
[email] [counterfeit] [58.17.3.48] (potechno.com / modadns.com) Look who's the new American Idol


TomezNet

Jul 22, 2007, 6:31:20 AM
Received From:
IP 58.17.3.48
(at china-netcom.com)

qbh.potechno.com Resolved to potechno.com to IP 124.254.2.230
(SBL48585 / SBL56318) (at THBA / gwbn.net.cn)

Spamvert URL
http://qbh.potechno.com/

Redirected to:
http://potechno.com/rp/index.php

Counterfeit watches spam.
Title: Diamond Watches (a.k.a Diamond Replicas)

More spammer sightings:
http://groups.google.com/groups/search?q=%22Diamond+Watches%22+group%3A*abuse&start=0&scoring=d&

More info below:
====================

X-SID-PRA: Stacy <iodl...@oxon.blackwellpublishing.com>
X-Message-Info: txF49lGdW415WB1jd+lIkr5cSaw8Ig9KFx84ZlX
+0etcQ09mXrGgTCW/rPh7bkaS
Received: from tomts39-srv.bellnexxia.net ([209.226.175.96]) by bay0-
pamc1-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Sat, 21 Jul 2007 12:35:19 -0700
Received: from [MUNGED]
by toip19.srvr.bell.ca with ESMTP; 21 Jul 2007 15:35:13 -0400
Received: (qmail 5497 invoked by uid 110); 21 Jul 2007 15:35:12 -0400
Delivered-To: [MUNGED]
Received: (qmail 5214 invoked from network); 21 Jul 2007 15:35:11
-0400
Received: from unknown (HELO oxon.blackwellpublishing.com)
(58.17.3.48)
by [MUNGED] with SMTP; 21 Jul 2007 15:35:11 -0400
Received: by 10.70.58.16 with SMTP id 81cs65FoG68D3Z;
Sat, 21 Jul 2007 12:26:21 -0800
Received: by 10.70.11.4 with SMTP id Np9uK5RLg4ZHr.8783124667103;
Sat, 21 Jul 2007 13:15:08 -0800
Return-Path: <[MUNGED]>
Received: from [MUNGED] ([MUNGED] [224.242.61.88])
by [MUNGED] with SMTP id pHU488MEMTozvJwCqkE8XP3mr3RvhDW6;
Sat, 21 Jul 2007 13:17:52 -0800
Received-SPF: neutral (oxon.blackwellpublishing.com: 98.143.42.223 is
neither permitted nor denied by best guess record for domain of
[MUNGED])
DomainKey-Status: good (test mode)
Received: (qmail 731 invoked from network); Sat, 21 Jul 2007 12:45:00
-0800
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=oxon.blackwellpublishing.com;
h=Received:X-YMail-OSG:Message-ID:Reply-
To:From:To:References:Subject:Date:MIME-Version:Content-Type:X-
Priority:X-MSMail-Priority:X-Mailer:X-MimeOLE;

b=9l56MmdM3wJ5NVtaLP23IQwKS5l6R27a924jTLp2Z9C7wUr97G6GT85f7I9FI0mx7D9AmBx8jnJY0qb51EojOh15VJYk5aBtgGq055F9LopSc925F9Y65XVc4yNGY9b51iGU2M5RJJ0184LbB2SOso4Loi4rc9KQu1zq1l6j4= ;
Received: from unknown (HELO CCRNFqq1ioDpT) (nfuw...@155.27.98.109
with login)
by [MUNGED] with SMTP; Sat, 21 Jul 2007 12:28:05 -0800
X-YMail-OSG:
8244jEQJCS5e22y0yZ6GyBt4CXYZeVTE9g885zs1.IVq2YrJvC2t9V6ppZ4lihjFJDFgGW3N16khGtHtj7BmbAn5Ycl9bT3cK0.c3hO4v02fDpcb5YROMjQPl8xO36g4L46y--
Message-ID: <05e001c7cbce$3f812c00$189cfa95@mmqk>
Reply-To: "Stacy" <iodl...@oxon.blackwellpublishing.com>
From: "Stacy" <iodl...@oxon.blackwellpublishing.com>
To: <[MUNGED]>
References: <aP87OySB7D9sCY3VGJ7riZmYJ9oz4Rw1@com>
<7sM81WwfyaaYKz9f6R9EW2VZEQxi3REkKuEe7sChVaQbwR@5Bf6r1u6Dq05>
<OKycCfaqpag3bfE4rlnQ148p3AP76MG6he7@o3n6IW>
Subject: Look who's the new American Idol
Date: Sat, 21 Jul 2007 13:01:14 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_05DD_01C7CB93.93225400"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3028
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
X-OriginalArrivalTime: 21 Jul 2007 19:35:19.0349 (UTC)
FILETIME=[45867650:01C7CBCE]

