
Wednesday, 3 September 2014

Fake westlothian.gov.uk "NDR Bill" email

Sometimes spammers come up with weird approaches. This one purports to be a bill from West Lothian Council in the UK.. well, actually it isn't a bill, but it does come with a malicious attachment.

From:     Ebilling [Ebilling@westlothian.gov.uk]
Date:     3 September 2014 09:20
Subject:     NDR Bill

Please find attached your Non Domestic Rates bill.

If your account is in credit you are due a refund unless you have any other debt due to the Council.

To allow your credit to be processed please confirm:

- If you want the credit transferred to another account you have with us. Please confirm the account details.
- If you want the credit refunded by cheque, please confirm who it should be sent to and the address.

Links to Non Domestic Rates information are detailed below.

Important Note:
If you access these links using a mobile phone the network provider may charge for this service.

Yours sincerely
Scott Reid
Revenues Manager

 http://www.westlothian.gov.uk/media/downloaddoc/1799465/1851216/2395547

* PDF Viewer required.

This message, together with any attachments, is sent subject to the
following statements:

1.    It is sent in confidence for the addressee only.  It may
    contain legally privileged information.  The contents are
    not to be disclosed to anyone other than the addressee.
    Unauthorised recipients are requested to preserve this
    confidentiality and to advise the sender immediately.
2.    It does not constitute a representation which is legally
    binding on the Council or which is capable of constituting
    a contract and may not be founded upon in any proceedings
    following hereon unless specifically indicated otherwise.

http://www.westlothian.gov.uk

Attached is a file 00056468.pdf.zip which contains a malicious executable D0110109.PDF.exe (which has an icon to make it look like a PDF file). This has a low detection rate at VirusTotal of 4/55.

The Comodo CAMAS report shows that it downloads an additional component from the following locations:


This second component has a VT detection rate of just 3/55. The Anubis report shows an attempted phone home to 80.94.160.129 (National Academy of Sciences of Belarus) and 92.222.46.165 (OVH, France).

Recommended blocklist:



Tuesday, 2 September 2014

Something evil on 95.163.121.188 (Sweet Orange EK)

95.163.121.188 is currently hosting the Sweet Orange Exploit Kit (hat tip). The IP is allocated to Digital Networks CJSC (aka DINETHOSTING) that has featured on this blog many times before.

Currently I can see the following domains active on this IP address (the ones highlighted in the original post are flagged as malicious by Google).


The domains appear to be legitimate ones that have been hijacked in some way.

95.163.121.188 forms part of a large netblock, 95.163.64.0/18. I have had half of this (95.163.64.0/19) blocked for several years, which has stopped a great deal of badness, so I recommend that you block either the /19 or the /18 and/or the following domains:


Friday, 29 August 2014

IRMGF (Inspiration Mining Corporation) pump-and-dump spam

Here's another pump-and-dump spam pushing a stock that as far as I can see is utterly worthless.

From:     WallStreetOTC Daily
Date:     29 August 2014 13:36
Subject:     This company is about to go ten fold.

WallStreetOTC Daily

August 29, 2014

Billlions in proven reserves just found

Dear Investor,

Every once in a while a ridiculous deal presents itself. IRMGF (or inspiration miniing corporation) is a junior miining company that has properties in Ontario, Utah and Chile and has just found massive reserves of nickel, copper platinum and other rare metals. Walstreet is about to start buying up shares in IRMGF this very quickly as it is so cheap right now trading at just under 10cents. I expect to see this hit a dollar next week. Move quickly.

To end your WallStreetOTC Daily e-mail subscription and associated external offers sent from WallStreetOTC Daily, click here to unsubscribe.

If you are you having trouble receiving your WallStreetOTC Daily subscription, you can ensure its arrival in your mailbox by whitelisting Laissez Faire Today.

(c) 2014 WallStreetOTC Daily, LLC.  Reproduction, copying, or redistribution (electronic or otherwise, including on the World Wide Web), in whole or in part, is encouraged provided the attribution WallStreetOTC Daily Faire Books is preserved. 808 Saint Paul Street, Baltimore MD 21202. Nothing in this e-mail should be considered personalized

IRMGF trades on the Toronto Stock Exchange; it appears to have no income or cash assets but does have land holdings in Ontario. In May 2007 the share price was up to $6.82; today it is around one-hundredth of that at $0.073 a share, according to this data. There are around 75 million shares and options, which gives the firm a nominal market cap of $5.5m.

Trading levels are normally close to zero, but in late May and early June around 5.5 million shares were bought at about $0.15, since when the price halved.

Sometimes there is a pattern of share purchases just before the pump-and-dump operation, but that does not seem to be the case here.. so whoever is promoting this illegal spam run most likely already holds stock in the company.

Don't be tempted to buy stock in this company.. somebody is probably trying to cash out and is using this illegal method to try to maximise their returns. Normally when the P&D spam finishes, the stock price collapses leaving people daft enough to invest out of pocket.

UPDATE:  there have been many more of these over the weekend..

From:     SuperStocksTIPS Daily
Date:     29 August 2014 19:14
Subject:     This company just struck gold. Cashin on the rush.

SuperStocksTIPS Daily


If you are reading this now you must act very quickly.



I.R.M.G.F (inspiration.miining.corp) is about to blow up. They have just found billiions worth of minerals on their properties and the stokc is about to soar to new highs. My analyst told me that we could see shares go up by as much as 15 times in a span of days. Move fast before bargainprices run out.



This message was delivered to [redacted]
Unique ID: 2c2864c18552de62f398a858f625a48810b2dee735055839

To unsubscribe, change your due date, or change your e-mail preferences, click here

SuperStocksTIPS
4 New York Plaza
4th Floor
New York, NY 10041

2014 SuperStocksTIPS Publications, Inc. All Rights Reserved.

====================

From:     WallSt Report
Date:     30 August 2014 11:33
Subject:     (IRMGF) has produced big gains this week!

Wall St Report

If you can get sharres in this company for less than 15cents you are very lucky. It is currently at slightly under 10cents but we expect that itll soar a lot today. I.R_M_G_F (inspiration miningg corporation) just found billlions in proven reserves, special, rare and precious mettals.

We expect to see shhares cross the 2dollar range next week. Act quickly before its too late.

1d467f58c8310949c647e38f59a4ef0f030139beb824c32a

The preceding is a paid message from a Wall St Report advertiser and does
not reflect the views of nor is in any way endorsed by Wall St Report.
We do not share personal information with any third party without your permission.

This email was requested by: [redacted]
Unsubscribe, Modify or Add Newsletters: Click here.

This e-mail was sent by: Wall St Report Publishing LLC
3400 Dundee Road
Northbrook, IL 60062
United States of America

(c) 2014. Wall St Report. All rights reserved



Privacy Policy. By using this site you agree to our Terms of Service.
To learn about our email partners' privacy policies, click here.

====================

From:     TheWallStreet Journal
Date:     30 August 2014 15:46
Subject:     Critical news information read now

TheWallStreet Journal     Aug 30, 2014



If this company doesnt at least triple im retiring



My prediction is coming true.

I told you I R M,G:F, inspraition miningg corp, was going to soar to new highs.

Since the company discovered 4billion worth of proven metal reserves it has become the target of Walstreet invesstors looking to cash in on the rush.

Analysts are predicting a rise to over 1dollar in the coming weeks from a current price of 11cents.

Be swift and grab sharres first thing tuesday morning.


This email was sent to [redacted]. You are receiving this newsletter because you opted-in to receive relevant communications from TheWallStreet Journal LLC. If you would like to manage your newsletter preferences, please click here.

 WSJ LLC | 16192 Coastal Highway Lewes, DE 19958

 68aff86579d632c6a7dcbc7c6a29786c4476728b2989ac49

Unsubscribe

====================

From:     The OTC Bulletin Board
Date:     31 August 2014 18:51
Subject:     Gains of over 55 percent! Momentum is strong!

The OTC Bulletin Board®
   
Sunday, August 31, 2014


Happy labor day week end.

As you know , inspiration miniing corporation, IR:M,GF is up over 55% for the week on massive news on metals discovery.

The company is now sitting on more than 3billion worth of preciousmetals reserves. Sharess are tradinng at 11cents right now and are expected to reach more than a dollar each next week.

Move fast to grab cheapshares on tuesday while you still can.

   

About This Email:
You are signed up for this OTCBB email as [redacted].

Manage My OTCBB Mail | Unsubscribe

OTCBB Privacy Policy
OTCBB Office of Privacy | 1201 Peachtree Street, NE | 400 Colony Square, Suite 2400 | Atlanta, GA 30361
© 2014 OTCBB, LLC. All rights reserved.

====================

From:     StockWatch
Date:     1 September 2014 06:39
Subject:     Ready? Last reminder
 

cars4cashuk.com scam and Cyber Cast International (CCIHosting), Panama [190.97.160.0/21]

I spotted this scam warning on the Autotrader website:
We have received reports of customers receiving a text message asking them to visit www.cars4cashuk.com to sell their cars quickly for cash. Customers are asked to pay a deposit in order to secure the sale of their vehicle. This website is not genuine and in no way affiliated with AutoTrader. We are currently working to have this website shut down.

For more information please contact our Customer Security team on 0330 303 9001.

The site is a crude attempt to extract money from unsuspecting people trying to trade their car, but it does feature the AutoTrader logo prominently.


If you're trying to sell your car then probably all you need to know is that it's a scam, and you probably don't need to read any further. But if you read my blog regularly then you might want to read on..

The site has no ownership information, but a check of the WHOIS details shows the following contacts:

Domain Name: CARS4CASHUK.COM
Registry Domain ID:
Registrar WHOIS Server: whois.1api.net
Registrar URL: http://www.1api.net
Updated Date: 2014-08-10T15:31:12Z
Creation Date: 2014-08-10T15:31:12Z
Registrar Registration Expiration Date: 2015-08-10T15:31:12Z
Registrar: 1API GmbH
Registrar IANA ID: 1387
Registrar Abuse Contact Email: abuse@1api.net
Registrar Abuse Contact Phone: +49.68416984x200
Reseller: www.sky-ip.com http://www.sky-ip.com/
Domain Status: ok - http://www.icann.org/epp#OK
Registry Registrant ID:
Registrant Name: José Castrellón
Registrant Organization: CyberCast
Registrant Street: Ricardo J. Alfaro, El Dorado
Registrant City: Panama
Registrant State/Province: Panama
Registrant Postal Code: 0819-06448
Registrant Country: PA
Registrant Phone: +507.3014841
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: domains@sky-ip.com
Registry Admin ID:
Admin Name: José Castrellón
Admin Organization: CyberCast
Admin Street: Ricardo J. Alfaro, El Dorado
Admin City: Panama
Admin State/Province: Panama
Admin Postal Code: 0819-06448
Admin Country: PA
Admin Phone: +507.3014841
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: domains@sky-ip.com
Registry Tech ID:
Tech Name: José Castrellón
Tech Organization: CyberCast
Tech Street: Ricardo J. Alfaro, El Dorado
Tech City: Panama
Tech State/Province: Panama
Tech Postal Code: 0819-06448
Tech Country: PA
Tech Phone: +507.3014841
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: domains@sky-ip.com
Name Server: ns1.cybercastco.com
Name Server: ns2.cybercastco.com


So who are José Castrellón and CyberCast (aka CyberCast International)? Are they the scammers? Well, no.. CyberCast (through their website at ccihosting.com) offer anonymous offshore hosting and domain registrations: the sort of thing that scammers love, although of course there are legitimate uses for such things. CyberCast presumably are not doing the actual scamming, but I'd suggest that they could be accused of some level of complicity.


So.. you can buy a domain and web hosting using an anonymous payment system like Bitcoin or Perfect Money and, it seems, more or less do what you like with it. Now, that's great if you are running a web site dedicated to overthrowing an oppressive regime (for example), but the bulk of the sites hosted by CyberCast are a lot less savoury, including phishing sites, sites selling DDoS services, counterfeit goods, trading in stolen credit card information, piracy sites, spam, cybersquatting, illegal or fake pharmacies, hacking sites and a little bit of porn as well.

There may well be some legitimate sites hosted by this company (I spotted some local Panamanian sites, for example), but the overwhelming majority of the CyberCast / CCIHosting address space is completely toxic, so I would strongly recommend that you block access to the 190.97.160.0/21 range from your network.

There is not a lot of reputation data for the sites in this /21, but I have compiled a list of sites, IPs, WOT ratings and Google and SURBL prognoses here [csv].

Wednesday, 27 August 2014

"Customer Statements" malware spam

This brief spam has a malicious PDF attachment:

From:     Accounts [hiqfrancistown910@gmail.com]
Date:     27 August 2014 09:51
Subject:     Customer Statements

Good morning,attached is your statement.
My regards.
W ELIAS

Attached is a file Customer Statements.PDF which has a VirusTotal detection rate of 6/55. Analysis is pending.

"Morupule Coal Mine" malware spam

This fake invoice spam claims to be from a (real) coal mine in Botswana. But in fact the PDF file attached to the message is malicious.

From:     Madikwe, Gladness [GMadikwe@mcm.co.uk]
Date:     27 August 2014 10:43
Subject:     Tax Invoice for Delivery Note 11155 dated 22.08.14

Hello ,   

Please find attached the invoice for delivery note 11155 which was created on the 22 . 08. 14 after a system error to process this tax invoice.

Thank you      
Regards

Gladness B Madikwe
Sales & Marketing Clerk
Morupule Coal Mine
Private Bag 35
Palapye,Botswana
Tel:  +267 494 1204
Cell: +267 71373569
Fax:  +267 4920643


Debswana Diamond Company Email Disclaimer: The information contained in this e-mail is confidential and may be subject to legal privilege. If you are not the intended recipient, you must not use, copy, distribute or disclose the e-mail or any part of its contents or take any action in reliance on it. If you have received this e-mail in error, please e-mail the sender by replying to this message. All reasonable precautions have been taken to ensure no viruses are present in this e-mail and the sender cannot accept responsibility for loss or damage arising from the use of this e-mail or attachments.


Neither the Morupule Coal Mine nor the Debswana Diamond Company mentioned in the disclaimer has anything to do with this spam email; in fact it originates from a hacked machine in India.

The attachment has a VirusTotal detection rate of 5/54. My PDF-fu isn't good enough to tell you what this malware actually does, but you can definitely guarantee that it is malicious.

Tuesday, 26 August 2014

Vodafone MMS service malware spam

This fake Vodafone spam comes with a malicious attachment. There is no body text as such; the header reads:

From:     Vodafone MMS service [mms813562@vodafone.co.uk]
Date:     26 August 2014 12:00
Subject:     IMG Id 813562-PictQbmR TYPE--MMS

The version I had was mangled and the attachment was just called noname, which required a bit of work to turn into a ZIP file IMG Id 813562-PicYbgRr TYPE--MMS.zip, which in turn contains a malicious executable Picture Id 550125-PicSfdce TYPE-MMS.exe.

This .EXE file has a VirusTotal detection rate of 3/55. The malware then attempts to download additional components from the following locations:


This second component has a VirusTotal detection rate of 3/53. The CAMAS report for that component is here.

If you can block at your network perimeter by pattern, then the "/333" string might be a good one to look for. Otherwise I would recommend the following blocklist:


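As an added example (not the blog's own code), here is a small Python scanner that applies the advice in the post above, together with the IP and netblock blocking recommendations made elsewhere on this page, to squid-style proxy log lines: it flags requests whose URL path ends in "/333", destinations on the recommended IP blocklists, and upstream peers inside the netblocks the blog suggests blocking. The log lines and the *.example hostnames are constructed for the demonstration and are not real traffic.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators quoted from the posts on this page: the "/333" download path,
# IPs the blog recommends blocking, and the netblocks it suggests blocking
# wholesale (95.163.64.0/18, 190.97.160.0/21, 192.3.129.0/25, 198.23.159.0/24).
SUSPICIOUS_PATH_SUFFIX = "/333"
BLOCKED_HOSTS = {"80.94.160.129", "92.222.46.165", "94.23.247.202", "192.3.129.10"}
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "95.163.64.0/18", "190.97.160.0/21", "192.3.129.0/25", "198.23.159.0/24")]

# Squid native access.log layout:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+\S+\s+[^/\s]+/(?P<peer>\S+)\s+\S+")

# Constructed sample log (not real traffic). RFC 5737 addresses and
# *.example names stand in for ordinary destinations; the remaining
# addresses are the page's own indicators.
SAMPLE_LOG = """\
1409738400.101 312 10.0.0.15 TCP_MISS/200 15872 GET http://compromised.example/333 - HIER_DIRECT/203.0.113.7 application/octet-stream
1409738401.202 45 10.0.0.15 TCP_MISS/200 2310 GET http://www.example.com/gallery/333.png - HIER_DIRECT/198.51.100.9 image/png
1409738402.303 210 10.0.0.22 TCP_MISS/200 640 GET http://94.23.247.202/0708stat/SANDBOXA/0/51-SP2/0/ - HIER_DIRECT/94.23.247.202 text/html
1409738403.404 90 10.0.0.31 TCP_MISS/200 4400 GET http://innocent.example.net/index.html - HIER_DIRECT/198.23.159.53 text/html
1409738404.505 77 10.0.0.31 TCP_MISS/200 51200 GET http://192.3.129.10/MPF.pdf.zip - HIER_DIRECT/192.3.129.10 application/zip
1409738405.606 12 10.0.0.40 TCP_HIT/200 900 GET http://intranet.example.com/ - HIER_NONE/- text/html
"""


def classify(url, peer):
    """Return the list of reasons a request matches the page's indicators."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # "/333" at the end of the path, whatever the host: the download pattern
    # the post recommends looking for. "/333.png" or "/3330" do not match.
    if parts.path.endswith(SUSPICIOUS_PATH_SUFFIX):
        reasons.append("path-333")
    if host in BLOCKED_HOSTS:
        reasons.append("blocked-host")
    try:
        peer_ip = ipaddress.ip_address(peer)
    except ValueError:
        peer_ip = None  # HIER_NONE/- (cache hits) carries no upstream IP
    if peer_ip is not None and any(peer_ip in net for net in BLOCKED_NETS):
        reasons.append("blocked-net")
    return reasons


def scan_log(text):
    """Parse squid-style lines and return one hit per matching request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = classify(m.group("url"), m.group("peer"))
        if reasons:
            hits.append({"client": m.group("client"),
                         "url": m.group("url"),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["url"], ",".join(hit["reasons"]))
```
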
Tuesday, 12 August 2014

Aggressive scumbag spam 2014-08-12

More from this prolific spammer that I'm calling F3Y for the moment (because the fake email address in the WHOIS details always consists of a Female name plus 3 numbers and is hosted by Yahoo!).

The IP addresses belong to Global Layer BV in the US, who say that they have already terminated them.

IPs:
162.222.193.53
162.222.193.54
162.222.193.55
162.222.193.56
162.222.193.58

Domains:
improvewindowshutters.mobi
entirerussianbrides.mobi
med-enrollmentpick.mobi
starmiraclecure.mobi
mostasiandating.mobi

Example subjects:
Re: Timberlane - The World's Finest Handcrafted Shutters Catalog: 5825659
Hey, Ilsa, Sasha, Sonya and others want to say Hello
Re: Are you still eligible to change your Medicare Plan? Find out today. Notice #3850150
Fwd: 5 Diseases You Thought Couldn't Be Cured, Blog: 16602444
Hey, Meet Ming our top pick of the week. No. 15318724

Fake WHOIS details:
Registrant ID:657a6ba9372a5461
Registrant Name:Alisons Foley
Registrant Organization:n/a
Registrant Street1:6418 N Us Highway 41
Registrant City:Jacksonville
Registrant State/Province:FL
Registrant Postal Code:33572
Registrant Country:US
Registrant Phone:+1.8136490339
Registrant Email:alisonsfoleym634@yahoo.com

Monday, 11 August 2014

Aggressive scumbag spam 2014-08-11

These prolific scumbag spammers [1] [2] [3] [4] [5] [6] [7] [8] are back again.. this time pumping out masses of spam from two different IP ranges.

The first batch is Terratransit Ag/ Kodos in Belize. The web host has reported that they have terminated the spammers.

IPs:
31.220.40.40
31.220.40.41
31.220.40.42
31.220.40.43
31.220.40.46
31.220.40.49
31.220.40.51

Domains:
unitemedicarehelp.us
fineeuropeansbrides.us
foundmiraclecure.us
leadingcasualmeet.us
survivalbracelettry.us
preparedlanguage.us
greatfloorcoating.us

Sample subjects:
Re: Unhappy with your Plan? Notice #18093831
Hi, Ilsa, Sasha, Sonya and others want to say Hello
Re: 5 Diseases You Thought Couldn't Be Cured, See Article 4093078
Hi, Hook-up with sexy people looking for fun? Invite No. 11413790
Fwd: New Survival Bracelet Sample. Gift: 18003902
Hey, 1 Sneaky Linguistic Secret to Learning a Foreign Language. No. 12072666
Re: Garage Floor Coatings before Winter Rain and Snow

The second batch belongs to Nforce in the US. The spammers have been using this web host repeatedly, and since their abuse@ email address bounces I would suggest blocking the entire /24.

IPs:
46.166.178.34
46.166.178.35
46.166.178.37
46.166.178.38
46.166.178.41
46.166.178.42
46.166.178.43

Domains:
completelydroplbs.us
showmedicarehelp.us
seekeuropeansbrides.us
imiraclecure.us
behindpaleo.us
improvehomeshutters.us
asianbridesluv.us

Example subjects:
Hi, Foreskolin - Recently reviewed on The Dr. Oz Show. Order: 4735337
Re: Unhappy with your Plan? Notice #3414040
Hi, Ilsa, Sasha, Sonya and others want to say Hello
Re: 5 Diseases You Thought Couldn't Be Cured, See Article 4023242
Re: "Ancient" Nutrition Plan - Look and Feel Amazing. Video: 10558123
Fwd: Timberlane - The World's Finest Handcrafted Shutters Catalog: 2640878
Re: It's Communication Week. Ting and her friends want to say Hi No: 14630251

"Ministerio Publico federal 11 08 2014 07:35" spam / informativoministeriopublico.info

This Portuguese-language spam originates from a Brazilian IP address and has a somewhat convincing domain of informativoministeriopublico.info - but in fact it simply leads to a malicious attachment.

From:     [victim]
To:     [victim]
Date:     11 August 2014 14:33
Subject:     Ministerio Publico federal 11 08 2014 07:35



VISUALIZAR-PROCESSO-MPF
Scan Security Avast, NOD 100% Secure.

The link in the email goes to a bit.ly address that forwards to [donotclick]informativoministeriopublico.info/2014-20090717094507AAtpljuX&ei=sVblU7RHpd-wBKbhgZgG&ved=0CBsQvwUoAAqid=20090717094507AAtpljuX&ei=sVblU7RHpd-wBKbhgZgG&ved=0CBsQvwUoAA.html which has garnered a fair number of clicks according to the bit.ly statistics.

From there the victim goes to a download page (it tries to start automatically) which downloads MPF-747-53.2014.5.01.0466.pdf.zip which contains a malicious executable MPF-747-53.2014.5.01.0466.pdf.cpl which has a VirusTotal detection rate of 16/54.

This trojan downloads other components, although at the moment I am not sure what (you can guarantee it will be nothing good).

The malware site informativoministeriopublico.info has been created specifically for this purpose with anonymous registration details, and is hosted on 192.3.129.10 (ClearVPS / ColoCrossing, US). This IP address has been used for a number of other similar sites:

informativoministeriopublico.info
spc-cobrancas.net
ministeriopublico.net
serasaexperian.biz

The 192.3.129.0/25 range has some questionable sites in it, and you might want to block the whole lot as a precaution. You should definitely block 192.3.129.10 though. 

The originating IP is 200.219.245.194 (Alog-02 Solucoes De Tecnologia Em Informatica S.a., Brazil). The presence of a Brazilian IP address as the sender is interesting, because it does make the email look more legitimate if the headers are examined.


Friday, 8 August 2014

"Security concern on your AmericanExpress Account" spam

This fake AmEx spam appears to lead to a phishing site on multiple URLs:

From:     American Express [AmericanExpress@welcome.aexp.com]
Date:     24 July 2014 10:35
Subject:     Security concern on your AmericanExpress Account   

Dear Customer:

We are writing to you because we need to speak with you regarding a security concern on your account. Our records indicate that you recently used your American Express card on August 8, 2014.

For your security, new charges on the accounts listed above may be declined. If applicable, you should advise any Additional Card Member(s) on your account that their new charges may also be declined.

To secure your account , please click log on to : http://americanexpress.com

Your prompt response regarding this matter is appreciated.

Sincerely,

American Express Identity Protection Team   
   
Please do not reply to this e-mail. This customer service e-mail was sent to you by American Express. You may receive customer service e-mails even if you have unsubscribed from marketing e-mails from American Express.

Contact Customer Service | View our Privacy Statement | Opt Out

This email was sent to [redacted].

American Express Customer Service Department
P.O. Box 297817 | Ft. Lauderdale, FL 33329-7817

2014 American Express Company. All rights reserved.

In this case the link goes to a phishing site at anerican-fortress.com/americanexpress/ but there seem to be a bunch of them at the moment:

anerikan-regress.com/americanexpress/
american-progrecs.com/americanexpress/
anerican-fortress.com/americanexpress/
amerikan-sunfacess.com/americanexpress/

IPs in use are:
91.219.29.35 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
188.240.32.75 (SC CH-NET SRL, Romania)

I recommend blocking these IPs:
91.219.29.35
188.240.32.75

Aggressive scumbag spam 2014-08-08

More aggressive spam from the scumbag spammers I have been tracking for a few days [1] [2] [3] [4] [5] [6] [7].. this time spamming from ColoCrossing IPs. I daresay they will have another spam run starting soon from a completely new IP range.

IPs:
198.23.159.51
198.23.159.52
198.23.159.53
198.23.159.54
198.23.159.55
198.23.159.56

Domains:
clubbrides.com
extremeconcretecoating.com
propermedicare.com
anyonegetskinny.com
rarecure.com
denynervepain.com

Sample subjects:
Hey, Ilsa, Sasha, Sonya and others want to say Hello
Re: Garage Floor Coatings before Winter Rain and Snow
Unhappy with your Plan? Notice #12942715
Hey, Foreskolin - Recently reviewed on The Dr. Oz Show. Order: 11343923
Fwd: 5 Diseases You Thought Couldn't Be Cured, See Article 18871602
Hey, SUFFERING? New Neuropathy Curing Breakthrough Revealed

Fake WHOIS:
Registrant Name: JENNY DAVIES
Registrant Organization:
Registrant Street: 17260 HARBOUR POINTE DR
Registrant City: JACKSONVILLE
Registrant State/Province: FL
Registrant Postal Code: 33908
Registrant Country: US
Registrant Phone: +1.8888961959
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: jennydavies386@yahoo.com


I'm currently working on some leads as to which particular scumbags are behind this..

UPDATE 1:

The pattern continues, still on ColoCrossing..

IPs:
198.23.159.57
198.23.159.58
198.23.159.59

Domains:
factsautowarranty.com
textasianbrides.com
useharprefi.com

Sample subjects:
Re: Expiration Notice: Keep Your Auto Warranty. Notice#5527104
Fwd: It's Communication Week. Ting and her friends want to say Hi No: 9183446
Fwd: Save-Thousands on Your Home Loan. Rpt: 7977757

UPDATE 2:

ColoCrossing seem unresponsive to the problem; here is another batch from the same range.

IPs:
198.23.159.60
198.23.159.61
198.23.159.62

Domains:
yeswalkintubs.com
secretlocalsingles.com
epichomesiding.com

Example subjects:
Hi, Learn about the Versatility of a Walk in Bathtub Message: 24268321
Hey, Hook-up with sexy people looking for fun? Invite No. 9938717
Hey, New siding can increase the value of your home. Correspondence: 12613390

Given the volume of spam and lack of action from ColoCrossing, perhaps blocking 198.23.159.0/24 is the best bet.

"FW: Resume" spam has a malicious attachment

This terse spam is malicious:

Date:      Fri, 8 Aug 2014 05:57:02 +0700 [08/07/14 18:57:02 EDT]
From:      Janette Sheehan [Janette.Sheehan@linkedin.com]
Subject:      FW: Resume

Attached is my resume, let me know if its ok.

Thanks,
Janette Sheehan 

Attached is an archive Resume.zip which in turn contains a malicious executable Resume.scr. This has a VirusTotal detection rate of 24/54. The CAMAS report shows that the malware attempts to phone home to the following locations:

94.23.247.202/0708stat/SANDBOXA/0/51-SP2/0/
94.23.247.202/0708stat/SANDBOXA/1/0/0/
hngdecor.com/wp-content/uploads/2013/10/cw2800.zip
welfareofmankind.com/underconst/css/cw2800.zip

Recommended blocklist:
94.23.247.202
hngdecor.com
welfareofmankind.com

RBS "RE: Incident IM03393549" spam

This fake RBS spam has a malicious attachment:

Date:      Thu, 24 Jul 2014 09:33:37 GMT [07/24/14 05:33:37 EDT]
From:      Annie Wallace [Annie.Wallace@rbs.co.uk]
Subject:      RE: Incident IM03393549

Good Afternoon ,

Attached are more details regarding your account incident. Please extract the attached
content and check the details.

Please be advised we have raised this as a high priority incident and will endeavour to
resolve it as soon as possible. The incident reference for this is IM03393549.

We would let you know once this issue has been resolved, but with any further questions
or issues, please let me know.

Kind Regards,

Annie Wallace Level 2 Adviser | Customer Experience Team, IB Service & Operations 7th
Floor, 1 Hardman Boulevard | Manchester | M3 3AQ | Depot code: 049
Tel: 0845 300 4108 |Email: Annie.Wallace@rbs.co.uk The content of this e-mail is
CONFIDENTIAL unless stated otherwise

The attachment is IM03393549.zip containing a malicious executable IM008082014.scr which has a VirusTotal detection rate of 15/42. The CAMAS report shows that the malware connects to the following locations to download additional components:

94.23.247.202/n0808uk/SANDBOXA/0/51-SP2/0/
94.23.247.202/n0808uk/SANDBOXA/1/0/0/
quesoslaespecialdechia.com/Scripts/n0808uk.zip
energysavingproductsinfo.com/wp-content/uploads/2014/08/n0808uk.zip

The exact nature of the malware is not known, but it is most likely a banking Trojan or Cryptowall.

Recommended blocklist:
94.23.247.202
quesoslaespecialdechia.com
energysavingproductsinfo.com

Spammers probing with "How are you doing?" / poorname.us attack

The particularly aggressive spammers that I have covered recently [1] [2] [3] [4] [5] [6] launched another probing attack overnight, trying to collect email addresses by using an embedded image (the principles of the attack are described here).

The spam looks like this:

Received: from murch.greatsill.info (HELO find-your-perfect-bride-russians.us) (94.102.56.147)
  by [redacted] with SMTP; 8 Aug 2014 00:36:28 -0000
Date: Thu, 07 Aug 2014 17:34:22 -0700
Subject: How are you doing?
From: Stewart [stewart@find-your-perfect-bride-russians.us]
The body text is just HTML:

The originating IP is 94.102.56.147 (Ecatel, Netherlands). The spamvertised site is hosted on 143.95.32.129 (michael.asmallorange.com) although it is currently 403ing.

I don't know the origins of this spam, but it is being investigated.


Thursday, 7 August 2014

Aggressive scumbag spammers strike again

The very aggressive scumbag snowshoe spammers [1] [2] [3] [4] [5] strike again, this time burning through a bunch of email servers belonging to Serverel Corp in the Czech Republic:

IPs:
109.206.177.121
109.206.177.122
109.206.177.123
109.206.177.124
109.206.177.125
109.206.177.126

Spamvertised domains:
newfreecredit.com
here-medicaresignup.com
lean-slim-down.com
best-cheap-ins.com
oddmiracle.com
true-refihouse.com

Subjects:
RE: Your TransUnion Score may have recently changed.
Hey, Unhappy with your Plan? Notice #3550165
Re: Foreskolin - Recently featured on The Dr. Oz Show. Order: 22232150
Fwd: Your AutoInsurance-Policy can be lower. Notice #20768701
Fwd: 5 Diseases You Thought Couldn't Be Cured, See Article 24300322
Fwd: How much can you save by lowering our house payment?

Domain registration details:
Registrant Name: BENITA DUFFY
Registrant Organization: MARY KIMBREL
Registrant Street: 1031 WOODLEY RD
Registrant City: MONTGOMERY
Registrant State/Province: AL
Registrant Postal Code: 36106
Registrant Country: US
Registrant Phone: +1.3348343223
Registrant Phone Ext:
Registrant Fax: +1.5555555555
Registrant Fax Ext:
Registrant Email: benitaduffy918@yahoo.com


UPDATE 1:

More from the same spammer, same host but different IP range:

IPs:
109.206.177.151
109.206.177.152
109.206.177.153
109.206.177.154
109.206.177.155
109.206.177.156

Spamvertised domains:
foxy-russianbrides.com
fine-walkintubs.com
many-asianbrides.com
near-enroll-medicare.com
easy-vinylsiding.com
all-rent2own.com

Subjects:
Re: Ilsa, Sasha, Sonya and others want to say Hello
Hey, Learn about the Versatility of a Walk in Bathtub Message: 7541884
Fwd: It's Communication Week. Ting and her friends want to say Hi No: 13142142
Hey, Attention: Medicare Open Enrollment Begins Soon Notice: 12453216
Hey, Help your home keep its value Tip: 21978846
Hi, Stop paying rent! Pymts can go toward owning Notice: 11516529

UPDATE 2:

Yet more but from a different Serverel range..

IPs:
109.206.177.194
109.206.177.195
109.206.177.196

Domains:
woodsurface.com
true-harp-save.com
star-auto-ins.com

Example subjects:
Re: Garage Floor Coatings before Winter Rain and Snow
Fwd: Save Thousands on Your Home Loan. Rpt: 1400334
Re: Are you overpaying for your auto insurance? Msg ID.11929129

And now a batch from Nforce IPs that were seen yesterday, but these are different servers..

IPs:
109.201.148.82
109.201.148.90
109.201.148.178
109.201.148.179

Domains:
protect-home-surfaces01.mobi
instant-oninebackgrounds101.mobi
how-low-mortgage-go.mobi
right-plan-medicare101.mobi

Example subjects:
Garage Floor Coatings before Winter Rain and Snow
Fwd: Safety Notice: Can you trust your friends? Notice: 23746989
Fwd: Save Thousands on Your Home Loan. Rpt: 1455838

These domains have a new fake registrant:
Registrant ID: aab597ea681630c5
Registrant Name: Zoe Clemons
Registrant Organization: n/a
Registrant Street1: 21257 N Black Canyon Hwy
Registrant City: Phoenix
Registrant State/Province: AZ
Registrant Postal Code: 85027
Registrant Country: US
Registrant Phone: +1.6234347727
Registrant Email: zoeclemons906@yahoo.com

Vawtrak sites to block

I found these domains and IPs today while investigating a machine apparently infected with Vawtrak (aka Tepfer); most of them seem to be active:

http://80.243.184.239/posting.php
http://80.243.184.239/viewforum.php
http://146.185.233.97/posting.php
http://146.185.233.97/viewforum.php
http://ipubling.com/posting.php
http://ipubling.com/viewforum.php
http://magroxis.com/posting.php
http://magroxis.com/viewforum.php
http://maxigolon.com/viewforum.php
http://terekilpane.com/viewforum.php

Some of these domains are associated with the email address ctouma2@gmail.com.

You could block the sites individually, but because the sites are not isolated, I would personally recommend using the following blocklist:
146.185.233.0/24
80.243.184.224/27


The 146.185.233.0/24 range is allocated to "Cherepanova" in Russia. 80.243.184.224/27 is Redstation in the UK.
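As an added example (not the blog's own tooling) tying together the range-blocking advice above for the ColoCrossing senders and for the Vawtrak hosts: a small Python helper that sizes the smallest CIDR covering a set of observed IPs, checks that a recommended range really covers the listed hosts, and flags Postfix-style connection log lines against a combined IP/CIDR/domain blocklist. The IPs, ranges and domains are the ones listed in the posts above; the log lines are constructed for the demo and are not real traffic.

```python
"""Blocklist helpers: added example, not the blog's own tooling.

The addresses and domains come from the posts above; SAMPLE_LOG is
constructed (Postfix-like) input purely to exercise the matcher.
"""
import ipaddress
import re
from typing import Iterable


def covering_prefix(ips: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single CIDR that contains every address in `ips`.

    The bits on which the lowest and highest address agree form the prefix,
    so the six ColoCrossing hosts .57-.62 collapse to a /29, while widely
    scattered addresses produce a much larger (and riskier) range.
    """
    addrs = sorted(ipaddress.IPv4Address(ip) for ip in ips)
    lo, hi = int(addrs[0]), int(addrs[-1])
    prefix_len = 32 - (lo ^ hi).bit_length()  # leading bits shared by lo and hi
    return ipaddress.ip_network(f"{addrs[0]}/{prefix_len}", strict=False)


class Blocklist:
    """IP/CIDR plus domain blocklist with subdomain-aware domain matching."""

    def __init__(self, entries: Iterable[str]) -> None:
        self.networks = []
        self.domains = set()
        for entry in entries:
            entry = entry.strip().lower()
            try:
                # bare IPs become /32 networks; CIDRs are kept as given
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                self.domains.add(entry)  # not an IP or CIDR: treat as a domain

    def ip_blocked(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def domain_blocked(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        # getitnow.find-cars-here-4u.mobi is caught by find-cars-here-4u.mobi
        return any(host == d or host.endswith("." + d) for d in self.domains)


# Postfix-style client stamp: "connect from rdns.host[1.2.3.4]"
CLIENT_RE = re.compile(r"(?P<host>[\w.-]+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def flag_log_lines(lines: Iterable[str], bl: Blocklist) -> list:
    """Return (reason, line) for every line whose client IP or rDNS host is
    on the blocklist; lines without a client stamp are skipped."""
    hits = []
    for line in lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue
        if bl.ip_blocked(m["ip"]):
            hits.append((f"ip {m['ip']}", line))
        elif bl.domain_blocked(m["host"]):
            hits.append((f"domain {m['host']}", line))
    return hits


# Constructed log lines (not real traffic) mixing listed and unlisted senders.
SAMPLE_LOG = [
    "Aug  8 00:36:28 mx postfix/smtpd[1234]: connect from murch.greatsill.info[94.102.56.147]",
    "Aug  8 00:37:02 mx postfix/smtpd[1234]: connect from unknown[146.185.233.97]",
    "Aug  8 00:37:40 mx postfix/smtpd[1234]: connect from getitnow.find-cars-here-4u.mobi[203.0.113.5]",
    "Aug  8 00:38:11 mx postfix/smtpd[1234]: connect from mail.example.org[198.51.100.9]",
]

if __name__ == "__main__":
    colo = ["198.23.159.%d" % n for n in range(57, 63)]  # UPDATE 1 + UPDATE 2 above
    print("ColoCrossing hosts collapse to", covering_prefix(colo))
    bl = Blocklist(["146.185.233.0/24", "80.243.184.224/27", "94.23.247.202",
                    "hngdecor.com", "find-cars-here-4u.mobi"])
    # sanity check: the recommended Vawtrak ranges cover the hosts listed
    for host in ("80.243.184.239", "146.185.233.97"):
        print(host, "covered:", bl.ip_blocked(host))
    for reason, line in flag_log_lines(SAMPLE_LOG, bl):
        print(reason, "<-", line)
```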

CDS Group (cdsgroup.co.uk) fake invoice spam

This spam email pretends to be from the CDS Group. CDS are a wholly legitimate company and are NOT sending these emails, and their computer systems have NOT been compromised. However, the emails do contain a malicious attachment and should be deleted.

It is trivially easy to fake who an email is "From". That is what is happening in this case. CDS are an innocent victim of whoever is perpetrating this spam run. Please do not take your frustrations out on CDS. CDS have a notice about these emails on their site.

This is a sample email:

Date:      Thu, 07 Aug 2014 10:41:48 +0100 [05:41:48 EDT]
From:      Nancy Tyler CDS Group [accounts@cdsgroup.co.uk]
Subject:      CDS Invoice: 241-28195

CDS Group


Dear client,

Please find attached your invoice number 241-28195

If you have any queries with this invoice, please email us at accounts@cdsgroup.co.uk or call us on 020 8752 8040



The CDS Group of Companies, Passenger Car Services Same Day UK Couriers TV Support Units Overnight & International



Tel: 020 8752 8040
Email: accounts@cdsgroup.co.uk



Please consider the environment before printing this email.

This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.

If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person. This e-mail or any attachments are for information purpose only and does not form any part of an agreement, contract or fact.

The contents of an attachment to this e-mail may contain software viruses, which could damage your own computer system. Whilst The CDS Group has taken every reasonable precaution to minimise the risk, we do not accept liability for any damage, which you sustain as a result of software viruses. You should carry out your own virus checks before opening any attachment to this e-mail.

This email has been scanned by iomartcloud.
http://www.iomartcloud.com

Attached is an archive file CDS_241-28195.zip which contains a folder invoice_cdsgroup_799543.xls which in turn contains a malicious executable invoice_cdsgroup_799543.xls.scr which has a very low detection rate at VirusTotal of 3/54.

Automated analysis tools are inconclusive at the moment [1] [2] but I will add more details if I find them.

Wednesday, 6 August 2014

Companies House "Case 4620571" spam

This fake Companies House spam has a malicious attachment:

Date:      Wed, 6 Aug 2014 19:45:59 +0700 [08:45:59 EDT]
From:      Companies House [WebFiling@companieshouse.gov.uk]
Subject:      RE: Case 4620571

The submission number is: 4620571

For more details please check attached file.

Please quote this number in any communications with Companies House.

All Web Filed documents are available to view / download for 10 days after their
original submission. However it is not possible to view copies of accounts that
were downloaded as templates.

Companies House Executive Agency may use information it holds to prevent
and detect fraud. We may also share such information, for the same purpose,
with other Organizations that handle public funds.

If you have any queries please contact the Companies House Contact Centre
on +44 (0)303 1234 500 or email enquiries@companies-house.gov.uK

Note: This email was sent from a notification-only email address which cannot
accept incoming email. Please do not reply directly to this message.

Companies House
4 Abbey Orchard Street
Westminster
London
SW1P 2HT
Tel +44 (0)303 1234 500

Attached is a file Case_4620571.zip which in turn contains a malicious executable Case_4620571.scr which has a VirusTotal detection rate of 11/53. Automated analysis tools [1] [2] show that the malware reaches out to the following locations which are good candidates for blocking:

64.191.43.150
94.23.247.202
feelgoodframesstore.com
beeprana.com
upscalebeauty.com

.us and .me scumbag spammers are now .mobi scumbag spammers

That didn't take long: these scumbag spammers I've been tracking over the past couple of days have a new set of mail servers and domains for pumping out their useless affiliate crap.

Sending IPs:
69.39.238.200
69.39.238.201
69.39.238.202
69.39.238.203
69.39.238.204

These IPs belong to GigeNET in the US.

Spamvertised domains:
getitnow.find-cars-here-4u.mobi
trynow.safty-first-walkin-tubs.mobi
startnow.get-medicare-for-less4u.mobi
lower-your-payments-wHARP.mobi
safe.cure-most-diseases01.mobi

Sample emails:
From:     Best_AutoPrice [carsalesevent101@find-cars-here-4u.mobi]
Date:     6 August 2014 15:27
Subject:     Hi, Summer Price Reduction on All New Vehicles. Notice: 14359709

Local Auto Notice:  14359709
*****************************************

US Car and Truck Dealer are Liquidating Auto Inventories

Shopping for a new or used car?

Now is the time to take advantage of Summer Discounted Automotive Prices:

Go Here To View what's in-stock near you: http://getitnow.find-cars-here-4u.mobi


Modify_your notification_preferences: http://stop.find-cars-here-4u.mobi
PO Box No. 6498
PELAYO_ 80
-28004--MADRID--MADRID

=========================================

From:     Walk.In.Bathtub.2855074 [bathtub.safety@safty-first-walkin-tubs.mobi]
Date:     6 August 2014 15:34
Subject:     Hi, Learn about the Versatility of a Walk in Bathtub Message: 21036031

Enjoy Safe, Comfortable-Bathing in your Home
---------------------------------------------------------
[redacted],

Whether you are looking for a Walk-in Tub for Safety or Therapeutic reasons for yourself or a loved-one, we can help.

We can help you find Professional, Affordable Service Contractors near you.

Find a safe and comfortable walk-in tub online Today:
http://trynow.safty-first-walkin-tubs.mobi


Message: 21036031


Modify_your advertising_preference  here; http://leave.safty-first-walkin-tubs.mobi
QuinStreet, Inc. 950 Tower Lane_ Foster City, CA 94404

=========================================

From:     enrollment-period.9138765 [future.enrollment.451@get-medicare-for-less4u.mobi]
Date:     6 August 2014 15:40
Subject:     Hi, Medicare Enrollment Begins Soon. Notice #24458838

Notice: 24458838
**********************************************************
Medicare Recipient:  [redacted]

Open Enrollment for 2015 Medicare Programs begins
October 15, 2014 to December 7, 2014.

You can only change your Medicare or Prescription Drug plan
during this Annual Election Period.

Find the best, most affordable Medicare plan.

**Aetna, Humana, BlueCross, AARP and more**


Don't Miss Your Chance to Change Plans.

Find the Best Plan & Save up to 40% Online: http://startnow.get-medicare-for-less4u.mobi


Opt-off this_request: http://exit.get-medicare-for-less4u.mobi
Dundrum Town Centre,Dundrum
Dublin 16, Ireland
PO Box_ No. 309

===============================================

From:     HARP-Qualify.4642746 [Andrea.Casey1254@lower-your-payments-wharp.mobi]
Date:     6 August 2014 15:46
Subject:     Re: HARP Program: Lower Rates May Be Available Rpt: 13849540

[redacted],

Are your home payments weighing you down?

This may be your last-chance to Re-mortgage. Lock in a low -rate today before rates rise.

Find out how you may be Eligible to lower your monthly-payment. No -registration or -login necessary.


Get competitive rates quotes from Top Lenders and Save --
http://save.lower-your-payments-wHARP.mobi


Andrea Casey
Harp Eligibility Team

Report: 13849540


If you would like to update settings please go here: http://halt.lower-your-payments-wHARP.mobi
8776 [East-Shea_Blvd. #B3A-462_Scottsdale, AZ 85260]

===============================================

From:     Ultimate_Cure.5798463 [your.miracle.cure@cure-most-diseases01.mobi]
Date:     6 August 2014 15:54
Subject:     Re: Doctor Jailed for CURING Cancer (see why), Article No. 5615302


Today, you have a 95% chance of eventually dying from a disease or condition for which there is already a known cure right at your fingertips.

Well-respected doctors have been attacked, threatened with losing their licenses and even JAILED for sharing the information you are about to discover...

If you or a your loved one is suffering from ANY, and we mean ANY illness, chronic or acute, especially if you've been told it is incurable, then this is the most important message you will hear today.


View This SHOCKING Health Alert in your Browser: http://safe.cure-most-diseases01.mobi
(they don't want you to know about this)


Article No. 5615302


Modify_your_preferences here- http://hold.cure-most-diseases01.mobi
PO Box: #678
Calle Arturo Rodriguez- 17--23410 Sabiote
Jaén, Spain

Sample click paths:

WHOIS details for the domains are fake:

Registrant ID: bdb01b76634ea4b7
Registrant Name: Kiera Gladdish
Registrant Street1: 2123 Edison Rd
Registrant City: South Bend
Registrant State/Province: IN
Registrant Postal Code: 46637
Registrant Country: US
Registrant Phone: +1.5742720312
Registrant Email: kieragladdishr946@yahoo.com


.us scumbag spammers are now .me scumbag spammers

This active scumbag spamming crew [1] [2] [3] have switched to .me domains instead of .us domains. Maybe they got too much heat.. anyway, here they are with a new set of mail servers and domains but a similar pile of affiliate networks as before.

Sending IPs:
79.142.65.6
79.142.65.7
79.142.65.8
79.142.65.10
79.142.65.12
79.142.65.15

All these IPs are on ALTUSHOST B.V. in the Netherlands.

Spamvertised domains:
getitnow.affordable-auto-ins10.me
orderhere.food-storage-freshness10.me
signup.lower-personal-credit10.me
starttoday.life-coverage-for-you10.me
actnow.reduce-mortgage-cost10.me
check.unwanted-timeshares-sold.me

Sample emails:

From:     Lower-Auto-Coverage.11013628 [Auto-Insurance-Discount@affordable-auto-ins10.me]
Date:     6 August 2014 14:28
Subject:     Re: Notice: Hey, Pay as little as $9/week on car insurance

Announcement:  You may be Required to carry Auto Insurance
-------------------------------------------------------------------------------------

[redacted],

You are NOT Required to Over-Pay!

Premiums as low as $9

Compare quotes from Top Carriers and see how much you can SAVE.

 Find Me Auto Insurance as low as $9/week:  http://getitnow.affordable-auto-ins10.me

Notice No: 11013628


Modify_announcement_preferences here:  http://disallow.affordable-auto-ins10.me???
Cheaper Auto Coverage-PO Box 425768 Cambridge MA02142-9998

========================================

From:     ASOTV_MrLid.20092754 [organized.mr.lid@food-storage-freshness10.me]
Date:     6 August 2014 14:15
Subject:     Hi, The only food storage container of its kind ID: 23965159


Are you loosing your Mind? Loosing your Lids.



========================================

From:     Go-Triple_Score.22560108 [score.report.476@lower-personal-credit10.me]
Date:     6 August 2014 14:08
Subject:     Fwd: Has Your Score Recently Changed? Update: 6055819

RE: Your TransUnion Score may have recently changed.
----------------------------------------------------.
Date:  August 2014 Score Update
----------------------------------------------------.
Update # 13518498
----------------------------------------------------.

Dear [redacted],

The reason that we are reaching out to you today is to make you aware that your score may have been changed based on a number of recent transactions.


Go here now to find out how your score was affected by these updates: http://signup.lower-personal-credit10.me

Your Score Generation Time: 47 Seconds


Regards,
Marcie D.
2014 Score Defender

Cancel_this email_notification: http://disallow.lower-personal-credit10.me
Suite 4753-24B  Moorefield Rd  Johnsonville--Wellington 6037 New Zealand

========================================

From:     AIG_Direct Inc.9292124 [aig.direct.2014@life-coverage-for-you10.me]
Date:     6 August 2014 14:01
Subject:     Re: Your $250K Term Life for Just $10.63 a month. Ref. No. 14329170


Call or Visit Today for $250K Term Life Under $11/mo


========================================


From:     Home_Savings Info.2550922 [lower.home.payment@reduce-mortgage-cost10.me]
Date:     6 August 2014 14:41
Subject:     Re: Homeowners Could be Missing out on Thousands in Savings

Notice for Homeowner:  [redacted]

President Has Waived Refi-Requirement

Homeowners who do this will save about 3,000 USD/year. The problem is 70% of homeowners don't even know how to take advantage of the savings. If you're a homeowner and you don't know, you have to read this. . .

Calculate My Lower House Payment:  http://actnow.reduce-mortgage-cost10.me

(To view this message in your browser, use the link above.)


Notice: 11105679

This is an advertisement. All trademarks, service marks, logos and/or domain names (including the names of products or retailers) are the property of their respective owners. The manufacturers, retailers or providers of the items offered may not have endorsed, approved of or otherwise sponsored this promotion. Restrictions apply. Void where prohibited by law. To manage your notification preferences, please visit here:  http://end.reduce-mortgage-cost10.me
Richardshaw Lane, Hanson Centre, GR
Leeds, LS28 6QP

==========================================

From:     Timeshare_Brokers.17819636 [linda.kesler93@unwanted-timeshares-sold.me]
Date:     6 August 2014 15:04
Subject:     Re: Timeshare Owners- Don't pay another Maintenance Fee. Bulletin: 14642854

TIMESHARE BULLETIN:  Timeshare Sales are heating up this Summer

July 2014

[redacted],

You may be eligible to sell your unwanted timeshare.

Eliminate monthly maintenance fees on a timeshare you no longer use.

Timeshare sales are on the rise in 2014;
non-US residents buying timeshares.

Don't miss the chance to dispose of your unwanted timeshare.

Let us Sell Your Timeshare Now:
http://check.unwanted-timeshares-sold.me

Thank you,
Emily D.
Time-share Advisor
No. 17819636

Click paths:

The WHOIS details on the domains are fake:

Registrant ID: 3537f036cb04904e
Registrant Name: Rose Cotterill
Registrant Organization: n/a
Registrant Address: 5300 Gateway Ctr
Registrant Address2:
Registrant Address3:
Registrant City: Troy
Registrant State/Province: MI
Registrant Country/Economy: US
Registrant Postal Code: 48507
Registrant Phone: +1.8102321772
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant E-mail: rosecotterillv296@yahoo.com


Tuesday, 5 August 2014

.us scumbag spammers, part 3

These are the same scumbags as found here and here. They are burning through hosting accounts at a fearsome rate. The latest two IPs are in the Worldstream address space:

217.23.14.153
217.23.14.13

Spamvertised domains:

reservenow.enroll-in-medicare-14.us
startnow.protect-your-surface01.us

Sample emails:

From:     enrollment_period.12352763
Date:     5 August 2014 17:32
Subject:     Hey, Medicare Enrollment Begins Soon. Notice #11262474

Notice:  Medicare Open Enrollment Starts Soon
**********************************************************

Medicare Recipient:  [redacted]

Open Enrollment for 2015 Medicare Programs begins October 15, 2014 to December 7, 2014.

You can only change your Medicare or Prescription Drug plan during this Annual Election Period.  .

Find the best, most affordable Medicare plan.

**Aetna, Humana, BlueCross, AARP and more**


Don't Miss Your Chance to Change Plans.  Find the Best Plan & Save up to 40% Online: http://reservenow.enroll-in-medicare-14.us

Notice: 11262474


======================================

From:     Protective.Coating.3879421
Date:     5 August 2014 17:14
Subject:     Re: Garage Floor Coatings before Winter Rain and Snow


-------- Start Notice #3879421 --------------

Surface Protect Plus Summer Savings

Attn: snowshoe2@dynamoo.com

Don't let rain and the coming snow ruin your deck and garage.

Summer is the time to protect your garage and wood floors.

Amazing deal for homeowners looking to preserve their deck and garage surfaces.

Go Here Now to Protect Your Floors for Years and Years: http://startnow.protect-your-surface01.us


--------------- End Notice ----------------

Manage_your_preferences: http://end.protect-your-surface01.us

PO Box: #19258
Falterstrasse., 12 97318--Kitzingen., Germany.

Click paths:

Some of these affiliate networks and sites have no contact details at all; all the others have been notified of the problem.

Recommended blocklist (for this spam run and the one earlier today):