Blog for hpHosts, and whatever else I feel like writing about ....

Sunday, 27 February 2011

Dear ProBoards Abuse dept - FOCUS ON ABUSE!

I came across something a few minutes ago that absolutely disgusted me. A ProBoards user reported a fraudulent advert, being advertised through the ProBoards service, and instead of saying thank you - ProBoards abuse dept sent a warning to the USER THAT REPORTED IT, due to a simple NONE ABUSIVE message on the top of the users forums;

http://kasha-against-spam.proboards.com/index.cgi?board=kasscams&action=display&thread=82

Little screenshot incase ProBoards takes it down;



I personally, find this absolutely abhorant. ProBoards abuse - your users can place any *warning* they wish to, as far as adverts on their forums, or anywhere else, if they feel the adverts could be malicious (and note, she never said NOT to click the adverts), especially if YOU are not going to stop the adverts being shown in the first place.

Kas: If you would like to move your forum elsewhere, drop me an e-mail.

Thursday, 24 February 2011

Money mules, downloads and Portlane

As if money mules didn't have enough to worry about, what with the risk of not only upsetting those "using" them, but their getting prosecuted for fraud - they've now got to risk not answering a questionnaire correctly and being rejected (the thought of being rejected as a money mule, due to not answering correctly, is simply, hilarious).

An MDL user pointed me to a few sites running the ever so popular money mule scams. These sites are used purely to recruit the mules, and to manage them (there's a members area once accepted, where the mule is permitted to upload files such as ID scans and whatnot).



There is however, a little difference - the presence of a download;

Below is a test prepared by professional psychologists and is required in order to be considered a competent candidate for the offered position.

After successful completion of your test, you will be asked to register on our web site. If you are not ready to register right away, please wait to take the test at a later time.

To REGISTER, simply run the test and you will be prompted to click on the "Register Now" button at any time and be redirected to the login page, without having to take the test again.

*This test is under development and we are grateful for all comments and suggestions.

Download test

*If you are having trouble running the test and your computer is requesting administrative rights, download the test and simply right-click on the Test icon and select "Run As Administrator" from the menu.


The "download" runs the potential mule through a set of questions, to which they must provide the "correct" questions to be accepted. Once accepted, they're then sent to an acceptance page on the scammers website.



You're also sent an e-mail telling you your registration request has been received;

Dear Jack Anory,
We have accepted your application for PAYMENT PROCESSING AGENT position.
To complete the registration procedure please execute two remaining steps:
• Download the contract: http://fourthgroup-ltd.cc/agreement.pdf
Familiarize yourself with all points of agreement. Pay much attention to the following clauses:, Termination of the Agreement (11), EXHIBIT A. Fill all of the required information in the contract in the highlighted areas (your name must be filled in on the first page, Part 20 must be filled out and you must sign the agreement) and upload a scanned copy of it into your Task Manager account (use your login and password). Should any problems arise please contact our Job Department at job@fourthgroup-ltd.cc. Agreement becomes valid since the moment of your Task Manager account activation. You should be familiar with that the validity of the contract in the electronic form is completely identical to the contract signed at personal presence of both parties.
• To pass the procedure of identity verification in order to prevent fraudulent registrations, you are required to upload a scanned copy of your ID or utility bill into your Task Manager account (use your login and password). In case of any problems please contact our Job Department at job@fourthgroup-ltd.cc.
*We guarantee full confidentiality of your personal information, more details on this matter are available in our Privacy Policy
NOTE: If you're unable to scan the documents please use fax. Here is our number: +44 0208 099 7381
Your TM account will be activated in 2-48 hours after the receipt of necessary information.
Sincerely,

Support Team
Fourth Group Ltd
support@fourthgroup-ltd.cc


This particular e-mail had the following headers;

