Author Topic: brain dead abuse contacts (mailbox full, not reachable, classified as spam ..)  (Read 18966 times)

0 Members and 2 Guests are viewing this topic.

July 29, 2010, 11:51:01 am
Read 18966 times

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
以下的邮岨:

> > 日期: Thu, 29 Jul 2010 13:33:02 +0200
> > 主题: [clean-mx-viruses-613902](61.191.54.50)-->(abuse@ah163.com) viruses sites (5  so far) within your network, please close them!
> > 庴小: 7447 bytes 字溭
> > 动作: 失败
没有能够发送禍以下的收岨人:

 abuse "(8), ErrMsg=Mailbox space not enough (space limit is 102400KB). Size of arriving mail (1KB) exceeds free space (0KB)."

不会再有任何动作缼尝试发送你的邮岨了。 请联系你的系统管理员或先蜌过其它非电子邮岨的窚蕼向你的朋友发送信息以免耽误。


original.eml
Betreff:
[clean-mx-viruses-613902](61.191.54.50)-->(abuse@ah163.com) viruses sites (5 so far) within your network, please close them! status: As of 2010-07-29 13:33:02 CEST
Von:
abuse@clean-mx.de
Datum:
Thu, 29 Jul 2010 13:33:02 +0200
An:
abuse@ah163.com
Received:
from relayn.netpilot.net([10.1.7.2]) by ah163.com(AIMC 3.1.0.0) with SMTP id jm254c5180c9; Thu, 29 Jul 2010 19:36:03 +0800
Received:
from relayn.netpilot.net([62.67.240.20]) by aisp.com(AIMC 2.9.5.4) with SMTP id AISP action; Thr, 29 Jul 2010 19:36:03 +0800
Received:
from relayn.netpilot.net (localhost [127.0.0.1]) by relayn.netpilot.net (Postfix) with ESMTP id CC6F01EB0071 for <abuse@ah163.com>; Thu, 29 Jul 2010 13:46:15 +0200 (CEST)
DKIM-Signature:
v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; s=sel; bh=6+ a0P9d9/AS+jlz7RmGlNYZGEMw=; b=umBgH7rT1hvzQ3saXbNjhTClqS6pS65C6C cOeNT6tp7PczljEg/8bW/5zVWiipjlbQ+qEXdOXWuk0HPSB6yoPMkf/DOjRhvlZz PSE2DkfzEXBee7y7Zv2aoBwlgcbswobE9+48KR6mn6WTVDaPf63Mf1vTCkHNpWQg Q2zv9+YBE=
DomainKey-Signature:
a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b= lYxDeEuib+Bn87ebquO7kh7rFNeuL0sRoCruVV+qMKsNi3w9Gbra9j/1lHXHSh5D IDYXNP7TnBxJPlLPxdzGqJ1m30Zin+CXMqjWvo/L/2S7VIq/cUXFqtoL3P65RWtA HOdRIz83/b6RNQpyF+GkzCA6MiSHLr8cOwrUgqthcl4=
Received:
from dbserv.netpilot.net (unknown [195.214.79.22]) by localhost (Postfix) with ESMTP id 8C9A21EB0051 for <abuse@ah163.com>; Thu, 29 Jul 2010 11:46:15 +0000 (UTC)
Precedence:
bulk
MIME-Version:
1.0
X-Mailer:
clean mx secure mailer
X-Virus-Scanned:
by netpilot GmbH at clean-mx.de
Nachricht-ID:
<20100729.1280403182@dbserv.netpilot.net>
content-Type:
multipart/signed; boundary="----------=_1280403975-25182-13531"; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-AIMC-AUTH:
(null)
X-AIMC-MAILFROM:
abuse@clean-mx.de
X-AIMC-Msg-ID:
qKJZ1eYB

Dear abuse team,

please help to close these offending viruses sites(5) so far.

status: As of 2010-07-29 13:33:02 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=abuse@ah163.com&response=alive

(for full uri, please scroll to the right end ...


We detected many active cases dated back to 2007, so please look at the date column below.
You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=61.191.54.50

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

|date            |id   |virusname   |ip      |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2010-06-30 20:22:35 CEST   |613902   |unknown_html   |61.191.54.50   |61.191.54.50   |http://61.191.54.50:8080/sogou/sogoujhfc.php?id=3
|2010-06-30 20:22:35 CEST   |613903   |unknown_html   |61.191.54.50   |61.191.54.50   |http://61.191.54.50:8080/sogou/sogoujhfc.php?id=5
|2010-06-30 20:22:35 CEST   |613904   |unknown_html   |61.191.54.50   |61.191.54.50   |http://61.191.54.50:8080/sogou/sogoujhfc.php?id=7
|2010-07-02 20:09:00 CEST   |615520   |unknown_html   |61.191.54.50   |61.191.54.50   |http://61.191.54.50:8080/sogou/sogoujhfc.php?id=10
|2010-07-02 20:09:00 CEST   |615521   |unknown_html   |61.191.54.50   |61.191.54.50   |http://61.191.54.50:8080/sogou/sogoujhfc.php?id=9
+-----------------------------------------------------------------------------------------------


Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case

explanation of virusnames:
==========================
unknown_html_RFI_php   not yet detected by scanners as RFI, but pure php code for injection
unknown_html_RFI_perl   not yet detected by scanners as RFI, but pure perl code for injection
unknown_html_RFI_eval   not yet detected by scanners as RFI, but suspect javascript obfuscationg evals
unknown_html_RFI   not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
unknown_html   not yet detected by scanners as RFI, but suspious, may be in rare case false positive
unknown_exe   not yet detected by scanners as malware, but high risk!
all other names   malwarename detected by scanners
==========================


yours

Gerhard W. Recher
(Gesch鋐tsf黨rer)

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 M黱chen

Tel: ++49 89 547182 0
Fax: ++49 89 547182 33
GSM: ++49 171 4802507

Handelsregister M黱chen: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc

July 29, 2010, 11:51:43 am
Reply #1

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
以下的邮岨:

> > 日期: Thu, 29 Jul 2010 13:32:38 +0200
> > 主题: [clean-mx-viruses-470466](61.176.222.143)-->(abuse@online.ln.cn) viruses sites (4  so far) within your network, please close th
> > 庴小: 7282 bytes 字溭
> > 动作: 失败
没有能够发送禍以下的收岨人:

 abuse "(5), ErrMsg=Mailbox space not enough (space limit is 102400KB). Size of arriving mail (1KB) exceeds free space (0KB)."

不会再有任何动作缼尝试发送你的邮岨了。 请联系你的系统管理员或先蜌过其它非电子邮岨的窚蕼向你的朋友发送信息以免耽误。


original.eml
Betreff:
[clean-mx-viruses-470466](61.176.222.143)-->(abuse@online.ln.cn) viruses sites (4 so far) within your network, please close them! status: As of 2010-07-29 13:32:38 CEST
Von:
abuse@clean-mx.de
Datum:
Thu, 29 Jul 2010 13:32:38 +0200
An:
abuse@online.ln.cn
Received:
from relayn.netpilot.net([10.1.1.7]) by online.ln.cn(AIMC 3.1.0.0) with SMTP id jm64c51acfb; Thu, 29 Jul 2010 19:43:36 +0800
Received:
from relayn.netpilot.net([62.67.240.20]) by online.ln.cn(AIMC 2.9.5.4) with SMTP id AISP action; Thr, 29 Jul 2010 19:43:36 +0800
Received:
from relayn.netpilot.net (localhost [127.0.0.1]) by relayn.netpilot.net (Postfix) with ESMTP id 996F21EB0004 for <abuse@online.ln.cn>; Thu, 29 Jul 2010 13:44:03 +0200 (CEST)
DKIM-Signature:
v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; s=sel; bh=yW ImKgfpEX8LsWKSE7tzbtfD1vI=; b=OGSZd0hEJIraTiDMhyqmEfhFbk824tLS/y 9FpuJZ/qHxa7d270G430QPEf+lAHCqkOvPBGzpycbrNoN7THiFjniTgTcEpLOS2T nNVhtXzRonlKFgY7tAEcNpQ0p0F4gf+7yhvdHiep4j+B0KxCYVBNOU9iu/IDfOVJ 1X/3PEeN8=
DomainKey-Signature:
a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b= wSgpuCHIanM8Q61HCipo+DaO+o77Z3vSLeEXzDZhDoSetv6wd3B9iT3y64XwipPj aQ8ARSiTuAGu/6cuJTDhBlRHZPD3Cw7rSe+Aql5r9i4XCK7TQmklaMc31Zsxt553 MQVLs25FhHOABjBaxGEoA3ftZ40zoqtjZNoR7thKK4U=
Received:
from dbserv.netpilot.net (unknown [195.214.79.22]) by localhost (Postfix) with ESMTP id 766D21EB00B1 for <abuse@online.ln.cn>; Thu, 29 Jul 2010 11:44:03 +0000 (UTC)
Precedence:
bulk
MIME-Version:
1.0
X-Mailer:
clean mx secure mailer
X-Virus-Scanned:
by netpilot GmbH at clean-mx.de
Nachricht-ID:
<20100729.1280403158@dbserv.netpilot.net>
content-Type:
multipart/signed; boundary="----------=_1280403843-25182-13239"; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-AIMC-AUTH:
(null)
X-AIMC-MAILFROM:
abuse@clean-mx.de
X-AIMC-Msg-ID:
BZ261eYB

Dear abuse team,

please help to close these offending viruses sites(4) so far.

status: As of 2010-07-29 13:32:38 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=abuse@online.ln.cn&response=alive

(for full uri, please scroll to the right end ...


