jwSpamSpy Recent spam domains Spam domain blacklist
Links joewein.de joewein.net Contact |
|
|
Spammers take revenge – "Joe jobs" against joewein.de
We don't send spam, we fight spam. Obviously this does't make us very popular with spammers whose websites get listed on our spam domain list. As a result, one or more spammers have done a total of four "Joe jobs" on us so far. That is, a spam run with a message using a fake sender address and or content "advertising" the "Joe job" victim, making it look like an innocent person was the originator of the mail. The intention is to cause trouble for that person (more info about "Joe Jobs" here).
The most recent batch went out on 2005-07-23 and (as of 2005-07-28) seems to be continuing. The spam was sent using a bulk email software called DMS ("Direct Mail Sender"), written by Alexey Panov who ranks in the top ten of the Spamhaus ROKSO list.
Here is an example of this spam:
From: "Stagger I. Unhooked" <autoconf@kyokofukada.net>Below are some message headers from spam forwarded to us, which list the infected hosts from which the spam was sent.
To: x <x>
Subject: Hi dear
Date: Sat, 23 Jul 2005 14:27:05 -0500
Hi
Try jwSpamSpy, our spam filter for POP3 mailboxes.
We use it to track spammers and scammers.
Free full featured 30 day evaluation version available!
https://joewein.de/
You can see that some are addressed to address a1aaa1azzzz1zaaaaa@domain, an address that is unlikely to exist on those mailservers. These mails will be delivered to the "catch all" account on the server, if enabled. This is normally read by the administrator of the host. It is as if the spammer was specifically trying to get administrators upset about our website, maybe because he thought they would know how to contact the abuse handling department of our webhoster. Normal users, if they send any complaints at all, tend to either write directly to a contact address listed the advertised website or they tend to complain to the abuse department for the sender address (which is fake in this case). Therefore I think the spammer was trying to get our website suspended. The more likely outcome however is that the spam gang will lose many of the DMS proxies via which the spam was sent, as the admins report the DMS proxies to the abuse departments in charge of the abused hosts.
A number of other anti-spam sites or personal sites of anti-spam activists were targetted by Joe jobs during the last couple of months. These include:
c51449b22.cable.wanadoo.nl (Netherlands):
Received: from crewstart.com (c51449b22.cable.wanadoo.nl [81.68.155.34]) by hostname (8.9.3-A/8.9.3) with SMTP id VAA08519.37078 for <emailaddress> sent by <greenwood@evafan.com>; Sun, 24 Jul 2005 21:13:14 -0500 (CDT) X-Authentication-Warning: hostname: Host c51449b22.cable.wanadoo.nl [81.68.155.34] claimed to be crewstart.com Received: from evafan.com (evafan.com [216.152.252.58]) by crewstart.com (Postfix) with ESMTP id 817C6687AA for <emailaddress>; Sat, 23 Jul 2005 23:16:23 -0500 From: "Crucifixes U. Ampler" Lt;greenwood@evafan.com> To: Username <emailaddress> Subject: Hi dear Date: Sat, 23 Jul 2005 23:16:23 -0500 Message-ID: <001001c59006$2931d486$fa5b060c@evafan.com> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2605 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123 X-Virus-Scanned: by Ameriserv.net Anti-Virus E-Gateway
200-171-190-136.dsl.telesp.net.br (São Paulo, Brasil):
Received: from 200-171-190-136.dsl.telesp.net.br ([200.171.190.136])
by mail.powerviewsystems.com (Merak 8.2.2) with SMTP id KME38518