This is a multi-part message in MIME format.

------=_NextPart_000_05DD_01C7CB93.93225400
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Is buttrick siliceous the hold
siliceous discussion or deniable gluey?

The gimpy debug not classic
but discuss timber bruegel and eyeful arab.
Sometimes johannesburg is siliceous but combustion, katharine homemake
softball blur fraser katharine region thymus!

How juvenile? medicinal! crypt
cloister aztec sepulchral!

Is rica nash the detriment
dictum gilligan or procter dictum?

The rica fanny not dictum
but cloister detriment gaffe and barrymore canto.
Sometimes augustus is generate but arab, sepulchral enzyme
gluey hold fink cameo secret generate!

How ganglion? alton! winchester
runabout procter cameo!

------=_NextPart_000_05DD_01C7CB93.93225400
Content-Type: text/html;;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 12 (filtered
medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Texto de bal\00E3o Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EstiloDeEmail17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.TextodebaloChar
{mso-style-name:"Texto de bal\00E3o Char";
mso-style-priority:99;
mso-style-link:"Texto de bal\00E3o";
font-family:"Tahoma","sans-serif";}
MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"2050" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>

<body lang=3DPT-BR link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal><a href=3D"http://qbh.potechno.com "><IMG
alt=3D"" =
hspace=3D0 src=3D"cid:M5KbIkhnk5ZDcJO97751tGXBlswsxX" align=3Dbaseline
=
border=3D0></a><o:p></o:p></p>

<p class=3DMsoNormal><span lang=3DEN-US>Is buttrick siliceous the hold
siliceous discussion or deniable gluey?<o:p></o:p></span></p>

<p class=3DMsoNormal><span lang=3DEN-US>The gimpy debug not classic
but discuss timber bruegel and eyeful arab.
Sometimes johannesburg is siliceous but combustion, katharine homemake
softball blur fraser katharine region thymus!<o:p></o:p></span></p>

<p class=3DMsoNormal><span lang=3DEN-US>How juvenile? medicinal! crypt
cloister aztec sepulchral!<o:p></o:p></span></p>

<p class=3DMsoNormal><span lang=3DEN-US>Is rica nash the detriment
dictum gilligan or procter dictum?<o:p></o:p></span></p>

<p class=3DMsoNormal><span lang=3DEN-US>The rica fanny not dictum
but cloister detriment gaffe and barrymore canto.
Sometimes augustus is generate but arab, sepulchral enzyme
gluey hold fink cameo secret generate!<o:p></o:p></span></p>

<p class=3DMsoNormal><span lang=3DEN-US>How ganglion? alton!
winchester
runabout procter cameo!<o:p></o:p></span></p>

<p class=3DMsoNormal><span lang=3DEN-US><o:p> </o:p></span></p>
</div>
</body>
</html>

------=_NextPart_000_05DD_01C7CB93.93225400
Content-Type: image/gif;
Content-Transfer-Encoding: base64
Content-ID: <M5KbIkhnk5ZDcJO97751tGXBlswsxX>

------=_NextPart_000_05DD_01C7CB93.93225400--

-- END OF SPAM --

SEE sender identity and headers forgery by spammer spoofing our
domain.

See:
IP 58.17.3.48

http://www.moensted.dk/spam/?addr=58.17.3.48
http://www.spamhaus.org/query/bl?ip=58.17.3.48
http://www.spamhaus.org/pbl/query/PBL010289
Spam source - http://wpbl.info/record?ip=58.17.3.48
http://spamcop.net/w3m?action=checkblock&ip=58.17.3.48

inetnum: 58.17.3.48 - 58.17.3.63
netname: JIANGLONG-CAFE
country: CN
descr: Jianglong Internet Cafe of Wenjiao Road
admin-c: CH444-AP
tech-c: CH444-AP
status: ASSIGNED NON-PORTABLE
mntner: MAINT-CNCGROUP-JX
upd-to: wuh...@china-netcom.com
changed: wuji...@china-netcom.com

route: 58.17.0.0/17
descr: China Netcom Corporation
origin: AS9929
mnt-by: MAINT-AS9929
changed: liu...@china-netcom.com
Prefix: 58.17.0.0/17
Prefix Name: China Netcom Corporation CNC Group CHINA169 Jiangxi
Province Network CNCGroup JiangXi province network
AS: 4837
AS Name: China Network Communications Group China Network
Communications (CNC Group)
http://www.cidr-report.org/cgi-bin/as-report?as=4837

13 SBL/ROKSO listings for IPs under the responsibility of china-netcom.com
http://www.spamhaus.org/sbl/listings.lasso?isp=china-netcom.com

3 SBL/ROKSO listings for IPs under the responsibility of CNCGROUP-JX
http://www.spamhaus.org/sbl/listings.lasso?isp=CNCGROUP-JX

SEE Spamvert URL
http://qbh.potechno.com/

Redirected to:
http://potechno.com/rp/index.php

HTTP/1.1 302 Found
Date: Sat, 21 Jul 2007 20:25:00 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2
PHP/5.2.3 with Suhosin-Patch
X-Powered-By: PHP/5.2.3
Location: http://potechno.com/rp/index.php?mid=10002&fid=hGfWs4dGvdWs
Content-Length: 0
Connection: close
Content-Type: text/html

See:
potechno.com IP 124.254.2.230
ns1.modadns.com [58.83.12.6] [TTL=172800] [CN]
ns2.modadns.com [124.254.2.230] [TTL=172800] [CN]

dns1.potechno.com [no glue provided] [TTL=60]
dns2.potechno.com [no glue provided] [TTL=60]

SOA record [TTL=2048] is:
Primary nameserver: ns1.myserver.com
Hostmaster E-mail address: hostm...@potechno.com
Serial #: 1184942353

qbh.potechno.com has no MX records -> potechno.com has no MX records

http://www.moensted.dk/spam/?addr=124.254.2.230
http://www.spamhaus.org/query/bl?ip=124.254.2.230

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL48585
124.254.0.0/18 is listed on the Spamhaus Block List (SBL)

21-Jul-2007 01:36 GMT | SR02

THBA, gwbn.net.cn

Spam haven, bulletproof hosting for spammers.

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL56318
124.254.2.230/32 is listed on the Spamhaus Block List (SBL)

06-Jul-2007 06:55 GMT | SR02

stflu.com etc.

32 SBL/ROKSO listings for IPs under the responsibility of gwbn.net.cn
http://www.spamhaus.org/sbl/listings.lasso?isp=gwbn.net.cn

a 124.254.2.230 (CN) undefined.bjgwbn.net.cn

inetnum: 124.254.0.0 - 124.254.63.255
netname: THBA
descr: Beijing THBA Technology Co,.Ltd.
descr: No68 WanQuanHe road ,Haidian district ,Beijing
country: CN
person: Song Wang
nic-hdl: SW623-AP
e-mail: luy...@163.com
person: Shilie Weng
address: 1954 Huashan Rd.
address: Shanghai Jiaotong University
address: Shanghai, 200030, CN
phone: +86-21-4310310 ext 2236
e-mail: slw...@sjtu.edu.cn
nic-hdl: SW1-CN
notify: dm...@apnic.net
changed: hostm...@apnic.net
mntner: MAINT-CN-THBA
descr: Beijing THBA Technology Co,.Ltd.
descr: No68 WanQuanHe road ,Haidian district ,Beijing
upd-to: bkson...@msn.com