We detected many active cases dated back to 2007, so please look at the date column below.
You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=61.176.222.143

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

|date            |id   |virusname   |ip      |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2010-03-23 05:46:40 CET   |470466   |unknown_html_google_malware   |61.176.222.143   |bz521.com   |http://www.bz521.com/
|2010-03-23 12:05:40 CET   |470713   |TR/Dldr.Banload.axov   |61.176.222.143   |bz521.com   |http://www.bz521.com/dlq.rar
|2010-05-31 00:29:41 CEST   |584304   |unknown_html_google_malware   |61.176.222.143   |bz521.com   |http://www.bz521.com
|2010-07-14 06:43:11 CEST   |620662   |PUA.HTML.Infected.WebPage-1   |61.176.222.143   |sfok.net   |http://www.sfok.net/
+-----------------------------------------------------------------------------------------------


Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case

explanation of virusnames:
==========================
unknown_html_RFI_php   not yet detected by scanners as RFI, but pure php code for injection
unknown_html_RFI_perl   not yet detected by scanners as RFI, but pure perl code for injection
unknown_html_RFI_eval   not yet detected by scanners as RFI, but suspect javascript obfuscationg evals
unknown_html_RFI   not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
unknown_html   not yet detected by scanners as RFI, but suspious, may be in rare case false positive
unknown_exe   not yet detected by scanners as malware, but high risk!
all other names   malwarename detected by scanners
==========================


yours

Gerhard W. Recher
(Gesch鋐tsf黨rer)

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 M黱chen

Tel: ++49 89 547182 0
Fax: ++49 89 547182 33
GSM: ++49 171 4802507

Handelsregister M黱chen: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc

July 29, 2010, 11:52:23 am
Reply #2

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
以下的邮岨:

> > 日期: Thu, 29 Jul 2010 13:33:20 +0200
> > 主题: [clean-mx-viruses-437752](58.51.95.218)-->(abuse_hb@public.wh.hb.cn) viruses sites (2  so far) within your network, please clos
> > 庴小: 7092 bytes 字溭
> > 动作: 失败
没有能够发送禍以下的收岨人:

 abuse_hb`public_wh_hb_cn "(8), ErrMsg=Mailbox space not enough (space limit is 102400KB). Size of arriving mail (1KB) exceeds free space (0KB)."

不会再有任何动作缼尝试发送你的邮岨了。 请联系你的系统管理员或先蜌过其它非电子邮岨的窚蕼向你的朋友发送信息以免耽误。


original.eml
Betreff:
[clean-mx-viruses-437752](58.51.95.218)-->(abuse_hb@public.wh.hb.cn) viruses sites (2 so far) within your network, please close them! status: As of 2010-07-29 13:33:20 CEST
Von:
abuse@clean-mx.de
Datum:
Thu, 29 Jul 2010 13:33:20 +0200
An:
abuse_hb@public.wh.hb.cn
Received:
from relayn.netpilot.net([127.0.0.1]) by public.wh.hb.cn(AIMC 4.0.0.0) with SMTP id jm274c51c819; Thu, 29 Jul 2010 19:40:11 +0800
Received:
from relayn.netpilot.net([62.67.240.20]) by aisp.com(AIMC 4.0.0.0) with SMTP id AISP action; Thu, 29 Jul 2010 19:40:11 +0800
Received:
from relayn.netpilot.net (localhost [127.0.0.1]) by relayn.netpilot.net (Postfix) with ESMTP id 4F3411EB0045 for <abuse_hb@public.wh.hb.cn>; Thu, 29 Jul 2010 13:47:28 +0200 (CEST)
DKIM-Signature:
v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; s=sel; bh=62 G+LqGl0Tr6eQSwpRvYhunhjwU=; b=ZRbJjzo4ox4Q5VpPtDJWzeJ/VhDJNJSg9P jR/WR7scEPHBiWdH46zvmaIcX3ZQ+j74RWYMe00rl9RzC9SjDwjLM2iafEdBwfp+ O9E0SJNqMTy3VQYXCsCVPjuOWvzOBFTGRxX1KinBe2bvwl5ZyQbvt7ggdCa0HZGJ CFShK6mDs=
DomainKey-Signature:
a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b= obg0kNMt6gQqOmE5mMdzSF5bjQHegEnbowaHP2WKXW70rEmq8rpMgseckGZb0bd6 FBpLfktX4MWxwwy7LZ0E4iR8MajWyEl42X57OeaFUeMASXvSFfOZe+rV5TrNVYN6 SN5FGTuVnVJs70rkzxO7BKavOC+Ew494nk7D9PIAoik=
Received:
from dbserv.netpilot.net (unknown [195.214.79.22]) by localhost (Postfix) with ESMTP id 2E3EE1EB00B8 for <abuse_hb@public.wh.hb.cn>; Thu, 29 Jul 2010 11:47:28 +0000 (UTC)
Precedence:
bulk
MIME-Version:
1.0
X-Mailer:
clean mx secure mailer
X-Virus-Scanned:
by netpilot GmbH at clean-mx.de
Nachricht-ID:
<20100729.1280403200@dbserv.netpilot.net>
content-Type:
multipart/signed; boundary="----------=_1280404048-25182-13809"; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-AIMC-AUTH:
(null)
X-AIMC-MAILFROM:
abuse@clean-mx.de
X-AIMC-Msg-ID:
S3J31eYB

Dear abuse team,

please help to close these offending viruses sites(2) so far.

status: As of 2010-07-29 13:33:20 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=abuse_hb@public.wh.hb.cn&response=alive

(for full uri, please scroll to the right end ...


We detected many active cases dated back to 2007, so please look at the date column below.
You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=58.51.95.218

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

|date            |id   |virusname   |ip      |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2010-02-21 18:45:00 CET   |437752   |TR/Drop.Agent.apd   |58.51.95.218   |xf4.cn   |http://1.xf4.cn/0/lockfree.exe
|2010-03-06 00:00:00 CET   |453990   |TR/Dldr.Banload.atxh   |58.51.95.218   |djguo.com   |http://down.djguo.com/down51/svafd112009.exe
+-----------------------------------------------------------------------------------------------


Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case

explanation of virusnames:
==========================
unknown_html_RFI_php   not yet detected by scanners as RFI, but pure php code for injection
unknown_html_RFI_perl   not yet detected by scanners as RFI, but pure perl code for injection
unknown_html_RFI_eval   not yet detected by scanners as RFI, but suspect javascript obfuscationg evals
unknown_html_RFI   not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
unknown_html   not yet detected by scanners as RFI, but suspious, may be in rare case false positive
unknown_exe   not yet detected by scanners as malware, but high risk!
all other names   malwarename detected by scanners
==========================


yours

Gerhard W. Recher
(Gesch鋐tsf黨rer)

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 M黱chen

Tel: ++49 89 547182 0
Fax: ++49 89 547182 33
GSM: ++49 171 4802507

Handelsregister M黱chen: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc

July 29, 2010, 11:53:06 am
Reply #3

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
This report relates to a message you sent with the following header fields:

  Message-id: <20100729.1280403030@dbserv.netpilot.net>
  Date: Thu, 29 Jul 2010 13:30:30 +0200
  From: abuse@clean-mx.de
  To: abuse@emirates.net.ae
  Subject: [clean-mx-viruses-482336](194.170.187.6)-->(abuse@emirates.net.ae)
   viruses sites (1  so far) within your network,
   please close them!  status: As of 2010-07-29 13:30:30 CEST

Your message cannot be delivered to the following recipients:

  Recipient address: abuse1@ies.etisalat.ae
  Original address: abuse@emirates.net.ae
  Reason: Mailbox too large




Original-envelope-id: 0L6B00F6YHM42N00@dimail6.emirates.net.ae
Reporting-MTA: dns;auhmc2.emirates.net.ae (ims-ms-daemon)

Original-recipient: rfc822;abuse@emirates.net.ae
Final-recipient: rfc822;abuse1@ies.etisalat.ae
Action: failed
Status: 5.0.0 (Mailbox too large)



