Friday, 29 October 2010

"Polden Financial" / poldenfs.co.uk spam

The following spam was sent to a completely invalid email address, most likely harvested from the web. Although I suspect that the sender probably acquired the email address in good faith, it shows a complete lack of due diligence by the sender to spam random addresses like this. Given that the spammer claims to be a financial adviser, you should draw your own conclusions about their reliability.

From: What to expect <contact@fundamentalmediasolutions.co.uk>
Reply-To: poldenfinance@gmail.com

When did you last review your pension plans?


Do you know what to expect from your pensions 

when you retire?

Was your pension set-up during a previous employment or with a financial adviser you no longer have contact with? 

Your pension may not have been reviewed for a number of years or it may NEVER have been reviewed.

Could it be worth reviewing your pensions, possibly bringing them all under "one roof"? and...

Have a better understanding of your current position as far as your retirement planning is concerned.

Receive professional advice on the levels of funding into your pension plans.

Potentially reduce the charges on your pension plans, which could help you increase your income in retirement.

Would you like a clear investment strategy that matches your own attitude towards investment risk in an economic climate, which is un-clear?

Regular reviews to keep your pension on track and access to new opportunities that might help you derive a greater income in retirement.

For simple explanations to help you understand your pension planning and how it will benefit you.

  
Telephone  01278 445968  or email  adviser@poldenfs.co.uk  today 

and we can discuss our review process in full.


PO Box 359, Bridgwater, Somerset TA6 9AS

Polden Financial   is a trading style of Rosemount Financial Solutions Ltd who are an appointed Representative of Intrinsic Financial Planning Ltd, Registered in England 5372217, Wakefield House, Aspect Park, Pipers Way, Swindon, SN3 1SA. Intrinsic Financial Services is a holding Company, subsidiaries of which are authorised and regulated by the Financial Services Authority. The information contained in this message is confidential and may be legally priviledged. If you are not the intended recipient, please do not read, copy or otherwise use it and do not disclose it to anyone else.  Please notify ! the sender of the delivery error and then delete the message from your system.  Any views or opinions expressed in this e-mail are those of the author only.  Email communications are not secure. For this reason Rosemount Financial Solutions cannot guarantee the security of the email or its contents or that it remains virus free once sent.
I always love those self-important disclaimers at the end, especially when it comes to spam.. as I will publish details of spam as I f--king well see fit.

The spam originates from 78.109.170.7 (identifying itself as belonging to emarketingdesigndelivery.co.uk in Somerset), and unusually for a spam it doesn't link to a website and solicits replies to adviser@poldenfs.co.uk or 01278 445968 instead. The domain poldenfs.co.uk is also registered to an individual in Somerset, so the originating IP address seems to be a close match to the business.

The WHOIS entry for the domain poldenfs.co.uk (and poldenfs.com) lists their web host as the contact, not the spammer themselves. The number 01278 445968 does match a record at the FSA for Polden Financial Solutions LLC but marks them as no longer being "authorised". Companies House lists that company as being at:

POLDEN FINANCIAL SOLUTIONS LLP
40 WOODBOROUGH ROAD
WINSCOMBE
SOMERSET
BS25 1AG
Company No. OC313363


Records indicate that this business is operated by a John McBurnie who is listed as a representative of Rosemount Financial Solutions Ltd., and the email does say that Polden is a trading style of Rosemount FS, which is correct.

In fact, everything about this firm seems to check out OK apart from the fact that they send unsolicited commercial email to invalid addresses. But in my view, that's enough to avoid doing business with them.

As an aside, you might want to amuse yourself with this Google search about poldenfs.co.uk.

Rev2Share.com spam

Following on a day from this almost identical MySuperShares.com spam, this email also appears to be trying to game a "get rich quick" MLM scheme with fake signups.

From: Rev2Share.com <admin@rev2share.com>
Reply-To: admin@rev2share.com
Date: 29 October 2010 05:24
Subject: Welcome to Rev2Share.com!
   
Dear member,

Welcome to Rev2Share.com!
We are pleased that you have decided to join our fast growing community.

You can now login to your account at:
http://www.rev2share.com/login.php
Your Username: 0000_000
Your Password: 0000000

We hope you have a great time at Rev2Share.com.

Administrator
Rev2Share.com

It's not a Joe Job as such, the email originates from 174.122.225.73 which is the same server that Rev2Share.com is hosted on along with a bunch of shabby MLM sites. The domain was registered just days ago, the WHOIS details seem to be accurate:

Domain name: rev2share.com

Registrant Contact:
  
   Dustin Langley ()
  
   Fax:
   105 southpark circle
   gallatin, TN 37066
   US

Administrative Contact:
  
   Dustin Langley (dustin.langley@gmail.com)
   +1.615347925
   Fax:
   105 southpark circle
   gallatin, TN 37066
   US

Technical Contact:
  
   Dustin Langley (dustin.langley@gmail.com)
   +1.615347925
   Fax:
   105 southpark circle
   gallatin, TN 37066
   US

Status: Locked

Name Servers:
   ns1.hostingmmt.com
   ns2.hostingmmt.com
  
Creation date: 25 Oct 2010 16:18:00
Expiration date: 25 Oct 2011 11:18:00



The physical address checks out, it would be highly unusual for a deliberate scammer to post their real address (even if most MLMs do turn out to be scams in the end). So it does appear that a third party is involved, using Rev2Share.com's own systems to generate fake signups, either to shut the site down or to game the system for personal profit.



It is probably no coincidence that both Rev2Share.com (hosted on 174.122.225.73) and MySuperShares.com (174.122.14.227) have an almost identical business model that claims to be selling advertising (only on their own sites) but in fact concentrates on getting signups to generate a download instead. When you see a very thin product offering like this with an emphasis on recruiting other people, then that is usually a bad sign.. best to avoid it altogether in my opinion.

Thursday, 28 October 2010

MySuperShares.com spam

In my view, all MLM schemes are almost always scams.. and MySuperShares.com seems to be just another MLM scheme, this time selling "ads" that only seem to display on the MySuperShares.com site. But the real carrot is the promise of downlines if you sign someone else up.. in other words, a thin product offering with a concentration on signing up other members rather than selling a real product.

The scheme itself is based in Australia, and I am no expert in Australian law. So, let's assume that this type of MLM scheme is legal in Australia for now.

Still, this particular email seemed unusually brazen..

From: MySuperShares.com <webmaster@mysupershares.com>
Reply-To: webmaster@mysupershares.com
Date: 28 October 2010 13:30
Subject: MySuperShares.com Confirmation Email
   
Dear 4612_210 4080_759,

Thank you for creating your account with MySuperShares.com.

To activate your account, please click the link below:

http://www.mysupershares.com/confirm.php?username=0000_000&id=00000

Once you have completed this step, you will be able to
login to your account.

Kind regards

Eva Browne-Paterson & Jullieanne Matheson
MySuperShares.com


The originating IP is 174.122.14.226, MySuperShares.com is hosted on 174.122.14.227 (i.e. the next IP address), so it indicates that the mail is genuinely from MySuperShares.com. Let's look at the WHOIS details for that domain:


Registrant:
   EvieB.com
   1 Keswick Island Drive
   Keswick Island, Queensland 4740
   Australia

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: MYSUPERSHARES.COM
      Created on: 13-Oct-10
      Expires on: 13-Oct-11
      Last Updated on: 13-Oct-10

   Administrative Contact:
      Browne-Paterson, Eva  evieb@evieb.com
      EvieB.com
      1 Keswick Island Drive
      Keswick Island, Queensland 4740
      Australia
      411569782      Fax -- 749658019

   Technical Contact:
      Browne-Paterson, Eva  evieb@evieb.com
      EvieB.com
      1 Keswick Island Drive
      Keswick Island, Queensland 4740
      Australia
      411569782      Fax -- 749658019

   Domain servers in listed order:
      NS1.MYFREESAFELIST.COM
      NS2.MYFREESAFELIST.COM


It's unusual for fraudsters to include their real contact details in the WHOIS, in fact everything checks out as being legitimate, if you check out the MLM business model.

There are a few possibilities:
  1. The people running the site are really stupid and think that this is a good way to get signups (rather than getting your site nuked)
  2. Someone is using MySuperShares.com's own system to perform a Joe Job with deliberately false signups.
  3. Someone thinks that they can make money by gaming MySuperShares.com's system with fake signups.
My best bet is that it is the #2 or #3 option, because I really don't think that the site operators are so stupid as to try spamming like this. Does that mean that it is a legitimate programme? Well, put it this way.. do you really think that it is feasible to make money by selling nothing of value?


Update: it does appear that someone is targeting these MLM "get rich quick" sites as another site called Rev2Share.com has also been hit.
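The header check behind that conclusion, and behind the same-server observation in the Rev2Share.com post, as an added Python example that is not part of the original post: it takes the first address recorded by the recipient's own relay and compares it with the site's hosting IP. The Received lines, hostnames and the 192.0.2.0/24 relay network are constructed, and the /24 threshold is an assumption; only the 174.122.x.x addresses come from the posts.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers modelled on the MySuperShares.com message.
# Hostnames, IDs and the 192.0.2.x relay are invented for illustration;
# 174.122.14.226 is the originating IP quoted in the post.
SAMPLE_HEADERS = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mailstore.recipient.example with ESMTP id CONSTRUCTED1;
\tThu, 28 Oct 2010 13:30:12 +0100
Received: from server.sender.example (unknown [174.122.14.226])
\tby mx.recipient.example with ESMTP id CONSTRUCTED2;
\tThu, 28 Oct 2010 13:30:10 +0100
Received: from localhost (localhost [127.0.0.1])
\tby server.sender.example with SMTP id CONSTRUCTED3;
\tThu, 28 Oct 2010 07:30:09 -0500
From: MySuperShares.com <webmaster@mysupershares.com>
Subject: MySuperShares.com Confirmation Email

body
"""

# Assumption: the recipient's own mail servers live in this network.
TRUSTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw_message, trusted=TRUSTED_RELAYS):
    """Return the address that handed the message to our first relay.

    Received headers are read newest first. Only the headers written by our
    own relays can be believed; everything below the hand-off was supplied
    by the sender and is ignored.
    """
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        match = BRACKETED_IP.search(header)
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # bracketed text that is not a valid IPv4 address
        if ip.is_loopback or ip.is_private or any(ip in net for net in trusted):
            continue  # internal hop between our own servers
        return ip
    return None


def shared_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses have in common (0 to 32)."""
    a, b = ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)
    return 32 - (int(a) ^ int(b)).bit_length()


def classify(origin, hosting_ip, min_prefix=24):
    """Compare the mail origin with the IP the advertised site is hosted on.

    'own-infrastructure' means the mail left the same server or a neighbour
    in the same small block, so the headers were not simply forged elsewhere.
    It does not say who triggered the mail: a third party abusing the site's
    signup form produces exactly the same result.
    """
    if origin is None:
        return "unknown"
    if shared_prefix_len(origin, hosting_ip) >= min_prefix:
        return "own-infrastructure"
    return "third-party"


if __name__ == "__main__":
    origin = originating_ip(SAMPLE_HEADERS)
    print(origin, classify(origin, "174.122.14.227"))
```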

Evil network: Alex Gorbunov / GORBY-VPN-NET AS51303 (195.226.197.0/24)

A small but nasty netblock hosting ZeuS C&C servers and Phoenix exploit kit attacks, GORBY-VPN-NET (registered to an Alex Gorbunov) seems to have no legitimate sites at all. There aren't a lot of sites in this range (I see just 24) but there does seem to be quite a lot of malicious activity. I recommend that you block access to 195.226.197.0/24.

RIPE says:

inetnum:         195.226.197.0 - 195.226.197.255
netname:         GORBY-VPN-NET
descr:           Alexandr Gorbunov
remarks:         MyVPN service
country:         UA
org:             ORG-AG58-RIPE
admin-c:         AG10224-RIPE
tech-c:          AG10224-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          GORBY-MNT
mnt-routes:      GORBY-MNT
mnt-domains:     GORBY-MNT
source:          RIPE # Filtered
organisation:    ORG-AG58-RIPE
org-name:        Alexandr Anatolyevich Gorbunov
remarks:         MyVPN service
org-type:        OTHER
address:         Moskva, Yasniy proezd 14a, kv. 73
phone:           +79025392311
admin-c:         AAG76-RIPE
tech-c:          AAG76-RIPE
mnt-ref:         GORBY-MNT
abuse-mailbox:   gorby@land.ru
mnt-by:          GORBY-MNT
source:          RIPE # Filtered
person:          Alex Gorbunov
address:         Moskva, Yasniy proezd 14a, kv. 73
phone:           +79025392311
nic-hdl:         AG10224-RIPE
mnt-by:          GORBY-MNT
source:          RIPE # Filtered
% Information related to '195.226.197.0/24AS51303'
route:           195.226.197.0/24
descr:           GORBY-AS Route Object
origin:          AS51303
mnt-by:          GORBY-MNT
source:          RIPE # Filtered


Google says of AS51303:

Safe Browsing
Diagnostic page for AS51303


What happened when Google visited sites hosted on this network?

    Of the 23 site(s) we tested on this network over the past 90 days, none served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-10-27, and the last time suspicious content was found was on 2010-10-27.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 5 site(s) on this network, including, for example, semikemi.info/, surogatesm.info/, meinisp.info/, that appeared to function as intermediaries for the infection of 16 other site(s) including, for example, vlasti.net/, inmobiliaria-habitat.es/, inoxmarti.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, semikemi.info/, terikmask.info/, qstrokes.info/, that infected 176 other site(s), including, for example, montealea.com/, ideal.es/, crosswordscrucigramas.com/.

You can see a list of domains and MyWOT reputations here [csv], the current list of domains that I can see is below:


Tuesday, 26 October 2010

"Bikini Robot Army" spam

I've never listened to Bikini Robot Army (although for some reason I have heard of them), but this spam run I was at the wrong end of did tempt me to give them a listen, if only to hear what a spammer sounds like.. basically pretty derivative and dull but somewhat technically competent. In other words.. it sounds like the musical equivalent of spam.

This email originates from 216.92.1.93, spamvertising bikinirobotarmy.com on 216.92.45.18 plus a defunct Facebook page, MySpace page and Twitter account. Frankly I'd give them a miss if they have to resort to unsolicited bulk email to drum up interest.

Slightly amusingly, their spam has this line in it: Bill Gates - "I gave Bikini Robot Army YOUR email address!” - I don't think he did.

From: robotarmy-bounces@bikinirobotarmy.com [mailto:robotarmy-bounces@bikinirobotarmy.com] On Behalf Of Bikini Robot Army
Sent: 25 October 2010 19:40
To: robotarmy@bikinirobotarmy.com
Subject: [Robotarmy] Bikini Robot Army wants YOU!

Bikini Robot Army wants YOU!

If you love the Rolling Stones, Beatles, Bowie and Beck - you will love... Bikini Robot Army.

From the mouth of David Bowie (Digivegas, 2010)
"Bikini Robot Army is a wild new band - I've never heard a song like that before"
[Joe Strummer's House]

Joe Strummer's House is the new hit by Bikini Robot Army taking the UK by storm;
you can hear it on BBC Radio One and BBC 6.

Bikini Robot Army continues to tear like a tornado through the US!

Come join us! We want YOU!
www.bikinirobotarmy.com
Available at iTunes, Amazon and all online stores.

Remember, Bikini Robot Army LOVES YOU!

Follow us for updates and special guests, radio interviews, live shows etc
Plus FREE music, FREE merchandise and regular updates.

facebook.com/bikinirobotarmy
twitter.com/bikinirobotarmy
myspace.com/bikinirobotarmy

Thanks,
www.bikinirobotarmy.com.
Available at iTunes, Amazon and all online stores.

Any questions, comments or rants, please email us at info@bikinirobotarmy.com.

If you would like to unsubscribe, please email info@bikinirobotarmy.com with Unsubscribe in the subject.
--------------------------------------------------------------------------------------------------------------

50cent - "I only listen to Bikini Robot Army

George Bush - “B.R.A. I never go running without Bikini Robot Army in my iPod”

Madonna - “Bikini Robot Army saved my life”

Elton John - “Bikini Robot Army made me gay!”

Keith Richards - "Who the F*@K is Bikini Robot Army?”

Richard Pryor - "Bikini Robot Army killed me!”

Superman - "Kryptonite? I don’t think so!”

Bill Gates - "I gave Bikini Robot Army YOUR email address!”

Bill Murray - "Stop asking me about Ghostbusters 3, I wanna hear the new Bikini Robot Army album!”

Sunday, 24 October 2010

"america-newresume.com" scam

This scam has been around for a while, strangely it spells out "NB" in the full Latin of "Nota Bene". You don't see an awful lot of Latin in spam these days. Anyway, this is a fake job offer, most likely in money laundering or receiving stolen goods. Avoid.

Re: CV 69


I’m addressing you on behalf of the HR department of a large company.

Our company takes an active part in the life of its subsidiaries, for example:
-property
- bank account operations
- transportation and logistics
- private enterprise service
- etc.

We have vacancies to be filled by Europe residents only:
- salary 2.600 euro + bonus
- underemployment
- flextime


If you are ready to work as a regional manager in Europe send us the below information: Dominick@america-newresume.com
First Name:
Last name:
Country of living:
City
E-mail:
Phone:



Nota bene! Only European residents are required !

Please provide us with your Personal data (Phone number and First and Last name) and our manager will contact to you to make a brief interview.

Saturday, 23 October 2010

sshopper.net "mystery shopper" scam

We've seen this scam before, but this time the mystery shopper scam uses a domain of sshopper.net to solicit replies. Avoid.


Re: MS/Secret Shopper [$700/week]


Thank you for your interest in the MS Shopper position.
Our company conducts surveys and evaluates other companies in order to help them achieve their performance goals.
We offer an integrated suite of business solutions that enables corporations to achieve tangible results in the marketplace.

We get hired by other companies and act like customers to find out how they are handling their services in relation to their customers.
MS Shopping is the most accurate and reliable tool a business can use to gather information regarding their actual customer service performance at the moment of truth.
This moment of truth is not when the staff is on their best behavior because the boss is around - it is when they interact with customers during their normal daily routines.

This is where you, the MS Shopper, come in.
You pose as an ordinary customer and provide feedback of both factual observations (ex...the floor was free of debris)
and your own opinions (ex...I felt that the temperature in the establishment was too cold).

MS Shoppers must remain anonymous. You must act as a regular customer and be careful not to do anything that would reveal you as a shopper.
An inexperienced shopper could tip off the staff to his/her identity by asking for the manager's name for no clear or appropriate reason.
If you are going to be bringing someone with you on the shop, make sure you educate them about the process as well.
Beware that even whispers can be overheard by employees. If anyone notices you are a shopper,
you can bet that word will quickly spread around the establishment and you will get some of the best customer service in town.

No company can afford to have a gap between the promise of quality and its actual delivery, that's why leading corporations look to us,
the nation's premiere MS shopping and customer experience measurement company.

In order for a business to effectively compete in today's economy, they must be prepared to meet the challenge of increasing sales by:
* Retaining existing customers
* Acquiring new customers
* Creating word-of-mouth advocacy
* Improving customer loyalty

Once we have a contract to do so, you would be directed to the company or outlet, and you would be given
the funds you need to do the job(either purchase merchandise or require services), after which you would write a detailed report of your experience.

Examples of details you would forward to us are:
1) How long does it take to get served.
2) Politeness of the attendant.
3) Customer service professionalism.
4) Sometimes you might be required to upset the attendant, to see how they deal with difficult clients.

Then we turn the information over to the company executives and they will carry out their own duties in improving their services.
Most companies employ our assistance when people complain about their services, or when they feel there is a need for them to improve upon their customer service.
Our company partners with you to implement proven MS shop auditing and surveying strategies that provide critical information about customer experiences.

You will be paid a commission of $100 for every duty you carry out, and bonus on your transportation allowance.
Your task will be to evaluate and comment on customer service in a wide variety of restaurants, retail stores, casinos,
shopping malls, banks and hotels in your area.


Qualities of a good MS Shopper:
* Is 21 years of age or older
* Loves to go shopping
* Is fair and objective
* Is ON TIME
* Is very observant and able to focus on details
* Is fairly intelligent
* Has patience
* Is detail oriented
* Is practical
* Types well
* Is trustworthy
* Explains well in writing
* Is discreet
* Loves to learn
* Handles deadlines
* Has full internet access (at home or at work)

MS Shopping is fun and exciting but also must be approached very seriously and is definitely not for everyone.

If you are interested in applying for consideration as a MS Shopper do send in your information: Guadalupe@sshopper.net
Full Name:
Address:
City:
State:
Zip Code:
Phone Number:
Age:
Occupation:

As soon as we receive your information we will add you to our database and we will look for locations in your area that needs to be evaluated.

The possition is only available for United States.

Thank you,
Guadalupe VEYTIA

Friday, 22 October 2010

"MR.BANKY MOON" scam

This one is from "MR.BANKY MOON" who is apparently the "UN SEC.GENERAL.", but for some reason he's using a free Gmail address and is sending this email from Argentina. And an ATM card loaded with seven million dollars? If your ATM withdrawal limit is $500 per day, then it will take you 14,000 days (or 38 years, 4 months and 9 days) to get it out of the cash machine..

From: UN AUDIT DEPT. <morriswilliams01@ciudad.com.ar>
Reply-To: atmswiftdeptm@gmail.com
Date: 23 October 2010 07:15
Subject: ATM-001 CODE
UNITED NATIONS NATIONAL AUDIT OFFICE
BUCKINGHAM PALACE ROAD, VICTORIA
LONDON SW1W 9SP,
UNITED KINGDOM.


Attn: Beneficiary
We sincerely apologize for sending you this sensitive information via e-mail instead of a certified mail, phone call or a  face-to-face conversation, it is due to the urgency and importance of the security information involved. In the quest to cushion the effect of the global financial crisis, American government through the Federal Bureau of Investigation (FBI) Washington  DC, United Nations and the Internet Crime Complaint Center (ic3) has signed an agreement with Nigeria & EFCC for an immediate release of all overdue funds presently logged in their treasury and ensure it is disbursed to the rightful beneficiaries in any part of the world. If you the beneficiary would adhere to this notification it will help stabilize the various economies of the world and reduce the effect of this depressing recession.
Prior to this agreement our team of security experts has swung into action for transparency and accountability of this periodic project. The Federal Bureau of Investigation (Global Intelligence, Cyber Division) saddled with the responsibility of monitoring activities going on over the internet have discovered your name in the list of unpaid beneficiaries and it might interest you to know that we have conducted a comprehensive investigation on this discovery as stipulated on our protocol of operation and have confirmed that the funds was endorsed in your favor and it is 100% genuine and hitch free from all facets. You have the lawful right to contact the appropriate authority to claim your payment without further delay.
Under the Joint Regulatory Commission,we have appointed a sole fiduciary member of CBN that will handle the transfer of your funds through ATM CARD Payment. This card centre will send you an ATM CARD which you will use to withdraw your money in any ATM Machine located in your designation/any part of the world, the maximum amount to withdraw is three thousand dollars per day. Contact the below card payment centre for more details.
Contact person: Dr.Wilfred Bruce
Email: atmswiftdeptm@gmail.com
Tel: +2347037250822
Also send the below information to the above address to enable them start processing your ATM CARD.
1. Your full name
2. Phone number & fax
3. Address where you want them to send the ATM CARD
4. Your Age & Current Occupation
5. Attach copy of your Identification.
This ATM CARD payment centre has been mandated to issue out USD7, 000,000.00 as part payment for your Contract/Inheritance/Lottery Winnings for this fiscal year 2010. Also for your information, you have to stop any further communication with any other person (s) / office (s) to avoid any hitches in receiving your payment. For oral discussion, call or email back as soon as you receive this important message for further direction and also update me with the developments from the above mentioned office.
Note that because of impostors,we hereby issued you our code of conduct which is (ATM-001) so you have to indicate this code when contacting the card centre by using it as your subject.
Thanks.

MR.BANKY MOON
UN SEC.GENERAL.


Just silly really..

eu-ltk.com fake job offer

Another fake job offer (probably following on from this one), probably involving money laundering and other criminal support services.

Date: 22 October 2010 11:06
Subject: Civilities
   
This message was likely forged and did not originate from your account. Learn More
Greetings

I introduce a large multinational enterprise the co-worker of the HR department of which I am.

Our company takes an active part in the life of its subsidiaries, for example:
- real estate
- companies setting-up and winding-up
- bank accounts opening and maintenance
- logistics
- private undertaking services
- etc.

There are vacant positions of regional managers in Europe:
- salary 2.300 euro + bonus
- 2 - 3 working hours per day
- optimal timetable

If you are interested in this job, please, send us your contact information: Sam@eu-ltk.com
First Name:
Last name:
Country of living:
City
E-mail:
Phone:



We are looking for the people who have a right to work in Europe!

Please provide you name and contact information in order we can find you for further communication.

WHOIS details for the domain show the infamous info@JuliaNewYork76.com as the registrant.


Domain name: eu-ltk.com

Name servers:
    ns1.nameself.com
    ns2.nameself.com

Registrar: Regtime Ltd.
Creation date: 2010-10-19
Expiration date: 2011-10-19
Status: active

Registrant:
    Julia Morgan
    Email: info@JuliaNewYork76.com
    Organization: MDS LTD
    Address: 201 Varick Street
    City: New York
    State: NY
    ZIP: 10014
    Country: US
    Phone: +1.8668402756
Administrative Contact:
    Julia Morgan
    Email: info@JuliaNewYork76.com
    Organization: MDS LTD
    Address: 201 Varick Street
    City: New York
    State: NY
    ZIP: 10014
    Country: US
    Phone: +1.8668402756
Technical Contact:
    Julia Morgan
    Email: info@JuliaNewYork76.com
    Organization: MDS LTD
    Address: 201 Varick Street
    City: New York
    State: NY
    ZIP: 10014
    Country: US
    Phone: +1.8668402756
Billing Contact:
    Julia Morgan
    Email: info@JuliaNewYork76.com
    Organization: MDS LTD
    Address: 201 Varick Street
    City: New York
    State: NY
    ZIP: 10014
    Country: US
    Phone: +1.8668402756 

Thursday, 21 October 2010

Evil network: DG Holding SIA / ALTNET-LV AS41390 (195.3.144.0/22)

DG Holding SIA / ALTNET-LV is another evil network, and it's no surprise to see that it is in Latvia. The 195.3.144.0/22 hosts sites involved in hacking, malware distribution, MLM scams, fake goods and porn plus a number of ZeuS C&C servers.

There are a small number of legitimate customers in this block, but they mostly cater for Latvian users only.. if you are outside of Latvia, then very little will be lost by blocking this entire /22 (195.3.144.0 - 195.3.147.255).

There's a listing of domains, IPs and MyWOT ratings here [csv] if you want to probe more deeply and avoid blocking the handful of legitimate sites.. otherwise, I would recommend blocking the lot.

Wednesday, 20 October 2010

Evil network: MD-ISP-MONITORING, AS25129 (89.187.32.0/19)

AS25129 (89.187.32.0/19) features a lot of refugees from another evil network, Najada. There's nothing of value in this netblock, sites seem to feature illegal software, fake anti-virus, criminal support infrastructure, fake pharma sites and phishing.

The IP range is allocated to:


inetnum:         89.187.52.0 - 89.187.55.255
netname:         MD-ISP-MONITORING
remarks:         INFRA-AW
descr:           Hi-speed users
country:         MD
admin-c:         ABA3-RIPE
tech-c:          ABA3-RIPE
status:          ASSIGNED PA
mnt-by:          MONITORING-MNT
source:          RIPE # Filtered
person:          Alexander Basunov
address:         R&D Centre "Monitoring"
address:         Komsomolskaya 2a
address:         3200 Bendery
address:         Moldova
e-mail:          hostmaster@bendery.md
mnt-by:          MONITORING-MNT
nic-hdl:         ABA3-RIPE
phone:           +37377786335
source:          RIPE # Filtered
% Information related to '89.187.32.0/19AS25129'
route:           89.187.32.0/19
descr:           R&DC Monitoring, PA
origin:          AS25129
mnt-by:          MONITORING-MNT
source:          RIPE # Filtered

The myWOT reputation of these sites is very bad [CSV], my recommendation is that you block 89.187.52.0 - 89.187.55.255 (89.187.32.0/19) or alternatively null route the sites below.


Attorney scam: Oak Spring Canola Farms

This is a type of scam email that I haven't seen before, in this case targeting lawyers... especially dumb ones (and I certainly have seen a lot of those before).

From: Thomas Shepherd <oakspringcanolafarms@hotmail.com>
Date: 20 October 2010 02:40
Subject: Representation
   
Counsel,

The management of Oak Spring Canola Farms seek the urgent attention of your law firm in regards to a breach of sale contract. I seek your urgent intervention in this matter because of its urgency, please advise me if this is your area of law practice so i can bring you into the loop. Expect your urgent responds at your earliest time.

Yours Sincerely,

Thomas Shepherd

I don't even know what a Canola Farm is, but the IP address that this originates from is 74.210.20.6 in Canada, which is blacklisted for spamming out another scam (via surriel.com):

From: "Bowen Culbert" <culbert.cosmetics@gmail.com>
Subject: JOB OFFER
Date: Mon, 4 Oct 2010 22:09:02 -0400

  CULBERT COSMETICS COMPANY
                      Culbert Cosmetics Company
                        5 Sheddingdean Business Centre
                         Burgess Hill, SussexRH15 8QY
                          United Kingdom
                      Phone:  1273906031
Dear Sir/Madam,

I am Mr. Bowen Culbert. I represent Culbert Cosmetics Company based here in United Kingdom. We need company representatives in Europe, America, and Canada. So If you are interested in this business transaction, forward to us your contact information so we can furnish you with the job description. Please if you are interested to work with us in good faith and honesty, get back to us by filling the information below:

Full Names..................
Full Address................
City........................
State.......................
Postal Code.................
Country.....................
sex.........................
Age.........................
Home Phone..................
Cell Phone..................
Fax.........................
Occupation..................
Company Name................

Very Respectfully,

Bowen Culbert
Managing Director
Culbert Cosmetics Company
5 Sheddingdean Business Centre
Burgess Hill, SussexRH15 8QY
United Kingdom 
culbert.cosmetics@gmail.com
Phone:  1273906031

"Culbert Cosmetics Company" is more obviously a scam, so clearly "Oak Spring Canola Farms" is too.

It turns out that scamming lawyers can be quite lucrative, but the scams do tend to follow established patterns. There's a pretty good repository of attorney email scams, some of which are quite hard to tell apart from genuine client enquiries.

Saturday, 16 October 2010

xshopperjob.com mystery shopper scam

A mystery shopper scam to avoid, from a domain registered in Russia.


Date: 16 October 2010 15:48
Subject: Re: MS Shopper [$800/week]

Thank you for your interest in the MS Shopper position.
Our company conducts surveys and evaluates other companies in order to help them achieve their performance goals.
We offer an integrated suite of business solutions that enables corporations to achieve tangible results in the marketplace.

We get hired by other companies and act like customers to find out how they are handling their services in relation to their customers.
MS Shopping is the most accurate and reliable tool a business can use to gather information regarding their actual customer service performance at the moment of truth.
This moment of truth is not when the staff is on their best behavior because the boss is around - it is when they interact with customers during their normal daily routines.

This is where you, the MS Shopper, come in.
You pose as an ordinary customer and provide feedback of both factual observations (ex...the floor was free of debris)
and your own opinions (ex...I felt that the temperature in the establishment was too cold).

MS Shoppers must remain anonymous. You must act as a regular customer and be careful not to do anything that would reveal you as a shopper.
An inexperienced shopper could tip off the staff to his/her identity by asking for the manager's name for no clear or appropriate reason.
If you are going to be bringing someone with you on the shop, make sure you educate them about the process as well.
Beware that even whispers can be overheard by employees. If anyone notices you are a shopper,
you can bet that word will quickly spread around the establishment and you will get some of the best customer service in town.

No company can afford to have a gap between the promise of quality and its actual delivery, that's why leading corporations look to us,
the nation's premiere MS shopping and customer experience measurement company.

In order for a business to effectively compete in today's economy, they must be prepared to meet the challenge of increasing sales by:
* Retaining existing customers
* Acquiring new customers
* Creating word-of-mouth advocacy
* Improving customer loyalty

Once we have a contract to do so, you would be directed to the company or outlet, and you would be given
the funds you need to do the job(either purchase merchandise or require services), after which you would write a detailed report of your experience.

Examples of details you would forward to us are:
1) How long does it take to get served.
2) Politeness of the attendant.
3) Customer service professionalism.
4) Sometimes you might be required to upset the attendant, to see how they deal with difficult clients.

Then we turn the information over to the company executives and they will carry out their own duties in improving their services.
Most companies employ our assistance when people complain about their services, or when they feel there is a need for them to improve upon their customer service.
Our company partners with you to implement proven MS shop auditing and surveying strategies that provide critical information about customer experiences.

You will be paid a commission of $100 for every duty you carry out, and bonus on your transportation allowance.
Your task will be to evaluate and comment on customer service in a wide variety of restaurants, retail stores, casinos,
shopping malls, banks and hotels in your area.


Qualities of a good MS Shopper:
* Is 21 years of age or older
* Loves to go shopping
* Is fair and objective
* Is ON TIME
* Is very observant and able to focus on details
* Is fairly intelligent
* Has patience
* Is detail oriented
* Is practical
* Types well
* Is trustworthy
* Explains well in writing
* Is discreet
* Loves to learn
* Handles deadlines
* Has full internet access (at home or at work)

MS Shopping is fun and exciting but also must be approached very seriously and is definitely not for everyone.

If you are interested in applying for consideration as a MS Shopper do send in your information: Domiciano@xshopperjob.com
Full Name:
Address:
City:
State:
Zip Code:
Phone Number:
Age:
Occupation:

As soon as we receive your information we will add you to our database and we will look for locations in your area that needs to be evaluated.

The possition is only available for United States.

Thank you,
Domiciano MECHOSO


The domain name is registered in Russia; the contact details could well be fake:

Domain Name: XSHOPPERJOB.COM

Registrant:
    Beatles Steel
    Alexey Zhukov        (oloperz@usa.com)
    Novopeschanaya 56 8
    Moscow
    Moscow,145672
    RU
    Tel. +7.4999433354

Creation Date: 15-Oct-2010 
Expiration Date: 15-Oct-2011

Domain servers in listed order:
    ns2.reg.ru
    ns1.reg.ru

Administrative Contact:
    Beatles Steel
    Alexey Zhukov        (oloperz@usa.com)
    Novopeschanaya 56 8
    Moscow
    Moscow,145672
    RU
    Tel. +7.4999433354

Technical Contact:
    Beatles Steel
    Alexey Zhukov        (oloperz@usa.com)
    Novopeschanaya 56 8
    Moscow
    Moscow,145672
    RU
    Tel. +7.4999433354

Billing Contact:
    Beatles Steel
    Alexey Zhukov        (oloperz@usa.com)
    Novopeschanaya 56 8
    Moscow
    Moscow,145672
    RU
    Tel. +7.4999433354


All mail is handled by mx.yandex.ru in Russia, so this does look like a Russian operation. No surprises there. The email address is fairly well known for fraudulent activity too. Avoid.

Friday, 15 October 2010

nttemps.net / ntmps.net / ntmps.com recruitment scam

Net-Temps, Inc is a real company. These emails do not come from Net-Temps, Inc; they follow on from a series of fraudulent emails pretending to be from this company. This time around the scammers appear to be using the domains nttemps.net and ntmps.net (update: they are also using ntmps.com).

These so-called jobs are usually money mule (money laundering) operations or some other criminal "back office" activity which should be avoided at all costs.

Date: 15 October 2010 16:48
Subject: Hiring (part-time)

Looking for a job? My name is Juliette Barnes, I am a recruiting manager of NetTemps Inc, a recruiting agency for direct-hire, contract, and freelance professionals within various professions.                          

Today I would like introduce some part-time and virtual office vacancies in the spheres of Advertising, Education, Engineering, Finance, Health care, Information technology, Media, Real estate and Transportation.                                       

If you are interested to learn more about the jobs offered, please get back to me, providing your name and contact number.                        

We are eager to help you find a better job and improve your career!         
If you have questions, please do not hesitate to e-mail me on:
e u r o p e @ n t m p s . n e t      [please delete spaces in the email address before sending it to us]    

Yours sincerely,                             
Juliette Barnes                     
NetTemps Inc                                 
======================================
Mail for these two domains is handled by 67.222.149.107 [BlueSquare Data, UK]. The nameservers are ns1.dollar-canada.com and ns1.nevoconsulting.net, both hosted on 67.23.235.236 [HostDime, Orlando], which are also used by the domains lovestorybook.net and xpharmx.com.

Monday, 11 October 2010

Evil network: Specialist Ltd / Specialist-ISP-PI2 AS48691(194.28.112.0/22)

Specialist Ltd is a fairly large netblock containing a small number of very bad hosts and nothing else. Registered to a company in Moldova, Specialist looks like another part of the Latvian / Moldovan / Bosnian black hat network which supports all sorts of organised crime.

inetnum:         194.28.112.0 - 194.28.115.255
netname:         Specialist-ISP-PI2
descr:           Specialist, Ltd.
country:         MD
org:             ORG-SL206-RIPE
admin-c:         VP2841-RIPE
tech-c:          AB16163-RIPE
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-HM-PI-MNT
mnt-lower:       RIPE-NCC-HM-PI-MNT
mnt-by:          SPECIALIST-MNT
mnt-routes:      SPECIALIST-MNT
mnt-domains:     SPECIALIST-MNT
source:          RIPE # Filtered

organisation:    ORG-SL206-RIPE
org-name:        Specialist, Ltd
org-type:        OTHER
descr:           Specialist, Ltd, Rybnitsa, MD
address:         I. Soltysa 12, Rybnitsa, MD
phone:           +373-777-12921
phone:           +373-693-18189
phone:           +373-777-65071
fax-no:          +373-555-43073
mnt-ref:         MONITORING-MNT
abuse-mailbox:   abuse@lan-rybnitsa.com
mnt-by:          SPECIALIST-MNT
source:          RIPE # Filtered

person:          Vladimir Pilan
address:         I. Soltysa 12, Rybnitsa, MD
phone:           +373-777-12921
fax-no:          +373-555-43073
nic-hdl:         VP2841-RIPE
source:          RIPE # Filtered
mnt-by:          SPECIALIST-MNT

person:          Anatoly Belitsky
address:         I. Soltysa 12, Rybnitsa, MD
phone:           +373-777-65071
fax-no:          +373-555-43073
nic-hdl:         AB16163-RIPE
source:          RIPE # Filtered
mnt-by:          SPECIALIST-MNT

% Information related to '194.28.112.0/22AS48691'

route:           194.28.112.0/22
descr:           Specialst-route2
origin:          AS48691
mnt-by:          SPECIALIST-MNT
source:          RIPE # Filtered


Google's Safe Browsing diagnostics only show part of the story:

Safe Browsing
Diagnostic page for AS48691 (SPECIALIST)

What happened when Google visited sites hosted on this network?

    Of the 28 site(s) we tested on this network over the past 90 days, none served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-10-09, and the last time suspicious content was found was on 2010-10-09.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 3 site(s) on this network, including, for example, 0jiqjmk3.ru/, fngmadopx.ru/, bingosyssaver24.com/, that appeared to function as intermediaries for the infection of 2 other site(s) including, for example, rttattorneys.com/, mygooglephotos.webs.com/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 15 site(s), including, for example, 194.28.112.0/, xebetak.ru/, bingosyssaver24.com/, that infected 865 other site(s), including, for example, slutdrive.com/, stvid.com/, amatura.com/.

The MyWOT reputation of the sites on this network is very bad [CSV]. It is unlikely that this netblock will be used for anything other than evil purposes, so blocking 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is probably a good idea, or block the domains listed below.


[Updated] Evil network: Donstroy Ltd AS29557 (194.8.250.0/23)

UPDATE:  this IP range is now used by a completely different organisation, and malicious activity no longer exists and the block is safe to use. However, the post will remain up for research purposes.

Another network worth blocking, Donstroy Ltd appears to be a Latvian entity hosting in Moldova, closely affiliated with Sagade Ltd, who are one of the most scummy networks around at the moment.

The WHOIS details show a tell-tale link to Sagade in the email address:

inetnum:         194.8.250.0 - 194.8.251.255
netname:         Donstroy-1
descr:           Donstroy Ltd.
country:         LV
org:             ORG-DL107-RIPE
admin-c:         JS1050
tech-c:          JS1050
status:          ASSIGNED PI
mnt-by:          RIPE-NCC-END-MNT
mnt-lower:       RIPE-NCC-END-MNT
mnt-by:          MNT-DONSTROY
mnt-routes:      MNT-DONSTROY
mnt-domains:     MNT-DONSTROY
source:          RIPE # Filtered

organisation:    ORG-DL107-RIPE
org-name:        Donstroy Ltd.
org-type:        OTHER
address:         Kalinina 19, 6, Bendery, Moldova
e-mail:          sagade95@gmail.com
mnt-ref:         MNT-DONSTROY
mnt-by:          MNT-DONSTROY
source:          RIPE # Filtered

person:          Juris Sahurovs
address:         Rezekne Darzu iela 21
phone:           +37120034981
nic-hdl:         JS1050
e-mail:          sagade95@gmail.com
source:          RIPE # Filtered

% Information related to '194.8.250.0/23AS29557'

route:           194.8.250.0/23
descr:           donstroy-route-1
origin:          AS29557
mnt-by:          MNT-DONSTROY
source:          RIPE # Filtered
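
The WHOIS reading done by hand in both network write-ups above (range to block, originating AS, contact address that links one outfit to another) can be scripted. This is an added example, not code from the original post: the function names are made up here, the sample is an abridged copy of the Donstroy record, and the watchlist term `sagade` is an assumption taken from the link the post points out.

```python
import ipaddress

# Constructed sample: abridged from the Donstroy RIPE objects quoted above.
SAMPLE_WHOIS = """\
inetnum:         194.8.250.0 - 194.8.251.255
netname:         Donstroy-1
country:         LV
org:             ORG-DL107-RIPE
admin-c:         JS1050
source:          RIPE # Filtered

organisation:    ORG-DL107-RIPE
org-name:        Donstroy Ltd.
e-mail:          sagade95@gmail.com
source:          RIPE # Filtered

person:          Juris Sahurovs
nic-hdl:         JS1050
e-mail:          sagade95@gmail.com

% Information related to '194.8.250.0/23AS29557'

route:           194.8.250.0/23
origin:          AS29557
"""


def parse_rpsl(text):
    """Split WHOIS/RPSL text into objects, each a list of (attr, value) pairs."""
    objects, attrs = [], []
    for raw in text.splitlines() + [""]:       # trailing "" flushes the last object
        if raw.startswith("%"):                # server remarks, not data
            continue
        line = raw.split("#", 1)[0].rstrip()   # drop end-of-line comments
        if not line.strip():                   # blank line ends the current object
            if attrs:
                objects.append(attrs)
            attrs = []
        elif line[0] in " \t+" and attrs:      # continuation of the previous value
            key, val = attrs[-1]
            attrs[-1] = (key, (val + " " + line[1:].strip()).strip())
        else:
            key, sep, val = line.partition(":")
            if sep:
                attrs.append((key.strip().lower(), val.strip()))
    return objects


def values(obj, key):
    """All values of a (possibly repeated) attribute in one object."""
    return [v for k, v in obj if k == key]


def inetnum_to_cidrs(inetnum):
    """'a.b.c.d - e.f.g.h' -> minimal list of networks covering the range."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def audit(text, watchlist=("sagade",)):
    """Return blockable CIDRs, route/origin pairs, contacts and watchlist hits."""
    cidrs, routes, contacts = [], [], {}
    for obj in parse_rpsl(text):
        cls, primary = obj[0]                  # first attribute names the object
        if cls == "inetnum":
            cidrs += inetnum_to_cidrs(primary)
        elif cls == "route":
            origin = (values(obj, "origin") or ["?"])[0]
            routes.append((ipaddress.ip_network(primary), origin))
        for mail in values(obj, "e-mail") + values(obj, "abuse-mailbox"):
            contacts.setdefault(mail.lower(), []).append(f"{cls}:{primary}")
    # Ranges with no covering route object deserve a second look before blocking.
    unrouted = [c for c in cidrs if not any(c.subnet_of(r) for r, _ in routes)]
    hits = sorted(m for m in contacts if any(w in m for w in watchlist))
    return {
        "cidrs": [str(c) for c in cidrs],
        "routes": [(str(r), o) for r, o in routes],
        "unrouted": [str(c) for c in unrouted],
        "contacts": contacts,
        "watchlist_hits": hits,
    }


def is_blocked(ip, cidrs):
    """True if ip falls inside any CIDR string in cidrs (e.g. for log triage)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    report = audit(SAMPLE_WHOIS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The same `inetnum_to_cidrs` call on the Specialist range `194.28.112.0 - 194.28.115.255` yields the single /22 given in that post.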

Google's Safe Browsing diagnostics are not good:

Safe Browsing
Diagnostic page for AS29557 (ASNOVIFORUM)

What happened when Google visited sites hosted on this network?

    Of the 42 site(s) we tested on this network over the past 90 days, 2 site(s), including, for example, fastprosearch.com/, twilightsex.cz.cc/, served content that resulted in malicious software being downloaded and installed without user consent.

    The last time Google tested a site on this network was on 2010-10-10, and the last time suspicious content was found was on 2010-10-10.

Has this network hosted sites acting as intermediaries for further malware distribution?

    Over the past 90 days, we found 10 site(s) on this network, including, for example, manoso.cz.cc/, noaos1.cz.cc/, sunporno.cz.cc/, that appeared to function as intermediaries for the infection of 31 other site(s) including, for example, business-standard.com/, ddl-blog.org/, onlyteensx.net/.

Has this network hosted sites that have distributed malware?

    Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 22 site(s), including, for example, 194.8.251.0/, prostodomen.in/, globalvalidator.cz.cc/, that infected 215 other site(s), including, for example, business-standard.com/, renisyqaqir.freehostking.com/, hetivilesum.freehostking.com/.

A search against MyWOT reputations reveals a concentration of very bad sites (report here). The best thing to do is to block all traffic to 194.8.250.0 - 194.8.251.255 (194.8.250.0/23) and/or the domains listed below:
