Spamvert:
lendust.com IP 210.14.128.120
(SBL56347) (at APNIC / ZBYD / zbydoffice.com.cn)
Redirected to:
http://lendust.com/rp/
Counterfeit watch spam with sender identity and header forgery.
Title: Diamond Watches (a.k.a Diamond Replicas)
More spammer sightings:
http://groups.google.com/groups/search?q=%22Diamond+Watches%22+group%3A*abuse&start=0&scoring=d&
More info below:
====================
X-SID-PRA: [MUNGED]
X-Message-Info:
6sSXyD95QpX30v40BEmfOekPM12uR7KHY9z9rLFGEk7SMUry3DBPtWQoxJ0WQGASLoutXAn/
IVTu9nkBVVynQw==
Received: from tomts11-srv.bellnexxia.net ([209.226.175.55]) by bay0-
pamc1-f2.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Wed, 29 Aug 2007 07:44:11 -0700
Received: from [MUNGED]
by toip17.srvr.bell.ca with ESMTP; 29 Aug 2007 10:43:59 -0400
Received: (qmail 23954 invoked by uid 110); 29 Aug 2007 10:24:15 -0400
Delivered-To: [MUNGED]
Received: (qmail 22198 invoked from network); 29 Aug 2007 10:24:12
-0400
Received: from softdnserror (HELO Tonys1) (24.138.237.104)
by [MUNGED] with SMTP; 29 Aug 2007 10:24:12 -0400
Return-path: <[MUNGED]>
X-Original-To: [MUNGED]
Delivered-To: [MUNGED]
Received: from [24.138.237.104] (port=28882 helo=24.138.237.104)
by [MUNGED] with ESMTP id 13331883083
for <[MUNGED]>; Wed, 29 Aug 2007 10:25:00 --400 (EET)
From: [MUNGED]
To: [MUNGED]
Subject: The Rolex U wanted
Date: Wed, 29 Aug 2007 10:25:00 --400 (EET)
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: md3G447c2572w263Sv88Ncf6f2n3n7==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Message-ID: <2ccd01c7ea26$01c7ea26$68ed8a18@[MUNGED]>
Status:
X-Antivirus: avast! (VPS 000756-1, 07/13/2007), Outbound message
X-Antivirus-Status: Clean
X-OriginalArrivalTime: 29 Aug 2007 14:44:11.0190 (UTC)
FILETIME=[0FCD2D60:01C7EA4B]
This is the time to show a luxury look without spending too much:
-<http://lendust.com>-
The most beautiful timepieces, for a price you can afford
-- END OF SPAM --
See the sender identity and header forgery by the spammer spoofing our
domain.
See:
IP 24.138.237.104
http://www.moensted.dk/spam/?addr=24.138.237.104
http://spamcop.net/w3m?action=checkblock&ip=24.138.237.104
CustName: Liberty Cablevision - Vega Baja
Address: Vega Baja Industrial Park
City: Vega Baja
StateProv: PR
PostalCode: 00884
Country: PR
RegDate: 2006-08-15
Updated: 2006-08-15
NetRange: 24.138.236.0 - 24.138.239.255
CIDR: 24.138.236.0/22
NetName: LIBERTYPR
NetHandle: NET-24-138-236-0-1
Parent: NET-24-138-192-0-1
NetType: Reassigned
postmaster and abuse[]libertypr.com are listed in rfc-ignorant.org
database
route: 24.138.237.0/24
descr: PNAP-MIA asurnet
origin: AS23520
mnt-by: INAP-MAINT-RADB
changed: sh...@internap.com
AS Name: LCPR-HSD - Liberty Cablevision of Puerto Rico LTD
http://www.cidr-report.org/cgi-bin/as-report?as=14638
1 SBL listing for IPs under the responsibility of libertypr.com
http://www.spamhaus.org/sbl/listings.lasso?isp=libertypr.com
Spamvert URL:
http://lendust.com/
HTTP/1.1 302 Found
Date: Wed, 29 Aug 2007 17:24:53 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2
PHP/5.2.3 with Suhosin-Patch
X-Powered-By: PHP/5.2.3
Location: http://lendust.com/rp/index.php?mid=10016&fid=PoWjfKskwsLFjsFlsjfe
Content-Length: 0
Connection: close
Content-Type: text/html
Redirected to:
http://lendust.com/rp/index.php
See:
lendust.com IP 210.14.128.120
(Spammer OLD IP 124.254.2.231, 58.83.12.6, 124.254.2.230)
ns1.modadns.com [58.83.12.6] [TTL=172800] [CN]
ns2.modadns.com [210.14.128.120] [TTL=172800] [CN] (OLD IP
124.254.2.231)
NS records at nameservers are:
dns1.lendust.com [no glue provided] [TTL=60]
dns2.lendust.com [no glue provided] [TTL=60]
SOA record [TTL=2048] is:
Primary nameserver: ns1.myserver.com.
Hostmaster E-mail address: hostmaster.lendust.com.
Serial #: 1188294464 (OLD 1186864237, 1184480567)
lendust.com has no MX records
www.lendust.com CNAME lendust.com [TTL=60]
http://www.moensted.dk/spam/?addr=210.14.128.120
http://www.spamhaus.org/query/bl?ip=210.14.128.120
hostnames sharing ip with a-records
ns2.modadns.com
ns2.finodns.com
sustfasc.com
fotechno.com
domains using this as nameserver
modadns.com(as ns2.modadns.com)
thtechno.com(as ns2.modadns.com)
votechno.com(as ns2.modadns.com)
disrich.com(as ns2.modadns.com)
fotechno.com(as ns2.modadns.com)
sustfasc.com(as ns2.finodns.com)
domains sharing nameservers
modadns.com
thtechno.com
votechno.com
disrich.com
fotechno.com
sustfasc.com
210.14.128.120 A fotechno.com
210.14.128.120 A lendust.com
210.14.128.120 A ns2.finodns.com
210.14.128.120 A ns2.modadns.com
210.14.128.120 A sustfasc.com
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL56347
210.14.128.0/19 is listed on the Spamhaus Block List (SBL)
07-Jul-2007 00:04 GMT | SR02
ZBYD Technology Co.,Ltd
No response to multiple SBL listings. No response from upstream
CNCGROUP-BJ. Hosting many ROKSO and botnet spam gang's websites and
nameservers.
23 SBL/ROKSO listings for IPs under the responsibility of APNIC
http://www.spamhaus.org/sbl/listings.lasso?isp=APNIC
inetnum: 210.14.128.0 - 210.14.159.255
netname: ZBYD
descr: ZBYD Technology Co.,Ltd
descr: 15A build , xiyongle road ,shijingshan district ,Beijing
country: CN
person: Zheyuan Wang
nic-hdl: ZW620-AP
e-mail: wan...@zbydoffice.com.cn
person: Zhengping Wang
address: Computer Center
address: Tongji University
address: No. 1239 Siping Road
address: Shanghai(200092)
address: P.R.China
phone: +0086 21 502 5080 ext 2845
fax-no: +0086 21 502 8965
e-mail: w...@tju.ihep.ac.cn
nic-hdl: ZW2-CN
notify: address-allo...@cernic.net
changed: sz...@cernic.net
person: Lei An
nic-hdl: LA100-AP
e-mail: al...@zbydoffice.com.cn
mntner: MAINT-CN-ZBN
descr: ZBN
descr: No.499 Weilai Road,Zhengzhou, Henan
country: CN
admin-c: JZ2-CN
tech-c: LD1-CN
upd-to: liz...@vip.zzcatv.com.cn
person: Jianzhong Zhu
nic-hdl: JZ2-CN
e-mail: zhujia...@vip.zzcatv.com.cn
person: Liang Dong
nic-hdl: LD1-CN
e-mail: lian...@vip.zzcatv.com.cn
changed: ip...@cnnic.cn
changed: ip...@cnnic.net.cn
postmaster and abuse[]zbydoffice.com.cn are listed in rfc-ignorant.org
database
AS Name: BJ-GUANGHUAN-AP Beijing Guanghuan Xinwang Digital
http://www.cidr-report.org/cgi-bin/as-report?as=23844
Let's see whois:
Checking server [whois.enom.com] => who else?
Registration Service Provided By: NameCheap.com
Contact: sup...@NameCheap.com
abuse[]NameCheap.com is listed in rfc-ignorant.org database
Domain name: lendust.com
Registrant Contact:
Mikron Informatica Ltda
Rodolfo Jesus (falsia2007[]pop.com.br)
+55.632241143
Fax: +55.632241143
R Duque de Caxias 121
Ararauna, RJ 88362
BR
Administrative Contact:
Mikron Informatica Ltda
Rodolfo Jesus (falsi...@pop.com.br)
+55.632241143
Fax: +55.632241143
R Duque de Caxias 121
Ararauna, RJ 88362
BR
Technical Contact:
Mikron Informatica Ltda
Rodolfo Jesus (falsi...@pop.com.br)
+55.632241143
Fax: +55.632241143
R Duque de Caxias 121
Ararauna, RJ 88362
BR
Status: Active
Name Servers:
ns1.modadns.com
ns2.modadns.com
Creation date: 22 May 2007 15:48:19
Expiration date: 22 May 2008 15:48:19
See more disrich.com sightings:
http://groups.google.com/groups/search?q=disrich.com+group%3A*abuse&start=0&scoring=d&
See also more registrant falsia2007[]pop.com.br sightings:
http://groups.google.com/groups/search?q=%22falsia2007%22+group%3A*abuse&qt_s=Search
See also more NameCheap.com spam support sightings:
http://groups.google.com/groups/search?q=NameCheap.com+group%3A*abuse&start=0&scoring=d&
See:
ns1.modadns.com IP 58.83.12.6
ns1.modadns.com has no MX records -> modadns.com has no MX records
http://www.moensted.dk/spam/?addr=58.83.12.6
http://www.spamhaus.org/query/bl?ip=58.83.12.6
More 58.83.12.6 sightings:
http://groups.google.com/groups/search?q=58.83.12.6+group%3A*abuse&qt_s=Search
58.83.12.6 is listed in the SBL, in the following records:
* SBL51900
* SBL53280
* SBL56425
inetnum: 58.83.12.0 - 58.83.15.255
netname: csallnetlink-cn
descr: changsha allnetlink development co.,LTD
country: CN
remarks: w...@allnetlink.com.cn
person: yongcheng wang
nic-hdl: YW811-AP
e-mail: wan...@allnetlink.com.cn
address: changsha allnetlink co., LTD
person: ada chen
nic-hdl: AC893-AP
changed: BLUESKY...@163.COM
Prefix: 58.83.12.0/22
Prefix Name: error
AS: 18118
AS Name: CITICNET AP CITIC Networks Management Co ,Ltd 6 XINYUANNANLU
BEIJING
http://www.cidr-report.org/cgi-bin/as-report?as=18118
More modadns.com sightings:
http://groups.google.com/groups/search?q=modadns.com+group%3A*abuse&qt_s=Search
See also more eNom spam support sightings:
http://groups.google.com/groups/search?q=eNom+group%3A*abuse&start=0&scoring=d&
Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/5a8790add0f1e2ba
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/667d6d9fa0ca0234
Cheers, Tomez
--
All postings to news.admin.net-abuse.sightings are unconfirmed and
unverified unless stated otherwise by the moderators. All opinions
expressed above are considered the opinions of the original poster,
not the moderators or their respective employers.
For a copy of the guidelines to this group, see:
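As an added example, not code from Tomez's post or from any of the tools it links to: the following Python script does the first part of the analysis above mechanically. It unfolds the Received: chain, picks out the hop where the message entered (the 24.138.237.104 connection at the bottom of the chain), flags the HELO and reverse-DNS oddities the report points at, pulls the spamvertised URL out of the body and splits the 302 Location into the landing page and its per-recipient tracking parameters. The headers, body and Location value are a constructed copy of the ones quoted in the report, with "[MUNGED]" kept where the poster redacted their own hosts; the forgery rules are heuristics of my own, not a standard.

```python
"""Trace a spam run from its Received: chain and body, as in the NANAS report above.

Added example, not code from the original post. SAMPLE_MESSAGE and
SAMPLE_LOCATION are constructed from the munged copy quoted in the report.
"""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_MESSAGE = """\
Received: from tomts11-srv.bellnexxia.net ([209.226.175.55]) by bay0-pamc1-f2.bay0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.2444); Wed, 29 Aug 2007 07:44:11 -0700
Received: from [MUNGED]
 by toip17.srvr.bell.ca with ESMTP; 29 Aug 2007 10:43:59 -0400
Received: (qmail 23954 invoked by uid 110); 29 Aug 2007 10:24:15 -0400
Received: (qmail 22198 invoked from network); 29 Aug 2007 10:24:12 -0400
Received: from softdnserror (HELO Tonys1) (24.138.237.104)
 by [MUNGED] with SMTP; 29 Aug 2007 10:24:12 -0400
Received: from [24.138.237.104] (port=28882 helo=24.138.237.104)
 by [MUNGED] with ESMTP id 13331883083
 for <[MUNGED]>; Wed, 29 Aug 2007 10:25:00 --400 (EET)
Subject: The Rolex U wanted

This is the time to show a luxury look without spending too much:
-<http://lendust.com>-
The most beautiful timepieces, for a price you can afford
"""

# Location header the report shows lendust.com returning with its HTTP 302
SAMPLE_LOCATION = "http://lendust.com/rp/index.php?mid=10016&fid=PoWjfKskwsLFjsFlsjfe"

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HELO = re.compile(r"helo[=\s]+([^\s()]+)", re.I)
FROM = re.compile(r"^from\s+(\S+)", re.I)
URL = re.compile(r'https?://[^\s<>"]+')


def split_message(raw):
    """Return (unfolded header lines, body text); headers end at the first blank line."""
    head, _, body = raw.partition("\n\n")
    lines = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and lines:   # RFC 5322 folded continuation line
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines, body


def received_hops(raw):
    """Received: headers newest-first (the order they appear), one dict per hop."""
    header_lines, _ = split_message(raw)
    hops = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "received":
            continue
        value = value.strip()
        claimed = FROM.match(value)
        helo = HELO.search(value)
        ips = IPV4.findall(value)
        hops.append({
            "claimed": claimed.group(1) if claimed else None,  # name after "from"
            "helo": helo.group(1) if helo else None,           # what the client said in HELO/EHLO
            "ip": ips[0] if ips else None,                     # first IP in the hop: the connecting peer
            "raw": value,
        })
    return hops


def origin_ip(hops):
    """Earliest hop carrying an IP is where the message entered the mail system."""
    for hop in reversed(hops):
        if hop["ip"]:
            return hop["ip"]
    return None


def forgery_indicators(hop):
    """Heuristic signs that a hop's client lied about itself (my own rules, not a standard)."""
    flags = []
    helo = hop["helo"]
    if helo and IPV4.fullmatch(helo):
        flags.append("helo-bare-ip")           # helo=24.138.237.104 instead of a hostname
    elif helo and "." not in helo:
        flags.append("helo-not-fqdn")          # HELO Tonys1: a bare machine name, not a mail host
    if (hop["claimed"] or "").lower() == "softdnserror":
        flags.append("no-reverse-dns")         # receiver could not resolve the peer's PTR
    if re.search(r"\s--\d{3}\b", hop["raw"]):
        flags.append("malformed-tz-offset")    # "--400 (EET)": a zone no real MTA emits
    return flags


def spamvert_urls(raw):
    """URLs in the body: the spamvert the report resolves and follows."""
    _, body = split_message(raw)
    return URL.findall(body)


def redirect_target(location):
    """Split a 302 Location into the landing page and its tracking query parameters."""
    parts = urlsplit(location)
    return parts.scheme + "://" + parts.netloc + parts.path, parse_qs(parts.query)


def report(raw=SAMPLE_MESSAGE, location=SAMPLE_LOCATION):
    hops = received_hops(raw)
    return {
        "origin_ip": origin_ip(hops),
        "flags": [(h["ip"] or h["claimed"], forgery_indicators(h)) for h in hops if forgery_indicators(h)],
        "spamvert": spamvert_urls(raw),
        "landing": redirect_target(location),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The chain is read top-down because each MTA prepends its own Received: line, so the bottom hop is the oldest one that a server we have no reason to distrust recorded; everything the client put in HELO, and everything below the first trusted hop, is under the spammer's control and is treated as a claim, not a fact. The fid/mid parameters split out of the Location are what lets the operator tie a click back to the mailing, which is why the report quotes the full redirect rather than just the bare domain.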