SPAM_2011-03March-30_03_Analysis_comizero-co

advertisement
ORIGINAL MESSAGE including HEADER
Delivered-To: zzz.zzz@gmail.com
Received: by 10.231.59.143 with SMTP id l15cs57037ibh; Wed, 30 Mar 2011 02:30:17 -0700 (PDT)
Received: by 10.91.99.13 with SMTP id b13mr1309891agm.48.1301477417278; Wed, 30 Mar 2011 02:30:17 -0700 (PDT)
Return-Path:
Received: from smtp51.winthrop.edu (smtp51.winthrop.edu [199.79.254.51]) by mx.google.com with ESMTP id c22si8110161ana.43.2011.03.30.02.30.17; Wed, 30 Mar 2011 02:30:17 -0700 (PDT)
Received-SPF: pass (google.com: domain of Erica.Lake@rfast.com designates 199.79.254.51 as permitted sender) client-ip=199.79.254.51;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of Erica.Lake@rfast.com designates 199.79.254.51 as permitted sender) smtp.mail=Erica.Lake@rfast.com
Received: from berlin.win.winthrop.edu [10.2.0.22] by smtp51.winthrop.edu with ESMTP (SMTPD32-8.15) id A8291F650028; Wed, 30 Mar 2011 05:30:17 -0400
Received: from mail92-va3-R.bigfish.com ([216.32.180.112]) by berlin.win.winthrop.edu with Microsoft SMTPSVC(6.0.3790.4675); Wed, 30 Mar 2011 05:30:16 -0400
Received: from mail92-va3 (localhost.localdomain [127.0.0.1]) by mail92-va3-R.bigfish.com (Postfix) with ESMTP id B5116AF0300 for ; Wed, 30 Mar 2011 09:30:16 +0000 (UTC)
X-BigFish: vp
X-Forefront-Antispam-Report: KIP:(null);UIP:(null);IPVD:NLI;H:psmtp.com;RD:exprod5mx250.postini.com;EFVD:NLI
Received: from mail92-va3 (localhost.localdomain [127.0.0.1]) by mail92-va3 (MessageSwitch) id 1301477415700379_6330; Wed, 30 Mar 2011 09:30:15 +0000 (UTC)
Received: from VA3EHSMHS006.bigfish.com (unknown [10.7.14.245]) by mail92-va3.bigfish.com (Postfix) with ESMTP id 96A99D40054 for ; Wed, 30 Mar 2011 09:30:15 +0000 (UTC)
Received: from psmtp.com (64.18.0.170) by VA3EHSMHS006.bigfish.com (10.7.99.16) with Microsoft SMTP Server id 14.1.225.8; Wed, 30 Mar 2011 09:30:13 +0000
Received: from source ([222.254.230.133]) by exprod5mx250.postini.com ([64.18.4.10]) with SMTP; Wed, 30 Mar 2011 02:30:12 PDT
Received: from apache by rfast.com with local (Exim 4.63) (envelope-from ) id P2D0MS-38J0QL-CL for , , , , , , , , ; Wed, 30 Mar 2011 16:30:09 +0700
To: , , , , , , , ,
Subject: Feine Armbanduhren zu niedrigen Preisen
Date: Wed, 30 Mar 2011 16:30:09 +0700
From: Mabel Hamm
Message-ID: 6AD0A65CD23A564A82FE29627241B9AF@rfast.com
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------07070700202050708030102"
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S: 0.20742/99.25037 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
Return-Path: Erica.Lake@rfast.com
X-OriginalArrivalTime: 30 Mar 2011 09:30:16.0498 (UTC) FILETIME=[142E0120:01CBEEBD]

--------------07070700202050708030102
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="Windows-1252"

Haben Sie Probleme mit der Sichtung dieser E-Mail? Sehen Sie die online-Version durch
Stilvolles aussehen soll nicht viel kosten. Beste Klonen von Chronometern online.
Wenn Sie volle Kopie besorgen, Sie koennen was Sie brauchen kriegen zB stilvolles Aussehen und nicht Haufen Geld dafuer.
Schalten Sie Ihren Verstand an - kaufen Sie hier.
You are receiving this eNewsletter because you signed up for it, either by filling out a form, sending us an email, or subscribing via our website
If you would, however, prefer not to receive these mailings in the future, you can unsubscribe here or update your email preferences.

--------------07070700202050708030102
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="us-ascii"

Haben Sie Probleme mit der Sichtung dieser E-Mail? Sehen Sie die online-Version durch
Stilvolles aussehen soll nicht viel kosten. Beste Klonen von Chronometern online.
Wenn Sie volle Kopie besorgen, Sie koennen was Sie brauchen kriegen zB stilvolles Aussehen und nicht Haufen Geld dafuer.
Schalten Sie Ihren Verstand an - kaufen Sie hier.
You are receiving this eNewsletter because you signed up for it, either by filling out a form, sending us an email, or subscribing via our website
If you would, however, prefer not to receive these mailings in the future, you can unsubscribe here or update your email preferences.

--------------07070700202050708030102--
ANALYSIS
STEP 0: WARNING
Never click on any of the links, and never visit any of the IPs that you find in the spam message, header included.
If you fear that this could happen inadvertently, set your browser to its MAXIMUM security settings.
STEP 1: General Impression
The language is German (the subject “Feine Armbanduhren zu niedrigen Preisen” means “fine wristwatches at low prices”): this alone reveals that this is a spam email, because the recipient is in the UA, does not
speak German and never solicited anything from a German web site.
It is one of the many spam emails that reached the recipient through a mail server of www.winthrop.edu (smtp51.winthrop.edu, 199.79.254.51).
Note that Winthrop is a college, a serious institution that clearly never sends spam emails intentionally.
The return address of the sender is Erica.Lake@rfast.com; the message was handed to Google's mail server by 199.79.254.51.
We ignore Erica.Lake@rfast.com, because any return address can be faked, but the IP address of the
mail server that delivered the message to our own server was recorded by our server and cannot be faked.
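As an added example (not part of the original analysis), the following Python walks the Received headers of the message above in the way STEP 1 reasons: only the hop recorded by our own server (mx.google.com) is trustworthy, every lower hop was written by someone else. The header strings are copied from the message above; the six-hop subset and the function names are this example's own choices.

```python
import ipaddress
import re

# Constructed sample: six of the Received headers of the message analysed
# above, in raw-message order (newest hop, i.e. our own MX, first).
RECEIVED_HEADERS = [
    "from smtp51.winthrop.edu (smtp51.winthrop.edu [199.79.254.51]) by mx.google.com with ESMTP id c22si8110161ana.43.2011.03.30.02.30.17; Wed, 30 Mar 2011 02:30:17 -0700 (PDT)",
    "from berlin.win.winthrop.edu [10.2.0.22] by smtp51.winthrop.edu with ESMTP (SMTPD32-8.15) id A8291F650028; Wed, 30 Mar 2011 05:30:17 -0400",
    "from mail92-va3-R.bigfish.com ([216.32.180.112]) by berlin.win.winthrop.edu with Microsoft SMTPSVC(6.0.3790.4675); Wed, 30 Mar 2011 05:30:16 -0400",
    "from psmtp.com (64.18.0.170) by VA3EHSMHS006.bigfish.com (10.7.99.16) with Microsoft SMTP Server id 14.1.225.8; Wed, 30 Mar 2011 09:30:13 +0000",
    "from source ([222.254.230.133]) by exprod5mx250.postini.com ([64.18.4.10]) with SMTP; Wed, 30 Mar 2011 02:30:12 PDT",
    "from apache by rfast.com with local (Exim 4.63) id P2D0MS-38J0QL-CL; Wed, 30 Mar 2011 16:30:09 +0700",
]

# "from <claimed host> <optional (comment) or [ip]> by <receiving host> ..."
HOP_RE = re.compile(r"^from\s+(?P<frm>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_hop(header):
    """Return (claimed_from, ip_or_None, by) for one Received header, else None."""
    m = HOP_RE.match(header.strip())
    if not m:
        return None
    ips = IP_RE.findall(m.group("rest"))
    return m.group("frm"), (ips[0] if ips else None), m.group("by")

def relay_chain(headers):
    """Hops in transmission order, origin first (each as parse_hop returns it)."""
    return [h for h in (parse_hop(x) for x in reversed(headers)) if h]

def trusted_origin(headers, my_mx):
    """The one IP our own server (my_mx) saw on the wire; the sender cannot forge
    it. Every hop below it was written by another server and may be fake."""
    for frm, ip, by in relay_chain(headers):
        if by == my_mx:
            return ip
    return None

def first_public_origin(headers):
    """Earliest hop with a public 'from' IP: where the message entered the public
    mail system, provided the lower Received lines are genuine."""
    for frm, ip, by in relay_chain(headers):
        if ip and ipaddress.ip_address(ip).is_global:
            return ip
    return None
```

For this message the trusted hop is 199.79.254.51 (Winthrop's relay), while the earliest public hop claimed in the chain is 222.254.230.133, which handed the message to postini.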
The body of the message contains TWO links that go to the same web page: http://www.comizeri.co.tv
Note: .tv is the Internet country code (ccTLD) of Tuvalu.
STEP 2: Research of information related to the sender rfast.com: nslookup of the IP of the domain
Nslookup rfast.com
IP 63.249.19.240
STEP 3: Research of information related to the IP 63.249.19.240
Use IP2C to do the WhoIs (this IP)
http://web.newsguy.com/lmgava/code/Download.php?a=ip2c&f=ip2c_1.0.12.zip
NetRange:       63.249.16.0 - 63.249.23.255
CIDR:           63.249.16.0/21
NetName:        ZIPCON-SBLK9
NetHandle:      NET-63-249-16-0-1
Parent:         NET-63-249-0-0-1
NetType:        Reassigned
RegDate:        2000-08-22
Updated:        2000-10-30
Ref:            http://whois.arin.net/rest/net/NET-63-249-16-0-1
OrgName:        The Zip Connection
OrgId:          THEZIP
Address:        6910 Roosevelt Way NE #122 Seattle WA 98115 US
RegDate:        1999-08-09
Updated:        2009-08-05
Ref:            http://whois.arin.net/rest/org/THEZIP
OrgTechHandle:  DP186-ARIN
OrgTechName:    Pewzner, Dan
OrgTechPhone:   +1-206-524-0612
OrgTechEmail:   zip@zipcon.net
OrgTechRef:     http://whois.arin.net/rest/poc/DP186-ARIN

NetRange:       63.249.0.0 - 63.249.31.255
CIDR:           63.249.0.0/19
NetName:        SEMA-CIDR-2
NetHandle:      NET-63-249-0-0-1
NetType:        Direct Allocation
Comment:        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:        1999-11-18
Updated:        2000-12-15
Ref:            http://whois.arin.net/rest/net/NET-63-249-0-0-1
OrgName:        Semaphore Corporation
OrgId:          SEMA
Address:        2001 6th Avenue, Suite 1700 Seattle WA 98121 US
RegDate:        1994-08-01
Updated:        2007-11-14
OrgTechName:    Brown, Garth S
OrgTechPhone:   +1-206-905-5000
OrgTechEmail:   garthb@semaphore.com
STEP 4: Which company owns this block of addresses?
Since the block is not very big, it is probably not an ISP but a web hosting service.
Let’s Google for the name of the registrant, i.e., the company: “The Zip Connection”
Result: yes, “The Zip Connection” is a web hosting company, and their web site is:
http://www.zipcon.com/
STEP 5: Who has registered the domain name: rfast.com?
Since apparently it is a US business, we can query:
http://whois.domaintools.com/rfast.com
http://www.whois.net/whois/rfast.com
Same result: there is not much known about this domain.
Registrant: Domains by Proxy, Inc.
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: RFAST.COM
Domain servers in listed order: NS1.RFAST.NET, NS2.NWGRILLS.COM, NS2.RFAST.NET
For complete domain details go to: http://who.godaddy.com/whoischeck.aspx?Domain=RFAST.COM
RESULTS at: http://who.godaddy.com/whois.aspx?domain=rfast.com&prog_id=GoDaddy
Registrant: Domains by Proxy, Inc. / DomainsByProxy.com
  15111 N. Hayden Rd., Ste 160, PMB 353 / Scottsdale, Arizona 85260 / United States
Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: RFAST.COM
Created on: 18-Aug-99 / Expires on: 18-Aug-11 / Last Updated on: 01-Mar-11
Administrative Contact: Private, Registration RFAST.COM@domainsbyproxy.com
  Domains by Proxy, Inc. / DomainsByProxy.com
  15111 N. Hayden Rd., Ste 160, PMB 353 / Scottsdale, Arizona 85260 / United States / (480) 624-2599 Fax -- (480) 624-2598
Technical Contact: Private, Registration RFAST.COM@domainsbyproxy.com
  Domains by Proxy, Inc. (DomainsByProxy.com)
  15111 N. Hayden Rd., Ste 160, PMB 353 / Scottsdale, Arizona 85260 / United States / (480) 624-2599 Fax -- (480) 624-2598
Domain servers in listed order: NS1.RFAST.NET, NS2.NWGRILLS.COM, NS2.RFAST.NET
See Underlying Registry Data:
Domain names in the .com and .net domains can now be registered with many different competing registrars.
Go to http://www.internic.net for detailed information.
Domain Name: RFAST.COM
Registrar: GODADDY.COM, INC.
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS1.RFAST.NET
Name Server: NS2.NWGRILLS.COM
Name Server: NS2.RFAST.NET
Updated Date: 01-mar-2011
Creation Date: 19-aug-1999
Expiration Date: 19-aug-2011
>>> Last update of whois database: Thu, 31 Mar 2011 01:56:51 UTC <<<
CONCLUSION:
The answer to the question “Who has registered the domain rfast.com?” is a company named
“domainsbyproxy.com”, a domain privacy service:
Domains by Proxy, Inc. / DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353 / Scottsdale, Arizona 85260 / United States / (480) 624-2599 Fax -- (480) 624-2598
STEP 5: Who is domainsbyproxy?
Google: domainsbyproxy.com
Results:
http://en.wikipedia.org/wiki/Domains_by_Proxy
Domains by Proxy is an Internet company owned by Go Daddy CEO Bob Parsons. It offers domain
privacy services through partner domain registrars such as Go Daddy and Wild West Domains.
http://forum.spamcop.net/forums/index.php?showtopic=8926
A lot of spammers register their DN via domainsbyproxy.com or similar services. If you report spam only,
godaddy.com or whoever the official registrar is gets a mail. It would be nice if domainsbyproxy also got a
mail.
CONCLUSION
We do not know who rfast is; it is hiding behind Domains by Proxy.
STEP 5: Who is rfast.com?
Google: rfast.com
1) There is a website, but it is “under construction”.
2) It looks like we are not the first to want to know more about rfast.com:
there are pages with WHOIS and DNS query results for it.
http://www.robtex.com/dns/rfast.com.html
robtex combines information gathered from several sources: rbls.org (blacklistings and visible DNS information, March 31, 2011 02:43), WOT (reputation, March 31, 2011 02:43), Alexa and Google (description, ranking and other stats, web pages, related domains; March 22, 2011 11:48).
More pages on the Internet describing the domain rfast.com (Google Safe Browsing, Web of Trust, Alexa):
http://rbls.org/
http://dnstree.com/
http://dnstree.com/com/rfast/
ANSWER for rfast.com.
rfast.com.          3600  A    63.249.19.240
rfast.com.          3600  NS   ns1.rfast.net.
rfast.com.          3600  NS   ns2.nwgrills.com.
rfast.com.          3600  NS   ns2.rfast.net.
rfast.com.          3600  SOA  ns1.rfast.net. admin.rfast.com. ( 2011030206 5400 600 1209600 3600 )
rfast.com.          3600  MX   10 mail.rfast.com.
rfast.com.          3600  MX   20 mail2.rfast.com.
rfast.com.          3600  MX   30 mail2.zipcon.net.
rfast.com.          3600  TXT  "v=spf1 a mx ptr mx:mail.rfast.com mx:mail.zipcon.net mx:mail2.rfast.com ip4:63.249.19.240/10 +all"
ADDITIONAL for rfast.com.
ns1.rfast.net.      3600  A    63.225.190.57
ns2.nwgrills.com.   3600  A    64.122.203.134
ns2.rfast.net.      3600  A    63.231.13.235
mail.rfast.com.     3600  A    63.249.19.240
mail2.rfast.com.    3600  A    63.231.13.235
mail2.zipcon.net.  68482  A    209.221.136.9
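The SPF record in the TXT line above ends in "+all", which makes every sender on the Internet pass, and its ip4 term has a /10 mask that admits far more than one host; this is why Google's Received-SPF header says "pass" for Winthrop's relay at 199.79.254.51 although that address appears in none of the listed mechanisms. The following Python is an added example (not part of the original analysis): a minimal offline SPF evaluator fed only the records on this page, so any name not listed (e.g. an MX of mail.rfast.com) is assumed to have no records, and ptr is treated as never matching.

```python
import ipaddress

# Offline DNS stub constructed from the dnstree records above; any name not
# listed here is assumed to have no records (no live lookups are made).
DNS = {
    ("rfast.com", "A"): ["63.249.19.240"],
    ("rfast.com", "MX"): ["mail.rfast.com", "mail2.rfast.com", "mail2.zipcon.net"],
    ("mail.rfast.com", "A"): ["63.249.19.240"],
    ("mail2.rfast.com", "A"): ["63.231.13.235"],
    ("mail2.zipcon.net", "A"): ["209.221.136.9"],
}
# The record published for rfast.com, copied from the TXT line above.
SPF = ("v=spf1 a mx ptr mx:mail.rfast.com mx:mail.zipcon.net mx:mail2.rfast.com "
       "ip4:63.249.19.240/10 +all")

def a_records(name):
    return DNS.get((name, "A"), [])

def mx_ips(name):
    return [ip for mx in DNS.get((name, "MX"), []) for ip in a_records(mx)]

def spf_match(record, domain, client_ip):
    """Walk the SPF terms left to right and return the first matching mechanism
    with its qualifier (e.g. '+a', '+all'), or '-none' if nothing matches.
    Supports a, mx, ip4 and all; ptr never matches here (no PTR data offline)."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:            # skip the 'v=spf1' version tag
        qual = term[0] if term[0] in "+-~?" else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        target = arg or domain                 # a / mx default to the domain
        if mech == "all":
            hit = True
        elif mech == "a":
            hit = client_ip in a_records(target)
        elif mech == "mx":
            hit = client_ip in mx_ips(target)
        elif mech == "ip4":
            # strict=False: the record has host bits set (63.249.19.240/10)
            hit = ip in ipaddress.ip_network(arg, strict=False)
        else:                                  # ptr or anything unsupported
            hit = False
        if hit:
            return qual + mech + (":" + arg if arg else "")
    return "-none"

def addresses_covered(record):
    """How many IPv4 addresses the ip4: terms of the record admit."""
    return sum(ipaddress.ip_network(t.split(":", 1)[1], strict=False).num_addresses
               for t in record.split() if t.lstrip("+-~?").startswith("ip4:"))
```

With this record 199.79.254.51 (and any other address) matches only "+all"; a hardened record for the same hosts would end in "-all", under which Winthrop's relay would fail.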
http://whois.gwebtools.com/rfast.com
rfast.com - Websites running on the same server
Domain                       Creation Date         Expiration Date       Alexa Rank  PR
shopping-noemieemstech.com   2009-11-13 00:00:00   2011-11-13 00:00:00   845742      0
bjj70xawoquhev.cn            0000-00-00 00:00:00   0000-00-00 00:00:00   0           0
4iki.net                     0000-00-00 00:00:00   0000-00-00 00:00:00   0           0
eadq530zacakekez.cn          0000-00-00 00:00:00   0000-00-00 00:00:00   0           0
debtnegotiationguide.org     0000-00-00 00:00:00   0000-00-00 00:00:00   0           0
gxavd03zacakekez.cn          0000-00-00 00:00:00   0000-00-00 00:00:00   0           0
arbur514zojetoliv.cn         0000-00-00 00:00:00   0000-00-00 00:00:00   0           0
jbj072zojetoliv.cn           0000-00-00 00:00:00   0000-00-00 00:00:00   0           0
ji-n-za-i.com                0000-00-00 00:00:00   0000-00-00 00:00:00   0           0
hpqot80xawoquhev.cn          0000-00-00 00:00:00   0000-00-00 00:00:00   0           0

Rfast.com - DNS Records
Type  Name              IP Address      Reverse
NS    ns1.rfast.net     63.225.190.57   mail.tandemelectric.com
NS    ns2.rfast.net     63.231.13.235   63.231.13.235
NS    ns2.nwgrills.com  64.122.203.134  mail2.tandemelectric.com
STEP 6: Research of information related to the target website: http://www.comizeri.co.tv
Nslookup www.comizeri.co.tv
Name: parking.co.tv
IP: 174.129.242.247
Aliases: www.comizeri.co.tv, comizeri.co.tv
STEP 7: Where is 174.129.242.247
NetRange:       174.129.0.0 - 174.129.255.255
CIDR:           174.129.0.0/16
NetName:        AMAZON-EC2-5
NetHandle:      NET-174-129-0-0-1
Parent:         NET-174-0-0-0-0
Comment:        The activity you have detected originates from a dynamic hosting environment.
Comment:        For fastest response, please submit abuse reports at
Comment:        http://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/AWSAbuse
Comment:        For more information regarding EC2 see:
Comment:        http://ec2.amazonaws.com/
RegDate:        2008-08-08
Updated:        2010-05-28
Ref:            http://whois.arin.net/rest/net/NET-174-129-0-0-1
OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Elastic Compute Cloud, EC2
Address:        1200 12th Avenue South, Seattle, WA, 98144, US
RegDate:        2005-09-29
Updated:        2009-06-02
STEP 7: Who are the people behind parking.co.tv?
Google for “parking.co.tv”
Results: several websites have information about blacklisting and trustworthiness:
http://support.clean-mx.de/clean-mx/viruses.php?response=alive
http://support.clean-mx.de/clean-mx/viruses.php
Enter the IP address (it finds nothing if you use the domain name).
The result: this website is infected with malware.
STEP 8: Visit to the websites that track malware websites
Examples: http://www.malwaredomainlist.com/
CONCLUSION
The sender “rfast.com” is a ghost company: it exists on the web, but no real information about it can be
found.
The target website “parking.co.tv” seems to be hosted in the Amazon cloud (EC2), and its home page has
malware embedded in its HTML code.
REMINDER: CAUTION: Never click on the links related to the sender and on the target links.