[SURBL-Discuss] Joe Wein has a new friend?

List Mail User track at Plectere.com
Mon Jul 25 07:58:29 CEST 2005


>...
>
>FWIW Joe's getting jobbed:
>__
>
>Return-Path: <bouteille at kinki-kids.com>
>Received: from dbzmail.com ([61.85.57.209])
>        by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677
>        for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)
>Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92])
>        by dbzmail.com (Postfix) with ESMTP id E5A841602F
>        for <x>; Sun, 24 Jul 2005 00:39:14 -0500
>From: "Ambulance U. Descant" <bouteille at kinki-kids.com>
>To: Info <x>
>Subject: Hi dear
>Date: Sun, 24 Jul 2005 00:39:14 -0500
>Message-ID: <100101c59012$879febec$06412c2e at kinki-kids.com>
>MIME-Version: 1.0
>Content-Type: text/plain
>Content-Transfer-Encoding: 7bit
>X-Priority: 3 (Normal)
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook, Build 10.0.2605
>Importance: Normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
>X-GMX-Antivirus: 0 (no virus found)
>X-UIDL: K,H!!c%?"!Fde!!XT9"!
>
>Hi
>Try jwSpamSpy, our spam filter for POP3 mailboxes. 
>We use it to track spammers and scammers. 
>Free full featured 30 day evaluation version available!
>
>http://www.joewein.de/
>
>...

	kinki-kids.com is actually a quite legitimate Outblaze customer.
Every forgery of it I have seen is for CP or at least "std." pornography.
So maybe Joe can guess at who he pissed off.  The sender's IP 61.85.57.209
seems to be a compromised Windows box on DSL at Kornet - dynamic address
too.  The IP is only listed at five-ten, SORBS, NOMOREFUNN, and NJABL;
in other words, not really listed or listable (except as dynamic or for
full Korean blockage).  If it is still the same machine connected at that
IP, the entrance was probably the wide open UPnP port or the IIS running.
Backdoor installed on port 123 (ntp) UDP - machine is "0wn3d".  Also, the
routing takes an "interesting" side trip by way of Kornet -> TONEK (China)
then back -> Kornet.  Maybe a very good hack at the router level (AS4766 to
AS17431 back to AS4766) - not many people capable of that.

	I doubt many people running any BLs would list Joe.


	Paul Shupak
	track at plectere.com
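The analysis above rests on reading the Received chain correctly: the topmost Received line was written by the recipient's own MX (smtp1.supranet.net) and records the IP that actually connected, 61.85.57.209, while the line below it, claiming a hop from kinki-kids.com via Outblaze, was supplied by that same connecting host and proves nothing. The following Python is an added example, not code from the post or from any of the tools it mentions. It unfolds the quoted headers (constructed here as a sample, with the archive's " at " obfuscation replaced by "@"), walks the chain to the first hop recorded by a trusted receiver, separates verified from sender-claimed hops, and builds the reversed-octet query name a DNSBL lookup would use. The trusted host name and the `dnsbl.example` zone are assumptions.

```python
import re

# Constructed sample: the headers from the forged message quoted in the post,
# in header order (topmost = most recently added). Addresses de-obfuscated.
SAMPLE_HEADERS = """Return-Path: <bouteille@kinki-kids.com>
Received: from dbzmail.com ([61.85.57.209])
        by smtp1.supranet.net (8.12.10/8.12.10) with SMTP id j6P3ZTlx009677
        for <x>; Sun, 24 Jul 2005 22:35:30 -0500 (CDT)
Received: from kinki-kids.com (kinki-kids-com-bk.mr.outblaze.com [64.62.181.92])
        by dbzmail.com (Postfix) with ESMTP id E5A841602F
        for <x>; Sun, 24 Jul 2005 00:39:14 -0500
From: "Ambulance U. Descant" <bouteille@kinki-kids.com>
Subject: Hi dear
"""

# Assumption: host names of our own MX servers, whose Received lines we trust.
TRUSTED_RECEIVERS = {"smtp1.supranet.net"}

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"          # name the connecting host claimed in HELO/EHLO
    r"(?:\s+\((?P<paren>[^)]*)\))?"   # optional "(rdns [ip])" or "([ip])" added by the receiver
    r".*?\bby\s+(?P<by>\S+)",         # the host that wrote this Received line
    re.S,
)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def unfold_headers(raw):
    """Join RFC 2822 folded continuation lines; return (name, value) pairs in order."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    pairs = []
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def parse_received(value):
    """Extract HELO name, receiver-observed rDNS and IP, and the writing host."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    paren = m.group("paren") or ""
    ip_match = IP_RE.search(paren)
    rdns = paren.split()[0] if paren and not paren.startswith("[") else None
    return {
        "helo": m.group("helo"),
        "rdns": rdns,
        "ip": ip_match.group(1) if ip_match else None,
        "by": m.group("by"),
    }


def assess(raw, trusted=TRUSTED_RECEIVERS):
    """Split the Received chain at the first trusted hop.

    Headers are read top-down. Every Received line below the first one written
    by a host we trust was handed to us by the sender and may be forged, so the
    only IP we can act on is the one the trusted hop recorded.
    """
    pairs = unfold_headers(raw)
    hops = [h for n, v in pairs if n.lower() == "received" for h in [parse_received(v)] if h]
    from_value = next((v for n, v in pairs if n.lower() == "from"), "")
    dom = re.search(r"@([\w.-]+)>?", from_value)
    report = {"origin_ip": None, "origin_helo": None, "claimed_hops": hops,
              "from_domain": dom.group(1) if dom else None}
    for i, hop in enumerate(hops):
        if hop["by"] in trusted:
            report["origin_ip"] = hop["ip"]
            report["origin_helo"] = hop["helo"]
            report["claimed_hops"] = hops[i + 1:]
            break
    return report


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL lookup queries (no lookup is done here)."""
    octets = ip.split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    r = assess(SAMPLE_HEADERS)
    print("connecting IP (verified):", r["origin_ip"], "HELO", r["origin_helo"])
    print("sender-claimed hops (unverifiable):", r["claimed_hops"])
    print("DNSBL query:", dnsbl_query_name(r["origin_ip"], "dnsbl.example"))
```

Run against the sample, the verified origin is 61.85.57.209 with HELO dbzmail.com, and the Outblaze hop for kinki-kids.com ends up in the unverifiable list, which is exactly why the forgery says nothing about that domain's reputation.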


