Spamvert:
www.desemidp.com IP 58.65.238.42
(SBL52081, SBL54224, SBL54249) (now at Atrivo / hostfresh.com)
Redirected to:
http://desemidp.com/rp/index.php
Counterfeit watches spam with sender identity and header forgery.
Title: Diamond Watches (a.k.a. Diamond Replicas)
More spammer sightings:
http://groups.google.com/groups/search?q=%22Diamond+Watches%22+group%3A*abuse&start=0&scoring=d&
More info below:
====================
X-SID-PRA: [MUNGED]
X-Message-Info: 6sSXyD95QpUxRuJN8TCki1bG+QKxhVdmEuW75aGQkN/tGhid/1MWz9OGavaeb15CpzKHYJxnpjCkyvF1eqZVkA==
Received: from tomts12-srv.bellnexxia.net ([209.226.175.56]) by bay0-pamc1-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
  Thu, 13 Sep 2007 10:10:26 -0700
Received: from [MUNGED]
  by toip16.srvr.bell.ca with ESMTP; 13 Sep 2007 13:10:18 -0400
Received: (qmail 19988 invoked by uid 110); 13 Sep 2007 12:53:44 -0400
Delivered-To: [MUNGED]
Received: (qmail 19970 invoked from network); 13 Sep 2007 12:53:43 -0400
Received: from bl7-127-253.dsl.telepac.pt (85.240.127.253)
  by [MUNGED] with SMTP; 13 Sep 2007 12:53:43 -0400
Return-path: <[MUNGED]>
X-Original-To: [MUNGED]
Delivered-To: [MUNGED]
Received: from [85.240.127.253] (port=5749 helo=bl7-127-253.dsl.telepac.pt)
  by [MUNGED] with ESMTP id [MUNGED]
  for <[MUNGED]>; Thu, 13 Sep 2007 17:54:06 -0000 (EET)
From: [MUNGED]
To: [MUNGED]
Subject: watchezZz
Date: Thu, 13 Sep 2007 17:54:06 -0000 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: p1654g530TDtr5Ro73EQ673x0820oy==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Message-ID: <714e01c7f62f$01c7f62f$fd7ff055@[MUNGED]>
Status:
X-OriginalArrivalTime: 13 Sep 2007 17:10:26.0196 (UTC) FILETIME=[FA4F1540:01C7F628]
Do you have a special date coming up?
Maybe a wedding, anniversary or the birthday of your 15 year-old
daughter...
These are the perfect times to give them the most unforgettable gift of
all: JEWELS and WATCHES.
Nothing says "I love you" better than a 2 thousand dollar watch, BUT
you will not pay that much.
Because there is a handmade replica place just for you, all widely-
known brands and models.
For girlfriends, boyfriends, husbands and wives.
With our promotion you can even get one for your mother-in-law!
GET THE PROMOTION YOU'VE BEEN WAITING FOR! http://www.desemidp.com
-- END OF SPAM --
SEE sender identity and header forgery by the spammer spoofing our
domain.
See:
IP 85.240.127.253 bl7-127-253.dsl.telepac.pt
http://www.moensted.dk/spam/?addr=85.240.127.253
http://spamcop.net/w3m?action=checkblock&ip=85.240.127.253
More telepac.pt sightings:
http://groups.google.com/groups/search?q=telepac.pt+group%3A*abuse&start=0&scoring=d&
inetnum: 85.240.0.0 - 85.240.127.255
netname: TELEPAC-DSL
descr: Telepac - Comunicacoes Interactivas, SA
descr: DSL Service Networks
country: PT
route: 85.240.0.0/13
descr: Telepac II - Comunicacoes Interactivas, SA
origin: AS3243
mnt-by: TELEPAC-MNT
AS Name: TELEPAC PT.Com - Comunicacoes Interactivas, S.A.
