
Date Posted: 03:35:23 12/16/03 Tue
Author: Repost
Subject: CAIS/evapharmacy.com/paysystems.com

SPAM: Yes, buddy. Just for your information! srsckrdjkvmpzuvao

The never ending CAIS/evapharmacy.com/paysystems.com spam,
this one via a hijacked open web proxy.

Illegal drug sales. Prescription medication sold without a prescription.
Actually akamai/paysystems.com sells "PaySystems Points" to be redeemed
by their partners for the illegal drugs.

Spam FROM: qs22.internetdsl.tpnet.pl []

The spamvertized URL appears to be in Korea. It is in Argentina.
It is a pro-spam operation's proxy which proxies pages from a client's
site to redirect one to the drug sale site, evapharmacy.com on CAIS
which sets the order information and redirects one to the sale site,
paysystems.com. The spamvertized URL is hidden behind a hijacked
website/proxy. This is accomplished by the spammer having his HIJACKING
NAMESERVERS return the IP address of the hijacked proxy to everyone -
EXCEPT that it returns the true address of the spammer's site to the
resolver/nameserver used by the hijacked proxy to resolve hostnames so
that the hijacked proxy can find, fetch and pass on the pages.

Spamvertized URL: http://swissdrugs.com/discounts/index.php?pid=evaph3770
accessed via a hijacked open web proxy at IP address
Your web server at IP address is an open proxy
which is being hijacked to fetch and pass on the spammer's pages.
but actually located at IP address
Hijacking NAMESERVERS: at IP addresses,
and (that last is also the true location of the spamvertized
URL) all on Telefonica de Argentina, TELEFONICA.COM.AR.

This site's order page may or may not work.
You may get an "unable to process order" unless the site includes
an extra bit of JavaScript at the bottom of the page. That sets the
form action to send one to the actual:

Spamvertized SITE: http://evapharmacy.com/cgi-bin/b/purchase.cgi
at the SPEWS and SPAMHAUS listed IP address on CAIS.

IF you get the JavaScript section, so the form's action sends
you to evapharmacy on CAIS, that redirects to the actual drug:

Spamvertized SALE SITE: https://secure.paysystems1.com/cgi-v310/payment/onlinesale-tpppro.asp?[data]
(the data submitted includes "companyid=185690" and "option1=10378")
which is hosted on Akamai mirrors, the one I accessed being at
IP address on Level3.

NOTE: If you have cached values of the nameservers used, you may
not be able to resolve the spamvertized hostname. Check
at the root servers to find the current nameservers
(they may change) and use them to resolve things.


SPAM FROM: qs22.internetdsl.tpnet.pl []

inetnum: -
descr: POLAND
country: PL
descr: for abuse: abuse@tpnet.pl
trouble: Abuse and spam notification: abuse@telekomunikacja.pl
abuse@tpnet.pl (for tpnet.pl)
postmaster@tpnet.pl (for tpnet.pl)

SPAMVERTIZED URL: http://swissdrugs.com/discounts/index.php?pid=evaph3770

'[a href="http://gfgfgfgfgffgfgfffgfgfgfgfgfgff.com.hghghghghghghghghghgh.site@swissdrugs.com/discounts/index.php?pid=evaph3770"]
0-R-D-E-R T-0-D-A-Y![/a]'

HTTP/1.1 200 OK
Via: HTTP/1.0 cluster2 (Traffic-Server/4.0.18 [c sSf ]) <== PROXY!

This is the Super-Zonda method.
They provide "professional spamming" services, including
hosting and/or proxying services (they run a proxy to
feed clients' pages to victims).

However, their server (or proxy) is hidden behind a
hijacked open web proxy.


Find an open web proxy, one for which:

telnet 80

GET / HTTP/1.1
Host: www.nytimes.com

gets the front page of the NY Times.

This is a server which transparently proxies pages from other sites
and now the spammer wants to know how it resolves hostnames. From
where does the connection by the proxy's resolver/nameserver come
from? To find out the spammer uses:

telnet 80

GET / HTTP/1.1

and checks the logs at his nameserver to find out how the proxy
resolves hostnames. He should do this several times (having set
the TTL for the A record for HIS_OWN_SERVER to just a few seconds
to avoid the victim using cached values) in case the proxy uses
multiple nameservers/resolvers.

Then he sends out spam, spamvertizing his hostname.
However, he sets his nameserver to give out the IP address OF
THE PROXY to all requests for its location.
- EXCEPT - that requests *from the resolver(s)/nameserver(s)
used by the open proxy, itself,* get the correct
IP address of the spam outfit's server.

The result is that everyone (except those who happen to use
the hijacked proxy's resolver/nameserver) sees that the IP
address of the spamvertized site is at ... in this case,
IP address They go there to get the page.
The proxy there is a proxy and tries to get the page to pass
it along. It tries to find it. IT FINDS THE REAL LOCATION
(since the spammer's nameserver gives the real location to
the hijacked proxy's resolver), gets the page and passes it

The result is that the spam outfit's server appears to be located
at the IP address of the hijacked proxy who gets the complaints
and -in one case- almost got booted from their ISP for spamming.

Now ... how can we find the true location of the spammer's site?
Do a recursive query at the proxy's resolver/nameserver IF we can
find it and if it is publicly accessible. In this case I can and
it is. If you run your own system, with nameserver for some web
site, you can duplicate what the spammer does, access your own
site via the proxy, check your nameserver logs and locate the
hijackable proxy's resolver.

I managed to locate the nameserver/resolver used by the proxy.
It is ns.hanaro.com at IP address
I won't mention how long it took me to locate it.
I don't have access to my own nameserver/website and so had to
hunt for the nameserver used by the hijacked proxy.

First, let's *prove* that this is used by the open proxy to resolve
hostnames (i.e. prove that this is how the proxy resolves a hostname
to an IP address in order to find, fetch and pass along web pages).

dig @ www.vivazap.com +norec

is a non-recursive lookup at this server for www.vivazap.com and
- HAH I found a site that it does NOT have cached and, as I did a
non-recursive lookup, I did not "seed" the cache with the IP address
of www.vivazap.com (and I checked that - since once I came across a
server that did a recursive query even when the recursive flag was not
set). The above query gets NO IP address for www.vivazap.com.

Now ...

telnet 80

GET / HTTP/1.1
Host: www.vivazap.com

NOW ...

dig @ www.vivazap.com +norec

and BINGO! has the IP address of www.vivazap.com!

Where did that come from? It was obtained when that nameserver had to
resolve the hostname www.vivazap.com. Why did it have to resolve that
hostname? It resolved it for the hijacked webserver/proxy when that
proxy resolved the hostname in order to fetch the pages I accessed via
the proxy.

Do this a few times to convince yourself that when you access a
page via the proxy, it looks up the IP address of the desired site.

OK ... now, the hijacked open proxy gets the page for swissdrugs.com.
It gets it by using this nameserver to resolve the hostname, get the
location, and then fetch the page.


dig @ swissdrugs.com

gives its real location at:

swissdrugs.com A

(Actually I knew that at the beginning. One of the nameservers
used by this spam operation is ns1.ram-systems.info which
sometimes gets booted off one, and has to move to another
location. In the cases I have seen, its location has also been that
of the spammer's site and it currently has IP address
... ooops! It used to be that the spammer's site was at the IP
address of ns1.ram-systems.info but this time it appears to be
at the IP address of ns2.ram-systems.info!

NOTE: The address can change. The spammer's nameservers themselves
can return a different, fake, address. You might get a cached
value from your ISP's nameserver. So check for the "glue record"
at the root server to find the IP addresses:
dig @tld1.ultradns.net ns2.ram-systems.info +norec
ns2.ram-systems.info. A

(It used to be that the pro-spam system appeared dead - their
web server did not respond to any incoming packets, EXCEPT port 80,
http, connections, from the abused open proxy. In this case,
however, one can address the spammer's site directly by modifying a
"hosts" file or using "curl" or whatever.)

So, the spamvertized URL is actually located at

* Connected to
Host: swissdrugs.com

inetnum: 168.226/16
status: assigned
owner: Telefonica de Argentina
e-mail: tasamail@TELEFONICA.COM.AR

Now, who is giving out the IP address of a hijacked web server as that
of the spammer's system?

For the host:

NAMESERVERS listed in the root servers for swissdrugs.com:
swissdrugs.com NS ns1.2raceline.biz
swissdrugs.com NS ns1.ram-systems.info
swissdrugs.com NS ns2.2raceline.biz
swissdrugs.com NS ns2.ram-systems.info
ns1.2raceline.biz A
ns1.ram-systems.info A
ns2.ram-systems.info A

[extract from dig]
dig @
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
swissdrugs.com A

dig @
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
swissdrugs.com A

dig @
A +noqu +noadd +noau +norec
;; flags: qr aa <-- AUTHORITATIVE and NON-RECURSIVE
swissdrugs.com A

IP addresses, and
inetnum: 168.226/16
status: assigned
owner: Telefonica de Argentina
e-mail: tasamail@TELEFONICA.COM.AR
They are all in the same (B-)block on Telefonica de Argentina.

Well, that is how the spam service (Super Zonda or a clone?)
works ... what about the spamvertized site itself?

The order form at:
http://swissdrugs.com/discounts/order.php?
[title]GENERIC VIAGRA :: order page[/title]
(which one reaches via a data POST)

is interesting. It has action:
[form ... ]
well, it has no action listed, so the post of the data here
would go to the URL of this page. That would get back an
error message:
"Sorry, at this moment we are unable to process your order."
(or other fake message).

Unless ... I am not sure what magic combination of cookies, data
(you only get this page after filling out data on the prior page
which gets "validated" - I suspect that if you use a truly fake
address and phone number, you will get the non-working page)
referrers, etc. are necessary - BUT I GOT ONE TO WORK.

The form has the above action - UNLESS the web server includes a bit
of JavaScript code at the bottom, after the closing [/html] tag.
When this page loads it may load with a section of JavaScript
at the bottom. *That* gives the working page.

That section is (it worked for me, just now):

var s='2441://9v31237m35y.5om/5g8-08n/0/1u7523s9.5g8';
var a="740928135";
var b="rtbehipac";

for(var j=0;j<b.length;j++){
for(var i=0;i<a.length;i++){

This *resets* the form's action to the working version.

Well ... with the second line, the action is not set to
"http://evapharmacy.com/cgi-bin/b/purchase.cgi" (as the first would set it)
but to:
""

(I don't know why, since evapharmacy.com is at IP address ... oh, the other day it did not resolve.
They may have had to get different nameservers due to
the massive spamming.)

SPAMVERTIZED SITE: http://evapharmacy.com/cgi-bin/b/purchase.cgi
is found in sbl.spamhaus.org
Lists "known spammers, spam gangs or spam support services." is found in SPEWS (http://spews.sorbs.net) under: S1845

OrgName: CAIS Internet
NameServer: NS2.CAIS.COM
TechEmail: domreg@cais.net
abuse@cais.com (for cais.com)

When the data (from the post) is sent there, one gets a redirection
to the actual drug sale site:

HTTP/1.1 302 Found
Location: https://secure.paysystems1.com/cgi-v310/payment/onlinesale-tpppro.asp?[data]
(see below for the data)

SPAMVERTIZED SALE SITE: https://secure.paysystems1.com/cgi-v310/payment/onlinesale-tpppro.asp?[data]

"You are buying PaySystems Points to be redeemed at:

* Connected to
Host: secure.paysystems1.com
This is hosted on Akamai mirrors.
secure.paysystems1.com is an alias for secure.paysystems1.com.edgekey.net.
secure.paysystems1.com.edgekey.net is an alias for e61.g.akamaiedge.net.
e61.g.akamaiedge.net has address
[this varies, of course]

OrgName: Level 3 Communications, Inc.
OrgAbuseEmail: abuse@level3.com
abuse@level3.net (for level3.com)
abuse@level3.com (for level3.com)
spamtool@level3.net (for level3.com)

abuse@akamai.com (for paysystems.com)
postmaster@paysystems.com (for paysystems.com)
abuse@sprint.ca (for paysystems.com)
abuse@paysystems.com (for paysystems.com)
abuse@akamai.com (for paysystems1.com)
abuse@sprint.ca (for paysystems1.com)
abuse@cybercon.com (for paysystems1.com)
postmaster@paysystems1.com (for paysystems1.com)
support@mail.paysystems1.com (for paysystems1.com)
abuse@paysystems.com (for paysystems1.com)

Where the data submitted is:

redirectfail=http://www.newpillsformula.com/fail.php
[hmmm ... a change ... it used to be
http://www.pillsthatwork.com/fail.php]
&total=264.95 [varies]
&product1=60 Pills Generic Viagra, 100mg + 8 free [varies]
&b_firstname=[victim's name: first]
&b_lastname=[victim's name: last]
&b_address=[victim's address: street]
&b_city=[victim's address: city]
&b_state=[victim's address: state]
&b_zip=[victim's address: zip code]
&b_tel=[victim's phone number]
&email=[victim's address: e-mail]
&redirect=

NOTE: How much spam (for this or other sites which have your
credit card information submitted insecurely there)
is there for "affiliates" "evap[something]"?
Say, hosted on alldolly.net (that one tries to install
a trojan), e-buy-net.com (which is a "Super-Zonda"
operation, hijacking open web proxies), pillsthatwork.com,
pillshere.com or this, swissdrugs.com (Super-Zonda again!)?

[ORIGINAL SPAM: with angle brackets, such as "<", converted
to square brackets, such as "[", so as not
to affect HTML enabled mail/news readers.]

Return-Path: <extremekdbuerfor@ramirez.com>
Received: from _my_name_ (qs22.internetdsl.tpnet.pl [])
by _my_isp_ (xxx) with SMTP id hBFF6mnY096174
for <_my_email_address_>; Mon, 15 Dec 2003 10:06:50 -0500 (EST)
(envelope-from extremekdbuerfor@ramirez.com)
Message-ID: <ruvyps.77527bczzxmhxi@Heatherpxeczx>
From: "Heather" <extremekdbuerfor@ramirez.com>
Date: Mon, 15 Dec 2003 16:07:54 -0000
To: <xxx>
Subject: Yes, buddy. Just for your information! srsckrdjkvmpzuvao
xxxMIME-Version: 1.0
xxxContent-Transfer-Encoding: 8bit
xxxContent-Type: text/html; charset=iso-8859-1
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
X-Spam-DCC: COLLEGEOFNEWCALEDONIA: _my_isp_ 1189; Body=1 Fuz1=1
* 4.1 SUBJ_HAS_SPACES Subject contains lots of white space
* 1.0 INCH_OBFU_SEXUAL BODY: INCH CUSTOM RULE -- Obfuscated "sexual"
* 5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
* [score: 1.0000]
* 0.1 HTML_FONTCOLOR_UNKNOWN BODY: HTML font color is unknown to us
* 0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.1 HTML_MESSAGE BODY: HTML included in message
* 0.3 HTML_FONT_BIG BODY: HTML has a big font
* 0.1 HTML_FONTCOLOR_UNSAFE BODY: HTML font color not in safe 6x6x6 palette
* 3.8 USERPASS URI: URL contains username and (optional) password
* 2.7 SUBJ_HAS_UNIQ_ID Subject contains a unique ID
* 1.5 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* [Blocked - see <http://www.spamcop.net/bl.shtml?>]
* 4.0 INCH_GENERIC_VIAGRA INCH CUSTOM RULE -- pushing generic viagra
* 2.0 INCH_SUBJ_SPACES_ID INCH CUSTOM RULE -- Subject has lots of spaces and a uniq id field
* 1.2 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
* 1.0 INCH_ALLCONSONANTS INCH CUSTOM RULE -- multiple words with no vowels
X-Spam-Status: Yes, hits=27.6 required=6.0 tests=BAYES_99,
SUBJ_HAS_UNIQ_ID,USERPASS autolearn=spam version=2.60
X-Spam-Level: ***************************
X-UIDL: @l&#!^9;"!eQ?!!NDJ!!
Status: O
X-UID: 38

[font color=#fefefe]auotv hmjdbcz buwaimy gfzecz pxamg[/font][br]
V i @ g r @. The new medication got it's name from two words: "Vigour" and "Niagara".
[font color=#fefefe]ryeegvxcy uwdnubxoxg xweaap qtjawfptac bjtqwhnmq[/font][br]
[font color=#fefefe]hiegrrsppo jxpsmbqwhi dnyia tlizhmbvcg svsqpj[/font][br]
Yes, over 27,000,000 men worldwide use it. It hepls them to regain their s e x u @ l ego, fullfill sexual energy![br]
[font color=#fefefe]sewosdzct qtxowbjbp itknl bclvsnzlr fvdmwi[/font][br]
[font color=#fefefe]dwymu efwcktqvk oqzcsifgtd ovzci ymenc[/font][br]
[font color=green][b]It's a choice of millions, it's safe and extremely efficient![/b][/font]
[font color=#fefefe]fmgzptys yqaaxxtw tmylnjzp xshpadxsl ljbpxnf[/font][br]
[font color=#fefefe]mviltgoik spapdseqa ltsfttwhnx isafilknf fjwhoaektk[/font][br]
We offer you a Generic V i @ g r @ (the same medication as V l @ g r @, just a full chemical equivalent).[br]
Our prices are really low, they are just shocking! Go and compare![br]
[font color=#fefefe]jrdkfv fhxumwwi itnbkxwvfb iwvulxig pybxng[/font][br]
[center][font size=+1][a hrefauhhzgohref=http://zbdocob.com href="http://gfgfgfgfgffgfgfffgfgfgfgfgfgff.com.hghghghghghghghghghgh.site@swissdrugs.com/discounts/index.php?pid=evaph3770"]0-R-D-E-R T-0-D-A-Y![/center][/font]
[font color=#fefefe]migfkvjwqj zmnomfo vmdvj ikiyfpslof jebcp[/font][br][BR][BR][BR]
[a hrefsjaufhref=http://jexnz.com href="http://gfgfgfgfgffgfgfffgfgfgfgfgfgff.com.hghghghghghghghghghgh.site@swissdrugs.com/discounts/applepie.php"]off[/a]
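The post above describes two things a practitioner may want to reproduce: the spammer's split-horizon nameserver (everyone is told the spamvertized host is at the open proxy, except the proxy's own resolver, which gets the real address), and the poster's cache-snooping proof that a given resolver is the one the hijacked proxy uses (`dig @resolver name +norec` before and after fetching the name through the proxy). The following is an added example, not code from the post; it hand-builds the DNS packets with the standard library so the non-recursive (RD=0) probe and the answer parsing are explicit, models the hijacking nameserver's answer selection, and wraps the three-step proxy/resolver test. All IP addresses in the comments and tests are RFC 5737 documentation addresses chosen here, not the redacted ones from the post, and the network functions (`cache_snoop`, `proxy_uses_resolver`) are only for resolvers and proxies you are authorised to probe.

```python
"""Cache-snooping probe (dig +norec equivalent) and a model of the Super-Zonda
split-horizon trick. Constructed example: nothing on the network is contacted
unless you call cache_snoop()/proxy_uses_resolver() yourself."""
import socket
import struct
from typing import List


def build_query(name: str, qid: int = 0x1234, recursion_desired: bool = False) -> bytes:
    """DNS A/IN query. With recursion_desired=False the RD bit is clear, the
    equivalent of `dig +norec`: a caching resolver answers only from cache and
    does not go and fetch the name, so the probe does not seed the cache it inspects."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def rd_bit(packet: bytes) -> bool:
    """Recursion Desired flag of a query or response header."""
    return bool(struct.unpack("!H", packet[2:4])[0] & 0x0100)


def ra_bit(packet: bytes) -> bool:
    """Recursion Available: set by resolvers, clear on a purely authoritative answer."""
    return bool(struct.unpack("!H", packet[2:4])[0] & 0x0080)


def _skip_name(data: bytes, off: int) -> int:
    """Offset just past a domain name; a compression pointer (0xC0xx) ends the name."""
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def parse_a_records(data: bytes) -> List[str]:
    """IPv4 addresses in the answer section. For a +norec probe an empty list
    means the resolver has nothing cached for the name."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs


def build_response(query: bytes, addrs: List[str], ttl: int = 300,
                   ra: bool = True, aa: bool = False) -> bytes:
    """Constructed response: echo the question and append one A record per
    address (owner name as a pointer to offset 12). Used for offline tests and
    by the split-horizon model below."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0080 if ra else 0)  # QR, AA, RA
    header = struct.pack("!HHHHHH", qid, flags, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                       for a in addrs)
    return header + query[12:] + answers


def split_horizon_answer(query: bytes, client_ip: str, proxy_ip: str,
                         real_ip: str, proxy_resolvers: List[str]) -> bytes:
    """Model of the hijacking nameserver: everyone is told the spamvertized
    host lives at the open proxy, except the proxy's own resolver(s), which get
    the real address so the proxy can fetch and relay the pages. The short TTL
    keeps the proxy's resolver from holding a stale answer."""
    target = real_ip if client_ip in proxy_resolvers else proxy_ip
    return build_response(query, [target], ttl=5, ra=False, aa=True)


def cache_snoop(resolver_ip: str, name: str, timeout: float = 3.0) -> List[str]:
    """Network step, `dig @resolver name +norec`: cached A records, [] if none."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("DNS ID mismatch")
    return parse_a_records(data)


def proxy_uses_resolver(proxy_ip: str, resolver_ip: str, name: str) -> bool:
    """The post's three-step proof: not cached before, fetch `name` through the
    open proxy, cached afterwards. `name` must be one the resolver has not seen."""
    if cache_snoop(resolver_ip, name):
        raise RuntimeError("pick a name the resolver has not already cached")
    req = f"GET / HTTP/1.1\r\nHost: {name}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((proxy_ip, 80), timeout=10) as s:
        s.sendall(req)
        s.recv(1024)
    return bool(cache_snoop(resolver_ip, name))
```

Two checks worth keeping from the post when using this against a live resolver: confirm that the RA bit is set and that a +norec probe for an uncached name really returns nothing (some servers recurse even with RD clear, which would seed the cache and invalidate the test), and query the TLD servers for the current glue of the spammer's nameservers rather than trusting your ISP's cache, since the nameservers themselves hand out deliberately wrong answers.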
