This Facebook spam has undergone some sort of failure during construction, revealing some of the secrets of how these messages are constructed. It leads to malware on scriptuserreported.org:
Date: Thu, 21 Mar 2013 10:56:28 -0500
From: Facebook [update+oi=MKW63Z@facebookmail.com]
Subject: John Jenkins commented photo of you.
facebook
John Jenkins commented on {l5}.
reply to this email to comment on this photo.
see comment
this message was sent to {mailto_username}@{mailto_domain}. if you don't want to receive these emails from facebook in the future, please unsubscribe.
facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}
The malicious payload is at [donotclick]scriptuserreported.org/close/keys-importance-mention.php, hosted on 5.39.37.31. There are no surprises that this is OVH in France.. but wait a minute, because this is in a little suballocated block, thusly:
inetnum: 5.39.37.24 - 5.39.37.31
netname: n2p3DoHost
descr: DoHost n2 p3
country: FR
admin-c: OTC2-RIPE
tech-c: OTC2-RIPE
status: ASSIGNED PA
mnt-by: OVH-MNT
source: RIPE # Filtered
Let's start with the server at 5.39.37.31, which is distributing the Blackhole Exploit Kit (report here). This server also hosts the following potentially malicious domains:
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com
Go back a few IPs to 5.39.37.28 and there are a couple of work-at-home scam sites:
workhomeheres01.com
workhomeheres02.com
There's also a work-at-home scam on 5.39.37.24:
makeworkhome12.pl
5.39.37.26 appears to be hosting a control panel for the Neutrino Exploit Kit:
myadminspanels.info
supermyadminspanels.info
So you can pretty much assume that 5.39.37.24/29 is a sewer and you should block the lot. Who is n2p3DoHost? Well, I don't know.. but there's one more clue at 5.39.37.29, which is the domain rl-host.net. The WHOIS details for rl-host.net are anonymised, but on the day of registration were:
Queste Julien
Email: julien@queste.fr
50 rue Arthur lamendin
62330 isbergues
France
Tel: +33.649836105
Does M. Queste own this /29? If he does, then it looks like he has some very bad customers..
Minimum blocklist:
5.39.37.31
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com
Recommended blocklist:
5.39.37.24/29
makeworkhome12.pl
myadminspanels.info
supermyadminspanels.info
workhomeheres01.com
workhomeheres02.com
rl-host.net
pesteringpricelinecom.net
resolveconsolidate.net
scriptuserreported.org
provingmoa.com
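As an added example (not code from the original post), here is a small Python check that does two things the post suggests: it flags the unexpanded template tokens such as {digit} and {mailto_domain} that gave this spam away, and it tests a host or IP against the recommended blocklist above, treating the /29 as a network rather than a list of addresses. The sample body is constructed from the spam quoted at the top of the post.

```python
import ipaddress
import re

# Constructed sample: the body of the mis-rendered spam quoted above,
# with the unexpanded template tokens left exactly as they appeared.
SAMPLE_BODY = """John Jenkins commented on {l5}.
reply to this email to comment on this photo.
this message was sent to {mailto_username}@{mailto_domain}.
facebook, inc., attention: department 415, po box 1000{digit}, palo alto, ca 9{digit}3{digit}
"""

# Brace-delimited tokens such as {digit} or {mailto_domain}. A genuine
# notification never contains these, so any hit is a strong signal that a
# spam kit failed to fill in its template.
PLACEHOLDER_RE = re.compile(r"\{([a-z_][a-z0-9_]*)\}")

def unexpanded_placeholders(body: str) -> list[str]:
    """Distinct template tokens left in a message body, in order of first appearance."""
    seen = []
    for name in PLACEHOLDER_RE.findall(body):
        if name not in seen:
            seen.append(name)
    return seen

# Recommended blocklist from the post: the whole /29 plus the listed domains.
BLOCKED_NETWORKS = [ipaddress.ip_network("5.39.37.24/29")]
BLOCKED_DOMAINS = {
    "makeworkhome12.pl", "myadminspanels.info", "supermyadminspanels.info",
    "workhomeheres01.com", "workhomeheres02.com", "rl-host.net",
    "pesteringpricelinecom.net", "resolveconsolidate.net",
    "scriptuserreported.org", "provingmoa.com",
}

def is_blocked(host: str) -> bool:
    """True if host is an IP inside a blocked network or a blocked domain / subdomain of one."""
    host = host.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP: match the domain itself or any parent domain on the list.
        labels = host.split(".")
        return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))
    return any(addr in net for net in BLOCKED_NETWORKS)

if __name__ == "__main__":
    print(unexpanded_placeholders(SAMPLE_BODY))
    for h in ("5.39.37.31", "5.39.37.32", "scriptuserreported.org", "www.provingmoa.com"):
        print(h, is_blocked(h))
```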