Showing posts with label RU:8080.

Tuesday 19 March 2013

"End of Aug. Statement Reqiured" spam / hiskintako.ru


This spam leads to malware on hiskintako.ru:


Date:      Tue, 19 Mar 2013 08:04:18 +0300
From:      "package update Ups" [upsdelivercompanyb@ups.com]
Subject:      Re: FW: End of Aug. Statement Reqiured
Attachments:     Invoices-CAS9927.htm

Hi,

as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)

Regards

-----------------------

Date:      Tue, 19 Mar 2013 02:18:06 +0600
From:      MyUps [ups-delivery-services@ups.com]
Subject:      Re: FW: End of Aug. Stat. Required

Hi,

as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)


Regards

The malicious payload is at [donotclick]hiskintako.ru:8080/forum/links/column.php  (report here) hosted on:
50.22.0.2 (SoftLayer, US)
89.110.131.10 (Netclusive, Germany)
132.230.75.95 (Albert-Ludwigs-Universitaet, Germany)
188.165.202.204 (OVH, France)

BLOCKLIST:

Friday 15 March 2013

RU:8080 Malware sites to block 15/3/13

These seem to be the currently active IPs and domains being used by the RU:8080 gang. Of these the domain gilaogbaos.ru seems to be very active this morning. Block 'em if you can:


For the record, these are the registrars either hosting the domains or offering support services. It is possible that some have been taken down already.
5.9.40.136 (Hetzner, Germany)
41.72.150.100 (Hetzner, South Africa)
50.116.23.204 (Linode, US)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)
212.180.176.4 (Supermedia, Poland)
213.215.240.24 (COLT, Italy)

Thursday 14 March 2013

"Efax Corporate" spam / gimiinfinfal.ru

This eFax-themed spam leads to malware on gimiinfinfal.ru:

Date:      Thu, 14 Mar 2013 07:39:23 +0300
From:      SarahPoncio@mail.com
Subject:      Efax Corporate
Attachments:     Efax_Corporate.htm



Fax Message [Caller-ID: 449555234]

You have received a 44 pages fax at Thu, 14 Mar 2013 07:39:23 +0300, (751)-674-3105.

* The reference number for this fax is [eFAX-263482326].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.
There's an attachment called Efax_Corporate.htm which leads to malware on [donotclick]gimiinfinfal.ru:8080/forum/links/column.php (report here) hosted on:

94.102.14.239 (Netinternet, Turkey)
50.116.23.204 (Linode, US)
213.215.240.24 (COLT, Italy)

Blocklist:
50.116.23.204
94.102.14.239
213.215.240.24
giimiiifo.ru

Wednesday 13 March 2013

"Copies of policies" spam / giimiiifo.ru

This spam leads to malware on giimiiifo.ru:

Date:      Wed, 13 Mar 2013 06:49:25 +0100
From:      LinkedIn Email Confirmation [emailconfirm@linkedin.com]
Subject:      RE: Alonso - Copies of Policies.

Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy.

Here is the Package and Umbrella,

and a copy of the most recent schedule.

Alonso SAMS,

The malicious payload is at [donotclick]giimiiifo.ru:8080/forum/links/column.php hosted on two IPs we saw earlier:

94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)
 

"Wapiti Lease Corporation" spam / giminaaaao.ru

A fairly bizarre spam leading to malware on giminaaaao.ru:

From: IESHA WILLEY [mailto:AtticusRambo@tui-infotec.com]
Sent: 13 March 2013 11:22
To: Sara Smith
Subject: Fwd: Wapiti Land Corporation Guiding Principles attached

Hello,

Attached is a draft of the Guiding Principles that the Wapiti Lease Corporation (“W.L.C”) would like to publish. Prior to doing that, WLC would like you to have an opportunity for a preview and to provide any
comments that you would like to make. Please let me know that you have reviewed it and what comments you might have.

Thank you,

IESHA WILLEY
WLC 
This comes with an attachment called WLC-A0064.htm although I have another sample "from" a DEANNE AMOS with an attachment of WLC-A5779.htm. In any case, the attachment tries to direct the victim to a malware landing page at [donotclick]giminaaaao.ru:8080/forum/links/column.php (report here) hosted on:

93.174.138.48 (Cloud Next / Node4, UK)
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)

Blocklist:
93.174.138.48
94.102.14.239
213.215.240.24
giminaaaao.ru
giminkfjol.ru
giminanvok.ru



Tuesday 12 March 2013

"End of Aug. Stat. Required" spam / giminkfjol.ru

This spam leads to malware on giminkfjol.ru:

From: user@victimdomain.com
Sent: 12 March 2013 04:19
Subject: Re: End of Aug. Stat. Required

Good morning,
as reqeusted I give you inovices issued to you per dec. 2012 ( Internet Explorer file)

Regards

The attachment Invoices-ATX993823.htm attempts to redirect the victim to [donotclick]giminkfjol.ru:8080/forum/links/column.php (report here) hosted on:

5.9.40.136 (Hetzner, Germany)
94.102.14.239 (Netinternet, Turkey)
213.215.240.24 (COLT, Italy)

Blocklist:
5.9.40.136
94.102.14.239
213.215.240.24
giminkfjol.ru

Monday 11 March 2013

Wire Transfer spam / giminanvok.ru

Another wire transfer spam, this time leading to malware on giminanvok.ru:

Date:      Mon, 11 Mar 2013 02:46:19 -0300 [01:46:19 EDT]
From:      LinkedIn Connections [connections@linkedin.com]
Subject:      Fwd: Wire Transfer (5600LJ65)

Dear Bank Account Operator,


WIRE TRANSFER: FED694760330367340
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.
The malicious payload is at [donotclick]giminanvok.ru:8080/forum/links/column.php (report pending) hosted on the same IPs used earlier today:
5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)

I strongly recommend that you block access to these IPs if you can.


Wire Transfer spam / gimikalno.ru

This fake wire transfer spam leads to malware on gimikalno.ru:

Date:      Mon, 11 Mar 2013 04:00:22 +0000 [00:00:22 EDT]
From:      Xanga [noreply@xanga.com]
Subject:      Re: Fwd: Wire Transfer Confirmation (FED REFERENCE 16442CU385)

Dear Bank Account Operator,
WIRE TRANSFER: FED62403611378975648
CURRENT STATUS: PENDING

Please REVIEW YOUR TRANSACTION as soon as possible.

The malicious payload is at [donotclick]gimikalno.ru:8080/forum/links/column.php (report here) hosted on:

5.9.40.136 (Hetzner, Germany)
66.249.23.64 (Endurance International Group, US)
94.102.14.239 (Netinternet, Turkey)

Blocklist:

Friday 8 March 2013

RU:8080 and Amerika spam runs

For about the past year I have seen two very persistent spam runs leading to malware, typically themed along the lines of fake emails from the BBB, LinkedIn, NACHA, USPS and ADP.

The most obvious characteristic of one of the spam runs is the use of a malware landing page containing .ru:8080, registered through NAUNET to the infamous "private person". In order to aid researchers, I have labelled this series as RU:8080. You can see some current nastiness in action at Malware Must Die.

But there's a second spam run as well, which appears to be similarly themed but using different servers. In this case, the domains registered are typically .net, .org and .com (with .pro and .biz used from time to time). These domains are registered with fake names and addresses purporting to be in the US, but indicators show that this spam may well originate from within Russia.

I've labelled this series as Amerika (yes, there was a TV show of the same name) because frankly the domains are about as American as apple pie sharlotka. The Amerika spam run is a little harder to identify, so there may be some errors in it.

I don't have any deep insight into either spam run or the payloads they deliver, but if you are interested in looking more deeply at the patterns then hopefully this will be of some use!
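A defender-side check for the RU:8080 landing-page shape described above (a .ru host on port 8080 serving /forum/links/column.php), as an added example that is not part of the original post. The proxy log format and the sample lines are constructed; the two .ru hostnames in them are taken from posts on this page.

```python
import re
from urllib.parse import urlsplit

# The landing-page shape the post describes: a .ru domain on port 8080
# serving /forum/links/column.php. Matched on the parsed URL rather than the
# raw line, so a benign URL that merely mentions the string in a query
# parameter (see the last sample line) is not flagged.
LANDING_PATH = "/forum/links/column.php"


def is_ru8080_url(url: str) -> bool:
    """True when url has the RU:8080 landing-page shape."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    # parts.port raises ValueError on a non-numeric port; treat as no match
    try:
        port = parts.port
    except ValueError:
        return False
    return host.endswith(".ru") and port == 8080 and parts.path == LANDING_PATH


# Constructed proxy log lines (not real traffic) in a simplified
# "time client method url status" form. Line 3 still matches despite the
# query string; line 4 does not because the port is missing.
SAMPLE_LOG = """\
2013-03-19T08:05:01Z 10.1.2.3 GET http://hiskintako.ru:8080/forum/links/column.php 200
2013-03-19T08:05:02Z 10.1.2.3 GET http://example.com/forum/links/column.php 200
2013-03-19T08:05:03Z 10.1.2.4 GET http://giminkfjol.ru:8080/forum/links/column.php?h=1 200
2013-03-19T08:05:04Z 10.1.2.5 GET http://hiskintako.ru/forum/links/column.php 404
2013-03-19T08:05:05Z 10.1.2.6 GET https://intranet.example.org/search?q=column.php 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def find_ru8080_hits(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, host) for each log line whose URL matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting mid-file
        url = m.group("url")
        if is_ru8080_url(url):
            hits.append((m.group("ts"), m.group("client"), urlsplit(url).hostname.lower()))
    return hits


if __name__ == "__main__":
    # Each hit is a client that reached a landing page and should be checked
    # for a follow-on download from the hosting IPs listed in the posts.
    for ts, client, host in find_ru8080_hits(SAMPLE_LOG):
        print(f"{ts} {client} -> {host}")
```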

LinkedIn spam / giminalso.ru

This fake LinkedIn spam leads to malware on giminalso.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of LinkedIn Password
Sent: 08 March 2013 10:24
Subject: Aylin is now part of your network. Keep connecting...

     [redacted], Congratulations!
You and Aylin are now connected.

    Aylin Welsh

--
Tajikistan    

2012, LinkedIn Corporation
The malicious payload is at [donotclick]giminalso.ru:8080/forum/links/column.php (report here) hosted on the same IPs as in this other attack today:

41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)


"Your tax return appeal is declined" / gimilako.ru

This following fake IRS spam leads to malware on gimilako.ru:

From: Myspace [mailto:noreply@message.myspace.com]
Sent: 07 March 2013 20:55
Subject: Your tax return appeal is declined.

Dear Chief Account Officer,
Hereby you are notified that your Income Tax Refund Appeal id#9518045 has been REJECTED. If you believe the IRS did not properly estimate your case due to a misunderstanding of the facts, be prepared to provide additional information. You can obtain the rejection details and re-submit your appeal by using the instructions in the attachment.

Internal Revenue Service


Telephone Assistance for Businesses:
Toll-Free, 1-800-829-4933
Hours of Operation: Monday - Friday, 7:00 a.m. - 7:00 p.m. your local time (Alaska & Hawaii follow Pacific Time).
The malicious payload is at [donotclick]gimilako.ru:8080/forum/links/column.php (reported here) hosted on:
41.72.150.100 (Hetzner, South Africa)
89.107.184.167 (WebhostOne, Germany)
212.180.176.4 (Supermedia, Poland)

Blocklist:

Adobe CS4 spam / guuderia.ru

This fake Adobe spam leads to malware on guuderia.ru:

From: messages-noreply@bounce.linkedin.com [mailto:messages-noreply@bounce.linkedin.com] On Behalf Of Donnie Cherry via LinkedIn
Sent: 07 March 2013 12:39
Subject: Order N40898

Good afternoon,

You can download your Adobe CS4 License here -

We encourage you to explore its new and enhanced capabilities with these helpful tips, tutorials, and eSeminars.
Thank you for buying Adobe InDesign CS4 software.


Adobe Systems Incorporated
The malicious payload is at [donotclick]guuderia.ru:8080/forum/links/column.php (report here) hosted on:

41.72.150.100 (Hetzner, South Africa)
212.180.176.4 (Supermedia, Poland)

Blocklist:

Wednesday 6 March 2013

Pizza spam / gimalayad.ru


Cheese Lover's Pizza with no cheese?! Chicken pizza with three lots of extra ham?? This spam actually leads to malware on gimalayad.ru:

Date:      Wed, 6 Mar 2013 12:22:04 +0330
From:      Tagged [Tagged@taggedmail.com]
Subject:      Fwd: Order confirmation

You've just ordered pizza from our site

Pizza Ultimate Cheese Lover's with extras:
- Bacon Pieces
- Ham
- Bacon Pieces
- Jalapenos
- Black Olives
- No Cheese
- Easy On Sauce
Pizza Chicken Supreme with extras:
- Ham
- Ham
- Ham
- Jalapenos
- Green Peppers
- Diced Tomatoes
- Extra Cheese
- Extra Sauce
Pizza Hawaiian Luau with extras:
- Ham
- Green Peppers
- Jalapenos
- Pineapple
- Extra Cheese
- No Sauce
Pizza Pepperoni Lover's with extras:
- Beef
- Ham
- Green Peppers
- Onions
- Green Peppers
- Extra Cheese
- Easy On Sauce
Pizza Spicy Sicilian with extras:
- Chicken
- Ham
- Bacon Pieces
- Pineapple
- Easy On Cheese
- Easy On Sauce
Drinks
- Grolsch x 6
- 7up x 3
- Budweiser x 4
- Carling x 2
Total Charge:    232.33$



If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!

If you don't do that shortly, the order will be confirmed and delivered to you.


With respect to you
ALBERTO`s Pizzeria

================================


Date:      Wed, 6 Mar 2013 09:16:56 +0100
From:      "Xanga" [noreply@xanga.com]
Subject:      Re: Fwd: Order confirmation

You've just ordered pizza from our site

Pizza Ultimate Cheese Lover's with extras:
- Beef
- Pepperoni
- Diced Tomatoes
- Easy On Cheese
- Extra Sauce
Pizza Italian Trio with extras:
- Beef
- Black Olives
- Black Olives
- Onions
- Extra Cheese
- Extra Sauce
Pizza Triple Meat Italiano with extras:
- Bacon Pieces
- Ham
- Onions
- Green Peppers
- Diced Tomatoes
- Extra Cheese
- Extra Sauce
Drinks
- Simply Orange x 4
- Fanta x 2
- 7up x 2
- Heineken x 2
- Lift x 5
- Pepsi x 4
- Budweiser x 4
Total Charge:    242.67$



If you haven't made the order and it's a fraud case, please follow the link and cancel the order.
CANCEL ORDER NOW!

If you don't do that shortly, the order will be confirmed and delivered to you.


With Respect
PIERO`s Pizzeria

The malicious payload is at [donotclick]gimalayad.ru:8080/forum/links/column.php (report here) hosted on the same IPs used in this attack:


41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)

Blocklist:

BT Business Direct Order Spam / ginagion.ru

This fake BT spam leads to malware on ginagion.ru:

From: Bebo Service [mailto:service=noreply.bebo.com@bebo.com] On Behalf Of Bebo Service
Sent: 05 March 2013 21:22
Subject: BT Business Direct Order


Notice of delivery

Hi,

We're pleased to confirm that we have now accepted and despatched your order on Wed, 6 Mar 2013 03:21:30 +0600.

Unless you chose a next day or other premium delivery service option, then in most cases your order will arrive within 1-3 days. If we despatched your order via Letterpost, it may take a little longer.

***Please note that your order may have shipped in separate boxes and this means that separate consignment numbers may be applicable***

We've despatched...

..using the attached shipment details...
Courier     Ref     Carriage method
Royal Mail     FM320725534     1-3 Days

Please note that you will only be able to use this tracking reference once the courier has scanned the parcel into their depot. Please allow 24 hours from the date of this email before tracking your parcel online.

For information on how track your delivery, please follow to attached file.

Important information for Yodel deliveries:

If your consignment number starts with 3S3996956 your delivery will require a signature. If there is no-one at the delivery address to sign for the goods a card will be left containing the contact details of the courier so that you can re-arrange delivery or arrange a collection.
The malicious payload is at [donotclick]ginagion.ru:8080/forum/links/column.php (report here) hosted on:
41.72.150.100 (Hetzner, South Africa)
117.104.150.170 (NTT, Japan)
212.180.176.4 (Supermedia, Poland)

Blocklist:


Tuesday 5 March 2013

Sendspace spam / forumkianko.ru

This fake Sendspace spam leads to malware on forumkianko.ru:

Date:      Tue, 5 Mar 2013 06:52:10 +0100
From:      AyanaLinney@[redacted]
Subject:      You have been sent a file (Filename: [redacted]-51153.pdf)

Sendspace File Delivery Notification:

You've got a file called [redacted]-01271.pdf, (797.4 KB) waiting to be downloaded at sendspace.(It was sent by DEON VANG).

You can use the following link to retrieve your file:

Download Link

The file may be available for a limited time only.

Thank you,

sendspace - The best free file sharing service.

----------------------------------------------------------------------
Please do not reply to this email. This auto-mailbox is not monitored and you will not receive a response.

The malicious payload is at [donotclick]forumkianko.ru:8080/forum/links/column.php (report here) hosted on:
 
46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)

These IPs are the same as used in this attack.

"Scan from a Hewlett-Packard ScanJet" spam / giliaonso.ru

This fake HP printer spam leads to malware on giliaonso.ru:

Date:      Tue, 5 Mar 2013 12:53:40 +0500
From:      "Classmates . com" [classmatesemail@accounts.classmates.com]
Subject:      Fwd: Re: Scan from a Hewlett-Packard ScanJet #161051
Attachments:     HP_Scan.htm

Attached document was scanned and sent

to you using a HP A-16292P.

SENT BY : Landon
PAGES : 6
FILETYPE: .HTML [INTERNET EXPLORER/MOZILLA FIREFOX]
The attachment leads to malware on [donotclick]giliaonso.ru:8080/forum/links/column.php (report here) hosted on the following IPs:

46.4.77.145 (Hetzner, Germany)
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)

Blocklist:



Monday 4 March 2013

"British Airways E-ticket receipts" spam / forum-la.ru

This fake British Airways spam leads to malware on forum-la.ru:

From:     LiveJournal.com [do-not-reply@livejournal.com]
Date:     4 March 2013 12:17
Subject:     British Airways E-ticket receipts

e-ticket receipt
Booking reference: 9AZ3049885
Dear,

Thank you for booking with British Airways.

Ticket Type: e-ticket
This is your e-ticket receipt. Your ticket is held in our systems, you will not receive a paper ticket for your booking.

Your itinerary is attached (Internet Exlplorer/Mozilla Firefox file)


Yours sincerely,

British Airways Customer Services

British Airways may monitor email traffic data and also the content of emails, where permitted by law, for the purposes of security and staff training and in order to prevent or detect unauthorised use of the British Airways email system.

British Airways Plc is a public limited company registered in England and Wales. Registered number: 79805156. Registered office: Waterside, PO Box 365, Harmondsworth, West Drayton, Middlesex, England, UB7 0GB.

How to contact us
Although we are unable to respond to individual replies to this email we have a comprehensive section that may help you if you have a question about your booking or travelling with British Airways.


If you require further assistance you may contact us

If you have received this email in error
This is a confidential email intended only for the British Airways Customer appearing as the addressee. If you are not the intended recipient please delete this email and inform the snder as soon as possible. Please note that any copying, distribution or other action taken or omitted to be taken in reliance upon it is prohibited and may be unlawful.

The email has an attachment named E-Ticket-N93892PK.htm which attempts to direct the victim to a malware page at [donotclick]forum-la.ru:8080/forum/links/column.php (report here) hosted on:
198.104.62.49 (NTT America, US)
210.71.250.131 (Chungwa Telecom, Taiwan)


Blocklist:


eFax spam / forumla.ru

This fake eFax spam leads to malware on forumla.ru:

Date:      Mon, 4 Mar 2013 08:53:20 +0300
From:      LinkedIn [welcome@linkedin.com]
Subject:      Efax Corporate
Attachments:     Efax_Corporate.htm



Fax Message [Caller-ID: 646370000]

You have received a 57 pages fax at Mon, 4 Mar 2013 08:53:20 +0300, (213)-406-0113.

* The reference number for this fax is [eFAX-336705661].

View attached fax using your Internet Browser.


© 2013 j2 Global Communications, Inc. All rights reserved.
eFax ® is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax ® Customer Agreement.
The malicious payload is at [donotclick]forumla.ru:8080/forum/links/column.php (report here) hosted on 210.71.250.131 (Chungwa Telecom, Taiwan). These other sites are also visible on the same IP:
foruminanki.ru
ny-news-forum.ru
forumilllionois.ru
forum-ny.ru
forumny.ru
forumla.ru

Thursday 28 February 2013

"Contract of 09.07.2011" spam / forumny.ru

This contracts-themed spam leads to malware on forumny.ru:

Date:      Thu, 28 Feb 2013 11:43:15 +0400
From:      "LiveJournal.com" [do-not-reply@livejournal.com]
Subject:      Fw: Contract of 09.07.2011
Attachments:     Contract_Scan_IM0826.htm

Dear Sirs,

In the attached file I am forwarding you the Translation of the Loan Contract that I have just received a minute ago. I am really sorry for the delay.

Best regards,

SHERLENE DARBY, secretary
The attachment Contract_Scan_IM0826.htm leads to malware on [donotclick]forumny.ru:8080/forum/links/column.php (report here) on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist:



Wednesday 27 February 2013

"End of Aug. Statement" spam / forumusaaa.ru

This invoice-themed spam leads to malware on forumusaaa.ru:

Date:      Thu, 28 Feb 2013 06:04:08 +0530
From:      "Lisa HAGEN" [WilsonVenditti@ykm.com.tr]
Subject:      Re: FW: End of Aug. Statement
Attachments:     Invoice_JAN-2966.htm

Good day,

as reqeusted I give you inovices issued to you per jan. (Microsoft Internet Explorer).

Regards

Lisa HAGEN
The malicious payload is at [donotclick]forumusaaa.ru:8080/forum/links/column.php (report here) hosted on:

31.200.240.153 (Unelink Telecom, Spain)
83.169.41.58 (Host Europe, Germany)

Blocklist: