Spamvert botnet:
www.ironfinal.com => botnet
ironfinal.com Resolved to IP 61.92.129.101 to 82.119.108.111 to
202.162.157.5 to 59.188.131.160 to 59.148.161.206 to 59.149.121.202 to
122.18.2.8 to 122.26.194.47 to 123.220.71.196 to 124.6.11.247 to
218.191.9.179 to 219.107.160.232 to 219.254.39.142 to 220.152.70.129
to 221.125.246.101 to 221.126.120.228 to 221.127.39.105 to
59.149.47.103 to 221.127.175.71
Spamvert Image Hosting URL:
http://www.degreehalf.com/1.gif
degreehalf.com => botnet
Resolved www.degreehalf.com to IP 202.101.215.117 to 219.254.39.142 to
221.124.196.204 to 221.125.210.72 to 221.125.246.101 to
221.126.251.251 to 221.127.22.67 to 221.127.36.157 to 221.127.81.55 to
221.126.147.31 to 221.127.175.71 to 222.98.83.209 to 59.148.161.206 to
59.149.121.202 to 61.225.19.81 to 122.18.2.8 to 124.6.11.247 to
202.162.157.5 to 203.168.233.85 to 218.191.9.179 to 218.209.183.17 to
219.107.160.232
Title: Canadian Pharmacy
WEB:
© Copyright Canadian Pharmacy, 2003-2007. All Rights Reserved.
Much More Canadian Pharmacy sightings:
http://groups.google.com/groups/search?q=%22Canadian+Pharmacy%22+group%3A*abuse&start=0&scoring=d&
See the sender identity and header forgery by the spammer.
Plenty of Forged Certificates and logos as always.
Much More info below:
====================
X-SID-PRA: Viagra.com Inc <[MUNGED]>
X-Message-Info: 6sSXyD95QpW/ouk6oAi5doLzmhjls/
bhSpDO17TnpCU9S3zB4lZl8DFACm3sSkp6nvtkKN6ESZjTZ0d7XpkqwQ==
Received: from tomts42-srv.bellnexxia.net ([209.226.175.99]) by bay0-
pamc1-f1.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2444);
Thu, 27 Sep 2007 00:56:34 -0700
Received: from [MUNGED]
by toip19.srvr.bell.ca with ESMTP; 27 Sep 2007 03:56:24 -0400
Received: (qmail 31970 invoked by uid 110); 27 Sep 2007 03:52:46 -0400
Delivered-To: [MUNGED]
Received: (qmail 31896 invoked from network); 27 Sep 2007 03:52:43
-0400
Received: from 82-36-112-220.cable.ubr03.king.blueyonder.co.uk (HELO
pip-15fd4557c7d) (82.36.112.220)
by [MUNGED] with SMTP; 27 Sep 2007 03:52:43 -0400
Content-Return: allowed
X-Mailer: CME-V6.5.4.3; MSN
Return-Path: communication...@cimail15.msn.com
Received: (qmail 5984 by uid 841); Thu, 27 Sep 2007 08:52:42 GMT
Message-Id: <20070927085242.5990.qmail@pip-15fd4557c7d>
To: <[MUNGED]>
Subject: RE: September 70% OFF
From: Viagra.com Inc <[MUNGED]>
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
Date: Thu, 27 Sep 2007 03:56:34 -0400
X-OriginalArrivalTime: 27 Sep 2007 07:56:35.0061 (UTC)
FILETIME=[ECCACA50:01C800DB]
<style>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>
Attachments:
A Dish Network Satellite System has been reserved for you
</title>
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8" />
<link rel="stylesheet" href="http://gfx8.lpi.com/mail/
12.0.1187.0824/positioning.css" />
</head>
<body style="overflow:auto;">
<div id="PrintShellToolbar">
<div class="ContainerPadding">
<span class="FloatRight">
<a href="javascript:window.close();" >
<img alt="" src="http://gfx1.ouu.com/mail/w2/pr02/ltr/
glyph_close_rest.gif" /> Close window
</a>
</span>
<span>
<a href="javascript:PrintDocument();" > <img alt="" src="http://
gfx2.kzi.com/mail/w2/pr02/ltr/i_print.gif" /> Print
</a>
</span>
</div>
</div>
<div>
<div class="BorderContainerOutline ContainerPadding">
<div class="ClearBoth">
<span class="HeaderData" style="font-size:large;">A Dish Network
Satellite System has been reserved for you
</span>
</div>
<div class="ClearBoth">
<span class="HeaderLabel">
From:
</span>
<span class="HeaderData">
<b>Dish</b> (d...@sxo.com)
</span>
</div>
<div class="ClearBoth">
<span class="HeaderLabel">
Sent:
</span>
<span class="HeaderData">
Tue 9/25/07 12:02 PM
</span>
</div>
<div class="ClearBoth">
<span class="HeaderLabel">
To:
</span>
<span class="HeaderData">
#64;lho.com
</span>
</div>
<br />
</div>
</div>
<div class="MessageBody" style="">
<br />
<div id="MessageBodyText" class="ExternalClass" style="border:
1px solid
</table>
</style>
<center>
<a href="http://www.ironfinal.com"><img src="http://www.degreehalf.com/
1.gif">
<style>
<area shape=rect alt="" title="" coords="11,198,549,638"
target="_blank" onClick="onClickUnsafeLink(event);">
<area shape=rect alt="" title="" coords="462,673,524,687"
target="_blank" onClick="onClickUnsafeLink(event);">
</map>
<img src="http://gfx2.kcx.com/mail/w2/pr02/ltr/i_safe.gif"
usemap="#dig" border=0 height=765 width=599
onClick="onClickUnsafeLink(event);">.
