anyone up for a little spam analysis?

Gary Nichols gnichols@qwest.net
Thu, 29 Mar 2001 15:39:12 -0700


Whoops I didn't go down the header.. see what happens when I take a few days
off.  *brain lock*


-----Original Message-----
From: plug-discuss-admin@lists.PLUG.phoenix.az.us
[mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of Gorman,
John
Sent: Thursday, March 29, 2001 2:28 PM
To: 'plug-discuss@lists.PLUG.phoenix.az.us'
Subject: RE: anyone up for a little spam analysis?


What is this script doing? Going through different web sites?

Anybody have more insight on this?

The "Received: from 96139.com ([202.107.34.130])" is actually coming from
China:

inetnum:     202.107.0.0 - 202.107.127.255
netname:     CHINANET-LN
descr:       CHINANET Liaoning province network
descr:       Data Communication Division
descr:       China Telecom
country:     CN
admin-c:     CH93-AP
tech-c:      ZZ49-AP
mnt-by:      MAINT-CHINANET
mnt-lower:   MAINT-CN-CHINANET-LN
changed:     weitj@cndata.com 20010307
source:      APNIC

person:      Chinanet Hostmaster
address:     A12,Xin-Jie-Kou-Wai Street
phone:       +86-10-62370437
fax-no:      +86-10-62053995
country:     CN
e-mail:      hostmaster@ns.chinanet.cn.net
nic-hdl:     CH93-AP
mnt-by:      MAINT-CHINANET
changed:     hostmaster@ns.chinanet.cn.net 20000101
source:      APNIC

person:      Zhang Tielong Zhang Tielong
address:     Liaoning Shenyang
phone:       +86-24-22801997
fax-no:      +86-24-22800376
country:     CN
e-mail:      lndcb2@pub.sy.ln.cn
nic-hdl:     ZZ49-AP
mnt-by:      MAINT-NEW
changed:     lndcb2@pub.sy.ln.cn 19990416
source:      APNIC

And
===

Domain Name:96139.com


Registrant:
Liaoning Mobile Information Industry Ltd
        No.79-1,Nan shi Road,Heping District
        Shenyang Shenyang 110005
        China


Administrative Contact:
Gao ChunLin
        ShenYang Public Information Property CO. LTD.
        NO.268 DAXI ROAD,SHENHE DISTRICT,SHENYANG,
        ShenYang Shenyang 110014
        China
        tel: 86 024 22945649
        fax: 86 024 22865151
        gcl@pub.ln.cninfo.net

Technical Contact:
Gao ChunLin
        ShenYang Public Information Property CO. LTD.
        NO.268 DAXI ROAD,SHENHE DISTRICT,SHENYANG,
        ShenYang Shenyang 110014
        China
        tel: 86 024 22945649
        fax: 86 024 22865151
        gcl@pub.ln.cninfo.net

Billing Contact:
Wang DongQi
        ShenYang Public Information Property CO. LTD.
        NO.268 DAXI ROAD,SHENHE DISTRICT,SHENYANG,
        ShenYang Shenyang 110014
        China
        tel: 86 024 22945649
        fax: 86 024 22865151
        gcl@pub.ln.cninfo.net

 Registration Date: 2000-11-03
       Update Date: 2001-02-27
   Expiration Date: 2002-11-03

    Primary DNS:  ns.sy163.net          202.96.64.84
  Secondary DNS:  ns.cn-clic.com        202.96.82.68


John

-----Original Message-----
From: Gary Nichols [mailto:gnichols@qwest.net]
Sent: Thursday, March 29, 2001 1:32 PM
To: plug-discuss@lists.PLUG.phoenix.az.us
Subject: RE: anyone up for a little spam analysis?


Forward that to abuse@home.com.  Whoever is at 24.0.95.232 is either
knowingly (or maybe unknowingly!) passing out spam.  They are good at
sticking to their AUP.



-----Original Message-----
From: plug-discuss-admin@lists.PLUG.phoenix.az.us
[mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of Lucas
Vogel
Sent: Thursday, March 29, 2001 1:27 PM
To: plug1
Subject: anyone up for a little spam analysis?


I got an interesting piece of spam today, and I'm not entirely sure what
it's doing.

the source code:

----------------------------------------------------------

Return-Path: <tomjones@otenet.gr>
Received: from mh7-sfba.mail.home.com ([24.0.95.236])
          by mail1.rdc1.az.home.com (InterMail vM.4.01.03.00 201-229-121)
          with ESMTP
          id
<20010329180004.XIVE9238.mail1.rdc1.az.home.com@mh7-sfba.mail.home.com>
          for <lucas7@mail.phnx3.az.home.com>;
          Thu, 29 Mar 2001 10:00:04 -0800
Received: from mx7-sfba.mail.home.com (mx7-sfba.mail.home.com [24.0.95.232])
	by mh7-sfba.mail.home.com (8.9.3/8.9.0) with ESMTP id KAA23931
	for <lucas7@home.com>; Thu, 29 Mar 2001 10:00:03 -0800 (PST)
From: tomjones@otenet.gr
Received: from 96139.com ([202.107.34.130])
	by mx7-sfba.mail.home.com (8.11.1/8.11.1) with ESMTP id f2TI01p20903
	for <lucas7@home.com>; Thu, 29 Mar 2001 10:00:01 -0800 (PST)
Received: from PACMAN_[207.94.232.21] [207.94.232.21] by 96139.com
  (SMTPD32-6.06 EVAL) id A4716A0114; Thu, 29 Mar 2001 20:02:57 +0800
Received: from mail-in.pol.net.uk by PACMAN with ESMTP; Thu, 29 Mar 2001
06:04:27 -0600
Message-ID: <00005e014f59$000064fc$000013d6@mail-in.pol.net.uk>
To: <sueallendo4955@desertmail.com>
Subject: The economy needs a 2nd wind                         5078
Date: Thu, 29 Mar 2001 06:04:20 -0600
MIME-Version: 1.0
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
Reply-To: bobsuejones454@arabia.com