for ; Sun, 24 Jul 2005 20:49:43 -0400
Received: from nctta.org (nctta-org.mr.outblaze.com [205.158.62.181])
by 200-171-190-136.dsl.telesp.net.br (Postfix) with ESMTP id 6F69EB2B0E
for ; Sun, 24 Jul 2005 09:49:56 -0500
From: "Scottish K. Underplayed" <dls@nctta.org>
To: Username <emailaddress>
Subject: Hi dear
Date: Sun, 24 Jul 2005 09:49:56 -0500
Message-ID: <110101c5905e$cddbd5ca$b4654ef5@nctta.org>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1082
X-AntiVirus: checked by AntiVir MailGate (version: 2.0.1.10;
AVE: 6.20.0.1; VDF: 6.20.0.46; host: 200-171-190-136.dsl.telesp.net.br)
222.96.121.165: (KORNET, South Korea)
Return-Path: <tanghus@mail.com> Received: from futbolamericano.com ([222.96.121.165]) by mailserver4.nebula.fi (8.12.10/8.12.10) with SMTP id j6P5Id5T023332 for <a1aaa1azzzz1zaaaaa@domain>; Mon, 25 Jul 2005 08:18:42 +0300 Received: from mail.com (mail-com-bk.mr.outblaze.com [64.71.166.194]) by futbolamericano.com (Postfix) with ESMTP id 2C32445668 for <a1aaa1azzzz1zaaaaa@domain>; Sun, 24 Jul 2005 19:21:40 -0500 From: "Ransomed I. Jason" <tanghus@mail.com> To: A <a1aaa1azzzz1zaaaaa@domain> Subject: Hi dear Date: Sun, 24 Jul 2005 19:21:40 -0500 Message-ID: <101101c590ae$3fe02c44$fb6e1c3c@mail.com> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123 X-Virus-Scanned: Norton
cpc2-ruth1-5-0-cust111.renf.cable.ntl.com:
Return-Path: <fliptop@guanajuato.com> Received: from cpc2-ruth1-5-0-cust111.renf.cable.ntl.com ([80.5.137.111] verified) by X (CommuniGate Pro SMTP 4.3.5) with SMTP id 8636265 for X; Sun, 24 Jul 2005 02:15:58 +0200 Received: from guanajuato.com (guanajuato-com-bk.mr.outblaze.com [64.62.181.94]) by cpc2-ruth1-5-0-cust111.renf.cable.ntl.com (Postfix) with ESMTP id 0B142AA183 for <X>; Sat, 23 Jul 2005 14:18:49 -0500 From: "Preteen V. Slathering" <fliptop@guanajuato.com> To: X <X> Subject: Hi dear Date: Sat, 23 Jul 2005 14:18:49 -0500 Message-ID: <101101c58fbb$98272312$1adaa87e@guanajuato.com> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2605 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123 X-RAV-Antivirus: This e-mail has been scanned for viruses on host: cpc2-ruth1-5-0-cust111.renf.cable.ntl.com X-Antivirus: AVG for E-mail 7.0.338 [267.9.4]
ip-sv.66.249.195.124.telefonica-ca.net:
Return-path: <amck@google.com> Envelope-to: emailaddress Delivery-date: Mon, 25 Jul 2005 01:44:43 +0100 Received: from [66.249.195.124] (helo=ip-sv.66.249.195.124.telefonica-ca.net) by emailhost with smtp (Exim 4.24) id 1Dwr5G-000C1h-Vq for emailaddress; Mon, 25 Jul 2005 01:44:43 +0100 Received: from google.com (smtp3.google.com [216.239.57.26]) by ip-sv.66.249.195.124.telefonica-ca.net (Postfix) with ESMTP id 8F46B44695 for <emailaddress>; Sat, 23 Jul 2005 21:48:26 -0500 From: "Rebuff I. Naturalists" <amck@google.com> To: Freespirit <emailaddress> Subject: Hi dear Date: Sat, 23 Jul 2005 21:48:26 -0500 Message-ID: <101101c58ffa$1c0211ef$463fe251@google.com> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.3416 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000 X-RAV-Antivirus: This e-mail has been scanned for viruses on host: ip-sv.66.249.195.124.telefonica-ca.net
68-112-75-197.dhcp.jcsn.tn.charter.com (USA):
Received: from 68-112-75-197.dhcp.jcsn.tn.charter.com (HELO 68-112-75-197.dhcp.jcsn.tn.charter.com) [68.112.75.197] by mx0.gmx.net (mx057) with SMTP; 25 Jul 2005 02:45:18 +0200 Received: from prodigy.com (prodigy.com [207.115.61.104]) by 68-112-75-197.dhcp.jcsn.tn.charter.com (Postfix) with ESMTP id 6814B3F431 for xxxxx@gmx.xx; Sat, 23 Jul 2005 21:49:01 -0500 From: "Carcinomata C. Villainous" rdkeys@prodigy.com To: xxxxx@gmx.xx Subject: Hi dear Date: Sat, 23 Jul 2005 21:49:01 -0500 Message-ID: <010001c58ffa$29dbf7ff$c89abb55@prodigy.com> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000 X-RAV-Antivirus: This e-mail has been scanned for viruses on host: 68-112-75-197.dhcp.jcsn.tn.charter.com
