Illegal sale of prescription drugs without prescription
webcom...@ora.fda.gov
---
The sites have recently removed four items,
BCAA Mass Creatine Pure
GlutaPower Loxitane
and added eighteen,
Alesse Ampicillin
Artane Aygestin
Carisoprodol Cialis Super Active
Clozaril Duetact
Glyset Home Cholesterol Test
Indinavir Januvia
Midamor Orlistat
Precose Soma
Xenical Zofran
and then added one more,
Florinef
---
Spam FROM: bzq-219-113-72.static.bezeqint.net [62.219.113.72]
ab...@bezeqint.net,postm...@bezeqint.net
This is the modern form of email advertising consisting
of a modification of an original mailer's content.
Be Green! Save Electrons! It is recycled mail with the
original content used to foil anti-spam filters.
At the least it is a copyright violation ((C)2008 Microsoft).
Spam CONTENT: Microsoft Featured Offer email promotion
ab...@microsoft.com,ad...@microsoft.com,
ab...@msadcenter.msn.com,postm...@msadcenter.msn.com,
ab...@msn.com,ad...@msn.com
The original URLs have been modified to the:
Spam CONTENT [image]: http://www.mightprocess.com/3.gif
Spamvertized URL: http://www.wellcontinue.com
Spamvertized URL: http://www.brotherjust.com
Spamvertized URL: http://www.teethfive.com
Spamvertized URL: http://www.facecontain.com
at the SPAMHAUS listed IP addresses 60.12.105.93 and 60.12.105.94
on cncnet.net,china-netcom.com,cnc-noc.net,cncgroup, etc., Zhejiang Province
resolved by the spammer's
Nameserver at the SPAMHAUS listed IP address 222.186.13.80
on Chinanet, Jiangsu
Nameserver at the SPAMHAUS listed IP address 222.186.67.179
on Chinanet, Jiangsu, ZHENJIANG-DANYANG-TELECOM
Many of the support email address domains have been "lost"
(there are no nameserver records in the root servers) though
one can find resolutions of the MX records (the mail servers)
pointing to IP address 194.135.105.153 on relcom.{ru,net} which
is open on port 25. However, as one has to know the old nameservers
in order to find this mail server, I will pass on it this time.
The support site at canadianmeds-support.com has also been
"lost" (though, again, one can get a resolution if one knows
the nameservers to query) but we do have one site with
nameservers listed in the root servers, canadian-pharmacy-support.info,
*HOWEVER* its entries seem to have been removed from the Canadian
Pharmacy nameservers, ns[1-5].adverdomain.com, *BUT* it is up at
three of the IP addresses of the nameservers themselves, 59.37.31.66,
79.135.167.58 and 89.187.48.14, along with a few nearby IP addresses.
BACKEND REFERENCED SUPPORT SITE: http://canadian-pharmacy-support.info
(force the hostname resolution to check each IP address)
at the SPAMHAUS listed IP address 59.37.31.66
on Chinanet, Guangdong
at the SPAMHAUS listed IP addresses 79.135.167.58, 79.135.167.59,
79.135.167.65, 79.135.167.66, 79.135.167.67, 79.135.167.68,
79.135.167.69 and 79.135.167.70
on ttnet.net.tr(turktelekom.com.tr),telekom.gov.tr/sistemnettelekom.com/istanbultelecom.net
at the SPAMHAUS listed IP addresses 89.187.48.14, 89.187.48.15,
89.187.48.16, 89.187.48.17 and 89.187.48.18
on bendery.md
ab...@bendery.md,postm...@bendery.md,sup...@bendery.md,ad...@bendery.md,
hostm...@bendery.md,webm...@bendery.md,n...@bendery.md,al...@rambler.ru
(As the fourth nameserver at 200.46.83.200 does not resolve canadian-pharmacy-support.info
and does not host the support site, though it does resolve the alternate support
site hostname, canadianmeds-support.com, but to an IP address which does not
provide the support site pages, I will pass on notifying them this time.)
This spam operation keeps registering and losing domains.
It keeps finding registrars who are willing (at least for
a time) to service its domains. Currently we have:
REGISTRAR (spamvertized web hosts): hichina.com
The spamvertized web hosts have domains
mightprocess.com wellcontinue.com brotherjust.com
teethfive.com facecontain.com
all of which are serviced by hichina.com.
Hopefully the spammer will not find them so accommodating
as he found/finds xinnet.
ab...@hichina.com,xia...@hichina.com,postm...@hichina.com,
sup...@hichina.com,ad...@hichina.com
REGISTRAR (spamvertized web hosts: nameservers): Beijing Innovative Linkage Technology Ltd. DBA DNS.COM.CN
The nameserver domain, nicepeopleworld.com, is serviced by
Beijing Innovative Linkage Technology Ltd. DBA DNS.COM.CN
Hopefully the spammer will not find dns.com.cn so accommodating as he
found xinnet.
REGISTRAR: BACKEND SUPPORT: Media Group, Inc. (directnic.com)
The support domain, canadian-pharmacy-support.info, is serviced
by Intercosmos Media Group, Inc. (directnic.com)
b...@i-55.com,ab...@directnic.com,ab...@datasync.com,
hostm...@directnic.com,mbru...@zipa.com
REGISTRAR: BACKEND SUPPORT (nameservers): xinnet
The nameservers for the backend support are ns{1,2,3,4,5}.adverdomain.com,
serviced by
paycenter.com.cn,xinnet.cn,xinnet.com,xinnetdns.com
==========
[DETAILS:]
SPAM FROM: bzq-219-113-72.static.bezeqint.net [62.219.113.72]
Which used a variation on my email address as the envelope
sender and forged my email address as the "From:" address.
inetnum: 62.219.110.0 - 62.219.155.255
netname: ADSL-CONNECTION-FIXIP
country: IL
remarks: ab...@bezeqint.net
e-mail: hostm...@bezeqint.net
SPAM CONTENT: Microsoft email promotion
Often when I get spam with msadcenter material, the Microsoft
content is encapsulated within [style],[/style] tags and
invisible, leaving only another spammer's content. This time
the Microsoft material itself is shown.
Surely this is Microsoft, as we have:
Microsoft's text content,
'You are receiving this e-mail because you subscribed to MSN Featured Offers.'
'please click the "Unsubscribe" link below. This will not unsubscribe you from
e-mail communications'
along with their copyright notice and links to their option to
stop receiving "this MSN Featured Offers e-mail" (Unsubscribe),
to sign up for more email offers (More Newsletters) and to view
their privacy policy (Privacy)
©2008 Microsoft | Unsubscribe | More Newsletters | Privacy
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052
along with their web bug, (Naughty, **NAUGHTY!!!**, Microsoft!),
[img src="http://tracking.msadcenter.msn.com/npg.gif?o=1" width=0 height=0]
Well, Microsoft's content has been replaced by
[a href="http://www.wellcontinue.com" target="_blank"]
[img src="http://www.mightprocess.com/3.gif" border=0 alt="Click Here!"][/a]
and Microsoft seems to have outsourced their subscription service
and privacy policy hosting to:
[a href="http://www.brotherjust.com" target="_blank"]Unsubscribe[/a]
[a href="http://www.teethfive.com" target="_blank"]More Newsletters[/a]
[a href="http://www.facecontain.com" target="_blank"]Privacy[/a]
- unless someone has taken their work and done what? Changed the
content and target URLs? No, Microsoft would not allow people to
send out their own copyrighted material without approving the changes.
SPAM CONTENT [image]: http://www.mightprocess.com/3.gif
SPAMVERTIZED URL: http://www.wellcontinue.com
SPAMVERTIZED URL: http://www.brotherjust.com
SPAMVERTIZED URL: http://www.teethfive.com
SPAMVERTIZED URL: http://www.facecontain.com
============================================================
For the host:
"www.mightprocess.com"
NAMESERVERS listed in the root servers for mightprocess.com:
------------------------------------------------------------
mightprocess.com NS ns1.nicepeopleworld.com
mightprocess.com NS ns2.nicepeopleworld.com
mightprocess.com NS ns3.nicepeopleworld.com
mightprocess.com NS ns4.nicepeopleworld.com
ns1.nicepeopleworld.com A 222.186.67.179
ns2.nicepeopleworld.com A 209.200.164.3
ns3.nicepeopleworld.com A 222.186.13.80
ns4.nicepeopleworld.com A 209.200.165.3
[extract from dig]
------------------
dig @209.200.164.3 www.mightprocess.com A +noqu +noadd +noau +norec
;; flags: qr <-- NON-AUTHORITATIVE
dig @209.200.165.3 www.mightprocess.com A +noqu +noadd +noau +norec
;; flags: qr <-- NON-AUTHORITATIVE
dig @222.186.13.80 www.mightprocess.com A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.mightprocess.com A 60.12.105.93
dig @222.186.67.179 www.mightprocess.com A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.mightprocess.com A 60.12.105.93
============================================================
The same for each.
The last time I got spam for this site (under other hostnames)
it was up at
59.63.157.80
211.33.54.139 211.33.54.143
218.61.18.139
222.186.12.235
222.186.13.80
so let me check those IP addresses as well as the IP addresses
listed for the nameservers and IP addresses nearby (often this
spammer has his site up at nearby addresses which may later be
used).
I find the site up only at IP addresses 60.12.105.93 and 60.12.105.94
as shown by (I also checked the image host hostname):
* Connected to 60.12.105.93
GET / HTTP/1.1
Host: www.mightprocess.com
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Canadian Pharmacy[/title]
* Connected to 60.12.105.94
GET / HTTP/1.1
Host: www.mightprocess.com
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Canadian Pharmacy[/title]
* Connected to 60.12.105.93
GET / HTTP/1.1
Host: www.wellcontinue.com
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Canadian Pharmacy[/title]
* Connected to 60.12.105.94
GET / HTTP/1.1
Host: www.wellcontinue.com
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Canadian Pharmacy[/title]
* Connected to 60.12.105.93
GET / HTTP/1.1
Host: www.brotherjust.com
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Canadian Pharmacy[/title]
* Connected to 60.12.105.94
GET / HTTP/1.1
Host: www.brotherjust.com
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Canadian Pharmacy[/title]
* Connected to 60.12.105.93
GET / HTTP/1.1
Host: www.teethfive.com
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Canadian Pharmacy[/title]
* Connected to 60.12.105.94
GET / HTTP/1.1
Host: www.teethfive.com
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Canadian Pharmacy[/title]
* Connected to 60.12.105.93
GET / HTTP/1.1
Host: www.facecontain.com
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Canadian Pharmacy[/title]
* Connected to 60.12.105.94
GET / HTTP/1.1
Host: www.facecontain.com
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Canadian Pharmacy[/title]
Except for the PHPSESSID value which appears in various places
on the pages, such as
[a href="/cart.php?PHPSESSID=[varies]"]Proceed to Checkout[/a]
and the domain name which appears in
document.write('[img src="counter.php?account_id=[domain_name]&aid=&said=&js=1'+params+'" width=1 height=1]');
(and the "noscript" version,
[noscript][img src="counter.php?account_id=[domain_name]&aid=&said=&js=0" width=1 height=1][/noscript])
the pages obtained from these IP addresses for the above
hostnames are all byte-for-byte identical.
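The "byte-for-byte identical except for PHPSESSID and the account_id" comparison above, written out as an added Python example (not code from the report): it masks those two fields, fingerprints each page, and groups the (IP, hostname) probes that served the same content. The page bodies are constructed from the fragments quoted in the report, and the nearby 60.12.105.95 entry is an assumed decoy to show a non-matching page falling into its own group.

```python
import hashlib
import re

# The two fields the report says differ between otherwise identical pages:
# the PHPSESSID in cart links and the account_id (domain name) in the
# counter.php web bug (both the script and the noscript variant).
_SESSION_RE = re.compile(rb"PHPSESSID=[0-9a-f]+")
_ACCOUNT_RE = re.compile(rb"account_id=[A-Za-z0-9.-]+")


def normalize(body: bytes) -> bytes:
    """Mask the per-session and per-domain fields so copies can be compared."""
    body = _SESSION_RE.sub(b"PHPSESSID=<masked>", body)
    return _ACCOUNT_RE.sub(b"account_id=<masked>", body)


def fingerprint(body: bytes) -> str:
    """SHA-256 of the normalized page body."""
    return hashlib.sha256(normalize(body)).hexdigest()


def group_by_fingerprint(pages):
    """Map fingerprint -> sorted (ip, hostname) pairs that served that page.

    `pages` is an iterable of ((ip, hostname), body) tuples, i.e. what one
    collects by connecting to each IP and forcing the Host header.
    """
    groups = {}
    for key, body in pages:
        groups.setdefault(fingerprint(body), []).append(key)
    return {fp: sorted(keys) for fp, keys in groups.items()}


def largest_identical_set(pages):
    """The (ip, hostname) pairs serving the most widely mirrored page."""
    return max(group_by_fingerprint(pages).values(), key=len)


def _constructed_page(domain, sessid, title="Canadian Pharmacy"):
    """Constructed page body built from the fragments quoted in the report."""
    html = (
        f"<html><head><title>{title}</title></head><body>"
        f'<a href="/cart.php?PHPSESSID={sessid}">Proceed to Checkout</a>'
        "<script>document.write('<img src=\"counter.php?account_id="
        f"{domain}&aid=&said=&js=1'+params+'\" width=1 height=1>');</script>"
        f'<noscript><img src="counter.php?account_id={domain}&aid=&said=&js=0"'
        " width=1 height=1></noscript></body></html>"
    )
    return html.encode()


# Constructed sample probes: two IPs x three spamvertized hostnames, each with
# its own session id, plus one assumed nearby address serving something else.
SAMPLE_PAGES = [
    (("60.12.105.93", "www.mightprocess.com"), _constructed_page("mightprocess.com", "1a2b3c")),
    (("60.12.105.94", "www.mightprocess.com"), _constructed_page("mightprocess.com", "4d5e6f")),
    (("60.12.105.93", "www.wellcontinue.com"), _constructed_page("wellcontinue.com", "7a8b9c")),
    (("60.12.105.94", "www.wellcontinue.com"), _constructed_page("wellcontinue.com", "0d1e2f")),
    (("60.12.105.93", "www.brotherjust.com"), _constructed_page("brotherjust.com", "3a4b5c")),
    (("60.12.105.95", "www.mightprocess.com"),
     _constructed_page("mightprocess.com", "6d7e8f", title="Welcome to nginx!")),
]

if __name__ == "__main__":
    for fp, keys in group_by_fingerprint(SAMPLE_PAGES).items():
        print(fp[:16], keys)
```

Feeding it real probe results means capturing the body from each "Connected to IP / Host: hostname" request and passing the same ((ip, hostname), body) tuples.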
WEB HOST: IP address 60.12.105.93
WEB HOST: IP address 60.12.105.94
---------------------------------
IP address 60.12.105.93 is found listed at sbl.spamhaus.org
IP address 60.12.105.93 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 60.12.0.0 - 60.12.255.255
netname: CNCGROUP-ZJ
descr: CNC Group Zhejiang province network
country: CN
e-mail: ab...@cnc-noc.net
e-mail: chenr...@china-netcom.com
12.60.in-addr.arpa has SOA [omitted]@hzdns.zjnetcom.com
---------------------------------
NAMESERVER: IP address 222.186.13.80
------------------------------------
IP address 222.186.13.80 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 222.184.0.0 - 222.191.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
country: CN
trouble: sp...@jsinfo.net
trouble: ab...@jsinfo.net
remarks: www.jsinfo.net
notify: i...@jsinfo.net
e-mail: anti...@ns.chinanet.cn.net
186.222.in-addr.arpa has SOA postm...@nmc1.ptt.js.cn
[whois.abuse.net]
anti...@ns.chinanet.cn.net (for jsinfo.net)
ab...@public1.ptt.js.cn (for jsinfo.net)
sp...@jsinfo.net (for jsinfo.net)
postm...@ptt.js.cn (default, no info)
ab...@jlonline.com (for jsinfo.net)
postm...@nmc1.ptt.js.cn (default, no info)
ctsu...@special.abuse.net (for jsinfo.net)
ab...@jsinfo.net (for jsinfo.net)
------------------------------------
NAMESERVER: IP address 222.186.67.179
-------------------------------------
IP address 222.186.67.179 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 222.186.67.176 - 222.186.67.191
netname: ZHENJIANG-TELECOM-DYZZYW-DEPT
descr: ZHENJIANG-DANYANG-TELECOM
descr: Zhenjiang City
descr: Jiangsu Province
country: CN
person: chinanet-js-zj hostmaster
e-mail: ip...@pub.zj.jsinfo.net
remarks: ab...@public.zj.js.cn
remarks: ab...@pub.zj.jsinfo.net
186.222.in-addr.arpa has SOA postm...@nmc1.ptt.js.cn
[whois.abuse.net]
anti...@ns.chinanet.cn.net (for jsinfo.net)
anti...@ns.chinanet.cn.net (for chinanet.cn.net)
postm...@chinanet.cn.net (for chinanet.cn.net)
ab...@public1.ptt.js.cn (for jsinfo.net)
sp...@jsinfo.net (for jsinfo.net)
postm...@public.zj.js.cn (for public.zj.js.cn)
postm...@ptt.js.cn (default, no info)
anti...@ns.chinanet.cn.net (for public.zj.js.cn)
ab...@jlonline.com (for jsinfo.net)
postm...@nmc1.ptt.js.cn (default, no info)
ctsu...@special.abuse.net (for chinanet.cn.net)
ctsu...@special.abuse.net (for jsinfo.net)
ab...@public.zj.js.cn (for public.zj.js.cn)
ab...@jsinfo.net (for jsinfo.net)
-------------------------------------
SPAM CONTENT [image]: http://www.mightprocess.com/3.gif
The image contents were:
=========================================================
BEST PRICE ON NET [diagonal banner]
[image] [image] [image] [image] [image]
VIAGRA LEVITRA CIALIS VIAGRA SOFT CIALIS SOFT
[Mastercard and Visa logos]
=========================================================
where the product names were titles of pill images and
the diagonal banner in the upper right corner had white
text, "WORLDWIDE SHIPPING", on a red background.
SPAMVERTIZED URL: http://www.wellcontinue.com
SPAMVERTIZED URL: http://www.brotherjust.com
SPAMVERTIZED URL: http://www.teethfive.com
SPAMVERTIZED URL: http://www.facecontain.com
As the pages are identical, I will check the first, the
SPAMVERTIZED SITE: http://www.wellcontinue.com
A REFRESH redirection,
[META http-equiv="refresh" content="0; url=index.php"]
sometimes appeared as the first/default page, redirecting to the
content page. Other times one receives the content immediately.
[title]Canadian Pharmacy[/title]
The starting page includes the domain name as the "account_id"
document.write('[img src="counter.php?account_id=[domain_name]&aid=&said=&js=1'+params+'" width=1 height=1]');
*** CHANGE *** VERISIGN SEAL AND ASSURANCE OF SECURITY AVAILABLE (but not on the page)
--------------
The fraudulent VeriSign seal, at http://[hostname]/img/award1.gif,
has been removed from the page but can be obtained if one checks,
GET /img/award1.gif HTTP/1.1
Host: www.wellcontinue.com
HTTP/1.1 200 OK
Server: nginx/0.6.31
Content-Type: image/gif
Content-Length: 4705
[image data]
Without the image, there is nothing on which to click to bring
up the "VeriSign" assurance of a secure site, but it can be
obtained using its URL, http://[hostname]/checker2.php.
GET /checker2.php HTTP/1.1
Host: www.wellcontinue.com
HTTP/1.1 200 OK
Server: nginx/0.6.31
Content-Type: text/html; charset=UTF-8
[TITLE]VeriSign Secure Site[/TITLE]
This page (from http://[hostname]/checker2.php) assures one that:
"[domain_name] is a VeriSign Secure Site
Name [domain_name]
Status Valid
Validity Period 30-NOV-05 - 11-JUN-09
Server ID Information
Country = CA
State = British Columbia
Organization = Canadian Pharmacy Inc.
Organizational Unit = Pharmacy On-line Store
Organizational Unit = Terms of use at www.safescrypt.com/rpa (c) 03
Organizational Unit = Authenticated by Safescrypt Limited
Organizational Unit = Member, VeriSign Trust Network
Common Name = [domain_name]"
N.B. For some time after the image was removed from the page,
it and the HTML page assuring one of a secure site could
be obtained if one checked the URLs. Then, for a time,
neither the image nor the HTML assurance were available.
They are now both available again, if one checks.
*** THE LICENSING STATEMENT ***
-------------------------------
"Licensed by The College of Pharmacists of British Columbia.
If you have any questions or concerns you can contact the college at
200-1765 West 8th Ave. Vancouver, BC, Canada V6J 5C6
You may contact us at +1(210) 888-9089, please, keep your order I.D.
every time you make a call.
(C) Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved."
-------------------------------
NO LONGER APPEARS ON THE STARTING PAGE.
But the contact phone number,
"You may contact us at +1(210) 888-9089, please, keep your order I.D.
every time you make a call."
remains.
THE PHONE NUMBER CONTACT USED TO BE +1(210) 787-1711
THEN FOR TWO DAYS IT WAS +1(281) 971-9929
IT THEN RETURNED TO +1(210) 787-1711
IT THEN CHANGED TO +1(210) 888-9089
BUT the address
200-1765 West 8th Ave.
Vancouver, BC, Canada V6J 5C6
appears on later pages (when one has selected an item) *omitting*
any reference to
The College of Pharmacists of British Columbia
The site assures one of a secure purchase,
(C) 2008 Secure.Order.Form
"Rest assured that our online order system makes use of the latest
Security encryption technology to ensure that your credit card
information is submitted safely and with the highest level of
protection."
"For your safety we use highly secure order processing server with our
own secure certificate."
though one's order (including credit card) data,
item_name[299]=Viagra
&item_name[642]=Delivery type
&item_name[3945]=Viagra
&item_price[299]=34.15
&item_price[642]=10.95
&item_price[3945]=0
&item_description[299]=10 pills X 50 mg
&item_description[642]=AirMail
&item_description[3945]=2 pills X 100 mg
&item_quantity[299]=1
&item_quantity[642]=1
&item_quantity[3945]=1
&checksum=
&currency=usd
&hash_check_cart=b718241d274f6a9bf3e6fbee27b4d94e [*]
&saved_ref= [+]
&Customer_FirstName=[victim's name: first]
&Customer_LastName=[victim's name: last]
&street=[victim's address: street]
&city=[victim's address: city]
&zip=[victim's address: zip code]
&state=[victim's address: state]
&country=USA
&phone1=[victim's phone number: country code]
&phone2=[victim's phone number: area code]
&phone3=[victim's phone number: exchange]
&phone4=[victim's phone number: number]
&Email=[victim's address: email]
&aemail=[victim's address: alternate email: optional]
&messenger=
&messenger_contact=
&birthday=
&ssn=
&client_time=1215016781 [Net time. Number of seconds since 1 January 1970]
&ship_eq= [only submitted if the "Shipping info equals to Billing Info" checkbox is checked]
&sname_first=[victim's name: first]
&sname_last=[victim's name: last]
&sstreet=[victim's address: street]
&scity=[victim's address: city]
&szip=[victim's address: zip code]
&sstate=[victim's address: state]
&scountry=USA
&method_by=CC
&cardholder=[victim's name: full: as on credit card]
&cc_type=mastercard [or other type]
&card_no=[victim's credit card number: VISA only]
&exp_m=[credit card: expiration date: month]
&exp_y=[credit card: expiration date: year]
&cvc=[credit card: private security number]
&comments=
&check_your_name=
&check_bank_name=
&check_account_owner=
&check_routing_number=
&check_account_number=
&comments1=
&renew_days=30
&chekout.x=0 [I tabbed to the submit button this time,
&chekout.y=0 so the x,y values are zero.]
&DOB_Day=1
&DOB_Month=January
&DOB_Year=
&Weight=
&Weight_Measure=lbs
&Height=4ft. 0in.
&received=
&medicalConditions=
&currentMedications=
&plannedMedications=
&allergies=
&surgeries=
&medicalHistory=
*: This "hash_check_cart" item is fairly new.
Is it an attempt to prevent visitors from changing the
values (prices, etc.) in the submitted data?
It is *not* linked to the session ID (PHPSESSID)
or personal data since making the same selection
on another date resulted in the same value.
+: A new element on the form.
This time I clicked the earlier SUBMIT button
which appears before the medical questionnaire
("Medical Questionary", the text in an image)
It seems that filling out that questionnaire
is optional.
*** CHANGE *** [MasterCard deprecated]
--------------------------------------
At times the order form has not allowed MasterCard and at other
times it indicated a problem, suggesting the use of VISA.
Today I find the request that one only use VISA,
"Please use VISA card for payment.
Mastercard may cause delays with processing of your order.",
on the page again.
--------------------------------------
is submitted unencrypted and insecurely to
http://[hostname]/process_order.php
NOTE: YOU MAY GET A SECURE ORDER PAGE.
SOME SITES MAY MODIFY THE FORM'S ACTION
SENDING YOU ON TO A SECURE BACK END.
There are two DIVs on the order form page, cc_div and echeck_div
with radio buttons which set the display to "none" for
one and "block" for the other. One can select payment
by credit card or by electronic check. The above data is
for a credit card submission. For using echeck, the credit
card data is missing (of course) and
&check_your_name=[victim's name: as on the bank account]
&check_bank_name=[checking account: bank name]
&check_account_owner=[checking account number]
&check_routing_number=[bank routing number]
&check_account_number=[check number]
is submitted. Today the divisions are still there.
There are two radio buttons on the page,
[input type="radio" class=noborder value="CC" name="method_by" checked onclick="swapCC(this.form)"]
Pay by Credit Card
and
[input type="radio" class=noborder value="ECHECK" name="method_by" onclick="swapCC(this.form)"]
Pay by eCheck (Checking Account)
************************
CHECK PAYMENT AVAILABLE
************************
For quite some time the ECHECK button had been missing and the only
radio button and payment option was for credit card payments though
the echeck_div remained on the page (and if one added an ECHECK
button one could bring up the echeck_div).
************************
The swapCC() function is defined in http://[hostname]/js/process_order.js
function swapCC(form) {
    if(validate_method_by(form.elements["method_by"]) == "CC")
    {document.getElementById("cc_div").style.display = "block";
     document.getElementById("echeck_div").style.display = "none";}
    else if(validate_method_by(form.elements["method_by"]) == "ECHECK")
    {document.getElementById("cc_div").style.display = "none";
     document.getElementById("echeck_div").style.display = "block";}
}
function validate_method_by(s) {
    var i;
    var returnMethod
    if (is_empty(s)) return true;
    if(s.length == undefined) returnMethod = s.value;
    for (i = 0; i < s.length; i++) {
        if (s[i].value=="CC" && s[i].checked== true)
        {var c = s[i].value
         returnMethod = c}
        if (s[i].value=="ECHECK" && s[i].checked== true)
        {var c = s[i].value
         returnMethod = c}
    }
    return returnMethod;
}
This is, of course, identical to the order data format as
reported previously for other hostnames.
Upon submission of the order one receives a response:
'If you need any help, please, contact our support via e-mail:
[a href="mailto:sup...@canadianmedicationsupport.com"]sup...@canadianmedicationsupport.com[/a]'
N.B. The response page includes the address,
200-1765 West 8th Ave.
Vancouver, BC, Canada V6J 5C6,
but omits the reference to
The College of Pharmacists of British Columbia.
SPAMVERTIZED SUPPORT CONTACT [email]: sup...@canadianmedicationsupport.com
It used to be canadianpharmsupport.com.
It then changed to canadianpharmacysupport.com but just recently
that seems to have been removed from the nameservers that it
was using and now there are no NS records in the root servers
for those domains.
It is now canadianmedicationsupport.com.
=========================================================================
For the host:
"canadianmedicationsupport.com"
NAMESERVERS listed in the root servers for canadianmedicationsupport.com:
-------------------------------------------------------------------------
NONE
=========================================================================
GOOD! These used to have nameservers provided by xinnet
(ns2.xinnet.cn, ns2.xinnetdns.com) but no longer!
ON THE OTHER HAND,
dig @ns2.xinnet.cn canadianmedicationsupport.com MX +norec
returns
canadianmedicationsupport.com. 3600 IN MX 20 mail.canadianmedicationsupport.com.
and
dig @ns2.xinnet.cn mail.canadianmedicationsupport.com A +norec
returns
mail.canadianmedicationsupport.com. 3600 IN A 194.135.105.153
So, the nameserver records are no longer in the root servers (and one
cannot find the mail server for canadianmedicationsupport.com) BUT
xinnet's servers still authoritatively give us an IP address,
194.135.105.153, for the mail server.
MAIL SERVER
===========
The mailserver for canadianpharmacysupport.com was at:
mail.canadianpharmacysupport.com 600 IN A 194.135.105.195
and, at one time, there was a version (an older version) of the
Canadian Pharmacy site at IP address 194.135.105.195 (nature-meds.com)
until 194.135.105.195 started returning RESET/ACKS in response to
attempted web connections (was closed on port 80).
It was open on port 25, bannering as "220 mtw2.srvz.ru ESMTP Exim".
===========
Currently 194.135.105.153 is closed on port 80
(sending RESET/ACKs in response to attempted web connections).
As a mailserver, it is of course open on port 25
(and banners as "220 mtw2.srvz.ru ESMTP Exim").
Both 194.135.105.153 and 194.135.105.195 are open on port 25
and the matching TCP timestamps and IP IDs returned in response
to TCP/SYNs sent to port 25,
IP ADDRESS TTL IP ID FLAGS TCP-TIMESTAMP
---------- --- ----- ----- -------------
194.135.105.153 57 34222 SA 3691563201
194.135.105.195 57 34223 SA 3691563611
show them to be the same system.
It seems the mailserver is back up (if ever it was down), at the
same location, but using an alternate IP address.
IP address 194.135.105.153
--------------------------
inetnum: 194.135.104.0 - 194.135.105.255
netname: relcom
descr: "RELCOM.BUSINESS NETWORK" Ltd.
country: RU
e-mail: ad...@relcom.ru
TCPTRACEROUTE to port 25 on 194.135.105.153 shows:
...
4: nyiix.retn.net (198.32.160.182)
5: ae2-9.RT.V10.MSK.RU.retn.net (87.245.233.13)
6: kiae-spider-1.relcom.net (194.58.41.10)
7: 194.135.105.153 (194.135.105.153) [TCP Syn Ack]
--------------------------
Domain Name: CANADIANMEDICATIONSUPPORT.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: clientHold
Updated Date: 26-jun-2008
Creation Date: 21-mar-2008
Expiration Date: 21-mar-2009
Administrative Contact: Yan Mito
Xiamen
Xiamen Fujian 331121
CN
tel: 124 1787654
ro...@canadianmedicationsupport.com
Primary DNS: ns2.xinnetdns.com 210.51.170.48
Secondary DNS: ns2.xinnet.cn 210.51.170.67
ORDER BACK END [as previously reported]: https://www.secwaybill.com/process_order.php
N.B. The spamvertized site is not configured to send the visitor
on to the backend, though I have seen a Canadian Pharmacy
site which did so redirect the visitor.
USUALLY my order data is submitted to the spamvertized site.
I have seen Canadian Pharmacy sites which redirect to the
backend (rather than accepting the data at the spamvertized
location and handling it on the server side).
THE JAVASCRIPT WHICH APPEARED AND WOULD CHANGE THE FORM's ACTION
================================================================
Previously I had noticed a bit of Javascript code on the site using
an Ajax web module. It was on the page one reaches after
one makes one's selection. This page had a form with an
image on which to click to proceed to the next step.
The code was:
function getDomain(sender) {
    var frm = document.forms.main_form;
    sender.disabled = true;
    $.ajax({
        async: false,
        url: 'get_state.php',
        type: 'GET',
        dataType: 'text',
        timeout: 6000,
        error: function(){
            //alert('Host not answer');
        },
        success: function(xml){
            //alert(xml);
            if(xml != '0')
                frm.action = 'https://'+xml+'/process_order.php';
        }
    });
    frm.submit();
}
Let's see ...
This calls the Ajax module's "ajax" function with
apparently a command to get
http://[hostname]/get_state.php
using an XML/HTTP get request, take the resulting text
(the "xml" variable) as the new hostname and change
the form to submit it to process_order.php,
NOT AT the current host, BUT AT THAT NEW LOCATION
(using https).
I believe the ajax material was provided by jQuery whose authors'
email addresses appeared when I grep'ped for email addresses in
the pages I had obtained.
Why was I not redirected (why was the form's "action" not modified)?
There was a "main_form" on the page,
[form action="http://[hostname]/process_order.php" name="main_form" method="POST"]
along with the Javascript code.
At SOME Canadian Pharmacy sites, the image on which one
clicks has/had an "onclick" attribute:
[INPUT TYPE="image" name="purchase" src="img/purchase.gif" value="purchase" onclick="getDomain(this)"]
BUT at this site I find,
[INPUT TYPE="image" name="purchase" src="img/purchase.gif" value="purchase" ]
and note the space between 'value="purchase"' and the closing bracket,
as if the onclick attribute, 'onclick="getDomain(this)"', had been
deleted, leaving the preceding space.
================================================================
TODAY I DO NOT SEE THE jQuery authors' names in the page data.
==============================================================
I do not see the jQuery module.
The Javascript code to change the form action is NOT on the page.
The clickable image,
[INPUT TYPE="image" name="purchase" src="img/purchase.gif" value="purchase" ]
(with the extra space between 'value="purchase"' and the closing bracket)
on the form with name, 'name="main_form"' appears.
It had been that the javascript was there and would work (if invoked, say
by adding the "onclick" action to the clickable button) though the recently
spamvertized sites were not configured to use it (no "onclick" action).
Now, besides not being configured to use the javascript, the javascript itself
is missing. So, at least at this site and this time, the form's action is not changed.
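The three states described above (script present and wired to the button, script present but the onclick removed, script gone altogether) and the two kinds of get_state.php reply, as an added example that is not code from the original post nor from the spamvertized site: a Node.js script that reads a saved order page, reports whether the form-action switch could fire, and emulates what the quoted getDomain() would do with a given reply. The two HTML pages embedded in it are constructed for the example, modelled on the fragments quoted above, and the hostname www.spamvertized.example is a placeholder.

```javascript
// Added example (not part of the original post): static check of a saved
// order page plus an emulation of the quoted getDomain() handlers.
'use strict';

// Constructed sample pages modelled on the fragments quoted in the post.
// Page 1: getDomain() defined and the purchase image calls it.
const PAGE_WIRED = `
<script src="jquery.js"></script>
<script>
function getDomain(sender) { /* body as quoted in the post */ }
</script>
<form action="http://www.spamvertized.example/process_order.php" name="main_form" method="POST">
<INPUT TYPE="image" name="purchase" src="img/purchase.gif" value="purchase" onclick="getDomain(this)">
</form>`;

// Page 2: no script at all and the onclick attribute removed (note the stray space).
const PAGE_UNWIRED = `
<form action="http://www.spamvertized.example/process_order.php" name="main_form" method="POST">
<INPUT TYPE="image" name="purchase" src="img/purchase.gif" value="purchase" >
</form>`;

// Read one quoted attribute out of a single tag, or null if it is absent.
function attr(tag, name) {
  const m = new RegExp("\\b" + name + "\\s*=\\s*[\"']([^\"']*)[\"']", "i").exec(tag);
  return m ? m[1] : null;
}

// What the page says about itself, without executing any of its script.
function analyzePage(html) {
  const forms = html.match(/<form\b[^>]*>/gi) || [];
  const mainForm = forms.find(t => attr(t, 'name') === 'main_form') || null;
  const inputs = html.match(/<input\b[^>]*>/gi) || [];
  const purchase = inputs.find(t => attr(t, 'name') === 'purchase') || null;
  const onclick = purchase ? attr(purchase, 'onclick') : null;
  return {
    formAction: mainForm ? attr(mainForm, 'action') : null,
    hasGetDomain: /function\s+getDomain\s*\(/.test(html),
    callsGetDomain: onclick !== null && /\bgetDomain\s*\(/.test(onclick),
  };
}

// Emulates the success/error handlers of the quoted getDomain(): any reply
// other than the single character "0" becomes the new host; "0", or no reply
// at all (the error/timeout path, passed here as null), leaves the action
// untouched. The original does not trim the body, so "0\n" would NOT count
// as "0"; the loose != is kept to match the original.
function effectiveAction(originalAction, stateReply) {
  if (stateReply === null) return originalAction;                 // $.ajax error/timeout
  if (stateReply != '0') return 'https://' + stateReply + '/process_order.php';
  return originalAction;
}

// Where the order data actually goes for this page and this get_state.php reply.
function submitTarget(html, stateReply) {
  const a = analyzePage(html);
  if (a.formAction === null) return null;                         // no main_form: nothing to submit
  if (!(a.hasGetDomain && a.callsGetDomain)) return a.formAction; // script missing or not wired to the button
  return effectiveAction(a.formAction, stateReply);
}

console.log(submitTarget(PAGE_WIRED, 'www.secwaybill.com'));   // https://www.secwaybill.com/process_order.php
console.log(submitTarget(PAGE_WIRED, '0'));                    // http://www.spamvertized.example/process_order.php
console.log(submitTarget(PAGE_UNWIRED, 'www.secwaybill.com')); // http://www.spamvertized.example/process_order.php
```

The static check is deliberately separate from the emulation: a page can carry the script and still never redirect (onclick removed), and a wired page can still post to itself when get_state.php answers "0" or does not answer within the timeout, which is exactly the pair of cases observed above.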
==============================================================
At a site WITH the onclick attribute I have, at times, gotten
a "zero" response, to the request for http://[hostname]/get_state.php,
HTTP/1.1 200 OK
Server: nginx/0.5.35
0
which does not produce the change in the form's action.
So this site is not configured to send one on to the back end.
However, does it provide a location for that back end?
What does it return in response to a request for http://[hostname]/get_state.php?
GET /get_state.php HTTP/1.1
Host: www.wellcontinue.com
HTTP/1.1 200 OK
Server: nginx/0.6.31
Content-Type: text/html
0
*** USUALLY THE RESPONSE IS/WAS "www.secwaybill.com" ***
I am going to check www.secwaybill.com, the previously reported
back end.
==========================================================
For the host:
"www.secwaybill.com"
NAMESERVERS listed in the root servers for secwaybill.com:
----------------------------------------------------------
NONE
==========================================================
GOOD. Again, this used to have nameservers provided by
xinnet but they are no longer resolving www.secwaybill.com.
When www.secwaybill.com did respond, the page obtained after
submitting one's order had a different email address:
From www.secwaybill.com:
[a href="mailto:sup...@canadamedsupport.com" class="link"]sup...@canadamedsupport.com[/a][/span]
[a href="mailto:sup...@canadamedsupport.com" class="link"]Contact Us[/a]
================================================================
For the host:
"canadamedsupport.com"
NAMESERVERS listed in the root servers for canadamedsupport.com:
----------------------------------------------------------------
NONE
================================================================
GOOD. Again, this used to have nameserver service provided by
xinnet and even now,
dig @ns2.xinnet.cn mail.canadamedsupport.com +norec
returns
mail.canadamedsupport.com. 3600 IN A 194.135.105.153
On the other hand, when www.secwaybill.com did respond at a prior
address, the security certificate was for www.euroedmeds.com.
==========================================================
For the host:
"www.euroedmeds.com"
NAMESERVERS listed in the root servers for euroedmeds.com:
----------------------------------------------------------
NONE
==========================================================
GOOD!
The www.euroedmeds.com site had a different contact email,
[a href="mailto:sup...@euromedsupport.com" class="link"]sup...@euromedsupport.com[/a][/span]
==============================================================
For the host:
"euromedsupport.com"
NAMESERVERS listed in the root servers for euromedsupport.com:
--------------------------------------------------------------
NONE
==============================================================
GOOD!
But, how about ns2.xinnet.cn?
dig @ns2.xinnet.cn mail.euromedsupport.com +norec
returns
mail.euromedsupport.com. 3600 IN A 194.135.105.153
naturally.
Upon submitting an order to www.secwaybill.com, one got a page with:
[div]To see your order status and check all information, please visit:[br]
[a href="http://canadianmeds-support.com"]canadianmeds-support.com[/a][br]
It will appear in the system during 30 minutes.[br][br][/div]
[div style="margin-bottom:24px;"]If you need any help, please, contact our support via e-mail:
[a href="mailto:sup...@euromedsupport.com"]sup...@euromedsupport.com[/a]
HZMedia Ltd.
Suite B, 29 Harley street
London W1G9QR GB
+44.2070601525
[a href="mailto:sup...@euromedsupport.com" class="link"]Contact Us[/a]
BACKEND REFERENCED SUPPORT SITE: http://canadianmeds-support.com
====================================================================
For the host:
"canadianmeds-support.com"
NAMESERVERS listed in the root servers for canadianmeds-support.com:
--------------------------------------------------------------------
NONE
====================================================================
GOOD. But nameservers used were ns{1,2,3,4,5}.adverdomain.com for
which the root servers still have "glue" (address) records.
ns1.adverdomain.com A 89.187.48.14
ns2.adverdomain.com A 200.46.83.200
ns3.adverdomain.com A 79.135.167.58
ns4.adverdomain.com A 59.37.31.66
ns5.adverdomain.com A 200.46.83.200
which resolve canadianmeds-support.com as
dig @59.37.31.66 canadianmeds-support.com A +noauth +noqu +noadd +norec
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
canadianmeds-support.com. 60 IN A 59.37.14.247
dig @79.135.167.58 canadianmeds-support.com A +noauth +noqu +noadd +norec
;; flags: qr aa ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
canadianmeds-support.com. 60 IN A 59.37.14.247
dig @89.187.48.14 canadianmeds-support.com A +noauth +noqu +noadd +norec
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
canadianmeds-support.com. 60 IN A 59.37.14.247
dig @200.46.83.200 canadianmeds-support.com A +noauth +noqu +noadd +norec
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
canadianmeds-support.com. 60 IN A 59.37.14.247
But ...
* Connected to 59.37.14.247
GET / HTTP/1.1
Host: canadianmeds-support.com
HTTP/1.1 403 Forbidden
Server: nginx/0.6.31
[TITLE]403 Forbidden[/TITLE]
But at an earlier IP address to which www.secwaybill.com had resolved,
the support site was listed as, http://canadian-pharmacy-support.info.
BACKEND REFERENCED SUPPORT SITE: http://canadian-pharmacy-support.info
==========================================================================
For the host:
"canadian-pharmacy-support.info"
NAMESERVERS listed in the root servers for canadian-pharmacy-support.info:
--------------------------------------------------------------------------
canadian-pharmacy-support.info NS ns1.adverdomain.com
canadian-pharmacy-support.info NS ns2.adverdomain.com
canadian-pharmacy-support.info NS ns3.adverdomain.com
canadian-pharmacy-support.info NS ns4.adverdomain.com
canadian-pharmacy-support.info NS ns5.adverdomain.com
ns1.adverdomain.com A 89.187.48.14
ns2.adverdomain.com A 200.46.83.200
ns3.adverdomain.com A 79.135.167.58
ns4.adverdomain.com A 59.37.31.66
ns5.adverdomain.com A 200.46.83.200
[extract from dig]
------------------
dig @59.37.31.66
canadian-pharmacy-support.info
A +noqu +noadd +noau +norec
;; flags: qr <-- NON-AUTHORITATIVE
dig @79.135.167.58
canadian-pharmacy-support.info
A +noqu +noadd +noau +norec
;; flags: qr ra <-- NON-AUTHORITATIVE
dig @89.187.48.14
canadian-pharmacy-support.info
A +noqu +noadd +noau +norec
;; flags: qr <-- NON-AUTHORITATIVE
dig @200.46.83.200
canadian-pharmacy-support.info
A +noqu +noadd +noau +norec
;; flags: qr <-- NON-AUTHORITATIVE
==========================================================================
That is a shock. Even using recursive queries fails to resolve
canadian-pharmacy-support.info at any of the IP addresses.
The last time I had checked, the responses were:
==========================================================================
For the host:
"canadian-pharmacy-support.info"
NAMESERVERS listed in the root servers for canadian-pharmacy-support.info:
--------------------------------------------------------------------------
canadian-pharmacy-support.info NS ns1.adverdomain.com
canadian-pharmacy-support.info NS ns2.adverdomain.com
canadian-pharmacy-support.info NS ns3.adverdomain.com
canadian-pharmacy-support.info NS ns4.adverdomain.com
canadian-pharmacy-support.info NS ns5.adverdomain.com
ns1.adverdomain.com A 89.187.48.14
ns2.adverdomain.com A 200.46.83.200
ns3.adverdomain.com A 79.135.167.58
ns4.adverdomain.com A 59.37.31.66
ns5.adverdomain.com A 200.46.83.200
[extract from dig]
------------------
dig @59.37.31.66
canadian-pharmacy-support.info
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
canadian-pharmacy-support.info A 89.187.48.15
dig @79.135.167.58
canadian-pharmacy-support.info
A +noqu +noadd +noau +norec
;; flags: qr aa ra <-- AUTHORITATIVE and NON-RECURSIVE
canadian-pharmacy-support.info A 89.187.48.15
dig @89.187.48.14
canadian-pharmacy-support.info
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
canadian-pharmacy-support.info A 89.187.48.15
dig @200.46.83.200
canadian-pharmacy-support.info
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
canadian-pharmacy-support.info A 89.187.48.15
==========================================================================
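The procedure used above (no NS for the domain left at the root servers, then each stale glue address queried directly with +norec and the "aa" flag read off the reply), as an added example that is not code from the original post: a Node.js script that parses saved dig output and classifies each probed server the way the annotations above do, then flags the servers that still hand out an address for an undelegated domain. The two dig outputs embedded in it are constructed for the example, modelled on the extracts quoted above (abbreviated to the header lines dig actually prints); the server list and the root-server NS list are inputs the caller supplies.

```javascript
// Added example (not part of the original post): classify saved
// "dig @server name A +noauth +noqu +noadd +norec" output.
'use strict';

// Constructed sample outputs modelled on the post's extracts.
const DIG_AUTHORITATIVE = `
; <<>> DiG 9.4 <<>> @59.37.31.66 canadianmeds-support.com A +noauth +noqu +noadd +norec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
canadianmeds-support.com.	60	IN	A	59.37.14.247
`;

const DIG_NOT_AUTHORITATIVE = `
; <<>> DiG 9.4 <<>> @89.187.48.14 canadian-pharmacy-support.info A +noauth +noqu +noadd +norec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
`;

// Pull the flags line and the ANSWER SECTION records out of dig's text output.
// Records in other sections (if +noauth/+noadd were not given) are ignored.
function parseDig(text) {
  const flags = new Set();
  const answers = [];
  let section = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const f = /^;; flags:([^;]*);/.exec(line);
    if (f) { f[1].trim().split(/\s+/).filter(Boolean).forEach(x => flags.add(x)); continue; }
    const s = /^;; (\w+) SECTION:/.exec(line);
    if (s) { section = s[1]; continue; }
    if (!line || line.startsWith(';')) continue;
    const r = /^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)/.exec(line);
    if (r && section === 'ANSWER') {
      answers.push({ name: r[1], ttl: Number(r[2]), type: r[3], data: r[4] });
    }
  }
  return { flags, answers };
}

// One probe, labelled the way the post annotates its extracts: "aa" set means
// the server claims authority for the zone; with +norec the reply cannot be
// something it merely looked up for us.
function classifyProbe(server, digText) {
  const { flags, answers } = parseDig(digText);
  const authoritative = flags.has('aa');
  const addresses = answers.filter(r => r.type === 'A').map(r => r.data);
  return { server, authoritative, addresses,
           label: authoritative ? 'AUTHORITATIVE' : 'NON-AUTHORITATIVE' };
}

// The situation chased above: the registry no longer delegates the domain
// (empty NS list at the root servers), yet servers at the old glue addresses
// still answer authoritatively. Returns those servers; an empty array when
// the domain is still delegated (not the stale-glue case) or nobody answers.
function staleGlueServers(rootNsList, probes) {
  if (rootNsList.length > 0) return [];
  return probes.map(p => classifyProbe(p.server, p.output))
               .filter(c => c.authoritative && c.addresses.length > 0);
}

const probes = [
  { server: '59.37.31.66',  output: DIG_AUTHORITATIVE },
  { server: '89.187.48.14', output: DIG_NOT_AUTHORITATIVE },
];
console.log(staleGlueServers([], probes)); // [ { server: '59.37.31.66', authoritative: true, addresses: ['59.37.14.247'], ... } ]
```

Feeding it real captures is a matter of running dig once per glue address and saving each output; the point of +norec is that a server which answers without "aa" under that flag is not serving the zone, which is the distinction drawn between the two sets of extracts above.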
Well, that's interesting ... let me check the various IP addresses
which appear above for ... canadian-pharmacy-support.info
However, the spammer also uses nearby addresses so ... let me
test those too ... The ones giving me the spammer's site are:
59.37.31.66
79.135.167.58 79.135.167.59 79.135.167.65
79.135.167.66 79.135.167.67 79.135.167.68
79.135.167.69 79.135.167.70
89.187.48.14 89.187.48.15 89.187.48.16
89.187.48.17 89.187.48.18
as shown by
* Connected to 59.37.31.66
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Support Center - [/title]
* Connected to 79.135.167.58
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.5.33
[title]Support Center - [/title]
* Connected to 79.135.167.59
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.5.33
[title]Support Center - [/title]
* Connected to 79.135.167.65
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.5.32
[title]Support Center - [/title]
* Connected to 79.135.167.66
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.5.32
[title]Support Center - [/title]
* Connected to 79.135.167.67
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.5.33
[title]Support Center - [/title]
* Connected to 79.135.167.68
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.5.33
[title]Support Center - [/title]
* Connected to 79.135.167.69
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.5.35
[title]Support Center - [/title]
* Connected to 79.135.167.70
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.5.35
[title]Support Center - [/title]
* Connected to 89.187.48.14
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Support Center - [/title]
* Connected to 89.187.48.15
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Support Center - [/title]
* Connected to 89.187.48.16
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Support Center - [/title]
* Connected to 89.187.48.17
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Support Center - [/title]
* Connected to 89.187.48.18
GET / HTTP/1.1
Host: canadian-pharmacy-support.info
HTTP/1.1 200 OK
Server: nginx/0.6.31
[title]Support Center - [/title]
The pages obtained from each IP address are
byte-for-byte identical.
The site's page at http://canadian-pharmacy-support.info/privacy.php
tells us that this is Canadian Pharmacy:
"... to set up a Canadian Pharmacy account."
NAMESERVERS (ns{1,2,3,4,5}.adverdomain.com) (canadian-pharmacy-support.info is no longer resolved)
-------------------------------------------
IP address 59.37.31.66
----------------------
IP address 59.37.31.66 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 59.32.0.0 - 59.42.255.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
e-mail: anti...@ns.chinanet.cn.net
e-mail: ip...@gddc.com.cn
31.37.59.in-addr.arpa has SOA xiaob...@21cn.com
----------------------
IP address 79.135.167.58
------------------------
IP address 79.135.167.58 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 79.135.167.0 - 79.135.167.255
netname: ISTANBUL-TELEKOM
descr: ISTANBUL TELEKOM TR
country: TR
e-mail: n...@istanbultelecom.net
This is on Autonomous System 9121
aut-num: AS9121
as-name: TTNet
descr: TTnet Autonomous System
descr: Turk Telekom A.S.
admin-c: TTBA1-RIPE
role: TT Administrative Contact Role
address: Turk Telekom
e-mail: ab...@ttnet.net.tr
e-mail: [omitted]@turktelekom.com.tr
The registration for ttnet.net.tr shows:
Registrant:
Turk Telekominikasyon A.S.
Ankara, Turkiye
i...@turktelekom.com.tr
The registration for telekom.gov.tr shows:
Registrant:
Turk Telekomunikasyon A.S.
Turk Telekomunikasyon A.S. Gen.Mud.Bilisim Aglari
Ankara, Turkiye
[omitted]@telekom.gov.tr
------------------------
IP address 89.187.48.14
-----------------------
IP address 89.187.48.14 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 89.187.48.0 - 89.187.48.255
netname: WHS-48
descr: Web Hosting Service
country: MD
e-mail: al...@rambler.ru
This is on Autonomous System Number 25129
aut-num: AS25129
as-name: MONITORING-AS
descr: Monitoring AS, Bendery, Moldova
admin-c: ABA3-RIPE hostm...@bendery.md
-----------------------
IP address 200.46.83.200 (it used to be 200.46.83.202 and 200.46.83.203)
------------------------
IP address 200.46.83.200 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 200.46.0/17
owner: Net2Net Corp.
address: 55-0779 - Panama - PA
country: PA
nserver: NS.PSINETPA.NET
nserver: NS2.PSINETPA.NET
e-mail: ipa...@NET2NET.COM.PA
Address 200.46.83.200 maps to 200-83-46-200-ip.alianzaviva.net
83.46.200.in-addr.arpa has SOA hostm...@sinfo.net
------------------------
WEB HOST:
---------
IP address 59.37.31.66
----------------------
IP address 59.37.31.66 is found listed at sbl.spamhaus.org
(allocation CHINANET-GD; whois details as given under NAMESERVERS above)
----------------------
IP address 79.135.167.58
IP address 79.135.167.59
IP address 79.135.167.65
IP address 79.135.167.66
IP address 79.135.167.67
IP address 79.135.167.68
IP address 79.135.167.69
IP address 79.135.167.70
------------------------
IP address 79.135.167.58 is found listed at sbl.spamhaus.org
IP address 79.135.167.59 is found listed at sbl.spamhaus.org
IP address 79.135.167.65 is found listed at sbl.spamhaus.org
IP address 79.135.167.66 is found listed at sbl.spamhaus.org
IP address 79.135.167.67 is found listed at sbl.spamhaus.org
IP address 79.135.167.68 is found listed at sbl.spamhaus.org
IP address 79.135.167.69 is found listed at sbl.spamhaus.org
IP address 79.135.167.70 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
(allocation ISTANBUL-TELEKOM on AS9121 TTNet; whois and registration
details as given under NAMESERVERS above)
------------------------
IP address 89.187.48.14
IP address 89.187.48.15
IP address 89.187.48.16
IP address 89.187.48.17
IP address 89.187.48.18
-----------------------
IP address 89.187.48.14 is found listed at sbl.spamhaus.org
IP address 89.187.48.15 is found listed at sbl.spamhaus.org
IP address 89.187.48.16 is found listed at sbl.spamhaus.org
IP address 89.187.48.17 is found listed at sbl.spamhaus.org
IP address 89.187.48.18 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
(allocation WHS-48 on AS25129 MONITORING-AS, Bendery, Moldova; whois
details as given under NAMESERVERS above)
-----------------------
REGISTRARS:
SPAMVERTIZED WEB HOSTS: hichina.com
mightprocess.com wellcontinue.com brotherjust.com
teethfive.com facecontain.com
Domain Name: MIGHTPROCESS.COM
Registrar: HICHINA WEB SOLUTIONS (HONG KONG) LIMITED
Whois Server: grs.hichina.com
Referral URL: http://whois.hichina.com
Name Server: NS1.NICEPEOPLEWORLD.COM
Name Server: NS2.NICEPEOPLEWORLD.COM
Name Server: NS3.NICEPEOPLEWORLD.COM
Name Server: NS4.NICEPEOPLEWORLD.COM
Status: ok
Updated Date: 01-jul-2008
Creation Date: 20-jun-2008
Expiration Date: 20-jun-2009
... THE SAME FOR EACH OF THE WEB HOSTS ...
SPAMVERTIZED NAMESERVERS: Beijing Innovative Linkage Technology Ltd. DBA DNS.COM.CN
Domain Name: NICEPEOPLEWORLD.COM
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Whois Server: whois.dns.com.cn
Referral URL: http://www.dns.com.cn
Name Server: NS1.DNS.COM.CN
Name Server: NS2.DNS.COM.CN
Status: clientTransferProhibited
Updated Date: 26-feb-2008
Creation Date: 26-feb-2008
Expiration Date: 26-feb-2009
BACKEND SUPPORT SITE (canadian-pharmacy-support.info): Intercosmos Media Group, Inc. (directnic.com)
Domain ID:D24564439-LRMS
Domain Name:CANADIAN-PHARMACY-SUPPORT.INFO
Created On:23-Apr-2008 15:02:23 UTC
Last Updated On:22-Jun-2008 20:34:27 UTC
Expiration Date:23-Apr-2009 15:02:23 UTC
Sponsoring Registrar:Intercosmos Media Group, Inc. (R152-LRMS)
Status:OK
Registrant ID:IMG-844228
Registrant Name:Andrey Smirnov
Registrant Email:andrewsm...@gmail.com
BACKEND SUPPORT NAMESERVERS (adverdomain.com): xinnet/paycenter
Domain Name: ADVERDOMAIN.COM
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Referral URL: http://www.xinnet.com
Name Server: NS.XINNET.CN
Name Server: NS.XINNETDNS.COM
Name Server: NS2.XINNET.CN
Name Server: NS2.XINNETDNS.COM
Status: clientHold
Updated Date: 26-jun-2008
Creation Date: 26-feb-2008
Expiration Date: 26-feb-2009
===========================================================
[ORIGINAL SPAM: with angle brackets, such as "<", converted
to square brackets, such as "[", so as not
to affect HTML enabled mail/news readers.]
Return-Path: <_MY_USERNAME_geographic@_MY_ISP_>
Received: from bzq-219-113-72.static.bezeqint.net (bzq-219-113-72.static.bezeqint.net [62.219.113.72])
by _my_isp_ (xxx) with SMTP id m626OZbX036774
for <_my_email_address_>; Wed, 2 Jul 2008 02:24:41 -0400 (EDT)
(envelope-from _my_name_geographic@_my_isp_)
Date: Wed, 2 Jul 2008 02:24:35 -0400 (EDT)
X-Mailer: devMail.Net (3.0.1854.22234-2)
To: <xxx>
Message-Id: <2008070210135...@bzq-219-113-72.static.bezeqint.net>
Subject: RE: Dear _MY_EMAIL_ADDRESS_ 72% Savings ...3 Days Only
From: Mabel Henry <_my_email_address_>
xxxMIME-Version: 1.0
xxxContent-Type: text/html; charset="ISO-8859-1"
xxxContent-Transfer-Encoding: 7bit
X-UIDL: 2RF!!X';"!B=A"!~)<"!
Status: RO
X-Status:
X-Keywords:
X-UID: 29
[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[head]
[meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"]
[/head]
[html]
[body]
[img src="http://tracking.msadcenter.msn.com/npg.gif?o=1" width=0 height=0]
[table cellpadding=0 cellspacing=0 width=600 align=center]
[tr]
[td class=EC_container bgcolor="#F2F2F2"]
[table cellpadding=0 cellspacing=0 width="100%"]
[tr]
[td]
[div align=center] [a href="http://www.wellcontinue.com" target="_blank"][img src="http://www.mightprocess.com/3.gif" border=0 alt="Click Here!"][/a] [/div]
[/td]
[/tr]
[tr]
[td class=EC_legal]
[strong]About this mailing: [/strong][br]
You are receiving this e-mail because you subscribed to MSN Featured Offers. Microsoft respects your privacy. If you do not wish to receive this MSN Featured Offers e-mail, please click the "Unsubscribe" link below. This will not unsubscribe
you from e-mail communications from third-party advertisers that may appear in MSN Feature Offers. This shall not constitute an offer by MSN. MSN shall not be responsible or liable for the advertisers' content nor any of the goods or service
advertised. Prices and item availability subject to change without notice.[br][br]
©2008 Microsoft | [a href="http://www.brotherjust.com" target="_blank"]Unsubscribe[/a] | [a href="http://www.teethfive.com" target="_blank"]More Newsletters[/a] | [a href="http://www.facecontain.com" target="_blank"]Privacy[/a][br][br]
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052
[/td]
[/tr]
[/table]
[/td]
[/tr]
[/table]
[/div]
[/div]
[/div]
[/body]
[/html]
--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified
unless stated otherwise by the moderators. All opinions expressed above are
considered the opinions of the original poster, not the moderators or their
respective employers. For a copy of the guidelines to this group, see:
http://www.killfile.org/~tskirvin/nana/