
[email] [drugs - Canadian Pharmacy botnet] [85.121.14.104] (letterclock.com / axrpss.com / lutrwpghd.com / sjrbofa.com / vqwgds.com / xinnetdns.com / xinnet.cn) tnihredn


TomezNet

Mar 18, 2008, 11:34:05 AM
Received From:
IP 85.121.14.104
(at bytecont.ro)

Spamvert:
www.letterclock.com => botnet
letterclock.com Resolved to 218.254.115.36 to 59.149.48.223 to
61.15.24.204 to 61.238.9.120 to 61.254.28.94 to 65.3.138.220 to
69.86.213.81 to 71.7.210.253 to 76.169.87.161 to 78.106.211.73 to
81.17.153.94 to 84.47.22.243 to 88.206.173.35 to 91.89.211.32 to
98.204.185.40 to 123.140.78.159 to 125.130.11.140 to 125.229.170.151
to 202.67.21.141 to 202.126.117.43

NEW:
ns0.axrpss.com IP 222.166.132.30
ns0.lutrwpghd.com IP 221.126.94.65
ns0.lutrwpghd.com IP 84.245.204.131
ns0.sjrbofa.com IP 202.126.117.43
ns0.vqwgds.com IP 221.127.245.4

ns.xinnetdns.com IP 210.51.170.66 => SBL63236 at cncgroup-bj
ns.xinnet.cn IP 210.51.171.209 => SBL63236 at cncgroup-bj

Title: European Pharmacy (aka Canadian Pharmacy)

WEB:
© Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved.

Many more Canadian Pharmacy sightings:
http://groups.google.com/groups/search?q=%22Canadian+Pharmacy%22+group%3A*abuse&start=0&scoring=d&

Plenty of forged certificates and logos, as always.

More info below:
==================
X-SID-PRA: BIAO Markus <BIAO-...@cesjose.com.br>
X-Message-Info: 6sSXyD95QpUxHCDxMU0ZLpmoIfjmn5posKH+ZDRgUheG4apx8Mm7ewvFqOYQsCMGS4AxPGyedDMUUCB72jwfJg=
Received: from tomts19-srv.bellnexxia.net ([209.226.175.73]) by bay0-
pamc1-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Mon, 17 Mar 2008 07:52:11 -0700
Received: from toip22.srvr.bell.ca ([67.69.240.24])
by toip29.srvr.bell.ca with ESMTP; 17 Mar 2008 10:52:05 -0400
Received: from [MUNGED]
by toip22.srvr.bell.ca with ESMTP; 17 Mar 2008 10:52:00 -0400
Received: (qmail 13679 invoked by uid 110); 17 Mar 2008 10:52:00 -0400
Delivered-To: [MUNGED]
Received: (qmail 13668 invoked from network); 17 Mar 2008 10:52:00
-0400
Received: from unknown (HELO ?85.121.14.104?) (85.121.14.104)
by [MUNGED] with SMTP; 17 Mar 2008 10:52:00 -0400
Message-ID: <000701c8883e$7445f1f0$680e7955@acasa498f9bd30>
From: "BIAO Markus" <BIAO-...@cesjose.com.br>
To: [MUNGED]
Subject: tnihredn
Date: Mon, 17 Mar 2008 16:51:59 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--------=_NextPart_000_0003_01C8884F.37C79600"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Return-Path: BIAO-...@cesjose.com.br
X-OriginalArrivalTime: 17 Mar 2008 14:52:11.0782 (UTC)
FILETIME=[7B497260:01C8883E]

----------=_NextPart_000_0003_01C8884F.37C79600
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Your girl can't keep her hands off you!
Approved meds available without recipe!
----------=_NextPart_000_0003_01C8884F.37C79600
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.3199" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT Arial size=2>Your girl can't keep her hands off you!</FONT></DIV>
<A href=3D"http://letterclock.com">Approved meds available without=20
recipe!</A></BODY></HTML>
----------=_NextPart_000_0003_01C8884F.37C79600--

-- END OF SPAM --

See also European Pharmacy sightings:
http://groups.google.com/groups/search?q=%22European+Pharmacy%22+group%3A*abuse*&qt_s=Search

Identical spam as for collectwhole.com, planerise.com, seapast.com,
moonshort.com => All Botnet

OLD Listing:
SBL61248 - ROK4932 / SBL61418, SBL61896, SBL62483

http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK4932

WEB:
Licensed by The College of Pharmacists of British Columbia.
If you have any questions or concerns you can contact the college at
200-1765 West 8th Ave. Vancouver, BC, Canada V6J 5C6
You may contact us at +1(210) 888-9089, please, keep your order I.D.
every time you make a call
© Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved.

More spammer sightings:
http://groups.google.com/groups/search?q=%22September+70%25%22+group%3A*abuse&start=0&scoring=d&

See:
IP 85.121.14.104

http://moensted.dk/spam/?addr=85.121.14.104
Listed in PSBL, see http://psbl.surriel.com/listing?ip=85.121.14.104

inetnum: 85.121.14.0 - 85.121.15.255
netname: SC-BYTECONT-SRL
descr: Str. Romancierilor 5, Sector 6, 061791, Bucharest
country: ro
person: Adrian Lesovici
address: Byte Cont SRL
address: Romancierilor 5
address: C14, C, 108
address: Bucuresti
address: Romania
e-mail: adrian....@bytecont.ro

route: 85.121.14.0/23
descr: SC Byte Cont S.R.L
origin: AS39366
mnt-by: AS12310-MNT
changed: ci...@ines.ro
AS Name: BYTECONT-AS SC Byte Cont S.R.L
http://www.cidr-report.org/cgi-bin/as-report?as=39366

Spamvert:
www.moonshort.com => botnet
www.letterclock.com => botnet

letterclock.com has no MX records

ns.xinnetdns.com IP 210.51.170.66
ns.xinnet.cn IP 210.51.171.209


See IP rDNS on botnet:
218.254.115.36 = cm218-254-115-36.hkcable.com.hk
59.149.48.223 = 059149048223.ctinets.com
61.15.24.204 = cm61-15-24-204.hkcable.com.hk
61.238.9.120 = 061238009120.ctinets.com
61.254.28.94 no PTR at HANARO / HANANET / Korea
65.3.138.220 = adsl-3-138-220.mia.bellsouth.net
69.86.213.81 = user-12ldlah.cable.mindspring.com
71.7.210.253 = blk-7-210-253.eastlink.ca
76.169.87.161 = cpe-76-169-87-161.socal.res.rr.com
78.106.211.73 = 78-106-211-73.broadband.corbina.ru
81.17.153.94 = static-81-17-153-94.izmaylovo.ru
84.47.22.243 = adsl-d243.84-47-22.t-com.sk
88.206.173.35 = 88-206-173-35.highlandnet.se
91.89.211.32 no PTR at byteaction.de / KABELBW-ASN Kabel
98.204.185.40 = c-98-204-185-40.hsd1.md.comcast.net
123.140.78.159 no PTR at BORANET / LGDACOM / Korea
125.130.11.140 no PTR at KORnet / kt.co.kr / Korea
125.229.170.151 = 125-229-170-151.dynamic.hinet.net
202.67.21.141 = opt-202-67-21-141.client.pikara.ne.jp
202.126.117.43 no PTR at HAIONNET / haion.net / Korea

Let's see whois.paycenter.com.cn:
Domain Name: letterclock.com

Registrant:
liu bin
hai kou
891000

Administrative Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 898 1234567
fax: 898 1234567
cnclinp[]21cn.com

Technical Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 1234567
fax: 1234567
cnc...@21cn.com

Billing Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 1234567
fax: 1234567
cnc...@21cn.com

Registration Date: 2008-03-05
Update Date: 2008-03-05
Expiration Date: 2009-03-05

Primary DNS: ns.xinnetdns.com 210.51.170.66
Secondary DNS: ns.xinnet.cn 210.51.171.209

See also cnc...@21cn.com sightings:
http://groups.google.com/groups/search?q=%22cnclinp%4021cn.com%22+group%3A*abuse*&qt_s=Search

SEE ALSO:
Hostnames sharing an IP with the A records:

See:
ns.xinnetdns.com IP 210.51.170.66

http://moensted.dk/spam/?addr=210.51.170.66
http://www.spamhaus.org/query/bl?ip=210.51.170.66

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL63236
210.51.160.0/20 is listed on the Spamhaus Block List (SBL)

10-Mar-2008 21:51 GMT | SR02

flowexpo and other bulletproof hosting (escalation)
More than 170 total SBL listings in this /16

inetnum: 210.51.160.0 - 210.51.175.255
netname: CNC-BJ-IDC2
country: CN
descr: Beijing YiZhuang IDC of China Netcom
admin-c: CH140-AP
tech-c: TJ35-AP
status: ALLOCATED NON-PORTABLE
changed: cnci...@china-netcom.com
role: CNCIDC hostmaster
address: No.1,Beihuan Donglu,BDA,Beijing,China
country: CN
phone: +8610 6787 5599
fax-no: +8610 6787 8624
e-mail: cnci...@china-netcom.com
trouble: tech-...@china-netcom.com
person: Tao Jiang
nic-hdl: TJ35-AP
e-mail: bjidc-...@cnc.cn
changed: jian...@cnc.cn
changed: zha...@china-netcom.com
mntner: MAINT-CN-BJIDC
upd-to: bjidc-...@china-netcom.com

route: 210.51.0.0/16
descr: CHINA NETCOM
origin: AS9929
mnt-by: MAINT-AS9929
changed: xu...@china-netcom.com

route: 210.51.0.0/16
descr: CNC Group CncNet
country: CN
origin: AS9929
mnt-by: MAINT-CNCGROUP-RR
changed: ab...@cnc-noc.net

route: 210.51.0.0/16
descr: CNC Route Object
origin: AS9929
member-of: rs-Secondary
mnt-by: CHINANETCOM-MNT
changed: liu...@china-netcom.com
AS Name: CNCNET-CN China Netcom Corp.
http://www.cidr-report.org/cgi-bin/as-report?as=9929

14 SBL/ROKSO listings for IPs under the responsibility of cncgroup-bj
http://www.spamhaus.org/sbl/listings.lasso?isp=cncgroup-bj

So many more xinnetdns.com sightings:
http://groups.google.com/groups/search?q=xinnetdns.com+group%3A*abuse*&qt_s=Search

See:
ns.xinnet.cn IP 210.51.171.209

http://moensted.dk/spam/?addr=210.51.171.209
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL63236

So many more xinnet.cn sightings:
http://groups.google.com/groups/search?q=xinnet.cn+group%3A*abuse*&qt_s=Search

See:
ns0.axrpss.com IP 222.166.132.30

ns0.axrpss.com has no MX records -> axrpss.com has no MX records

http://moensted.dk/spam/?addr=222.166.132.30

222.166.132.30 = cm222-166-132-30.hkcable.com.hk

inetnum: 222.166.0.0 - 222.166.255.255
netname: HKCABLE-HK
descr: HK Cable TV Ltd
descr: Cable Multi-Media Services
country: HK

AS Name: HKCABLE2-HK-AP HK Cable TV Ltd
http://www.cidr-report.org/cgi-bin/as-report?as=9908

Let's see whois.paycenter.com.cn:
Domain Name: AXRPSS.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: ok
Updated Date: 13-mar-2008
Creation Date: 13-mar-2008
Expiration Date: 13-mar-2009

See:
ns0.lutrwpghd.com IP 221.126.94.65

ns0.lutrwpghd.com has no MX records -> lutrwpghd.com has no MX records

inetnum: 221.124.0.0 - 221.127.255.255
netname: HGC
descr: Hutchison Global Communications
country: HK
changed: and...@hgc.com.hk

AS Name: HUTCHISON-AS-AP Hutchison Global Communications
http://www.cidr-report.org/cgi-bin/as-report?as=9304

See:
ns0.lutrwpghd.com IP 84.245.204.131

84.245.204.131 = customer-204.131.livas.lv

inetnum: 84.245.192.0 - 84.245.223.255
netname: LIVASTELECOMMUNICATION
descr: Cable Internet Home users based on DOCSIS standard.
country: LV

route: 84.245.192.0/18
descr: Livas Net SIA
origin: AS34001
mnt-by: LIVAS-MNT
changed: dja...@livas.lv
AS Name:
http://www.cidr-report.org/cgi-bin/as-report?as
Let's see whois.paycenter.com.cn:
Domain Name: LUTRWPGHD.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: ok
Updated Date: 13-mar-2008
Creation Date: 13-mar-2008
Expiration Date: 13-mar-2009

See:
ns0.sjrbofa.com IP 202.126.117.43

IPv4 Address : 202.126.117.0-202.126.117.63
Network Name : DAEWOOENGINEERING
Connect ISP Name : HAIONNET
Organization ID : ORG102436
Org Name : Daewoo-engineering
Address : Yeoksam-dong, Gangnam-gu, Seoul
E-Mail : dom...@haion.net
E-Mail : jac...@haion.net
E-Mail : sc...@haion.net
route: 202.126.112.0/21
descr: HAIONNET
origin: AS10195
mnt-by: MAINT-AS4766
changed: chs...@kornet.net

Let's see whois.paycenter.com.cn:
Domain Name: SJRBOFA.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: ok
Updated Date: 13-mar-2008
Creation Date: 13-mar-2008
Expiration Date: 13-mar-2009

See:
ns0.vqwgds.com IP 221.127.245.4

inetnum: 221.124.0.0 - 221.127.255.255
netname: HGC
descr: Hutchison Global Communications
country: HK

route: 221.124.0.0/14
descr: HutchCity
origin: AS9304
mnt-by: MAINT-AS9304
changed: ra...@hutchcity.com

Let's see whois.paycenter.com.cn:
Domain Name: VQWGDS.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: ok
Updated Date: 13-mar-2008
Creation Date: 13-mar-2008
Expiration Date: 13-mar-2009

Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/01b95e17d8099c02

And:
http://groups.google.com/group/news.admin.net-abuse.email/msg/6c15c2b98d46bd38

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/dec4c60efb5f131a

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/6511468da34ed4f0

Cheers, Tomez

--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified
unless stated otherwise by the moderators. All opinions expressed above are
considered the opinions of the original poster, not the moderators or their
respective employers. For a copy of the guidelines to this group, see:
http://www.killfile.org/~tskirvin/nana/
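The hosting pattern the report points at (one spamvertised domain resolving to twenty IPs, nearly all per-subscriber broadband hosts or addresses with no PTR, each in a different network) can be turned into a checkable heuristic. This is an added example, not code from the original post: the residential-token list, the IP-in-hostname check and the thresholds are my assumptions; the sample records are the letterclock.com rDNS list from the post.

```python
"""Fast-flux hosting heuristic over a domain's A records and their reverse DNS.
Added example, not code from the NANAS post: it scores the pattern the report
uses to call letterclock.com botnet-hosted; token list and thresholds are assumed."""
import re
from collections import Counter

# Substrings typical of consumer-broadband reverse DNS (assumed, not exhaustive).
RESIDENTIAL_TOKENS = ("cable", "adsl", "dsl", "dynamic", "cpe-", "res.rr.com",
                      "broadband", "hsd1", "dial", "pool", "ppp")

def embeds_ip(ip, ptr):
    """True when the PTR spells out the address, e.g. 059149048223.ctinets.com."""
    digits = re.sub(r"\D", "", ptr)
    octets = ip.split(".")
    forms = ("".join(octets), "".join(o.zfill(3) for o in octets), "".join(octets[1:]))
    return any(f in digits for f in forms)

def classify_rdns(ip, ptr):
    """'no_ptr', 'residential' (generic per-subscriber hostname) or 'other'."""
    if ptr is None:
        return "no_ptr"
    if embeds_ip(ip, ptr) or any(t in ptr.lower() for t in RESIDENTIAL_TOKENS):
        return "residential"
    return "other"

def flux_report(records, min_ips=5, min_prefixes=5, min_consumer_frac=0.5):
    """records: [(ip, ptr_or_None)]. Flags many IPs over many /16s, mostly access-network or PTR-less."""
    kinds = Counter(classify_rdns(ip, ptr) for ip, ptr in records)
    ips = {ip for ip, _ in records}
    prefixes = {".".join(ip.split(".")[:2]) for ip in ips}
    consumer = kinds["residential"] + kinds["no_ptr"]
    return {"ips": len(ips), "prefixes16": len(prefixes),
            "residential": kinds["residential"], "no_ptr": kinds["no_ptr"],
            "fast_flux": len(ips) >= max(min_ips, 1) and len(prefixes) >= min_prefixes
                         and consumer / len(ips) >= min_consumer_frac}

# letterclock.com A records with rDNS as listed in the report (None = no PTR).
LETTERCLOCK = [
    ("218.254.115.36", "cm218-254-115-36.hkcable.com.hk"), ("59.149.48.223", "059149048223.ctinets.com"),
    ("61.15.24.204", "cm61-15-24-204.hkcable.com.hk"), ("61.238.9.120", "061238009120.ctinets.com"),
    ("61.254.28.94", None), ("65.3.138.220", "adsl-3-138-220.mia.bellsouth.net"),
    ("69.86.213.81", "user-12ldlah.cable.mindspring.com"), ("71.7.210.253", "blk-7-210-253.eastlink.ca"),
    ("76.169.87.161", "cpe-76-169-87-161.socal.res.rr.com"), ("78.106.211.73", "78-106-211-73.broadband.corbina.ru"),
    ("81.17.153.94", "static-81-17-153-94.izmaylovo.ru"), ("84.47.22.243", "adsl-d243.84-47-22.t-com.sk"),
    ("88.206.173.35", "88-206-173-35.highlandnet.se"), ("91.89.211.32", None),
    ("98.204.185.40", "c-98-204-185-40.hsd1.md.comcast.net"), ("123.140.78.159", None),
    ("125.130.11.140", None), ("125.229.170.151", "125-229-170-151.dynamic.hinet.net"),
    ("202.67.21.141", "opt-202-67-21-141.client.pikara.ne.jp"), ("202.126.117.43", None),
]
```

Run `flux_report(LETTERCLOCK)` to see the counts behind the verdict; the same classifier applied to a nameserver's rDNS (the post's ns0.axrpss.com on hkcable) flags authoritative DNS served from a consumer line.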