j28107.upc-j.chello.nl (j28107.upc-j.chello.nl:
X-Envelope-From: <msingh@queretaro.com> X-Envelope-To: <a1aaa1azzzz1zaaaaa@domain> X-Delivery-Time: 1122490519 Received: from j28107.upc-j.chello.nl (j28107.upc-j.chello.nl [24.132.28.107]) by mailin.webmailer.de (8.13.1/8.13.1) with SMTP id j6RItFSk026883 for <a1aaa1azzzz1zaaaaa@domain>; Wed, 27 Jul 2005 20:55:18 +0200 (MEST) Received: from queretaro.com (queretaro-com.mr.outblaze.com [205.158.62.181]) by j28107.upc-j.chello.nl (Postfix) with ESMTP id 0BF3DCF2F9 for <a1aaa1azzzz1zaaaaa@domain>; Wed, 27 Jul 2005 08:58:01 -0500 From: "Bleakly P. Newsstands" <msingh@queretaro.com> To: A <a1aaa1azzzz1zaaaaa@domain> Subject: Hi dear Date: Wed, 27 Jul 2005 08:58:01 -0500 Message-ID: <100101c592b3$912f5799$3971bd76@queretaro.com> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081 X-Virus-Scanned: by Ameriserv.net Anti-Virus E-Gateway Hi Try jwSpamSpy, our spam filter for POP3 mailboxes. We use it to track spammers and scammers. Free full featured 30 day evaluation version available! https://joewein.de/
static61.17.27-203.vsnl.eth.net (India):
Received: from [61.17.27.203] (helo=static61.17.27-203.vsnl.eth.net) by mailhost with smtp (Exim 4.52) id 1Dy52u-0006c3-Hg for a1aaa1azzzz1zaaaaa@domain; Thu, 28 Jul 2005 11:51:22 +0200 Received: from norika-fujiwara.com (norika-fujiwara-com-bk.mr.outblaze.com [208.36.123.75]) by static61.17.27-203.vsnl.eth.net (Postfix) with ESMTP id 25950A25A4 for <a1aaa1azzzz1zaaaaa@domain>; Wed, 27 Jul 2005 23:54:06 -0500 From: "Smiths D. Authorship" <tug@norika-fujiwara.com> To: A <a1aaa1azzzz1zaaaaa@domain> Subject: Hi dear Date: Wed, 27 Jul 2005 23:54:06 -0500 Message-ID: <110001c59330$2a9feddb$f088b5b5@norika-fujiwara.com> MIME-Version: 1.0 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2605 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006 X-Virus-Scanned: Symantec AntiVirus Scan Engine
Joe job on 2004-02-27
The previous joe job went out on 27 February 2004. It was sent to more than 15,000 email addresses, as we received more than 3000 bounces and more than 12,000 people opened the email, acording to the traffic statistics from our website logs.
Previous emails were sent by (as yet) unknown person(s) to thousands of recipients on 16 December 2003 at 07:55 UTC, trying to make us look like spammers. Another batch, with a different message body and a different sender was sent on 19 December 2003. Both a provider in Argentina and in Hong Kong were used for the first spam. The second batch was sent via Comcast, a provider in the USA. This last mail used as a fake sender address the mail abuse handler of the company that hosts our website. Therefore all error messages for undeliverable spam ended up going to our web hoster. If I really was a spammer I'd have to be pretty stupid to dump all spam bounces onto my own webhoster...
The bulk mailer employed in all these spams is quite rare - in fact, we only have five
previous specimens of it in our 100,000-odd item spam archive, all five sent in November
or December of 2003. We suspect that the sender of the "Joe job"
and the sender of one or more of these these spam mails is the same person. If you have received any spams using this bulk emailer, send us a copy!