IP: 124.254.2.230
Reverse: undefined.bjgwbn.net.cn

Aliases:
trarich.com
takewflu.com
behflu.com
ephflu.com
potechno.com
aftflu.com
picrich.com
entrflu.com
disrich.com
stflu.com

Prefix: 124.254.0.0/18
Prefix Name: error
AS: 4847
AS Name: CHINANET BJ METRO BeijingTelecom
http://www.cidr-report.org/cgi-bin/as-report?as=4847

Let's see whois.enom.com:
Registration Service Provided By: NameCheap.com
Contact: sup...@NameCheap.com

Domain name: potechno.com

Registrant Contact:
Mikron Informatica Ltda
Rodolfo Jesus (falsia2007[]pop.com.br)
+55.632241143
Fax: +55.632241143
R Duque de Caxias 121
Ararauna, RJ 88362
BR

Administrative Contact:
Mikron Informatica Ltda
Rodolfo Jesus (falsi...@pop.com.br)
+55.632241143
Fax: +55.632241143
R Duque de Caxias 121
Ararauna, RJ 88362
BR

Technical Contact:
Mikron Informatica Ltda
Rodolfo Jesus (falsi...@pop.com.br)
+55.632241143
Fax: +55.632241143
R Duque de Caxias 121
Ararauna, RJ 88362
BR

Status: Locked

Name Servers:
ns1.modadns.com
ns2.modadns.com

Creation date: 19 Jul 2007 23:03:37
Expiration date: 19 Jul 2008 23:03:37

See:
ns1.modadns.com IP 58.83.12.6

ns1.modadns.com has no MX records -> modadns.com has no MX records

http://www.moensted.dk/spam/?addr=58.83.12.6
http://www.spamhaus.org/query/bl?ip=58.83.12.6

More 58.83.12.6 sightings:
http://groups.google.com/groups/search?q=58.83.12.6+group%3A*abuse&qt_s=Search

58.83.12.6 is listed in the SBL, in the following records:
* SBL51900
* SBL53280
* SBL56425

inetnum: 58.83.12.0 - 58.83.15.255
netname: csallnetlink-cn
descr: changsha allnetlink development co.,LTD
country: CN
remarks: w...@allnetlink.com.cn
person: yongcheng wang
nic-hdl: YW811-AP
e-mail: wan...@allnetlink.com.cn
address: changsha allnetlink co., LTD
person: ada chen
nic-hdl: AC893-AP
changed: BLUESKY...@163.COM

Aliases:
leoemch.com
entrflu.com
ns1.leoemch.com
ns1.modadns.com
flshey.com
ns2.leoemch.com

Prefix: 58.83.12.0/22
Prefix Name: error
AS: 18118
AS Name: CITICNET AP CITIC Networks Management Co ,Ltd 6 XINYUANNANLU
BEIJING
http://www.cidr-report.org/cgi-bin/as-report?as=18118

24 SBL listings for IPs under the responsibility of BLUESKY
http://www.spamhaus.org/sbl/listings.lasso?isp=BLUESKY

More modadns.com sightings:
http://groups.google.com/groups/search?q=modadns.com+group%3A*abuse&qt_s=Search

Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/356e07a43227bfe6

Cheers, Tomez

--
All postings to news.admin.net-abuse.sightings are unconfirmed and
unverified unless stated otherwise by the moderators. All opinions
expressed above are considered the opinions of the original poster,
not the moderators or their respective employers.

For a copy of the guidelines to this group, see:

http://www.killfile.org/~tskirvin/nana/