</div>
</div>
</div>
</body>
</html>
</style>
-- END OF SPAM --
ironfinal.com is a replacement for topmedsnow.com, nearlocate.com,
toppillscollect.com and directmedmass.com
degreehalf.com is a replacement for fractionthen.com, sawread.com,
medicalplacehope.com and onlinepillact.com
Recent spammer sightings:
http://groups.google.com/groups/search?q=%22September+70%25%22+group%3A*abuse&start=0&scoring=d&
WEB:
Licensed by The College of Pharmacists of British Columbia.
If you have any questions or concerns you can contact the college at
200-1765 West 8th Ave. Vancouver, BC, Canada V6J 5C6
You may contact us at +1(210) 787-1711, please, keep your order I.D.
every time you make a call.
© Copyright Canadian Pharmacy, 2003-2007. All Rights Reserved.
See also Viagra.com Inc sightings:
http://groups.google.com/groups/search?q=%22Viagra.com+Inc%22+group%3A*abuse&start=0&scoring=d&
See:
IP 82.36.112.220 82-36-112-220.cable.ubr03.king.blueyonder.co.uk
http://moensted.dk/spam/?addr=82.36.112.220
Much more blueyonder.co.uk sightings:
http://groups.google.com/groups/search?q=blueyonder.co.uk+group%3A*abuse&start=0&scoring=d&
inetnum: 82.36.112.0 - 82.36.119.255
netname: TELEWEST
descr: BROADBAND - ubr03king
country: GB
role: Telewest Broadband IP Network Services
address: Genesis Business Park
address: Albert Drive
address: Woking
address: Surrey UK
address: GU21 5RW
route: 82.36.0.0/16
descr: Telewest Broadband
descr: UK Broadband ISP
origin: AS5462
notify: ri...@telewest.net
mnt-by: AS5462-MNT
remarks: report abuse to abuse[]blueyonder.co.uk
AS Name: CABLEINET Telewest Broadband
http://www.cidr-report.org/cgi-bin/as-report?as=5462
19 SBL/ROKSO listings for IPs under the responsibility of tpnet.pl
http://www.spamhaus.org/sbl/listings.lasso?isp=tpnet.pl
Spamvert URL:
http://www.ironfinal.com/
See:
ns0.nuspharkosa.com [61.15.244.112] [TTL=172800] [HK]
ns0.pharokufuma.com [193.77.113.201] [TTL=172800] [SI]
NS records at nameservers are:
ns0.pharokufuma.com [221.127.22.104] [TTL=300]
ns0.kopepharas.com [61.238.64.223] [TTL=300]
ns0.mukopkufude.com [202.162.157.5] [TTL=300]
ns0.nuspharkosa.com [89.176.77.56] [TTL=300]
SOA record [TTL=300] is:
Primary nameserver: ns0.kopepharas.com
Hostmaster E-mail address:
Serial #: 0
www.ironfinal.com has no MX records -> ironfinal.com has no MX records
www.ironfinal.com A records are:
www.ironfinal.com A 61.92.129.101 [TTL=300] [HK]
www.ironfinal.com A 122.18.2.8 [TTL=300] [JP]
www.ironfinal.com A 122.26.194.47 [TTL=300] [JP]
www.ironfinal.com A 123.220.71.196 [TTL=300] [JP]
www.ironfinal.com A 124.6.11.247 [TTL=300] [TW]
www.ironfinal.com A 218.191.9.179 [TTL=300] [HK]
www.ironfinal.com A 219.107.160.232 [TTL=300] [JP]
www.ironfinal.com A 219.254.39.142 [TTL=300] [KR]
www.ironfinal.com A 220.152.70.129 [TTL=300] [JP]
www.ironfinal.com A 221.125.246.101 [TTL=300] [HK]
www.ironfinal.com A 221.126.120.228 [TTL=300] [HK]
www.ironfinal.com A 221.127.39.105 [TTL=300] [HK]
www.ironfinal.com A 59.149.47.103 [TTL=300] [HK]
SEE ALSO IP rDNS:
61.92.129.101 = 061092129101.ctinets.com
122.18.2.8 = p8008-ipad301funabasi.chiba.ocn.ne.jp
122.26.194.47 = p3047-ipbf2810marunouchi.tokyo.ocn.ne.jp
123.220.71.196 = p2196-ipbf1808hodogaya.kanagawa.ocn.ne.jp
124.6.11.247 => at phoenix.net.tw / twfn.com.tw (GCNet Reach&Range
Inc.)