http://www.cidr-report.org/cgi-bin/as-report?as=3243
17 SBL/ROKSO listings for IPs under the responsibility of charter.com
http://www.spamhaus.org/sbl/listings.lasso?isp=charter.com
Spamvert URL:
http://www.desemidp.com/
HTTP/1.1 302 Found
Date: Thu, 13 Sep 2007 10:39:25 GMT
Server: Apache/2.2.6 (FreeBSD) DAV/2 PHP/5.2.3 with Suhosin-Patch
mod_ssl/2.2.6 OpenSSL/0.9.7e-p1
X-Powered-By: PHP/5.2.3
Location: http://desemidp.com/rp/index.php?mid=10016&fid=PoWjfKskwsLFjsFlsjfe
Content-Length: 0
Connection: close
Content-Type: text/html
Redirected to:
http://desemidp.com/rp/index.php
See:
desemidp.com IP 58.65.238.42
(Spammer OLD IPs: 210.14.128.120, 124.254.2.231, 58.83.12.6,
124.254.2.230)
ns1.finodns.com [58.83.12.6] [TTL=172800] [CN]
ns2.finodns.com [210.14.128.120] [TTL=172800] [CN]
NS records at nameservers are:
dns1.desemidp.com [no glue provided] [TTL=60]
dns2.desemidp.com [no glue provided] [TTL=60]
OLD:
ns1.modadns.com [58.83.12.6] [TTL=172800] [CN]
ns2.modadns.com [210.14.128.120, 124.254.2.231] [TTL=172800] [CN]
SOA record [TTL=2048] is:
Primary nameserver: ns1.myserver.com.
Hostmaster E-mail address: hostm...@desemidp.com
Serial #: 1189622051 (OLD 1188294464, 1186864237, 1184480567)
desemidp.com has no MX records
www.desemidp.com CNAME desemidp.com [TTL=60]
http://moensted.dk/spam/?addr=58.65.238.42
http://www.spamhaus.org/query/bl?ip=58.65.238.42
58.65.238.42 -> host42.dratiomyop.com
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL52081
58.65.232.0/21 is listed on the Spamhaus Block List (SBL)
07-Sep-2007 09:23 GMT | SR04
hostfresh.com - mass spammer hosting
Just swarming with spammers, and other cybercriminals.
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL54224
58.65.238.0/24 is listed on the Spamhaus Block List (SBL)
04-May-2007 10:15 GMT | SR02
spam sources
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL54249
58.65.238.0/23 is listed on the Spamhaus Block List (SBL)
05-May-2007 08:55 GMT | SR04
Dirty block (escalation)
Nothing but malware hosting for months. Fully criminal operation.
SEE Also:
domains sharing nameservers
inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: HK
person: Piu Lo
nic-hdl: PL466-AP
e-mail: ipa...@hostfresh.com
route: 58.65.238.0/24
descr: Atrivo
origin: AS27595
notify: em...@atrivo.com
mnt-by: MAINT-ATRIVO
changed: em...@atrivo.com
AS Name: INTERCAGE - InterCage, Inc.
http://www.cidr-report.org/cgi-bin/as-report?as=27595
6 SBL/ROKSO listings for IPs under the responsibility of hostfresh.com
http://www.spamhaus.org/sbl/listings.lasso?isp=hostfresh.com
12 SBL listings for IPs under the responsibility of Atrivo.com
http://www.spamhaus.org/sbl/listings.lasso?isp=Atrivo.com
Let's see whois:
Checking server [whois.enom.com] => who else?
