
[email] RE: Gucci 579047


spam...@nil.nil
Apr 4, 2008, 1:35:10 PM
SPAM: RE: Gucci 579047

Spam FROM: IP address 221.206.199.161
on cncnet.net,china-netcom.com,cnc-noc.net,cncgroup, etc., Heilongjiang
postm...@cnc-noc.net,ab...@cnc-noc.net,sup...@cnc-noc.net,
postm...@mail.hl.cn,ab...@mail.hl.cn,sup...@mail.hl.cn,ga...@mail.hl.cn

This is the modern form of email advertising, consisting
of stealing another party's content and using that as
a framework for the spam so that the innocent, or not
so innocent, third party content helps foil anti-spam filters.

Spam CONTENTS: Web bug enabled gucci.com email promotion.

Well, it is gucci.com email (spam?) but it has been recycled with
the target URLs changed to send one on to a different location
(fraudulently claiming to be gucci.com, using their trademark
and their copyrighted -I assume- message), the:

Spamvertized URL: http://www.21springshoe.com
at the SPAMHAUS listed IP address 58.253.71.112
on cncnet.net,china-netcom.com,cnc-noc.net,cncgroup, etc., Guangdong
at the SPAMHAUS listed IP address 116.199.135.168
on cncnet.net,china-netcom.com,cnc-noc.net,cncgroup, etc., Hunan/Newspeed
at the SPAMHAUS listed IP address 116.199.135.191
on cncnet.net,china-netcom.com,cnc-noc.net,cncgroup, etc., Hunan/Newspeed
at the SPAMHAUS listed IP address 116.199.136.61
on cncnet.net,china-netcom.com,cnc-noc.net,cncgroup, etc., Hunan/Newspeed
at the SPAMHAUS listed IP address 116.199.138.24
on cncnet.net,china-netcom.com,cnc-noc.net,cncgroup, etc., Hunan/Newspeed
at the SPAMHAUS listed IP address 118.129.65.92
on bora.net
at the SPAMHAUS listed IP address 211.118.190.4
on bora.net
at the SPAMHAUS listed IP address 218.61.22.239
on cncnet.net,china-netcom.com,cnc-noc.net,cncgroup, etc., Liaoning province
at the SPAMHAUS listed IP address 221.122.64.14 (moved here from 221.122.64.15)
on chinacomm.com.cn

Upon making a selection one proceeds to the spammer's:

Spammer's ORDER SITE: https://www.designerscheckout.com/gw2/paymentgw.php
at the same IP addresses as above.

Images are loaded using absolute rather than relative URLs from the:

Spammer's IMAGE HOST: http://www.cdv084.com/affiliate/cart/images/[varies]
at the same IP addresses as above.

There is an old, unworking bookmark hostname in the javascript on the
starting page, but later pages have javascript to add the:

Spammer's BOOKMARK SITE: http://www.celebshoes21.com
guess where.

While those are the current resolutions (the above are proxies),
the back end is at:

Spammer's BACK END:
at the SPAMHAUS listed IP address 212.26.146.226
along with the Spammer's
Nameservers at the SPAMHAUS listed IP addresses 212.26.146.226 and 212.26.146.227
on adamant.net

These domains, designerscheckout.com, 21springshoe.com, cdv084.com
and celebshoes21.com are handled by a registrar who shows up in a
lot of spam including providing services necessary to keep (double)
fast-flux botnets in operation (the Canadian Pharmacy spam operation
in particular).

Spammer's REGISTRAR: These are serviced by paycenter.com.cn,xinnet.cn,xinnet.com,xinnetdns.com
As this is an ongoing problem, so that ICANN cannot claim
they didn't know about any problems, I will inform two members
of their board of directors as well (I would hate to have ICANN
be able to say "What botnet service?").
nj...@wananchi.com,api...@servidor.unam.mx

The secure site, designerscheckout.com, has a secure certificate
(used during the connection) but shows a different certificate on
its pages, one for the "lost" streetandstrutcheckout.com domain.
Both certificates are provided to enable the secure sale of counterfeit
goods, with trademark violations, promoted by this spam which fraudulently
claims that the goods are gucci goods sold at gucci.com in email using
stolen copyrighted (I assume gucci copyrighted the text, but it also
uses their images) material. Oh, if only they were violating a patent
somewhere so they would be guilty of violating just about every IP
protection. The enabler of the security for this spammer is:

Spammer's SECURITY AUTHORITY: godaddy.com
for the domains designerscheckout.com and streetandstrutcheckout.com
ab...@godaddy.com,postm...@godaddy.com,sup...@godaddy.com,
le...@godaddy.com,ad...@godaddy.com

==========
[DETAILS:]

SPAM FROM: IP address 221.206.199.161
Which forged my username in the envelope sender,
and forged my email address as the "From:" address
as well as the "X-Originating-Email:" and "X-Sender:"
addresses.

inetnum: 221.206.0.0 - 221.206.255.255
netname: CNCGROUP-HL
descr: CNCGROUP Heilongjiang Province Network
country: CN
e-mail: ab...@cnc-noc.net
e-mail: ga...@mail.hl.cn

SPAM CONTENTS: gucci.com spam. Or so it seems.

It has a gucci.com web bug at the end,
[img src="http://announcement.gucci.com/images/mlopen_post.html?rtr=on&siteid=25010&mid=189641&mlid=9247&uid=513245cf9d"]
(Naughty, **NAUGHTY** gucci.com).

Image areas (map id="guccius" name="guccius") have alt tags,
[area ...alt="gucci invites you to shop our spring men’s accessories catalog" .../]
and the image (usemap) is from gucci.com,
[img src="http://announcement.gucci.com/content/25010/Gucci/ecard_mcatalog_ss08_US_ENG_v3_00.jpg" ... usemap="#guccius"
alt="Gucci invites you to shop our spring men’s accessories catalog" ... /]
(there is also a map named guccius2 and image from gucci.com with image,
http://announcement.gucci.com/content/25010/Gucci/ecard_mcatalog_ss08_US_ENG_v3_01.jpg)

So ... surely this is a gucci.com
To ensure delivery to your inbox (not bulk or junk folders), please add
gu...@announcement.gucci.com to your address book.
email promotion (though the sender address is not gu...@announcement.gucci.com) -
originally. However, the target URLs are not gucci.com web sites but

[area href="http://www.21springshoe.com" ...]
(I had omitted the target URLs from the area tags, above)

and gucci.com's Unsubscribe and Privacy Policy have become
[a href="http://www.21springshoe.com"]Unsubscribe[/a]
[a href="http://www.21springshoe.com"]Privacy Policy[/a]
and for text browsers (or those who quite properly do NOT
allow images to be loaded by email which would allow WEB BUGS,
only very sleazy marketers use those however - marketers like gucci.com)
one has a text section (besides the alt tags),
Unable to view? Please go to [a href="http://www.21springshoe.com"]http://www.gucci.com/e/b/us/ss08mc[/a]
and of course we have gucci.com's own text,
You have subscribed to receive Gucci email communication.
US Corporate Address: 685 Fifth Avenue, New York, NY, 10022, USA
and, no, I did not subscribe to receive gucci.com email communication
(I would NEVER subscribe to anything from marketers who use web bugs!).

So ... it is web bug enabled email marketing from gucci.com which
has been recycled by the spammer to send one on to the:

SPAMVERTIZED URL: http://www.21springshoe.com

'Please go to [a href="http://www.21springshoe.com"]http://www.gucci.com/e/b/us/ss08mc[/a]'
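The tells walked through above (an anchor whose visible text is a gucci.com URL while its href goes to the spamvertized host, every link rewritten to one foreign host, and a web-bug image carrying per-recipient parameters) can be checked mechanically; the following is an added example, not part of the original post, and its sample mail is constructed from the snippets quoted above.

```python
# Added example (not from the original post): flag the recycled-mailing
# tells described above in an HTML email body, using only the standard
# library.  The sample mail is constructed from the snippets quoted in the
# report; no network access is needed.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Query-string keys that typically identify the recipient of a web bug.
TRACKING_KEYS = {"uid", "mid", "mlid", "siteid"}

# Constructed sample: visible text and images say gucci.com, every href
# has been rewritten to the spamvertized host, and a 1x1 image carries
# recipient-specific parameters.
SAMPLE_HTML = """<html><body>
<img src="http://announcement.gucci.com/images/mlopen_post.html?rtr=on&amp;siteid=25010&amp;mid=189641&amp;mlid=9247&amp;uid=513245cf9d"
     width="1" height="1">
<p>Unable to view? Please go to
<a href="http://www.21springshoe.com">http://www.gucci.com/e/b/us/ss08mc</a></p>
<img src="http://announcement.gucci.com/content/25010/Gucci/ecard_mcatalog_ss08_US_ENG_v3_00.jpg"
     usemap="#guccius">
<a href="http://www.21springshoe.com">Unsubscribe</a>
<a href="http://www.21springshoe.com">Privacy Policy</a>
</body></html>"""


class MailAuditor(HTMLParser):
    """Collect (href, visible text) for anchors and attribute dicts for images."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _audit(html):
    p = MailAuditor()
    p.feed(html)
    p.close()
    return p


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def mismatched_links(html):
    """Anchors whose visible text is a URL on a different host than the href."""
    out = []
    for href, text in _audit(html).links:
        if text.startswith(("http://", "https://")):
            shown, actual = host_of(text), host_of(href)
            if shown and actual and shown != actual:
                out.append({"shown": shown, "actual": actual})
    return out


def foreign_link_hosts(html, brand_domain):
    """Link hosts that are not under the brand's domain.  A genuine brand
    mailing yields an empty list; the recycled one points every href at
    the spammer's host."""
    brand = brand_domain.lower()
    hosts = {host_of(h) for h, _ in _audit(html).links}
    return sorted(h for h in hosts if h and h != brand and not h.endswith("." + brand))


def tracking_pixels(html):
    """Images that look like web bugs: 1x1, or carrying recipient-id parameters."""
    out = []
    for img in _audit(html).images:
        qs = parse_qs(urlsplit(img["src"]).query)
        tiny = img.get("width") == "1" and img.get("height") == "1"
        if tiny or TRACKING_KEYS & set(qs):
            out.append({"src": img["src"], "params": sorted(qs)})
    return out


if __name__ == "__main__":
    print("mismatched:", mismatched_links(SAMPLE_HTML))
    print("foreign hosts:", foreign_link_hosts(SAMPLE_HTML, "gucci.com"))
    print("web bugs:", tracking_pixels(SAMPLE_HTML))
```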

============================================================
For the host:
"www.21springshoe.com"

NAMESERVERS listed in the root servers for 21springshoe.com:
------------------------------------------------------------
21springshoe.com NS ns1.s4455.com
21springshoe.com NS ns2.s4455.com
21springshoe.com NS ns3.s4455.com
ns1.s4455.com A 218.61.22.239
ns2.s4455.com A 116.199.136.61
ns3.s4455.com A 116.199.135.191

[extract from dig]
------------------
dig @116.199.135.191
www.21springshoe.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.21springshoe.com A 118.129.65.92

dig @116.199.136.61
www.21springshoe.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.21springshoe.com A 118.129.65.92

dig @218.61.22.239
www.21springshoe.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.21springshoe.com A 118.129.65.92
============================================================

and a short while later,

============================================================
For the host:
"www.21springshoe.com"

NAMESERVERS listed in the root servers for 21springshoe.com:
------------------------------------------------------------
21springshoe.com NS ns1.s4455.com
21springshoe.com NS ns2.s4455.com
21springshoe.com NS ns3.s4455.com
ns1.s4455.com A 218.61.22.239
ns2.s4455.com A 116.199.136.61
ns3.s4455.com A 116.199.135.191

[extract from dig]
------------------
dig @116.199.135.191
www.21springshoe.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.21springshoe.com A 211.118.190.4

dig @116.199.136.61
www.21springshoe.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.21springshoe.com A 211.118.190.4

dig @218.61.22.239
www.21springshoe.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.21springshoe.com A 211.118.190.4
============================================================

Let's see ... when the spam was for Canadian Pharmacy (also at 116.199.136.61)
and "MaxHerbal" (at 118.129.65.81) other addresses had been involved at times,
and let me check for IP addresses near the above,
116.199.135.191, 116.199.136.61, 118.129.65.92, 211.118.189.202 and 218.61.22.239
(the spammer often has multiple usable IP addresses in a block which
he uses)
Well, 118.129.65.87 is up but that is "Diamond Replicas/Diamond Watches",
"World Phrmacy", etc. but the spamvertized site is
"Prestige Watches" (though the order form at "Diamond Replicas" also
claims/claimed to be "Prestige Replicas") and "Prestige Footwear"
and as 118.129.65.87 is Diamond Replicas, I will pass on it this time.

Checking each of the above,
(and I did) the "Prestige Watches" sites I find are:

* Connected to 58.253.71.112
GET / HTTP/1.1
Host: www.21springshoe.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Watches[/title]


* Connected to 116.199.135.168
GET / HTTP/1.1
Host: www.21springshoe.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Watches[/title]


* Connected to 116.199.135.191
GET / HTTP/1.1
Host: www.21springshoe.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Watches[/title]


* Connected to 116.199.136.61
GET / HTTP/1.1
Host: www.21springshoe.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Watches[/title]


* Connected to 116.199.138.24
GET / HTTP/1.1
Host: www.21springshoe.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Watches[/title]


* Connected to 118.129.65.92
GET / HTTP/1.1
Host: www.21springshoe.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Watches[/title]


* Connected to 211.118.190.4
GET / HTTP/1.1
Host: www.21springshoe.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Watches[/title]


* Connected to 218.61.22.239
GET / HTTP/1.1
Host: www.21springshoe.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Watches[/title]


* Connected to 221.122.64.14
GET / HTTP/1.1
Host: www.21springshoe.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Watches[/title]


and the pages obtained from each IP address are byte-for-byte identical.


IP address 58.253.71.112
------------------------
IP address 58.253.71.112 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 58.253.71.0 - 58.253.71.255
netname: QY-IDC
country: CN
admin-c: CG272-AP abus...@china-netcom.com
route: 58.252.0.0/14
descr: CNC Group CHINA169 Guangdong Province Network
country: CN
253.58.in-addr.arpa has SOA ro...@ns1.cnc-gd.net
------------------------

IP address 116.199.135.168
--------------------------
IP address 116.199.135.168 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 116.199.135.0 - 116.199.138.255
netname: Newspeed
descr: Shenzhen Newspeed Science and technology Development Limited company
descr: Shenzhen Mt. Nanshan area Nanhai main road Jinhun building B2612
country: CN
route: 116.199.135.0/24
descr: CNC Group CHINA169 Hunan Province Network
e-mail: g...@21cn.com
e-mail: Tiet...@k65.net
inetnum: 116.199.128.0 - 116.199.159.255
netname: Newspeed
descr: Shenzhen Newspeed Science and technology Development Limited company
descr: Shenzhen Mt. Nanshan area Nanhai main road Jinhun building B2612
country: CN
e-mail: g...@21cn.com
e-mail: QY...@126.com
135.199.116.in-addr.arpa has SOA [nameserver] ns1.speed-idc.com
--------------------------

IP address 116.199.135.191
--------------------------
IP address 116.199.135.191 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 116.199.135.0 - 116.199.138.255
netname: Newspeed
descr: Shenzhen Newspeed Science and technology Development Limited company
descr: Shenzhen Mt. Nanshan area Nanhai main road Jinhun building B2612
country: CN
route: 116.199.135.0/24
descr: CNC Group CHINA169 Hunan Province Network
e-mail: g...@21cn.com
e-mail: Tiet...@k65.net
inetnum: 116.199.128.0 - 116.199.159.255
netname: Newspeed
descr: Shenzhen Newspeed Science and technology Development Limited company
descr: Shenzhen Mt. Nanshan area Nanhai main road Jinhun building B2612
country: CN
e-mail: g...@21cn.com
e-mail: QY...@126.com
135.199.116.in-addr.arpa has SOA [nameserver] ns1.speed-idc.com
--------------------------

IP address 116.199.136.61
--------------------------
IP address 116.199.136.61 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 116.199.135.0 - 116.199.138.255
netname: Newspeed
descr: Shenzhen Newspeed Science and technology Development Limited company
descr: Shenzhen Mt. Nanshan area Nanhai main road Jinhun building B2612
country: CN
route: 116.199.136.0/23
descr: CNC Group CHINA169 Hunan Province Network
descr: Addresses from CNNIC(Newspeed)
e-mail: g...@21cn.com
e-mail: Tiet...@k65.net
inetnum: 116.199.128.0 - 116.199.159.255
netname: Newspeed
descr: Shenzhen Newspeed Science and technology Development Limited company
descr: Shenzhen Mt. Nanshan area Nanhai main road Jinhun building B2612
country: CN
e-mail: g...@21cn.com
e-mail: QY...@126.com
136.199.116.in-addr.arpa has SOA [nameserver] ns1.speed-idc.com
--------------------------

IP address 116.199.138.24
--------------------------
IP address 116.199.138.24 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 116.199.135.0 - 116.199.138.255
netname: Newspeed
descr: Shenzhen Newspeed Science and technology Development Limited company
descr: Shenzhen Mt. Nanshan area Nanhai main road Jinhun building B2612
country: CN
route: 116.199.138.0/24
descr: CNC Group CHINA169 Hunan Province Network
descr: Addresses from CNNIC(Newspeed)
e-mail: g...@21cn.com
e-mail: Tiet...@k65.net
inetnum: 116.199.128.0 - 116.199.159.255
netname: Newspeed
descr: Shenzhen Newspeed Science and technology Development Limited company
descr: Shenzhen Mt. Nanshan area Nanhai main road Jinhun building B2612
country: CN
e-mail: g...@21cn.com
e-mail: QY...@126.com
138.199.116.in-addr.arpa has SOA [nameserver] ns1.speed-idc.com
--------------------------

IP address 118.129.65.92
------------------------
IP address 118.129.65.92 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
Querying whois.krnic.net
inetnum: 118.128.0.0 - 118.131.255.255
netname: BORANET
descr: LG DACOM Corporation
e-mail: ip...@nic.bora.net
e-mail: ab...@bora.net
e-mail: secu...@bora.net
(prior data for 118.129.65.81)
E-Mail : shki...@chol.com
E-mail : dka...@bora.net
E-mail : secu...@bora.net
e-mail: ip...@nic.bora.net
e-mail: ab...@bora.net
e-mail: secu...@bora.net
------------------------

IP address 211.118.190.4
------------------------
IP address 211.118.190.4 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
Querying whois.nic.or.kr
Org Name : LG DACOM Corporation
Service Name : BORANET
Org Address : Seoul Gangnam-gu Yeoksam-dong
E-Mail : shki...@chol.com
E-mail : dka...@bora.net
E-mail : secu...@bora.net
-------------------------

IP address 218.61.22.239
------------------------
IP address 218.61.22.239 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 218.60.0.0 - 218.61.255.255
netname: CNCGROUP-LN
country: CN
descr: CNCGROUP Liaoning province network
e-mail: ab...@cnc-noc.net
e-mail: ab...@online.ln.cn
61.218.in-addr.arpa has SOA [omitted]@lntelecom.com
[whois.abuse.net]
ab...@cnc-noc.net (for lntelecom.com)
postm...@cnc-noc.net (for cnc-noc.net)
ab...@cnc-noc.net (for cnc-noc.net)
ab...@online.ln.cn (for online.ln.cn)
postm...@online.ln.cn (for online.ln.cn)
postm...@lntelecom.com (for lntelecom.com)
ab...@cnc-noc.net (for online.ln.cn)
ab...@online.ln.cn (for lntelecom.com)
----------------------

IP address 221.122.64.14
------------------------
IP address 221.122.64.14 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 221.122.0.0 - 221.123.255.255
netname: CHINACOMM
descr: CECT-CHINACOMM COMMUNICATIONS Co.,Ltd.
descr: INTERNET COMMUNICATIONS
country: CN
e-mail: ipma...@cect-chinacomm.com.cn
inetnum: 221.122.38.80 - 221.123.19.95
netname: CHINACOMM
country: CN
e-mail: ipma...@cect-chinacomm.com
64.122.221.in-addr.arpa has SOA ro...@mail.chinacomm.com.cn
--------------------------------------------------

Upon making an order, one submits the following,
ip=211.118.190.4
&total=169
&cart=O%3A4%3A%22cart%22%3A2%3A...
&domain=532
to https://www.designerscheckout.com/gw2/paymentgw.php
where the escaped "cart" data is (unescaped) (my indentation)
O:4:"cart":2:{s:5:"items";
a:1:{i:0;
O:4:"item":4:{s:2:"id";
i:537;
s:8:"quantity";
d:1;
s:4:"size";
s:1:"9";
s:7:"options";
a:0:{}
}
}
s:8:"previous";
a:0:{}
}
(it appears that "s:#:string" specifies a string of "#" characters
and, for example, s:4:"size";s:1:"9" represents the shoe size I
chose, a "size" parameter ("size" has four letters) of "9" (a string
of one character), and the "cart" consists of just that single item.)
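The "cart" value above is a PHP serialize() string; as an added example that is not part of the original post, here is a standard-library Python decoder that turns it into plain dicts so an investigator can record exactly what the form submitted. It only ever builds dicts and never instantiates classes, which is what makes it safe to run on untrusted input, unlike PHP's own unserialize().

```python
# Added example (not from the original post): decode the form-escaped
# "cart" value shown above.  It is a PHP serialize() string; this parser
# turns it into plain Python dicts so the order can be inspected or logged,
# and it never instantiates classes, unlike PHP's own unserialize().
from urllib.parse import quote, unquote_plus

# Constructed from the unescaped value quoted in the report, then form-escaped
# the way it travels in the POST body (it begins O%3A4%3A%22cart%22%3A2%3A...).
CART_PHP = (
    'O:4:"cart":2:{s:5:"items";a:1:{i:0;O:4:"item":4:{s:2:"id";i:537;'
    's:8:"quantity";d:1;s:4:"size";s:1:"9";s:7:"options";a:0:{}}}'
    's:8:"previous";a:0:{}}'
)
ESCAPED_CART = quote(CART_PHP, safe="")


class PhpUnserializeError(ValueError):
    pass


def _read_int(s, i, stop):
    """Return (int, index just past `stop`) for the digits starting at i."""
    end = s.index(stop, i)
    return int(s[i:end]), end + 1


def _read_pairs(s, i, count):
    """Parse `count` key;value pairs plus the closing brace of an a/O body."""
    items = {}
    for _ in range(count):
        key, i = _parse(s, i)
        items[key], i = _parse(s, i)
    if i >= len(s) or s[i] != "}":
        raise PhpUnserializeError(f"expected '}}' at offset {i}")
    return items, i + 1


def _parse(s, i):
    t = s[i]
    if t == "N":                                   # N;
        return None, i + 2
    if t in "ibd":                                 # i:537;  b:1;  d:1;
        end = s.index(";", i)
        raw = s[i + 2:end]
        value = int(raw) if t == "i" else raw == "1" if t == "b" else float(raw)
        return value, end + 1
    if t == "s":                                   # s:LEN:"bytes";  LEN is in bytes
        length, i = _read_int(s, i + 2, ":")
        start = i + 1                              # skip the opening quote
        j = start
        while j < len(s) and len(s[start:j].encode("utf-8")) < length:
            j += 1
        if s[j:j + 2] != '";':
            raise PhpUnserializeError(f"bad string terminator at offset {j}")
        return s[start:j], j + 2
    if t == "a":                                   # a:COUNT:{key;value...}
        count, i = _read_int(s, i + 2, ":")
        return _read_pairs(s, i + 1, count)        # skip '{'
    if t == "O":                                   # O:LEN:"class":COUNT:{props}
        name_len, i = _read_int(s, i + 2, ":")
        name = s[i + 1:i + 1 + name_len]
        count, i = _read_int(s, i + 1 + name_len + 2, ":")   # skip '":'
        props, i = _read_pairs(s, i + 1, count)
        return {"__class__": name, **props}, i
    raise PhpUnserializeError(f"unknown type {t!r} at offset {i}")


def php_unserialize(data):
    value, end = _parse(data, 0)
    if end != len(data):
        raise PhpUnserializeError(f"trailing data at offset {end}")
    return value


def decode_cart(escaped):
    """Undo the application/x-www-form-urlencoded escaping, then unserialize."""
    return php_unserialize(unquote_plus(escaped))


def summarize_cart(cart):
    """(id, quantity, size) per item, e.g. for an abuse report's evidence log."""
    return [(it["id"], it["quantity"], it["size"]) for it in cart["items"].values()]


if __name__ == "__main__":
    print(ESCAPED_CART[:40] + "...")
    print(summarize_cart(decode_cart(ESCAPED_CART)))
```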

This submission elicits a page
* Connected to 118.129.65.92
POST /gw2/paymentgw.php HTTP/1.1
Host: www.designerscheckout.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Footwear[/title]
with an order form into which one submits one's credit card
and personal data,
bill_coupon=
&bill_first_name=[victim's name: first]
&bill_last_name=[victim's name: last]
&bill_company_name=oseare aaser ltd
&bill_address1=[victim's address: street]
&bill_city=[victim's address: city]
&bill_state=[victim's address: state]
&bill_zip=[victim's address: zip code]
&bill_country=US
&bill_phone=[victim's phone number]
&bill_email=[victim's address: email]
&same_as_shipping=1
&ship_first_name=[victim's name: first]
&ship_last_name=[victim's name: last]
&ship_company_name=oseare aaser ltd
&ship_address1=[victim's address: street]
&ship_city=[victim's address: city]
&ship_zip=[victim's address: zip code]
&cc_type=MC (for MASTERCARD)
&cc_number_1=[victim's credit card number: first four digits]
&cc_number_2=[victim's credit card number: second four digits]
&cc_number_3=[victim's credit card number: penultimate four digits]
&cc_number_4=[victim's credit card number: last four digits]
&cc_month=[credit card: expiration date: month]
&cc_year=[credit card: expiration date: year]
&cc_cvv=[credit card: private security number]
&ip=211.118.190.4
&total=169
&cart=O%3A4%3A... [escaped data]
&domain=532
which is submitted to https://www.designerscheckout.com/gw2/paymentgw.php
where the escaped "cart" data is the same as above.

N.B. Usually the "ip" value is that of the visitor, not the site
for most such forms I have seen.

SPAMMER's ORDER SITE: http://www.designerscheckout.com/gw2/paymentgw.php

=================================================================
For the host:
"www.designerscheckout.com"

NAMESERVERS listed in the root servers for designerscheckout.com:
-----------------------------------------------------------------
designerscheckout.com NS ns1.nodns2.com
designerscheckout.com NS ns2.nodns2.com
designerscheckout.com NS ns3.nodns2.com
ns1.nodns2.com A 218.61.22.239
ns2.nodns2.com A 116.199.135.191
ns3.nodns2.com A 116.199.136.61

[extract from dig]
------------------
dig @116.199.135.191
www.designerscheckout.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.designerscheckout.com A 118.129.65.92

dig @116.199.136.61
www.designerscheckout.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.designerscheckout.com A 118.129.65.92

dig @218.61.22.239
www.designerscheckout.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.designerscheckout.com A 118.129.65.92
=================================================================

and let me check at each of the above IP addresses to see if they provide
the order page in response to the submission of the product selection.

218.61.22.239 is not open on port 443 (for an https connection)

HTTPS:
------
* Connected to 58.253.71.112
POST /gw2/paymentgw.php HTTP/1.1
Host: www.designerscheckout.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Footwear[/title]


* Connected to 116.199.135.168
POST /gw2/paymentgw.php HTTP/1.1
Host: www.designerscheckout.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Footwear[/title]


* Connected to 116.199.135.191
POST /gw2/paymentgw.php HTTP/1.1
Host: www.designerscheckout.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Footwear[/title]


* Connected to 116.199.136.61
POST /gw2/paymentgw.php HTTP/1.1
Host: www.designerscheckout.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Footwear[/title]


* Connected to 116.199.138.24
POST /gw2/paymentgw.php HTTP/1.1
Host: www.designerscheckout.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Footwear[/title]


* Connected to 118.129.65.92
POST /gw2/paymentgw.php HTTP/1.1
Host: www.designerscheckout.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Footwear[/title]


* Connected to 211.118.190.4
POST /gw2/paymentgw.php HTTP/1.1
Host: www.designerscheckout.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Footwear[/title]


* Connected to 221.122.64.14
POST /gw2/paymentgw.php HTTP/1.1
Host: www.designerscheckout.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Footwear[/title]

BUT ... using http at 218.61.22.239 results in:

HTTP:
-----
* Connected to 218.61.22.239
POST /gw2/paymentgw.php HTTP/1.1
Host: www.designerscheckout.com

HTTP/1.0 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)
[title]Prestige Footwear[/title]

and each returns the same page with the order form for entry
of one's credit card and personal data (with varying cookies,
Set-Cookie: intersecurepay=[varies]

SPAMMER's BACK END: IP address 212.26.146.226
PLUS NAMESERVER AT 212.26.146.227

Now ... one may recall a spammer (apparently this one) who
was somewhat original, setting up a counterfeit luxury footwear
site under the name streetnstrut.com and others such as
streetandstrutcheckout.com.

This site is different.

Besides counterfeit luxury footwear it has other goods, such
as watches. Is this another spammer or has the footwear spammer
expanded?

This is the streetnstrut.com spammer as indicated in the bookmark
javascript code on the original page,
function addToFavorites(){
if (window.external){
window.external.Addfavorite('http://www.streetnstrut.com','Prestige Footwear');

streetnstrut.com currently has no nameservers listed in the root servers.
Its registration (the site is on clientHold status at its
registrar, dns.com.cn) shows two nameservers, NS{1,2}.RET53.COM,
for which we have glue records in the root servers, 219.106.90.2
and 202.21.110.5, which, however, are not responding to me on port
80, and they are not working as nameservers either: I get no resolution
of www.streetnstrut.com, www.designerscheckout.com or www.21springshoe.com
from them. But this is the streetnstrut.com spammer, and his order
site sets a cookie, intersecurepay=[varies].

What about intersecurepay.com?

Domain Name: INTERSECUREPAY.COM
Registrar: ESTDOMAINS, INC.
Whois Server: whois.estdomains.com
Referral URL: http://www.estdomains.com
Name Server: NS1.NSWATCHNS.NET
Name Server: NS2.NSWATCHNS.NET
Domain Name: INTERSECUREPAY.COM
Registrant:
brendac brenda (ad...@streetandstrutcheckout.com)
453 road side la
California,90210
US
Tel. +818.4876654

Well, it seems that INTERSECUREPAY.COM, the name used in the cookie,
is registered to streetandstrutcheckout.com, the site of the footwear
spammer who has expanded to other luxury goods, so it is also this
spammer's domain.

streetandstrutcheckout.com has no nameserver records listed
in the root servers. Its nameservers, as listed in the
registration, are NS{1,2}.NSWATCHNS.NET (the same as
INTERSECUREPAY.COM).

There are glue records in the root servers for those nameservers,
212.26.146.226 and 212.26.146.227 both of which are open on ports
80 and 443.

Are these authoritative nameservers for the spammer?

dig @212.26.146.226 www.streetnstrut.com A +noauth +noqu +noadd +norec
;; flags: qr <-- NO RESOLUTION

dig @212.26.146.226 www.designerscheckout.com A +noauth +noqu +noadd +norec
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
designerscheckout.com A 212.26.146.226

dig @212.26.146.226 www.21springshoe.com A +noauth +noqu +noadd +norec
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
21springshoe.com A 212.26.146.226

dig @212.26.146.226 streetandstrutcheckout.com A +noauth +noqu +noadd +norec
;; flags: qr <-- NO RESOLUTION

dig @212.26.146.226 intersecurepay.com A +noauth +noqu +noadd +norec
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
intersecurepay.com A 212.26.146.227

dig @212.26.146.227 www.streetnstrut.com A +noauth +noqu +noadd +norec
;; flags: qr <-- NO RESOLUTION

dig @212.26.146.227 www.designerscheckout.com A +noauth +noqu +noadd +norec
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
designerscheckout.com A 212.26.146.226

dig @212.26.146.227 www.21springshoe.com A +noauth +noqu +noadd +norec
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
21springshoe.com A 212.26.146.226

dig @212.26.146.227 streetandstrutcheckout.com A +noauth +noqu +noadd +norec
;; flags: qr <-- NO RESOLUTION

dig @212.26.146.227 intersecurepay.com A +noauth +noqu +noadd +norec
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
intersecurepay.com A 212.26.146.227

There are no NS records for intersecurepay.com in the root servers
(it, too, has status of clientHold).

Well, the two street and strut (lost) domains are not resolved,
but the spammer's current sites are *authoritatively resolved*.


Let me check at 212.26.146.226 and 212.26.146.227 for both the
starting spamvertized page (http://www.21springshoe.com)
and other order form (https://www.designerscheckout.com/gw2/paymentgw.php
with a POST of the product selection data).

* Connected to 212.26.146.226
GET / HTTP/1.1
Host: www.21springshoe.com

HTTP/1.1 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
[title]Prestige Watches[/title]


* Connected to 212.26.146.227
GET / HTTP/1.1
Host: www.21springshoe.com

HTTP/1.1 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
[title][/title]

The page at 212.26.146.226 is byte-for-byte identical with
those obtained from the other IP addresses but there is a
difference in the headers. Above one sees proxy type headers,
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid),
from the other sites which apparently proxy data from somewhere.
212.26.146.226 DOES NOT HAVE THE PROXY HEADERS, IT APPEARS TO
BE THE REAL LOCATION.

212.26.146.227 simply returns a blank page.


* Connected to 212.26.146.226
POST /gw2/paymentgw.php HTTP/1.1
Host: www.designerscheckout.com

HTTP/1.1 200 OK
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
[title]Prestige Footwear[/title]


* Connected to 212.26.146.227
POST /gw2/paymentgw.php HTTP/1.1
Host: www.designerscheckout.com

HTTP/1.1 404 Not Found
Server: Apache/2.0.61 (Unix) mod_ssl/2.0.61 OpenSSL/0.9.8b mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_auth_passthrough/2.1 PHP/5.2.5
[title]404 Not Found[/title]

and again, the pages obtained from the other IP addresses
are byte-for-byte identical with that obtained from
212.26.146.226 with an exception in the headers.
212.26.146.226 DOES NOT APPEAR TO BE PROXYING THE DATA
FROM ELSEWHERE!!!
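The probing above does two things: it connects to a bare IP address while
sending the Host header of the spamvertized name (the "forced resolution"),
and it compares what comes back, looking for proxy headers (Via, X-Cache)
and for byte-for-byte identical bodies. The following is an added example,
not code from the original post, that automates both steps: probe() performs
the forced-Host request, parse_raw() handles a response captured by other
means (e.g. with curl -i), and find_origins() groups the results by body hash
and picks out the hosts that answered without proxy headers, which is the
reasoning used above to single out 212.26.146.226. The two sample responses
are constructed inline, not the page's captures, so the example runs offline.

```python
import hashlib
import http.client
import re
import ssl

# Headers that squid-style front ends add; their absence is what marks
# a candidate origin in the analysis above.
PROXY_HEADERS = ("via", "x-cache", "x-cache-lookup", "x-forwarded-for")


def summarize(status, headers, body):
    """Reduce one response to the fields worth comparing across hosts."""
    lower = {k.lower(): v for k, v in headers}
    m = re.search(rb"<title>(.*?)</title>", body, re.I | re.S)
    return {
        "status": status,
        "server": lower.get("server", ""),
        "proxy_headers": [h for h in PROXY_HEADERS if h in lower],
        "cookie": lower.get("set-cookie", ""),
        "title": m.group(1).decode(errors="replace").strip() if m else "",
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }


def parse_raw(raw):
    """Parse a raw HTTP/1.x response (status line, headers, blank line, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers.append((k.strip(), v.strip()))
    return summarize(status, headers, body)


def probe(ip, host, path, body=None, use_tls=False, timeout=10):
    """Live check: connect to the bare IP but send the spamvertized Host name.
    Certificate verification is off on purpose: the cert will name the
    domain, not the IP, and we want to see what every node serves."""
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(ip, 443, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    headers = {"Host": host}
    if body is not None:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    conn.request("POST" if body is not None else "GET", path, body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return summarize(resp.status, list(resp.getheaders()), data)


def find_origins(results):
    """results: {ip: summary}. Returns (groups keyed by body hash,
    set of IPs that answered without any proxy headers)."""
    groups = {}
    for ip, s in results.items():
        groups.setdefault(s["body_sha256"], []).append(ip)
    origins = {ip for ip, s in results.items() if not s["proxy_headers"]}
    return groups, origins


# Constructed sample captures: one front-end node with squid headers and
# one host answering directly, both serving the same body.
SAMPLE_PROXIED = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Apache/2.0.61 (Unix)\r\n"
    b"X-Cache: MISS from loadbalancer\r\n"
    b"Via: 1.0 loadbalancer:80 (squid)\r\n"
    b"Set-Cookie: intersecurepay=abc123; path=/\r\n"
    b"\r\n"
    b"<html><head><title>Prestige Footwear</title></head><body>order form</body></html>"
)
SAMPLE_DIRECT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.0.61 (Unix)\r\n"
    b"Set-Cookie: intersecurepay=def456; path=/\r\n"
    b"\r\n"
    b"<html><head><title>Prestige Footwear</title></head><body>order form</body></html>"
)
```

For a live run, collect probe(ip, "www.designerscheckout.com",
"/gw2/paymentgw.php", body=form_data, use_tls=True) for each IP in the
nameserver and A-record set and hand the dict to find_origins(); the cookie
field varies per request, so it is kept out of the hash deliberately.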

IP ADDRESS 212.26.146.226 [WEB SERVER AND NAMESERVER]
IP ADDRESS 212.26.146.227 [NAMESERVER]
-----------------------------------------------------
IP address 212.26.146.226 is found listed at sbl.spamhaus.org
IP address 212.26.146.227 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 212.26.146.224 - 212.26.146.255
netname: UA-TANHOST
descr: TANHOST
country: UA
e-mail: n...@adamant.net
146.26.212.in-addr.arpa has SOA hostm...@adamant.net
[whois.abuse.net]
postm...@adamant.net (for adamant.net)
sup...@adamant.ua (for adamant.net)
ab...@adamant.net (for adamant.net)
This is on Autonomous System Number 8788
aut-num: AS8788
as-name: ADAMANT
descr: Adamant ISP autonomous System
descr: Kyiv, Ukraine
admin-c: ADAM2-RIPE n...@adamant.net
ma...@adamant.net
ra...@adamant.net
xe...@adamant.net
-----------------------------------------------------

SPAMMER'S IMAGE HOST: http://www.cdv084.com/affiliate/cart/images/[varies]

The site does not load its images using relative URLs

http://www.cdv084.com/affiliate/cart/images/products/picture_7MSH168-071212.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_7MSH168-071212.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_7MSH168-07121.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_7MSH168-08042-3.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_7MSH168-101317-BUBERRY.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_7MSH180-092826-GUCCI.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_7MSH180-10284-D&G.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_7WSH152-10072-GUCCI.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_7WSH165-100718-CHANEL.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_7WSH165-100723-GUCCI-B.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_7WSH350-11154.-CHANEL-2.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_7WSH350-11158-DIOR.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_7WSH400-11152-UGG-3.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_audemars-piguet-002-T.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_breitling-120-T.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_bvlgari-115-T.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_cartier-132-T.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_ch010-T.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_chopard-106-T.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_chopard-108-T.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_franck-muller-015-T.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_franck-muller-025-T.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_gucci-360-03129-T.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_PA104-T.jpg
http://www.cdv084.com/affiliate/cart/images/products/thumb_RX0116-T.jpg

======================================================
For the host:
"www.cdv084.com"

NAMESERVERS listed in the root servers for cdv084.com:
------------------------------------------------------
cdv084.com NS ns1.talkns.com
cdv084.com NS ns2.talkns.com
cdv084.com NS ns3.talkns.com
ns1.talkns.com A 116.199.136.61
ns2.talkns.com A 218.61.22.239
ns3.talkns.com A 116.199.135.191

[extract from dig]
------------------
dig @116.199.135.191
www.cdv084.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.cdv084.com A 211.118.190.4

dig @116.199.136.61
www.cdv084.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.cdv084.com A 211.118.190.4

dig @218.61.22.239
www.cdv084.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.cdv084.com A 211.118.190.4
======================================================

Domain Name: CDV084.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS1.TALKNS.COM
Name Server: NS2.TALKNS.COM
Name Server: NS3.TALKNS.COM
Status: ok
Updated Date: 28-feb-2008
Creation Date: 15-jan-2008
Expiration Date: 15-jan-2009


Nothing new here. Let me check at the other IP addresses
by forcing the resolution and attempting to get the image
http://www.cdv084.com/affiliate/cart/images/products/thumb_7MSH168-071212.jpg


* Connected to 58.253.71.112
GET /affiliate/cart/images/products/thumb_7MSH168-071212.jpg HTTP/1.1
Host: www.cdv084.com

HTTP/1.0 200 OK
Server: Apache/1.3.37 (Unix) PHP/5.2.1 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Content-Length: 3955
Content-Type: image/jpeg
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)


* Connected to 116.199.135.168
GET /affiliate/cart/images/products/thumb_7MSH168-071212.jpg HTTP/1.1
Host: www.cdv084.com

HTTP/1.0 200 OK
Server: Apache/1.3.37 (Unix) PHP/5.2.1 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Content-Length: 3955
Content-Type: image/jpeg
X-Cache: HIT from loadbalancer
Via: 1.0 loadbalancer:80 (squid)


* Connected to 116.199.135.191
GET /affiliate/cart/images/products/thumb_7MSH168-071212.jpg HTTP/1.1
Host: www.cdv084.com

HTTP/1.0 200 OK
Server: Apache/1.3.37 (Unix) PHP/5.2.1 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Content-Length: 3955
Content-Type: image/jpeg
X-Cache: HIT from loadbalancer
Via: 1.0 loadbalancer:80 (squid)


* Connected to 116.199.136.61
GET /affiliate/cart/images/products/thumb_7MSH168-071212.jpg HTTP/1.1
Host: www.cdv084.com

HTTP/1.0 200 OK
Server: Apache/1.3.37 (Unix) PHP/5.2.1 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Content-Length: 3955
Content-Type: image/jpeg
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)


* Connected to 116.199.138.24
GET /affiliate/cart/images/products/thumb_7MSH168-071212.jpg HTTP/1.1
Host: www.cdv084.com

HTTP/1.0 200 OK
Server: Apache/1.3.37 (Unix) PHP/5.2.1 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Content-Length: 3955
Content-Type: image/jpeg
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)


* Connected to 118.129.65.92
GET /affiliate/cart/images/products/thumb_7MSH168-071212.jpg HTTP/1.1
Host: www.cdv084.com

HTTP/1.0 200 OK
Server: Apache/1.3.37 (Unix) PHP/5.2.1 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Content-Length: 3955
Content-Type: image/jpeg
X-Cache: MISS from loadbalancer
Via: 1.0 loadbalancer:80 (squid)


* Connected to 211.118.190.4
GET /affiliate/cart/images/products/thumb_7MSH168-071212.jpg HTTP/1.1
Host: www.cdv084.com

HTTP/1.0 200 OK
Server: Apache/1.3.37 (Unix) PHP/5.2.1 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Content-Length: 3955
Content-Type: image/jpeg
X-Cache: HIT from loadbalancer
Via: 1.0 loadbalancer:80 (squid)


* Connected to 218.61.22.239
GET /affiliate/cart/images/products/thumb_7MSH168-071212.jpg HTTP/1.1
Host: www.cdv084.com

HTTP/1.0 200 OK
Server: Apache/1.3.37 (Unix) PHP/5.2.1 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Content-Length: 3955
Content-Type: image/jpeg
X-Cache: HIT from loadbalancer
Via: 1.0 loadbalancer:80 (squid)


* Connected to 221.122.64.14
GET /affiliate/cart/images/products/thumb_7MSH168-071212.jpg HTTP/1.1
Host: www.cdv084.com

HTTP/1.0 200 OK
Server: Apache/1.3.37 (Unix) PHP/5.2.1 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
Content-Length: 3955
Content-Type: image/jpeg
X-Cache: HIT from loadbalancer
Via: 1.0 loadbalancer:80 (squid)


SPAM SUPPORT: REGISTRAR

The currently resolving hosts are www.21springshoe.com
and www.designerscheckout.com. There are a few registrars
who seem often to be used by spammers. One in particular,
xinnet.com (paycenter.com.cn), an accredited registrar, seems
to be handling fast-flux botnet hosted spammers (in particular
the Canadian Pharmacy spammer), providing nameserver services
for others, etc. When they are involved it is hard for me
to think them innocent. They should, if involved, be reported
to ICANN.

Who are the registrars this time?

Domain Name: 21SPRINGSHOE.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS1.S4455.COM
Name Server: NS2.S4455.COM
Name Server: NS3.S4455.COM
Status: ok
Updated Date: 02-apr-2008
Creation Date: 01-apr-2008
Expiration Date: 01-apr-2009

Domain Name: DESIGNERSCHECKOUT.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS1.NODNS2.COM
Name Server: NS2.NODNS2.COM
Name Server: NS3.NODNS2.COM
Status: ok
Updated Date: 20-mar-2008
Creation Date: 20-mar-2008
Expiration Date: 20-mar-2009

DAMN! xinnet **AGAIN!**


SPAMMER's CERTIFICATE AUTHORITY:

Finally, the order site is secure (well, at least the transmission
of data is secure, https, though beyond that ....)
and has a godaddy security certificate

subject: /O=designerscheckout.com
/OU=Domain Control Validated
/CN=designerscheckout.com
start date: 2008-03-25 15:33:07 GMT
expire date: 2009-03-25 15:33:07 GMT
issuer: /C=US
/ST=Arizona
/L=Scottsdale/O=GoDaddy.com, Inc.
/OU=http://certificates.godaddy.com/repository
/CN=Go Daddy Secure Certification Authority
/serialNumber=07969287

but while the site has a valid godaddy certificate for its name,
it shows a different certificate on the page itself!

The site sports A GODADDY SEAL ON THE SITE ITSELF (swf format)
https://seal.godaddy.com/getSeal?sealID=38759421409affe8b1271165f3d663517d47051607070
javascript
var dn = "streetandstrutcheckout.com"
var o = "streetandstrutcheckout.com"
...
to load an SWF version and link to plain HTML,
var url = baseURL + '/verifySeal?sealID=38759421409affe8b1271165f3d663517d47051607070'
(baseURL=https://seal.godaddy.com:443)


This Web site is secured with a GoDaddy.com Web Server
Certificate. Transactions on the site are protected with up to
256-bit Secure Sockets Layer encryption.

Domain Control Verified
GoDaddy.com has verified that the certificate holder controls
the domain: streetandstrutcheckout.com

Site Name
streetandstrutcheckout.com

Certificate Status
Certificate is valid (12/12/2007 - 12/12/2008)
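The point above is that two different things vouch for two different names:
the certificate actually presented on the TLS connection is for
designerscheckout.com, while the GoDaddy seal embedded in the page links to a
verification record for streetandstrutcheckout.com. A seal is just a script
and a link; it says nothing about the connection the visitor is on. The
following is an added example, not code from the original post, that pulls
the declared domain out of the seal's "var dn" javascript, compares it with
the hostname being visited and with the names in the presented certificate,
and reports the mismatch. The certificate dict is constructed in the shape
ssl.getpeercert() returns and mirrors the subject shown above; the
subjectAltName entries and the wildcard test case are assumptions for
illustration. fetch_cert() is the live variant; note that getpeercert()
returns an empty dict unless the chain validated, so it keeps verification on
and only relaxes the hostname check (the bare IP would never match anyway).

```python
import re
import socket
import ssl

SEAL_DN_RE = re.compile(r'var\s+dn\s*=\s*"([^"]+)"')


def fetch_cert(ip, server_hostname, port=443, timeout=10):
    """Live check: return the leaf certificate dict presented at ip:port.
    Chain validation stays on (an empty dict means it did not validate);
    only the hostname-vs-IP check is disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """Subject CN plus DNS subjectAltNames, lower-cased."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(cert, hostname):
    """Exact match, or a single-label wildcard match (*.example.com)."""
    hostname = hostname.lower()
    for n in cert_names(cert):
        if n == hostname:
            return True
        if (n.startswith("*.") and hostname.count(".") == n.count(".")
                and hostname.endswith(n[1:])):
            return True
    return False


def seal_domain(js_text):
    """Domain the GoDaddy seal script declares it is vouching for."""
    m = SEAL_DN_RE.search(js_text)
    return m.group(1).lower() if m else None


def check_site(cert, hostname, seal_js):
    """Cross-check the visited hostname, the presented cert and the seal."""
    sd = seal_domain(seal_js)
    return {
        "cert_matches_host": name_matches(cert, hostname),
        "seal_domain": sd,
        "seal_matches_host": sd == hostname.lower(),
        "seal_matches_cert": bool(sd) and name_matches(cert, sd),
    }


# Constructed sample certificate dict (shape of ssl.getpeercert()); the SAN
# list is assumed, the subject fields mirror the certificate shown above.
SAMPLE_CERT = {
    "subject": ((("organizationName", "designerscheckout.com"),),
                (("organizationalUnitName", "Domain Control Validated"),),
                (("commonName", "designerscheckout.com"),)),
    "subjectAltName": (("DNS", "designerscheckout.com"),
                       ("DNS", "www.designerscheckout.com")),
    "notBefore": "Mar 25 15:33:07 2008 GMT",
    "notAfter": "Mar 25 15:33:07 2009 GMT",
}
# The seal script's declarations as quoted above.
SAMPLE_SEAL_JS = 'var dn = "streetandstrutcheckout.com"\nvar o = "streetandstrutcheckout.com"\n'
```

check_site(SAMPLE_CERT, "www.designerscheckout.com", SAMPLE_SEAL_JS) reports
that the certificate matches the host but the seal matches neither the host
nor the certificate, which is exactly the inconsistency described above; a
visitor who trusts the seal is trusting a record for a different site.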

SPAMMER's BOOKMARK SITE: http://www.celebshoes21.com

Above I showed the code for an old URL in a Javascript bookmark function.
On the first page one finds
window.external.Addfavorite('http://www.streetnstrut.com','Prestige Footwear');
but on later pages one finds
window.external.Addfavorite('http://www.celebshoes21.com','Prestige Watches');
where:

============================================================
For the host:
"www.celebshoes21.com"

NAMESERVERS listed in the root servers for celebshoes21.com:
------------------------------------------------------------
celebshoes21.com NS ns1.talkns.com
celebshoes21.com NS ns2.talkns.com
celebshoes21.com NS ns3.talkns.com
ns1.talkns.com A 116.199.136.61
ns2.talkns.com A 218.61.22.239
ns3.talkns.com A 116.199.135.191

[extract from dig]
------------------
dig @116.199.135.191
www.celebshoes21.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.celebshoes21.com A 211.118.190.4

dig @116.199.136.61
www.celebshoes21.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.celebshoes21.com A 211.118.190.4

dig @218.61.22.239
www.celebshoes21.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.celebshoes21.com A 211.118.190.4
============================================================

Nothing new.

Domain Name: CELEBSHOES21.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS1.TALKNS.COM
Name Server: NS2.TALKNS.COM
Name Server: NS3.TALKNS.COM
Status: ok
Updated Date: 05-mar-2008
Creation Date: 05-mar-2008
Expiration Date: 05-mar-2009

===========================================================
[ORIGINAL SPAM: with angle brackets, such as "<", converted
to square brackets, such as "[", so as not
to affect HTML enabled mail/news readers.]

Return-Path: <_my_n...@landacpa.com>
Received: from CDB8C2F37DC548A ([221.206.199.161])
by _my_isp_ (xxx) with SMTP id m338cXRh095051
for <_my_email_address_>; Thu, 3 Apr 2008 04:38:41 -0400 (EDT)
(envelope-from _my_n...@landacpa.com)
Date: Thu, 3 Apr 2008 04:38:33 -0400 (EDT)
X-Originating-IP: [221.206.199.161]
X-Originating-Email: [_my_email_address_]
X-Sender: _my_email_address_
Received: (qmail 2488 by uid 381); Thu, 3 Apr 2008 04:38:41 +0800
Message-Id: <20080403123841.2490.qmail@CDB8C2F37DC548A>
To: <xxx>
Subject: RE: Gucci 579047
From: <_my_email_address_>
xxxMIME-Version: 1.0
xxxContent-Type: text/html; charset="ISO-8859-1"
xxxContent-Transfer-Encoding: 7bit
X-UIDL: :B4!!jc^!!7j_"!`3D!!
Status: RO
X-Status:
X-Keywords:
X-UID: 14

[!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"]
[html]
[head]
[meta]
[meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/]
[title]Gucci[/title]
[/head]


[div style="text-align:center;"]
[map id="guccius" name="guccius"]
[area target="_blank" href="http://www.21springshoe.com"
alt="gucci invites you to shop our spring men&#x002019;s accessories catalog" shape="rect" coords="0,30,444,0"/]
[area target="_blank" href="http://www.21springshoe.com"
alt="gucci invites you to shop our spring men&#x002019;s accessories catalog" shape="rect" coords="440,145,669,170"/]
[area target="_blank" href="http://www.21springshoe.com"
alt="complimentary shipping for all gucci.com purchases" shape="rect" coords="520,181,595,205"/]
[/map]
[map id="guccius2" name="guccius2"]
[area target="_blank" href="http://www.21springshoe.com"
alt="shop our shoe collection" shape="rect" coords="24,22,198,44"/]
[area target="_blank" href="http://www.21springshoe.com"
alt="shop our jewelry collection" shape="rect" coords="476,22,668,44"/]
[/map]
[table cellpadding="0" cellspacing="0" border="0" width="680" style="background-color:#e6e6e6;"]
[tr]
[td align="center"][span style="font-size:10px;color:#a1a1a1;font-family:arial, verdana, helvetica, sans-serif;"][br /]To ensure delivery to your inbox (not bulk or junk folders), please add gu...@announcement.gucci.com to your address book.[br/]&nbsp;[/span][/td]
[/tr]
[tr]
[td align="center" style="background-color:#e6e6e6;color:#a1a1a1;"]
[img src="http://announcement.gucci.com/content/25010/Gucci/ecard_mcatalog_ss08_US_ENG_v3_00.jpg" width="693" height="401" usemap="#guccius"
alt="Gucci invites you to shop our spring men&#x002019;s accessories catalog" style="border-width:0px;"/][/td]
[/tr]
[tr]
[td align="center" style="background-color:#e6e6e6;color:#a1a1a1;"]
[img src="http://announcement.gucci.com/content/25010/Gucci/ecard_mcatalog_ss08_US_ENG_v3_01.jpg" width="693" height="404" usemap="#guccius2"
alt="Gucci invites you to shop our spring men&#x002019;s accessories catalog" style="border-width:0px;"/][/td]
[/tr]
[tr]
[td align="left" style="background-color:#e6e6e6;"]
[table cellpadding="0" cellspacing="0" border="0" style="margin-left:30px;"]

[tr]
[td][span style="font-size:6px;"]&nbsp;[/span][/td]
[/tr] [tr]
[td][span style="font-size:10px;color:#a1a1a1;font-family:arial, verdana, helvetica, sans-serif;"][a rel="nofollow" target="_blank" href="http://www.21springshoe.com" style="color:#a1a1a1;"]Unsubscribe[/a] | [a rel="nofollow"
target="_blank" href="http://www.21springshoe.com"]Privacy Policy[/a][/span][/td]

[/tr]
[tr]
[td][span style="font-size:10px;color:#a1a1a1;font-family:arial, verdana, helvetica, sans-serif;"]Unable to view? Please go to [a rel="nofollow" target="_blank" href="http://www.21springshoe.com"
style="color:#a1a1a1;"]http://www.gucci.com/e/b/us/ss08mc[/a][/span][/td]
[/tr]
[tr]
[td][span style="font-size:10px;color:#a1a1a1;font-family:arial, verdana, helvetica, sans-serif;"]You have subscribed to receive Gucci email communication. US Corporate Address: 685 Fifth Avenue, New York, NY, 10022, USA[/span][/td]
[/tr]

[tr]
[td][span style="font-size:6px;"]&nbsp;[/span][/td]
[/tr]
[/table]
[/td]
[/tr]
[/table]
[/div]
[span class="emailversionus" style=""]&nbsp;[/span]

[img src="http://announcement.gucci.com/images/mlopen_post.html?rtr=on&siteid=25010&mid=189641&mlid=9247&uid=513245cf9d"][/html]

--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified
unless stated otherwise by the moderators. All opinions expressed above are
considered the opinions of the original poster, not the moderators or their
respective employers. For a copy of the guidelines to this group, see:
http://www.killfile.org/~tskirvin/nana/
