[SpamCop-List] Re: parser defeated by obfuscation?
MikeE at ster.invalid
Mon Feb 14 08:29:52 EST 2005
> And I thought it was
> a Warez spam.
The decoding of the subject and body shows a pr0n spam.
I worked on the deobfuscation some more and came up with this:
from this http://r%09U%09L%09E%09S%09%2e%09I%09T/o0kf8uz/
and there is definitely a p0rn site at that the redirectors from that
whois -h whois.arin.net 184.108.40.206 ...
Mzima Networks, Inc. 220.127.116.11 - 18.104.22.168
abuse at mzima.net
Lunarpages 22.214.171.124 - 126.96.36.199
abuse at lunarpages.com
=> http://4qe9z3i.Da.r%09u/ =>
which ultimately end up at
which is where the p0rn is.
DNS 188.8.131.52 which is spews and spamhaus listed
whois -h whois.arin.net 184.108.40.206 ...
OrgName: Webair Internet Development Inc = AS27257
antispam at webair.com abuse at gblx.net postmaster at webair.com (for
Upstream Adjacent AS list
AS3356 LEVEL3 Level 3 Communications
AS3549 GBLX Global Crossing Ltd.
kibitzer, not SC admin
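
The URLs quoted in this message hide the hostname behind percent-encoded tabs (%09) and a percent-encoded dot (%2e). The sketch below is an added example, not part of the original post and not SpamCop's parser: it decodes the host once and strips control characters before any lookup. The function name and the sample list are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample input: the two obfuscated URLs quoted in the post,
# plus one ordinary URL for comparison.
SAMPLES = [
    "http://r%09U%09L%09E%09S%09%2e%09I%09T/o0kf8uz/",
    "http://4qe9z3i.Da.r%09u/",
    "http://Example.com:8080/index.html",
]

# C0 control characters, space and DEL never belong in a hostname.
_JUNK = re.compile(r"[\x00-\x20\x7f]")


def normalize_host(url):
    """Return (hostname, obfuscated) for a URL (hypothetical helper).

    hostname   -- lower-cased host with escapes decoded and junk removed
    obfuscated -- True if the host needed decoding or stripping
    """
    netloc = urlsplit(url).netloc
    raw = netloc.rpartition("@")[2]        # drop any userinfo part
    decoded = unquote(raw)                 # one pass: %09 -> TAB, %2e -> "."
    host = _JUNK.sub("", decoded).lower()
    if not host.startswith("["):           # leave IPv6 literals untouched
        host = host.partition(":")[0]      # drop the port
    host = host.rstrip(".")                # drop a trailing root dot
    obfuscated = "%" in raw or bool(_JUNK.search(decoded))
    return host, obfuscated


if __name__ == "__main__":
    for sample in SAMPLES:
        host, flagged = normalize_host(sample)
        note = "obfuscated host" if flagged else "plain host"
        print(f"{sample!r} -> {host} ({note})")
```

The host is decoded only once, so a doubly escaped sequence such as %2509 stays visible as %09 in the result instead of being silently collapsed.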