218.191.9.179 => at hgc.com.hk / Hutchison
219.107.160.232 = fla1aaj232.szo.mesh.ad.jp
219.254.39.142 => at Hanaro / KOREA
220.152.70.129 = 220-152-70-129.rev.home.ne.jp
221.125.246.101 => at hgc.com.hk / Hutchison
221.126.120.228 => at hgc.com.hk / Hutchison
221.127.39.105 => at hgc.com.hk / Hutchison
221.127.175.71 => hgc.com.hk / Hutchison
59.149.47.103 = 059149047103.ctinets.com
59.148.161.206 = 059148161206.ctinets.com
59.149.121.202 = 059149121202.ctinets.com
59.188.131.160 => at newworldtel.com [HK]
82.119.108.111 = chello082119108111.chello.sk
202.162.157.5 = 157.005.hinocatv.ne.jp
NS:
221.127.22.104 => at hgc.com.hk / Hutchison
61.238.64.223 = 061238064223.ctinets.com
202.162.157.5 = 157.005.hinocatv.ne.jp
89.176.77.56 = r6bz56.net.upc.cz
61.15.244.112 = cm61-15-244-112.hkcable.com.hk
193.77.113.201 = bsn-77-113-201.dial-up.dsl.siol.net
Let's see whois.paycenter.com.cn:
Domain Name: ironfinal.com
Registrant:
Ying Guo
Ying Guo
610000
Administrative Contact:
Ying Guo
Ying Guo
Ying Guo
Ying Guo 610000
United Kingdom
tel: 86 028 8995562
fax: 86 028 8995562
dfer[]hotmail.com
Technical Contact:
Ying Guo
Ying Guo
Ying Guo
Ying Guo 610021
United Kingdom
tel: 86 028 8995562
fax: 86 028 8995562
df...@hotmail.com
Billing Contact:
Ying Guo
Ying Guo
Ying Guo
Ying Guo 610021
United Kingdom
tel: 86 028 8995562
fax: 86 028 8995562
df...@hotmail.com
Registration Date: 2007-09-25
Update Date: 2007-09-25
Expiration Date: 2008-09-25
Primary DNS: ns0.pharokufuma.com 210.6.33.181
Secondary DNS: ns0.nuspharkosa.com 218.209.183.17
Also much more paycenter.com.cn spam support sightings:
http://groups.google.com/groups/search?q=paycenter.com.cn+group%3A*abuse&start=0&scoring=d&
See Image hosting URL:
http://www.degreehalf.com/1.gif
See:
www.degreehalf.com => botnet
ns0.nuspharkosa.com [218.209.183.17] [TTL=172800] [KR]
ns0.pharokufuma.com [210.6.33.181] [TTL=172800] [HK]
NS records at nameservers are:
ns0.nuspharkosa.com [89.176.77.56] [TTL=300]
ns0.pharokufuma.com [221.127.22.104] [TTL=300]
ns0.kopepharas.com [61.238.64.223] [TTL=300]
ns0.mukopkufude.com [202.162.157.5] [TTL=300]
SOA record [TTL=300] is:
Primary nameserver: ns0.nuspharkosa.com
Hostmaster E-mail address:
Serial #: 0
www.degreehalf.com has no MX records -> degreehalf.com has no MX
records
www.degreehalf.com A records are:
www.degreehalf.com A 221.126.147.31 [TTL=300] [HK]
www.degreehalf.com A 221.127.175.71 [TTL=300] [HK]
www.degreehalf.com A 222.98.83.209 [TTL=300] [KR]
www.degreehalf.com A 59.148.161.206 [TTL=300] [HK]
www.degreehalf.com A 59.149.121.202 [TTL=300] [HK]
www.degreehalf.com A 61.225.19.81 [TTL=300] [TW]
www.degreehalf.com A 122.18.2.8 [TTL=300] [JP]
www.degreehalf.com A 124.6.11.247 [TTL=300] [TW]
www.degreehalf.com A 202.162.157.5 [TTL=300] [JP]
www.degreehalf.com A 203.168.233.85 [TTL=300] [HK]
www.degreehalf.com A 218.191.9.179 [TTL=300] [HK]
www.degreehalf.com A 218.209.183.17 [TTL=300] [KR]
www.degreehalf.com A 219.107.160.232 [TTL=300] [JP]
SEE ALSO IP rDNS:
221.126.147.31 => at hgc.com.hk / Hutchison
221.127.175.71 => at hgc.com.hk / Hutchison
222.98.83.209 -> at kornet.net / KOREA
59.148.161.206 = 059148161206.ctinets.com
59.149.121.202 = 059149121202.ctinets.com
61.225.19.81 = 61-225-19-81.dynamic.hinet.net
122.18.2.8 = p8008-ipad301funabasi.chiba.ocn.ne.jp
124.6.11.247 => at phoenix.net.tw / twfn.com.tw (GCNet Reach&Range
Inc.)