Return-path: <abuse@clean-mx.de>
Received: from ims-ms-daemon.auhsmail2.emirates.net.ae by
 auhsmail2.emirates.net.ae (I&ES Mail Server 4.2)
 id <0L6B002I6HM4WG00@auhsmail2.emirates.net.ae>; Thu,
 29 Jul 2010 15:37:16 +0400 (GST)
Received: from dimail6.emirates.net.ae by auhsmail2.emirates.net.ae
 (I&ES Mail Server 4.2)
 with ESMTP id <0L6B00L1EHM4VO30@auhsmail2.emirates.net.ae>; Thu,
 29 Jul 2010 15:37:16 +0400 (GST)
Received: from davmail5.emirates.net.ae ([86.96.226.108])
 by dimail6.emirates.net.ae (I&ES Mail Server 4.2)
 id <0L6B00F00ATS2N00@dimail6.emirates.net.ae> (ORCPT abuse@emirates.net.ae)
 ; Thu, 29 Jul 2010 15:37:16 +0400 (GST)
Received: from davmail5.emirates.net.ae ([86.96.226.108])
 by dimail6.emirates.net.ae (I&ES Mail Server 4.2)
 with ESMTP id <0L6B00LJWHM4KI40@dimail6.emirates.net.ae> for
 abuse@emirates.net.ae; Thu, 29 Jul 2010 15:37:16 +0400 (GST)
Received: from relayn.netpilot.net (relayn.netpilot.net [62.67.240.20])
   by davmail5.emirates.net.ae (I&ES Mail Server 4.2)
 with ESMTP id F21C3725029319EB   for <abuse@emirates.net.ae>; Thu,
 29 Jul 2010 15:37:11 +0400 (GST)
Received: from relayn.netpilot.net (localhost [127.0.0.1])
   by relayn.netpilot.net (Postfix) with ESMTP id 364861EB0058   for
 <abuse@emirates.net.ae>; Thu, 29 Jul 2010 13:37:07 +0200 (CEST)
Received: from dbserv.netpilot.net (unknown [195.214.79.22])
   by localhost (Postfix) with ESMTP id 1D9FF1EB005A   for <abuse@emirates.net.ae>;
 Thu, 29 Jul 2010 11:37:07 +0000 (UTC)
Date: Thu, 29 Jul 2010 13:30:30 +0200
From: abuse@clean-mx.de
Subject: [clean-mx-viruses-482336](194.170.187.6)-->(abuse@emirates.net.ae)
 viruses sites (1  so far) within your network,
 please close them!  status: As of 2010-07-29 13:30:30 CEST
To: abuse@emirates.net.ae
Message-id: <20100729.1280403030@dbserv.netpilot.net>
MIME-version: 1.0
X-Mailer: clean mx secure mailer
Content-type: TEXT/PLAIN
Content-transfer-encoding: QUOTED-PRINTABLE
Precedence: bulk
Authentication-Results: davmail5.emirates.net.ae   header.from=abuse@clean-mx.de;
 domainkeys=pass (ok)
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to
   :subject:mime-version:message-id:date:content-type; s=sel; bh=YI
   YFvS2X9FPj0eP0qMt2FCLZU98=; b=pIEVbotejJ439JTt5alFrVv6jm6C6M/8Ac
   BGmUh+0UcAB4M+cftn3MDrBiQZy00C7HNOfFY2TvPJSmscGqnXcr5j5Lpp8Vf6LU
   FZMAlzGSWXgzqrWI9Agu4JVFDbB14DhDgkHDxEnSo2+K6aQhAHk0EGgwWjYNYkCB   iOzoc9Z+g=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to
   :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b=
   fI0pe16hKhyt9fts5vYTbQ4sxJrT1C0+03U32aN9ckzg+Yej5wPdqm/20iOvC9TS
   kEno5Po9VOfrhtgtUbYetW576AW03C7upXnek9Mmg2pD9pRHKnkB574w/H8E0Urm
   oBEsk9HAhdKXm+LESKcijbBCPnGyUzMEQdCIuIMjF5o=
X-Virus-Scanned: by netpilot GmbH at clean-mx.de



July 29, 2010, 11:53:50 am
Reply #4

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
This report relates to a message you sent with the following header fields:

  Return-path: <abuse@clean-mx.de>
  Return-path: <abuse@clean-mx.de>
  Received: from ims-ms-daemon.mail2.mailmty.avantel.net.mx by
   mail2.mailmty.avantel.net.mx
   (iPlanet Messaging Server 5.1 HotFix 1.14 (built Oct  8 2003))
   id <0L6B00190I3WR1@mail2.mailmty.avantel.net.mx>
   (original mail from abuse@clean-mx.de); Thu, 29 Jul 2010 06:47:56 -0500 (CDT)
  Received: from smtpin4.mailmty.avantel.net.mx ([200.38.95.7])
   by mail2.mailmty.avantel.net.mx
   (iPlanet Messaging Server 5.1 HotFix 1.14 (built Oct  8 2003))
   with ESMTP id <0L6B00DLKI3WJ0@mail2.mailmty.avantel.net.mx> for
   noc@ims-ms-daemon (ORCPT noc@avantel.net.mx); Thu,
   29 Jul 2010 06:47:56 -0500 (CDT)
  Received: from relayn.netpilot.net ([62.67.240.20])
   by smtpin4.mailmty.avantel.net.mx with ESMTP; Thu, 29 Jul 2010 06:48:04 -0500
  Received: from relayn.netpilot.net (localhost [127.0.0.1])
     by relayn.netpilot.net (Postfix) with ESMTP id AB7E91EB0052   for
   <noc@avantel.net.mx>; Thu, 29 Jul 2010 13:48:02 +0200 (CEST)
  Received: from dbserv.netpilot.net (unknown [195.214.79.22])
     by localhost (Postfix) with ESMTP id 98AAE1EB0071   for <noc@avantel.net.mx>;
   Thu, 29 Jul 2010 11:48:02 +0000 (UTC)
  Date: Thu, 29 Jul 2010 13:33:28 +0200
  From: abuse@clean-mx.de
  Subject: [clean-mx-viruses-419465](200.78.238.146)-->(noc@AVANTEL.NET.MX)
   viruses sites (1  so far) within your network,
   please close them!  status: As of 2010-07-29 13:33:28 CEST
  To: noc@AVANTEL.NET.MX
  Message-id: <20100729.1280403208@dbserv.netpilot.net>
  MIME-version: 1.0
  X-Mailer: clean mx secure mailer
  Content-type: multipart/signed; protocol="application/pgp-signature";
   micalg=pgp-sha1; boundary="----------=_1280404082-25182-13886"
  Precedence: bulk
  DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to
     :subject:mime-version:message-id:date:content-type; s=sel; bh=8B
     SyxN1CTZGP7oX02WGFld7aN74=; b=erXCq7c+4j2u639wkVYSHIW+HVZiqmPk/o
     9JUAzbXZ7m+yUJyizYWeh9AxEaai5KTYWgS3Z6Aa0gHTMGNkayT0tOWi4NL3dHVD
     R1YaoqyVASF2AnSvZCsi4xd1xYfsvyqxkp1+7eEucjcVIMFcCec/++eAKHLodkne   fpaYsHR7k=
  DomainKey-Signature: a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to
     :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b=
     pFfBtvihzD9KKIRw/B7cYxndWXdc9wD3IwO1sdP/79aNVT6gAvRc0OEFxST1vkX9
     ySdvldxHmpxh7SrJR4YhDdGeUDj2/GGu9mvXDnDBar1gPheQ/x3SzrqteeUcw8Wr
     EQDiKPnHbbqnMqk6zOqWOHkZawq8tA5+/y70jqsdg1c=
  X-IronPort-Anti-Spam-Filtered: true
  X-IronPort-Anti-Spam-Result:
   AqEEAIoHUUw+Q/AUZGdsb2JhbAABmUqGPQgaCwoGEgQeiBmoAI5zAQSFOIgfXoJQ
  X-IronPort-AV: E=Sophos;i="4.55,279,1278306000"; d="asc'?scan'208";a="228985318"
  X-Virus-Scanned: by netpilot GmbH at clean-mx.de

Your message cannot be delivered to the following recipients:

  Recipient address: noc@ims-ms-daemon
  Original address: noc@avantel.net.mx
  Reason: Over quota





Reporting-MTA: dns;mail2.mailmty.avantel.net.mx (ims-ms-daemon)

Original-recipient: rfc822;noc@avantel.net.mx
Final-recipient: rfc822;noc@ims-ms-daemon
Action: failed
Status: 5.2.2 (Over quota)



Teil 1.2
Betreff:
[clean-mx-viruses-419465](200.78.238.146)-->(noc@AVANTEL.NET.MX) viruses sites (1 so far) within your network, please close them! status: As of 2010-07-29 13:33:28 CEST
Von:
abuse@clean-mx.de
Datum:
Thu, 29 Jul 2010 13:33:28 +0200
An:
noc@AVANTEL.NET.MX
Return-path:
<abuse@clean-mx.de>
Return-path:
<abuse@clean-mx.de>
Received:
from ims-ms-daemon.mail2.mailmty.avantel.net.mx by mail2.mailmty.avantel.net.mx (iPlanet Messaging Server 5.1 HotFix 1.14 (built Oct 8 2003)) id <0L6B00190I3WR1@mail2.mailmty.avantel.net.mx> (original mail from abuse@clean-mx.de); Thu, 29 Jul 2010 06:47:56 -0500 (CDT)
Received:
from smtpin4.mailmty.avantel.net.mx ([200.38.95.7]) by mail2.mailmty.avantel.net.mx (iPlanet Messaging Server 5.1 HotFix 1.14 (built Oct 8 2003)) with ESMTP id <0L6B00DLKI3WJ0@mail2.mailmty.avantel.net.mx> for noc@ims-ms-daemon (ORCPT noc@avantel.net.mx); Thu, 29 Jul 2010 06:47:56 -0500 (CDT)
Received:
from relayn.netpilot.net ([62.67.240.20]) by smtpin4.mailmty.avantel.net.mx with ESMTP; Thu, 29 Jul 2010 06:48:04 -0500
Received:
from relayn.netpilot.net (localhost [127.0.0.1]) by relayn.netpilot.net (Postfix) with ESMTP id AB7E91EB0052 for <noc@avantel.net.mx>; Thu, 29 Jul 2010 13:48:02 +0200 (CEST)
Received:
from dbserv.netpilot.net (unknown [195.214.79.22]) by localhost (Postfix) with ESMTP id 98AAE1EB0071 for <noc@avantel.net.mx>; Thu, 29 Jul 2010 11:48:02 +0000 (UTC)
Nachricht-ID:
<20100729.1280403208@dbserv.netpilot.net>
MIME-Version:
1.0
X-Mailer:
clean mx secure mailer
Content-type:
multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="----------=_1280404082-25182-13886"
Precedence:
bulk
DKIM-Signature:
v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; s=sel; bh=8B SyxN1CTZGP7oX02WGFld7aN74=; b=erXCq7c+4j2u639wkVYSHIW+HVZiqmPk/o 9JUAzbXZ7m+yUJyizYWeh9AxEaai5KTYWgS3Z6Aa0gHTMGNkayT0tOWi4NL3dHVD R1YaoqyVASF2AnSvZCsi4xd1xYfsvyqxkp1+7eEucjcVIMFcCec/++eAKHLodkne fpaYsHR7k=
DomainKey-Signature:
a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b= pFfBtvihzD9KKIRw/B7cYxndWXdc9wD3IwO1sdP/79aNVT6gAvRc0OEFxST1vkX9 ySdvldxHmpxh7SrJR4YhDdGeUDj2/GGu9mvXDnDBar1gPheQ/x3SzrqteeUcw8Wr EQDiKPnHbbqnMqk6zOqWOHkZawq8tA5+/y70jqsdg1c=
X-IronPort-Anti-Spam-Filtered:
true
X-IronPort-Anti-Spam-Result:
AqEEAIoHUUw+Q/AUZGdsb2JhbAABmUqGPQgaCwoGEgQeiBmoAI5zAQSFOIgfXoJQ
X-IronPort-AV:
E=Sophos;i="4.55,279,1278306000"; d="asc'?scan'208";a="228985318"
X-Virus-Scanned:
by netpilot GmbH at clean-mx.de

