Forgot your training wheels again, spammer?

Another one who let go too early.
Fresh spam. Well, relatively fresh, from one inbox yesterday (parts of it):

Subject: %SI_subj

What if you could %SI2_rnd10 your desire and %SI2_rnd11 by just %SI2_rnd12 %SI2_rnd13 step?
What if this step was %SI2_rnd14, %SI2_rnd15 and side-effect-free?

There is %SI2_rnd16 solution!
%SI2_rnd17 %SI2_rnd18 use %SI2_rnd20 to give their %SI2_rnd20 %SI2_rnd21 night fire!

If there are no %SI2_rnd22, why refusing to take one pilule before %SI2_rnd23?

%SI2_rnd24 of men did it – You can do it too!

Buy fake antivirus software through Google Checkout?

Interesting. Checking it out.
Fake antivirus via Google checkout

Maybe more later.

A nice bag of malware/scareware. And velcom.com.

I mostly write about what others have already written about; I am a kind of parasite.

Today I spotted this one in my RSS reader from the Sunbelt blog, titled "New rogue: Presto TuneUp":
http://sunbeltblog.blogspot.com/2009/05/presto-tuneup.html

I steal and quote from that blog posting:

64.213.140.69 Prestotuneup com
64.213.140.69 update1.prestotuneup com
64.213.140.69 update2.prestotuneup com

Spam for fake BlueMountain card leads to malware

Fresh spam in today, subject: "BlueMountain e-Card : Someone thought about you".

Yeah, someone is thinking about infecting your computer.

Obfuscating the link:
h||p://0x55.0xee.000000051.0000221/i/BlueMountain&2009&05.card=LoveScreen. php
0x55.0xee.000000051.0000221 decodes to 85.238.41.145 and the IP is listed in the SBL for reasons similar to this spamrun.
The setup is almost identical.
service.net.ge is behind 85.238.41.145.
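
The decoding step above, as an added example that is not part of the original post: a normalizer for inet_aton-style IPv4 literals, so a mail or proxy filter can compare the real address against a blocklist such as the SBL. It goes beyond the post's dotted hex/octal case by also accepting the 1- to 3-part forms; the function names are my own.

```python
import re

# One component: 0x... is hex, a leading 0 is octal, anything else is decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def _parse_part(part):
    """Parse one dotted component the way inet_aton() does; None if malformed."""
    if not _PART.match(part):
        return None
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if part.startswith("0"):
        return int(part, 8)  # "0" and "000000051" both land here
    return int(part, 10)

def normalize_ip_literal(host):
    """Return canonical dotted-decimal IPv4 for an inet_aton-style literal, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    # Leading components are single bytes; the last one fills the remaining bytes.
    *head, tail = values
    if any(v > 0xFF for v in head) or tail >= 1 << (8 * (4 - len(head))):
        return None
    addr = tail
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

def obfuscated_ip(host):
    """Canonical IP if host is an IPv4 literal in non-canonical form, else None."""
    canonical = normalize_ip_literal(host)
    return canonical if canonical is not None and canonical != host else None

if __name__ == "__main__":
    # First host is the one quoted in the post; the others are constructed samples.
    for h in ("0x55.0xee.000000051.0000221", "0x55ee2991", "85.238.41.145", "service.net.ge"):
        print(f"{h!r:34} normalized={normalize_ip_literal(h)} obfuscated={obfuscated_ip(h)}")
```

A host for which `obfuscated_ip()` returns a value is worth flagging on its own, since legitimate mail rarely links to hex- or octal-encoded addresses.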

Asprox domains - new and old ones April 29 2009

Some of them, others do of course exist too.

I stumbled across two new ones registered today, 15infinput.com and binnet11.net.
One of the IPs that shows up in connection with those is 69.66.237.74.

Here is an example using bfk.de from 69.66.237.74 (all of those are not active):

The acaiberries spammers

Only a few words this time.

007aff.com has been replaced by 007-aff.com. Same guys.
The replacement for bulker.biz? (Pure speculation).

Latest domain taking orders: ksdjhfnkejrnkfjekrjnfkejrnkj.com

One branch of the setup can be traced back to JustThinkMedia.
aka edirectsoftware, earncashfastwithgoogle.com, creditreportamerica.com, wu-yisource.com etc.
