
[email] [counterfeit] [85.240.127.253] (desemidp.com / finodns.com) watchezZz


TomezNet

Sep 13, 2007, 3:30:37 PM
Received From:
IP 85.240.127.253 bl7-127-253.dsl.telepac.pt
(at PT.Com)

Spamvert:
www.desemidp.com IP 58.65.238.42
(SBL52081, SBL54224, SBL54249) (now at Atrivo / hostfresh.com)

Redirected to:
http://desemidp.com/rp/index.php

Counterfeit-watch spam with forged sender identity and headers.

Title: Diamond Watches (a.k.a Diamond Replicas)

More spammer sightings:
http://groups.google.com/groups/search?q=%22Diamond+Watches%22+group%3A*abuse&start=0&scoring=d&

More info below:
====================

X-SID-PRA: [MUNGED]
X-Message-Info: 6sSXyD95QpUxRuJN8TCki1bG+QKxhVdmEuW75aGQkN/tGhid/
1MWz9OGavaeb15CpzKHYJxnpjCkyvF1eqZVkA==
Received: from tomts12-srv.bellnexxia.net ([209.226.175.56]) by bay0-
pamc1-f6.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Thu, 13 Sep 2007 10:10:26 -0700
Received: from [MUNGED]
by toip16.srvr.bell.ca with ESMTP; 13 Sep 2007 13:10:18 -0400
Received: (qmail 19988 invoked by uid 110); 13 Sep 2007 12:53:44 -0400
Delivered-To: [MUNGED]
Received: (qmail 19970 invoked from network); 13 Sep 2007 12:53:43
-0400
Received: from bl7-127-253.dsl.telepac.pt (85.240.127.253)
by [MUNGED] with SMTP; 13 Sep 2007 12:53:43 -0400
Return-path: <[MUNGED]>
X-Original-To: [MUNGED]
Delivered-To: [MUNGED]
Received: from [85.240.127.253] (port=5749
helo=bl7-127-253.dsl.telepac.pt)
by [MUNGED] with ESMTP id [MUNGED]
for <[MUNGED]>; Thu, 13 Sep 2007 17:54:06 -0000 (EET)
From: [MUNGED]
To: [MUNGED]
Subject: watchezZz
Date: Thu, 13 Sep 2007 17:54:06 -0000 (EET)
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: p1654g530TDtr5Ro73EQ673x0820oy==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
Message-ID: <714e01c7f62f$01c7f62f$fd7ff055@[MUNGED]>
Status:
X-OriginalArrivalTime: 13 Sep 2007 17:10:26.0196 (UTC)
FILETIME=[FA4F1540:01C7F628]

Do you have a special date coming up?
Maybe a wedding, anniversary or the birthday of your 15 year-old
daughter...

These are the perfect times to give them the most unforgettable gift of
all: JEWELS and WATCHES.

Nothing says "I love you" better than a 2 thousand dollar watch, BUT
you will not pay that much.
Because there is a handmade replica place just for you, all widely-
known brands and models.
For girlfriends, boyfriends, husbands and wives.
With our promotion you can even get one for your mother-in-law!

GET THE PROMOTION YOU'VE BEEN WAITING FOR! http://www.desemidp.com

-- END OF SPAM --

SEE the sender identity and header forgery by the spammer spoofing our
domain.

See:
IP 85.240.127.253 bl7-127-253.dsl.telepac.pt

http://www.moensted.dk/spam/?addr=85.240.127.253
http://spamcop.net/w3m?action=checkblock&ip=85.240.127.253

More telepac.pt sightings:
http://groups.google.com/groups/search?q=telepac.pt+group%3A*abuse&start=0&scoring=d&

inetnum: 85.240.0.0 - 85.240.127.255
netname: TELEPAC-DSL
descr: Telepac - Comunicacoes Interactivas, SA
descr: DSL Service Networks
country: PT

route: 85.240.0.0/13
descr: Telepac II - Comunicacoes Interactivas, SA
origin: AS3243
mnt-by: TELEPAC-MNT
AS Name: TELEPAC PT.Com - Comunicacoes Interactivas, S.A.
http://www.cidr-report.org/cgi-bin/as-report?as=3243

17 SBL/ROKSO listings for IPs under the responsibility of charter.com
http://www.spamhaus.org/sbl/listings.lasso?isp=charter.com

Spamvert URL:
http://www.desemidp.com/

HTTP/1.1 302 Found
Date: Thu, 13 Sep 2007 10:39:25 GMT
Server: Apache/2.2.6 (FreeBSD) DAV/2 PHP/5.2.3 with Suhosin-Patch
mod_ssl/2.2.6 OpenSSL/0.9.7e-p1
X-Powered-By: PHP/5.2.3
Location: http://desemidp.com/rp/index.php?mid=10016&fid=PoWjfKskwsLFjsFlsjfe
Content-Length: 0
Connection: close
Content-Type: text/html

Redirected to:
http://desemidp.com/rp/index.php

See:
desemidp.com IP 58.65.238.42
(Spammer OLD IP 210.14.128.120 124.254.2.231, 58.83.12.6,
124.254.2.230)

ns1.finodns.com [58.83.12.6] [TTL=172800] [CN]
ns2.finodns.com [210.14.128.120] [TTL=172800] [CN]

NS records at nameservers are:
dns1.desemidp.com [no glue provided] [TTL=60]
dns2.desemidp.com [no glue provided] [TTL=60]

OLD:
ns1.modadns.com [58.83.12.6] [TTL=172800] [CN]
ns2.modadns.com [210.14.128.120, 124.254.2.231] [TTL=172800] [CN]

SOA record [TTL=2048] is:
Primary nameserver: ns1.myserver.com.
Hostmaster E-mail address: hostm...@desemidp.com
Serial #: 1189622051 (OLD 1188294464, 1186864237, 1184480567)

desemidp.com has no MX records

www.desemidp.com CNAME desemidp.com [TTL=60]

http://moensted.dk/spam/?addr=58.65.238.42
http://www.spamhaus.org/query/bl?ip=58.65.238.42

58.65.238.42 -> host42.dratiomyop.com

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL52081
58.65.232.0/21 is listed on the Spamhaus Block List (SBL)

07-Sep-2007 09:23 GMT | SR04

hostfresh.com - mass spammer hosting
Just swarming with spammers, and other cybercriminals.

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL54224
58.65.238.0/24 is listed on the Spamhaus Block List (SBL)

04-May-2007 10:15 GMT | SR02

spam sources

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL54249
58.65.238.0/23 is listed on the Spamhaus Block List (SBL)

05-May-2007 08:55 GMT | SR04

Dirty block (escalation)

Nothing but malware hosting for months. Fully criminal operation.

SEE Also:
domains sharing nameservers
modadns.com
thtechno.com
votechno.com
disrich.com
fotechno.com
lendust.com
croctam.com
sustfasc.com
ovablero.com
aceousgm.com
antlernc.com
ultrate.com

inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: HK
person: Piu Lo
nic-hdl: PL466-AP
e-mail: ipa...@hostfresh.com

route: 58.65.238.0/24
descr: Atrivo
origin: AS27595
notify: em...@atrivo.com
mnt-by: MAINT-ATRIVO
changed: em...@atrivo.com
AS Name: INTERCAGE - InterCage, Inc.
http://www.cidr-report.org/cgi-bin/as-report?as=27595

6 SBL/ROKSO listings for IPs under the responsibility of hostfresh.com
http://www.spamhaus.org/sbl/listings.lasso?isp=hostfresh.com

12 SBL listings for IPs under the responsibility of Atrivo.com
http://www.spamhaus.org/sbl/listings.lasso?isp=Atrivo.com

Let's see whois:
Checking server [whois.enom.com] => who else?
Registration Service Provided By: NameCheap.com
Contact: sup...@NameCheap.com

Domain name: desemidp.com

Registrant Contact:
Technoratti Registros Civis Ltda
Marcelina Chapado (marceloguerreiro229[]yahoo.com.br)
+55.442215665
Fax: +55.442215665
R Duque de Mamona, 43
Vitoria, ES 83762
BR

Administrative Contact:
Technoratti Registros Civis Ltda
Marcelina Chapado (marcelogu...@yahoo.com.br)
+55.442215665
Fax: +55.442215665
R Duque de Mamona, 43
Vitoria, ES 83762
BR

Technical Contact:
Technoratti Registros Civis Ltda
Marcelina Chapado (marcelogu...@yahoo.com.br)
+55.442215665
Fax: +55.442215665
R Duque de Mamona, 43
Vitoria, ES 83762
BR

Status: Locked

Name Servers:
ns1.finodns.com
ns2.finodns.com

Creation date: 12 Sep 2007 08:54:26
Expiration date: 12 Sep 2008 08:54:26

See also more NameCheap.com spam support sightings:
http://groups.google.com/groups/search?q=NameCheap.com+group%3A*abuse&start=0&scoring=d&

See:
ns1.finodns.com IP 58.83.12.6

ns1.finodns.com has no MX records -> finodns.com has no MX records

http://www.moensted.dk/spam/?addr=58.83.12.6
http://www.spamhaus.org/query/bl?ip=58.83.12.6

More 58.83.12.6 sightings:
http://groups.google.com/groups/search?q=58.83.12.6+group%3A*abuse&qt_s=Search

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL51900
58.83.0.0/16 is listed on the Spamhaus Block List (SBL)

27-Apr-2007 08:03 GMT | SR02

tianjian / hylink-cn / bluesky

58.83.0.0/22 and 58.83.4.0/22 are known to be operated by spammers. It
appears the entire /16 is part of the same operation. B-class networks
registered to Hotmail addresses are not reliable.

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL53280
58.83.12.0/22 is listed on the Spamhaus Block List (SBL)

11-Jul-2007 02:28 GMT | SR02

csallnetlink-cn / BLUESKY

BLUESKY provides bulletproof spam hosting and does not reply to spam
reports or SBL listings.

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL56425
58.83.12.6/32 is listed on the Spamhaus Block List (SBL)

30-Aug-2007 02:12 GMT | SR02

bulletproof DNS and HTTP

28 SBL/ROKSO listings for IPs under the responsibility of bluesky
http://www.spamhaus.org/sbl/listings.lasso?isp=bluesky

SEE Also on the same IP:
58.83.12.6 A disrich.com
58.83.12.6 A ns1.finodns.com
58.83.12.6 A ns1.modadns.com
58.83.12.6 A ns2.papadns.com
58.83.12.6 A remtam.com
58.83.12.6 A thtechno.com
58.83.12.6 A votechno.com

hostnames sharing ip with a-records
remtam.com
ns1.modadns.com
thtechno.com
votechno.com
disrich.com
ns2.papadns.com
domains using this as nameserver
modadns.com(as ns1.modadns.com)
thtechno.com(as ns1.modadns.com)
votechno.com(as ns1.modadns.com)
disrich.com(as ns1.modadns.com)
fotechno.com(as ns1.modadns.com)
lendust.com(as ns1.modadns.com)
croctam.com(as ns1.modadns.com)
sustfasc.com
ovablero.com
aceousgm.com
desemidp.com
antlernc.com(as ns2.papadns.com)
ultrate.com(as ns2.papadns.com)

inetnum: 58.83.12.0 - 58.83.15.255
netname: csallnetlink-cn
descr: changsha allnetlink development co.,LTD
country: CN
remarks: w...@allnetlink.com.cn
person: yongcheng wang
nic-hdl: YW811-AP
e-mail: wan...@allnetlink.com.cn
address: changsha allnetlink co., LTD
person: ada chen
nic-hdl: AC893-AP
changed: BLUESKY...@163.COM

Prefix: 58.83.12.0/22
Prefix Name: error
AS: 18118
AS Name: CITICNET AP CITIC Networks Management Co ,Ltd 6 XINYUANNANLU
BEIJING
http://www.cidr-report.org/cgi-bin/as-report?as=18118

See:
ns2.finodns.com IP 210.14.128.120

http://www.moensted.dk/spam/?addr=210.14.128.120
http://www.spamhaus.org/query/bl?ip=210.14.128.120

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL56347
210.14.128.0/19 is listed on the Spamhaus Block List (SBL)

07-Jul-2007 00:04 GMT | SR02

ZBYD Technology Co.,Ltd

No response to multiple SBL listings. No response from upstream
CNCGROUP-BJ. Hosting many ROKSO and botnet spam gang's websites and
nameservers.

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL58246
210.14.128.120/32 is listed on the Spamhaus Block List (SBL)

30-Aug-2007 02:22 GMT | SR02

bulletproof spam hosting at ZBYD Technology Co.,Ltd

Same bulletproof spam hosting as:

SBL57875 202.142.21.18/32
SBL56425 58.83.12.6/32

Also see:
SBL56347 210.14.128.0/19

1 SBL listings for IPs under the responsibility of cncgroup-bj
http://www.spamhaus.org/sbl/listings.lasso?isp=cncgroup-bj

23 SBL/ROKSO listings for IPs under the responsibility of APNIC
http://www.spamhaus.org/sbl/listings.lasso?isp=APNIC

inetnum: 210.14.128.0 - 210.14.159.255
netname: ZBYD
descr: ZBYD Technology Co.,Ltd
descr: 15A build , xiyongle road ,shijingshan district ,Beijing
country: CN
person: Zheyuan Wang
nic-hdl: ZW620-AP
e-mail: wan...@zbydoffice.com.cn
person: Zhengping Wang
address: Computer Center
address: Tongji University
address: No. 1239 Siping Road
address: Shanghai(200092)
address: P.R.China
phone: +0086 21 502 5080 ext 2845
fax-no: +0086 21 502 8965
e-mail: w...@tju.ihep.ac.cn
nic-hdl: ZW2-CN
notify: address-allo...@cernic.net
changed: sz...@cernic.net
person: Lei An
nic-hdl: LA100-AP
e-mail: al...@zbydoffice.com.cn
mntner: MAINT-CN-ZBN
descr: ZBN
descr: No.499 Weilai Road,Zhengzhou, Henan
country: CN
admin-c: JZ2-CN
tech-c: LD1-CN
upd-to: liz...@vip.zzcatv.com.cn
person: Jianzhong Zhu
nic-hdl: JZ2-CN
e-mail: zhujia...@vip.zzcatv.com.cn
person: Liang Dong
nic-hdl: LD1-CN
e-mail: lian...@vip.zzcatv.com.cn
changed: ip...@cnnic.cn
changed: ip...@cnnic.net.cn

postmaster and abuse[]zbydoffice.com.cn are listed in the rfc-ignorant.org
database

AS Name: BJ-GUANGHUAN-AP Beijing Guanghuan Xinwang Digital
http://www.cidr-report.org/cgi-bin/as-report?as=23844

SEE ALSO:
hostnames sharing ip indirectly via cnames
watchspammer.cornbls.com
dns1.ultrate.com
dns2.ultrate.com
hostnames sharing ip with a-records
ns2.modadns.com
sustfasc.com
fotechno.com
lendust.com
croctam.com
nocttam.com
ovablero.com
antlernc.com
ns1.papadns.com
cornbls.com
aceousgm.com
ultrate.com
domains using this as nameserver
modadns.com(as ns2.modadns.com)
thtechno.com(as ns2.modadns.com)
votechno.com(as ns2.modadns.com)
disrich.com(as ns2.modadns.com)
fotechno.com(as ns2.modadns.com)
lendust.com(as ns2.modadns.com)
croctam.com(as ns2.modadns.com)
sustfasc.com
ovablero.com
aceousgm.com
desemidp.com
antlernc.com(as ns1.papadns.com)
ultrate.com(as ns1.papadns.com)
ultrate.com(as dns1.ultrate.com)
ultrate.com(as dns2.ultrate.com)

Let's see whois:
Checking server [whois.enom.com] => who else?
Registration Service Provided By: NameCheap.com
Contact: sup...@NameCheap.com

Domain name: finodns.com

Registrant Contact:
Mikron Informatica Ltda
Rodolfo Jesus (falsia2007[]pop.com.br)
+55.632241143
Fax: +55.632241143
R Duque de Caxias 121
Ararauna, RJ 88362
BR

Administrative Contact:
Mikron Informatica Ltda
Rodolfo Jesus (falsi...@pop.com.br)
+55.632241143
Fax: +55.632241143
R Duque de Caxias 121
Ararauna, RJ 88362
BR

Technical Contact:
Mikron Informatica Ltda
Rodolfo Jesus (falsi...@pop.com.br)
+55.632241143
Fax: +55.632241143
R Duque de Caxias 121
Ararauna, RJ 88362
BR

Status: Locked

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

Creation date: 10 Aug 2007 21:29:58
Expiration date: 10 Aug 2008 21:29:58

More finodns.com sightings:
http://groups.google.com/groups/search?q=finodns.com+group%3A*abuse&start=0&scoring=d&

See also more eNom spam support sightings:
http://groups.google.com/groups/search?q=eNom+group%3A*abuse&start=0&scoring=d&

Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/5a8790add0f1e2ba

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/667d6d9fa0ca0234

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/ea6d4422abca1055

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/0b9c3480406297e7

Cheers, Tomez

--
All postings to news.admin.net-abuse.sightings are unconfirmed and
unverified unless stated otherwise by the moderators. All opinions
expressed above are considered the opinions of the original poster,
not the moderators or their respective employers.

For a copy of the guidelines to this group, see:

http://www.killfile.org/~tskirvin/nana/
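The header-forgery point in the report above (the From: line claims the reporter's own domain while the message entered the relay chain from a Telepac DSL address) is the kind of thing a mail admin verifies by walking the Received: chain by hand. The following Python is an added example, not code from the post or from any tool it cites. It parses a Received: chain constructed from the posted headers (wrapped lines re-joined, munged fields kept as placeholders), finds the hop where the message entered the visible relay path, compares the claimed sender domain against a constructed list of that domain's legitimate sending hosts (an offline stand-in for an SPF lookup; example.org and 203.0.113.10 are assumed values, since the post mungs the real ones), and flags hops whose timestamps run backwards. On the posted chain the last check fires on the bottom hop, whose date carries both "-0000" and "(EET)", which cannot both be right; whether that is a misconfigured MTA clock or a line not written by the relay it names is for the analyst to decide. A general caveat the code cannot remove: any Received: line beneath the first one written by a relay you trust is only as trustworthy as the sender.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed sample: the Received: chain from the posted spam, wrapped lines
# re-joined and munged fields left as placeholders. Order is as printed in the
# message: the top entry is the last hop, the bottom entry the first.
SAMPLE_RECEIVED = [
    "from tomts12-srv.bellnexxia.net ([209.226.175.56]) by bay0-pamc1-f6.bay0.hotmail.com "
    "with Microsoft SMTPSVC(6.0.3790.2444); Thu, 13 Sep 2007 10:10:26 -0700",
    "from [MUNGED] by toip16.srvr.bell.ca with ESMTP; 13 Sep 2007 13:10:18 -0400",
    "(qmail 19988 invoked by uid 110); 13 Sep 2007 12:53:44 -0400",
    "(qmail 19970 invoked from network); 13 Sep 2007 12:53:43 -0400",
    "from bl7-127-253.dsl.telepac.pt (85.240.127.253) by [MUNGED] with SMTP; "
    "13 Sep 2007 12:53:43 -0400",
    "from [85.240.127.253] (port=5749 helo=bl7-127-253.dsl.telepac.pt) by [MUNGED] "
    "with ESMTP id [MUNGED] for <[MUNGED]>; Thu, 13 Sep 2007 17:54:06 -0000 (EET)",
]
# Constructed placeholders: the post mungs the spoofed From: address, so
# example.org stands in for the reporter's domain and 203.0.113.10 (documentation
# space) for the one host that legitimately sends mail for it, as SPF would list.
SAMPLE_FROM = "someone@example.org"
OUR_DOMAIN = "example.org"
OUR_SENDING_HOSTS: Set[str] = {"203.0.113.10"}

IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
HELO_RE = re.compile(r"helo=([^\s)]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_received(value: str) -> Dict[str, Any]:
    """Split one Received: value into the fields header forensics cares about."""
    if ";" in value:
        clause, _, date_part = value.rpartition(";")
    else:
        clause, date_part = value, ""
    m_from, m_helo = FROM_RE.match(clause), HELO_RE.search(clause)
    m_by, m_ip = BY_RE.search(clause), IP_RE.search(clause)
    claimed = m_from.group(1).strip("[]") if m_from else None
    ts: Optional[datetime] = None
    if date_part.strip():
        try:
            ts = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):
            ts = None
    # RFC 5322 "-0000" means "UTC, local zone unknown"; the stdlib returns a naive
    # datetime for it, so pin it to UTC to keep every timestamp comparable.
    if ts is not None and ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return {
        "claimed_from": claimed,                        # what the sender said it was
        "helo": m_helo.group(1) if m_helo else claimed,
        "ip": m_ip.group(1) if m_ip else None,           # what the receiver actually saw
        "by": m_by.group(1) if (m_from and m_by) else None,  # local qmail steps: no host
        "timestamp": ts,
    }


def hops_earliest_first(received: List[str]) -> List[Dict[str, Any]]:
    """Relays prepend Received: lines, so reversing gives actual transit order."""
    return [parse_received(r) for r in reversed(received)]


def trace_origin(received: List[str]) -> Optional[Dict[str, Any]]:
    """Earliest hop that records a connecting IP: where the message entered the
    visible relay path. The IP is what the relay saw, unlike the From: header."""
    for hop in hops_earliest_first(received):
        if hop["ip"]:
            return hop
    return None


def sender_is_spoofed(from_addr: str, origin: Dict[str, Any],
                      our_domain: str = OUR_DOMAIN,
                      our_hosts: Set[str] = OUR_SENDING_HOSTS) -> bool:
    """True when From: claims our domain but the message entered from a host that
    does not send for us. Offline stand-in for an SPF check against our_hosts."""
    domain = from_addr.rsplit("@", 1)[-1].strip("<>").lower()
    if domain != our_domain.lower():
        return False  # not our domain: this check has nothing to say
    return origin["ip"] not in our_hosts


def timestamp_regressions(received: List[str]) -> List[Tuple[int, int]]:
    """Pairs (earlier_hop, later_hop), indexed earliest-first, where the later
    relay stamped a time before the earlier one. Honest relays only add time, so
    a backward jump means a wrong clock or a line not written by the relay named."""
    regressions: List[Tuple[int, int]] = []
    prev_idx, prev_ts = None, None
    for idx, hop in enumerate(hops_earliest_first(received)):
        ts = hop["timestamp"]
        if ts is None:
            continue
        if prev_ts is not None and ts < prev_ts:
            regressions.append((prev_idx, idx))
        prev_idx, prev_ts = idx, ts
    return regressions


def analyze(received: List[str], from_addr: str) -> Dict[str, Any]:
    """One-shot report combining the three checks above."""
    origin = trace_origin(received)
    return {
        "origin_ip": origin["ip"] if origin else None,
        "origin_helo": origin["helo"] if origin else None,
        "sender_spoofed": bool(origin) and sender_is_spoofed(from_addr, origin),
        "timestamp_regressions": timestamp_regressions(received),
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_RECEIVED, SAMPLE_FROM).items():
        print(f"{key}: {val}")
```

Run as a script it reports the origin as 85.240.127.253 with HELO bl7-127-253.dsl.telepac.pt, marks the sender as spoofed because that address is not one of the domain's sending hosts, and lists the regression between hops 0 and 1. The origin finder deliberately uses the connecting IP rather than the HELO name or the From: address, since the first is observed by the relay and the other two are whatever the sender chose to send.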