Dear abuse team,

please help to close these offending viruses sites(1) so far.

status: As of 2010-07-29 13:33:28 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=noc@AVANTEL.NET.MX&response=alive

(for full uri, please scroll to the right end ...


We detected many active cases dated back to 2007, so please look at the date column below.
You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=200.78.238.146

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

|date            |id   |virusname   |ip      |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2010-02-08 17:34:29 CET   |419465   |unknown_html_RFI_shell   |200.78.238.146   |difusion.com.mx   |http://www.difusion.com.mx/ceids/google.php?
+-----------------------------------------------------------------------------------------------


Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case

explanation of virusnames:
==========================
unknown_html_RFI_php   not yet detected by scanners as RFI, but pure php code for injection
unknown_html_RFI_perl   not yet detected by scanners as RFI, but pure perl code for injection
unknown_html_RFI_eval   not yet detected by scanners as RFI, but suspect javascript obfuscationg evals
unknown_html_RFI   not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
unknown_html   not yet detected by scanners as RFI, but suspious, may be in rare case false positive
unknown_exe   not yet detected by scanners as malware, but high risk!
all other names   malwarename detected by scanners
==========================


yours

Gerhard W. Recher
(Gesch鋐tsf黨rer)

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 M黱chen

Tel: ++49 89 547182 0
Fax: ++49 89 547182 33
GSM: ++49 171 4802507

Handelsregister M黱chen: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc

July 29, 2010, 11:54:51 am
Reply #5

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
Delivery to the following recipient failed permanently:

     yijungik@gmail.com

Technical details of permanent failure:
Internal Message-ID collision

----- Original message -----

Received: by 10.224.29.4 with SMTP id o4mr9569608qac.203.1280403592688;
        Thu, 29 Jul 2010 04:39:52 -0700 (PDT)
Return-Path: <abuse@clean-mx.de>
Received: from HCLC1 ([211.236.182.240])
        by mx.google.com with ESMTP id h7si1349525qcm.80.2010.07.29.04.39.49;
        Thu, 29 Jul 2010 04:39:51 -0700 (PDT)
Received-SPF: fail (google.com: domain of abuse@clean-mx.de does not designate 211.236.182.240 as permitted sender) client-ip=211.236.182.240;
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of abuse@clean-mx.de does not designate 211.236.182.240 as permitted sender) smtp.mail=abuse@clean-mx.de; dkim=pass header.i=@clean-mx.de
Received: by HCLC1 (Postfix)
   id 0F6DF3801E5A3; Thu, 29 Jul 2010 20:39:49 +0900 (KST)
Delivered-To: noc@hclc.co.kr
Received: from relayn.netpilot.net (relayn.netpilot.net [62.67.240.20])
   by HCLC1 (Postfix) with ESMTPS id 480263801E58C
   for <noc@hclc.co.kr>; Thu, 29 Jul 2010 20:39:48 +0900 (KST)
Received: from relayn.netpilot.net (localhost [127.0.0.1])
   by relayn.netpilot.net (Postfix) with ESMTP id F31091EB00DD
   for <noc@hclc.co.kr>; Thu, 29 Jul 2010 13:39:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to
   :subject:mime-version:message-id:date:content-type; s=sel; bh=fm
   A+fj+c3JX7XP+u0cvOjT56Psg=; b=ZGMkTRq//kWi+MPKV2H9tX6IMWvSOLiBDk
   J6Vs8sOeCdS9/CEGBqtbXjey0Hji9G4QeMoJVbz/VXg34dkJHyzBj9a3w8INDxT/
   /7sMnNGoXrnpPIml9N5Z5N/Pnr0JLPGzXoxDLXvgU0FYlUIs6UIiWWhCpqvjaLzZ
   nnDT+bXsE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to
   :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b=
   e7nIxpe0I24rQX2T+gzQascCR6cbrDfCti8/tDyoEA7NZUauN4WBLxxQjuvVjNIN
   5XKqgrTDHgtf5rBlXKDhuIMnDKGIt/pyWo6sThYH5ICQan5yu2T5bVwZRsTKt/lu
   dyGcvYOEsWlU+x23A+/7pDakkkeFy0Yf0DwTVZBtKjY=
Received: from dbserv.netpilot.net (unknown [195.214.79.22])
   by localhost (Postfix) with ESMTP id E717B1EB00DE
   for <noc@hclc.co.kr>; Thu, 29 Jul 2010 11:39:39 +0000 (UTC)
From: abuse@clean-mx.de
to: noc@hclc.co.kr
Subject: [clean-mx-viruses-499493](124.217.198.252)-->(noc@hclc.co.kr) viruses sites (1  so far) within your network, please close them!  status: As of 2010-07-29 13:31:29 CEST
Precedence: bulk
MIME-Version: 1.0
X-Mailer: clean mx secure mailer
X-Virus-Scanned: by netpilot GmbH at clean-mx.de
Message-Id: <20100729.1280403089@dbserv.netpilot.net>
Date: Thu, 29 Jul 2010 13:31:29 +0200
content-Type: multipart/signed; boundary="----------=_1280403579-25182-12375"; micalg="pgp-sha1"; protocol="application/pgp-signature"

Dear abuse team,

please help to close these offending viruses sites(1) so far.

status: As of 2010-07-29 13:31:29 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=noc@hclc.co.kr&response=alive

(for full uri, please scroll to the right end ...


We detected many active cases dated back to 2007, so please look at the date column below.
You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=124.217.198.252

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

|date            |id   |virusname   |ip      |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2010-04-04 00:00:00 CEST   |499493   |JS/iFrame.AL   |124.217.198.

July 29, 2010, 11:55:51 am
Reply #6

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

       abuse@fastservers.net





Reporting-MTA: dns;mx1.layeredtechnologies.com
Received-From-MTA: dns;relentless.fastservers.net
Arrival-Date: Thu, 29 Jul 2010 06:49:13 -0500