Registration Service Provided By: NameCheap.com
Contact: sup...@NameCheap.com
Domain name: desemidp.com
Registrant Contact:
Technoratti Registros Civis Ltda
Marcelina Chapado (marceloguerreiro229[]yahoo.com.br)
+55.442215665
Fax: +55.442215665
R Duque de Mamona, 43
Vitoria, ES 83762
BR
Administrative Contact:
Technoratti Registros Civis Ltda
Marcelina Chapado (marcelogu...@yahoo.com.br)
+55.442215665
Fax: +55.442215665
R Duque de Mamona, 43
Vitoria, ES 83762
BR
Technical Contact:
Technoratti Registros Civis Ltda
Marcelina Chapado (marcelogu...@yahoo.com.br)
+55.442215665
Fax: +55.442215665
R Duque de Mamona, 43
Vitoria, ES 83762
BR
Status: Locked
Name Servers:
ns1.finodns.com
ns2.finodns.com
Creation date: 12 Sep 2007 08:54:26
Expiration date: 12 Sep 2008 08:54:26
See also more NameCheap.com spam support sightings:
http://groups.google.com/groups/search?q=NameCheap.com+group%3A*abuse&start=0&scoring=d&
See:
ns1.finodns.com IP 58.83.12.6
ns1.finodns.com has no MX records -> finodns.com has no MX records
http://www.moensted.dk/spam/?addr=58.83.12.6
http://www.spamhaus.org/query/bl?ip=58.83.12.6
More 58.83.12.6 sightings:
http://groups.google.com/groups/search?q=58.83.12.6+group%3A*abuse&qt_s=Search
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL51900
58.83.0.0/16 is listed on the Spamhaus Block List (SBL)
27-Apr-2007 08:03 GMT | SR02
tianjian / hylink-cn / bluesky
58.83.0.0/22 and 58.83.4.0/22 are known to be operated by spammers. It
appears the entire /16 is part of the same operation. B-class networks
registered to Hotmail addresses are not reliable.
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL53280
58.83.12.0/22 is listed on the Spamhaus Block List (SBL)
11-Jul-2007 02:28 GMT | SR02
csallnetlink-cn / BLUESKY
BLUESKY provides bulletproof spam hosting and does not reply to spam
reports or SBL listings.
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL56425
58.83.12.6/32 is listed on the Spamhaus Block List (SBL)
30-Aug-2007 02:12 GMT | SR02
bulletproof DNS and HTTP
28 SBL/ROKSO listings for IPs under the responsibility of bluesky
http://www.spamhaus.org/sbl/listings.lasso?isp=bluesky
SEE Also on the same IP:
hostnames sharing ip with a-records
domains using this as nameserver
inetnum: 58.83.12.0 - 58.83.15.255
netname: csallnetlink-cn
descr: changsha allnetlink development co.,LTD
country: CN
remarks: w...@allnetlink.com.cn
person: yongcheng wang
nic-hdl: YW811-AP
e-mail: wan...@allnetlink.com.cn
address: changsha allnetlink co., LTD
person: ada chen
nic-hdl: AC893-AP
changed: BLUESKY...@163.COM
Prefix: 58.83.12.0/22
Prefix Name: error
AS: 18118
AS Name: CITICNET AP CITIC Networks Management Co ,Ltd 6 XINYUANNANLU BEIJING
http://www.cidr-report.org/cgi-bin/as-report?as=18118
See:
ns2.finodns.com IP 210.14.128.120
http://www.moensted.dk/spam/?addr=210.14.128.120
http://www.spamhaus.org/query/bl?ip=210.14.128.120
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL56347
210.14.128.0/19 is listed on the Spamhaus Block List (SBL)
07-Jul-2007 00:04 GMT | SR02
ZBYD Technology Co.,Ltd
No response to multiple SBL listings. No response from upstream
CNCGROUP-BJ. Hosting many ROKSO and botnet spam gang's websites and
nameservers.
