Spam Hunter

Viagra, penis enhancements, porn, mortgage rates, and much more are shoved into my inbox every day. I'm not trying to win the spam war. I just like to vent by choosing one email a day, tracing down the jerk who sent it and publishing any antics that ensue.

Sunday, April 02, 2006

The Fastest, Most Effective Weight Loss Suplement

VICTIMX-Account-Key: account3
X-UIDL: 1143992203.3896.VICTIM.com,S=13396
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <xxenfqoyjxzy@mamma.com>
Delivered-To: VICTIM@VICTIM.com
Received: (qmail 3880 invoked from network); 2 Apr 2006 15:36:41 -0000
Received: from unknown (HELO user-12hcp2b.cable.mindspring.com) (69.22.100.75)
by VICTIM.com with SMTP; Sun, 02 Apr 2006 11:36:41 -0400
FCC: mailbox://xxenfqoyjxzy@mamma.com/Sent
X-Identity-Key: Id4
Date: Mon, 03 Apr 2006 05:32:33 -0300
From: Leona Jordan <xxenfqoyjxzy@mamma.com>
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: VICTIM@VICTIM.com
Subject: re[2]:
Content-Type: multipart/related;
boundary="------------000005070406060507080002"

This is a multi-part message in MIME format.
--------------000005070406060507080002
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head> <body bgcolor="#FFFFFF" text="#A90930"> <p> <a href="http://dwam039.cutecactuus.com"><IMG SRC="cid:part1.00040701.00020201@mquosulu@moebelheinrich.de" border="0" ALT=""></a></p><p><font color="#FFFFFC">Paul stretched out and laid hold of the jamb in a death grip. in 1823 in 1838 They keep records.</font></p><p><font color="#FFFFF9">Ramage found now, following Geoffrey through the gates and into a thin mist that turned the leaning grave markers into islands, that what should have redeemed with nobility only made it seem all the more horrid. Shinny? Of course. He pushed himself up and tottered erect on his right foot. Then I helped you into your chair so you could write. He wrote undisturbed for the next four hours†ó until the points on all three of the pencils she had sharpened for him were written flat†ó and then he rolled himself back to the bed, got in, and went easily off to sleep. She turned considerately away while he fumbled his penis into the cold tube and urinated. I agree with you</font></p></body></html>

--------------000005070406060507080002
Content-Type: image/gif;
name="plume.GIF"
Content-Transfer-Encoding: base64
Content-ID: <part1.00040701.00020201@mquosulu@moebelheinrich.de>
Content-Disposition: inline;
filename = "plume.GIF"

R0lGODlhgwItAfLGAAYHAICAgP8AAAAA/////wAAAAAAAAAAACH5BAQAAAAALAAAAAByAiUBAAP/SLrc/
jDKSau9OOvNu/9gKI5kaZ5oqq5s675wLM90bd94ru987//AoHBILBqPyKRyyWw6n9CodEqtWq/YrHbL
7Xq/4LB4TC6bz+i0es1uu9/wuHxOr9vv+Lx+z+/7/4CBgoOEhYaHiImKi4yNjo+QdgKTkUiTlwIKmJSN
l5GeeJuimASbJ6OmVKIRqzCorZqclKCcKKC2o7GpC7kVtxS7IL03qDTBT7+nmby1pcvOzybJzVOkENYz
ydDMz7vUJdrS39us0cDjEuEe6jK37C3vSfHC0b+18x3T5lLYDv0x4e4JdLePiTZ26MAl5ICPhT4bDYtE
ZFiv2cAUD+mRWHgu/+A/jb7GXWQw0QJHhyLRnQwxb6UuHAcLviiZI6VMjAlpXtDZcQRPXTZdmnTZktrP
a0JxffPoIl7EoyJiQkxa0ybAnFQxQH3wkWJWksegfUVK9KS+mxu6Xt33cayGd2q5uvU5V6klj2iV3fQU
FuhKWmxh+c30Cuy/V4KHkmO22PBhU4XLdTOHWHDiwYi5iSXIGV/MpQUT413FF1tkyR0f97sMNJ3Ri8dK
f/YXe1Znsmc3c4O1NQPC04xfTgDcAPDIkcUnK48lnGJjZ88Xc2befLhAuZRBa95O7izy4NSjY0/+Wu72
2svsAX/Kcbrw43vbmiZV2XZlw8nP1w8LPzN3/P+uYDVQReRZVxuABP0X3ksJirdTetc9l1uDDtLGWm5g
FSghhKENmN+CFf5nX4YfcqdeRcqlqKBraE0YIYXYzQagWLvV2JqI2amoG43gNTffdyuu8FuOCjolS3YI
RrghkQ0edeRk1X02X5DjgVhdYxhqJ96JJC6ZGmMwXulelECO2RNZFk4pXV6boajhkhySt5yY33FJ55wm
ptSOgG/ex6KVGnblXS7ysemafmR22FdDYd7pGKEL4TUjdJjFNeOIVvqJpUVlAvknmmlK+daPfYIWZ6kp
DmOnj/55eSWgQvJ56VdF/fgakZJxamg5mtVpFXpDsYnhq1QSm6WbXoVH3Jv/oCZapKeoNYsfellZM6yM
Mq6Z16raGoiqeWtFm+euzMp5Z6fCWjsXbHhuOWC7n8brrLQWVolosSERtpxV8q56rVBD2kstue/duqJx
9bK6ra6zLoyru3vG97BO6nBr47AG6kswbY/iqKi5IU5Kr8Uil/sqsPmstmh7Bm86McCylltoh1X+G9ip
DePrcs7ydstxuCN76JtKDFNacI4yMewkisje2LF+uzLlqI1pilsytSl7h1vPbcoMLb3Qzexm0SUm+XJg
BzdtKbe3We1zVRIzq7K3Ai97NHVzK33kqHK33CuydtvbJcY84q1ewUHO3OWXjuU6eHluu8cy2l7qXbLR
/+Pq6OrmLhM4b6Kebx54NjGfaymxbaqLs2W9INw16mXv/G137zqcMOeVPtoZ2ZenTrCkuarctODa1vqz
z667fjucvPFu8aBs8+67yLsPH+vA9glv5MqyAVf4brUz3XjwUGImZ/VIs3gfpNiHmr75vb+uFc0Zh19p
9t0b53CrqYNvP27cw9/0zgc9poVvPwZMFf6e9LBKfKAuDpSH9+iwvQj2AYIWlMitNnaGCmZQDxj8YBCA
J4nJiTAUHDzhEUhYBw+qcA4hfKEPpHYHF8rwhji8XuxaaMIc+vCHCmGNHIahuxQC8YhITKISl8jEJjrx
iVCMohSnSMUqWvGKWMyiFv+3yMUuevGLYAyjGMdIxjKa8YxoTKMa18jGNrrxjXCMoxznSMc62vGOeMyj
Hve4xgAQwI9/DIAgAckCQmoAkIb0QCIP+QFB8vGRQ/AjIhmwyB5MMgSVxEAmLbBJSHoSB5JUQCIJOUhK
OlKUgdTkH1PJSUdK0pClvMArTUnKU65ykJ1sQCxj+cle/mCUqAwmKUV5yVYWkwKIvOQwWynMBYRSmMec
wDJz6ctqzgCYq2ymNrNZgWdyE5nBzOYyu+nMcGJznODcpjXXeYNz4pKYuyynLNEpTXPC05bpFOc7A3lK
ekpgmiwAAAAaIFCCDpQABc1AQh+wUIQ2FAkPXUBEOTD/UYUetKIW/QBGYUWxBMZwB6rpCwzO6YBF+jMC
3qSmPAHKSHVys5gqtec3UfDQml70oBjA6EIFulEhVLSnFwAqBRIq1KHilKJHXR78glVEI44wGMWwASzl
Kc6VRvOfL5WlTE8KAZbekpgyJadLT9BQnh6VqEmtQFGLCoSfphWpIEBrCNgKAYzKp0cZW5wVlPdRTO7T
mfjk5Sy1ytUHuJKqvBTrS2152MXOs7Ak2ClPJYrTgk6WAWatrFkZetPLYlazlPWsQylbV9E6VLSSJW1o
R8tZ025WAZmFLWhDW9abyla1DnjtbV2rW9kOdKKliZ1ZbKPXoPbWsmmN7W2Xe9ra/56WV+DpazuRuFPW
WjezklWucg3q24imtrme/a5BdYvd2V5Xs9v97Hax213bMre8qpUrc9UbXva2N7u95QVeIZeOHmXPAvBt
73hf+90Ag9euj/veEmKaweqK97Lyfe9bJRwBudbXvdb9LGkvTOHlQti7ZzVvhM873wLPFsQafi5rOfzh
Ce8XSQ9qqlHR69vcZpfEHFZxUQ/ITgkgd7chxi135zvkDHN3xCs2r5B/nOIHY9jInC3xk8Vb5AgzebxR
9nBSrwxl4cJYMf7liE2JTGQLPznJQhaX9Hq8Yds6V8rkdTGVj3xmKyf3rWMmsZZTbGMCT/jNGbYvmoFc
WtSeuP+8vw3yofSaFJZNIM8TRbSbO2vfORPveGzWsJn5jN/6VljJdC4zhlFs4yE7Wcqt9XNpOY3eOFNY
p67WMnwBjRQvz886j97yme/74SQH2NImw/QL/srJcJ5glFMttlYp2VWUqjKgv20zq1FNZtxuVNVNBnWg
E21qEU/5ztkOt7W/Hd8QA7XXe85ytRn95ZDg2se6rva1gd1hsIFrpMxeNoMZCdl8Knam+TbsDwwd73Sr
uMv1TnWNF47WO3f24Oj2tI5JPfGHb5vhNDZ4c9U9aF9ruuHvTvCtw5yXHEca0Dk2uF2TZr0WJJufiIX5
YOFZzlDiE6XJtLljATvNm5eUqjD/NydjWRn0r+7bAwSvMqXjfPI0Y5m2F87vfaHeaSenl9etxi+vsV5u
9X461uddr6CbqsBnVLQwUUW4gd2aXoKD/eyqIuKwBb5NZSrTqmAFuC6zysq78z2sdH+53/WJyp4bWwVJ
n3Z3t41nbRdZwF5nu655y204d3mztbUpjbVu4sf3WdGM13yX15MMuMf9F7A29NfzTF/Qm35gNfirVwcP
07B2kqVe/TnQsbrJq9Y+3/0eA135MHyfmsDFifg97q0aT8CXdJ/Kf/7NE2tYb95T6P1k/u/VIHVCdJ8J
yKdoI5I9+7of/u+3X+lW937+9sd8/XwfZvnXYFpD1L8J4d9A//4FQX71a3P+49R7exd9VUV0f0d3/+d3
2Vd4eRd8mfaAIEBsiQV9KcVz76d3h/dMAQhL1ld0zQZ8GghYBUh42weBJniCKJiCKriCLNiCLviCUlB8
+pd/TQcDMvh1uWZcGnCDAAZ6SsEvarV/FnV/MNgDPJhTNNh4MXCEA5aDPbiDQghXTrcRrCNSnhdXY0cE
uHR09XRs7sd+XEgCJgUGTBhZSmiDUWhUQbgCZQhvfCYOoaMkbjgCKaeFAReBKLBvV4Vv7LeEiTZ5KAda
lBd68GZZ47ZkqidtevZ5QTaIqQeIWQd5KgduQCZn5pZ5gJhqkwaJH+dikMNfWIaJ3kZbov92BNhUdBM4
dBLYdxxYgiNIfTJHdLDogalYczRHi/3kc2QlaGvnbWL3i0TYi4c4dR1mZ5pYdVknecgoYMK4iON2dc/o
Z0xXf9rFi9YIjaACilSXjKO2dH+WhtMFfLZofn2nS8lkfvREe7qXfenofwV4jvG3jru3iw9ncr4oaxj3
hhg3ivUmX6cGZYHoXi3GcVxmYhnXeUq3a/goiaNFa5bXcWG3buDzYn2Wj8NYkA5nimA4jgHnigEoj2P4
ivLIgBmoeyNoe+fnirv4cd02jBAJcnPYj4cmbqcmVP/okAsXk0hmjDXojOIGdRUZkz7pkj3lDe1GbaVG
aAfXWkjgTrv/xFjQt3sfeX1ftZH85HO1t4XSx3MLiFhRaZUYaIYs+ZM36XrfF4gX+Y0QJ4iW+HbkpokD
ZpCVxpbqRm8Nx15td5Zm2Xr8eCbaeHFUp4jgFZQaKY4fGJIzNZUAFZJ76I4deJgm6XwAp5LH14gF948v
eYlnKJNdd4yHqIxlqY+tt43l9mt0mZRDKWtz6XabuYjNiHDg8pcB6WqieIV2eIEVGI8lCX9DN5L+lJVS
6Zj/936MOY+VOZad6Zpv+XRviJkjBpPPeX9oqXHnhpHJiZobh5p2qZDMuVqPh5CceW+Gs0NvRmvdl4hN
SWyoGFi9aYBTmUonBVO62Fj6VEmpyIFA/ydYyHaLbAhy9piTBmmRZDaQC+lxE3ed55lxekag31l5a5mT
mdmT2wmhx+WgALmXEZlwPGM040CgN0aKgIkIYSgHvQiMEhd20wia3BiNVsd4hSZ2LAqaXCdhMOqd2ul4
KNpiUXdyxnhgmOk+HvWiOlqhmllw10kHI0qifxiXodiXz4WJheiiVFahyCmRmOekk/WI9OWMeWmbyrlq
QAmiYhqUVueg9OYXVROlnGeki+d5SAaDbSgDcZpRXDCnh2CnRSiaRYCnMwaOSvB9IgSoeYp0fpoDfJpr
hZoERHhCizoGmYSYX1hsSTqolCoGkBqWklqpmpoFitmehzVYE2iB/P9JfY+5qab6BB+5fPA5eOjIkZN6
qrAaSUbHm666m/LXh7Gaq1agczm3gLfqUsoHla+qq8S6A7yakvaUeyJ5h5harM56m+iXgLopnL/arM96
rb+Un56qc9DUkcIqqtaKreLaBMM6rubqBep5ruq6ruzaru76rvAar2aUrhugi3m3ngZYfeUqr/CaixHY
e7VUS/lqjvxasB3Ano10ezl3r9K0rwbbrgi7qlxJlRL7fBLrrxX7ThSIsQP7sOsasaXEsQIrcyY1S64E
jyGLsiN7siLose8KsiprjhiLlSYLqjHLii3rr/bqsuYKsw2InzNbshd7s0HLlTrrsDybpz6Lsz//27Rb
OapEC48Dy7JJ664iS7VQ6bTz+a1ae7NM64FVy64SOHPs+ZQMC6762bUMO7ZIG7anurNJMItu+7JtG3t1
O7eaCrdGQK+F0Kh4+7c+gI2AO7gt0FOCSriIS49tmaiJ27hQKHmOG7n9yaOHKrmSi42Ha7ma+7ggVrmb
67jQ6LefO7pBmF+ZS7qou2qDmLqsi4RLKbqtG7tPmnkcJ6euK7t5CpNL2aa5BW3V6bm4a0cMSnnUKLpl
ZVxJCKh8qpdZKpTBm0QeWpsKN6YGNmPMKbjUy7jV66PBqKNyZH1324UCKFalerDzlAgfGnWsJr3ci7xN
SKWEmZ1IWL1E2nhL//e9WRW+ztaFhCWGyoYI9khpXkehJpqGxCu/u/u6sNuEALq6T5eFbVSBAli2KGmx
8rmwA7iYAne1QAuutFSV8cSxc0C7dVhxmvl587ulu1u8ozm/lYVQNjqmq7W9c1S+5Zi/F4h3y2qfCqh3
M6ubXWmfDVhzKEsHSee9A0y8Gem+W2q6oseQpduWKFyRultHXAWAs2qS6ujD/leq70mO8YmSX/wGjqig
3nnADPyEKly85haYyCvFU8ykEEpHWomAvTpJ3NqHdtd8etxMQrxVfHzHgRdzY+wGSmxxSax5ipzCQMnG
D4y9hRaladzCCVzDxjmttujFXRyZxEmSfezJBP+4v6maw4bcuQx6xqJ4iXQKeY6MykvKxJEsx5MMvFd0
ih1ZwRioqieZs35sx+MYxJK5rFV5gG0gnUx3vcvIuz24iYg8x7NWXdaLg232wpKIbpbMrLYXWJd8ldjX
sszWm5oMyIvFtSN5i4WcBph7zANswuw8hFlawqwJnftnzLFmzfXbvcjXqAu8TvrLqIL7i9m7mpC8egLc
wIp8lwssae9cjcDIl9+opS/agv38QZDsxOmcojcojZBIucn4xqaJ0etMjEwpzbH8vHHgt1KHvWzMuDTq
cGwXv8tMz5PXnTE80iVt0yYdRqcbvPu5zS5XryLAqmm007Kbm8YqVZFaRkT/PbiC1bEkGbLDTMGFB7Af
nLP0icFguLON9ZQaO9WmFK5RtNR/a3i5HH89bNbtt8VnHdU/F8bwucmE944TTdG0LK+UqcuNKczY7I6t
6my5VK1nPX9bJNaA+5U+/JXKys3EnJJ8DMbzyZ99XMdrTZlWtM+EK9i3vMOf7NadbJiJycl/PMxwjdlZ
ZNlMPcTI+s20GtdubXfDicPI2tq5OdndmtNYtNXzCEzbh7CUzdvenIvAHXharYFZi9tCB9a2XbVIO9fJ
Tax8mwHP3dzSPd3UXd3Wfd1eNL7nS77PNqnMjd1ipN3/lk56iEngnUdy281gW9XpzdVcTcQ0F7Be7det
//jVotpz9X3eTFRYoazFX6iqZE3bXWmxmi2SgB3M+o1E45vYnS2+YDzatfqBBb7BHEnKCQ5Ez93fm/1P
zSfIQJys24zfA359+G20F55E/A1/vhyWAO7f7xjhK36pB+7ZJ47iZ+vZec3gta3WEA7KOPfgcg3bel3j
PkSfWpy1XdWe1UeCWG148r3Y8O3Bvq3Y90nkVn7lWJ7lWr7lXN7lXk7kee2F/rZse83JYxXUSf3ljhDm
JqBSYTii6acC363mcQDVUg21j+qV7onk9ZnkxwrZRk7EPJzfYZzedD5+qF1+nP3kuw3jWQ3kj83FfS3p
c37obxDK0XTFs4rZIeh+mP8ezHsY5+XL5pauCJ9uznx7rJxen/YarIE8yPpKS3gMmaXuQKeu2vX053rd
6ViFyaCe1NGX58hd64Rw6jMe48KZ2WU9rXed1l2c4sOOEzcDD0/yIO1ihQQkO1gofLQLm3rKAzxY1zFw
1VJOzsiu3nfY3kZ9n3+8tR383zceMUplFyGzoULkPjxyOmA6hUNwhNMokd++yiWwVmyqR5W+DqZC7UYU
MHxzI/peu+I+8CzNejNQuQRvTQeP8NOOEgtfOjHGHOmBOToY8EHg7wXvhzQlhBFvqtmCpjEiMRoDOn6T
P7oSH2ASXO5sZpTrhhod0XEMwQG90NaszIvciXxZiC7/rXTZhm0qPM1RXGqmrUfZQnpy5x/oozYLxCEr
c/PElfPemMoqemBxGc8i7dDeKPY5WqYY3dFCyo1Yevaht/ZIf88rP0b1MS4bqjCnMvPIYSc0tDcir8Y2
ap4PPfiEj4gAf/jNeY9cepBnSm3TGaIUH5BzvPiJzNIhvqv4lvFZExnHcjaBEhR4MiYk8yIQMoMN6nQ9
aWSW9qZWSomsr2iQtmvRye9TSGpTCmqtv5xXmPvmLeFTUOk2PEN+8vmzAzUypjCZc+8raflYt/qsh/tO
TNA1iviwidDVqHgELZo9qqG7j5S9r2Rl+N6AnN8yG61B955Nrn5T5anzDVZPztac/58soY8rNlP/F9P3
+p92IhC6bIoAAMTqv5gkalYbaZZXP75NHtR1zXaZYko6JwaK8sjK9RvjuWZHprrb/UKzoijAQCaXBKWy
yYROngGqBGm1RrHXbfL5ZWqr4rBUSjaq1+y2WwCXwQWMuchOwEv0+no8/9fH9wdI52dY6KY4A9GzgpIB
ZDT0GKQDcsNIVAmTI4nzeVmyWfQBlEl5yaO6murIucq62HW0pIXWxqUr43Rm63XWW1tGjFssPJusrNh3
6DyB1zyI+BxNmPiMrS14vbyo4hr6qjo6zhkqHivqE3IjHk46uXDKHlTeqQ4KWUp0L5tMpYqTNE0EBgRz
RSAaLv9f0jDsgixiFFrGKkosqNCXt40cte0hNA0ayG7TDFlDNAflSJXUTnacBW6fJUmu1uFL9a5dJJ03
d9Yj91NHOpwyY7nwMLOoUaWw1NX0dlEYwmEUdzEco/EqLaxUo279SvWl2FnNtqVMKfIsSbUuD6n9yBJu
2rNj3TRyCokEP3zr9GI6SkOTX6A97y4dDA9wjw8nEOdlHBivY76PBuN9KVUqsFtiLi6kOKXqZl5gLXYe
XTd1m7LS0M6gWwRtW7fVVsq9U1Y1v0z5ImuiTI+m4hHyhscErjhmcqWQBfczrnPeY1bNL6upbp2jQ62d
wWQ8wt0XGc6gv2NEJrqh5/EJb03/1Q0/vvz59Ovbv48/v/79/De+f68fgP0NSGCBBh6IYIIKLshgEf8N
aFCDEk5IoVgtXIhhhhpuyGGHHn64YYUijkhiiSaeiGKKKq7IYosuvghjjDLOSGONNt6IY4467shjjz7+
CGSQQg4JUITnEXSkgwGpN95BCTFJZJRSTknliwQ1+WRBWYI3kBlbfoell1WOSWaZZvKH5JddrpHRdrwM
tGaaZ85JZ512+vffkhixqZCb4GkZpnl3wpdOgoUWeGgyiSZKaDyDqijnkd4JOoUucLaJRaZaqvfoS8eN
yGhT8oWqyKI7xUdPpzFGeuWkkQKK6Zuwbsqpqt58KiKplqDq/+itve7VqDm2rsiqnpXm2ZCYYWApJ6XD
toFrhbr+o9q0bExrLbTPPdtisVtWOsN2a3LZnpLcfnNXBdhhVwlj61an7ql8NWcZR/RKF9wm8PL0Sr2V
8asPZNmee2CrtPpJK7hmFOukl68SvNhRF/7FbmOmGEYDYIYlli7Gvm7cAsUaW/aUJx6L7E8rIENMrJEG
IfmyuQvHnGzNULKsbWVCMIWBT5gQ1hgsNaXc0SjsyJud0TvLs2tTKRPdG85ST10qwCoLa4/VQm+bnclj
fUqUI7jyNk5O/RaVKtVqr71GtCxM/FtS/0Id72N+DSzqvEeHbPZwW1/HNTxYs0342m7v7f+vTYWt3O4Q
cA8VctySqzxx32ZT2xtvdP9aeOfcHo65OWAL/u9SgLcd+eCKo+PoxUxjnjbplHlOO8SgR/060GM/F9Tl
nvIbNrA7B1V264GjzXntyj97ez6fPKX55j2dk7xdPicN/PVdT3/68EGHvnz4tna8eMXbvz2Z0z6B7Lcy
qXMsMMk8C1Ux3BaPPLL4+o8vMVMn662+eO3qcNDBW8+YE518iUo4BwSccKTTQPDtb4IUrKAFL4jBDGpw
gxzsoAc/CMIQinCEJCyhCU+IwhSqcIUsbKELXwjDGMpwhjSsoQ1viMMc6nCHPOyhD38IxCAKcYhELKIR
j4jEJCpxiUz/bKITnwjFKEpxilSsohWviMUsanGLXOyiF78IxjCKcYxkLKMZz4jGNKpxjWxsI38GAMcJ
wHEAi5jjLOwYJTy2QY8t4iON/CgDQA5LkMubYxwDeUgGELIIi2RkIhPUyNREUo6PnGSDLLmiSGKyTptU
myE/KQI+drKTBCClfUzpjU2K8pElQmUrWYlIOkLMlbP8JCglQEtFwnINuYxPL/PzyzfuMkaaHKaqgmkr
Q1KyksZ0AymRKclmLgiawJRmH6VJzSFlc1CAVKYuZfnNWIITl7AkJB69OYNbLlOXoURnOm05zm/G853x
1KMf1RnOUsKTDe4kZz2ZKUtj4jOf/Vzm/zzPqUpbtjOggvRmMeepz4YqdKHsRKg1LTrOgRqUnuw06EGt
6UmJgnOVGd2nPynqSDpO1KP3jKM9TUpPfMIToiddZz7lSVKcNnKmKK1pOM250p9qlKf+hKkRZgrQiLZU
mQ9dqEyRSlE7SlWjUb2lUXXKyqmO9KrbtBNQbXpTqPo0ompAKkCNalKzplSdaj1qInOK1bcekqgxDepS
WQpRscaVpDA1K033+lK9+pWXZ52oX0sKysG69bB21atSMdrYvxIOk3Alqzx9+tC5VtayOAUrZzna08/G
cqyBxWxSCYtYz36WqmEt7GVJK9fTpnS0nVUqbLEpW8t207W1LahHdf9aVM/yNbW3FR9lT3tXgl60srvd
am5vStuxQrenzBXoc6Nr2n8iVrI7re5HGapdyc72tcrNKm6di13sunO9zWSvedFL3c22VrxrOy5xm+rb
0HL2sNLl73ilK1qwere5qk3vft9bYKfuMrkBtqiB61pamxK4rLF17GPly2DQAjjCAn6vYEFKNftK+Lys
VW1gPxxeuqZ3wrPNMF3la2AOQ3eSKmbwhFm81pUmF8ca9u+F3avf7mo3uixeKoqNO8zcOpjCWkVtfNsq
Wh+vuJztdSmC8QreBBdYxqsF6Yuv3GDNfpfJXx5ymMV7YqIqdroZnvKYp3vgFPcVxFPzrYyXnN3/LDP5
yfwEsyLaHOB1Arq319VvnEM7SnTamMp61rJtO2xmHhO5yn5us5ANzeVDOxrAtGsufMvLZ073N7Z9NnMd
/QxnBdN2x4XeMqmDK2o2vzq7q/bwYicdaUY7OdUbfu6gR/3mMwMbhO4l7nxh3WXuVvqsvd7urRG93BvD
FcbqZfZjNw1kWRs7ztt286ePjez/Jlulth42tlGdbOHqOtwUXHO692pi65r6xzCGMoSLGtQc4zqthf2r
vd2dWR0vu8wqFmeZn1zwaqsZ4Ki+tKu3G1mDP5W+ky34ZrmKbnPje9AJNziWnbngfs+6tjn2tJW7DWFf
exjI+U65pm/b5D1/qXzj5O72r7Xt7X6KdKBdfVTL343vGCc540OVN4gLml9xAxvdSWf3RoFO5mCnGuli
pvi1X67tRiud5EGHepQpjemQi32x63YjEXtu9rSzDO1qPxFj3w73uMt97nSvu93vjve8633vfO+73/8O
+MAL/qpt3yHbC494n9M58YxvvOMfD/nIS37ylK+85S+P+cxrfvOc77znPw/60It+9KQvvelPj/rUq570
CQAAIf5waHFnaHVtZWF5bG5sZmR4ZmlyY3ZzY3hnZ2J3a2ZucWR1eHdmbmZvenZzcnRranByZXBnZ3hy
dXRiZGpldnZqam9xcmJtYXF2anFrcXdoYXBhaHdleHRqZ3h3dGNrbGtkYW94ZnFrYXkAOz==

--------------000005070406060507080002--


The message was handed straight to my server by user-12hcp2b.cable.mindspring.com (69.22.100.75), a residential cable-modem host with no mail server of its own, which points to a compromised home PC in a botnet rather than a real sender. The rest of the headers back that up: the Date: header (Mon, 03 Apr 2006 05:32:33 -0300) is about 17 hours later than the time my server actually received the message, and FCC: and X-Identity-Key: are headers Thunderbird uses internally while composing and does not transmit, so the spamware is just mimicking a Mozilla client's header template.
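The header reading above, done as an added example in Python (not code from the original post): it parses a qmail-style Received: line, unfolds it, and compares the connecting host's name and the message's own Date: claim against what the receiving server stamped. The residential-name hints are a constructed heuristic, and the two sample header sets are the ones quoted on this page, retyped inline so the script runs offline.

```python
import re
from email.utils import parsedate_to_datetime

# qmail-style Received line, possibly folded over two lines:
#   Received: from unknown (HELO user-12hcp2b.cable.mindspring.com) (69.22.100.75)
#     by VICTIM.com with SMTP; Sun, 02 Apr 2006 11:36:41 -0400
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)]+)\)\s+"
    r"\((?P<ip>[0-9.]+)\)\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+);\s*(?P<date>.+)$"
)

# Constructed heuristic: substrings common in ISP-assigned names for home
# connections. A triage hint, not proof that a host is a bot.
RESIDENTIAL_HINTS = ("cable", "dsl", "dialup", "dyn", "ppp", "pool")


def parse_received(header: str) -> dict:
    """Split one Received: header into rdns, helo, ip, by, proto and a datetime."""
    m = RECEIVED_RE.match(" ".join(header.split()))   # unfold before matching
    if not m:
        raise ValueError("not a qmail-style 'from X (HELO Y) (ip) by Z' line")
    parts = m.groupdict()
    parts["received_at"] = parsedate_to_datetime(parts.pop("date").strip())
    return parts


def triage(received: str, date_header: str, mail_from: str) -> dict:
    """The flags a spam hunter checks first: who really connected, what it claimed, when."""
    r = parse_received(received)
    claimed = parsedate_to_datetime(date_header)
    helo = r["helo"].lower()
    from_domain = mail_from.rsplit("@", 1)[-1].lower()
    return {
        "ip": r["ip"],
        "helo": r["helo"],
        # qmail writes 'unknown' when it has no reverse name for the peer
        "no_rdns": r["rdns"] == "unknown",
        "residential_name": any(h in helo for h in RESIDENTIAL_HINTS),
        # a HELO that just repeats the From: domain is the classic forged-sender
        # pattern (the second spam on this page does exactly this)
        "helo_claims_sender_domain": helo == from_domain or helo.endswith("." + from_domain),
        # Date: minus the time the receiving MTA stamped; spamware often gets this wrong
        "date_skew_seconds": int((claimed - r["received_at"]).total_seconds()),
    }


# Constructed samples: the headers of the two spams quoted on this page.
SPAM1_RECEIVED = ("Received: from unknown (HELO user-12hcp2b.cable.mindspring.com) (69.22.100.75)\n"
                  "\tby VICTIM.com with SMTP; Sun, 02 Apr 2006 11:36:41 -0400")
SPAM1_DATE = "Mon, 03 Apr 2006 05:32:33 -0300"
SPAM1_FROM = "xxenfqoyjxzy@mamma.com"

SPAM2_RECEIVED = ("Received: from unknown (HELO aramark.com) (220.184.165.4)\n"
                  "\tby loop.myISP.com with SMTP; Fri, 10 Mar 2006 02:59:25 -0500")
SPAM2_DATE = "Fri, 10 Mar 2006 02:58:53 -0500"
SPAM2_FROM = "hasso@aramark.com"

if __name__ == "__main__":
    for rec, date, frm in ((SPAM1_RECEIVED, SPAM1_DATE, SPAM1_FROM),
                           (SPAM2_RECEIVED, SPAM2_DATE, SPAM2_FROM)):
        for key, value in triage(rec, date, frm).items():
            print(f"{key:28} {value}")
        print()
```

For the first spam it reports a clock skew of 60952 seconds (16h55m) and a cable-modem host name; for the second it flags a HELO that simply repeats the forged From: domain, with a Date: only 32 seconds off. no_rdns is true for both, which is why that field is a hint and not a verdict on its own.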

Another credit card harvester:
http://dwam039.cutecactuus.com/
This looks like a very cheap amateur job. There is no obfuscation of any kind, and the site doesn't even use SSL. They do check that the number you type matches the issuer's pattern for the selected card type (prefix and length, and probably the Luhn checksum as well), so they only collect numbers that could be real:
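What a check like that does, as an added example in Python (the harvester's own code is not visible, only its error text, so this is not its code): the issuer patterns below are the public prefix/length conventions of the time, written down here as an assumption, and the checksum is the standard Luhn algorithm. The test numbers in the usage note are the widely published payment-gateway test numbers, not real cards.

```python
import re

# Issuer prefix/length patterns (assumed from the public conventions of 2006).
CARD_PATTERNS = {
    "VISA": re.compile(r"^4\d{12}(?:\d{3})?$"),          # 13 or 16 digits, starts with 4
    "MasterCard": re.compile(r"^5[1-5]\d{14}$"),          # 16 digits, 51-55
    "American Express": re.compile(r"^3[47]\d{13}$"),     # 15 digits, 34 or 37
    "Discover": re.compile(r"^6011\d{12}$"),              # 16 digits, 6011
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit (subtract 9 if
    the result is two digits), add everything up; valid when the sum is a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_card(number: str, card_type: str) -> list:
    """Return the error strings a form like the harvester's would show; [] means it accepts."""
    digits = re.sub(r"[\s-]", "", number)       # tolerate spaces and dashes
    if not digits.isdigit():
        return ["Card number must contain digits only"]
    errors = []
    pattern = CARD_PATTERNS.get(card_type)
    if pattern is None:
        errors.append("Unknown card type: %s" % card_type)
    elif not pattern.match(digits):
        # the wording the harvester itself uses
        errors.append("Numbers does not match with %s pattern!" % card_type)
    if not luhn_ok(digits):
        errors.append("Checksum (Luhn) failed")
    return errors


if __name__ == "__main__":
    for number, kind in (("4111 1111 1111 1111", "VISA"),
                         ("4111111111111112", "VISA"),
                         ("5555555555554444", "VISA"),
                         ("378282246310005", "American Express")):
        print(number, kind, validate_card(number, kind) or "accepted")
```

Run against the test numbers, the VISA number is accepted, a one-digit typo fails the checksum, and a MasterCard number submitted as VISA produces the same "does not match with VISA pattern" complaint the harvester shows. Passing such a check says nothing about who runs the form; it only means the harvester stores fewer typos.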

"Please correct following errors and re-submit:
Numbers does not match with VISA pattern!
Please check your numbers and card type then try again."

The comment page even has an image verification (a CAPTCHA) on its form. OK, thanks.


#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

my $target = 'http://dwam039.cutecactuus.com/contactus.php?validate=img';
my $proxy  = 'http://127.0.0.1:3128';   # find your own :)

## neutered for your own protection. Learn some perl and you can write your own!
## (the loop condition is deliberately false, so this never sends a request)
while (0)
{
    my $ua = LWP::UserAgent->new;
    $ua->proxy(http => $proxy);                 # route the fetch through the proxy
    my $req = HTTP::Request->new(GET => $target);
    my $res = $ua->request($req);
    if ($res->is_success) {
        print scalar(localtime) . "\n";         # timestamp each successful fetch
    }
    else {
        print $res->status_line, "\n";
    }
}

Friday, March 10, 2006

Dr Spam?

UPDATE:
After a lot of research I've concluded the name attached to this DNS entry
is NOT the person behind the spamming. Dr Carpenter should not be contacted
in regards to this matter. His address and phone number were easily
found on public web sites and I believe he was simply picked to add legitimacy
to the site. The web site in question appears to simply harvest credit card
numbers and is operated out of Hong Kong. I have left the entry intact
so anyone can follow my line of reasoning.

-------------------------------------------------------------------------
The most recent spam I investigated leaves me puzzled. No effort to conceal activities for a pharmaceutical-related spam, and everything points to a licensed doctor in WA. I'm really speechless. Part of me wants to believe no doctor would be this stupid and risk his license and career. But I must document what I found.
The spam came in on a registered email address (I forget where it's from, but I believe it was a dev-related mailing list).


From - Fri Mar 10 05:25:41 2006
X-Account-Key: account3
X-UIDL: 1141977566.9085.loop.myISP.com,S=3345
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <hasso@aramark.com>
Delivered-To: victim@victim.com
Received: (qmail 9077 invoked from network); 10 Mar 2006 07:59:25 -0000
Received: from unknown (HELO aramark.com) (220.184.165.4)
by loop.myISP.com with SMTP; Fri, 10 Mar 2006 02:59:25 -0500
Message-ID: <000001c64418$79497940$328ca8c0@can55>
Reply-To: "Moray Hassen" <hasso@aramark.com>
From: "Moray Hassen" <hasso@aramark.com>
To: victim@victim.com
Subject: Re: ParamZcy news
Date: Fri, 10 Mar 2006 02:58:53 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0001_01C643EE.9075E240"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

This is a multi-part message in MIME format.

------=_NextPart_000_0001_01C643EE.9075E240
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

u V q a i I f i x u p m $1 k 05 (30 Ru tabIe Qp ts)
n V u i o a h g y r h a $ z 69 (1 Xs 0 t 5D abIets)
k C x i c a i I n i j s $ y 99 (1 Hj 0 tabI gu ets)
=20
And m 5K any other http://pyp44.miltsuil.com

------=_NextPart_000_0001_01C643EE.9075E240
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D3><FONT color=3D#0337ED><span style=3D" =
float : right "> u </span>V<span style=3D" float : right "> q =

</span>a<span style=3D" float : right "> i </span>I<span style=3D" float =
: right "> f </span>i<span style=3D" float : right "> x </span>u<span =
style=3D" float : right "> p </span>m</FONT> <FONT =
color=3D#F1420B>$1<span style=3D" float : right "> k </span>05</FONT> =
(30<span style=3D" float : right "> Ru </span> tabIe<span style=3D" =
float : right "> Qp </span>ts)</FONT></DIV>

<DIV><FONT face=3DArial size=3D3><FONT color=3D#0337ED><span style=3D" =
float : right "> n </span>V<span style=3D" float : right "> u =
</span>i<span style=3D" float : right "> o </span>a<span style=3D" float =
: right "> h </span>g<span style=3D" float : right "> y </span>r<span =
style=3D" float : right "> h </span>a</FONT> <FONT =
color=3D#F1420B>$<span style=3D" float : right "> z </span>69</FONT> =
(1<span style=3D" float : right "> Xs </span>0 t<span style=3D" =
float : right "> 5D </span>abIets)</FONT></DIV>

<DIV><FONT face=3DArial size=3D3><FONT color=3D#0337ED><span style=3D" =
float : right "> k </span>C<span style=3D" float : right "> x =
</span>i<span style=3D" float : right "> c </span>a<span style=3D" float =
: right "> i </span>I<span style=3D" float : right "> n </span>i<span =
style=3D" float : right "> j </span>s</FONT> <FONT =
color=3D#F1420B>$<span style=3D" float : right "> y </span>99</FONT> =
(1<span style=3D" float : right "> Hj </span>0 tabI<span style=3D" =
float : right "> gu </span>ets)</FONT></DIV>

<DIV><FONT face=3DArial size=3D3></FONT> </DIV>
<DIV><FONT face=3DArial size=3D3>And m<span style=3D" float : right "> =
5K </span>any other <A =
href=3D"http://pyp44.miltsuil.com">http://pyp44.miltsuil.com</A></FONT></=
DIV></BODY></HTML>
------=_NextPart_000_0001_01C643EE.9075E240--


The link leads to the miltsuil.com site and, aside from a simple redirect, the entire operation is straightforward. A trip to SamSpade yields the following:


Server Used: [ whois.yesnic.com ]

miltsuil.com = [ 59.148.144.203 ]
-----------------------------------------------
Queried Domain Information as follows
-----------------------------------------------
Domain Name : miltsuil.com
: :Registrant: :
Name : Richard Carpenter
Email : ostalana@yahoo.com

Address : 824 S. 295th PL
Zipcode : 98003
Nation : US
Tel : 253-941-4749
Fax :
: :Administrative Contact: :
Name : Richard Carpenter
Email : ostalana@yahoo.com

Address : 824 S. 295th PL
Zipcode : 98003
Nation : US
Tel : 253-941-4749
Fax :
: :Technical Contact: :
Name : Richard Carpenter
Email : ostalana@yahoo.com

Address : 824 S. 295th PL
Zipcode : 98003
Nation : US
Tel : 253-941-4749
Fax :
: :Name Servers: :
ns0.acorande.com
ns0.enanger.com
: :Dates & Status: :
Created Date 2006-03-07 16: 02: 33 EST
Updated Date 2006-03-07 16: 02: 33 EST
Valid Date 2007-03-07 16: 02: 33 EST
Status ACTIVE


It's creepy to see a real name and address. I search for the name and phone number listed only to find a list of Family Doctors in WA! See list here


Carpenter, Richard M
30809 1st Ave S
Federal Way, WA 98003-0000





Phonebook results for 253-941-4749
E Carpenter, (253) 941-4749, , Federal Way, WA 98003


Either this is a very well put together frame (do people get framed for spam??) or this doctor has decided to supplement his income. It's possible, since a doctor could get away with creating false prescriptions by the thousands. A doctor on the East Coast (New York?) was busted for this last year. But what idiot would attempt this today??

I'm keeping watch over this server and will report any findings. I may have 'scoop' on this one :), the DNS record is barely 48 hours old!

Update: I think this is a setup by Chinese spammers. It was just way too easy, and that bugged me from the start. A traceroute shows this:

4 ge-0-1-0-030.br2.qcy1.ma.gnaps.net (199.232.44.141) 6.683 ms 6.390 ms 6.565 ms
5 POS3-0.GW5.BOS4.ALTER.NET (208.192.182.173) 8.11 ms 7.466 ms 8.186 ms
6 0.so-2-0-0.CL1.BOS4.ALTER.NET (152.63.25.70) 8.315 ms 23.281 ms 21.669 ms
7 0.so-4-0-0.XL1.SAC1.ALTER.NET (152.63.53.245) 98.949 ms 96.628 ms 102.104 ms
8 POS6-0.IG3.SAC1.ALTER.NET (152.63.54.121) 93.654 ms 106.122 ms 98.970 ms
9 hkbn-gw.customer.alter.net (208.214.139.106) 268.645 ms 280.339 ms 275.420 ms
10 61.244.232.105 (61.244.232.105) 295.729 ms 255.630 ms 261.515 ms
11 61.244.232.170 (61.244.232.170) 267.802 ms 254.997 ms 256.17 ms
12 059148144203.ctinets.com (59.148.144.203) 262.475 ms 259.126 ms 253.566 ms

http://www.google.com/search?hl=en&lr=&client=safari&rls=en&q=site:ctinets.com
shows that ctinets.com is a Hong Kong provider (hop 9, hkbn-gw.customer.alter.net, is a Hong Kong Broadband gateway, and the remaining hops never leave it), which fits the update at the top of this entry.

Wednesday, December 07, 2005

Welcome to the Victims side

I have been using a hosted server for the last few years. They provide me with a cheap presence on the net and they even allow for lots of email addresses (technically unlimited). Over the last few days my "bounce account" has been flooded every morning. I didn't know what to make of it at first. Maybe someone tracked me down via this blog (not impossible) and decided to exact some revenge. Spammers are scummy people to begin with, so I wouldn't put this past them. Maybe someone was just flooding me directly?
Today I noticed a strange pattern in the bounce messages. They were all from a specific company (which I can't name) and looked pretty legitimate. So I looked into the email (with a hex editor) and it was authentic. My heart sank as I realized I was now a victim. My mail server had been coerced into helping these assholes. Since the server is hosted there isn't much I can do from here. I don't have direct access to the mail server in question, so I can't shut down SMTP or even investigate the logs. All I can do is issue help requests and wait. I have started tracking down the multiple mirrors of this particular spam in online mailing list archives. I'm doing what I can to contact the other domain name admins who seem to have been affected.
This may be the final straw for me to start running my own mail server.

Sunday, November 27, 2005

powerful enlargement

X-Account-Key: account2
X-UIDL: 1132365525.24507.victim.com,S=1554
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
Return-Path:
Delivered-To: victim@4
Received: (qmail 24497 invoked from network); 19 Nov 2005 01:58:44 -0000
Received: from unknown (HELO zipmail.com.br) (60.171.109.114)
by victim.com with SMTP; Fri, 18 Nov 2005 20:58:44 -0500
Message-ID:
Date: Fri, 18 Nov 2005 07:32:47 +0800
From: "madonna black"
User-Agent: MOMENTUM (3.0 build(25) [Asynch])
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Victim Victim"
Subject: powerful enlargement
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Male enhancement is achieving your goals of becoming a better man

90% of males were interested in improving their sexual stamina,
performance, and the size of their manhood. Are you one of the 90%?

You guys have made my dreams come true. I have been self-conscience for as
long as I can remember. I did not want to shower with other guys growing up,
because I was embarrassed. Not only has your system increased the size of my
manhood while erect, but it has helped my size while flaccid as well. I hang
bigger, and I feel more like the man I should have been all these years. The
change is tremendous, I wanted to send you this note to let you know what it
has done for me, and of course to order more LONGZ! Leroy, Brooklyn

check out the only Male Enhancement formula with a free DVD

http://geocities.yahoo.com.br/clifton_smothers/?7=X2



not for you, then use link above




The President bowed gravely. This is your invention? he asked
No; I'm hardly equal to that



Please wait while the web page loads

In a market research, men identified three things
as essential elements of achieving a satisfactory erection, including:


  • The ability to attain an erection
  • Erection hardness
  • The ability to maintain it for satisfactory sex

Taken together these make up erection quality (EQ).


Many men have been, or will be, concerned with the
quality of their erection at some time in their life. It may be an occasional
difficulty in getting or maintaining an erection; it could be an erection that
is just not as hard as it once was; or it may be a consistent inability to
achieve an erection.


It is estimated that over 30 million men in the US have
experienced at least partial erectile dysfunction (ED). You are not alone if you
experience a loss of erectile function.


Fortunately, if you've noticed changes in your erection
there is something you can do about it, talk to your
doctor.



The technique used by this spammer is called obfuscation, and we have talked about it a lot on this blog. A quick refresher for those who are a little rusty on the JavaScript unescape function can be found here:

JavaScript unescape (www.javascripter.net/faq/unescape.htm)
Answer: To convert a string from URL-encoded form, use the JavaScript function
unescape(string). This function works as follows: if the string contains ...

eval(unescape("\x76\x61\x72\x25\x32\x30\x55\x52\x49\x25\x33\x42\x25\x30\x44\x25
\x30\x41\x76\x61\x72\x25\x32\x30\x53\x43\x52\x49\x50\x54\x5F\x4E\x41\x4D\x45\x25
\x33\x42\x25\x30\x44\x25\x30\x41\x76\x61\x72\x25\x32\x30\x51\x55\x45\x52\x59\x5F
\x53\x54\x52\x49\x4E\x47\x25\x33\x42\x25\x30\x44\x25\x30\x41\x76\x61\x72\x25\x32
\x30\x5F\x47\x45\x54\x25\x33\x44\x6E\x65\x77\x25\x32\x30\x41\x72\x72\x61\x79\x25
\x32\x38\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x66\x75\x6E\x63\x74\x69
\x6F\x6E\x25\x32\x30\x5F\x63\x67\x69\x5F\x70\x61\x72\x73\x65\x5F\x61\x72\x67\x73
\x25\x32\x38\x25\x32\x39\x25\x37\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x76\x61
\x72\x25\x32\x30\x69\x25\x32\x43\x74\x6D\x70\x25\x32\x43\x74\x6D\x70\x32\x25\x32
\x43\x74\x6D\x70\x33\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x74\x72\x79
\x25\x37\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x55\x52\x49\x25\x33\x44\x6C\x6F
\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x25\x33\x42\x25\x30\x44\x25\x30\x41
\x25\x30\x39\x74\x6D\x70\x25\x33\x44\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x73\x65
\x61\x72\x63\x68\x2E\x73\x75\x62\x73\x74\x72\x25\x32\x38\x31\x25\x32\x43\x6C\x6F
\x63\x61\x74\x69\x6F\x6E\x2E\x73\x65\x61\x72\x63\x68\x2E\x6C\x65\x6E\x67\x74\x68
\x2D\x31\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x74\x6D\x70
\x32\x25\x33\x44\x74\x6D\x70\x2E\x73\x70\x6C\x69\x74\x25\x32\x38\x25\x32\x32\x25
\x32\x36\x25\x32\x32\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39
\x66\x6F\x72\x25\x32\x38\x69\x25\x33\x44\x30\x25\x33\x42\x69\x25\x33\x43\x74\x6D
\x70\x32\x2E\x6C\x65\x6E\x67\x74\x68\x25\x33\x42\x69\x2B\x2B\x25\x32\x39\x25\x37
\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x25\x30\x39\x74\x6D\x70\x33\x25\x33\x44
\x74\x6D\x70\x32\x25\x35\x42\x69\x25\x35\x44\x2E\x73\x70\x6C\x69\x74\x25\x32\x38
\x25\x32\x32\x25\x33\x44\x25\x32\x32\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30
\x41\x25\x30\x39\x25\x30\x39\x5F\x47\x45\x54\x25\x35\x42\x74\x6D\x70\x33\x25\x35
\x42\x30\x25\x35\x44\x25\x35\x44\x25\x33\x44\x74\x6D\x70\x33\x25\x35\x42\x31\x25
\x35\x44\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x25\x37\x44\x25\x30\x44
\x25\x30\x41\x25\x30\x39\x25\x37\x44\x63\x61\x74\x63\x68\x25\x32\x38\x65\x25\x32
\x39\x25\x37\x42\x61\x6C\x65\x72\x74\x25\x32\x38\x65\x2E\x64\x65\x73\x63\x72\x69
\x70\x74\x69\x6F\x6E\x25\x32\x39\x25\x33\x42\x25\x37\x44\x25\x30\x44\x25\x30\x41
\x25\x37\x44\x25\x30\x44\x25\x30\x41\x5F\x63\x67\x69\x5F\x70\x61\x72\x73\x65\x5F
\x61\x72\x67\x73\x25\x32\x38\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x76
\x61\x72\x25\x32\x30\x71\x25\x32\x30\x25\x33\x44\x25\x32\x30\x25\x32\x32\x37\x25
\x32\x32\x25\x33\x42\x25\x30\x44\x25\x30\x41\x69\x66\x25\x32\x38\x5F\x47\x45\x54
\x25\x35\x42\x71\x25\x35\x44\x25\x32\x39\x25\x37\x42\x25\x30\x44\x25\x30\x41\x25
\x30\x39\x76\x61\x72\x25\x32\x30\x70\x72\x65\x66\x69\x78\x25\x32\x30\x25\x33\x44
\x25\x32\x30\x25\x32\x37\x68\x74\x74\x70\x25\x33\x41\x2F\x2F\x77\x77\x77\x2E\x25
\x32\x37\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x64\x6F\x63\x75\x6D\x65
\x6E\x74\x2E\x74\x69\x74\x6C\x65\x25\x33\x44\x25\x32\x32\x4C\x6F\x6E\x67\x25\x32
\x30\x4D\x61\x6C\x65\x25\x32\x30\x45\x6E\x68\x61\x6E\x63\x65\x6D\x65\x6E\x74\x25
\x32\x32\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x76\x61\x72\x25\x32\x30
\x74\x64\x6F\x6D\x61\x69\x6E\x73\x25\x32\x30\x25\x33\x44\x25\x32\x30\x6E\x65\x77
\x25\x32\x30\x41\x72\x72\x61\x79\x25\x32\x38\x25\x32\x39\x25\x33\x42\x25\x30\x44
\x25\x30\x41\x25\x30\x39\x74\x64\x6F\x6D\x61\x69\x6E\x73\x25\x35\x42\x74\x64\x6F
\x6D\x61\x69\x6E\x73\x2E\x6C\x65\x6E\x67\x74\x68\x25\x35\x44\x25\x33\x44\x25\x32
\x37\x6C\x6F\x77\x70\x72\x69\x63\x65\x73\x6F\x6E\x70\x6C\x61\x74\x69\x6E\x75\x6D
\x73\x2E\x63\x6F\x6D\x2F\x6C\x7A\x25\x32\x37\x25\x33\x42\x25\x30\x44\x25\x30\x41
\x25\x30\x39\x74\x64\x6F\x6D\x61\x69\x6E\x73\x25\x35\x42\x74\x64\x6F\x6D\x61\x69
\x6E\x73\x2E\x6C\x65\x6E\x67\x74\x68\x25\x35\x44\x25\x33\x44\x25\x32\x37\x6F\x75
\x72\x62\x65\x73\x74\x70\x72\x6F\x6D\x6F\x74\x69\x6F\x6E\x73\x73\x69\x74\x65\x2E
\x63\x6F\x6D\x2F\x6C\x67\x25\x32\x37\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30
\x39\x76\x61\x72\x25\x32\x30\x64\x6F\x6D\x61\x69\x6E\x5F\x69\x6E\x64\x65\x78\x25
\x32\x30\x25\x33\x44\x25\x32\x30\x4D\x61\x74\x68\x2E\x66\x6C\x6F\x6F\x72\x25\x32
\x38\x4D\x61\x74\x68\x2E\x72\x61\x6E\x64\x6F\x6D\x25\x32\x38\x25\x32\x39\x25\x32
\x30\x2A\x25\x32\x30\x74\x64\x6F\x6D\x61\x69\x6E\x73\x2E\x6C\x65\x6E\x67\x74\x68
\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x76\x61\x72\x25\x32
\x30\x64\x6F\x6D\x61\x69\x6E\x5F\x74\x6F\x25\x32\x30\x25\x33\x44\x25\x32\x30\x74
\x64\x6F\x6D\x61\x69\x6E\x73\x25\x35\x42\x64\x6F\x6D\x61\x69\x6E\x5F\x69\x6E\x64
\x65\x78\x25\x35\x44\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x6C\x6F\x63
\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x25\x33\x44\x70\x72\x65\x66\x69\x78\x25
\x32\x30\x2B\x25\x32\x30\x64\x6F\x6D\x61\x69\x6E\x5F\x74\x6F\x25\x32\x30\x2B\x25
\x32\x30\x25\x32\x32\x2F\x25\x32\x32\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x37
\x44"));

First, let's break the text glob apart into individual characters:


use strict;
use warnings;

my $text = '\x76\x61\x72\x25\x32\x30\x55\x52'; ##snipped for formatting
# split on the literal "\x" separator; drop the empty element before the first one
my @characters = grep { length } split(/\\x/, $text);

foreach my $char (@characters)
{
    print "$char ";
}

This will give us something like this:
76 61 72 25 32 30 55 52 49 25 33 42 25 30 44 25 30 41 76 ...

Notice that $text uses single quotes and not double. With double quotes Perl would interpret the \x escapes itself (\x76 becomes "v", and so on), which gets us partway: the result is the URL-encoded (%XX) layer shown below, not the final code.

old value: 'var%20URI%3B%0D%0Avar%20SCRIPT_NAME%3B%0D%0Avar%20QUERY_STRING%3B%0D%0Avar
%20_GET%3Dnew%20Array%28%29%3B%0D%0Afunction%20_cgi_parse_args%28%29%7B%0D%0A
%09var%20i%2Ctmp%2Ctmp2%2Ctmp3%3B%0D%0A%09try%7B%0D%0A%09URI%3Dlocation.href
%3B%0D%0A%09tmp%3Dlocation.search.substr%281%2Clocation.search.length-1%29%3B
%0D%0A%09tmp2%3Dtmp.split%28%22%26%22%29%3B%0D%0A%09for%28i%3D0%3Bi%3C
tmp2.length%3Bi++%29%7B%0D%0A%09%09tmp3%3Dtmp2%5Bi%5D.split%28%22%3D%22%29%3B
%0D%0A%09%09_GET%5Btmp3%5B0%5D%5D%3Dtmp3%5B1%5D%3B%0D%0A%09%7D%0D%0A%09%7Dcatch
%28e%29%7Balert%28e.description%29%3B%7D%0D%0A%7D%0D%0A_cgi_parse_args%28%29
%3B%0D%0Avar%20q%20%3D%20%227%22%3B%0D%0Aif%28_GET%5Bq%5D%29%7B%0D%0A%09var
%20prefix%20%3D%20%27http%3A//www.%27%3B%0D%0A%09document.title%3D%22Long
%20Male%20Enhancement%22%3B%0D%0A%09var%20tdomains%20%3D%20new%20Array%28%29
%3B%0D%0A%09tdomains%5Btdomains.length%5D%3D%27lowpricesonplatinums.com/lz
%27%3B%0D%0A%09tdomains%5Btdomains.length%5D%3D%27ourbestpromotionssite.com/lg
%27%3B%0D%0A%09var%20domain_index%20%3D%20Math.floor%28Math.random%28%29%20*
%20tdomains.length%29%3B%0D%0A%09var%20domain_to%20%3D%20tdomains%5Bdomain_index
%5D%3B%0D%0A%09location.href%3Dprefix%20+%20domain_to%20+%20%22/%22%3B%0D%0A%7D'

OK, on second thought, it may be better to just decode the whole thing with pack and get it over with. The unpacking reveals the same code. It's early for me.


use strict;
my $text = '';   ### stuff the hex encoded values from earlier in here
my @characters = split(/\\x/, $text);

foreach my $char (@characters)
{
    next unless length $char;      # split() leaves an empty first element; skipping it avoids a stray NUL byte
    print pack("C", hex($char));   # turn each two-digit hex value back into the byte it stands for
}

I wrote the output to a file called spam.decoded.htm.

There is a location.href in there which will take us to the target spam sites. The double encoding is starting to annoy me, so let's get everything "rendered".

Perl is powerful for its simple elegance. If you ever feel that the solution is getting too complicated, it likely is.


use strict;

open(SPAM, "<", "spam.decoded.htm") or die "cannot open spam.decoded.htm: $!";
my $text = do { local $/; <SPAM> };   # slurp the whole file, not just the first line
close(SPAM);

# replace every %XX escape with the byte it stands for
$text =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
print $text;


This produces the raw code that the spammer tried so hard to hide from prying eyes.
For a JavaScript redirect it's fairly complex:

var URI;
var SCRIPT_NAME;
var QUERY_STRING;
var _GET=new Array();
function _cgi_parse_args(){
    var i,tmp,tmp2,tmp3;
    try{
        URI=location.href;
        tmp=location.search.substr(1,location.search.length-1);
        tmp2=tmp.split("&");
        for(i=0;i<tmp2.length;i++){
            tmp3=tmp2[i].split("=");
            _GET[tmp3[0]]=tmp3[1];
        }
    }catch(e){alert(e.description);}
}
_cgi_parse_args();
var q = "7";
if(_GET[q]){
    var prefix = 'http://www.';
    document.title="Long Male Enhancement";
    var tdomains = new Array();
    tdomains[tdomains.length]='lowpricesonplatinums.com/lz';
    tdomains[tdomains.length]='ourbestpromotionssite.com/lg';
    var domain_index = Math.floor(Math.random() * tdomains.length);
    var domain_to = tdomains[domain_index];
    location.href=prefix + domain_to + "/";
}

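Both decoding steps above (the \xNN layer and the %XX layer) plus a first pass at the analysis of the decoded redirect, rolled into one small Python script. This is an added example written for this post, not the Perl from above; it goes a little further than the steps in the text by peeling the two layers in whichever order they were stacked and then pulling the navigation calls and domain-looking string literals out of the result, which is what you would feed into a blocklist or a whois lookup. The domain names in the constructed sample (redirect-a.example, redirect-b.example) are placeholders, and encode_like_spammer exists only to build that sample the same way the spam stacked its two layers.

```python
import re
from urllib.parse import quote

# Layer 1 of the spam: "\xNN" escapes.  Matching the escapes directly
# (instead of splitting on "\x" as the Perl above does) avoids the empty
# first element and the stray NUL byte it turns into.
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
# Layer 2: "%NN" percent-encoding, the same thing the s///eg one-liner undoes.
PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")

# Calls through which a script hands the browser a navigation target.
REDIRECT_CALLS = re.compile(
    r"\b(location\.href|location\.replace|location\.assign|window\.open)\b")
# Quoted string literals that look like host[/path], e.g. 'somedomain.com/lz'.
DOMAIN_LITERAL = re.compile(
    r"""['"]((?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^'"\s]*)?)['"]""", re.IGNORECASE)


def decode_hex_escapes(blob):
    """Undo one "\\xNN" layer."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), blob)


def percent_decode(text):
    """Undo one "%NN" layer (the JavaScript escape()/unescape() style)."""
    return PCT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def peel(blob, max_layers=8):
    """Strip encoding layers, in whatever order they were stacked, until
    neither escape form is left.  Returns (plaintext, layers_removed)."""
    layers = []
    text = blob
    for _ in range(max_layers):        # cap the loop so a pathological blob cannot spin forever
        if HEX_ESCAPE.search(text):
            text, tag = decode_hex_escapes(text), "hex-escape"
        elif PCT_ESCAPE.search(text):
            text, tag = percent_decode(text), "percent"
        else:
            break
        layers.append(tag)
    return text, layers


def extract_redirect_targets(js):
    """Pull the navigation calls and the domain-looking string literals out of
    a decoded redirect script so they can be blocklisted or looked up."""
    return {
        "redirect_calls": sorted(set(REDIRECT_CALLS.findall(js))),
        "domains": DOMAIN_LITERAL.findall(js),
    }


def encode_like_spammer(js):
    """Build a test blob the way the spam stacked its layers: percent-encode
    first (escape() leaves letters, digits and @*_+-./ alone), then write every
    resulting character as a "\\xNN" escape.  Only used to construct the sample."""
    pct = quote(js, safe="@*+/")        # "_", "-" and "." are never encoded by quote()
    return "".join("\\x%02X" % ord(c) for c in pct)


# Constructed sample: same shape as the decoded script above, placeholder domains.
SAMPLE_JS = (
    "var tdomains = new Array();\n"
    "tdomains[tdomains.length]='redirect-a.example/lz';\n"
    "tdomains[tdomains.length]='redirect-b.example/lg';\n"
    "var domain_to = tdomains[Math.floor(Math.random() * tdomains.length)];\n"
    "location.href='http://www.' + domain_to + \"/\";\n"
)
SAMPLE_BLOB = encode_like_spammer(SAMPLE_JS)


if __name__ == "__main__":
    plain, layers = peel(SAMPLE_BLOB)
    print("layers removed:", layers)
    print(plain)
    print(extract_redirect_targets(plain))
```

The regex-based decoders are deliberately the same idea as the Perl s///eg one-liner; the difference from the split()-based version is only that nothing is emitted for the empty element before the first \x.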

This may end up as a two-part post so I can spend some more time analyzing the JavaScript above. I dug into the domain names presented and here is what I found:

Domain name: LOWPRICESONPLATINUMS.com
Status:lock

Registrant:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN


Administrative Contact:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN


Technical Contact:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN


Billing Contact:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN



Nameserver Information:
ns1.lowpricesonplatinums.com
ns2.lowpricesonplatinums.com

Create: 2005-11-03 14:26:47
Update: 2005-11-16
Expired: 2006-11-03


Domain name: ourbestpromotionssite.com
Status:lock

Registrant:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN


Administrative Contact:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN


Technical Contact:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN


Billing Contact:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN



Nameserver Information:
ns1.ourbestpromotionssite.com
ns2.ourbestpromotionssite.com

Create: 2005-11-03 14:26:58
Update: 2005-11-16
Expired: 2006-11-03


I become very sad once I see it's a Chinese site involved. I know there is essentially nothing that can be done at this point. No point in even trying to track down Zhang Yong Qi.
The syndey_heartilly@yahoo.com address is likely a throw-away account, but send a note anyway to let Yong Qi know that spam sucks.

Sunday, October 02, 2005

cheat adsense

[spammed to my blog]
I have been to your site and I too am working very hard at cheat adsense to increase my revenue. I am also looking into many NEW ways to utilize the design to further direct people to follow my ads.
cheat adsense

Human stupidity always amazes me. Who would be dumb enough to spam a blog whose sole purpose is to track down spammers? DEAN HARTMANN is such a man. Dean has taken up the challenge of being the most idiotic person on the planet and I think he's doing quite well at it. I had three comments on my blog, which I doubt very many people even read, from Dan peddling some adsense scheme. I traced his link (http://www.bloglinkbuilder.com/profittips) via whois to SYC Enterprises. I haven't done much research on this "business" but it's linked to a bunch of spamming-related schemes. Most of the pages are already down but thankfully there are Google caches. Could this be our prized idiot? It's possible; the page is hosted on a site regarding "joint marketing" efforts. Apparently Dan believes that he is simply marketing via the Internet and not polluting it with worthless crap. This isn't the first time for Dan either. He is listed on Spam Warden, which shows he's affiliated with The SFI Marketing Group.
SFI claims to have BBB membership, so if you're the victim of some of their new "marketing" efforts perhaps you should drop the BBB a line to let them know what Dean is up to. No Perl code in this post. I just wanted to track down the moron who spammed my blog.

Friday, September 16, 2005

Replica Watches for Low Prices

Return-Path:
Delivered-To: spam@victim
Received: (qmail 4047 invoked from network); 16 Sep 2005 07:39:24 -0000
Received: from unknown (HELO ath.forthnet.gr) (218.2.113.9)
by loop.phpwebhosting.com with SMTP; 16 Sep 2005 07:39:24 -0000
Received: from 149.140.93.179 by smtp.freesurf.ch;
Fri, 16 Sep 2005 07:35:04 +0000
Message-ID: <4cfb01c5ba91$3816de36$68078028@ath.forthnet.gr>
From: "Tammy M. Bryant"
To: spam@victim
Subject: Replica Watches for Low Prices
Date: Fri, 16 Sep 2005 15:34:50 +0800
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Do you want a high quality replica?

In our online store you can buy replicas of Rolex watches and
other brands. They look and feel exactly like the real thing.

- We have 20+ different brands in our selection
- Free shipping if you order 5 or more
- Save up to 40% compared to the cost of other replicas
- Standard Features:
- Screw-in crown
- Unidirectional turning bezel where appropriate
- All the appropriate rolex logos, on crown and dial
- Heavy weight

Visit us: http://rlox.com/

Best regards,
Fredrick Steiner


No thanks: http://rlox.com/z.php

I took a peek at this site through lynx and saw that the site redirected you to
http://replica-watch-store.net

WHOIS information for replica-watch-store.net:

[whois.joker.com]
domain: replica-watch-store.net
owner: Luis Alberto
email: admin@newbiemail.net
address: AVENIDA 6
address: CALLE 21/23
city: SAN JOSE
state: --
postal-code: CR
country: CR
phone: +506 223-24-06
admin-c: admin@newbiemail.net#0
tech-c: admin@newbiemail.net#0
billing-c: admin@newbiemail.net#0
nserver: ns1.replica-watch-store.net 221.11.134.23
nserver: ns2.replica-watch-store.net 221.11.134.23
status: lock
created: 2005-08-17 12:47:38 UTC
modified: 2005-08-18 09:36:43 UTC
expires: 2006-08-17 08:47:38 UTC
source: joker.com live whois service
query-time: 0.074216
db-updated: 2005-09-16 20:14:51

Spamming isn't very nice, Luis. And it would seem that this isn't Luis' first time doing this either. A search on Google yields some other hits on toastedspam.com where he was hawking pharmacy-related goods.

I found a contact page on his website with a form to mail him. That was very thoughtful of you.

Here is the important code from this page:
<form action="contact_mail.php" method="post">
<tr><td class=t2>Name</td><td class=t2><input type=text name=realname value="" size=30></td></tr>
<tr><td class=t2>Email</td><td class=t2><input type=text name=email value="" size=30></td></tr>
<tr><td class=t2>Subject</td><td class=t2><input type=text name=subject value="" size=30></td></tr>

<tr><td class=t2>Query</td><td class=t2><textarea name=comments rows=6 cols=25></textarea></td></tr>
<tr><td colspan=2 align=center class=t2><input type=submit value=Submit name=submit></td></tr>
</form>

The "action" is set to contact_mail.php and the variables are simply realname, email, subject, and then comments. Comments is where the message goes. OK, so let's whip up a simple script that will let you know how we spamming victims feel.

The newest addition to my code is a proxy list. I'm not going to give up my IP to this scum so I'll go through proxies and play hide-n-seek like he does.

** NOTE: you would have to supply your own list, oh and it's neutered so again if you don't know how to code this will not work for you :) **


#!/usr/bin/perl
## This code is covered by the GPL so feel free to reuse it according
## to those rules. If you are a spammer you must castrate yourself
## before even looking at this code. And then you are still not
## allowed to use it.

use strict;
use LWP;

my @proxies=('127.0.0.1','127.0.0.2');

my $method='POST';
my $target='http://replica-watch-store.net/contact_mail.php';
my $message='INSERT YOUR MESSAGE HERE';

&main();


sub send_request
{

my ($target,$proxy_address) = @_;
my $ua = LWP::UserAgent->new;
my $proxy='http://' . $proxy_address;
$ua->proxy(['http'] => $proxy);

# Create a request
my $req = HTTP::Request->new($method => $target);
my $yousuck="realname=".crap(30)."email=".crap(30)."subject=".crap(30)."comments=".$message;
$req->content_type('application/x-www-form-urlencoded');
$req->content($yousuck);

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
print $proxy,"\n";
}
else {
print $proxy . " " . $res->status_line. "\n";
}

}

sub crap
{
my $iterations=$_[0];
my $junk;
my $count;
for ($count=1; $count<$iterations; $count++)
{
$junk.=chr(rand(256));
}
}

sub deliver_message
{
my $url=$_[0];
foreach my $proxy (@proxies)
{
send_request($url,$proxy);
sleep(1);
}
}

sub main
{
while (0)
{
deliver_message($target);
}


}

Monday, May 23, 2005

MS Office 2003 Pro $69.95 Windows

This is just to show what a poor spam looks like.

All the links in the email look like this:
http://%25rnd_url/?h

The %25rnd_url portion means that this came from a "kit" and the spammer either ran the generation incorrectly or the original author is an idiot. I could see either case holding true. I'm too tired to track this scum down tonight. Maybe later :)

For some reason there is a Google AdSense ad embedded. I would imagine this could identify the person if needed.