Strange source
Fri, 21 Mar 2008 09:42:32 -080
http://www.spamcop.net/sc?id=z1736865796z7bc0393af76ecb0db9c6998e32b79d51z
I'm sure this is looking to pass out some malware.
In checking the routing details, there is a note from 2007 by bellsouth
mentioning a hijacked block.
What does that mean?

Looking at the whois info, I don't understand how bellsouth got involved
& the info looks kinda bogus, but who knows.
I don't think it's a good idea to paste it here...

Re: Strange source
Fri, 21 Mar 2008 11:13:41 -070
jg wrote:
> http://www.spamcop.net/sc?id=z1736865796z7bc0393af76ecb0db9c6998e32b79d51z
> I'm sure this is looking to pass out some malware.
> In checking the routing details, there is a note from 2007 by bellsouth
> mentioning a hijacked block.
> What does that mean?
> 
> Looking at the whois info, I don't understand how bellsouth got involved
> & the info looks kinda bogus, but who knows.
> I don't think it's a good idea to paste it here...
> 
> t

Re: Strange source
Fri, 21 Mar 2008 11:28:08 -070
jg wrote:
> http://www.spamcop.net/sc?id=z1736865796z7bc0393af76ecb0db9c6998e32b79d51z
> I'm sure this is looking to pass out some malware.
> In checking the routing details, there is a note from 2007 by bellsouth
> mentioning a hijacked block.
> What does that mean?
> 
> Looking at the whois info, I don't understand how bellsouth got involved
> & the info looks kinda bogus, but who knows.
> I don't think it's a good idea to paste it here...
> 
> t

It's also ask jeeves spam.

http://evolutionary.culvertsleepless.net/wcv.asp redirects to 
http://evolutionary.culvertsleepless.net/removewc/ which says it's Web Coast 
Ventures

http://a's.culvertsleepless.net/xeaster/f.asp would redirect to 
http://www.mailunsubscribe.com/optout.jsp?pid=MFC001 if you just removed the '

Domain Name: CULVERTSLEEPLESS.NET

Registrant [1003524]:
         Web Coast Ventures
         1005 Terminal Way
         Suite110
         Reno
         NV
         89502
         US

Registrant:
         Ask Jeeves, Inc.
         555 12th Street Suite 500
         Oakland, CA 94607
         United States
         dnsmanager@askjeeves.com
         1.51098574  Fax: 1.51098574

     Domain Name: MAILUNSUBSCRIBE.COM
Re: Strange source
Fri, 21 Mar 2008 11:30:54 -070
Scott Grayban wrote:
> jg wrote:
>> http://www.spamcop.net/sc?id=z1736865796z7bc0393af76ecb0db9c6998e32b79d51z
>>
>> I'm sure this is looking to pass out some malware.
>> In checking the routing details, there is a note from 2007 by bellsouth
>> mentioning a hijacked block.
>> What does that mean?
>>
>> Looking at the whois info, I don't understand how bellsouth got involved
>> & the info looks kinda bogus, but who knows.
>> I don't think it's a good idea to paste it here...
>>
>> t
> 
> It's also ask jeeves spam.
> 
> http://evolutionary.culvertsleepless.net/wcv.asp redirects to 
> http://evolutionary.culvertsleepless.net/removewc/ which says it's Web 
> Coast Ventures
> 
> http://a's.culvertsleepless.net/xeaster/f.asp would redirect to 
> http://www.mailunsubscribe.com/optout.jsp?pid=MFC001 if you just removed 
> the '
> 
> Domain Name: CULVERTSLEEPLESS.NET
> 
> Registrant [1003524]:
>         Web Coast Ventures
>         1005 Terminal Way
>         Suite110
>         Reno
>         NV
>         89502
>         US
> 
> Registrant:
>         Ask Jeeves, Inc.
>         555 12th Street Suite 500
>         Oakland, CA 94607
>         United States
>         dnsmanager@askjeeves.com
>         1.51098574  Fax: 1.51098574
> 
>     Domain Name: MAILUNSUBSCRIBE.COM
>     Registrar of Record: Corporate Domains, Inc.

Also see http://www.freshcoastventures.com/blog/2007/11/

You may or may not be a victim of excessive spam from a company by the name of 
Web Coast Ventures, LLC, but we’ve been getting plenty of phone calls asking 
us if we’re Web Coast Ventures, LLC.  You can reach Web Coast Ventures (not 
Fresh Coast Ventures) at…
	Web Coast Ventures, LLC
	sales@webcoastventures.com
	1005 Terminal Way
	Suite 110
	Reno, NV 89502
	US
Re: Strange source
Fri, 21 Mar 2008 11:31:14 -070
jg wrote:
> http://www.spamcop.net/sc?id=z1736865796z7bc0393af76ecb0db9c6998e32b79d51z
> I'm sure this is looking to pass out some malware.

I'm not finding any.  The spamvertised links are various
culvertsleepless.net which redirect to http://x.azjmp.com/1BwKd?sub=
which redirects to myfuncards.smileycentral.com which looks like a real
greeting card place.  Maybe if there is some kind of browser recognition
trick I'm not finding the real payload.

> In checking the routing details, there is a note from 2007 by
> bellsouth mentioning a hijacked block.
> What does that mean?

The arin info sez

OrgName:    Lever Industries
NetRange:   148.51.0.0 - 148.51.255.255
RAbuseEmail:  ee@uncanny.net

but our routing deputy sez to devnull that

Reports routes for 148.51.192.243:
routeid:31037153 148.51.0.0 - 148.51.255.255
to:lever@devnull.spamcop.net
Administrator interested in all reports

> Looking at the whois info, I don't understand how bellsouth got
> involved & the info looks kinda bogus, but who knows.

I tho't you said in an earlier post that you have an understanding of
who the bellsouth routing deputy is and I don't know why you would call
her info bogus.

> I don't think its a good idea to paste it here...

Presumably Ellen might be in communication with someone minding that /16
block who is saying they don't have anything to do with something.  The
date of the routing entry was 2007 Oct.


-- 
Mike Easter
kibitzer, not SC admin