Return-Path: <scissors@jalpa.websitewelcome.com>
Delivered-To: [REMOVED]
X-Quarantine-ID: <JgUv8YSIJW4B>
X-Amavis-Alert: BAD HEADER SECTION, Duplicate header field: "To"
X-Spam-Flag: NO
X-Spam-Score: -0.81
X-Spam-Level:
X-Spam-Status: No, score=-0.81 tagged_above=-9999 required=1.3
tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377,
MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001,
T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from gateway08.websitewelcome.com (gateway08.websitewelcome.com [69.93.106.23])
by mail4.emailconfig.com (Postfix) with SMTP id B65F6398110
for <[REMOVED]>; Fri, 25 Feb 2011 03:20:20 +0000 (GMT)
Received: (qmail 20212 invoked from network); 25 Feb 2011 03:19:32 -0000
Received: from jalpa.websitewelcome.com (174.132.147.98)
by gateway08.websitewelcome.com with SMTP; 25 Feb 2011 03:19:32 -0000
Received: from scissors by jalpa.websitewelcome.com with local (Exim 4.69)
(envelope-from <scissors@jalpa.websitewelcome.com>)
id 1PsoE7-0000Jl-6M; Thu, 24 Feb 2011 21:20:19 -0600
To: [REMOVED]
Subject: Fourth Group Ltd: Your registration request received
X-PHP-Script: 174.132.147.125/~scissors/images.php for 174.132.147.125
Received: from [193.105.134.230] (helo=localhost) by s62 with esmtpa (Exim
4.73) (envelope-from <WUMG_QUEUE@s62>) id 1PsoCd-0007HD-SK for
[REMOVED]; Thu, 24 Feb 2011 22:18:47 -0500
To: [REMOVED]
From: noreply@fourthgroup-ltd.cc
Subject: Fourth Group Ltd: Your registration request received
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 24 Feb 2011 22:20:17 -0500
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Message-ID: <945151.20110224221848@fourthgroup-ltd.cc>
Message-ID: <945151.20110224221848@fourthgroup-ltd.cc>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - jalpa.websitewelcome.com
X-AntiAbuse: Original Domain - it-mate.co.uk
X-AntiAbuse: Originator/Caller UID/GID - [1825 32003] / [47 12]
X-AntiAbuse: Sender Address Domain - jalpa.websitewelcome.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/scissors/public_html/images.php
X-Source-Dir: sherunswithscissors.com:/public_html


However, this download also has a little sting in it's tail - it modifies the mules HOSTS file to include;

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

127.0.0.1 www.complaintsboard.com
127.0.0.1 complaintsboard.com
127.0.0.1 www.bobbear.co.uk
127.0.0.1 bobbear.co.uk
127.0.0.1 www.bobbear.com
127.0.0.1 bobbear.com
127.0.0.1 www.419legal.org
127.0.0.1 419legal.org
127.0.0.1 www.scam.com
127.0.0.1 scam.com
127.0.0.1 www.anti-scam.org
127.0.0.1 anti-scam.org
127.0.0.1 www.consumerfraudreporting.org
127.0.0.1 consumerfraudreporting.org
127.0.0.1 www.ripoffreport.com
127.0.0.1 ripoffreport.com
127.0.0.1 www.tjshome.com
127.0.0.1 tjshome.com
127.0.0.1 www.scamfraudalert.wordpress.com
127.0.0.1 scamfraudalert.wordpress.com
127.0.0.1 www.fraudwatchers.org
127.0.0.1 fraudwatchers.org
127.0.0.1 www.scamfraudalert.com
127.0.0.1 scamfraudalert.com
127.0.0.1 www.emailscammers.com
127.0.0.1 emailscammers.com
127.0.0.1 www.phishbucket.org
127.0.0.1 phishbucket.org
127.0.0.1 www.delphifaq.com
127.0.0.1 delphifaq.com
127.0.0.1 www.flakelist.org
127.0.0.1 flakelist.org
127.0.0.1 www.scamwarners.com
127.0.0.1 scamwarners.com
127.0.0.1 www.harvardbenefits.biz
127.0.0.1 harvardbenefits.biz
127.0.0.1 www.joewein.net
127.0.0.1 joewein.net
127.0.0.1 www.workathometruth.com
127.0.0.1 workathometruth.com
127.0.0.1 www.brainhandles.com
127.0.0.1 www.siteadvisor.com
127.0.0.1 www.fbi.gov
127.0.0.1 fbi.gov
127.0.0.1 forums.careerbuilder.com
127.0.0.1 krebsonsecurity.com
127.0.0.1 whois.domaintools.com
127.0.0.1 domaintools.com
127.0.0.1 www.domaintools.com
127.0.0.1 db.aa419.org
127.0.0.1 www.cybercrimeops.com
127.0.0.1 cybercrimeops.com
127.0.0.1 www.fraud-news.com
127.0.0.1 fraud-news.com
127.0.0.1 forums.moneysavingexpert.com


