
[email] [drugs - Canadian Pharmacy botnet] [72.54.88.225] (collectwhole.com / xinnetdns.com / xinnet.cn) mnoc


TomezNet

Mar 17, 2008, 3:46:17 AM
Received From:
IP 72.54.88.225
(at cbeyond.net)

Spamvert:
www.collectwhole.com => botnet
collectwhole.com Resolved to 221.165.74.218 to 71.130.194.27 to
78.106.32.252 to 78.106.40.189 to 78.106.56.27 to 78.106.81.198 to
78.106.121.85 to 78.106.195.189 to 88.134.185.93 to 93.80.95.176 to
93.80.111.121 to 93.80.136.143 to 93.80.140.66 to 118.32.144.6 to
125.59.66.183 to 211.193.118.203 to 218.49.163.158 to 221.127.174.217
to 221.127.199.212 to 221.127.245.82

ns.xinnetdns.com IP 210.51.170.66 => SBL63236 at cncgroup-bj
ns.xinnet.cn IP 210.51.171.209 => SBL63236 at cncgroup-bj

Title: European Pharmacy (aka Canadian Pharmacy)
stylesheet => css/canadian_pharmacy_2_style.css

WEB:
© Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved.

Much More Canadian Pharmacy sightings:
http://groups.google.com/groups/search?q=%22Canadian+Pharmacy%22+group%3A*abuse&start=0&scoring=d&

Plenty of Forged Certificates and logos as always.

More info below:
==================
X-SID-PRA: Houxun Butany <Houxun-mmill{{p...@pumpkin-family.co.jp>
X-Message-Info: 6sSXyD95QpWaosfnfltfAEdVe8wVQS/xgjnHNCopFWvWqY9gNP2/
aXrc5tsUYFd1tx8yMWSqbLReYIQ6lp7Aag=
Received: from tomts3-srv.bellnexxia.net ([209.226.175.115]) by bay0-
pamc1-f1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Sun, 16 Mar 2008 21:39:06 -0700
Received: from toip16.srvr.bell.ca ([67.69.240.18])
by toip26.srvr.bell.ca with ESMTP; 17 Mar 2008 00:39:06 -0400
Received: from [MUNGED]
by toip16.srvr.bell.ca with ESMTP; 17 Mar 2008 00:39:05 -0400
Received: (qmail 18248 invoked by uid 110); 17 Mar 2008 00:39:04 -0400
Delivered-To: [MUNGED]
Received: (qmail 18244 invoked from network); 17 Mar 2008 00:39:04
-0400
Received: from unknown (HELO ?72.54.88.225?) (72.54.88.225)
by [MUNGED] with SMTP; 17 Mar 2008 00:39:04 -0400
Message-ID: <000b01c887e8$d3a6b720$e1583648@SERVER>
From: "Houxun Butany" <Houxun-mmill{{p...@pumpkin-family.co.jp>
To: [MUNGED]
Subject: mnoc
Date: Sun, 16 Mar 2008 23:39:03 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--------=_NextPart_000_0007_01C887BE.EAD0AF20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Return-Path: Houxun-mmill{{p...@pumpkin-family.co.jp
X-OriginalArrivalTime: 17 Mar 2008 04:39:07.0000 (UTC)
FILETIME=[D5D92780:01C887E8]

----------=_NextPart_000_0007_01C887BE.EAD0AF20
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Gaining PE length and thickness
Bigger baby-maker is not a dream anymore!
----------=_NextPart_000_0007_01C887BE.EAD0AF20
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.3199" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT Arial size=3D2>Gaining PE length and thickness</FONT></DIV>
<A href=3D"http://collectwhole.com">Bigger baby-maker is not a
dream=20
anymore!</A></BODY></HTML>
----------=_NextPart_000_0007_01C887BE.EAD0AF20--

-- END OF SPAM --

More spammer sightings:
http://groups.google.com/groups/search?q=%22September+70%25%22+group%3A*abuse&start=0&scoring=d&

OLD Listing:
SBL61248 - ROK4932 / SBL61418, SBL61896, SBL62483

http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK4932

WEB:
Licensed by The College of Pharmacists of British Columbia.
If you have any questions or concerns you can contact the college at
200-1765 West 8th Ave. Vancouver, BC, Canada V6J 5C6
You may contact us at +1(210) 888-9089, please, keep your order I.D.
every time you make a call
© Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved.

