Spamvert:
www.liftplural.com => botnet
liftplural.com Resolved to 222.100.5.23 to 24.38.202.179 to
58.120.141.224 to 61.64.12.176 to 68.34.45.204 to 71.7.210.253 to
84.47.19.216 to 88.206.173.72 to 91.89.22.206 to 91.89.156.151 to
99.232.153.152 to 99.246.199.118 to 118.171.54.124 to 123.98.165.113
to 123.140.78.146 to 158.195.168.218 to 202.126.117.43 to
218.253.213.197 to 218.254.115.36 to 220.149.65.194
NEW:
ns0.axrpss.com IP 222.166.132.30
ns0.lutrwpghd.com = 123.202.194.61 => New
ns0.lutrwpghd.com IP 221.126.94.65
ns0.lutrwpghd.com IP 84.245.204.131
ns0.sjrbofa.com IP 202.126.117.43
ns0.vqwgds.com IP 221.127.245.4
ns0.vqwgds.com IP 79.164.123.55 => New
ns.xinnetdns.com IP 210.51.170.66 => SBL63236 at cncgroup-bj
ns.xinnet.cn IP 210.51.171.209 => SBL63236 at cncgroup-bj
Title: European Pharmacy (aka Canadian Pharmacy)
WEB:
© Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved.
Much More Canadian Pharmacy sightings:
http://groups.google.com/groups/search?q=%22Canadian+Pharmacy%22+group%3A*abuse&start=0&scoring=d&
Plenty of Forged Certificates and logos as always.
More info below:
==================
X-SID-PRA: tini Olney <_en...@frischkost.de>
X-Message-Info: 6sSXyD95QpVyvkWxNhXHSRRS9c9RHwbQJzpbU8XFTa2xjy/5yJInNBES9OjIYpG+6F5CMmcY2t//sBRmLevLCA=
Received: from tomts2-srv.bellnexxia.net ([209.226.175.114]) by bay0-pamc1-f1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Tue, 18 Mar 2008 15:31:42 -0700
Received: from toip20.srvr.bell.ca ([67.69.240.22])
by toip50.srvr.bell.ca with ESMTP; 18 Mar 2008 18:31:37 -0400
Received: from [MUNGED]
by toip20.srvr.bell.ca with ESMTP; 18 Mar 2008 18:31:36 -0400
Received: (qmail 32118 invoked by uid 110); 18 Mar 2008 18:31:36 -0400
Delivered-To: [MUNGED]
Received: (qmail 32107 invoked from network); 18 Mar 2008 18:31:35 -0400
Received: from 156.144-224-87.telenet.ru (87.224.144.156)
by [MUNGED] with SMTP; 18 Mar 2008 18:31:35 -0400
Message-ID: <000f01c88947$d1e1d220$509dc152@mediapilot>
From: "tini Olney" <_en...@frischkost.de>
To: [MUNGED]
Subject: enegraf
Date: Wed, 19 Mar 2008 03:31:33 +0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--------=_NextPart_000_000B_01C88971.BAB7DA20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Return-Path: _en...@frischkost.de
X-OriginalArrivalTime: 18 Mar 2008 22:31:43.0024 (UTC) FILETIME=[D770DB00:01C88947]
----------=_NextPart_000_000B_01C88971.BAB7DA20
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
An amazing growth of your stick!
Your incredible new huge love-stick!
----------=_NextPart_000_000B_01C88971.BAB7DA20
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.3199" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT Arial size=3D2>An amazing growth of your stick!</FONT></DIV>
<A href=3D"http://liftplural.com">Your incredible new huge=20
love-stick!</A></BODY></HTML>
----------=_NextPart_000_000B_01C88971.BAB7DA20--
-- END OF SPAM --
See also European Pharmacy sightings:
http://groups.google.com/groups/search?q=%22European+Pharmacy%22+group%3A*abuse*&qt_s=Search
Identical spam as for collectwhole.com, planerise.com, seapast.com,
moonshort.com, letterclock, samegentle.com => All Botnet
OLD Listing:
SBL61248 - ROK4932 / SBL61418, SBL61896, SBL62483
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK4932
WEB:
Licensed by The College of Pharmacists of British Columbia.
If you have any questions or concerns you can contact the college at
200-1765 West 8th Ave. Vancouver, BC, Canada V6J 5C6
You may contact us at +1(210) 888-9089, please, keep your order I.D.
every time you make a call
© Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved.
