
[email] [drugs - Canadian Pharmacy botnet] [87.224.144.156] (liftplural.com / axrpss.com / lutrwpghd.com / sjrbofa.com / vqwgds.com / xinnetdns.com / xinnet.cn) enegraf


TomezNet

Mar 19, 2008, 12:33:29 PM
Received From:
IP 87.224.144.156 156.144-224-87.telenet.ru
(at KABINET)

Spamvert:
www.liftplural.com => botnet
liftplural.com Resolved to 222.100.5.23 to 24.38.202.179 to
58.120.141.224 to 61.64.12.176 to 68.34.45.204 to 71.7.210.253 to
84.47.19.216 to 88.206.173.72 to 91.89.22.206 to 91.89.156.151 to
99.232.153.152 to 99.246.199.118 to 118.171.54.124 to 123.98.165.113
to 123.140.78.146 to 158.195.168.218 to 202.126.117.43 to
218.253.213.197 to 218.254.115.36 to 220.149.65.194

NEW:
ns0.axrpss.com IP 222.166.132.30
ns0.lutrwpghd.com = 123.202.194.61 => New
ns0.lutrwpghd.com IP 221.126.94.65
ns0.lutrwpghd.com IP 84.245.204.131
ns0.sjrbofa.com IP 202.126.117.43
ns0.vqwgds.com IP 221.127.245.4
ns0.vqwgds.com IP 79.164.123.55 => New

ns.xinnetdns.com IP 210.51.170.66 => SBL63236 at cncgroup-bj
ns.xinnet.cn IP 210.51.171.209 => SBL63236 at cncgroup-bj

Title: European Pharmacy (aka Canadian Pharmacy)

WEB:
© Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved.

Much More Canadian Pharmacy sightings:
http://groups.google.com/groups/search?q=%22Canadian+Pharmacy%22+group%3A*abuse&start=0&scoring=d&

Plenty of Forged Certificates and logos as always.

More info below:
==================
X-SID-PRA: tini Olney <_en...@frischkost.de>
X-Message-Info: 6sSXyD95QpVyvkWxNhXHSRRS9c9RHwbQJzpbU8XFTa2xjy/5yJInNBES9OjIYpG+6F5CMmcY2t//sBRmLevLCA=
Received: from tomts2-srv.bellnexxia.net ([209.226.175.114]) by bay0-pamc1-f1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Tue, 18 Mar 2008 15:31:42 -0700
Received: from toip20.srvr.bell.ca ([67.69.240.22])
by toip50.srvr.bell.ca with ESMTP; 18 Mar 2008 18:31:37 -0400
Received: from [MUNGED]
by toip20.srvr.bell.ca with ESMTP; 18 Mar 2008 18:31:36 -0400
Received: (qmail 32118 invoked by uid 110); 18 Mar 2008 18:31:36 -0400
Delivered-To: [MUNGED]
Received: (qmail 32107 invoked from network); 18 Mar 2008 18:31:35 -0400
Received: from 156.144-224-87.telenet.ru (87.224.144.156)
by [MUNGED] with SMTP; 18 Mar 2008 18:31:35 -0400
Message-ID: <000f01c88947$d1e1d220$509dc152@mediapilot>
From: "tini Olney" <_en...@frischkost.de>
To: [MUNGED]
Subject: enegraf
Date: Wed, 19 Mar 2008 03:31:33 +0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--------=_NextPart_000_000B_01C88971.BAB7DA20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Return-Path: _en...@frischkost.de
X-OriginalArrivalTime: 18 Mar 2008 22:31:43.0024 (UTC)
FILETIME=[D770DB00:01C88947]

----------=_NextPart_000_000B_01C88971.BAB7DA20
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

An amazing growth of your stick!
Your incredible new huge love-stick!
----------=_NextPart_000_000B_01C88971.BAB7DA20
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.3199" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT Arial size=3D2>An amazing growth of your stick!</FONT></DIV>
<A href=3D"http://liftplural.com">Your incredible new huge=20
love-stick!</A></BODY></HTML>
----------=_NextPart_000_000B_01C88971.BAB7DA20--

-- END OF SPAM --

See also European Pharmacy sightings:
http://groups.google.com/groups/search?q=%22European+Pharmacy%22+group%3A*abuse*&qt_s=Search

Identical spam as for collectwhole.com, planerise.com, seapast.com,
moonshort.com, letterclock, samegentle.com => All Botnet

OLD Listing:
SBL61248 - ROK4932 / SBL61418, SBL61896, SBL62483

http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK4932

WEB:
Licensed by The College of Pharmacists of British Columbia.
If you have any questions or concerns you can contact the college at
200-1765 West 8th Ave. Vancouver, BC, Canada V6J 5C6
You may contact us at +1(210) 888-9089, please, keep your order I.D.
every time you make a call
© Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved.

More spammer sightings:
http://groups.google.com/groups/search?q=%22September+70%25%22+group%3A*abuse&start=0&scoring=d&

See:
IP 87.224.144.156 156.144-224-87.telenet.ru

http://moensted.dk/spam/?addr=87.224.144.156
Listed in PSBL, see http://psbl.surriel.com/listing?ip=87.224.144.156

inetnum: 87.224.144.0 - 87.224.144.255
netname: KABINET
descr: Teleset-Servis Ltd.
descr: Russian Federation, Ekaterinburg
country: RU
person: Ilya Lebedev
address: Teleset-Service Ltd.
address: 13, 8 Marta st.,
address: Yekaterinburg
address: Russia
phone: +7 343 3776193
fax-no: +7 343 3776659
e-mail: i.le...@telenet.ru
person: Alex Tsarkov
address: Teleset-Servis Ltd.
address: 13-111 Antona Valeka str., Ekaterinburg, Russia
e-mail: t...@telenet.ru
person: Andrew Alcheyev
address: Teleset-Servis Ltd.
address: 13-111 Antona Valeka str.
address: Ekaterinburg, Russia
e-mail: bu...@telenet.ru

route: 87.224.128.0/17
descr: KABINET internet workspace
origin: AS35154
mnt-by: TELENET1-MNT
changed: bu...@telenet.ru
AS Name: TELENET-AS Autonomous System of Teleset-Servis Ltd.
http://www.cidr-report.org/cgi-bin/as-report?as=35154

Spamvert:
www.liftplural.com => botnet
liftplural.com Resolved to 222.100.5.23 to 24.38.202.179 to
58.120.141.224 to 61.64.12.176 to 68.34.45.204 to 71.7.210.253 to
84.47.19.216 to 88.206.173.72 to 91.89.22.206 to 91.89.156.151 to
99.232.153.152 to 99.246.199.118 to 118.171.54.124 to 123.98.165.113
to 123.140.78.146 to 158.195.168.218 to 202.126.117.43 to
218.253.213.197 to 218.254.115.36 to 220.149.65.194

liftplural.com has no MX records

ns.xinnetdns.com IP 210.51.170.66
ns.xinnet.cn IP 210.51.171.209

AND:
ns0.axrpss.com IP 222.166.132.30
ns0.lutrwpghd.com = 123.202.194.61 => New
ns0.lutrwpghd.com IP 221.126.94.65
ns0.lutrwpghd.com IP 84.245.204.131
ns0.sjrbofa.com IP 202.126.117.43
ns0.vqwgds.com IP 221.127.245.4
ns0.vqwgds.com IP 79.164.123.55 => New

See IP rDNS on botnet:
222.100.5.23 no PTR at KORnet / kt.co.kr / Korea
24.38.202.179 = static-host-24-38-202-179.patmedia.net
58.120.141.224 no PTR at HANANET / hanaro.com / Korea
61.64.12.176 no PTR at phoenix.net.tw / QTCN-ASN1 GCNet (Reach & Range Inc.)
68.34.45.204 = c-68-34-45-204.hsd1.dc.comcast.net
71.7.210.253 = blk-7-210-253.eastlink.ca
84.47.19.216 = adsl-d216.84-47-19.t-com.sk
88.206.173.72 = 88-206-173-72.highlandnet.se
91.89.22.206 = hsi-kbw-091-089-022-206.hsi2.kabelbw.de
91.89.156.151 no PTR at kabelbw.de / KabelBW / byteaction.de
99.232.153.152 = cpe0013d3e9ffdc-cm000a73a86479.cpe.net.cable.rogers.com
99.246.199.118 = cpe000039358968-cm000039358868.cpe.net.cable.rogers.com
118.171.54.124 = 118-171-54-124.dynamic.hinet.net
123.98.165.113 no PTR KNCTV / gsgbi.co.kr / epnetworks.co.kr / Korea
123.140.78.146 no PTR bora.net / LGDACOM / Korea
158.195.168.218 no PTR / SANET Slovak / COMUNI-NET
202.126.117.43 no PTR HAIONNET / kornet.net / Korea
218.253.213.197 = cm218-253-213-197.hkcable.com.hk
218.254.115.36 = cm218-254-115-36.hkcable.com.hk
220.149.65.194 no PTR at Hoseo Univ / KREN-HSUNI / Korea

Let's see whois.paycenter.com.cn:
Domain Name: liftplural.com

Registrant:
liu bin
hai kou
891000

Administrative Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 898 1234567
fax: 898 1234567
cnclinp[]21cn.com

Technical Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 1234567
fax: 1234567
cnc...@21cn.com

Billing Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 1234567
fax: 1234567
cnc...@21cn.com

Registration Date: 2008-03-05
Update Date: 2008-03-05
Expiration Date: 2009-03-05

Primary DNS: ns.xinnetdns.com 210.51.170.66
Secondary DNS: ns.xinnet.cn 210.51.171.209

See also cnc...@21cn.com sightings:
http://groups.google.com/groups/search?q=%22cnclinp%4021cn.com%22+group%3A*abuse*&qt_s=Search

SEE ALSO:
hostnames sharing ip with a-records
*.byoperate.com
*.speeddegree.com
1495081946.ip2long.net
88-134-7-70-dynip.superkabel.de
aacsrwalty.com
aangakikam.com
az.byoperate.com
berho.com
bestmonbuy.com
byoperate.com
childthree.com
cm203-168-173-176.hkcable.com.hk
earcandlesonline.com
eggready.com
energyfromwate.com
fixyourmusic.com
genericcialisbest.com
goodtimescasino.com
greatmonrxshop.com
highqualitypharm.com
juiceandfruit.com
keyassortmen.com
letterclock.com
meds-all.com
meds-ca.com
meds-world.com
meds34.com
monrxbuy.com
monrxshopdirect.com
monrxshopworld.com
mudesire.com
muhope.com
murxshope.com
nefka.com
ns1.snowdrink.com
overheart.com
perfectionandassortmen.com
perfectmixtur.com
pill-us.com
quickfixcoffee.com
rxnicse.com
rxsblog.com
rxsweb.com
seaoffear.com
soundgave.com
speeddegree.com
subtracthat.com
theportalshop.com
vxxfg.speeddegree.com
wateryoursou.com
willwoman.com
www.thankperiod.com

See:
ns.xinnetdns.com IP 210.51.170.66

http://moensted.dk/spam/?addr=210.51.170.66
http://www.spamhaus.org/query/bl?ip=210.51.170.66

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL63236
210.51.160.0/20 is listed on the Spamhaus Block List (SBL)

10-Mar-2008 21:51 GMT | SR02

flowexpo and other bulletproof hosting (escalation)
More than 170 total SBL listings in this /16

inetnum: 210.51.160.0 - 210.51.175.255
netname: CNC-BJ-IDC2
country: CN
descr: Beijing YiZhuang IDC of China Netcom
admin-c: CH140-AP
tech-c: TJ35-AP
status: ALLOCATED NON-PORTABLE
changed: cnci...@china-netcom.com
role: CNCIDC hostmaster
address: No.1,Beihuan Donglu,BDA,Beijing,China
country: CN
phone: +8610 6787 5599
fax-no: +8610 6787 8624
e-mail: cnci...@china-netcom.com
trouble: tech-...@china-netcom.com
person: Tao Jiang
nic-hdl: TJ35-AP
e-mail: bjidc-...@cnc.cn
changed: jian...@cnc.cn
changed: zha...@china-netcom.com
mntner: MAINT-CN-BJIDC
upd-to: bjidc-...@china-netcom.com

route: 210.51.0.0/16
descr: CHINA NETCOM
origin: AS9929
mnt-by: MAINT-AS9929
changed: xu...@china-netcom.com

route: 210.51.0.0/16
descr: CNC Group CncNet
country: CN
origin: AS9929
mnt-by: MAINT-CNCGROUP-RR
changed: ab...@cnc-noc.net

route: 210.51.0.0/16
descr: CNC Route Object
origin: AS9929
member-of: rs-Secondary
mnt-by: CHINANETCOM-MNT
changed: liu...@china-netcom.com
AS Name: CNCNET-CN China Netcom Corp.
http://www.cidr-report.org/cgi-bin/as-report?as=9929

14 SBL/ROKSO listings for IPs under the responsibility of cncgroup-bj
http://www.spamhaus.org/sbl/listings.lasso?isp=cncgroup-bj

So Much More xinnetdns.com sightings:
http://groups.google.com/groups/search?q=xinnetdns.com+group%3A*abuse*&qt_s=Search

See:
ns.xinnet.cn IP 210.51.171.209

http://moensted.dk/spam/?addr=210.51.171.209
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL63236

So Much More xinnet.cn sightings:
http://groups.google.com/groups/search?q=xinnet.cn+group%3A*abuse*&qt_s=Search

See:
ns0.axrpss.com IP 222.166.132.30

ns0.axrpss.com has no MX records -> axrpss.com has no MX records

http://moensted.dk/spam/?addr=222.166.132.30

222.166.132.30 = cm222-166-132-30.hkcable.com.hk

inetnum: 222.166.0.0 - 222.166.255.255
netname: HKCABLE-HK
descr: HK Cable TV Ltd
descr: Cable Multi-Media Services
country: HK

AS Name: HKCABLE2-HK-AP HK Cable TV Ltd
http://www.cidr-report.org/cgi-bin/as-report?as=9908

Let's see whois.paycenter.com.cn:
Domain Name: AXRPSS.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: ok
Updated Date: 13-mar-2008
Creation Date: 13-mar-2008
Expiration Date: 13-mar-2009

See:
ns0.lutrwpghd.com IP 221.126.94.65

ns0.lutrwpghd.com has no MX records -> lutrwpghd.com has no MX records

inetnum: 221.124.0.0 - 221.127.255.255
netname: HGC
descr: Hutchison Global Communications
country: HK
changed: and...@hgc.com.hk

AS Name: HUTCHISON-AS-AP Hutchison Global Communications
http://www.cidr-report.org/cgi-bin/as-report?as=9304

See:
ns0.lutrwpghd.com IP 84.245.204.131

84.245.204.131 = customer-204.131.livas.lv

inetnum: 84.245.192.0 - 84.245.223.255
netname: LIVASTELECOMMUNICATION
descr: Cable Internet Home users based on DOCSIS standard.
country: LV

route: 84.245.192.0/18
descr: Livas Net SIA
origin: AS34001
mnt-by: LIVAS-MNT
changed: dja...@livas.lv
AS Name:
http://www.cidr-report.org/cgi-bin/as-report?as

Let's see whois.paycenter.com.cn:
Domain Name: LUTRWPGHD.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: ok
Updated Date: 13-mar-2008
Creation Date: 13-mar-2008
Expiration Date: 13-mar-2009

See:
ns0.sjrbofa.com IP 202.126.117.43

IPv4 Address : 202.126.117.0-202.126.117.63
Network Name : DAEWOOENGINEERING
Connect ISP Name : HAIONNET
Organization ID : ORG102436
Org Name : Daewoo-engineering
Address : Yeoksam-dong, Gangnam-gu, Seoul
E-Mail : dom...@haion.net
E-Mail : jac...@haion.net
E-Mail : sc...@haion.net
route: 202.126.112.0/21
descr: HAIONNET
origin: AS10195
mnt-by: MAINT-AS4766
changed: chs...@kornet.net

Let's see whois.paycenter.com.cn:
Domain Name: SJRBOFA.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: ok
Updated Date: 13-mar-2008
Creation Date: 13-mar-2008
Expiration Date: 13-mar-2009

See:
ns0.vqwgds.com IP 221.127.245.4

inetnum: 221.124.0.0 - 221.127.255.255
netname: HGC
descr: Hutchison Global Communications
country: HK

route: 221.124.0.0/14
descr: HutchCity
origin: AS9304
mnt-by: MAINT-AS9304
changed: ra...@hutchcity.com

Let's see whois.paycenter.com.cn:
Domain Name: VQWGDS.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: ok
Updated Date: 13-mar-2008
Creation Date: 13-mar-2008
Expiration Date: 13-mar-2009

Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/01b95e17d8099c02

And:
http://groups.google.com/group/news.admin.net-abuse.email/msg/6c15c2b98d46bd38

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/dec4c60efb5f131a

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/6511468da34ed4f0

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/934518fa4c4a851d

Cheers, Tomez

--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified
unless stated otherwise by the moderators. All opinions expressed above are
considered the opinions of the original poster, not the moderators or their
respective employers. For a copy of the guidelines to this group, see:
http://www.killfile.org/~tskirvin/nana/
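The sighting's core evidence that liftplural.com is botnet-hosted is the A-record spread: 20 addresses across unrelated consumer ISPs, most with no PTR or with a cable/DSL-style rDNS name. The script below is an added example, not part of the original post or of any tool the poster used; it takes the A records and rDNS results exactly as the post reports them (embedded here as constructed test data), buckets each PTR name, and scores the hosting pattern. The residential label list, the "address spelled out in the PTR" rule and the decision thresholds are assumptions chosen for illustration, and the function names are hypothetical.

```python
"""Botnet/fast-flux hosting indicators for a spamvertised domain.

Added example (not from the original sighting). Scores how much a domain's
A records look like compromised consumer machines rather than a hosting
provider. Heuristics and thresholds are assumptions for illustration.
"""
import ipaddress
import re
from collections import Counter

# Constructed from the sighting: the 20 A records reported for liftplural.com.
LIFTPLURAL_A_RECORDS = [
    "222.100.5.23", "24.38.202.179", "58.120.141.224", "61.64.12.176",
    "68.34.45.204", "71.7.210.253", "84.47.19.216", "88.206.173.72",
    "91.89.22.206", "91.89.156.151", "99.232.153.152", "99.246.199.118",
    "118.171.54.124", "123.98.165.113", "123.140.78.146", "158.195.168.218",
    "202.126.117.43", "218.253.213.197", "218.254.115.36", "220.149.65.194",
]

# Constructed from the sighting's "See IP rDNS on botnet" table; None = no PTR.
LIFTPLURAL_PTR = {
    "222.100.5.23": None,
    "24.38.202.179": "static-host-24-38-202-179.patmedia.net",
    "58.120.141.224": None,
    "61.64.12.176": None,
    "68.34.45.204": "c-68-34-45-204.hsd1.dc.comcast.net",
    "71.7.210.253": "blk-7-210-253.eastlink.ca",
    "84.47.19.216": "adsl-d216.84-47-19.t-com.sk",
    "88.206.173.72": "88-206-173-72.highlandnet.se",
    "91.89.22.206": "hsi-kbw-091-089-022-206.hsi2.kabelbw.de",
    "91.89.156.151": None,
    "99.232.153.152": "cpe0013d3e9ffdc-cm000a73a86479.cpe.net.cable.rogers.com",
    "99.246.199.118": "cpe000039358968-cm000039358868.cpe.net.cable.rogers.com",
    "118.171.54.124": "118-171-54-124.dynamic.hinet.net",
    "123.98.165.113": None,
    "123.140.78.146": None,
    "158.195.168.218": None,
    "202.126.117.43": None,
    "218.253.213.197": "cm218-253-213-197.hkcable.com.hk",
    "218.254.115.36": "cm218-254-115-36.hkcable.com.hk",
    "220.149.65.194": None,
}

# Labels consumer ISPs commonly put in PTR names (assumed heuristic list).
# Each token must be a whole label or a dash-separated prefix of one.
RESIDENTIAL_LABEL = re.compile(
    r"(?:^|[.-])(?:cable|cpe|dynamic|dynip|adsl|dsl|hsd\d*|hsi\d*|customer|cm\d+)(?:[.-]|$)",
    re.IGNORECASE,
)


def _ip_embedded(ip, name):
    """True if the PTR name is just the address spelled out (generic pool naming)."""
    octets = ip.split(".")
    return ip in name or "-".join(octets) in name or "-".join(octets[1:]) in name


def classify_ptr(ip, name):
    """Bucket one rDNS result as no_ptr, residential, ip_derived or other."""
    if name is None:
        return "no_ptr"
    if RESIDENTIAL_LABEL.search(name):
        return "residential"
    if _ip_embedded(ip, name):
        return "ip_derived"
    return "other"


def flux_indicators(ips, ptr_map):
    """Summarise how scattered and how consumer-looking a domain's A records are."""
    slash8 = {ipaddress.ip_network(f"{ip}/8", strict=False) for ip in ips}
    slash16 = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    classes = Counter(classify_ptr(ip, ptr_map.get(ip)) for ip in ips)
    consumer = classes["no_ptr"] + classes["residential"] + classes["ip_derived"]
    return {
        "distinct_ips": len(set(ips)),
        "distinct_slash8": len(slash8),
        "distinct_slash16": len(slash16),
        "classes": dict(classes),
        "consumer_share": consumer / len(ips) if ips else 0.0,
    }


def looks_like_botnet_hosting(ind, min_ips=10, min_slash8=5, min_consumer_share=0.5):
    """Assumed thresholds: many addresses, spread over many /8s, mostly consumer hosts."""
    return (ind["distinct_ips"] >= min_ips
            and ind["distinct_slash8"] >= min_slash8
            and ind["consumer_share"] >= min_consumer_share)


if __name__ == "__main__":
    ind = flux_indicators(LIFTPLURAL_A_RECORDS, LIFTPLURAL_PTR)
    for key, value in ind.items():
        print(f"{key}: {value}")
    print("botnet-style hosting:", looks_like_botnet_hosting(ind))
```

On the post's data the 20 addresses fall into 16 different /8s and 19 different /16s, and every one of them is either PTR-less, carries a consumer-ISP label or is named after its own address, which is what a compromised-PC hosting pool looks like and what a single hosting provider does not. A real deployment would replace the PTR dictionary with live reverse lookups and add ASN diversity from routing data, but the scoring stays the same.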