<HTML>
<BODY>

<HEAD>
<meta http-equiv=3D"Page-Enter" CONTENT=3D"RevealTrans(Duration=3D4,Transi=
tion=3D10)">
<script language=3D"JavaScript"> <!--

var message=3D"Sorry, that function is disabled."; // Message for the aler=
t box

// Don't edit below!
function closeit() {

     window.close()

}
function intro()
{
	if ((navigator.appVersion.indexOf("Mac")!=3D-1) &&
(navigator.userAgent.indexOf("MSIE")!=3D-1) &&
(parseInt(navigator.appVersion)=3D=3D4))
	{
	skip()
	}
	else
	{
	popup()
	}

}
function skip()
{
	location.href=3D"http://www.hongkong.com";
}
function popup()
{
	version =3D
parseFloat(navigator.appVersion.substring(navigator.appVersio=
n.indexOf('.')-1,navigator.appVersion.length));
	if (version >=3D 4)
	version =3D
parseFloat(navigator.appVersion.substring(navigator.appVersio=
n.indexOf('.')-1,navigator.appVersion.length));
	if (version >=3D 4)

	{
	if (navigator.appName=3D=3D"Netscape")
 {
    Hello =3D window.open("http://www.members.geocities.com%40www.foreigne=
xchange.i85.net%40www.cybercafe.envy.nu:209.247.194.44=3Dredirect=3D%40www=
myplaceonthenet.hypermart.net+cgi=3DSource&Location_override=3Dwww.curren=
cyexchange.com@myside.bizland.com/=3D?redirect=3D209.185.151.131@www.curdi=
gitaldatastreamcomputernetworking.com/redirect.cgi?-refer#4908732?http://g=
eocities.net/majorcomputernetworking:endofline.com?needanumeralhexadec.com=
:1.5.4://redirect?ebay.com/hobbies/http://mnumeralhexadec.com?12.5.102.4?d=
igitaldatastreamcomputernetworking.com/main.html?http://geocities.net/majo=
rcomputernetworking:endofline.com?http://www.delhadata.com:1.5.4://redirec=
t:ebay.com/hobbies/com@myside.bizland.com/=3D?redirect=3D209.185.151.131@www.curdigitaldatast=
reamcomputernetworking.com/redirect.cgi?-refer#4908732?http://geocities.ne=
t/majorcomputernetworking:endofline.com?needanumeralhexadec.com:1.5.4://re=
direct?ebay.com/hobbies/http://mnumeralhexadec.com?12.5.102.4?digitaldatas=
treamcomputernetworking.com/main.html?http://geocities.net/majorcomputerne=
tworking:endofline.com?http://www.delhadata.com:1.5.4://redirect:ebay.com/=
hobbies/http://mnumeralhexadecimal.com?12.5.102.4/","screen","fullscreen=3D=
yes");
		}
	}
	else
	{

location.href=3D"http://www.members.geocities.com%40www.foreignexchange.=
i85.net%40www.cybercafe.envy.nu:209.247.194.44=3Dredirect=3D%40www.myplace=
onthenet.hypermart.net+cgi=3DSource&Location_override=3Dwww.currencyexchan=
ge.com@myside.bizland.com/=3D?redirect=3D209.185.151.131@www.curdigitaldat=
astreamcomputernetworking.com/redirect.cgi?-refer#4908732?http://geocities=
net/majorcomputernetworking:endofline.com?needanumeralhexadec.com:1.5.4:/=
/redirect?ebay.com/hobbies/http://mnumeralhexadec.com?12.5.102.4?digitalda=
tastreamcomputernetworking.com/main.html?http://geocities.net/majorcompute=
rnetworking:endofline.com?http://www.delhadata.com:1.5.4://redirect:ebay.c=
om/hobbies/http://mnumeralhexadecimal.com?12.5.102.4/";
	}

}
function click(e) {
if (document.all) {
if (event.button =3D=3D 2) {
alert(message);
return false;
}
}
if (document.layers) {
if (e.which =3D=3D 3) {
alert(message);
return false;
}
}
}
if (document.layers) {
document.captureEvents(Event.MOUSEDOWN);
}
document.onmousedown=3Dclick;
// --> </script>

	<META NAME=3D"GENERATOR" Content=3D"Microsoft FrontPage 4.0">
	<META HTTP-EQUIV=3D"Content-Type"
CONTENT=3D"text/html;CHARSET=3Diso-8859=
-1">
	<TITLE>Hello</TITLE>
</HEAD>

<BODY BGCOLOR=3D"#0000AA" LINK=3D"#000000" onLoad=3D"intro()">

<P><SCRIPT LANGUAGE=3D"Javascript">
</SCRIPT>


</BODY>

</HTML>
<p><p><p><p><p><p><p><p><p><p>







<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"><p><HTML><p><p><p><p>
</BODY>
</HTML>


----------------------

Lucas

________________________________________________
See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post
to the list quickly and you use Netscape to write mail.

Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

