
[SpamCop-List] Re: parser defeated by obfuscation?

Mike Easter MikeE at ster.invalid
Mon Feb 14 08:29:52 EST 2005


nospam wrote:
> And I thought it was
> a Warez spam.

The decoding of the subject and body shows a pr0n spam.

I worked on the deobfuscation some more and came up with this:

http://rules.it/o0kf8uz/

from this http://r%09U%09L%09E%09S%09%2e%09I%09T/o0kf8uz/

and there is definitely a p0rn site at that the redirectors from that
result.

DNS  64.235.234.138
whois -h whois.arin.net 64.235.234.138 ...
Mzima Networks, Inc.  64.235.224.0 - 64.235.255.255
   abuse at mzima.net
Lunarpages 64.235.234.0 - 64.235.234.255
   abuse at lunarpages.com

=> http://4qe9z3i.Da.r%09u/ =>
http://www.allinternal.com/go/355961/2/9/n/ =>


which ultimately end up at
http://www.allinternal.com/32288162/index.html

which is where the p0rn is.

DNS  69.42.72.70  which is spews and spamhaus listed

whois -h whois.arin.net 69.42.72.70 ...
OrgName:    Webair Internet Development Inc = AS27257
  antispam at webair.com abuse at gblx.net  postmaster at webair.com (for
webair.com)

  Upstream Adjacent AS list
    AS3356    LEVEL3 Level 3 Communications
    AS3549    GBLX Global Crossing Ltd.



-- 
Mike Easter
kibitzer, not SC admin
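
The host deobfuscation described in the message above, written out as an added example; it is not part of the original post and is not SpamCop's parser. The function name `deobfuscate` and the finding labels are hypothetical; the two sample URLs are the ones quoted in the post.

```python
import re
from urllib.parse import unquote

URL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)(.*)$", re.S)
JUNK = re.compile(r"[\x00-\x20\x7f]")  # ASCII control characters and space

# URLs quoted in the post above
SAMPLES = [
    "http://r%09U%09L%09E%09S%09%2e%09I%09T/o0kf8uz/",
    "http://4qe9z3i.Da.r%09u/",
]


def deobfuscate(url):
    """Return (clean_url, findings) for a URL whose host part is obfuscated.

    Only the authority is rewritten; path, query and fragment are kept as-is.
    """
    m = URL_RE.match(url.strip())
    if not m:
        raise ValueError("not an absolute URL: %r" % url)
    scheme, authority, rest = m.groups()
    findings = []

    # Split off userinfo and port so only the host itself is decoded.
    userinfo, _, hostport = authority.rpartition("@")
    host, sep, port = hostport.rpartition(":")
    if not sep or not port.isdigit():
        host, port = hostport, ""

    decoded = unquote(host)              # %09 -> TAB, %2e -> "."
    if decoded != host:
        findings.append("percent-encoding in host")
    cleaned = JUNK.sub("", decoded)      # drop the inserted TABs
    if cleaned != decoded:
        findings.append("control/whitespace characters in host")
    lowered = cleaned.lower()            # host names are case-insensitive
    if lowered != cleaned:
        findings.append("mixed-case host")

    netloc = (userinfo + "@" if userinfo else "") + lowered
    netloc += ":" + port if port else ""
    return scheme.lower() + "://" + netloc + rest, findings


if __name__ == "__main__":
    for sample in SAMPLES:
        clean, why = deobfuscate(sample)
        print(clean, "<-", "; ".join(why) or "no obfuscation found")
```

A non-empty findings list is itself a useful signal for a parser: an ordinary link has no reason to carry percent-encoded control characters in its host.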