202.162.157.5 = 157.005.hinocatv.ne.jp
203.168.233.85 = cm203-168-233-85.hkcable.com.hk
218.191.9.179 => at hgc.com.hk / Hutchison
218.209.183.17 => at TBROAD / KOREA
219.107.160.232 = fla1aaj232.szo.mesh.ad.jp
202.101.215.117 = 117.215.101.202.broad.fz.jx.dynamic.163data.com.cn
219.254.39.142 => at HANARO / KOREA
221.124.196.204 => at hgc.com.hk / Hutchison
221.125.210.72 => at hgc.com.hk / Hutchison
221.125.246.101 => at hgc.com.hk / Hutchison
221.126.251.251 => at hgc.com.hk / Hutchison
221.127.22.67 => at hgc.com.hk / Hutchison
221.127.36.157 => at hgc.com.hk / Hutchison
221.127.81.55 => at hgc.com.hk / Hutchison
SEE ALSO:
hostnames sharing ip with a-records
Let's see whois.paycenter.com.cn:
Domain Name:degreehalf.com
Registrant:
Ying Guo
Ying Guo
610000
Administrative Contact:
Ying Guo
Ying Guo
Ying Guo
Ying Guo 610000
United Kingdom
tel: 86 028 8995562
fax: 86 028 8995562
dfer[]hotmail.com
Technical Contact:
Ying Guo
Ying Guo
Ying Guo
Ying Guo 610021
United Kingdom
tel: 86 028 8995562
fax: 86 028 8995562
df...@hotmail.com
Billing Contact:
Ying Guo
Ying Guo
Ying Guo
Ying Guo 610021
United Kingdom
tel: 86 028 8995562
fax: 86 028 8995562
df...@hotmail.com
Registration Date: 2007-09-25
Update Date: 2007-09-25
Expiration Date: 2008-09-25
Primary DNS: ns0.pharokufuma.com 221.127.111.185
Secondary DNS: ns0.nuspharkosa.com 77.41.82.214
See:
ns0.nuspharkosa.com [89.176.77.56] [TTL=300]
More nuspharkosa.com sightings:
http://groups.google.com/groups/search?q=nuspharkosa.com+group%3A*abuse&start=0&scoring=d&
See:
ns0.pharokufuma.com [221.127.22.104] [TTL=300]
More pharokufuma.com sightings:
http://groups.google.com/groups/search?q=pharokufuma.com+group%3A*abuse&start=0&scoring=d&
See:
ns0.kopepharas.com [61.238.64.223] [TTL=300]
More kopepharas.com sightings:
http://groups.google.com/groups/search?q=kopepharas.com+group%3A*abuse&start=0&scoring=d&
See:
ns0.mukopkufude.com [202.162.157.5] [TTL=300]
More mukopkufude.com sightings:
http://groups.google.com/groups/search?q=mukopkufude.com+group%3A*abuse&start=0&scoring=d&
Read more:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/ae0a8cc1a8b9e918
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/6cd26c793e4a5c23
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/304b0dc256d9e615
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/17cd1878f9bd53ba
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/1db3147bc2411d77
And:
http://groups.google.com/group/news.admin.net-abuse.sightings/msg/7f587d35d2b7fe49
Cheers, Tomez