See also European Pharmacy sightings:
http://groups.google.com/groups/search?q=%22European+Pharmacy%22+group%3A*abuse*&qt_s=Search

See:
IP 72.54.88.225

More cbeyond.net sightings:
http://groups.google.com/groups/search?q=cbeyond.net+group%3A*abuse*&qt_s=Search

SEE:
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/68c372b651c86e27/8942c3a916842e8b#8942c3a916842e8b

http://moensted.dk/spam/?addr=72.54.88.225
http://psbl.surriel.com/listing?ip=72.54.88.225

OrgName: CBEYOND COMMUNICATIONS, LLC
OrgID: CBEY
Address: 320 Interstate North Parkway
Address: Suite 300
City: Atlanta
StateProv: GA
PostalCode: 30339
Country: US
NetRange: 72.54.0.0 - 72.54.255.255
CIDR: 72.54.0.0/16
NetName: CBEY
NetHandle: NET-72-54-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: INFINITY.CBEYOND.NET
NameServer: BEYOND.CBEYOND.NET

whois and abuse[]cbeyond.net are listed in rfc-ignorant.org database

route: 72.54.80.0/20
descr: Cbeyond Communications DAL
origin: AS17184
notify: ip-a...@cbeyond.net
mnt-by: MAINT-CBEY
changed: ma...@cbeyond.net
AS Name: ATL-CBEYOND - CBEYOND COMMUNICATIONS, LLC
http://www.cidr-report.org/cgi-bin/as-report?as=17184

1 SBL listings for IPs under the responsibility of cbeyond.net
http://www.spamhaus.org/sbl/listings.lasso?isp=cbeyond.net

Spamvert:
www.collectwhole.com => botnet

collectwhole.com has no MX records

ns.xinnetdns.com IP 210.51.170.66
ns.xinnet.cn IP 210.51.171.209

See IP rDNS on botnet:
221.165.74.218 no PTR at KORnet.net / kt.co.kr
71.130.194.27 = adsl-71-130-194-27.dsl.irvnca.pacbell.net
78.106.32.252 = 78-106-32-252.broadband.corbina.ru
78.106.40.189 = 78-106-40-189.broadband.corbina.ru
78.106.56.27 = 78-106-56-27.broadband.corbina.ru
78.106.81.198 = 78-106-81-198.broadband.corbina.ru
78.106.121.85 = 78-106-121-85.broadband.corbina.ru
78.106.195.189 = 78-106-195-189.broadband.corbina.ru
88.134.185.93 = 88-134-185-93-dynip.superkabel.de
93.80.95.176 = 93-80-95-176.broadband.corbina.ru
93.80.111.121 = 93-80-111-121.broadband.corbina.ru
93.80.136.143 = 93-80-136-143.broadband.corbina.ru
93.80.140.66 = 93-80-140-66.broadband.corbina.ru
118.32.144.6 no PTR at KORnet.net / kt.co.kr
125.59.66.183 = cm125-59-66-183.hkcable.com.hk
211.193.118.203 no PTR at KORnet.net / kt.co.kr
218.49.163.158 no PTR at HANANET / hanaro.com
221.127.174.217 no PTR at hgc.com.hk / HutchCity.com
221.127.199.212 no PTR at hgc.com.hk / HutchCity.com
221.127.245.82 no PTR at hgc.com.hk / HutchCity.com

Let's see whois.paycenter.com.cn:
Domain Name: collectwhole.com

Registrant:
liu bin
hai kou
891000

Administrative Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 898 1234567
fax: 898 1234567
cnclinp[]21cn.com