The sites they've chosen to block, isn't particularly surprising (sorry Brian, they really don't like you), with a few exceptions - why for example, block DomainTools, when there's a plethora of alternatives? Why block delphifaq.com? Why block SiteAdvisor when there's alternatives such as Web of Trust, and alternatives from security vendors such as Norton? Indeed, why aren't they blocking any security vendors? (that in itself is surprising).

Some of the sites identified thus far include;

fourth-ukltd.net/registration/need_quiz/?reg
fourthgroup-ltd.cc/registration/need_quiz/?reg
squitgroup-llc.net/registration/need_quiz/?reg
westview-art.net/registration/need_quiz/?reg
west-view-art.cc/registration/need_quiz/?reg
qead-groupllc.net/registration/need_quiz/?reg
artmarket-llc.net/registration/need_quiz/?reg
art-marketllc.cc/registration/need_quiz/?reg
helby-groupltd.biz/registration/need_quiz/?reg
qead-groupllc.net/registration/need_quiz/?reg
qead-llc.biz/registration/need_quiz/?reg
generationgroup-ltd.net/registration/need_quiz/?reg


And the malicious files housed there;

fourth-ukltd.net/files/fourthukltd.exe
fourthgroup-ltd.cc/files/fourthukltd.exe
squitgroup-llc.net/files/squitgroupllc.exe
westview-art.net/files/westviewart.exe
west-view-art.cc/files/westviewart.exe
qead-groupllc.net/files/qeadgroupllc.exe
artmarket-llc.net/files/artmarketllc.exe
art-marketllc.cc/files/artmarketllc.exe
generationgroup-ltd.net/files/qeadgroupllc.exe
helby-groupltd.biz/files/qeadgroupllc.exe
qead-groupllc.net/files/qeadgroupllc.exe
qead-llc.biz/files/qeadgroupllc.exe


The IP ranges they're hosted at seem to be focused on two particularly well known players in the criminal world;

193.105.134.0/24 (Sweden)
AS42708 193.105.134.0/24 PORTLANE Portlane Network

93.114.40.0/24 (Romania)
AS39743 93.114.40.0/21 VOXILITY-AS Voxility SRL

Quite why Portlane still haven't been shut down is beyond me, especially given there isn't a single legit website housed over there, and to my knowledge, there never has been. Needless to say, Portlane are also heavily involved in the fake AV arena, having housed malicious goodness on virtually every single IP on the aforementioned /24, so feel free to blackhole their entire AS.

As for those of you considering a new job as a mule - is it really worth the risk of your being imprisoned away from your family, for money laundering etc?.