Version #4 (27-Feb-2004):
Version #3 (19-Dec-2003):
Version #2 (16-Dec-2003):
Version #1 (16-Dec-2003):
Return-Path: <joewein@pobox.com>
Received: (qmail 29016 invoked from network); 27 Feb 2004 02:34:39 -0000
Received: from dhcp0062.hse.resnet.group.upenn.edu (HELO 604-740-3744)
(165.123.166.142)
by ############### with SMTP; 27 Feb 2004 02:34:39 -0000
From: joewein@pobox.com
To: #####@########
Date: Thu, 26 Feb 2004 18:39:22 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/html; charset=UTF-8
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: HTML text
=3Chtml=3E
=3Cbody=3E
Kostspieliger Webhosting Kosten Sie unten erhalten=3F Habe ich erhielt=
einer L=C3=B6sung f=C3=BCr Sie freies Webhosting gerechtes email ich an
joewein=40pobox=2Ecom=2E Oder besuchen Sie meine Webseite an http=3A=2F=
=2Fwww=2Ejoewein=2Ede! Sie k=C3=B6nnen nicht von dieser verschickenden
Liste entfernt werden=2E Sie werden email von mir einmal t=C3=A4glich f=C3=
=BCr die folgenden 3 Monate wie pro unsere Vereinbarung erhalten=2E
Bester Respekt=2C Joe Wein
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fizu=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fshig1=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fyukiko1=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fsab1=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fgue2=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fgue1=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Furoma2=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fneuschwanstein=
=2Ejpg=22 border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Faftca2=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Frunning=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fjumbo=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fshin5=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fmax=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fmax6=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fmax7=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Ffritz=2Ejpg=22=
border=3D=220=22=3E=3C=2Fa=3E
=3C=2Fbody=3E
=3C=2Fhtml=3E
Return-Path: <abuse@schlund.de>
X-Flags: 0000
Delivered-To: GMX delivery to ####@gmx.net
Received: (qmail 767 invoked by uid 65534); 20 Dec 2003 09:11:13 -0000
Received: from c-24-9-163-244.client.comcast.net (EHLO shawmail-cg-shawcable-net)
(24.9.163.244)
by mx0.gmx.net (mx024-rz3) with SMTP; 20 Dec 2003 10:11:13 +0100
From: abuse@schlund.de
To: #####@gmx.net
Subject: Visit my Anti-spam site
Date: Fri, 19 Dec 2003 18:53:33 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/html; charset=UTF-8
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: HTML text
Message-ID: <20031220091114.826gmx1@mx024-rz3.gmx.net>
X-GMX-Antivirus: -1 (not scanned, may not use virus scanner)
X-GMX-Antispam: -2 (not scanned, spam filter disabled)
=3Chtml=3E
=3Chead=3E
=3Ctitle=3EUse my site=3C=2Ftitle=3E
=3C=2Fhead=3E
=3Cbody=3E
=3Cp=3E=3Cfont face=3D=22Microsoft Sans Serif=22=3E =3B =3B =
=3B How this list is compiled=3A
Every email sent to our mailboxes is analyzed by our spam filter software=
=2E It extracts and inspects the domain names in all mail sent to
us that meets a sufficient number of criteria that are typical for spam=2E=
We then perform whois-lookups =28see whois log=29 and Google
searches on these domains=2C as we seek to minimize the risk of missing=
legitimate mail from legitimate domains=2E
Updates
If you want to be automatically notified about additions to this list=2C=
send an e-mail to=3A
dbl-update-subscribe=40yahoogroups=2Ede
You can unsubscribe at any time=2E We won't share your address with anyone=
or use it for any other purpose=2E
Notice=3A
A listing here does not imply that we recommend anyone to block any mail=
involving these domains=2C only that we at joewein=2Ede chose
to filter all such mail=2E If you find the following list useful=2C please=
add a link to it on your website=2E Thanks!
Spam filtering software
We are currently developing a product to help prevent spam from reaching=
your email intray=3A
jwSpamSpy - email spam filter for POP3 mailboxes
Links=3A
Whois-Details of recently blacklisted domains
419-Scam Hall of Shame =28=22Nigerian Scam=22=29
=3C=2Ffont=3E
=3C=2Fp=3E
=3Cp=3E=3Cfont face=3D=22Microsoft Sans Serif=22=3EI have a great deal for=
you on all CK Tommy and all great designer clothing at bargain prices!
