[Dshield] OT China Connection ?

Parish, Sandy Sandy_Parish at mcafee.com
Wed May 8 20:52:42 GMT 2002

You might be interested in SpamKiller, recently acquired by McAfee.com.  It
blocks Spam by examining the subject, content, message header, and country
code for trigger words or phrases commonly found in Spam.  It sends a false
"bounced" message back to the Spammer, so the Spammer will scrub you from
their list.  It tracks the spam back to the source ISP and sends complaint
e-mails to the Spammer's service provider.

Check out the press release at

Check out SpamKiller at http://www.mcafee.com.  

Also, the updated McAfee.com PrivacyService application should help keep the
kids off the porn sites.


-----Original Message-----
From: Daniels566 at cs.com [mailto:Daniels566 at cs.com] 
Sent: Wednesday, May 08, 2002 1:18 PM
To: list at dshield.org
Subject: [Dshield] OT China Connection ?

Hello everyone, thought this might be of some interest. I received this in
mail today and one similar a little while back.  I'm pretty much cut off
spam but once in a while a couple get through. These intrigued me enough to
do a little snooping. (I'm trying to see the connection.)
What I'm feeling is that China is becoming a universal mail hub to launch
spam and whatever. I could be wrong? Asia, the Netherlands and Oregon
are what I perceive to be hot beds of activity and when I snoop they know
I've been there. My resources start dropping as my security stuff start
Also got one from this address (mary2658u27 at swbell.net, pushing kinky
sites). Had pics that my daughter or most people shouldn't see. My wife and
daughter are members of a pet rescue and pet foster parent organization, I'm
going to try and nail this one.
Anyway, I thought this might bring a little insight, because innovations are
constantly changing and I could see all your machines one day possibly

John Daniels
Look no farther than your nose and you'll always know it's not your fault.

My received E-mail as follows:

Subj: 32 Million Addresses will EXPLODE your Business! 
Date: 5/8/02 8:18:14 AM Eastern Daylight Time 
From:    daume91 at adera.se
To:    beaulah
excerpt > We're offering this highly deliverable, quality list which would
normally sell for over $500.00, for a limited time for ONLY $289 !!

Looked up:
http://www.adera.se    (It's a Swedish IT business site)

Traced >
Results Network:
inetnum: -
netname:     CNCNET
descr:       China Netcom Corp.
descr:       New Telecommunication Carrier Based on IP Backbone
country:     CN
admin-c:     ZM28-AP
tech-c:      ZM28-AP
remarks:     This is a replacement object as they have four /17
remarks:     objects in this range so we make it to one /15.
mnt-by:      APNIC-HM
mnt-lower:   MAINT-CN-ZM28
changed:     hostmaster at apnic.net 20000314
changed:     hostmaster at apnic.net 20000627
changed:     hostmaster at apnic.net 20001011
changed:     hostmaster at apnic.net 20020130
source:      APNIC

person:      Zhao Mingqun
address:     9/F, Building A, Corporate Square, No. 35 Financial Street,
address:     Xicheng District, Beijing 100032, P.R.China
country:     CN
phone:       +86-10-86011588
fax-no:      +86-10-88091446
e-mail:      tech-group at china-netcom.com
nic-hdl:     ZM28-AP
mnt-by:      MAINT-CN-ZM28
changed:     zhaomq at china-netcom.com 20010922
source:      APNIC

Next Trace >
Southwestern Bell Internet Services, Inc. (SWBELL2-DOM)
   1651 N. Collins Suite 200
   Richardson, TX 75080

   Domain Name: SWBELL.NET

   Administrative Contact, Technical Contact:
      Southwestern Bell Internet NetCenter  (SB703-ORG)  noc at SWBELL.NET
      1701 Alma Drive
      Plano, TX  75075
      1800-708-INET (708-4638)
      Fax- 000-000-0000

Little Rock Regional Chamber of Commerce (NETBLK-SBCIS-1001117-16114)
   200 E Markham
   Little Rock, AR 72201

   Netname: SBCIS-1001117-16114
   Netblock: -

      Southwestern Bell Internet Services  (ZS44-ARIN)  ipadmin at swbell.net

   Record last updated on 18-Nov-2000.
   Database last updated on  7-May-2002 20:01:18 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

----------------------- Headers --------------------------------
Return-Path: <daume91 at adera.se>
Received: from  rly-za02.mx.aol.com (rly-za02.mail.aol.com [])
air-za02.mail.aol.com (v84.16) with ESMTP id MAILINZA22-0508081814; Wed, 08 
May 2002 08:18:14 -0400
Received: from  cysgzu.gd-choyang.com ([]) by 
rly-za02.mx.aol.com (v85.3) with ESMTP id MAILRELAYINZA21-0508081753; Wed,
May 2002 08:17:53 -0400
Received: from mail.hydra.com.br (unverified []) by 
(Rockliffe SMTPRA 4.2.4) with ESMTP id <B0001521495 at cysgzu.gd-choyang.com>;
Wed, 8 May 2002 19:08:55 +0800
Message-ID: <000048f54f78$0000693b$00006f25 at mail178.pair.com>
To: <beaulah>
From: daume91 at adera.se
Subject: 32 Million Addresses will EXPLODE your Business!
Date: Wed, 08 May 2002 09:27:24 -1600
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

Earlier Received E-mail as follows:

Subj: ADV:Harvest lots of Target Email address quickly 
Date: 4/21/02 1:09:00 PM Eastern Daylight Time 
From:    rose at etang.com
To:    daniels566 at cs.com

 Want To Get A Lot Of Target Email   Addresses In A Very Short Time? 
Target Email Extractor is  a  powerful  Email  Software that  harvests
Email Addresses from search engines, any specified starting URLs , including
cgi , asp pages etc.
It Quickly and automatically search and spider from search engine, any 
specified starting URLs to find and extract e-mail addresses

Fast Search Ability. Nearly can find thousands of e-mail addresses in an 
hour, allowing up to 500 simultaneous search threads!

----> ( I like this part )
Helpful for anyone for internet Email marketing purposes.

Download links:
I left out the trace on http://www.wldinfo.com and http://bestsoft.3322.org/
they're the same and in Chinese.

-----> ( This  part is great I'm looking for the punch line)   
We are strongly against continuously sending unsolicited emails to those who
do not wish to receive our special mailings. We have attained the services
an independent 3rd party to overlook list management and removal services. 
This is not unsolicited email. If you do not wish to receive further 
mailings, please click this link 
http://www.autoemailremoval.com/cgi-bin/remove.pl . Auto Email Removal 
Company. Ref# 01222263545

------> ( The clincher! )
This message is a commercial advertisement. It is compliant with all federal
and state laws regarding email messages including the California Business
Professions Code. We have provided the subject line "ADV" to provide you 
notification that this is a commercial advertisement for persons over 18yrs 

Looked up http://www.etang.com/ (Chinese site)

Net trace >  (Chinanet-zj)
 Rights restricted by copyright. See

inetnum: -
netname:     CHINANET-ZJ
descr:       CHINANET Zhejiang province network
descr:       Data Communication Division
descr:       China Telecom
country:     CN
admin-c:     CH93-AP
tech-c:      YC30-AP
mnt-by:      MAINT-CHINANET
mnt-lower:   MAINT-CHINANET-ZJ
changed:     hostmaster at ns.chinanet.cn.net 20000101
source:      APNIC

person:      Chinanet Hostmaster
address:     A12,Xin-Jie-Kou-Wai Street
country:     CN
phone:       +86-10-62370437
fax-no:      +86-10-62053995
e-mail:      hostmaster at ns.chinanet.cn.net
nic-hdl:     CH93-AP
mnt-by:      MAINT-CHINANET
changed:     hostmaster at ns.chinanet.cn.net 20000101
source:      APNIC

person:      YICHUN WANG
country:     CN
phone:       +86-571-7015441
fax-no:      +86-571-7015514
e-mail:      ycwang at dcb.hz.zj.cn
nic-hdl:     YC30-AP
mnt-by:      MAINT-CHINANET-ZJ
changed:     ycwang at dcb.hz.zj.cn 20000328
source:      APNIC

Traced > Same network as above.

----------------------- Headers --------------------------------
Return-Path: <rose at etang.com>
Received: from  rly-zd05.mx.aol.com (rly-zd05.mail.aol.com []) 
by air-zd01.mail.aol.com (v84.10) with ESMTP id MAILINZD14-0421130900; Sun, 
21 Apr 2002 13:09:00 -0400
Received: from  mail.qzptt.zj.cn ([]) by rly-zd05.mx.aol.com 
(v85.3) with ESMTP id MAILRELAYINZD510-0421130850; Sun, 21 Apr 2002 13:08:50

Received: from html([]) by mail.qzptt.zj.cn(JetMail
    with SMTP id jm473cc32a54; Sun, 21 Apr 2002 17:07:46 -0000
From: rose at etang.com
To: daniels566 at cs.com
Subject: ADV:Harvest lots of Target Email address quickly
Date: Mon, 22 Apr 2002 01:09:07
Mime-Version: 1.0
Content-Type: text/html; charset="DEFAULT_CHARSET"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Message-ID: <200204211308.10NoVTGa18972 at rly-zd05.mx.aol.com>

[[ Attachement of type text/html deleted]]
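
Added example, not part of either poster's message: the tracing done by hand above comes down to finding the one Received hop written by the recipient's own provider about an outside host, since that is the address worth a whois lookup and everything below it is sender-supplied. The sample is constructed from the first header set in the post; the archive stripped the IPs, so RFC 5737 documentation addresses stand in, and `TRUSTED` is an assumption about which servers the recipient trusts.

```python
import re
from email import message_from_string

# Constructed sample modelled on the first header set in the post. The archive
# stripped the IPs, so RFC 5737 documentation addresses stand in for them.
SAMPLE = """\
Received: from rly-za02.mx.aol.com (rly-za02.mail.aol.com [192.0.2.10]) by
 air-za02.mail.aol.com (v84.16) with ESMTP id MAILINZA22-0508081814; Wed, 08
 May 2002 08:18:14 -0400
Received: from cysgzu.gd-choyang.com ([198.51.100.7]) by
 rly-za02.mx.aol.com (v85.3) with ESMTP id MAILRELAYINZA21-0508081753; Wed,
 08 May 2002 08:17:53 -0400
Received: from mail.hydra.com.br (unverified [203.0.113.5]) by
 (Rockliffe SMTPRA 4.2.4) with ESMTP; Wed, 8 May 2002 19:08:55 +0800
Subject: 32 Million Addresses will EXPLODE your Business!
Date: Wed, 08 May 2002 09:27:24 -1600

(body omitted)
"""
TRUSTED = (".aol.com",)  # assumption: suffix of the recipient's own mail provider
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)(?:\s+by\s+([\w.-]+))?")

def parse_hops(raw):
    """Return the Received hops, newest first, as dicts."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            ip = re.search(r"\[([^\]]*)\]", m.group(2))
            hops.append({"helo": m.group(1), "by": m.group(3),
                         "ip": ip.group(1) if ip and ip.group(1) else None,
                         "unverified": "unverified" in m.group(2)})
    return hops

def handoff(hops):
    """Index of the hop where a trusted server accepted mail from an outside host."""
    for i, h in enumerate(hops):
        if h["by"] and h["by"].endswith(TRUSTED) and not h["helo"].endswith(TRUSTED):
            return i
    return None

def date_offset_ok(raw):
    """False when the Date header has no UTC offset or one outside -1200..+1400."""
    m = re.search(r"([+-])(\d{2})(\d{2})\s*$", message_from_string(raw)["Date"] or "")
    if not m:
        return False
    minutes = int(m.group(2)) * 60 + int(m.group(3))
    return int(m.group(3)) < 60 and minutes <= (14 * 60 if m.group(1) == "+" else 12 * 60)

if __name__ == "__main__":
    hops = parse_hops(SAMPLE)
    i = handoff(hops)
    print("whois this address:", hops[i]["ip"], "claimed name:", hops[i]["helo"])
    print("forgeable hops below the handoff:", [h["helo"] for h in hops[i + 1:]])
    print("Date offset plausible:", date_offset_ok(SAMPLE))
```

A hop whose brackets are empty, as in the archived copy, parses with `ip` set to `None` rather than raising.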