/edit 07:40

Few more for you ;o)

acoon-groupllc.cc/files/acoongroupllc.exe
aimic-groupllc.asia/files/aimicgroupllc.exe
aimic-groupllc.at/files/aimicgroupllc.exe
aimic-groupllc.cc/files/aimicgroupllc.exe
aimicgroup-main.asia/files/aimicgroupllc.exe
aramategroup-first.cc/files/aramategroupfirst.exe
artsolveltd.cc/files/artsolveltd.exe
artsolveltdco.at/files/artsolveltd.exe
astech-groupde.cc/files/astechdeltd.exe
atlant-groupinc.cc/files/atlantgroupmain.exe
atlant-usainc.net/files/atlantgroupmain.exe
bredgarcorp-ant.be/files/bredgargroupllc.exe
bredgar-groupllc.cc/files/bredgargroupllc.exe
creatence-groupllc.asia/files/createncegroupllc.exe
creatence-groupllc.at/files/createncegroupllc.exe
creatence-groupllc.cc/files/createncegroupllc.exe
devasteam-ant.ws/files/devasllc.exe
dogo-group.cc/files/dogogroup.exe
dogo-group.net/files/dogogroup.exe
drysdale-antcorp.at/files/drysdalegroupinc.exe
drysdale-group-inc.cc/files/drysdalegroupinc.exe
duncroft-group-inc.cc/files/duncroftgroupinc.exe
fintec-ltd.cc/files/fintecltd.exe
fintec-ukltd.ws/files/fintecltd.exe
gogo-group-inc.cc/files/gogogroupinc.exe
gogo-teamant.com/files/gogogroupinc.exe
lilac-groupllc.cc/files/lilacantique.exe
millennial-artco.biz/files/millennialartco.exe
millennial-maingrop.net/files/millennialartco.exe
mimosa-groupus.cc/files/mimosagroupus.exe
nimrodltd-uk.net/files/nimrodinc.exe
online-solutionsllc.cc/files/onlinesolutionsllc.exe
paultonsgroup-ltd.info/files/paultonsgroupltd.exe
renaissancellc.be/files/renaissancellc.exe
renaissance-llc.cc/files/renaissancellc.exe
royalthelmas-group-llc.cc/files/royalthelmasgroupllc.exe
royalthelmas-teamant.asia/files/royalthelmasgroupllc.exe
stile-groupllc.net/files/stilegroupllc.exe
stilegroup-llc.ws/files/stilegroupllc.exe
techadv-inc.cc/files/techsoftadvinc.exe
techouse-group.cc/files/ukhousegroupnet.exe
throne-groupllc.cc/files/thronegroupllc.exe
throne-uk.at/files/thronegroupllc.exe
tinassanserviceant-antteam.net/files/tinassanservicegroupllc.exe
tinassanservice-groupllc.cc/files/tinassanservicegroupllc.exe
vintage-groupco.biz/files/vintagegroupinc.exe
vintagegroup-inc.com/files/vintagegroupinc.exe
worldofart-ltd.info/files/worldofartltd.exe