Final-Recipient: rfc822;abuse@fastservers.net
Action: failed
Status: 5.1.1


Teil 1.2
Betreff:
[clean-mx-viruses-445649](74.200.208.10)-->(abuse@fastservers.net) viruses sites (2 so far) within your network, please close them! status: As of 2010-07-29 13:33:43 CEST
Von:
abuse@clean-mx.de
Datum:
Thu, 29 Jul 2010 13:33:43 +0200
An:
abuse@fastservers.net
Received:
from relentless.fastservers.net ([64.38.19.98]) by mx1.layeredtechnologies.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 29 Jul 2010 06:49:13 -0500
X-ASG-Debug-ID:
1280404152-784c02530000-UtaBuu
X-Barracuda-URL:
http://64.38.19.98:7777/cgi-bin/mark.cgi
Received:
from relayn.netpilot.net (localhost [127.0.0.1]) by relentless.fastservers.net (Spam Firewall) with ESMTP id 34B7811FD475 for <abuse@fastservers.net>; Thu, 29 Jul 2010 06:49:12 -0500 (CDT)
Received:
from relayn.netpilot.net (relayn.netpilot.net [62.67.240.20]) by relentless.fastservers.net with ESMTP id pBxrEBz4k6PmBrR2 for <abuse@fastservers.net>; Thu, 29 Jul 2010 06:49:12 -0500 (CDT)
Received:
from relayn.netpilot.net (localhost [127.0.0.1]) by relayn.netpilot.net (Postfix) with ESMTP id 5756D1EB0044 for <abuse@fastservers.net>; Thu, 29 Jul 2010 13:49:10 +0200 (CEST)
DKIM-Signature:
v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; s=sel; bh=t7 7ijT5kdwccUGHXQXWPxr6yYAU=; b=ZPeUELI0ULgAJ66/DYG1Js44sZAgUo01jq 4a3vfJe6IazUmr2SNGSVO9Z49oBg2vSZ7HVeKI5NamYmAOSMe5GPsLsWd0+vayij 7tYIdyUrsADjKlSk6V64BQt/xH/uLBJrUIQeOQDMQjEktRjQ8llkQR/wZQRRWw4V 6ohls6ijQ=
DomainKey-Signature:
a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b= mTZabkSzBlVXYi969qT9TbFGI15e+Fhv/AOV/4HBTGjAqdQwh9aJ+YOtntSe/aXV rrR2pgc1lA3v7XZtsx2kr+BUYm6jsc2SjlGEUuXEKC0KCtlg0JvVNFHEmLdUDKZs o/TaBKQ3b/Nc4f6NjCX9xFkuPWfJfQenN8zi6ugFAEY=
Received:
from dbserv.netpilot.net (unknown [195.214.79.22]) by localhost (Postfix) with ESMTP id 2219F1EB0087 for <abuse@fastservers.net>; Thu, 29 Jul 2010 11:49:09 +0000 (UTC)
X-ASG-Orig-Subj:
[clean-mx-viruses-445649](74.200.208.10)-->(abuse@fastservers.net) viruses sites (2 so far) within your network, please close them! status: As of 2010-07-29 13:33:43 CEST
Precedence:
bulk
MIME-Version:
1.0
X-Mailer:
clean mx secure mailer
X-Virus-Scanned:
by netpilot GmbH at clean-mx.de
Nachricht-ID:
<20100729.1280403223@dbserv.netpilot.net>
content-Type:
multipart/signed; boundary="----------=_1280404149-25182-14031"; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-Barracuda-Connect:
relayn.netpilot.net[62.67.240.20]
X-Barracuda-Start-Time:
1280404153
X-Barracuda-Virus-Scanned:
by RELENTLESS Barracuda Spam Firewall at fastservers.net
Return-Path:
abuse@clean-mx.de
X-OriginalArrivalTime:
29 Jul 2010 11:49:13.0432 (UTC) FILETIME=[10962D80:01CB2F14]

Dear abuse team,

please help to close these offending viruses sites(2) so far.

status: As of 2010-07-29 13:33:43 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=abuse@fastservers.net&response=alive

(for full uri, please scroll to the right end ...


We detected many active cases dated back to 2007, so please look at the date column below.
You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=74.200.208.10

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

|date            |id   |virusname   |ip      |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2010-02-26 00:00:00 CET   |445649   |HTML/Crypted.Gen   |74.200.208.10   |arthaexpress.com.np   |http://arthaexpress.com.np/
|2010-02-26 00:00:00 CET   |445650   |TR/Crypt.XDR.Gen   |74.200.208.10   |arthaexpress.com.np   |http://arthaexpress.com.np/zcv.gif
+-----------------------------------------------------------------------------------------------


Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case

explanation of virusnames:
==========================
unknown_html_RFI_php   not yet detected by scanners as RFI, but pure php code for injection
unknown_html_RFI_perl   not yet detected by scanners as RFI, but pure perl code for injection
unknown_html_RFI_eval   not yet detected by scanners as RFI, but suspect javascript obfuscationg evals
unknown_html_RFI   not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
unknown_html   not yet detected by scanners as RFI, but suspious, may be in rare case false positive
unknown_exe   not yet detected by scanners as malware, but high risk!
all other names   malwarename detected by scanners
==========================


yours

Gerhard W. Recher
(Gesch鋐tsf黨rer)

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 M黱chen

Tel: ++49 89 547182 0
Fax: ++49 89 547182 33
GSM: ++49 171 4802507

Handelsregister M黱chen: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc

July 29, 2010, 11:56:49 am
Reply #7

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

       scott.porter@interoute.com





Reporting-MTA: dns;ukex01.interoute.com
Received-From-MTA: dns;mail1.interoute.com
Arrival-Date: Thu, 29 Jul 2010 13:43:05 +0200

Final-Recipient: rfc822;scott.porter@interoute.com
Action: failed
Status: 5.1.1


Teil 1.2
Betreff:
[clean-mx-viruses-245911](195.81.248.143)-->(scott.porter@interoute.com) viruses sites (1 so far) within your network, please close them! status: As of 2010-07-29 13:32:00 CEST
Von:
abuse@clean-mx.de
Datum:
Thu, 29 Jul 2010 13:32:00 +0200
An:
scott.porter@interoute.com
Received:
from mail1.interoute.com ([172.31.49.60]) by ukex01.interoute.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 29 Jul 2010 13:43:05 +0200
Received:
from mail189.messagelabs.com ([85.158.139.179]) by mail1.interoute.com with Microsoft SMTPSVC(7.0.6001.18000); Thu, 29 Jul 2010 13:43:11 +0200
X-VirusChecked:
Checked
X-Env-Sender:
abuse@clean-mx.de
X-Msg-Ref:
server-8.tower-189.messagelabs.com!1280403726!61640040!1
X-StarScan-Version:
6.2.4; banners=-,-,-
X-Originating-IP:
[62.67.240.20]
X-SpamReason:
No, hits=3.4 required=7.0 tests=ADDRESS_IN_SUBJECT, BODY_RANDOM_LONG,X_MAILER_SPAM
Received:
(qmail 10684 invoked from network); 29 Jul 2010 11:42:06 -0000
Received:
from relayn.netpilot.net (HELO relayn.netpilot.net) (62.67.240.20) by server-8.tower-189.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 29 Jul 2010 11:42:06 -0000
Received:
from relayn.netpilot.net (localhost [127.0.0.1]) by relayn.netpilot.net (Postfix) with ESMTP id 3A37F1EB0052 for <scott.porter@interoute.com>; Thu, 29 Jul 2010 13:42:06 +0200 (CEST)
DKIM-Signature:
v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; s=sel; bh=Ee jT7TbfIdC7vRtl0nilRQA8Cp0=; b=sVB9j8kIoA3CiM6LSVm3L4tA/S/TSqM8nC dOjfnSCyVlOmkP969cow5BIK66/vNXvqlxd4JkTQ0R3xMiMs95aqTr1AFB+SAaVL Zypewbcph9Rp/xHogDZvWDBIHffnFMT5JCBCGWr41hvmE2MW23pe5cSPXGcMFBrT Zvygfeufk=
DomainKey-Signature:
a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b= msTB2LvXzmneiMCp413xOetpVNtPbz98tB0YvU6IDAaIDkj1zVTpDf67u6DLJa4Q w5GJewCJpUvI1ORLmMDe9mIFjCdAlib82UnDVMLkPzkMKxYwxlLlJ8WmvOdYrDiY WaZU2hkINMykIa7lhK6sjpvJfma0EKQtQPuY7QCcVwE=
Received:
from dbserv.netpilot.net (unknown [195.214.79.22]) by localhost (Postfix) with ESMTP id F3CC11EB0048 for <scott.porter@interoute.com>; Thu, 29 Jul 2010 11:42:05 +0000 (UTC)
Precedence:
bulk
MIME-Version:
1.0
X-Mailer:
clean mx secure mailer
X-Virus-Scanned:
by netpilot GmbH at clean-mx.de
Nachricht-ID:
<20100729.1280403120@dbserv.netpilot.net>
content-Type:
multipart/signed; boundary="----------=_1280403725-25182-12743"; micalg="pgp-sha1"; protocol="application/pgp-signature"
Return-Path:
abuse@clean-mx.de
X-OriginalArrivalTime:
29 Jul 2010 11:43:11.0593 (UTC) FILETIME=[38E9ED90:01CB2F13]

Dear abuse team,

please help to close these offending viruses sites(1) so far.

status: As of 2010-07-29 13:32:00 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=scott.porter@interoute.com&response=alive

(for full uri, please scroll to the right end ...


We detected many active cases dated back to 2007, so please look at the date column below.
You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=195.81.248.143

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

|date            |id   |virusname   |ip      |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2009-10-28 14:07:14 CET   |245911   |Suspicious File   |195.81.248.143   |partycasino.com   |http://www.partycasino.com/Downloads/si/pcsetup_si.exe
+-----------------------------------------------------------------------------------------------


Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case

explanation of virusnames:
==========================
unknown_html_RFI_php   not yet detected by scanners as RFI, but pure php code for injection
unknown_html_RFI_perl   not yet detected by scanners as RFI, but pure perl code for injection
unknown_html_RFI_eval   not yet detected by scanners as RFI, but suspect javascript obfuscationg evals
unknown_html_RFI   not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
unknown_html   not yet detected by scanners as RFI, but suspious, may be in rare case false positive
unknown_exe   not yet detected by scanners as malware, but high risk!
all other names   malwarename detected by scanners
==========================


yours

Gerhard W. Recher
(Gesch鋐tsf黨rer)

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 M黱chen

Tel: ++49 89 547182 0
Fax: ++49 89 547182 33
GSM: ++49 171 4802507

Handelsregister M黱chen: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc

July 29, 2010, 11:58:24 am
Reply #8

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
Hi. This is the qmail-send program at inmail.gabia.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<liy@gabia.com>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <abuse@clean-mx.de>
Received: (hhosting 30629 invoked by uid 99); 29 Jul 2010 20:42:53 +0900(KST)
Delivered-To: security@gabia.com
Received: (hhosting 21999 invoked from network); 29 Jul 2010 20:33:29 +0900(KST)
Received: from unknown (HELO gabia-spamzone.gabia.com) (121.254.168.150)
   by 0 (qmail 1.03 + ejcp) with SMTP;
   29 Jul 2010 20:33:29 +0900(KST)
Received: from unknown (HELO relayn.netpilot.net) (62.67.240.20)
   by 121.254.168.150 with SMTP; 29 Jul 2010 20:32:03 +0900
X-Original-SENDERIP: 62.67.240.20
X-Original-MAILFROM: abuse@clean-mx.de
Received: from relayn.netpilot.net (localhost [127.0.0.1])
   by relayn.netpilot.net (Postfix) with ESMTP id EC4791EB003F
   for <security@gabia.com>; Thu, 29 Jul 2010 13:33:25 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to
   :subject:mime-version:message-id:date:content-type; s=sel; bh=yT
   l9r0Gij7OQIWHyXd0y145gjSY=; b=bweDZXFjTaQd0jstdWux941Gf2zQGFywcV
   gvwrW63CPfOEIfELhFyI4PHy8/OPmFTRVsq67o9pUEl3giXI58CBrbZZLDezIhdR
   atXabB2wP3Xrf8bQS7qHRUNxt8uoUuALDaTtIYzwIIeQCwrZQhJ1AX+4AJOeJGVN
   hGdcSo1gg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to
   :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b=
   EIMqJSzadtDq82FlcOGsT7/0QOLt12dwGnbqsDFPx0HIrTEby6X0dXmGviRWSn33
   Hhxsu+Zvm41JlG2wHqUwjagKpNKtSoByNbvNzWRFu3jIatkAl8sHJYdBgWRZ0NO9
   y1TzTjZQg5HADiglUTeJRPlZwqTCzo/my8MWrA6Kk8U=
Received: from dbserv.netpilot.net (unknown [195.214.79.22])
   by localhost (Postfix) with ESMTP id DBFA21EB0047
   for <security@gabia.com>; Thu, 29 Jul 2010 11:33:25 +0000 (UTC)
From: abuse@clean-mx.de
to: security@gabia.com
Subject: [clean-mx-viruses-368972](121.254.177.220)-->(security@gabia.com) viruses sites (1  so far) within your network, please close them!  status: As of 2010-07-29 13:29:14 CEST
Precedence: bulk
MIME-Version: 1.0
X-Mailer: clean mx secure mailer
X-Virus-Scanned: by netpilot GmbH at clean-mx.de
Message-Id: <20100729.1280402954@dbserv.netpilot.net>
Date: Thu, 29 Jul 2010 13:29:14 +0200
content-Type: multipart/signed; boundary="----------=_1280403205-25182-10823"; micalg="pgp-sha1"; protocol="application/pgp-signature"

This is a multi-part message in MIME format.
It has been signed conforming to RFC3156.
Produced by clean-mx transparent crypt gateway.
Version: 2.01.0619 http://www.clean-mx.de
You need GPG to check the signature.

------------=_1280403205-25182-10823
Content-type: multipart/mixed;   boundary="----=_NextPart"

This is a multi-part message in MIME format.

------=_NextPart
Content-Type: text/plain; charset="iso-8859-1"

Dear abuse team,

please help to close these offending viruses sites(1) so far.

status: As of 2010-07-29 13:29:14 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=security@gabia.com&response=alive

(for full uri, please scroll to the right end ...


We detected many active cases dated back to 2007, so please look at the date column below.
You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=121.254.177.220

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

|date            |id   |virusname   |ip      |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2010-01-22 00:00:00 CET   |368972   |TR/Dldr.Genome.abln   |121.254.177.220   |winnerstudy.net   |http://file.winnerstudy.net/ipsi_board/wsupporters/1/7812/7812.exe
+-----------------------------------------------------------------------------------------------


Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case

explanation of virusnames:
==========================
unknown_html_RFI_php   not yet detected by scanners as RFI, but pure php code for injection
unknown_html_RFI_perl   not yet detected by scanners as RFI, but pure perl code for injection
unknown_html_RFI_eval   not yet detected by scanners as RFI, but suspect javascript obfuscationg evals
unknown_html_RFI   not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
unknown_html   not yet detected by scanners as RFI, but suspious, may be in rare case false positive
unknown_exe   not yet detected by scanners as malware, but high risk!
all other names   malwarename detected by scanners
==========================


yours

Gerhard W. Recher
(Gesch鋐tsf黨rer)

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 M黱chen

Tel: ++49 89 547182 0
Fax: ++49 89 547182 33
GSM: ++49 171 4802507

Handelsregister M黱chen: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc
------=_NextPart--

------------=_1280403205-25182-10823
Content-Type: application/pgp-signature; name="signature.asc"
Content-Disposition: inline; filename="signature.asc"
Content-Transfer-Encoding: 7bit
Content-Description: Digital Signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJMUWcFAAoJEBTGcx9kwGtzPLsH/3XPM8a9Ejk06uOBaG096Qo2
IfIhsKNE+qZ/0aTIFUdIdhf+SfBRVQBdyxaQ8pLpTzy+GiLooXjeXq7ac3VrtNl1
INJSw9STvxFv3E46gxtVJeEgbhj1tz6nHfEClWGcwTyY0d2QdPy7YFaJEYk/OmU7
SKTC9D944DiSmGcTjCBGeBuVy/x/ZmIdtb/oyxkI3sGagO54BGDJq42CAOTgF6Hu
CqzxyHRFAdoC1mcGAi227+of3uCb12n/vzn/EBJafpmNx+NKfubgfj7rM7JzMrvz
N3rYkJ16lNSXhQk8sKMuMIUTq7b8lTknq83zuaBsXUpHDOy6WS1+wvh3WFfSMCA=
=UhAz
-----END PGP SIGNATURE-----

------------=_1280403205-25182-10823--

July 29, 2010, 11:59:24 am
Reply #9

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
Hi. This is the deliver program at jltele.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

ipmgr@jltele.com
quota exceed
--- Attachment is a copy of the message.

[这是服务器 jltele.com 的投递程序返回的提薀信息]

禍下列地址的信岨投递失败,对窚服务器无窔正常溣受或者熫燌溣受这封邮岨,
这是一烐永熋性的庬误,服务器已煭放弃屘续投递。
ipmgr@jltele.com

对窚服务器返回庬误提薀:
quota exceed
--
[灉岨是您所发送信岨的原岨]

orig.eml
Betreff:
[clean-mx-viruses-361740](222.169.224.74)-->(ipmgr@jltele.com) viruses sites (1 so far) within your network, please close them! status: As of 2010-07-29 13:33:06 CEST
Von:
abuse@clean-mx.de
Datum:
Thu, 29 Jul 2010 13:33:06 +0200
An:
ipmgr@jltele.com
Received:
(eyou send program); Thu, 29 Jul 2010 19:43:47 +0800
Received:
from 192.168.66.201 (HELO rf1.jltele.com) (192.168.66.201) by 192.168.66.142 with SMTP; Thu, 29 Jul 2010 19:43:47 +0800
Return-Path:
<abuse@clean-mx.de>
Received:
from [62.67.240.20] by [10.10.10.10] with StormMail ESMTP id 47659.11027314; Thu, 29 Jul 2010 19:44:07 +0800 (CST)
Received:
from relayn.netpilot.net (localhost [127.0.0.1]) by relayn.netpilot.net (Postfix) with ESMTP id 80EFD1EB0044 for <ipmgr@jltele.com>; Thu, 29 Jul 2010 13:46:29 +0200 (CEST)
DKIM-Signature:
v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; s=sel; bh=wW ePw3oo1YKwgA5YVoD5iQONmis=; b=FaXJxlrhnVUytpI9NWYuYzUwfdn/gTgz5u hYBE52I0ltiTDFAW7fOOjwojp+Mao27g1hj/o1LC4obtlezHL21/nqOKmVgmZYGC WNH4gAWWsRpaJjtHPf/QBAjQFGs9h3L1KV8gDc/+hhGo2MdoAktb3cy0EMQO0E+M NMDy0i+tQ=
DomainKey-Signature:
a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b= fy/sleTf8bXRPueeAFTXHJFOHJnNC9mo6uUWm/7wKIWOs4j+fSGHsYmSk/J5Z6dv scHGFJrgWJnm9QNlx8+UbRZ8raU32f7kCYAaJxfReSFGH+f0xmOLCrzddpb5MugC zaReprRs/kQVmujTWdlROojKRqn5JKLjbdeFqLKNoF0=
Received:
from dbserv.netpilot.net (unknown [195.214.79.22]) by localhost (Postfix) with ESMTP id 564B61EB00C2 for <ipmgr@jltele.com>; Thu, 29 Jul 2010 11:46:29 +0000 (UTC)
Precedence:
bulk
MIME-Version:
1.0
X-Mailer:
clean mx secure mailer
X-Virus-Scanned:
by netpilot GmbH at clean-mx.de
Nachricht-ID:
<20100729.1280403186@dbserv.netpilot.net>
content-Type:
multipart/signed; boundary="----------=_1280403989-25182-13583"; micalg="pgp-sha1"; protocol="application/pgp-signature"

Dear abuse team,

please help to close these offending viruses sites(1) so far.

status: As of 2010-07-29 13:33:06 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=ipmgr@jltele.com&response=alive

(for full uri, please scroll to the right end ...


