Blog for hpHosts, and whatever else I feel like writing about ....

Sunday 10 June 2012

Fake meds spam spoofing Microsoft

Looks like the fake meds gang have started spoofing Microsoft too. I've received 5 of these bad boys so far; nothing particularly special about them, and they're certainly nowhere near convincing, which in itself is unusual (those impersonating Microsoft previously, whether leading to fake meds or malware, have usually been a lot more convincing than this).

Each has included a different URL so far:

altab.cl/up/load/
rezb.com/up/load/
paprecision.com/up/load/
brafdesign.com/up/load/

But, predictably, these have only led to one of two domains:

medicinepillsgroup.com
wichimedical.com

Both domains sit on a couple of IPs that are well known for housing fake meds domains, so this is also no surprise. You'd have thought they'd have switched to something a little less predictable by now.

91.205.74.218
IP PTR: 91-205-74-218.arpa.teredo.pl
ASN: 41508 91.205.72.0/22 PL-IWACOM-AS IWACOM Sp. z o.o.

37.230.212.19
IP PTR: Resolution failed
ASN: 2819 37.230.212.0/24 GTSCZ GTS NOVERA (GTS CZ)

The headers for these:

Return-Path: <ticket@enright.ie>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 11.439
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.439 tagged_above=-9999 required=1.3
tests=[BAYES_50=0.8, FH_FROMEML_NOTLD=1.082,
FSL_HELO_NON_FQDN_1=0.001, HELO_LOCALHOST=3.828, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.723, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_XBL=0.375,
RDNS_NONE=0.793, SPF_NEUTRAL=0.779, URIBL_WS_SURBL=1.608] autolearn=no
Subject: [SPAM]
Microsoft notification
From:
"Windows Live" <noreplay-live.com>
To: [REMOVED] <[REMOVED]>
List-Unsubscribe: <https://profile.live.com/options/notifications/>
X-HM-NotificationScenario: 33557
X-HM-SenderCID: -1953486829893903145
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Message-ID: <BAY0-OMC1-S52gfFwS5PzP9nC0E@bay0-omc1-s52.bay0.hotmail.com>
Date: Sun, 10 Jun 2012 18:13:52 -0700

*********************************************************************************************

Return-Path: <ticket@microj.com>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 10.143
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.143 tagged_above=-9999 required=1.3
tests=[BAYES_50=0.8, DATE_IN_FUTURE_06_12=1.947, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.723, RAZOR2_CF_RANGE_51_100=0.5,
RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=0.922, RCVD_IN_PSBL=2.7,
SPF_HELO_PASS=-0.001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from server.elsistech.com (server.elsistech.com [89.107.224.242])
by [REMOVED] (Postfix) with SMTP id 3A1A1398434
for <[REMOVED]>; Sun, 10 Jun 2012 17:14:43 +0100 (BST)
Subject: [SPAM]
Microsoft notification
From:
"Windows Live" <notification@live-windows.com>
To: [REMOVED] <[REMOVED]>
List-Unsubscribe: <https://profile.live.com/options/notifications/>
X-HM-NotificationScenario: 73015
X-HM-SenderCID: -6264914321449266347
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Message-ID: <BAY0-OMC1-S213s5SdYLcgyKvuz@bay0-omc1-s21.bay0.hotmail.com>
Date: Sun, 10 Jun 2012 19:11:21 -0700

*********************************************************************************************

Return-Path: <ticket@prohosting.com>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 10.714
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.714 tagged_above=-9999 required=1.3
tests=[BAYES_50=0.8, DATE_IN_FUTURE_06_12=1.947,
FH_FROMEML_NOTLD=1.082, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723,
RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,
RCVD_IN_PSBL=2.7, SPF_SOFTFAIL=0.665] autolearn=no
Received: from marvin.uplink.cz (marvin.uplink.cz [93.170.18.39])
by [REMOVED] (Postfix) with SMTP id 1A639398447
for <[REMOVED]>; Sun, 10 Jun 2012 18:27:26 +0100 (BST)
Subject: [SPAM]
Microsoft notification
From:
"Windows Live" <microsoft-notification.com>
To: [REMOVED] <[REMOVED]>
List-Unsubscribe: <https://profile.live.com/options/notifications/>
X-HM-NotificationScenario: 60062
X-HM-SenderCID: -735258105463640151
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Message-ID: <BAY0-OMC1-S29r5lxjG2Q0FvEq8@bay0-omc1-s29.bay0.hotmail.com>
Date: Sun, 10 Jun 2012 19:27:29 -0700

*********************************************************************************************

Return-Path: <ticket@classicbasements.ca>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 10.684
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.684 tagged_above=-9999 required=1.3
tests=[BAYES_50=0.8, FH_FROMEML_NOTLD=1.082, HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.723, RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_PSBL=2.7,
RCVD_IN_SBL=0.141, TO_NO_BRKTS_HTML_ONLY=1.022, T_SURBL_MULTI1=0.01,
URIBL_JP_SURBL=1.25, URIBL_WS_SURBL=1.608] autolearn=spam
Received: from servicios.qnet.com.pe (servicios.qnet.com.pe [200.31.110.166])
by [REMOVED] (Postfix) with SMTP id CFEFC39843D
for <[REMOVED]>; Sun, 10 Jun 2012 20:45:33 +0100 (BST)
Subject: [SPAM]
Microsoft notification
From:
"Windows Live" <noreplay-microsoft.com>
To: [REMOVED]
List-Unsubscribe: <https://profile.live.com/options/notifications/>
X-HM-NotificationScenario: 06570
X-HM-SenderCID: -9672573908892897013
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Message-ID: <BAY0-OMC1-S03zYqSFk5TR8rP9x@bay0-omc1-s03.bay0.hotmail.com>
Date: Sun, 10 Jun 2012 14:52:03 -0700

*********************************************************************************************

Return-Path: <ticket@tatraklubbrno.cz>
Delivered-To: [REMOVED]
X-Spam-Flag: YES
X-Spam-Score: 12.71
X-Spam-Level: ************
X-Spam-Status: Yes, score=12.71 tagged_above=-9999 required=1.3
tests=[BAYES_50=0.8, DATE_IN_FUTURE_06_12=1.947,
FH_FROMEML_NOTLD=1.082, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723,
RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
RAZOR2_CHECK=0.922, RCVD_IN_BRBL_LASTEXT=1.449,
RCVD_IN_SORBS_WEB=0.77, TO_NO_BRKTS_HTML_ONLY=1.022,
URIBL_WS_SURBL=1.608] autolearn=no
Received: from homenet.com.ua (homenet.com.ua [193.151.12.132])
by [REMOVED] (Postfix) with SMTP id B4A0A39843A
for <[REMOVED]>; Sun, 10 Jun 2012 21:55:35 +0100 (BST)
Subject: [SPAM]
Microsoft notification
From:
"Windows Live" <live-notification.com>
To: [REMOVED]
List-Unsubscribe: <https://profile.live.com/options/notifications/>
X-HM-NotificationScenario: 08952
X-HM-SenderCID: -679787259136459798
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Message-ID: <BAY0-OMC1-S36D1sIpIxGuwcn78@bay0-omc1-s36.bay0.hotmail.com>
Date: Sun, 10 Jun 2012 23:55:36 -0700
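The headers above share the same tells: a From address with no local part (which is what SpamAssassin's FH_FROMEML_NOTLD rule is scoring), a "Windows Live" display name on a domain Microsoft does not own, an envelope sender on yet another domain, a hotmail.com-style Message-ID handed in by an unrelated relay, and SPF/date rules firing. The script below is an added example written for this post, not code from hpHosts or any project mentioned here; it parses one of the header sets quoted above (recipient and receiving MX replaced with example.invalid placeholders) and tags each of those signs, alongside a constructed clean message for comparison. The BRAND_DOMAINS allowlist is an assumption, and the clean sample is made up.

```python
"""Header triage for the spoofed "Windows Live" notifications (added example,
not the post's own code). Tags the forgery signs visible in the quoted headers."""
import re
from email import message_from_string

# Assumption: domains a genuine Windows Live notification would be sent from.
BRAND_DOMAINS = ("microsoft.com", "live.com", "hotmail.com")
BRAND_WORDS = ("microsoft", "windows live", "hotmail")

ANGLE_RE = re.compile(r"<([^<>]*)>")
RECEIVED_RE = re.compile(r"\bfrom\s+([^\s(]+)", re.I)
TEST_RE = re.compile(r"([A-Z0-9_]+)=(-?\d+(?:\.\d+)?)")

# Constructed sample: one header set from the post, recipient and receiving MX
# replaced with example.invalid placeholders, HTML body omitted.
SAMPLE_SPOOF = """\
Return-Path: <ticket@prohosting.com>
X-Spam-Status: Yes, score=10.714 tagged_above=-9999 required=1.3
 tests=[BAYES_50=0.8, DATE_IN_FUTURE_06_12=1.947,
 FH_FROMEML_NOTLD=1.082, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723,
 RCVD_IN_BL_SPAMCOP_NET=1.347, RCVD_IN_BRBL_LASTEXT=1.449,
 RCVD_IN_PSBL=2.7, SPF_SOFTFAIL=0.665] autolearn=no
Received: from marvin.uplink.cz (marvin.uplink.cz [93.170.18.39])
 by mx.example.invalid (Postfix) with SMTP id 1A639398447
 for <victim@example.invalid>; Sun, 10 Jun 2012 18:27:26 +0100 (BST)
From:
 "Windows Live" <microsoft-notification.com>
Message-ID: <BAY0-OMC1-S29r5lxjG2Q0FvEq8@bay0-omc1-s29.bay0.hotmail.com>

"""

# Constructed clean counterpart: consistent domains, no brand words, SPF pass.
SAMPLE_CLEAN = """\
Return-Path: <bounce@example.org>
X-Spam-Status: No, score=0.0 required=1.3 tests=[HTML_MESSAGE=0.001, SPF_PASS=-0.001]
Received: from mail.example.org (mail.example.org [192.0.2.10])
 by mx.example.invalid (Postfix) with ESMTP id 00000000000
 for <victim@example.invalid>; Sun, 10 Jun 2012 12:00:00 +0100 (BST)
From: "Example Support" <support@example.org>
Message-ID: <abc123@mail.example.org>

"""

def unfold(value):
    """Collapse RFC 5322 header folding to a single line."""
    return " ".join(value.split())

def split_address(value):
    """Return (display name, address). Done by hand rather than with
    email.utils.parseaddr so a bare '<domain.tld>' comes back untouched."""
    value = unfold(value)
    match = ANGLE_RE.search(value)
    if not match:
        return "", value
    return value[: match.start()].strip().strip('"'), match.group(1).strip()

def domain_of(addr):
    """Domain of user@domain; the whole string when there is no '@'."""
    return addr.rpartition("@")[2].lower()

def is_brand_domain(domain):
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)

def parse_spam_tests(status):
    """Map SpamAssassin test names to their scores from an X-Spam-Status value."""
    match = re.search(r"tests=\[(.*?)\]", unfold(status))
    if not match:
        return {}
    return {name: float(score) for name, score in TEST_RE.findall(match.group(1))}

def triage(raw_headers):
    """Return a list of finding tags for one message's headers."""
    msg = message_from_string(raw_headers)
    findings = []
    display, from_addr = split_address(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    if "@" not in from_addr:  # e.g. <microsoft-notification.com>
        findings.append("from-no-local-part")
    if any(w in display.lower() for w in BRAND_WORDS) and not is_brand_domain(from_dom):
        findings.append("brand-name-off-brand-domain")
    _, env_sender = split_address(msg.get("Return-Path", ""))
    if env_sender and domain_of(env_sender) != from_dom:
        findings.append("return-path-domain-mismatch")
    _, msgid = split_address(msg.get("Message-ID", ""))
    received = msg.get_all("Received") or []
    hop = RECEIVED_RE.search(unfold(received[0])) if received else None
    relay = hop.group(1).lower() if hop else ""
    if is_brand_domain(domain_of(msgid)) and not is_brand_domain(relay):
        findings.append("brand-message-id-via-foreign-relay")
    for name in parse_spam_tests(msg.get("X-Spam-Status", "")):
        if name.startswith("DATE_IN_FUTURE") or (
            name.startswith("SPF_") and not name.endswith("_PASS")
        ):
            findings.append("sa:" + name)
    return findings

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("clean", SAMPLE_CLEAN)):
        print(label, triage(sample) or ["no findings"])
```

The Message-ID check is the one worth keeping in mind for the other four: every sample carries a bay0.hotmail.com Message-ID, yet the only Microsoft property in any of them is the List-Unsubscribe URL, and the first Received hop is a compromised or open relay elsewhere. A brand-shaped Message-ID from a foreign relay is a cheap signal that survives the sender rotating Return-Path and From domains.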