acoon-groupllc.cc/registration/need_quiz/?reg
aimic-groupllc.asia/registration/need_quiz/?reg
aimic-groupllc.at/registration/need_quiz/?reg
aimic-groupllc.cc/registration/need_quiz/?reg
aimicgroup-main.asia/registration/need_quiz/?reg
aramategroup-first.cc/registration/need_quiz/?reg
artsolve-ltd.at/registration/need_quiz/?reg
artsolveltd.cc/registration/need_quiz/?reg
artsolveltdco.at/registration/need_quiz/?reg
astech-groupde.cc/registration/need_quiz/?reg
atlant-groupinc.cc/registration/need_quiz/?reg
atlant-usainc.net/registration/need_quiz/?reg
bredgarcorp-ant.be/registration/need_quiz/?reg
bredgar-groupllc.cc/registration/need_quiz/?reg
creatence-groupllc.asia/registration/need_quiz/?reg
creatence-groupllc.at/registration/need_quiz/?reg
creatence-groupllc.cc/registration/need_quiz/?reg
devasteam-ant.ws/registration/need_quiz/?reg
dogo-group.cc/registration/need_quiz/?reg
dogo-group.net/registration/need_quiz/?reg
drysdale-antcorp.at/registration/need_quiz/?reg
drysdale-antcorp.biz/registration/need_quiz/?reg
drysdale-group-inc.cc/registration/need_quiz/?reg
duncroft-group-inc.cc/registration/need_quiz/?reg
fintec-ltd.cc/registration/need_quiz/?reg
fintec-ukltd.ws/registration/need_quiz/?reg
gogo-group-inc.cc/registration/need_quiz/?reg
gogo-teamant.com/registration/need_quiz/?reg
lilac-groupllc.cc/registration/need_quiz/?reg
millennial-artco.biz/registration/need_quiz/?reg
millennial-maingrop.net/registration/need_quiz/?reg
mimosa-groupus.cc/registration/need_quiz/?reg
nimrodltd-uk.net/registration/need_quiz/?reg
oliver-sonsinc.cc/registration/need_quiz/?reg
online-solutionsllc.cc/registration/need_quiz/?reg
paultonsgroup-ltd.info/registration/need_quiz/?reg
pegasltdunion.cc/registration/need_quiz/?reg
renaissancellc.be/registration/need_quiz/?reg
renaissance-llc.cc/registration/need_quiz/?reg
royalthelmas-group-llc.cc/registration/need_quiz/?reg
royalthelmas-teamant.asia/registration/need_quiz/?reg
stile-groupllc.net/registration/need_quiz/?reg
stilegroup-llc.ws/registration/need_quiz/?reg
techadvinc.cc/registration/need_quiz/?reg
techadv-inc.cc/registration/need_quiz/?reg
techouse-group.cc/registration/need_quiz/?reg
throne-groupllc.cc/registration/need_quiz/?reg
throne-uk.at/registration/need_quiz/?reg
tinassanserviceant-antteam.net/registration/need_quiz/?reg
tinassanservice-groupllc.cc/registration/need_quiz/?reg
us-acoongroup.net/registration/need_quiz/?reg
vintage-groupco.biz/registration/need_quiz/?reg
vintagegroup-inc.com/registration/need_quiz/?reg
worldofart-ltd.info/registration/need_quiz/?reg


/edit 26-02-2011 19:44

The servers are extremely slow at present, so struggling to grab samples, but I've been advised of 3 more of these. The URLs are in the same format as previously;

schwartz-brothers-llc.net/registration/need_quiz/?reg
schwartz-brothers-llc.net/files/schwartzbrothersllc.exe

generalabbrialgroup-ltd.net/registration/need_quiz/?reg
generalabbrialgroup-ltd.net/files/generalabbrialgroupltd.exe

generalabbrial-group-ltd.cc/registration/need_quiz/?reg
generalabbrial-group-ltd.cc/files/generalabbrialgroupltd.exe

Tuesday, 22 February 2011

Spambot Search Tool: v0.52

Release: v0.52
Date: 22-02-2011

* Fixed bug in functions.php
* Modified IsValidEmail() function
* Changed strpos() calls to substr_count()
* Fixed bug in check_spammers_plain.php that resulted in invalid e-mails being allowed
+ Added code to check for Bad Result error when querying blacklists
* Contains modifications (e.g. re-written isURLOnline() and getURL() functions) and bug fixes with thanks to Dan McCormick.

http://www.cedit.biz/joomla-extensions/18-registration-validator/22-block-disposable-email-addresses

IMPORTANT: This update also includes modifications to the config.php file, which means you will also need to;

1. Backup your existing config.php file
2. Create a new config.php by copying and renaming config.sample.php
3. Enter your config/settings in the new config.php file


Download:
http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

Live example:
http://temerc.com/Check_Spammers/

Saturday, 12 February 2011

Spambot Search Tool

Finally had time for a bit of work on this.