More spammer sightings:
http://groups.google.com/groups/search?q=%22September+70%25%22+group%3A*abuse&start=0&scoring=d&
See:
IP 87.224.144.156 156.144-224-87.telenet.ru
http://moensted.dk/spam/?addr=87.224.144.156
Listed in PSBL, see http://psbl.surriel.com/listing?ip=87.224.144.156
inetnum: 87.224.144.0 - 87.224.144.255
netname: KABINET
descr: Teleset-Servis Ltd.
descr: Russian Federation, Ekaterinburg
country: RU
person: Ilya Lebedev
address: Teleset-Service Ltd.
address: 13, 8 Marta st.,
address: Yekaterinburg
address: Russia
phone: +7 343 3776193
fax-no: +7 343 3776659
e-mail: i.le...@telenet.ru
person: Alex Tsarkov
address: Teleset-Servis Ltd.
address: 13-111 Antona Valeka str., Ekaterinburg, Russia
e-mail: t...@telenet.ru
person: Andrew Alcheyev
address: Teleset-Servis Ltd.
address: 13-111 Antona Valeka str.
address: Ekaterinburg, Russia
e-mail: bu...@telenet.ru
route: 87.224.128.0/17
descr: KABINET internet workspace
origin: AS35154
mnt-by: TELENET1-MNT
changed: bu...@telenet.ru
AS Name: TELENET-AS Autonomous System of Teleset-Servis Ltd.
http://www.cidr-report.org/cgi-bin/as-report?as=35154
Spamvert:
www.liftplural.com => botnet
liftplural.com has no MX records
ns.xinnetdns.com IP 210.51.170.66
ns.xinnet.cn IP 210.51.171.209
See IP rDNS on botnet:
222.100.5.23 no PTR at KORnet / kt.co.kr / Korea
24.38.202.179 = static-host-24-38-202-179.patmedia.net
58.120.141.224 no PTR at HANANET / hanaro.com / Korea
61.64.12.176 no PTR at phoenix.net.tw / QTCN-ASN1 GCNet (Reach & Range Inc.)
68.34.45.204 = c-68-34-45-204.hsd1.dc.comcast.net
71.7.210.253 = blk-7-210-253.eastlink.ca
84.47.19.216 = adsl-d216.84-47-19.t-com.sk
88.206.173.72 = 88-206-173-72.highlandnet.se
91.89.22.206 = hsi-kbw-091-089-022-206.hsi2.kabelbw.de
91.89.156.151 no PTR at kabelbw.de / KabelBW / byteaction.de
99.232.153.152 = cpe0013d3e9ffdc-cm000a73a86479.cpe.net.cable.rogers.com
99.246.199.118 = cpe000039358968-cm000039358868.cpe.net.cable.rogers.com
118.171.54.124 = 118-171-54-124.dynamic.hinet.net
123.98.165.113 no PTR KNCTV / gsgbi.co.kr / epnetworks.co.kr / Korea
123.140.78.146 no PTR bora.net / LGDACOM / Korea
158.195.168.218 no PTR / SANET Slovak / COMUNI-NET
202.126.117.43 no PTR HAIONNET / kornet.net / Korea
218.253.213.197 = cm218-253-213-197.hkcable.com.hk
218.254.115.36 = cm218-254-115-36.hkcable.com.hk
220.149.65.194 no PTR at Hoseo Univ / KREN-HSUNI / Korea
Let's see whois.paycenter.com.cn:
Domain Name: liftplural.com
Registrant:
liu bin
hai kou
891000
Administrative Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 898 1234567
fax: 898 1234567
cnclinp[]21cn.com
Technical Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 1234567
fax: 1234567
cnc...@21cn.com
Billing Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 1234567
fax: 1234567
cnc...@21cn.com
Registration Date: 2008-03-05
Update Date: 2008-03-05
Expiration Date: 2009-03-05
Primary DNS: ns.xinnetdns.com 210.51.170.66
Secondary DNS: ns.xinnet.cn 210.51.171.209
See also cnc...@21cn.com sightings:
http://groups.google.com/groups/search?q=%22cnclinp%4021cn.com%22+group%3A*abuse*&qt_s=Search
SEE ALSO:
hostnames sharing ip with a-records
See:
ns.xinnetdns.com IP 210.51.170.66
http://moensted.dk/spam/?addr=210.51.170.66
http://www.spamhaus.org/query/bl?ip=210.51.170.66
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL63236
210.51.160.0/20 is listed on the Spamhaus Block List (SBL)
10-Mar-2008 21:51 GMT | SR02
flowexpo and other bulletproof hosting (escalation)
More than 170 total SBL listings in this /16
inetnum: 210.51.160.0 - 210.51.175.255
netname: CNC-BJ-IDC2
country: CN
descr: Beijing YiZhuang IDC of China Netcom
admin-c: CH140-AP
tech-c: TJ35-AP
status: ALLOCATED NON-PORTABLE
changed: cnci...@china-netcom.com
role: CNCIDC hostmaster
address: No.1,Beihuan Donglu,BDA,Beijing,China
country: CN
phone: +8610 6787 5599
fax-no: +8610 6787 8624
e-mail: cnci...@china-netcom.com
trouble: tech-...@china-netcom.com
person: Tao Jiang
nic-hdl: TJ35-AP
e-mail: bjidc-...@cnc.cn
changed: jian...@cnc.cn
changed: zha...@china-netcom.com
mntner: MAINT-CN-BJIDC
upd-to: bjidc-...@china-netcom.com
route: 210.51.0.0/16
descr: CHINA NETCOM
origin: AS9929
mnt-by: MAINT-AS9929
changed: xu...@china-netcom.com
route: 210.51.0.0/16
descr: CNC Group CncNet
country: CN
origin: AS9929
mnt-by: MAINT-CNCGROUP-RR
changed: ab...@cnc-noc.net
route: 210.51.0.0/16
descr: CNC Route Object
origin: AS9929
member-of: rs-Secondary
mnt-by: CHINANETCOM-MNT
changed: liu...@china-netcom.com
AS Name: CNCNET-CN China Netcom Corp.