We detected many active cases dated back to 2007, so please look at the date column below.
You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=222.169.224.74

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

|date            |id   |virusname   |ip      |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2010-01-18 13:11:21 CET   |361740   |Trojan-Clicker.HTML.RemoteScript (v)   |222.169.224.74   |haoting.com   |http://www.haoting.com/?=dh
+-----------------------------------------------------------------------------------------------


Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case

explanation of virusnames:
==========================
unknown_html_RFI_php   not yet detected by scanners as RFI, but pure php code for injection
unknown_html_RFI_perl   not yet detected by scanners as RFI, but pure perl code for injection
unknown_html_RFI_eval   not yet detected by scanners as RFI, but suspect javascript obfuscationg evals
unknown_html_RFI   not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
unknown_html   not yet detected by scanners as RFI, but suspious, may be in rare case false positive
unknown_exe   not yet detected by scanners as malware, but high risk!
all other names   malwarename detected by scanners
==========================


yours

Gerhard W. Recher
(Gesch鋐tsf黨rer)

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 M黱chen

Tel: ++49 89 547182 0
Fax: ++49 89 547182 33
GSM: ++49 171 4802507

Handelsregister M黱chen: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc

July 29, 2010, 12:01:39 pm
Reply #10

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
blocking internal forwards ???

Quote
The original message was received at Thu, 29 Jul 2010 06:57:24 -0500
from relayn.netpilot.net [62.67.240.20]

   ----- The following addresses had permanent fatal errors -----
<techops@pantherexpress.net>
    (reason: 591 techops@cdnetworks.com your host [65.61.159.36] is blacklisted by feb.spamlab.com. No mail will be accepted)

   ----- Transcript of session follows -----
... while talking to cdnetworks.com.1.arsmtp.com.:
>>> >>> DATA
<<< 591 techops@cdnetworks.com your host [65.61.159.36] is blacklisted by feb.spamlab.com. No mail will be accepted
554 5.0.0 Service unavailable
<<< 554 no valid RCPT address specified



Reporting-MTA: dns; rs11.luxsci.com
Received-From-MTA: DNS; relayn.netpilot.net
Arrival-Date: Thu, 29 Jul 2010 06:57:24 -0500

Original-Recipient: rfc822;techops@pantherexpress.net
Final-Recipient: RFC822; techops@cdnetworks.com
Action: failed
Status: 5.0.0
Remote-MTA: DNS; cdnetworks.com.1.arsmtp.com
Diagnostic-Code: SMTP; 591 techops@cdnetworks.com your host [65.61.159.36] is blacklisted by feb.spamlab.com. No mail will be accepted
Last-Attempt-Date: Thu, 29 Jul 2010 06:57:27 -0500



Return-Path: <abuse@clean-mx.de>
Received: from relayn.netpilot.net (relayn.netpilot.net [62.67.240.20])
   by rs11.luxsci.com (8.13.1/8.13.7) with ESMTP id o6TBvNOX008493
   (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
   for <techops@pantherexpress.net>; Thu, 29 Jul 2010 06:57:24 -0500
Received: from relayn.netpilot.net (localhost [127.0.0.1])
   by relayn.netpilot.net (Postfix) with ESMTP id E211C1EB0024
   for <techops@pantherexpress.net>; Thu, 29 Jul 2010 13:57:22 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to
   :subject:mime-version:message-id:date:content-type; s=sel; bh=fz
   ZYuibLW+aWwKoz1tZTvBy1fOI=; b=jqjwtWqeskuHpm7Hvzcgv0T6HQNb7rTY4N
   AgRpzfvAsff/BqDWS+enrrYpodF7dzK3afyDYMqEKWolgqAdQPQGbK+2Z1TukRty
   59EA5uJ0od7VXsMNc92ELWVL3BFqgXraYyHeFXpBvlhHHJoHLx7YTchSh+RYAYSF
   BrY/Z6B4c=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to
   :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b=
   GJHD1c9gfkGbGb+tkjIQYRaHTwY7aHg4XIRz8eDPUbwj1+OeY9RHAWc8TCGUh1yt
   kk+MEKNTDkTe6c84wqkmS8kuXTC+7tFMoNvIocQt0c+xuRR47Z03iCOhxY5pux/j
   DfDQyEwZS1DXgq4B8mlQEPCDOl8qTRerWXhaKXNTsMg=
Received: from dbserv.netpilot.net (unknown [195.214.79.22])
   by localhost (Postfix) with ESMTP id CDFA91EB0061
   for <techops@pantherexpress.net>; Thu, 29 Jul 2010 11:57:22 +0000 (UTC)
From: abuse@clean-mx.de
to: techops@pantherexpress.net
Subject: [clean-mx-viruses-546800](93.188.130.21)-->(techops@pantherexpress.net) viruses sites (1  so far) within your network, please close them!  status: As of 2010-07-29 13:34:59 CEST
Precedence: bulk
MIME-Version: 1.0
X-Mailer: clean mx secure mailer
X-Virus-Scanned: by netpilot GmbH at clean-mx.de
Message-Id: <20100729.1280403299@dbserv.netpilot.net>
Date: Thu, 29 Jul 2010 13:34:59 +0200
content-Type: multipart/signed; boundary="----------=_1280404642-25182-15341"; micalg="pgp-sha1"; protocol="application/pgp-signature"

July 29, 2010, 12:05:08 pm
Reply #11

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

       anoriega@prima.com.ar





Reporting-MTA: dns;prima23.prima.local
Received-From-MTA: dns;postino1-hr.prima.com.ar
Arrival-Date: Thu, 29 Jul 2010 09:01:28 -0300

Final-Recipient: rfc822;anoriega@prima.com.ar
Action: failed
Status: 5.1.1


Teil 1.2
Betreff:
[clean-mx-portals-120441](190.228.29.89)-->(anoriega@PRIMA.COM.AR) portals sites (3 so far) within your network, please close them! status: As of 2010-07-29 13:35:31 CEST
Von:
abuse@clean-mx.de
Datum:
Thu, 29 Jul 2010 13:35:31 +0200
An:
anoriega@PRIMA.COM.AR
Received:
from postino1-hr.prima.com.ar ([200.42.0.132]) by prima23.prima.local with Microsoft SMTPSVC(6.0.3790.4675); Thu, 29 Jul 2010 09:01:28 -0300
Received:
(qmail 73027 invoked from network); 29 Jul 2010 12:01:28 -0000
Received:
from relayn.netpilot.net (62.67.240.20) by postino1.prima.com.ar with SMTP; 29 Jul 2010 12:01:28 -0000
Received:
from relayn.netpilot.net (localhost [127.0.0.1]) by relayn.netpilot.net (Postfix) with ESMTP id A9CF11EB00B1 for <anoriega@prima.com.ar>; Thu, 29 Jul 2010 14:01:25 +0200 (CEST)
DKIM-Signature:
v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; s=sel; bh=Ew Mh4mIgvw9r3fTasltoWV/WGiw=; b=thTuZAY4XQmvv5HsgEYQoLLmoA+ub3pjOm tsnzbx7q6BAyNldusVyTUwwqtA8rI7P8v/zy1SGybZKwNqh+bTfNTPfU0Ls4WDl3 ksx4EYDkNezI1O6IqnLw6IiKCBOl8OqX55zfM92Swa0oRxzAdp6TwiMIxCCiwI3k yi9VNMizA=
DomainKey-Signature:
a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b= X5l4O7ji9W9HSYu1Ta+onRtuyjr6CF8h6MWTctCFHm58dXzD6Fh3/WozPFGtwLw3 MWZprgWD0u6JL4bEq7ll5PRe6tOdzNL+6FxpL+alt92Jmm8Gy0GlwLpdUZOqvgVG rMzjs3jaHbAM+HvF7cLsGjuFwmzJ9wkypCrqddSqIDY=
Received:
from dbserv.netpilot.net (unknown [195.214.79.22]) by localhost (Postfix) with ESMTP id 7620A1EB0004 for <anoriega@prima.com.ar>; Thu, 29 Jul 2010 12:01:25 +0000 (UTC)
Precedence:
bulk
MIME-Version:
1.0
X-Mailer:
clean mx secure mailer
X-Virus-Scanned:
by netpilot GmbH at clean-mx.de
Nachricht-ID:
<20100729.1280403331@dbserv.netpilot.net>
content-Type:
multipart/signed; boundary="----------=_1280404885-25182-16015"; micalg="pgp-sha1"; protocol="application/pgp-signature"
Return-Path:
abuse@clean-mx.de
X-OriginalArrivalTime:
29 Jul 2010 12:01:28.0890 (UTC) FILETIME=[C6F429A0:01CB2F15]

Dear abuse team,

please help to close these offending portals sites(3) so far.

status: As of 2010-07-29 13:35:31 CEST
http://support.clean-mx.de/clean-mx/portals.php?email=anoriega@PRIMA.COM.AR&response=alive

(for full uri, please scroll to the right end ...