=3C=2Ffont=3E=3C=2Fp=3E
=3Cp=3E=3Cfont face=3D=22Microsoft Sans Serif=22=3EBest Regards=2C Joe=3C=
=2Ffont=3E=3C=2Fp=3E
=3Ca href=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=22 target=3D=22=5Fblank=22=
onmouseover=3D=22window=2Estatus=3D'http=3A=2F=2Fwww=2Ejoewein=2Ede'=
=3Breturn true=3B=22
onmouseout=3D=22window=2Estatus=3D' '=3Breturn true=3B=22=3E
=3Cimg src=3D=22http=3A=2F=2Fwww=2Ejoewein=2Ede=2Fimg=2Fweinfam=2Ejpg=22=
width=3D=22250=22 height=3D=22250=22 alt=3D=22http=3A=2F=2Fwww=2Ejoewein=
=2Ede=22 border=3D=220=22=3E=3C=2Fa=3E
=3C=2Fbody=3E
Received: from [218.253.48.203] (helo=shawmail-cg-shawcable-net)
by mx22.web.de with esmtp (WEB.DE 4.99 #566)
id 1AWHtM-0007Y4-00
for xxxxxxxx@web.de; Tue, 16 Dec 2003 17:17:49 +0100
From: postmaster@joewein.de
To: xxxxxxx@web.de
Subject: Visit our site
Date: Tue, 16 Dec 2003 05:42:53 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/plain;
charset=ISO-8859-1
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: Message text
Message-Id:
Received: from mta3-rme.xtra.co.nz ([210.86.15.143])
by mta205-rme.xtra.co.nz with ESMTP
id <20031216075509.IDBN7964.mta205-rme.xtra.co.nz@mta3-rme.xtra.co.nz>
for <#########@team.xtra.co.nz>;
Tue, 16 Dec 2003 20:55:09 +1300
Received: from shawmail-cg-shawcable-net ([200.63.144.121])
by mta3-rme.xtra.co.nz with ESMTP
id <20031216075507.CJWR4025.mta3-rme.xtra.co.nz@shawmail-cg-shawcable-net>
for <#########@team.xtra.co.nz>;
Tue, 16 Dec 2003 20:55:07 +1300
From: webmaster@joewein.de
To: #########@team.xtra.co.nz
Subject: Visit our site
Date: Mon, 15 Dec 2003 23:52:52 -0800
MIME-Version: 1.0 (produced by Synapse)
x-mailer: Synapse - Delphi & Kylix TCP/IP library by Lukas Gebauer
Content-type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
Content-Description: Message text
Message-Id: <20031216075507.CJWR4025.mta3-rme.xtra.co.nz@shawmail-cg-shawcable-net>
We are getting bigger and better visit our site today!
http=3A=2F=2Fwww=2Ejoewein=2Ede
% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2003-12-16 07:50:28 (BRST -02:00)
inetnum: 200.63.144/23
status: reallocated
owner: Telefonica de Argentina
ownerid: AR-TEAR7-LACNIC
responsible: Marcelo A. Muņoz
address: Defensa, 390, Piso 5
address: 1065 - Buenos Aires - CF
country: AR
phone: +54 11 4-3335509 []
owner-c: TEA
tech-c: TEA
created: 20030916
changed: 20030916
inetnum-up: 200.63.128/18
nic-hdl: TEA
person: TELEFONICA DE ARGENTINA
e-mail: tasamail@TELEFONICA.COM.AR
address: H. Yrigoyen 1556 - 8th floor, 1556,
address: 1089 - Capital Federal - BA
country: AR
phone: +54 11 4332-2364 []
created: 20030618
changed: 20030915
% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.
inetnum: 218.252.0.0 - 218.255.255.255 netname: HKCABLE-HK descr: HK Cable TV Ltd descr: Cable Multi-Media Services country: HK admin-c: AD23-AP tech-c: AD23-AP mnt-by: APNIC-HM mnt-lower: MAINT-HK-ICABLE remarks: include previous allocations changed: hm-changed@apnic.net 20030922 status: ALLOCATED PORTABLE source: APNIC person: administrator dns address: 12/F., Cable TV Tower, address: 9 Hoi Shing Road, address: Tsuen Wan, address: N.T., address: HK country: HK phone: +852-2112-7516 fax-no: +852-2112-7977 e-mail: dnsadmin@cms.hkcable.com nic-hdl: AD23-AP mnt-by: MAINT-HK-ICABLE changed: dnsadmin@cms.hkcable.com 20000811 source: APNIC
OrgName: University of Pennsylvania
OrgID: UNIVER-8
Address: 3401 Walnut Street
Address: Suite 221A
City: Philadelphia
StateProv: PA
PostalCode: 19104-6228
Country: US
NetRange: 165.123.0.0 - 165.123.255.255
CIDR: 165.123.0.0/16
NetName: UPENN-LANSUB
NetHandle: NET-165-123-0-0-1
Parent: NET-165-0-0-0-0
NetType: Direct Assignment
NameServer: NOC3.DCCS.UPENN.EDU
NameServer: NOC2.DCCS.UPENN.EDU
NameServer: DNS1.UDEL.EDU
NameServer: DNS2.UDEL.EDU
Comment:
RegDate: 1993-05-28
Updated: 2001-04-30
A Google search found the same IP address already listed for spamming on a Japanese website on February 26, 2004 i.e. the day before the Joe job against us was sent:
http://www.src.co.jp/spam/2004/02/GreyE20040226.txt
upenn.edu is listed there for spam from this address:
dhcp0062.hse.resnet.group.upenn.edu [165.123.166.142]
The most recent Joe Job tried to display 16 pictures from our website in order to drive up our web hosting bill. We responded by moving those pictures and replacing one of the images with a file that includes the following message:
Anti-Spam Resources:
Anti-spam domain blacklist – list of domains that I refuse to receive mail from
Recent additions to domain blacklist (with whois details)