http://www.cidr-report.org/cgi-bin/as-report?as=9929
14 SBL/ROKSO listings for IPs under the responsibility of cncgroup-bj
http://www.spamhaus.org/sbl/listings.lasso?isp=cncgroup-bj
So Much More xinnetdns.com sightings:
http://groups.google.com/groups/search?q=xinnetdns.com+group%3A*abuse*&qt_s=Search
See:
ns.xinnet.cn IP 210.51.171.209
http://moensted.dk/spam/?addr=210.51.171.209
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL63236
So Much More xinnet.cn sightings:
http://groups.google.com/groups/search?q=xinnet.cn+group%3A*abuse*&qt_s=Search
See:
ns0.axrpss.com IP 222.166.132.30
ns0.axrpss.com has no MX records -> axrpss.com has no MX records
http://moensted.dk/spam/?addr=222.166.132.30
222.166.132.30 = cm222-166-132-30.hkcable.com.hk
inetnum: 222.166.0.0 - 222.166.255.255
netname: HKCABLE-HK
descr: HK Cable TV Ltd
descr: Cable Multi-Media Services
country: HK
AS Name: HKCABLE2-HK-AP HK Cable TV Ltd
http://www.cidr-report.org/cgi-bin/as-report?as=9908
Let's see whois.paycenter.com.cn:
Domain Name: AXRPSS.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: ok
Updated Date: 13-mar-2008
Creation Date: 13-mar-2008
Expiration Date: 13-mar-2009
See:
ns0.lutrwpghd.com IP 221.126.94.65
ns0.lutrwpghd.com has no MX records -> lutrwpghd.com has no MX records
inetnum: 221.124.0.0 - 221.127.255.255
netname: HGC
descr: Hutchison Global Communications
country: HK
changed: and...@hgc.com.hk
AS Name: HUTCHISON-AS-AP Hutchison Global Communications
http://www.cidr-report.org/cgi-bin/as-report?as=9304
See:
ns0.lutrwpghd.com IP 84.245.204.131
84.245.204.131 = customer-204.131.livas.lv
inetnum: 84.245.192.0 - 84.245.223.255
netname: LIVASTELECOMMUNICATION
descr: Cable Internet Home users based on DOCSIS standard.
country: LV
route: 84.245.192.0/18
descr: Livas Net SIA
origin: AS34001
mnt-by: LIVAS-MNT
changed: dja...@livas.lv
AS Name:
http://www.cidr-report.org/cgi-bin/as-report?as
Let's see whois.paycenter.com.cn:
Domain Name: LUTRWPGHD.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: ok
Updated Date: 13-mar-2008
Creation Date: 13-mar-2008
Expiration Date: 13-mar-2009
See:
ns0.sjrbofa.com IP 202.126.117.43
IPv4 Address : 202.126.117.0-202.126.117.63
Network Name : DAEWOOENGINEERING
Connect ISP Name : HAIONNET
Organization ID : ORG102436
Org Name : Daewoo-engineering
Address : Yeoksam-dong, Gangnam-gu, Seoul
E-Mail : dom...@haion.net
E-Mail : jac...@haion.net
E-Mail : sc...@haion.net
route: 202.126.112.0/21
descr: HAIONNET
origin: AS10195
mnt-by: MAINT-AS4766
changed: chs...@kornet.net
Let's see whois.paycenter.com.cn:
Domain Name: SJRBOFA.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: ok
Updated Date: 13-mar-2008
Creation Date: 13-mar-2008
Expiration Date: 13-mar-2009
See:
ns0.vqwgds.com IP 221.127.245.4
inetnum: 221.124.0.0 - 221.127.255.255
netname: HGC
descr: Hutchison Global Communications
country: HK
route: 221.124.0.0/14
descr: HutchCity
origin: AS9304
mnt-by: MAINT-AS9304
changed: ra...@hutchcity.com
Let's see whois.paycenter.com.cn:
Domain Name: VQWGDS.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: ok
Updated Date: 13-mar-2008
Creation Date: 13-mar-2008
Expiration Date: 13-mar-2009
Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/01b95e17d8099c02
And:
http://groups.google.com/group/news.admin.net-abuse.email/msg/6c15c2b98d46bd38
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/dec4c60efb5f131a
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/6511468da34ed4f0
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/934518fa4c4a851d
Cheers, Tomez
--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified
unless stated otherwise by the moderators. All opinions expressed above are
considered the opinions of the original poster, not the moderators or their
respective employers. For a copy of the guidelines to this group, see:
http://www.killfile.org/~tskirvin/nana/