Version: 0.51

* Fixed bug in check_spammers_plain.php
* Misc other fixes
+ Added drone.abuse.ch
+ Added zeustracker.abuse.ch
+ Added spam.abuse.ch
+ Added httpbl.abuse.ch

http://support.it-mate.co.uk/?mode=Products&p=spambotsearchtool

Tuesday, 8 February 2011

hpHOSTS - UPDATED February, 2011

hpHOSTS - UPDATED February, 2011

The hpHOSTS Hosts file has been updated. There is now a total of 122,245 listed hostsnames.

If you are NOT using the installer, please read the included Readme.txt file for installation instructions. Enjoy! :)
  1. Latest Updated: 08/02/2011 21:00
  2. Last Verified: 08/02/2011 12:00
Download hpHosts now!
http://hosts-file.net/?s=Download

Wednesday, 2 February 2011

Soviet Union, fakes, phishing and spam

If x = b, what do we need numbers for?

Last time I checked, the Soviet Union didn't exist anymore, yet as we all know, the .su TLDs live on.

Random musings are great aren't they? Well not in this case. I've yet to see a .su domain that's actually legit, and this one is no different. The domain in this case, is officialversion.su (also known as officialversion.ru), a domain we're all familiar with.

This particular one, was arrived at courtesy of an e-mail a friend received and forwarded to me. You'll like this, but not be surprised. The e-mail contained;

From: reply@inbox-mediaone.com
To: [REMOVED]
Subject: Avast, AVG and Avira Users - Your Alternative is Here
Date: Wed, 2 Feb 2011 03:00:00 -0500


The New AVG 2011 AntiVirus Alternative <http://list.traclickmedia.com/t/115971/2214149/756/0/>
Complete Antivirus Protection Solution<http://i27.tinypic.com/2928g37.jpg> Complete Antivirus Protection Solution
Dear valued customers,

We are pleased to announce the newest version of Antivirus 2011 for Windows which will provide you with total security against the latest spyware, malware, viruses, trojans and any other online threats.

Simply visit the link below and enter your Antivirus code:

Antivirus Code: 5014
Scan Your Computer Now! <http://list.traclickmedia.com/t/115971/2214149/755/0/>

See why more & more businesses and families trust their security to AV AntiVirus.

Thank you for choosing us, the worldwide leader Antivirus solutions.

Mike Robertson
Internet Security Specialist


Latest Threat Level Warning
Latest Threat Levels<http://i32.tinypic.com/34s2bl0.jpg>
Signs Your PC is Infected
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Opening files takes forever
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Pop-ups while browsing
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Frequent System Warnings
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Constant Program errors
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Computer is running slow
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Browser freezes Online
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Right click menu is slow
Signs your PC is Infected<http://i30.tinypic.com/bg21zo.jpg> Changed homepage Online

Awarded the Best Antivirus<http://i27.tinypic.com/2hegjdd.jpg>

<http://list.traclickmedia.com/db/115971/2214149/1.gif>
You are enrolled to dailynews_mar09 as tictestbox@hotmail.com
Safely take me off <http://list.traclickmedia.com/u?id=2214149.7e18cbbc99c77d1101b922bc434401cd&n=T&l=dailynews_mar09&o=115971> from dailynews_mar09 at any time.

MEGUIDE LTD, No. 14 Robinson Road, #13-00, Far East Finance Building, Singapore 048545


Headers:

