anyone up for a little spam analysis?
Gorman, John
John.Gorman@pegs.com
Thu, 29 Mar 2001 14:27:39 -0700
What is this script doing? Going through different web sites?
Anybody have more insight on this?
The "Received: from 96139.com ([202.107.34.130])" is actually coming from
China:
inetnum: 202.107.0.0 - 202.107.127.255
netname: CHINANET-LN
descr: CHINANET Liaoning province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: ZZ49-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CN-CHINANET-LN
changed: weitj@cndata.com 20010307
source: APNIC
person: Chinanet Hostmaster
address: A12,Xin-Jie-Kou-Wai Street
phone: +86-10-62370437
fax-no: +86-10-62053995
country: CN
e-mail: hostmaster@ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster@ns.chinanet.cn.net 20000101
source: APNIC
person: Zhang Tielong Zhang Tielong
address: Liaoning Shenyang
phone: +86-24-22801997
fax-no: +86-24-22800376
country: CN
e-mail: lndcb2@pub.sy.ln.cn
nic-hdl: ZZ49-AP
mnt-by: MAINT-NEW
changed: lndcb2@pub.sy.ln.cn 19990416
source: APNIC
And
===
Domain Name:96139.com
Registrant:
Liaoning Mobile Information Industry Ltd
No.79-1,Nan shi Road,Heping District
Shenyang Shenyang 110005
China
Administrative Contact:
Gao ChunLin
ShenYang Public Information Property CO. LTD.
NO.268 DAXI ROAD,SHENHE DISTRICT,SHENYANG,
ShenYang Shenyang 110014
China
tel: 86 024 22945649
fax: 86 024 22865151
gcl@pub.ln.cninfo.net
Technical Contact:
Gao ChunLin
ShenYang Public Information Property CO. LTD.
NO.268 DAXI ROAD,SHENHE DISTRICT,SHENYANG,
ShenYang Shenyang 110014
China
tel: 86 024 22945649
fax: 86 024 22865151
gcl@pub.ln.cninfo.net
Billing Contact:
Wang DongQi
ShenYang Public Information Property CO. LTD.
NO.268 DAXI ROAD,SHENHE DISTRICT,SHENYANG,
ShenYang Shenyang 110014
China
tel: 86 024 22945649
fax: 86 024 22865151
gcl@pub.ln.cninfo.net
Registration Date: 2000-11-03
Update Date: 2001-02-27
Expiration Date: 2002-11-03
Primary DNS: ns.sy163.net 202.96.64.84
Secondary DNS: ns.cn-clic.com 202.96.82.68
John
-----Original Message-----
From: Gary Nichols [mailto:gnichols@qwest.net]
Sent: Thursday, March 29, 2001 1:32 PM
To: plug-discuss@lists.PLUG.phoenix.az.us
Subject: RE: anyone up for a little spam analysis?
Forward that to abuse@home.com. Whoever is at 24.0.95.232 is either
knowingly (or maybe unknowingly!) passing out spam. They are good at
sticking to their AUP.
-----Original Message-----
From: plug-discuss-admin@lists.PLUG.phoenix.az.us
[mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of Lucas
Vogel
Sent: Thursday, March 29, 2001 1:27 PM
To: plug1
Subject: anyone up for a little spam analysis?
I got an interesting piece of spam today, and I'm not entirely sure what
it's doing.
the source code:
----------------------------------------------------------
Return-Path: <tomjones@otenet.gr>
Received: from mh7-sfba.mail.home.com ([24.0.95.236])
by mail1.rdc1.az.home.com (InterMail vM.4.01.03.00 201-229-121)
with ESMTP
id
<20010329180004.XIVE9238.mail1.rdc1.az.home.com@mh7-sfba.mail.home.com>
for <lucas7@mail.phnx3.az.home.com>;
Thu, 29 Mar 2001 10:00:04 -0800
Received: from mx7-sfba.mail.home.com (mx7-sfba.mail.home.com [24.0.95.232])
by mh7-sfba.mail.home.com (8.9.3/8.9.0) with ESMTP id KAA23931
for <lucas7@home.com>; Thu, 29 Mar 2001 10:00:03 -0800 (PST)
From: tomjones@otenet.gr
Received: from 96139.com ([202.107.34.130])
by mx7-sfba.mail.home.com (8.11.1/8.11.1) with ESMTP id f2TI01p20903
for <lucas7@home.com>; Thu, 29 Mar 2001 10:00:01 -0800 (PST)
Received: from PACMAN_[207.94.232.21] [207.94.232.21] by 96139.com
(SMTPD32-6.06 EVAL) id A4716A0114; Thu, 29 Mar 2001 20:02:57 +0800
Received: from mail-in.pol.net.uk by PACMAN with ESMTP; Thu, 29 Mar 2001
06:04:27 -0600
Message-ID: <00005e014f59$000064fc$000013d6@mail-in.pol.net.uk>
To: <sueallendo4955@desertmail.com>
Subject: The economy needs a 2nd wind 5078
Date: Thu, 29 Mar 2001 06:04:20 -0600
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
Reply-To: bobsuejones454@arabia.com
<HTML>
<BODY>
<HEAD>
<meta http-equiv=3D"Page-Enter" CONTENT=3D"RevealTrans(Duration=3D4,Transi=
tion=3D10)">
<script language=3D"JavaScript"> <!--
var message=3D"Sorry, that function is disabled."; // Message for the aler=
t box
// Don't edit below!
function closeit() {
window.close()
}
function intro()
{
if ((navigator.appVersion.indexOf("Mac")!=3D-1) &&
(navigator.userAgent.indexOf("MSIE")!=3D-1) &&
(parseInt(navigator.appVersion)=3D=3D4))
{
skip()
}
else
{
popup()
}
}
function skip()
{
location.href=3D"http://www.hongkong.com";
}
function popup()
{
version =3D
parseFloat(navigator.appVersion.substring(navigator.appVersio=
n.indexOf('.')-1,navigator.appVersion.length));
if (version >=3D 4)
version =3D
parseFloat(navigator.appVersion.substring(navigator.appVersio=
n.indexOf('.')-1,navigator.appVersion.length));
if (version >=3D 4)
{
if (navigator.appName=3D=3D"Netscape")
{
Hello =3D window.open("http://www.members.geocities.com%40www.foreigne=
xchange.i85.net%40www.cybercafe.envy.nu:209.247.194.44=3Dredirect=3D%40www=
myplaceonthenet.hypermart.net+cgi=3DSource&Location_override=3Dwww.curren=
cyexchange.com@myside.bizland.com/=3D?redirect=3D209.185.151.131@www.curdi=
gitaldatastreamcomputernetworking.com/redirect.cgi?-refer#4908732?http://g=
eocities.net/majorcomputernetworking:endofline.com?needanumeralhexadec.com=
:1.5.4://redirect?ebay.com/hobbies/http://mnumeralhexadec.com?12.5.102.4?d=
igitaldatastreamcomputernetworking.com/main.html?http://geocities.net/majo=
rcomputernetworking:endofline.com?http://www.delhadata.com:1.5.4://redirec=
t:ebay.com/hobbies/http://mnumeralhexadecimal.com?12.5.102.4/","Hello","sc=
rollbars");
Hello.focus();
}
if (navigator.appName=3D=3D"Microsoft Internet Explorer")
{
window.open("http://www.members.geocities.com%40www.foreignexchange.i85=
net%40www.cybercafe.envy.nu:209.247.194.44=3Dredirect=3D%40www.myplaceont=
henet.hypermart.net+cgi=3DSource&Location_override=3Dwww.currencyexchange.=
com@myside.bizland.com/=3D?redirect=3D209.185.151.131@www.curdigitaldatast=
reamcomputernetworking.com/redirect.cgi?-refer#4908732?http://geocities.ne=
t/majorcomputernetworking:endofline.com?needanumeralhexadec.com:1.5.4://re=
direct?ebay.com/hobbies/http://mnumeralhexadec.com?12.5.102.4?digitaldatas=
treamcomputernetworking.com/main.html?http://geocities.net/majorcomputerne=
tworking:endofline.com?http://www.delhadata.com:1.5.4://redirect:ebay.com/=
hobbies/http://mnumeralhexadecimal.com?12.5.102.4/","screen","fullscreen=3D=
yes");
}
}
else
{
location.href=3D"http://www.members.geocities.com%40www.foreignexchange.=
i85.net%40www.cybercafe.envy.nu:209.247.194.44=3Dredirect=3D%40www.myplace=
onthenet.hypermart.net+cgi=3DSource&Location_override=3Dwww.currencyexchan=
ge.com@myside.bizland.com/=3D?redirect=3D209.185.151.131@www.curdigitaldat=
astreamcomputernetworking.com/redirect.cgi?-refer#4908732?http://geocities=
net/majorcomputernetworking:endofline.com?needanumeralhexadec.com:1.5.4:/=
/redirect?ebay.com/hobbies/http://mnumeralhexadec.com?12.5.102.4?digitalda=
tastreamcomputernetworking.com/main.html?http://geocities.net/majorcompute=
rnetworking:endofline.com?http://www.delhadata.com:1.5.4://redirect:ebay.c=
om/hobbies/http://mnumeralhexadecimal.com?12.5.102.4/";
}
}
function click(e) {
if (document.all) {
if (event.button =3D=3D 2) {
alert(message);
return false;
}
}
if (document.layers) {
if (e.which =3D=3D 3) {
alert(message);
return false;
}
}
}
if (document.layers) {
document.captureEvents(Event.MOUSEDOWN);
}
document.onmousedown=3Dclick;
// --> </script>
<META NAME=3D"GENERATOR" Content=3D"Microsoft FrontPage 4.0">
<META HTTP-EQUIV=3D"Content-Type"
CONTENT=3D"text/html;CHARSET=3Diso-8859=
-1">
<TITLE>Hello</TITLE>
</HEAD>
<BODY BGCOLOR=3D"#0000AA" LINK=3D"#000000" onLoad=3D"intro()">
<P><SCRIPT LANGUAGE=3D"Javascript">
</SCRIPT>
</BODY>
</HTML>
<p><p><p><p><p><p><p><p><p><p>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"><p><HTML><p><p><p><p>
</BODY>
</HTML>
----------------------
Lucas
________________________________________________
See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post
to the list quickly and you use Netscape to write mail.
Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
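A small Received-chain walker for the message quoted in this thread, added here as an illustration and not part of any of the posts: it unfolds the Received headers, pulls out each hop's HELO name, bracketed IP and receiving host, and stops trusting the chain at the first hop not written by the recipient's own provider (assumed here to be any server under home.com). It shows why 24.0.95.232 is the recipient's own MX rather than the spammer, and why 202.107.34.130 is the first address worth a whois lookup.

```python
import re

# Constructed sample: four Received headers quoted above, folded as in the raw message.
RAW_HEADERS = (
    "Received: from mx7-sfba.mail.home.com (mx7-sfba.mail.home.com [24.0.95.232])\n"
    "\tby mh7-sfba.mail.home.com (8.9.3/8.9.0) with ESMTP id KAA23931\n"
    "\tfor <lucas7@home.com>; Thu, 29 Mar 2001 10:00:03 -0800 (PST)\n"
    "Received: from 96139.com ([202.107.34.130])\n"
    "\tby mx7-sfba.mail.home.com (8.11.1/8.11.1) with ESMTP id f2TI01p20903\n"
    "\tfor <lucas7@home.com>; Thu, 29 Mar 2001 10:00:01 -0800 (PST)\n"
    "Received: from PACMAN_[207.94.232.21] [207.94.232.21] by 96139.com\n"
    "\t(SMTPD32-6.06 EVAL) id A4716A0114; Thu, 29 Mar 2001 20:02:57 +0800\n"
    "Received: from mail-in.pol.net.uk by PACMAN with ESMTP; Thu, 29 Mar 2001\n"
    "\t06:04:27 -0600\n"
)

HOP_RE = re.compile(r"^Received:\s+from\s+(\S+)(.*?)\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_hops(raw):
    """Top-down list of (HELO name, bracketed IP or None, receiving host)."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if m:
            helo, extra, by = m.groups()
            ip = IP_RE.search(helo + extra)  # SMTPD32 embeds the IP in the HELO too
            hops.append((helo, ip.group(1) if ip else None, by))
    return hops

def trusted_origin(hops, own_suffix):
    """The first hop our own servers wrote from a sender outside our domain
    gives the IP that server really saw connect; hops below it were written by
    the sender's side and are unverifiable. (Assumes HELO suffix as boundary.)"""
    for helo, ip, by in hops:
        if not by.lower().endswith(own_suffix):
            break
        if ip and not helo.lower().endswith(own_suffix):
            return ip  # here: 202.107.34.130, the address looked up in APNIC above
    return None
```

HELO names are sender-supplied, so a production version should decide "our server" by matching the recorded IP against the provider's own address ranges rather than by domain suffix.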