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL58246
210.14.128.120/32 is listed on the Spamhaus Block List (SBL)
30-Aug-2007 02:22 GMT | SR02
bulletproof spam hosting at ZBYD Technology Co.,Ltd
Same bulletproof spam hosting as:
SBL57875 202.142.21.18/32
SBL56425 58.83.12.6/32
Also see:
SBL56347 210.14.128.0/19
1 SBL listings for IPs under the responsibility of cncgroup-bj
http://www.spamhaus.org/sbl/listings.lasso?isp=cncgroup-bj
23 SBL/ROKSO listings for IPs under the responsibility of APNIC
http://www.spamhaus.org/sbl/listings.lasso?isp=APNIC
inetnum: 210.14.128.0 - 210.14.159.255
netname: ZBYD
descr: ZBYD Technology Co.,Ltd
descr: 15A build , xiyongle road ,shijingshan district ,Beijing
country: CN
person: Zheyuan Wang
nic-hdl: ZW620-AP
e-mail: wan...@zbydoffice.com.cn
person: Zhengping Wang
address: Computer Center
address: Tongji University
address: No. 1239 Siping Road
address: Shanghai(200092)
address: P.R.China
phone: +0086 21 502 5080 ext 2845
fax-no: +0086 21 502 8965
e-mail: w...@tju.ihep.ac.cn
nic-hdl: ZW2-CN
notify: address-allo...@cernic.net
changed: sz...@cernic.net
person: Lei An
nic-hdl: LA100-AP
e-mail: al...@zbydoffice.com.cn
mntner: MAINT-CN-ZBN
descr: ZBN
descr: No.499 Weilai Road,Zhengzhou, Henan
country: CN
admin-c: JZ2-CN
tech-c: LD1-CN
upd-to: liz...@vip.zzcatv.com.cn
person: Jianzhong Zhu
nic-hdl: JZ2-CN
e-mail: zhujia...@vip.zzcatv.com.cn
person: Liang Dong
nic-hdl: LD1-CN
e-mail: lian...@vip.zzcatv.com.cn
changed: ip...@cnnic.cn
changed: ip...@cnnic.net.cn
postmaster and abuse[]zbydoffice.com.cn are listed in the rfc-ignorant.org database
AS Name: BJ-GUANGHUAN-AP Beijing Guanghuan Xinwang Digital
http://www.cidr-report.org/cgi-bin/as-report?as=23844
SEE ALSO:
hostnames sharing ip indirectly via cnames
watchspammer.cornbls.com
dns1.ultrate.com
dns2.ultrate.com
hostnames sharing ip with a-records
domains using this as nameserver
Let's see whois:
Checking server [whois.enom.com] => who else?
Registration Service Provided By: NameCheap.com
Contact: sup...@NameCheap.com
Domain name: finodns.com
Registrant Contact:
Mikron Informatica Ltda
Rodolfo Jesus (falsia2007[]pop.com.br)
+55.632241143
Fax: +55.632241143
R Duque de Caxias 121
Ararauna, RJ 88362
BR
Administrative Contact:
Mikron Informatica Ltda
Rodolfo Jesus (falsi...@pop.com.br)
+55.632241143
Fax: +55.632241143
R Duque de Caxias 121
Ararauna, RJ 88362
BR
Technical Contact:
Mikron Informatica Ltda
Rodolfo Jesus (falsi...@pop.com.br)
+55.632241143
Fax: +55.632241143
R Duque de Caxias 121
Ararauna, RJ 88362
BR
Status: Locked
Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com
Creation date: 10 Aug 2007 21:29:58
Expiration date: 10 Aug 2008 21:29:58
More finodns.com sightings:
http://groups.google.com/groups/search?q=finodns.com+group%3A*abuse&start=0&scoring=d&
See also more eNom spam support sightings:
http://groups.google.com/groups/search?q=eNom+group%3A*abuse&start=0&scoring=d&
Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/5a8790add0f1e2ba
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/667d6d9fa0ca0234
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/ea6d4422abca1055
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/0b9c3480406297e7
Cheers, Tomez
--
All postings to news.admin.net-abuse.sightings are unconfirmed and
unverified unless stated otherwise by the moderators. All opinions
expressed above are considered the opinions of the original poster,
not the moderators or their respective employers.
For a copy of the guidelines to this group, see: