Re: Nike shoes and beautiful handbags on www.china-seller.com!
- From: Larry Dighera <LDighera@xxxxxxx>
- Date: Fri, 11 Jan 2008 22:05:43 GMT
On Fri, 11 Jan 2008 11:46:53 -0800, "gatt" <admin@xxxxxxxxxxxxxxxxxx>
wrote in <13ofhs5e5h50b95@xxxxxxxxxxxxxxxxxx>:
> Forward complaints to the following:
> abuse@xxxxxxxxxxxxxx; abuse@xxxxxxxxx; abuse@xxxxxxx;
> about@xxxxxxxxxxxxxxxx; abuse@xxxxxxxxxxxxxx
> www.china-seller.com is 67.210.100.3, which traces through att.net to
> marquisnet.com. Marquisnet.com is a colocation/hosting facility out of
> Las Vegas so authority for that IP is not offshore. China-seller.com is
> hosted by lundarmania.com, which unfortunately is a company in China, but
> the authoritative e-mail address for the domain is sky_player@xxxxxxx, who
> will very shortly begin receiving hardcore gay sex personals and
> anti-Chinese-government e-mails.
> -c
That's a good way to alert the spammer's ISP that his system is being
used to propagate spam.
Here is the header of the spam message:
Path: bgtnsc05-news.ops.worldnet.att.net!wnmaster11!wns14feed!worldnet.att.net!64.192.187.27!news.glorb.com!postnews.google.com!t1g2000pra.googlegroups.com!not-for-mail
From: "www.china-seller.com" <baobeifengfeng@xxxxxxxxx>
Newsgroups: rec.aviation.piloting
Subject: Nike shoes and beautiful handbags on www.china-seller.com!
Date: Fri, 11 Jan 2008 10:29:26 -0800 (PST)
Organization: http://groups.google.com
Message-ID: <02232a11-9ce2-407c-99c3-9c91b0ad57f5@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
NNTP-Posting-Host: 125.45.98.60
X-Trace: posting.google.com 1200076166 9468 127.0.0.1 (11 Jan 2008 18:29:26 GMT)
X-Complaints-To: groups-abuse@xxxxxxxxxx
NNTP-Posting-Date: Fri, 11 Jan 2008 18:29:26 +0000 (UTC)
Complaints-To: groups-abuse@xxxxxxxxxx
Injection-Info: t1g2000pra.googlegroups.com; posting-host=125.45.98.60; posting-account=CUsvmwoAAADGALXPwMd5pdr2vO_zzX9J
So given: NNTP-Posting-Host: 125.45.98.60
Nslookup resolves that IP address to:
Name: hn.kd.ny.adsl
Address: 125.45.98.60
Whois provides this record:
125.45.98.60
Record Type: IP Address
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 125.0.0.0 - 125.255.255.255
CIDR: 125.0.0.0/8
NetName: APNIC-125
NetHandle: NET-125-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
RegDate: 2005-01-27
Updated: 2005-05-20
OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: search-apnic-not-arin@xxxxxxxxx
An IP address search (125.45.98.60) here:
http://wq.apnic.net/apnic-bin/whois.pl provides this information:
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 125.40.0.0 - 125.47.255.255
netname: CNCGROUP-HA
descr: CNCGROUP Henan province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
admin-c: CH455-AP
tech-c: WW444-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-HA
mnt-routes: MAINT-CNCGROUP-RR
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@xxxxxxxxx 20051011
changed: hm-changed@xxxxxxxxx 20051020
source: APNIC
route: 125.40.0.0/13
descr: CNC Group CHINA169 Henan Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@xxxxxxxxxxx 20060118
source: APNIC
role: CNCGroup Hostmaster
e-mail: abuse@xxxxxxxxxxx
address: No.156,Fu-Xing-Men-Nei Street,
address: Beijing,100031,P.R.China
nic-hdl: CH455-AP
phone: +86-10-82993155
fax-no: +86-10-82993102
country: CN
admin-c: CH444-AP
tech-c: CH444-AP
changed: abuse@xxxxxxxxxxx 20041119
mnt-by: MAINT-CNCGROUP
source: APNIC
person: Wei Wang
nic-hdl: WW444-AP
e-mail: abuse@xxxxxxxxxxxxxxx
address: #37 Wei Wu Road, Zhengzhou, Henan Provice
phone: +86-371-65952358
fax-no: +86-371-65968952
country: CN
changed: wangw@xxxxxxxxxxxxx 20060205
mnt-by: MAINT-CNCGROUP-HA
source: APNIC
So although the information you provided gives information about the
site for whom the spam is intended to advertise, if you want to
contact the ISP whom the spammer apparently used to inject his message
through GoogleGroups, this would be the appropriate e-mail address:
abuse@xxxxxxxxxxx
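The lookup chain walked through in this post (posting host from the article header, then the registry record covering it, then that record's contact objects), as an added example that is not part of the original message. The sample header and whois text are constructed from the quoted ones; the *.example addresses, contact names and function names are assumptions.

```python
import ipaddress
import re

# Constructed samples modelled on the quoted header and APNIC reply (placeholder contacts).
HEADERS = """\
NNTP-Posting-Host: 125.45.98.60
Injection-Info: t1g2000pra.googlegroups.com;
 posting-host=125.45.98.60;
 posting-account=CUsvmwoAAADGALXPwMd5pdr2vO_zzX9J
"""
WHOIS = """\
inetnum: 125.40.0.0 - 125.47.255.255
admin-c: CH455-AP
tech-c: WW444-AP

role: Constructed Hostmaster
e-mail: abuse@isp.example
nic-hdl: CH455-AP

person: Constructed Contact
e-mail: abuse@regional.example
nic-hdl: WW444-AP
"""

def unfold(raw):
    """Parse headers into a dict, joining folded continuation lines first."""
    lines = re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()
    return {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines)}

def posting_host(headers):
    """Injecting IP; None if the two headers disagree or it is not public."""
    m = re.search(r"posting-host=([0-9A-Fa-f.:]+)", headers.get("injection-info", ""))
    seen = {headers.get("nntp-posting-host"), m.group(1) if m else None} - {None}
    if len(seen) != 1:
        return None
    ip = ipaddress.ip_address(seen.pop())
    return ip if ip.is_global else None

def abuse_contacts(whois_text, ip):
    """E-mails of the admin-c/tech-c objects of the inetnum that covers ip."""
    objs = [[tuple(p.strip() for p in l.split(":", 1))
             for l in b.splitlines() if ":" in l and l[0] != "%"]
            for b in re.split(r"\n\s*\n", whois_text.strip())]
    by_handle = {v: o for o in objs for k, v in o if k == "nic-hdl"}
    emails = []
    for o in (o for o in objs if o and o[0][0] == "inetnum"):
        lo, hi = (ipaddress.ip_address(x.strip()) for x in o[0][1].split("-"))
        if lo <= ip <= hi:
            emails += [v for h in o if h[0] in ("admin-c", "tech-c")
                       for k, v in by_handle.get(h[1], []) if k == "e-mail"]
    return emails
```

The posting host is accepted only when NNTP-Posting-Host and the posting-host field of Injection-Info agree, so a complaint is not sent on the strength of a single inconsistent header.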