Technical Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 1234567
fax: 1234567
cnc...@21cn.com

Billing Contact:
liubin
liu bin
hai kou
hai kou Beijing 891000
CN
tel: 1234567
fax: 1234567
cnc...@21cn.com

Registration Date: 2008-02-21
Update Date: 2008-02-25
Expiration Date: 2009-02-21

Primary DNS: ns.xinnetdns.com 210.51.170.66
Secondary DNS: ns.xinnet.cn 210.51.171.209

More collectwhole.com sightings:
http://groups.google.com/groups/search?q=collectwhole.com+group%3A*abuse*&qt_s=Search

SEE ALSO:
hostnames sharing ip with a-records

domains sharing nameservers

See cnc...@21cn.com sightings:
http://groups.google.com/groups/search?q=%22cnclinp%4021cn.com%22+group%3A*abuse*&qt_s=Search

See:
ns.xinnetdns.com IP 210.51.170.66

http://moensted.dk/spam/?addr=210.51.170.66
http://www.spamhaus.org/query/bl?ip=210.51.170.66

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL63236
210.51.160.0/20 is listed on the Spamhaus Block List (SBL)

10-Mar-2008 21:51 GMT | SR02

flowexpo and other bulletproof hosting (escalation)
More than 170 total SBL listings in this /16

inetnum: 210.51.160.0 - 210.51.175.255
netname: CNC-BJ-IDC2
country: CN
descr: Beijing YiZhuang IDC of China Netcom
admin-c: CH140-AP
tech-c: TJ35-AP
status: ALLOCATED NON-PORTABLE
changed: cnci...@china-netcom.com
role: CNCIDC hostmaster
address: No.1,Beihuan Donglu,BDA,Beijing,China
country: CN
phone: +8610 6787 5599
fax-no: +8610 6787 8624
e-mail: cnci...@china-netcom.com
trouble: tech-...@china-netcom.com
person: Tao Jiang
nic-hdl: TJ35-AP
e-mail: bjidc-...@cnc.cn
changed: jian...@cnc.cn
changed: zha...@china-netcom.com
mntner: MAINT-CN-BJIDC
upd-to: bjidc-...@china-netcom.com

route: 210.51.0.0/16
descr: CHINA NETCOM
origin: AS9929
mnt-by: MAINT-AS9929
changed: xu...@china-netcom.com

route: 210.51.0.0/16
descr: CNC Group CncNet
country: CN
origin: AS9929
mnt-by: MAINT-CNCGROUP-RR
changed: ab...@cnc-noc.net

route: 210.51.0.0/16
descr: CNC Route Object
origin: AS9929
member-of: rs-Secondary
mnt-by: CHINANETCOM-MNT
changed: liu...@china-netcom.com
AS Name: CNCNET-CN China Netcom Corp.
http://www.cidr-report.org/cgi-bin/as-report?as=9929

14 SBL/ROKSO listings for IPs under the responsibility of cncgroup-bj
http://www.spamhaus.org/sbl/listings.lasso?isp=cncgroup-bj

So Much More xinnetdns.com sightings:
http://groups.google.com/groups/search?q=xinnetdns.com+group%3A*abuse*&qt_s=Search

See:
ns.xinnet.cn IP 210.51.171.209

http://moensted.dk/spam/?addr=210.51.171.209
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL63236

So Much More xinnet.cn sightings:
http://groups.google.com/groups/search?q=xinnet.cn+group%3A*abuse*&qt_s=Search

Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/2b0027b4070a07cf

And:
http://groups.google.com/group/news.admin.net-abuse.email/msg/6c15c2b98d46bd38

Cheers, Tomez

--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified
unless stated otherwise by the moderators. All opinions expressed above are
considered the opinions of the original poster, not the moderators or their
respective employers. For a copy of the guidelines to this group, see:
http://www.killfile.org/~tskirvin/nana/
