
[email] March 83% Off


spam...@nil.nil

Mar 3, 2008, 7:50:27 PM
SPAM: March 83% Off

Illegal sale of prescription drugs without prescription
webcom...@ora.fda.gov
---
The phone contact at the site, +1(210) 787-1711,
had changed to +1(281) 971-9929 for about two days,
then returned to +1(210) 787-1711 and has recently
changed to +1(210) 888-9089.
---
The sites have recently added eleven products,
Erythromycin Haldol Ortho Tri-Cyclen
Provera Pyridium Robaxin
Strattera Tegretol Toradol
VPXL Zestoretic
---
The sites have removed the various seals and "awards"
(VeriSign, CIPA, PharmacyChecker.com, etc.).
---
The contact email has changed from canadianpharmsupport.com
to canadianpharmACYsupport.com.
---

Spam FROM: ppp91-76-104-250.pppoe.mtu-net.ru [91.76.104.250]
ab...@mtu-net.ru,ab...@mtu.ru,
postm...@mtu-net.ru,postm...@mtu.ru

This is the modern form of email advertising, consisting
of stealing another party's content and using that as
a framework for the spam so that the innocent third
party content helps foil anti-spam filters.

Spam CONTENT: apparently what Microsoft will call an uninvited email promotion.
This has been misappropriated by a spammer for his own purposes.
This spammer seems really to like Microsoft email as spam transport.
ab...@microsoft.com,postm...@microsoft.com,
ab...@msn.com,postm...@msn.com

The third party material is masked out with the
only effective content being the:

Spam CONTENT [image]: http://www.duckwindow.com/1.gif
Spamvertized URL: http://www.duckwindow.com
at the SPAMHAUS listed IP address 76.76.102.122
on mtotelecom.com/existservers.com,existhosting.com
ab...@mtotelecom.com,ab...@existservers.com,ab...@existhosting.com,
postm...@mtotelecom.com,postm...@existservers.com,
postm...@existhosting.com,sup...@mtotelecom.com,
sup...@existservers.com,sup...@existhosting.com,
ad...@mtotelecom.com,ad...@existservers.com,ad...@existhosting.com,
webm...@mtotelecom.com,webm...@existservers.com,
webm...@existhosting.com,hostm...@mtotelecom.com,
hostm...@existservers.com,hostm...@existhosting.com
at the SPAMHAUS listed IP address 218.61.22.78
on cncnet.net,china-netcom.com,cnc-noc.net,cncgroup, etc., Liaoning province
ab...@cnc-noc.net,postm...@cnc-noc.net,
tan...@cnc-noc.net,hostm...@cnc-noc.net,
webm...@cnc-noc.net,hai...@cnc-noc.net,we...@cnc-noc.net
ad...@cnc-noc.net,
ab...@cncnet.net,postm...@cncnet.net,
hostm...@cncnet.net,webm...@cncnet.net,
ad...@cncnet.net,
gzman...@china-netcom.com,liu...@china-netcom.com,
tech-...@china-netcom.com,da...@china-netcom.com,
postm...@china-netcom.com,cncsu...@special.abuse.net,
hostm...@china-netcom.com,webm...@china-netcom.com,ma...@china-netcom.com,
ab...@online.ln.cn,postm...@online.ln.cn,postm...@lntelecom.com
resolved by the spammer's
Nameservers: ns.xinnet.cn, ns2.xinnet.cn, ns.xinnetdns.com, ns2.xinnetdns.com
provided by paycenter.com.cn,xinnet.cn,xinnet.com,xinnetdns.com
li...@xinnet.com,postm...@xinnet.com,ad...@xinnet.com,sup...@xinnet.com,
le...@xinnet.com,secu...@xinnet.com,he...@xinnet.com,in...@xinnet.com,
ab...@xinnet.com,n...@xinnet.com,n...@xinnet.com,ro...@xinnet.com,he...@xinnet.com
postm...@paycenter.com.cn,ad...@paycenter.com.cn,sup...@paycenter.com.cn,
le...@paycenter.com.cn,secu...@paycenter.com.cn,he...@paycenter.com.cn,
in...@paycenter.com.cn,ab...@paycenter.com.cn,n...@paycenter.com.cn,
n...@paycenter.com.cn,ro...@paycenter.com.cn,he...@paycenter.com.cn,
postm...@xinnet.cn,ad...@xinnet.cn,sup...@xinnet.cn,
le...@xinnet.cn,secu...@xinnet.cn,he...@xinnet.cn,
in...@xinnet.cn,ab...@xinnet.cn,n...@xinnet.cn,
n...@xinnet.cn,ro...@xinnet.cn,he...@xinnet.cn,
postm...@xinnetdns.com,ad...@xinnetdns.com,sup...@xinnetdns.com,
le...@xinnetdns.com,secu...@xinnetdns.com,he...@xinnetdns.com,
in...@xinnetdns.com,ab...@xinnetdns.com,n...@xinnetdns.com,
n...@xinnetdns.com,ro...@xinnetdns.com,he...@xinnetdns.com

Upon submitting an order, the response page provides a:

SPAMVERTIZED SUPPORT CONTACT [email]: support_AT_canadianpharmacysupport.com
with MX listed at mail.canadianpharmacysupport.com
at IP address 194.135.105.195
This was nature-meds.com where http://nature-meds.com is
a variation on the spamvertized site - but 194.135.105.195 is
not open on port 80 today. It also served as an authoritative
nameserver for the spam operation awhile ago, but not today.
This may no longer be involved (or may only be providing the
spammer's mailbox).
on relcom.{ru,net}.
ab...@relcom.net
at IP address 82.146.53.121
which is not responding on port 25 or 80
on nac.net/ispserver.com (coming up? just taken down? ??)
ab...@nac.net,ab...@ispserver.com
where the registrar (and SOA) for canadianpharmacysupport.com is BIZCN.COM.
ab...@fjdcb.fz.fj.cn,postm...@bizcn.com,
ab...@bizcn.com,sup...@bizcn.com,le...@bizcn.com,
ad...@bizcn.com,secu...@bizcn.com,n...@bizcn.com,
n...@bizcn.com,ro...@bizcn.com,he...@bizcn.com

==========
[DETAILS:]

SPAM FROM: ppp91-76-104-250.pppoe.mtu-net.ru [91.76.104.250]
Which forged a variation on my email address as
the envelope sender and forged my email address
as the "From:" address.

inetnum: 91.76.0.0 - 91.78.127.255
netname: MTU-PPPOE
descr: ZAO MTU-Intel
descr: Russia
country: RU
remarks: spam & security ab...@mtu.ru
remarks: mail postm...@mtu.ru
remarks: customer service sup...@stream.ru
104.76.91.in-addr.arpa has SOA hostmaster.mtu.ru


SPAM CONTENTS: Microsoft "email promotion"

This is the modern version of email advertising.
It consists of stealing/misappropriating another mailer's
newsletter and modifying it to send one on to the spammer's
site. Anti-spam filters see innocent content (the original
third-party's content) and, the spammer hopes, pass it
on to the addressee as non-spam.

I have seen cases where all the original content (images,
etc.) has remained with just the target links changed.
I have seen cases where the original content remains, but is
masked out (white text on a white background, almost white
text in a very tiny font on a white background, embedded in
[style],[/style] or [script],[/script] or [title],[/title]
tags, etc.)

In other cases the original text remains but the images
and targets can change.

*This* spammer has been replacing the original third-party's
URLs with junk (three random letters as the new domain name,
such as http://mail.xxx.com, http://site.axz.com, etc.),
embedding the third party's content in [style],[/style] tags
and inserting in the middle one line, with its associated
target link, of his own. Often this is a clickable image,
either hosted on the fast-flux botnet itself with target link
pointing to the site or on a compromised system with a target
link pointing to another compromised system which has a
redirecting page to the final site. A few times it has been
clickable text instead of an image. Fast-flux? Yes. Sometimes
the Canadian Pharmacy sites are up with static hosting and
sometimes they use a fast-flux botnet.

Let's see what we have this time.

Amazing. In recent spam I got with this type of content,
the spammer had not bothered to mung the third party
content, simply encapsulating it in [style],[/style] tags
and the URLs were of the form "http://microsoft.msn.com/..."
but today the domain name ("msn.com") *has* been converted
to a string of three random characters.

The third party content is
You are receiving this message from mbil or Windows Live because
you are a valued member. Microsoft respects your privacy.
To learn more, please read our online Privacy Statement.
[I believe the "mbil," above, was originally "msn" and has been "munged."]
if you would prefer to no longer receive promotional offers or
research emails from cjl please visit our Marketing Preferences.
[I believe the "cjl," above, was originally "msn" and has been "munged."]
Microsoft Corporation,One Microsoft Way, Redmond, WA 98052
with URLs
[a href="http://microsoft.duo.com/Key=8919.CCD3Q.C.D1.NqdlsZ"]
[img src="http://ads1.plt.com/ads/pronws/CIQ4975/en_UK/images/ie7m25ans.jpg"][/a]
[a href="http://microsoft.bcsc.com/Key=8919.CCD3Q.G.D1.H0j82F"]Privacy Statement[/a]
[a href="http://microsoft.dzqz.com/Key=8919.CCD3Q.H.D1.C65KGn"]Marketing Preferences[/a]
[img src="http://microsoft.terz.com/images/blankpixel.gif/Key=8919.CCD3Q..D1.FrwdkP"] <-- WEB BUG!! Naughty Microsoft!
(with the domain, "msn.com," having been "munged")
De-mung'ing the URLs, we find the image at
http://ads1.msn.com/ads/pronws/CIQ4975/en_UK/images/ie7m25ans.jpg
where the spam contains the image URL
http://ads1.[MUNGED].com/ads/pronws/CIQ4975/en_UK/images/ie7m25ans.jpg
(it seems that they did not further "mung" the image name itself this time)
to be a promotion suggesting that one download Internet Explorer 7
since it has
"Increased security[*]"
with the footnote,
"* Compared to Internet Explorer 6"
while the message itself has the text "*Compared to Internet Explorer 6"
and so this appears really to be from msn.com.
The other URLs are (after de-munging)

* Connected to 207.46.119.102
GET /Key=8919.CCD3Q.C.D1.NqdlsZ HTTP/1.1
Host: microsoft.msn.com

HTTP/1.1 302 Object Moved
Location: http://newsletterredirect.uk.msn.com/detect_en_uk.asp
Content-type: text/html


* Connected to 213.199.162.86
GET /detect_en_uk.asp HTTP/1.1
Host: newsletterredirect.uk.msn.com

HTTP/1.1 302 Object moved
Location: http://g.msn.com/1me10engb/2
Content-Length: 175


* Connected to 65.54.195.188
GET /1me10engb/2 HTTP/1.1
Host: g.msn.com

HTTP/1.1 301 Moved Permanently
Location: http://download.microsoft.com/download/9/3/a/93a877ae-c5cc-4b7a-aed5-91cc732cc876/EN-GB/32B/XPVIS/Setup.exe


* Connected to 216.213.98.248
GET /download/9/3/a/93a877ae-c5cc-4b7a-aed5-91cc732cc876/EN-GB/32B/XPVIS/Setup.exe HTTP/1.1
Host: download.microsoft.com

HTTP/1.1 200 OK
Content-Length: 3093288
Content-Type: application/octet-stream


* Connected to 207.46.119.102
GET /Key=8919.CCD3Q.G.D1.H0j82F HTTP/1.1
Host: microsoft.msn.com

HTTP/1.1 302 Object Moved
Location: http://go.microsoft.com/fwlink/?Linkid=74170


* Connected to 207.46.250.101
GET /fwlink/?Linkid=74170 HTTP/1.1
Host: go.microsoft.com

HTTP/1.1 302 Found
Location: http://privacy.microsoft.com/en-us/default.aspx


* Connected to 65.54.152.119
GET /en-us/default.aspx HTTP/1.1
Host: privacy.microsoft.com

HTTP/1.1 200 OK
[title]Microsoft Online Privacy Notice Highlights[/title]


* Connected to 207.46.119.102
GET /Key=8919.CCD3Q.H.D1.C65KGn HTTP/1.1
Host: microsoft.msn.com

HTTP/1.1 302 Object Moved
Location: http://go.microsoft.com/fwlink/?Linkid=78430


* Connected to 207.46.250.101
GET /fwlink/?Linkid=78430 HTTP/1.1
Host: go.microsoft.com

HTTP/1.1 302 Found
Location: https://accountservices.msn.com/MarketingPreference.srf?id=9&amp;ru=


* Connected to 65.54.183.194
GET /MarketingPreference.srf?id=9&amp;ru= HTTP/1.1
Host: accountservices.msn.com

HTTP/1.1 302 Found
Location: https://login.live.com/ppsecure/secure.srf?lc=1033&id=9&ru=https://accountservices.msn.com/MarketingPreference.srf%3Fid%3D9%26amp%24ru%3D%26vv%3D550%26lc%3D1033&tw=20&kv=9&ct=1204540690&cb=&ems=1&kpp=1&seclog=10&ver=5.500.9402.0&tpf=fbb542aaf81f5f9357e5a79e9677deb5


* Connected to 65.54.179.203
GET /ppsecure/secure.srf?lc=1033&id=9&ru=https://accountservices.msn.com/MarketingPreference.srf%3Fid%3D9%26amp%24ru%3D%26vv%3D550%26lc%3D1033&tw=20&kv=9&ct=1204540690&cb=&ems=1&kpp=1&seclog=10&ver=5.500.9402.0&tpf=fbb542aaf81f5f9357e5a79e9677deb5 HTTP/1.1
Host: login.live.com

HTTP/1.1 200 OK
[title]Sign In[/title]


So, the original content is a Microsoft Windows Live promotion for
Internet Explorer 7 and appears to be an "opt-out" email promotion
("We hope you find these communications valuable.
However, if you would prefer to no longer receive
promotional offers or research emails ...")
which Microsoft may call an uninvited email promotion.
Others may call it spam.
They should be informed of this misuse of their (I assume)
copyrighted material.

The format of the spam is:
[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[html]
[head]
[meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"] [/head]
[style]
... [third party content: Microsoft promotion]
[/style]
[a href="http://www.duckwindow.com"]
[img src="http://www.duckwindow.com/1.gif"] <-- NO CLOSING [/a] TAG.
[style]
... [third party content: Microsoft promotion] [/style] [a
[/body]
[/html]
[/style]
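As an added illustration, not part of the original report: a small Python scanner that applies the idea above to a constructed HTML body modelled on the format just shown (the munged Microsoft/MSN URLs from the spam, the visible duckwindow.com link, and a second [style] region that swallows the closing body/html tags). It separates the links a recipient can actually click or load from those buried inside style/script/title, which only a filter ever reads, and flags the message when the visible link hosts share nothing with the decoy hosts or when structural end tags land inside a hidden region. The tag scanner is regular-expression based rather than a full HTML parser so that it tolerates the broken nesting; the sample body, the function names and the heuristic are mine, not the spammer's or the report's.

```python
import re
from urllib.parse import urlsplit

# Tags whose contents a mail client never renders. Links buried inside
# them are seen only by filters, never by the recipient.
HIDDEN_TAGS = {"style", "script", "title"}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
URL_ATTR_RE = re.compile(r"""\b(?:href|src)\s*=\s*["']?([^"'\s>]+)""", re.I)

# Constructed sample body modelled on the spam format described in the report
# (real angle brackets instead of the report's [] notation).
SAMPLE_SPAM = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head>
<style>
You are receiving this message from mbil or Windows Live because you are a valued member.
<a href="http://microsoft.duo.com/Key=8919.CCD3Q.C.D1.NqdlsZ"><img src="http://ads1.plt.com/ads/pronws/CIQ4975/en_UK/images/ie7m25ans.jpg"></a>
<a href="http://microsoft.bcsc.com/Key=8919.CCD3Q.G.D1.H0j82F">Privacy Statement</a>
</style>
<a href="http://www.duckwindow.com">
<img src="http://www.duckwindow.com/1.gif">
<style>
<a href="http://microsoft.dzqz.com/Key=8919.CCD3Q.H.D1.C65KGn">Marketing Preferences</a>
<img src="http://microsoft.terz.com/images/blankpixel.gif/Key=8919.CCD3Q..D1.FrwdkP">
</body>
</html>
</style>
"""


def classify_links(html):
    """Walk the tag stream and split href/src URLs into those the recipient can
    actually reach (visible) and those inside style/script/title (hidden).
    Also count closing body/html tags swallowed by a hidden region, which is
    the mark of the broken nesting shown above."""
    visible, hidden = [], []
    hidden_depth = 0
    swallowed = 0
    for m in TAG_RE.finditer(html):
        closing, tag, attrs = m.group(1) == "/", m.group(2).lower(), m.group(3)
        if tag in HIDDEN_TAGS:
            hidden_depth = max(0, hidden_depth - 1) if closing else hidden_depth + 1
            continue
        if closing:
            if tag in ("body", "html") and hidden_depth:
                swallowed += 1
            continue
        if tag in ("a", "img"):
            um = URL_ATTR_RE.search(attrs)
            if um:
                (hidden if hidden_depth else visible).append((tag, um.group(1)))
    return visible, hidden, swallowed


def hosts(links):
    """Set of hostnames referenced by a list of (tag, url) pairs."""
    result = set()
    for _, url in links:
        host = urlsplit(url).hostname
        if host:
            result.add(host)
    return result


def looks_like_content_hijack(html):
    """Heuristic: there are decoy links, and either the visible links point at
    hosts unrelated to the decoys or document structure sits inside a hidden
    region. Either is a strong sign that the visible part is the real payload."""
    visible, hidden, swallowed = classify_links(html)
    if not visible or not hidden:
        return False
    return hosts(visible).isdisjoint(hosts(hidden)) or swallowed > 0


if __name__ == "__main__":
    vis, hid, swallowed = classify_links(SAMPLE_SPAM)
    print("visible:", vis)
    print("hidden hosts:", sorted(hosts(hid)))
    print("structural tags swallowed:", swallowed)
    print("content hijack:", looks_like_content_hijack(SAMPLE_SPAM))
```

On the sample the only reachable links are the two duckwindow.com ones, while all five decoy URLs are on munged Microsoft/MSN hosts, so the heuristic fires; a filter that scores the message on every URL it contains would instead see mostly "Microsoft" links.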


SPAM CONTENT [image]: http://www.duckwindow.com/1.gif
SPAMVERTIZED URL: http://www.duckwindow.com

'[a href="http://www.duckwindow.com"]
[img src="http://www.duckwindow.com/1.gif"]' <-- NO CLOSING [/a] TAG.

==========================================================
For the host:
"www.duckwindow.com"

NAMESERVERS listed in the root servers for duckwindow.com:
----------------------------------------------------------
duckwindow.com NS ns2.xinnet.cn
duckwindow.com NS ns2.xinnetdns.com
duckwindow.com NS ns.xinnet.cn
duckwindow.com NS ns.xinnetdns.com
ns2.xinnet.cn A 210.51.170.67
ns2.xinnetdns.com A 210.51.170.48
ns.xinnet.cn A 210.51.171.209
ns.xinnetdns.com A 210.51.170.66

[extract from dig]
------------------
dig @210.51.170.48
www.duckwindow.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.duckwindow.com A 218.61.22.78

dig @210.51.170.66
www.duckwindow.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.duckwindow.com A 218.61.22.78

dig @210.51.170.67
www.duckwindow.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.duckwindow.com A 218.61.22.78

dig @210.51.171.209
www.duckwindow.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
www.duckwindow.com A 218.61.22.78
==========================================================

Prior to this the site had moved around with nameservers and
webhosts recently appearing at
58.20.81.169 58.20.82.188 58.20.84.92 58.253.71.92
58.253.71.112 58.253.71.121 61.139.219.56 76.76.102.122
79.135.165.2 79.135.165.3 79.135.165.4 79.135.165.5
79.135.165.6 79.135.166.2 79.135.166.50 79.135.166.51
79.135.166.52 79.135.166.53 79.135.166.54 79.143.178.2
79.143.178.3 79.143.178.4 79.143.178.5 81.222.137.17
81.222.137.18 81.222.137.19 81.222.137.20 81.222.137.21
81.222.137.22 81.222.137.23 81.222.137.24 81.222.137.25
81.222.137.26 81.222.137.27 81.222.137.28 81.222.137.29
81.222.137.30 81.222.137.31 81.222.137.32 89.187.46.4
89.187.46.23 116.122.193.194 116.199.135.167 116.199.135.168
116.199.135.191 116.199.136.61 116.199.138.23 116.199.138.24
123.111.50.158 123.111.50.187 210.21.110.105 210.21.110.150
210.51.170.48 210.51.170.66 210.51.170.67 210.51.171.209
210.245.160.192 218.61.22.78 218.106.90.228 218.106.90.230
219.251.217.133 221.5.41.9 221.5.41.10 221.5.41.17
221.5.41.19 221.5.41.20 221.5.41.28 221.5.41.35
221.5.41.37 221.122.64.14 221.122.64.15 221.130.200.179
221.130.200.182 221.130.200.189
most recently up at
76.76.102.122 79.135.165.2 79.135.165.6
79.135.166.2 89.187.46.4 89.187.46.23
210.51.170.48 210.51.170.66 210.51.170.67
210.51.171.209 218.61.22.78

of which (the recent IP addresses)
76.76.102.122 79.135.165.2 79.135.165.6
79.135.166.2 89.187.46.4 89.187.46.23
and 218.61.22.78 are open on port 80.

Let me check the recent list for the website by
forcing the hostname resolution to each in succession.

* Connected to 76.76.102.122
GET / HTTP/1.1
Host: www.duckwindow.com

HTTP/1.1 200 OK
Server: nginx/0.5.35
[title]Canadian Pharmacy[/title]


* Connected to 79.135.165.2
GET / HTTP/1.1
Host: www.duckwindow.com

HTTP/1.1 200 OK
Server: nginx/0.5.32
Content-Type: text/html
Content-Length: 18
[h1]It works![/h1]

* Connected to 79.135.165.6
GET / HTTP/1.1
Host: www.duckwindow.com

HTTP/1.1 200 OK
Server: nginx/0.5.32
Content-Type: text/html
Content-Length: 18
[h1]It works![/h1]


* Connected to 79.135.166.2
GET / HTTP/1.1
Host: www.duckwindow.com

HTTP/1.1 403 Forbidden
Server: nginx/0.5.35
[TITLE]403 Forbidden[/TITLE]


* Connected to 89.187.46.4
GET / HTTP/1.1
Host: www.duckwindow.com

HTTP/1.1 200 OK
Server: nginx/0.5.33
Content-Type: text/html
Content-Length: 6
online

* Connected to 89.187.46.23
GET / HTTP/1.1
Host: www.duckwindow.com

HTTP/1.1 200 OK
Server: nginx/0.5.33
Content-Type: text/html
Content-Length: 6
online


* Connected to 218.61.22.78
GET / HTTP/1.1
Host: www.duckwindow.com

HTTP/1.1 200 OK
Server: nginx/0.5.35
[title]Canadian Pharmacy[/title]

The two IP addresses that returned the pharmacy page
(76.76.102.122 and 218.61.22.78) served byte-for-byte
identical pages, except for the variable session ID
which appears in various places, such as
[a href="/cart.php?PHPSESSID=[varies]"]Proceed to Checkout[/a]
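The comparison just made (the same page from two addresses once the session ID is ignored) can be automated. The following Python is an added example and not part of the original report: it fingerprints each response by status, Server header, page title and a hash of the body with PHPSESSID values masked, then groups the probed addresses by fingerprint. The observations are constructed stand-ins based on the responses shown above, with abbreviated bodies; `probe()` is the live variant that connects to a chosen IP while sending the hostname in the Host header, as was done by hand above, and it is not invoked here.

```python
import hashlib
import http.client
import re

SESSION_RE = re.compile(r"PHPSESSID=[0-9A-Za-z]+")
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)

# Constructed observations modelled on the probe results in the report:
# (ip, status, headers, body). Bodies are abbreviated stand-ins, not captures.
PHARMACY_PAGE = ('<html><head><title>Canadian Pharmacy</title></head><body>'
                 '<a href="/cart.php?PHPSESSID={sid}">Proceed to Checkout</a>'
                 '</body></html>')
OBSERVATIONS = [
    ("76.76.102.122", 200, {"Server": "nginx/0.5.35"}, PHARMACY_PAGE.format(sid="0a1b2c3d")),
    ("79.135.165.2", 200, {"Server": "nginx/0.5.32"}, "<h1>It works!</h1>"),
    ("79.135.165.6", 200, {"Server": "nginx/0.5.32"}, "<h1>It works!</h1>"),
    ("79.135.166.2", 403, {"Server": "nginx/0.5.35"}, "<TITLE>403 Forbidden</TITLE>"),
    ("89.187.46.4", 200, {"Server": "nginx/0.5.33"}, "online"),
    ("89.187.46.23", 200, {"Server": "nginx/0.5.33"}, "online"),
    ("218.61.22.78", 200, {"Server": "nginx/0.5.35"}, PHARMACY_PAGE.format(sid="f9e8d7c6")),
]


def fingerprint(status, headers, body):
    """(status, Server header, <title>, short hash of the body with session IDs masked)."""
    normalized = SESSION_RE.sub("PHPSESSID=[varies]", body)
    digest = hashlib.sha256(normalized.encode("utf-8", "replace")).hexdigest()[:12]
    title = TITLE_RE.search(body)
    server = next((v for k, v in headers.items() if k.lower() == "server"), "?")
    return (status, server, title.group(1).strip() if title else "", digest)


def cluster(observations):
    """Group probed IPs by fingerprint: identical content lands in one bucket."""
    groups = {}
    for ip, status, headers, body in observations:
        groups.setdefault(fingerprint(status, headers, body), []).append(ip)
    return groups


def hosts_serving(observations, title):
    """IPs (in probe order) whose response carried the given page title."""
    return [ip for ip, status, headers, body in observations
            if fingerprint(status, headers, body)[2] == title]


def probe(ip, hostname, path="/", timeout=10):
    """Live variant (not run here): connect to `ip` directly but present
    `hostname` in the Host header, forcing the name resolution by hand."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1")
        return ip, resp.status, dict(resp.getheaders()), body
    finally:
        conn.close()


if __name__ == "__main__":
    for fp, ips in cluster(OBSERVATIONS).items():
        print(fp, "->", ", ".join(ips))
    print("serving the pharmacy page:", hosts_serving(OBSERVATIONS, "Canadian Pharmacy"))
```

Masking the session ID before hashing is what makes the two pharmacy hosts collapse into one bucket; the placeholder "It works!" and "online" pairs form their own buckets, and the 403 host stands alone, which reproduces the grouping read off the raw probes above.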


IP address 76.76.102.122
------------------------
IP address 76.76.102.122 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
OrgName: InterWeb Media
OrgID: INTER-280
City: Montreal
StateProv: QC
Country: CA
CIDR: 76.76.96.0/19
NetName: INTERWEB-MEDIA
NameServer: NS.EXISTSERVERS.COM
NameServer: NS2.EXISTSERVERS.COM
OrgAbuseEmail: ab...@existhosting.com
Address 76.76.102.122 maps to reverse-mtl-76-76-102-122.existservers.com
BUT reverse-mtl-76-76-102-122.existservers.com has IP address 208.65.63.173
102.76.76.in-addr.arpa has SOA [omitted]@existservers.com
This is on Autonomous System Number 21548
aut-num: AS21548
as-name: MTO
descr: MTO Telecom Inc.
changed: [omitted]@mtotelecom.com 20070528
Registrar: DOTSTER
Domain Name: MTOTELECOM.COM
Administrative Contact: [omitted]@mtotelecom.com
MTO Telecom
Montreal, Quebec h2k 4k4
CA
------------------------

IP address 218.61.22.78
----------------------
IP address 218.61.22.78 is found listed at sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services."
inetnum: 218.60.0.0 - 218.61.255.255
netname: CNCGROUP-LN
country: CN
descr: CNCGROUP Liaoning province network
e-mail: ab...@cnc-noc.net
e-mail: ab...@online.ln.cn
61.218.in-addr.arpa has SOA ro...@lntelecom.com
[whois.abuse.net]
ab...@cnc-noc.net (for lntelecom.com)
postm...@cnc-noc.net (for cnc-noc.net)
ab...@cnc-noc.net (for cnc-noc.net)
ab...@online.ln.cn (for online.ln.cn)
postm...@online.ln.cn (for online.ln.cn)
postm...@lntelecom.com (for lntelecom.com)
ab...@cnc-noc.net (for online.ln.cn)
ab...@online.ln.cn (for lntelecom.com)
----------------------


SPAM CONTENT [image]: http://www.duckwindow.com/1.gif

The contents of the image are:
=====================================================
CHEAPEST PRICES

We are the only store wich Save huge 70 %
gives this great deal! on all the orders with us!

VIAGRA VIAGRA SOFT CIALIS CIALIS SOFT
SOMA TRAMADOL
=====================================================
(The product names were titles of small pill images.)


This is the short version, smaller than the prior:
=====================================================
CHEAPEST PRICES

We are the only store wich
gives this great deal you!

The USA Licensed Save huge 70 %
Online Pharmacy on all the orders with us!

VIAGRA VIAGRA SOFT CIALIS CIALIS SOFT
XANAX SOMA AMBIEN TRAMADOL
VALIUM MERIDIA
=====================================================
(The product names were titles of small pill images.)


SPAMVERTIZED SITE: http://www.duckwindow.com/

A (recent) REFRESH redirection,
[META http-equiv="refresh" content="0; url=index.php"]
sometimes appears as the first/default page, redirecting to the
content page. Other times one receives the content immediately.

[title]Canadian Pharmacy[/title]

The starting page includes the domain name as the "account_id"
document.write('[img src="counter.php?account_id=[domain_name]&aid=&said=&js=1'+params+'" width=1 height=1]');

*** CHANGE ***
--------------
The VeriSign seal, at http://[hostname]/img/award1.gif, has been removed
from the page, but not the site (it can still be obtained).
The "VeriSign" assurance of a secure site can still be found using
http://[hostname]/checker2.php and it assures us that:
"duckwindow.com is a VeriSign Secure Site
Name duckwindow.com
Status Valid
Validity Period 30-NOV-05 - 11-JUN-09
Server ID Information
Country = CA
State = British Columbia
Organization = Canadian Pharmacy Inc.
Organizational Unit = Pharmacy On-line Store
Organizational Unit = Terms of use at www.safescrypt.com/rpa (c) 03
Organizational Unit = Authenticated by Safescrypt Limited
Organizational Unit = Member, VeriSign Trust Network
Common Name = duckwindow.com"
even though there is no image on the page which one can
click to bring up this fraudulent assurance.

--------------
"Licensed by The College of Pharmacists of British Columbia.
If you have any questions or concerns you can contact the college at
200-1765 West 8th Ave. Vancouver, BC, Canada V6J 5C6
You may contact us at +1(210) 888-9089, please, keep your order I.D.
every time you make a call.
(C) Copyright Canadian Pharmacy, 2003-2008. All Rights Reserved."
--------------
THE PHONE NUMBER CONTACT USED TO BE +1(210) 787-1711
THEN FOR TWO DAYS IT WAS +1(281) 971-9929
IT THEN RETURNED TO +1(210) 787-1711
IT THEN CHANGED TO +1(210) 888-9089

The site assures one of a secure purchase,
(C) 2008 Secure.Order.Form
"Rest assured that our online order system makes use of the latest
Security encryption technology to ensure that your credit card
information is submitted safely and with the highest level of
protection."
"For your safety we use highly secure order processing server with our
own secure certificate."
though one's order (including credit card) data,
item_name[299]=Viagra
&item_name[642]=Delivery type
&item_name[3945]=Viagra
&item_price[299]=34.15
&item_price[642]=10.95
&item_price[3945]=0
&item_description[299]=10 pills X 50 mg
&item_description[642]=AirMail
&item_description[3945]=2 pills X 100 mg
&item_quantity[299]=1
&item_quantity[642]=1
&item_quantity[3945]=1
&checksum=
&currency=usd
&Customer_FirstName=[victim's name: first]
&Customer_LastName=[victim's name: last]
&street=[victim's address: street]
&city=[victim's address: city]
&zip=[victim's address: zip code]
&state=[victim's address: state]
&country=USA
&phone1=[victim's phone number: country code]
&phone2=[victim's phone number: area code]
&phone3=[victim's phone number: exchange]
&phone4=[victim's phone number: number]
&Email=[victim's address: email]
&aemail=[victim's address: alternate email: optional]
&messenger=
&messenger_contact=
&birthday=
&ssn=
&client_time=1204543326 [Net time. Number of seconds since 1 January 1970]
&ship_eq= [only submitted if the "Shipping info equals to Billing Info" checkbox is checked]
&sname_first=[victim's name: first]
&sname_last=[victim's name: last]
&sstreet=[victim's address: street]
&scity=[victim's address: city]
&szip=[victim's address: zip code]
&sstate=[victim's address: state]
&scountry=USA
&method_by=CC
&cardholder=[victim's name: full: as on credit card]
&cc_type=mastercard [or other type] [&]
&card_no=[victim's credit card number: VISA only]
&exp_m=[credit card: expiration date: month]
&exp_y=[credit card: expiration date: year]
&cvc=[credit card: private security number]
&comments=
&check_your_name=
&check_bank_name=
&check_account_owner=
&check_routing_number=
&check_account_number=
&comments1=
&renew_days=30
&chekout.x=0 [I tabbed to the submit button this time,
&chekout.y=0 so the x,y values are zero.]
&DOB_Day=1
&DOB_Month=January
&DOB_Year=
&Weight=
&Weight_Measure=lbs
&Height=4ft. 0in.
&received=
&medicalConditions=
&currentMedications=
&plannedMedications=
&allergies=
&surgeries=
&medicalHistory=

There is no change in the above data, but
until quite recently the order of the first
dozen entries was different: "3945" preceded "642":
item_name[299]=Viagra
&item_name[3945]=Viagra
&item_name[642]=Delivery type
&item_price[299]=34.15
&item_price[3945]=0
&item_price[642]=10.95
&item_description[299]=10 pills X 50 mg
&item_description[3945]=2 pills X 100 mg
&item_description[642]=AirMail
&item_quantity[299]=1
&item_quantity[3945]=1
&item_quantity[642]=1

This time I clicked the earlier SUBMIT button
which appears before the medical questionnaire
("Medical Questionary", the text in an image)
It seems that filling out that questionnaire
is optional.

is submitted unencrypted and insecurely to
http://[hostname]/process_order.php

There are two DIVs on the page, cc_div and echeck_div
with radio buttons which set the display to "none" for
one and "block" for the other. One can select payment
by credit card or by electronic check. The above data is
for a credit card submission. For using echeck, the credit
card data is missing (of course) and
&check_your_name=[victim's name: as on the bank account]
&check_bank_name=[checking account: bank name]
&check_account_owner=[checking account number]
&check_routing_number=[bank routing number]
&check_account_number=[check number]
is submitted. Today the divisions are still there.
There are two radio buttons on the page,
[input type="radio" class=noborder value="CC" name="method_by" checked onclick="swapCC(this.form)"]
Pay by Credit Card
and
[input type="radio" class=noborder value="ECHECK" name="method_by" onclick="swapCC(this.form)"]
Pay by eCheck (Checking Account)
************************
*** THIS IS A CHANGE ***
************************
For quite some time the ECHECK button had been missing and the only
radio button and payment option was for credit card payments though
the echeck_div remained on the page (and if one added an ECHECK
button one could bring up the echeck_div).
*****************************************************
*** THE CHECK PAYMENT SECTION IS AGAIN ACCESSIBLE ***
*****************************************************

The swapCC() function is defined in http://[hostname]/js/process_order.js
function swapCC(form) {
    if(validate_method_by(form.elements["method_by"]) == "CC")
    {document.getElementById("cc_div").style.display = "block";
     document.getElementById("echeck_div").style.display = "none";}
    else if(validate_method_by(form.elements["method_by"]) == "ECHECK")
    {document.getElementById("cc_div").style.display = "none";
     document.getElementById("echeck_div").style.display = "block";}
}
function validate_method_by(s) {
    var i;
    var returnMethod
    if (is_empty(s)) return true;
    if(s.length == undefined) returnMethod = s.value;
    for (i = 0; i < s.length; i++) {
        if (s[i].value=="CC" && s[i].checked== true)
        {var c = s[i].value
         returnMethod = c}
        if (s[i].value=="ECHECK" && s[i].checked== true)
        {var c = s[i].value
         returnMethod = c}
    }
    return returnMethod;
}


This is, of course, identical to the order data format as
reported previously for other hostnames.

*** CHANGE ***
--------------
Upon submission of the order one receives a response:
"If you need any help, please, contact our support via e-mail:
[a href="mailto:sup...@canadianpharmacysupport.com"]sup...@canadianpharmacysupport.com[/a]


SPAMVERTIZED SUPPORT CONTACT [email]: sup...@canadianpharmacysupport.com

It used to be canadianpharmsupport.com

=======================================================================
For the host:
"canadianpharmacysupport.com"

NAMESERVERS listed in the root servers for canadianpharmacysupport.com:
-----------------------------------------------------------------------
canadianpharmacysupport.com NS ns3.cnmsn.com
canadianpharmacysupport.com NS ns4.cnmsn.com
ns3.cnmsn.com A 66.79.172.49
ns4.cnmsn.com A 61.152.169.14

[extract from dig]
------------------
dig @61.152.169.14
canadianpharmacysupport.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

dig @66.79.172.49
canadianpharmacysupport.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
=======================================================================

=======================================================================
For the host:
"www.canadianpharmacysupport.com"

NAMESERVERS listed in the root servers for canadianpharmacysupport.com:
-----------------------------------------------------------------------
canadianpharmacysupport.com NS ns3.cnmsn.com
canadianpharmacysupport.com NS ns4.cnmsn.com
ns3.cnmsn.com A 66.79.172.49
ns4.cnmsn.com A 61.152.169.14

[extract from dig]
------------------
dig @61.152.169.14
www.canadianpharmacysupport.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

dig @66.79.172.49
www.canadianpharmacysupport.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
=======================================================================
CHANGE!!! ns3.cnmsn.com had been at 204.13.67.108

Hmmm ... the SOA for canadianpharmacysupport.com is
ns3.cnmsn.com dnsc...@bizcn.com (from 66.79.172.49)
ns4.cnmsn.com dnsc...@bizcn.com (from 61.152.169.14)
(authoritatively).

They have no address record for either canadianpharmacysupport.com or
www.canadianpharmacysupport.com (well, older versions had a link
to a support page at www.globalpharmsupport.com but the current sites
only have an email link). They do give an MX record,
dig @66.79.172.49 canadianpharmacysupport.com mx +norec +noauth +noadd
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
canadianpharmacysupport.com. 600 IN MX 10 mail.canadianpharmacysupport.com.
dig @61.152.169.14 canadianpharmacysupport.com mx +norec +noauth +noadd
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
canadianpharmacysupport.com. 600 IN MX 10 mail.canadianpharmacysupport.com.
and address for mail.canadianpharmacysupport.com.
dig @66.79.172.49 mail.canadianpharmacysupport.com a +norec +noauth +noadd
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
mail.canadianpharmacysupport.com. 600 IN A 82.146.53.121
dig @61.152.169.14 mail.canadianpharmacysupport.com a +norec +noauth +noadd
;; flags: qr aa <-- AUTHORITATIVE AND NON-RECURSIVE
mail.canadianpharmacysupport.com. 600 IN A 194.135.105.195

CHANGE: Both nameservers resolved mail.canadianpharmsupport.com to 194.135.105.195.
Now we have the alternate IP address, 82.146.53.121
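The check just performed by hand (ask each listed nameserver non-recursively, confirm the aa flag, and compare the answers) is worth scripting, because a disagreement between authoritative servers, as with the two A records for mail.canadianpharmacysupport.com, is exactly what this kind of operation produces while it shuffles hosts. The following Python is an added example, not part of the original report: it parses dig output of the shape shown above and reports whether every server answered authoritatively, what each returned, whether they agree, and the lowest TTL seen. The transcripts are constructed from the answers quoted in the report; the 600-second TTL on the www.duckwindow.com records is a placeholder, since the report does not show it.

```python
import re

# ";; flags: qr aa; QUERY: 1, ANSWER: 1, ..." -> the flag words before the ';'
FLAGS_RE = re.compile(r"^;; flags:\s*([^;]*);", re.M)
# "name.  600  IN  A  1.2.3.4" resource records (tabs or spaces)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+?)\s*$", re.M)

# Constructed dig transcripts modelled on the report: {nameserver_ip: output}.
MAIL_A_LOOKUPS = {
    "66.79.172.49": """;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
mail.canadianpharmacysupport.com.\t600\tIN\tA\t82.146.53.121
""",
    "61.152.169.14": """;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
mail.canadianpharmacysupport.com.\t600\tIN\tA\t194.135.105.195
""",
}
# The duckwindow.com servers all agreed; TTL 600 is a placeholder here.
WWW_A_LOOKUPS = {
    ns: ";; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\n"
        "www.duckwindow.com.\t600\tIN\tA\t218.61.22.78\n"
    for ns in ("210.51.170.48", "210.51.170.66", "210.51.170.67", "210.51.171.209")
}


def parse_dig(output):
    """Extract the header flags and the (name, ttl, type, rdata) records."""
    flags = FLAGS_RE.search(output)
    records = [(name, int(ttl), rtype, rdata)
               for name, ttl, rtype, rdata in RR_RE.findall(output)]
    return {"flags": set(flags.group(1).split()) if flags else set(),
            "records": records}


def compare_authoritative(outputs):
    """Across {nameserver: dig output}: did all answer with aa set, what rdata
    did each give, do they agree, and what is the smallest TTL observed?"""
    per_server, ttls = {}, []
    all_aa = True
    for ns, text in outputs.items():
        parsed = parse_dig(text)
        all_aa = all_aa and ("aa" in parsed["flags"])
        per_server[ns] = {rdata for _, _, _, rdata in parsed["records"]}
        ttls.extend(ttl for _, ttl, _, _ in parsed["records"])
    answer_sets = list(per_server.values())
    return {
        "all_authoritative": all_aa,
        "answers": per_server,
        "consistent": all(s == answer_sets[0] for s in answer_sets),
        "min_ttl": min(ttls) if ttls else None,
    }


if __name__ == "__main__":
    for label, lookups in (("mail.canadianpharmacysupport.com", MAIL_A_LOOKUPS),
                           ("www.duckwindow.com", WWW_A_LOOKUPS)):
        r = compare_authoritative(lookups)
        print(label, "authoritative:", r["all_authoritative"],
              "consistent:", r["consistent"], "min TTL:", r["min_ttl"])
        for ns, answers in r["answers"].items():
            print("   ", ns, "->", sorted(answers))
```

To feed it live data, run `dig @<nameserver> <name> A +norec +noauth +noadd` for each server listed at the parent and pass the captured outputs in as the dictionary values; the parser only needs the flags line and the answer records.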

The new
IP address 82.146.53.121
------------------------
82.146.53.121 is not responding to attempted web connections
(TCP/SYN to port 80) nor to attempted mail (SMTP) connections
(TCP/SYN to port 25). But what is it doing listed as a mailserver
for canadianpharmacysupport.com?

inetnum: 82.146.48.0 - 82.146.55.255
netname: ISPSYSTEM
descr: ISPsystem at NAC
country: US
remarks: ab...@ispserver.com
This is on Autonomous System Number 8001
ASNumber: 8001
ASName: NET-ACCESS-CORP
RTechEmail: [omitted]@nac.net

Not open on ports 80 or 25. Listed as mailserver for
canadianpharmacysupport.com.

The older
IP address 194.135.105.195
--------------------------
We had a host at 194.135.105.195:

===========================================================
For the host:
"nature-meds.com"

NAMESERVERS listed in the root servers for nature-meds.com:
-----------------------------------------------------------
nature-meds.com NS ns1.nature-meds.com
nature-meds.com NS ns2.nature-meds.com
ns1.nature-meds.com A 89.248.99.118
ns2.nature-meds.com A 89.248.100.134

[extract from dig]
------------------
dig @89.248.99.118
nature-meds.com
A +noqu +noadd +noau +norec
connection timed out

dig @89.248.100.134
nature-meds.com
A +noqu +noadd +noau +norec
connection timed out
===========================================================

That's a pleasant change (but not wholly unexpected as various
nameservers in this region, in particular the one at
89.248.99.118, are no longer responding). When the
nameservers had responded, they resolved nature-meds.com to
IP address 194.135.105.195.

Currently 194.135.105.195 is closed on port 80
(sending RESET/ACK in response to attempted web connections).
As a mailserver, it is of course open on port 25
(and banners as "220 mtw2.srvz.ru ESMTP Exim").

It used to be open on port 80 and one used to be able to find
nature-meds.com, an older version of the Canadian Pharmacy
site at 194.135.105.195.

IP address 194.135.105.195
--------------------------
inetnum: 194.135.104.0 - 194.135.105.255
netname: relcom
descr: "RELCOM.BUSINESS NETWORK" Ltd.
country: RU
e-mail: ad...@relcom.ru
TCPTRACEROUTE to port 25 on 194.135.105.195 shows:
...
4: nyiix.retn.net (198.32.160.182)
5: ae0-3.RT504-002.msk.retn.net (81.222.15.33)
6: kiae-spider-1.relcom.net (194.58.41.10)
7: 194.135.105.195 (194.135.105.195) [TCP Syn Ack]
--------------------------

Not open on port 80 (it used to host an old copy of the spamvertized site).
Open on port 25, but it may be a mailserver for other domains/users.
This may no longer be involved (or may still provide the spammer's mailbox).


Domain Name: CANADIANPHARMACYSUPPORT.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Updated Date: 25-feb-2008
Creation Date: 06-jun-2007
Expiration Date: 06-jun-2008
Domain name: canadianpharmacysupport.com
Registrant Contact:
Direct Pharmacy Support
Tony Estoque dir...@directpharmacysupport.com
5629268569 fax:
17639 Gerritt Avenue
Cerritos CA 90703
us
DNS: ns3.cnmsn.com ns4.cnmsn.com
Created: 2007-06-06
Expires: 2008-06-06


Well, another domain ... directpharmacysupport.com.

=====================================================================
For the host:
"directpharmacysupport.com"

NAMESERVERS listed in the root servers for directpharmacysupport.com:
---------------------------------------------------------------------
directpharmacysupport.com NS ns3.cnmsn.com
directpharmacysupport.com NS ns4.cnmsn.com
ns3.cnmsn.com A 66.79.172.49
ns4.cnmsn.com A 61.152.169.14

[extract from dig]
------------------
dig @61.152.169.14
directpharmacysupport.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

dig @66.79.172.49
directpharmacysupport.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
=====================================================================

=====================================================================
For the host:
"www.directpharmacysupport.com"

NAMESERVERS listed in the root servers for directpharmacysupport.com:
---------------------------------------------------------------------
directpharmacysupport.com NS ns3.cnmsn.com
directpharmacysupport.com NS ns4.cnmsn.com
ns3.cnmsn.com A 66.79.172.49
ns4.cnmsn.com A 61.152.169.14

[extract from dig]
------------------
dig @61.152.169.14
www.directpharmacysupport.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE

dig @66.79.172.49
www.directpharmacysupport.com
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
=====================================================================


The mailserver for directpharmacysupport.com is listed as
mail.directpharmacysupport.com at both authoritative
nameservers and they resolve it to 82.146.53.121 and
194.135.105.195 - just as for canadianpharmacysupport.com.


A few drugs:
------------
2 Complete Professional Whitening Kits
2 Sets of Moldable Mouth Trays
Abana
Abilify
Accupril
Accutane
Aceon
Aciphex
Acomplia
Acompliex
Acticin
Actonel
ActoPlus Met
Actos
Adalat
Advair Diskus
Advantage Carb Blocker
Aldactone
Aleve
Allegra
Alli
Altace
Amaryl
Amoxil
Anabol-AMP
Anacin
Anafranil
Ansaid
Antabuse
Arava
Aricept
Arimidex
Aristocort
Ashwagandha
Astelin
Atacand
Atarax
Atrovent
Augmentin
Avalide
Avandamet
Avandia
Avapro
Avodart
AyurSlim
Azulfidine
Baclofen
Bactrim
Bactroban
BCAA
Beconase AQ
Benadryl
Benemid
Benicar
Bentyl
Betnovate
Biaxin
Brafix
Brahmi
Breast Augmentation
Breast Enhancement
Breast Enhancement Gel
Breast Sculptor
Buspar
Bust Enhancer
Cafergot
Calan
Calcium Carbonate
Capoten
Carafate
CarboXactin
CarboZyne
Cardizem
Cardura
Casodex
Ceftin
Celebrex
Celexa
Cephalexin
Cha De Bugre
Chloromint
ChromoNexin
Chrysin-XY
Cialis
Cialis Jelly
Cialis Professional
Cialis Soft Tabs
Cipro
CLA
Clarinex
Claritin
Cleocin
Clomid
Clonidine
Colchicine
Colostrum-800
Combivent
Confido
Copegus
Coral Calcium
Cordarone
Coreg
Corticyn Trimplex
Coumadin
Cozaar
Creatine-1200
Cree-1200
Crestor
Cyklokapron
Cymbalta
Cystone
Cytotec
Cytoxan
Danazol
Decadron
Deltasone
Deluxe Handheld Plasma Whitening Tool
Deluxe Whitening System with Plasma Lamp
Depakote
Desyrel
Detrol
DHEA
Diabecon
Diamox
Diclofenac
Didronel
Differin
Diflucan
Diovan
Ditropan
Dostinex
Doxycycline
Dramamine
Dulcolax
Echinacea
Effexor
Elavil
Elimite
Emsam
Endep
Epivir-HBV
Erexin-V
Erexor
Erythromycin [*]
Eulexin
Eurax
Evecare
Evegen
Evista
Exelon
Extendaquin
Extreme Detox
Extreme Thyrocin
Famvir
Fatblast Extreme
Feldene
Female Sexual Oil
Female Sexual Tonic
Female Viagra
Femara
Femcare
Flagyl ER
Flexisyn
Flomax
Flonase
Fosamax
Fucidin
Furosemide
GABA (HGH Booster)
Gasex
Geodon
Geriforte
Ginseng
Glucophage
Glucotrol XL
Gluta-PEP
Glycemil
Green tea
Grifulvin V
Gyne-Lotrimin
Hair Loss Cream
Haldol [*]
Hangover Helper
Head Strong
Herbal Phentermine
Herbal Testosterone
Herbolax
Himcolin
Himplasia
Hoodia
Hoodia Gordonii HG p57
Horny Goat Weed
Hydrea
Hytrin
Hyzaar
Imdur
Imitrex
Imuran
Inderal
Indocin
InnoPran XL
Ismo
Isoptin
Kamagra
Karela
Keftab
Kytril
Lamictal
Lamisil
L-Arginine
Lariam
Lasix
Lasuna
L-Carnitine
Leukeran
Levaquin
Levitra
Levlen
Levothroid
Lexapro
L-Glutamine
Lincocin
Lioresal
Lipitor
Liponexol
LipoSafe
Lipostatin
Lipothin
Lipotrexate
Lisinopril
Lopid
Lopressor
Lotensin
Lotrisone
Loxitane
Lozol
Lukol
Luvox
Lynoral
Male Enhancement Oil
Male Enhancement Pills
Male Sexual Tonic
Manhood Enhancer
Maxalt
Maxaman
Maxaquin
Maximum Lipotropics
Medithin
Medrol
Melatonin
Men Attracting Pheromones
Menosan
Mental Booster
Mentat
Mentax
Mestinon
Metabo925
Metabo Extreme
MetaboSafe
Metabo UltraMax
Methox-400
Mevacor
Mexitil
Micardis
Microlean
Mircette
Mobic
Monoket
Motilium
Motrin
Myambutol
Mycelex-G
Mysoline
Naprosyn
Neurontin
Nexium
Nicotinell
Nimotop
Nirdosh
Nizoral
Nolvadex
Noroxin
Norpace CR
Norvasc
Noxide
Nutridrine
Nymphomax
Omnicef
Ophthacare
Orgasm Enhancer
Ortho Tri-Cyclen [*]
Oxytrol
Pamelor
Parlodel
Paxil
Penis Extender Deluxe
Penis Extender Deluxe Girth
Penis Extender Deluxe Gold
Penis Extender Standard
Penis Extender Starter
Penis Growth Oil
Penis Growth Patch
Penis Growth Pills
Penisole
Periactin
Phenergan
Phentrimine
Plan B
Plavix
Plendil
Pletal
Ponstel
Prandin
Pravachol
Prednisone
Premarin
Premature Ejaculation Cure
Prevacid
Prilosec
Prinivil
Probalan
Procardia
Pro-Erex
Professional Plasma Tooth Whitening Kit
Prograf
Prometrium
Propecia
Proscar
Protonix
Proventil
Provera [*]
Prozac
Pulmicort inhaler
Purim
Purinethol
Pyridium [*]
PyruVitol
Quibron-T
QuickBust
Reglan
Relafen
Remeron
Requip
Retin-A
Revia
Rhinocort
RiboCREE
Ribose-ATP
Rimonabant
Risperdal
Robaxin [*]
Rocaltrol
Rogaine
Rumalaya
Rythmol SR
Sarafem
Saw Palmetto
Septilin
Serevent
Serophene
Seroquel
Shallaki
Shoot
Shuddha Guggulu
Sinemet
Sinequan
Singulair
Skelaxin
SleepWell (Herbal XANAX)
Slimpulse
Snoroff
Soma
Soothenol
Speman
Starlix
Stop Smoking
Stop Smoking Patch
Strattera [*]
Stress Relief
Stromectol
Study Habits
Styplon
Sumycin
Sustiva
Synaral
Synthroid
Tazorac
Tegretol [*]
Tenormin
Tentex Royal
Testo-Rex
Thyroid Booster
Tofranil
Topamax
Toprol XL
Toradol [*]
Touch-Up Kit
Tramaden
Tramadol
Trandate
Tribulus
Tricor
Trileptal
Trimox
Triphala
Tulasi
Ultimate Male Enhancer
Ultracet
Ultram
Urispas
Uroxatral
Valtrex
Vanadyl
Vantin
Vasodilan
Vasotec
Ventolin
Vermox
Viagra
Viagra Jelly
Viagra Professional
Viagra Soft Tabs
Viramune
Vitaliq
Vitamin A & D
Voltaren
VPXL [*]
Vytorin
Weight Loss
Wellbutrin SR
Women Attracting Pheromones
Women's Intimacy Enhancer
Women's Intimacy Enhancer Cream
Xeloda
Yerba Diet
Yohimbe-1200
Zanaflex
Zantac
Zebeta
Zelnorm
Zerit
Zestoretic [*]
Zestril
Zetia
Zimulti
Zithromax
ZMA-Power
Zocor
Zoloft
Zovirax
Zyban
Zyloprim
Zyprexa
Zyrtec
Zyvox

*: Recent additions

===========================================================
[ORIGINAL SPAM: with angle brackets, such as "<", converted
to square brackets, such as "[", so as not
to affect HTML enabled mail/news readers.]

Return-Path: <_my_name_intruded@_my_isp_>
Received: from ppp91-76-104-250.pppoe.mtu-net.ru (ppp91-76-104-250.pppoe.mtu-net.ru [91.76.104.250])
by _my_isp_ (xxx) with SMTP id m237qCS7086450
for <_my_email_address_>; Mon, 3 Mar 2008 02:52:18 -0500 (EST)
(envelope-from _my_name_intruded@_my_isp_)
Date: Mon, 3 Mar 2008 02:52:12 -0500 (EST)
Content-Return: allowed
X-Mailer: CME-V6.5.4.3; MSN
Message-Id: <200803031352...@ppp91-76-104-250.pppoe.mtu-net.ru>
To: <xxx>
Subject: March 83% Off
From: _my_email_address_
Reply-to: MSN Featured Offers <lk...@mail.msadcenter.msn.com>
xxxMIME-Version: 1.0
xxxContent-Type: text/html; charset="ISO-8859-1"
xxxContent-Transfer-Encoding: 7bit
X-UIDL: ]+<!!"P7!![_e!!m"o"!
Status: RO
X-Status:
X-Keywords:
X-UID: 13

[!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"]
[html]
[head]
[meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"]
[/head]
[style]
[body]
[table cellpadding=0 cellspacing=0 width=620]
[tr]
[td][a href="http://microsoft.duo.com/Key=8919.CCD3Q.C.D1.NqdlsZ" target="_blank"][img src="http://ads1.plt.com/ads/pronws/CIQ4975/en_UK/images/ie7m25ans.jpg" width=620 height=515 border=0][/a][/td]
[/tr]
[tr]
[td]
[div style="padding:10px"]
[font face="Tahoma,Arial,sans-serif" size=1]
You are receiving this message from mbil or Windows Live because you
are a valued member. Microsoft respects your privacy. To learn more,
please read our online [a href="http://microsoft.bcsc.com/Key=8919.CCD3Q.G.D1.H0j82F" target="_blank"]Privacy
Statement[/a].
[br]
[br]
We hope you find these communications valuable. However, if you
would prefer to no longer receive promotional offers or research emails
from cjl please visit our [a href="http://microsoft.dzqz.com/Key=8919.CCD3Q.H.D1.C65KGn" target="_blank"]Marketing
Preferences[/a].
[br]
[br]
*Compared to Internet Explorer 6
[br]
[br]
Microsoft Corporation,One Microsoft Way, Redmond, WA
98052[/font][/div]
[/td]
[/tr]
[/table]
[/style]
[center]
[a href="http://www.duckwindow.com"][img src="http://www.duckwindow.com/1.gif"]
[style]
[br]..
[20080103064150.4...@microsoft.kokk.com][/font]
[br]
[img src="http://microsoft.terz.com/images/blankpixel.gif/Key=8919.CCD3Q..D1.FrwdkP"]


[/div]
[/div]

[/div]

[/body]
[/html]
[/style]

--
All postings to news.admin.net-abuse.sightings are unconfirmed and unverified
unless stated otherwise by the moderators. All opinions expressed above are
considered the opinions of the original poster, not the moderators or their
respective employers. For a copy of the guidelines to this group, see:
http://www.killfile.org/~tskirvin/nana/
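The dig extracts in the report above send a non-recursive A query straight to each nameserver listed in the root servers and read the flags line for "qr aa". The following is an added example for this thread, not the poster's tooling: it builds the same kind of query (RD clear, which is what +norec does), decodes the response header so the AA/RD/RA bits can be tested in code, and checks an answer the way the report does by eye. There is no network access here; the reply is constructed by hand to look like what an authoritative server sends, and the address in it (192.0.2.10, documentation space) is an assumption rather than a looked-up value.

```python
"""Build a non-recursive DNS A query and decode the reply header, so the
'flags: qr aa' check from the dig extracts can be done programmatically.

Added example, not the poster's tooling. Runs offline: the response is
constructed below, and 192.0.2.10 is a placeholder address (assumption)."""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, recursion_desired=False):
    """A query for `name`. RD clear is what dig +norec sends: a host that is
    only a recursive resolver cannot then answer on the zone's behalf, so any
    answer we do get must come from the server's own authoritative data."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def decode_name(msg, offset):
    """Read a possibly-compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_message(msg):
    """Decode header flags and any IN A answers (queries share the layout)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "answers": [],
    }
    offset = 12
    for _ in range(qd):                      # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4                          # QTYPE + QCLASS
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            info["answers"].append((name, ".".join(str(b) for b in rdata)))
    return info


def is_authoritative_answer(query, response):
    """The check behind 'flags: qr aa' in the extracts: a reply to our
    transaction, AA set, no error. With RD never sent, an answer without AA
    means a lame server or an open resolver, not the zone's own data."""
    q, r = parse_message(query), parse_message(response)
    return r["qr"] and r["aa"] and r["id"] == q["id"] and r["rcode"] == 0


def constructed_response(query, address="192.0.2.10"):
    """Hand-built reply an authoritative server would send to `query`: QR and
    AA set, RD/RA clear, one A record whose owner name is a 0xC00C pointer
    back to the question. The address is a placeholder (assumption)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in address.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4) + rdata
    return header + question + answer


def with_flags(msg, flags):
    """Copy of a message with the header flags replaced, to simulate e.g. a
    resolver-style reply (QR, RD and RA set, AA clear)."""
    return msg[:2] + struct.pack("!H", flags) + msg[4:]


if __name__ == "__main__":
    q = build_query("directpharmacysupport.com")
    r = constructed_response(q)
    print(parse_message(r), is_authoritative_answer(q, r))
    print(is_authoritative_answer(q, with_flags(r, 0x8180)))
```

To use it against a live server, send `build_query(...)` over UDP port 53 to the nameserver's address and pass the datagram received to `is_authoritative_answer`; a reply with AA clear from a host listed as NS is the "lame" case the report is probing for, and a timeout is the "connection timed out" case it shows for nature-meds.com.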

Tamesha
Mar 4, 2008, 5:25:26 AM
Mail received on spamtrap. This spamtrap mail has been redacted, the
mail was not really sent to <Tames...@users.spamikaze.org>.
URLs have been stripped of the parts before and after the host name.

>From 1...@ncc.co.uk Tue Mar 04 05:25:25 2008
Return-path: <1...@ncc.co.uk>
Received: from [mail.victim.example] (helo=humbolt.mail.victim.example)
by shelob.surriel.com with esmtp (Exim 4.63)
(envelope-from <1...@ncc.co.uk>)
id 1JWUKo-0000j5-Ns
for Tames...@users.spamikaze.org; Tue, 04 Mar 2008 05:25:23 -0500
Received: from host86-146-125-87.range86-146.btcentralplus.com ([86.146.125.87])
by humbolt.mail.victim.example with smtp (Exim 4.22)
id 1JWUKn-0004gH-GZ
for Tames...@users.spamikaze.org; Tue, 04 Mar 2008 11:25:21 +0100


Content-Return: allowed
X-Mailer: CME-V6.5.4.3; MSN

Message-Id: <200803041025...@host86-146-125-87.range86-146.btcentralplus.com>
To: Tames...@users.spamikaze.org (Tames...@users.spamikaze.org)
Subject: March 83% Off
From: Tames...@users.spamikaze.org
Reply-to: MSN Featured Offers <as...@mail.msadcenter.msn.com>
MIME-Version: 1.0
Date: Tue, 04 Mar 2008 11:25:21 +0100

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<style>
<body>
<table cellpadding=0 cellspacing=0 width=620>
<tr>

<td><a href="http://microsoft.yda.com8919.CCD3Q.C.D1.NqdlsZ" target="_blank"><img src="http://ads1.rwe.com width=620 height=515 border=0></a></td>


</tr>
<tr>
<td>
<div style="padding:10px">
<font face="Tahoma,Arial,sans-serif" size=1>

You are receiving this message from miwx or Windows Live because you


are a valued member. Microsoft respects your privacy. To learn more,

please read our online <a href="http://microsoft.goxa.com8919.CCD3Q.G.D1.H0j82F" target="_blank">Privacy


Statement</a>.
<br>
<br>
We hope you find these communications valuable. However, if you
would prefer to no longer receive promotional offers or research emails

from lxh please visit our <a href="http://microsoft.moqx.com8919.CCD3Q.H.D1.C65KGn" target="_blank">Marketing


Preferences</a>.
<br>
<br>
*Compared to Internet Explorer 6
<br>
<br>
Microsoft Corporation,One Microsoft Way, Redmond, WA
98052</font></div>
</td>
</tr>
</table>
</style>
<center>

<a href="http://www.animalwhole.com><img src="http://www.animalwhole.com>
<style>
<br>..
<20080103064150.4...@microsoft.oajz.com></font>
<br>
<img src="http://microsoft.pown.com8919.CCD3Q..D1.FrwdkP">
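Both reports above make the same two points from the headers: the injecting host is the one that handed the message to the recipient's own mail relay (91.76.104.250 in the first, 86.146.125.87 in the spamtrap copy), and the visible sender is forged so that From: equals the recipient while Reply-To: points at msn.com. The following is an added example, not code from either poster, that walks the Received: chain newest-first to find that hop and lists the forgery tells. The header excerpts are transcribed from the two reports with their redactions left in place and blank lines inside the header block dropped; the sets of hosts treated as trusted relays are assumptions chosen to match each report.

```python
"""Locate the injection point of a spam from its Received: chain and flag
the forged-sender pattern shared by the two reports in this thread.

Added example, not either poster's code. Header samples are transcribed
from the reports; TRUSTED_1 / TRUSTED_2 are assumptions about which relays
each reporter controls."""
import email
import re

# Transcribed from the first report (redacted fields kept as the poster wrote them).
REPORT_1 = """\
Return-Path: <_my_name_intruded@_my_isp_>
Received: from ppp91-76-104-250.pppoe.mtu-net.ru (ppp91-76-104-250.pppoe.mtu-net.ru [91.76.104.250])
\tby _my_isp_ (xxx) with SMTP id m237qCS7086450
\tfor <_my_email_address_>; Mon, 3 Mar 2008 02:52:18 -0500 (EST)
\t(envelope-from _my_name_intruded@_my_isp_)
X-Mailer: CME-V6.5.4.3; MSN
To: <_my_email_address_>
Subject: March 83% Off
From: _my_email_address_
Reply-to: MSN Featured Offers <lk...@mail.msadcenter.msn.com>

"""

# Transcribed from the spamtrap report.
REPORT_2 = """\
Return-path: <1...@ncc.co.uk>
Received: from [mail.victim.example] (helo=humbolt.mail.victim.example)
\tby shelob.surriel.com with esmtp (Exim 4.63)
\t(envelope-from <1...@ncc.co.uk>)
\tid 1JWUKo-0000j5-Ns
\tfor Tames...@users.spamikaze.org; Tue, 04 Mar 2008 05:25:23 -0500
Received: from host86-146-125-87.range86-146.btcentralplus.com ([86.146.125.87])
\tby humbolt.mail.victim.example with smtp (Exim 4.22)
\tid 1JWUKn-0004gH-GZ
\tfor Tames...@users.spamikaze.org; Tue, 04 Mar 2008 11:25:21 +0100
X-Mailer: CME-V6.5.4.3; MSN
To: Tames...@users.spamikaze.org (Tames...@users.spamikaze.org)
Subject: March 83% Off
From: Tames...@users.spamikaze.org
Reply-to: MSN Featured Offers <as...@mail.msadcenter.msn.com>

"""

# Assumption: relays each reporter trusts. First report: only the ISP's MX.
# Spamtrap: the trap host plus the victim domain's MX that forwarded to it.
TRUSTED_1 = {"_my_isp_"}
TRUSTED_2 = {"shelob.surriel.com", "humbolt.mail.victim.example", "mail.victim.example"}

# "from <name> (<comment>) by <host>": the comment is where the receiving MTA
# records the peer's literal address and, for Exim, a differing HELO name.
HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value):
    """Return (sender_name, sender_ip_or_None, receiving_host) for one header."""
    m = HOP_RE.search(" ".join(value.split()))   # unfold continuation lines
    if not m:
        return None
    comment = m.group("comment") or ""
    sender = m.group("from").strip("[]")
    helo = re.search(r"helo=(\S+)", comment)
    if helo:
        sender = helo.group(1)
    ip = IPV4_RE.search(comment) or IPV4_RE.search(m.group("from"))
    return sender.lower(), (ip.group(1) if ip else None), m.group("by").lower()


def injection_point(raw, trusted):
    """Walk Received: headers newest-first. The first hop written by one of
    our trusted relays about a sender that is not itself trusted is where
    the spammer handed the message over; every hop below it is forgeable."""
    msg = email.message_from_string(raw)
    for value in msg.get_all("Received", []):
        hop = parse_hop(value)
        if hop is None:
            continue
        sender, ip, by = hop
        if by in trusted and sender not in trusted:
            return {"helo": sender, "ip": ip, "by": by}
    return None


def bare_address(value):
    """Address part of a header, tolerant of the redacted forms used above."""
    m = re.search(r"<([^>]*)>", value)
    return (m.group(1) if m else value.split("(")[0]).strip().lower()


def domain_of(addr):
    return addr.rpartition("@")[2]


def forgery_indicators(raw):
    """Header-level tells common to both reports."""
    msg = email.message_from_string(raw)
    frm = bare_address(msg.get("From", ""))
    to = bare_address(msg.get("To", ""))
    reply = bare_address(msg.get("Reply-To", ""))
    found = []
    if frm and frm == to:
        found.append("from-equals-recipient")
    if reply and domain_of(reply) != domain_of(frm):
        found.append("reply-to-domain-differs")
    if msg.get("X-Mailer", "").startswith("CME-V6.5.4.3"):
        found.append("x-mailer-matches-both-reports")
    return found


if __name__ == "__main__":
    for raw, trusted in ((REPORT_1, TRUSTED_1), (REPORT_2, TRUSTED_2)):
        print(injection_point(raw, trusted), forgery_indicators(raw))
```

The trusted set matters: leave the victim's forwarding MX out of it for the spamtrap copy and the walk stops one hop early, naming humbolt.mail.victim.example as the sender instead of the BT dial-up address, which is exactly the mistake that gets abuse reports sent to the wrong party.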
