj

Many more xinnetdns.com sightings:
http://groups.google.com/groups/search?q=xinnetdns.com+group%3A*abuse*&qt_s=Search

See:
ns2.xinnet.cn IP 210.51.170.67

http://moensted.dk/spam/?addr=210.51.170.67
http://www.spamhaus.org/query/bl?ip=210.51.170.67

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL63236

inetnum: 210.51.160.0 - 210.51.175.255
netname: CNC-BJ-IDC2
country: CN
descr: Beijing YiZhuang IDC of China Netcom
admin-c: CH140-AP
tech-c: TJ35-AP
status: ALLOCATED NON-PORTABLE
changed: cnci...@china-netcom.com

route: 210.51.0.0/16
descr: CHINA NETCOM
origin: AS9929
mnt-by: MAINT-AS9929
changed: xu...@china-netcom.com

route: 210.51.0.0/16
descr: CNC Group CncNet
country: CN
origin: AS9929
mnt-by: MAINT-CNCGROUP-RR

route: 210.51.0.0/16
descr: CNC Route Object
origin: AS9929
member-of: rs-Secondary
mnt-by: CHINANETCOM-MNT
changed: liu...@china-netcom.com
AS Name: CNCNET-CN China Netcom Corp.
http://www.cidr-report.org/cgi-bin/as-report?as=9929

Many more xinnet.cn sightings:
http://groups.google.com/groups/search?q=xinnet.cn+group%3A*abuse*&qt_s=Search

SEE:
ns0.axrpss.com IP 222.166.132.30
ns0.axrpss.com IP 222.167.203.112 => New
ns0.axrpss.com IP 62.143.161.186 => New
ns0.lutrwpghd.com = 123.202.194.61 => New
ns0.lutrwpghd.com = 60.47.214.194 => New
ns0.lutrwpghd.com IP 221.126.94.65
ns0.lutrwpghd.com IP 84.245.204.131
ns0.sjrbofa.com IP 202.126.117.43
ns0.sjrbofa.com = 59.149.165.117 => New
ns0.sjrbofa.com = 124.218.67.36 => New
ns0.vqwgds.com IP 221.127.245.4
ns0.vqwgds.com IP 79.164.123.55 => New
ns0.vqwgds.com = 123.202.90.32 => New

See IP rDNS on botnet for DNS servers:
IP 222.166.132.30 = cm222-166-132-30.hkcable.com.hk
IP 222.167.203.112 = cm222-167-203-112.hkcable.com.hk
IP 62.143.161.186 = ip-62-143-161-186.1211F-CUD12K-02.ish.de
IP 123.202.194.61 = 123202194061.ctinets.com
IP 60.47.214.194 = i60-47-214-194.s02.a006.ap.plala.or.jp
IP 221.126.94.65 no PTR at HUTCHISON / hutchcity.com / hgc.com.hk
IP 84.245.204.131 = customer-204.131.livas.lv
IP 202.126.117.43 no PTR at HAIONNET / haion.net / Korea
IP 59.149.165.117 = 059149165117.ctinets.com
IP 124.218.67.36 = 124-218-67-36.cm.dynamic.apol.com.tw
IP 221.127.245.4 no PTR at HUTCHISON / hutchcity.com / hgc.com.hk
IP 79.164.123.55 = host-79-164-123-55.qwerty.ru at cnt.ru
IP 123.202.90.32 = 123202090032.ctinets.com

More axrpss.com sightings:
http://groups.google.com/groups/search?q=axrpss.com+group%3A*abuse*&qt_s=Search

More lutrwpghd.com sightings:
http://groups.google.com/groups/search?q=lutrwpghd.com+group%3A*abuse*&qt_s=Search

More sjrbofa.com sightings:
http://groups.google.com/groups/search?q=sjrbofa.com+group%3A*abuse*&qt_s=Search

More vqwgds.com sightings:
http://groups.google.com/groups/search?q=vqwgds.com+group%3A*abuse*&qt_s=Search

Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/01b95e17d8099c02

And:
http://groups.google.com/group/news.admin.net-abuse.email/msg/6c15c2b98d46bd38

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/dec4c60efb5f131a

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/6511468da34ed4f0

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/934518fa4c4a851d

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/ad6b5d73a0f06ea9

Cheers, Tomez

--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified
unless stated otherwise by the moderators. All opinions expressed above are
considered the opinions of the original poster, not the moderators or their
respective employers. For a copy of the guidelines to this group, see:
http://www.killfile.org/~tskirvin/nana/
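The two checks the sighting above does by hand, as an added example that is not part of the original post: pulling the injecting IP (82.111.129.17) out of the Received: chain while ignoring the sender-controlled HELO string, and scoring the spamvertised domain's A-record set for the botnet-hosting pattern the post shows (many addresses scattered across unrelated networks, most with consumer-broadband rDNS or no PTR at all). The header hops and the A/PTR data are copied from the post, with the poster's [MUNGED] hops kept as placeholders; the function names, the rDNS label list and the thresholds are assumptions of this example, not something the post states.

```python
"""Added example (not from the sighting): triage helpers for a spam report.

origin_ip() walks a Received: chain to the injecting host; flux_indicators()
summarises an A-record set the way a NANAS reviewer eyeballs it. Data below
is copied from the post; ACCESS_LABELS and the thresholds are assumptions.
"""
import ipaddress
import re

# Received: lines from the spam, most recent hop first, oldest last.
RECEIVED = [
    "from tomts1-srv.bellnexxia.net ([209.226.175.113]) by bay0-pamc1-f1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); Fri, 21 Mar 2008 14:51:26 -0700",
    "from toip15.srvr.bell.ca ([67.69.240.17]) by toip28.srvr.bell.ca with ESMTP; 21 Mar 2008 17:51:21 -0400",
    "from [MUNGED] by toip15.srvr.bell.ca with ESMTP; 21 Mar 2008 17:51:13 -0400",
    "(qmail 31807 invoked by uid 110); 21 Mar 2008 17:51:19 -0400",
    "(qmail 31803 invoked from network); 21 Mar 2008 17:51:18 -0400",
    "from unknown (HELO ?82.111.129.17?) (82.111.129.17) by [MUNGED] with SMTP; 21 Mar 2008 17:51:18 -0400",
]

# A records for pleaseselect.com and their rDNS as listed in the post; "no PTR" -> None.
A_RECORDS = {
    "219.251.130.43": None, "24.38.202.179": "static-host-24-38-202-179.patmedia.net",
    "24.158.158.225": "24-158-158-225.dhcp.jcsn.tn.charter.com",
    "24.168.153.46": "cpe-24-168-153-46.nj.res.rr.com", "61.47.212.197": None,
    "65.3.134.105": "adsl-3-134-105.mia.bellsouth.net",
    "68.34.45.204": "c-68-34-45-204.hsd1.dc.comcast.net",
    "68.43.124.193": "c-68-43-124-193.hsd1.mi.comcast.net",
    "69.86.213.81": "user-12ldlah.cable.mindspring.com",
    "69.245.174.253": "c-69-245-174-253.hsd1.in.comcast.net",
    "72.234.213.226": "udp228364uds.hawaiiantel.net",
    "76.102.248.125": "c-76-102-248-125.hsd1.ca.comcast.net",
    "78.94.101.176": "ip-78-94-101-176.PH-1413G-BSR64K-03.ish.de",
    "79.164.238.130": "host-79-164-238-130.qwerty.ru",
    "98.204.185.40": "c-98-204-185-40.hsd1.md.comcast.net",
    "99.225.241.28": "cpe0016d39a6060-cm001947571312.cpe.net.cable.rogers.com",
    "118.161.179.181": "118-161-179-181.dynamic.hinet.net",
    "123.140.78.146": None, "123.140.78.159": None, "218.232.90.249": None,
}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Hostname labels that usually mark consumer broadband / dynamic pools (assumed list).
ACCESS_LABELS = {"dhcp", "dynamic", "dyn", "cpe", "cable", "adsl", "dsl", "ppp",
                 "pool", "hsd1", "res", "static", "host", "user", "ip"}


def origin_ip(received):
    """Return the first public IPv4 address a receiving host recorded for its
    peer, scanning from the oldest hop upward. Hops with no peer address
    (qmail's local '(qmail ... invoked ...)' lines, munged hops) are skipped,
    and the HELO argument is dropped first because the sender controls it;
    only the address the receiver itself logged counts."""
    for hop in reversed(received):
        if not hop.startswith("from "):
            continue
        peer_part = re.sub(r"\(HELO [^)]*\)", "", hop).split(" by ")[0]
        for cand in IPV4.findall(peer_part):
            if ipaddress.ip_address(cand).is_global:
                return cand
    return None


def _embeds_address(ip, ptr):
    """True when the PTR is auto-generated from the address itself
    (dotted, dashed or zero-padded octets, all four or the last three)."""
    o = ip.split(".")
    forms = ("-".join(o), ".".join(o), "".join(x.zfill(3) for x in o),
             "-".join(o[1:]), ".".join(o[1:]))
    return any(f in ptr.lower() for f in forms)


def flux_indicators(records):
    """Summarise an {ip: ptr_or_None} map into the counts a reviewer looks at."""
    ips = [ipaddress.ip_address(i) for i in records]
    ptrs = {ip: p for ip, p in records.items() if p}
    return {
        "a_records": len(ips),
        "distinct_slash8": len({ip.packed[0] for ip in ips}),
        "no_ptr": len(ips) - len(ptrs),
        "auto_generated_ptr": sum(_embeds_address(ip, p) for ip, p in ptrs.items()),
        "access_network_ptr": sum(
            bool(ACCESS_LABELS & set(re.split(r"[.-]", p.lower()))) for p in ptrs.values()),
    }


def likely_botnet_hosting(ind):
    """Assumed thresholds: at least a handful of addresses spread over unrelated
    /8s, and more than half of them with no PTR or an access-network PTR."""
    return (ind["a_records"] >= 5 and ind["distinct_slash8"] >= 5
            and 2 * (ind["no_ptr"] + ind["access_network_ptr"]) > ind["a_records"])


if __name__ == "__main__":
    print("injecting host:", origin_ip(RECEIVED))
    ind = flux_indicators(A_RECORDS)
    print(ind, "-> botnet hosting likely:", likely_botnet_hosting(ind))
```

On the post's data the chain resolves to 82.111.129.17, and the 20 A records land in 15 different /8s with 5 missing PTRs and 14 access-network PTRs, which is the picture of infected home machines fronting the site rather than a hosting provider; a two-host set with ordinary server names does not trip the same thresholds.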
