InBoxRevenge KS Forum

This URL is very stupid, has an @ sign in it. I do know that people who are new to the internet often insert an @ when they are trying to say a domain name, they will often mix it up with an email address: [email protected]


URL in this spam: www [email protected]/Wsz4YDc6UG.html

Sender IP: X-SOURCE-IP: [82.71.204.27]

sample:
________________________________________
From: ВКонтакте.ру [[email protected]]
Sent: Saturday, February 05, 2011 8:40 AM
To: xxxxxxxx
Subject: life of viagra

boundary="----------A9A1442D26B7E"

------------A9A1442D26B7E

<p>
<a href="hxxp://[email protected]/Wsz4YDc6UG.html">natural herbs used as viagra</a></p>

------------A9A1442D26B7E--

Using @ in a URL is usually for logging in a site requiring authentication, in the form username:[email protected], and that's what FireFox tried to do in this case, too:


It's obviously a spammer mistake. wa-p.by.ru/Wsz4YDc6UG.html redirects to tabletshealthmedsplus.com, which is a Canadian Neighbor Pharmacy site.

Yea, that is right, a URL for FTP contains an @ as in ftp://user:[email protected]

I forgot to mention that specifically in my earlier post. Thanks, Nodus.

I still smile when I see this one.
tabletnastyspillsrx.at

OK, then, for more fun, you might use the service http://wheregoes.com/ to view the current destinations of the unsavory redirection URL

hXXp://www.ela.region-rabka.pl/go.friend.php

The destinations alternate with a short time interval.

By the way, I have a slightly redacted specimen of malware-generated email that promotes the tabletnastyspillsrx.at online pharmacy scam; I have a few simple questions about the authenticity of its message headers. It was transmitted through the Comcast network in the northeastern USA. Would anyone on InBoxRevenge be familiar with Comcast headers and be willing to take a look?

>www.ela.region-rabka.pl/go.friend.php - - (80.53.55.74)
redirects to sites

drugstorechain.at/index.php?product=11
medsrxtablets.at/index.php?product=19
pharmacydrugstorechains.at/index.php?product=14
tabletnastyspillsrx.at/index.php?product=13

Registered on NIC.AT by Russian registrants

The last 2 digits vary from 11 to 99

quick-slimer.ru

Somehow I suspect they have forgotten another 'm' from there...

idiotreturn.com (Greenline Pharmacy)

"So, you didn't get it the first time you were ripped off, did you..."

What dickhead ViaGrow spammer tries to sell penile enlargement meds on a domain name like burstdick.com ?

The same one who also uses the uninspiring domain minispenis.com I suppose.

talibandietpharm.be

What kind of images does that bring to your mind? Surely not those of any legitimate Canadian pharmacy (Canadian Health&Care Mall).

http://steve-gasque-this-site-serves-malware-courtesy-steve-gasque-8515woodhaven-bethesda-steve-is-pornhost-greenguy-steve-gasque-is-phoney-remax-agent-launders-money-via-mortgage-fraud.justupp.com

The one-day-wonder

Domain Name: JUSTUPP.COM
Registrar: CENTER OF UKRAINIAN INTERNET NAMES
CLIENT HOLD
Creation Date: 16-Oct-2011
Modification Date: 16-Oct-2011

Domain servers in listed order:
ns1.tenten10.ru
ns2.tenten10.ru
ns3.monday-thuesday.ro

Registrant:
Svetlana Poltavceva [email protected]
ul. Leninskaya 17 43
Yubileynyy, 141090
RUSSIAN FEDERATION
+7.4956548754

I've seen that before:
http://spamtrackers.eu/wiki/index.php/H ... #Targets_2

Domaintools reports:

Current Domains 3,450

Email Search:
Svetlana Poltavceva poltavtzeva.svetlana@yandex.ru
is associated with about 3,429 domains

Déjà vu alright!

That's certainly interesting though, at least to me.

Someone has a vendetta against GreenGuy, who is actually VERY well known on porn spamming forums - and porn industry forums, notably gfy.com.

I wasn't aware of the mortgage fraud angle. I might just go on a little hunt to see i that bears out.

What was the topic of the spam that featured this url?

Interesting.

SiL

I can't help you there, I just spotted it in a passive DNS listing and yes, it did catch my eye !