X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9Ng==
X-Message-Status: n
X-SID-PRA: dailynews_mar09@m0.bm02.net
X-SID-Result: Pass
X-AUTH-Result: PASS
X-Message-Info: 3c21WZ1hAltI9DuizMAEE0xwpqlHpZwfVbqMPT3BfX6RZ3W8ifONCn+eEK3mNQiHfRMXG+0h5ILm2+lZ0q/H7BUjNRw9chHPe5XUkZgAKAA=
Received: from m0.bm02.net ([209.123.39.23]) by bay0-mc1-f47.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 2 Feb 2011 01:23:49 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; q=dns/txt; l=9156;
d=m0.bm02.net;s=2010;
h=from;
bh=HeXqN8zEUr9+/9Ny9x4Hrxf1DPuA1M2Ey1ouZmRrR7A=;
b=nobK4cMg+6LsDosZC3cf/42+ogXEtmGu0Bz2UwEyAru+OExkjFNcPMv9+bOWz4MPfqMPcLsNvNtRogFzjuifSYs92xG1I6HVsrG/pOXI/FqoGOxXscD2XOjNBFU/wq1ISSfnS9wmRQw3DGgVmogLVO5fw/zO9JBepDFjpr/WMxc=;
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=2010; d=m0.bm02.net;
h=sender;
b=RLEQSfBQ/GoXrTXT+j6k79stZSyVCctOhkXupTAHU9w+r60pfF5qMTj95cQi0EfQ3wITsPkKAWLh4tQ9fZF44xHLOcVk3SsHQ4KA62WoR/28gnMLISeYeBcpm1hyPaPMD/g87dZQQHBb3EY7UVrzBxPk97XS25gDzM519tPUJ4w=
Sender: dailynews_mar09@m0.bm02.net
From: Antivirus for Windows <reply@inbox-mediaone.com>
To: [REMOVED]
Subject: Avast, AVG and Avira Users - Your Alternative is Here
Date: Wed, 02 Feb 2011 03:00:00 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="MIMEBoundarya987aea7ba47630da82c5ba8fd5d8a31"
List-Unsubscribe: <mailto:leave-115971-2214149.7e18cbbc99c77d1101b922bc434401cd@m0.bm02.net>
Reply-To: reply@inbox-mediaone.com
Message-ID: <LYRIS-2214149-115971-2011.02.02-03.00.08--[REMOVED]@m0.bm02.net>
X-time: 2214149
X-member: [REMOVED]
X-unsub: leave-115971-2214149.7e18cbbc99c77d1101b922bc434401cd@m0.bm02.net
Return-Path: bounce-115971-2214149@m0.bm02.net
X-OriginalArrivalTime: 02 Feb 2011 09:23:49.0627 (UTC)
FILETIME=[E6742CB0:01CBC2BA]


Both traclickmedia.com and secure-signupway.com are registered through GoDaddy and should be down shortly. They're housed at;

Current IP: 209.123.39.20
IP PTR: m0.bm02.net
ASN: 8001 209.123.0.0/16 NET-ACCESS-CORP - Net Access Corporation

Current IP: 216.18.20.224
IP PTR: kenya.lexiearzabalanix.net
ASN: 6539 216.18.0.0/19 GT-BELL - Bell Canada

And officialversion.su;

Current IP: 66.197.222.182
IP PTR: reverse.sysnoc.com
ASN: 21788 66.197.128.0/17 NOC - Network Operations Center Inc.

With the exception of officialversion.su, the domains are hidden behind a privacy service. The WhoIs for officialversion.su doesn't show much either;

domain: OFFICIALVERSION.SU
nserver: ns10.dnsmadeeasy.com
nserver: ns11.dnsmadeeasy.com
nserver: ns12.dnsmadeeasy.com
nserver: ns13.dnsmadeeasy.com
nserver: ns14.dnsmadeeasy.com
nserver: ns15.dnsmadeeasy.com
state: REGISTERED, DELEGATED
phone: +1 242 502 8715
e-mail: markpetersemail@gmail.com
org: Media I Consultants
registrar: RUCENTER-REG-FID
created: 2009.08.16
paid-till: 2011.08.16
source: RU-CENTER


Surprised there's no details? Nope, me neither.

Needless to say, ANYTHING you receive via e-mail that wants to sell you something, or has arrived without you asking for it, should be consigned straight to the junk. That also goes for anything arriving via e-mail offering so-called security software or such (legit vendors do not spam).