This information has been generated out of our comprehensive real time database, tracking worldwide portals URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=190.228.29.89

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

|date            |id   |virusname   |ip      |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2010-06-18 19:47:25 CEST   |120441   |unknown_html   |190.228.29.89   |alsham-artarabe.com   |http://alsham-artarabe.com/k1.html
|2010-07-02 18:45:03 CEST   |128324   |unknown_html   |190.228.29.89   |buenosairesdental.com.ar   |http://buenosairesdental.com.ar/rx1.html
|2010-07-28 05:45:07 CEST   |138342   |unknown_html   |190.228.29.89   |elserver.com   |http://jiamm.com.ar.elserver.com/rx1.html
+-----------------------------------------------------------------------------------------------


Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case


yours

Gerhard W. Recher
(Gesch鋐tsf黨rer)

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 M黱chen

Tel: ++49 89 547182 0
Fax: ++49 89 547182 33
GSM: ++49 171 4802507

Handelsregister M黱chen: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc

July 29, 2010, 12:05:48 pm
Reply #12

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
Hi. This is the qmail-send program at pop.aviso.ci.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<denis.tiegbe@orange-cit.ci>:
Connected to 41.202.66.19 but sender was rejected.
Remote host said: 501 Syntax error - Badly formatted address.

<cjelen@aviso.ci>:
user does not exist, but will deliver to /home/vpopmail/domains/aviso.ci/postmaster/
user is over quota


--- Below this line is a copy of the message.

Return-Path: <abuse@clean-mx.de>
Received: (qmail 22705 invoked by uid 513); 29 Jul 2010 11:56:57 -0000
Received: from unknown (HELO ultramx.aviso.ci) (213.136.96.5)
  by 0 with SMTP; 29 Jul 2010 11:56:57 -0000
Received-SPF: fail (0: SPF record at netpilot.net does not designate 213.136.96.5 as permitted sender)
X-Greylist: delayed 83 seconds by postgrey-1.32 at ultramx; Thu, 29 Jul 2010 11:47:00 GMT
Received: from relayn.netpilot.net (relayn.netpilot.net [62.67.240.20])
   by ultramx.aviso.ci (Postfix) with SMTP id 46CFEB41E1
   for <cjelen@aviso.ci>; Thu, 29 Jul 2010 11:47:00 +0000 (GMT)
Received: from relayn.netpilot.net (localhost [127.0.0.1])
   by relayn.netpilot.net (Postfix) with ESMTP id DE2811EB0032
   for <cjelen@aviso.ci>; Thu, 29 Jul 2010 13:47:14 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to
   :subject:mime-version:message-id:date:content-type; s=sel; bh=xB
   DTER+RjvDuDdlj7ky7tClNFmw=; b=pNs/lLwl6Pg9aOfNyhAEVzpvN4qcflY0dH
   omkRk/Lp8VjPiLMZ+luqDI+RLe9me7qGQwXMrSR9K+W/0jE7o5PLtX7sSlIwtVok
   O6ZSYDrYcvAQGmnlYfUnk9iyuglG15L2ZTKT+tgXwIY46JhzPeqChOUGiOuI+R4K
   3bwdxnNuY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to
   :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b=
   r4LPuH7uQNRpBTUwfNQ/9nFbIuaNnMwjKjmONUHUANSxKoJVCM6zWIKZYrV4CFut
   cgs1ih8Riv1J0k4i4NuSL9txkDBGCk5U+3Ez/7v8k6t9MopwoMVvDpx5C1CJXcTK
   2g3ZS4f3rtHX94P+O+JrazLrQKAdgq/a1YmavgQ0Hjk=
Received: from dbserv.netpilot.net (unknown [195.214.79.22])
   by localhost (Postfix) with ESMTP id B5C731EB0044
   for <cjelen@aviso.ci>; Thu, 29 Jul 2010 11:47:14 +0000 (UTC)
From: abuse@clean-mx.de
to: cjelen@aviso.ci
Subject: [clean-mx-viruses-410579](213.136.106.214)-->(cjelen@aviso.ci) viruses sites (1  so far) within your network, please close them!  status: As of 2010-07-29 13:33:16 CEST
Precedence: bulk
MIME-Version: 1.0
X-Mailer: clean mx secure mailer
X-Virus-Scanned: by netpilot GmbH at clean-mx.de
Message-Id: <20100729.1280403196@dbserv.netpilot.net>
Date: Thu, 29 Jul 2010 13:33:16 +0200
content-Type: multipart/signed; boundary="----------=_1280404034-25182-13745"; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-AVISO-MailScanner-ID: 46CFEB41E1.A4B2C
X-AVISO-MailScanner: Found to be clean
X-AVISO-MailScanner-SpamScore: s
X-AVISO-MailScanner-From: abuse@clean-mx.de
X-Spam-Status: No

This is a multi-part message in MIME format.
It has been signed conforming to RFC3156.
Produced by clean-mx transparent crypt gateway.
Version: 2.01.0619 http://www.clean-mx.de
You need GPG to check the signature.

------------=_1280404034-25182-13745
Content-type: multipart/mixed;   boundary="----=_NextPart"

This is a multi-part message in MIME format.

------=_NextPart
Content-Type: text/plain; charset="iso-8859-1"

Dear abuse team,

please help to close these offending viruses sites(1) so far.

status: As of 2010-07-29 13:33:16 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=cjelen@aviso.ci&response=alive

(for full uri, please scroll to the right end ...


We detected many active cases dated back to 2007, so please look at the date column below.
You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=213.136.106.214

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

|date            |id   |virusname   |ip      |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2010-02-01 00:24:50 CET   |410579   |PHP/Pbot.A.9   |213.136.106.214   |213.136.106.214   |http://213.136.106.214/nicci/_private/_cgi_cnf/.loop/.rut2.txt?????
+-----------------------------------------------------------------------------------------------


Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case

explanation of virusnames:
==========================
unknown_html_RFI_php   not yet detected by scanners as RFI, but pure php code for injection
unknown_html_RFI_perl   not yet detected by scanners as RFI, but pure perl code for injection
unknown_html_RFI_eval   not yet detected by scanners as RFI, but suspect javascript obfuscationg evals
unknown_html_RFI   not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
unknown_html   not yet detected by scanners as RFI, but suspious, may be in rare case false positive
unknown_exe   not yet detected by scanners as malware, but high risk!
all other names   malwarename detected by scanners
==========================


yours

Gerhard W. Recher
(Gesch鋐tsf黨rer)

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 M黱chen

Tel: ++49 89 547182 0
Fax: ++49 89 547182 33
GSM: ++49 171 4802507

Handelsregister M黱chen: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc
------=_NextPart--

------------=_1280404034-25182-13745
Content-Type: application/pgp-signature; name="signature.asc"
Content-Disposition: inline; filename="signature.asc"
Content-Transfer-Encoding: 7bit
Content-Description: Digital Signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJMUWpCAAoJEBTGcx9kwGtzLIYIAIM6IhNbvKOBwTjYLaEiI+BI
mSVpMhwBm+F8/tY9Pk+pzY1Q0D09fbtfB767NuG+2Hv657CNjpl/foLV7huaV2TO
olWVwNGBsH0URNUuH8sr3bICrehfBByS90mHPa62S4TqUHAOTxC9/gm1kON3LXgi
GT90ql9PPfzWtjHVCnuzDakjms+T8VbbT01C56nXefSIDSh1gWNmYgoqk2kzeLd5
tOOWPLcFHg83BgGIvCaEB2ZxjSnXN7U4ORRZbu7EGHETdbtmVT20mCmaTZOOXzWv
Ka9nFpk3HFjIHMPrfklehEpBc7pr6L3xcGZY3noUrhqy8zTKJC4RSUoQeRJ0vhs=
=Tkzy
-----END PGP SIGNATURE-----

------------=_1280404034-25182-13745--

-- Ce message a 閠 v閞ifi par MailScanner pour des virus ou des polluriels et rien de suspect n'a 閠 trouv. For all your IT requirements visit: http://www.transtec.co.uk

July 29, 2010, 12:06:49 pm
Reply #13

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

       abuse@ono.es





Reporting-MTA: dns;correo.ono.es
Received-From-MTA: dns;antispam01.ono.es
Arrival-Date: Thu, 29 Jul 2010 14:04:41 +0200

Final-Recipient: rfc822;abuse@ono.es
Action: failed
Status: 5.7.1
X-Display-Name: Abuse



Teil 1.2
Betreff:
[clean-mx-viruses-617004](62.82.102.227)-->(abuse@ono.es) viruses sites (3 so far) within your network, please close them! status: As of 2010-07-29 13:35:58 CEST
Von:
abuse@clean-mx.de
Datum:
Thu, 29 Jul 2010 13:35:58 +0200
An:
abuse@ono.es
Received:
from antispam01.ono.es ([172.16.3.19]) by correo.ono.es with Microsoft SMTPSVC(6.0.3790.4675); Thu, 29 Jul 2010 14:04:41 +0200
Received:
from (unknown [62.67.240.20]) by antispam01.ono.es with smtp id 089a_2ced_1441d2f0_9b1a_11df_a987_0013725c6ca4; Thu, 29 Jul 2010 16:03:35 +0200
Received:
from relayn.netpilot.net (localhost [127.0.0.1]) by relayn.netpilot.net (Postfix) with ESMTP id 3C7311EB00F6 for <abuse@ono.es>; Thu, 29 Jul 2010 14:04:38 +0200 (CEST)
DKIM-Signature:
v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; s=sel; bh=ER bl/vF8J2cgaKJEBXSHNPZzWms=; b=MH4iTgIvDaJXV95vUMNzF9qdUkmOkU/gwy wfJqus8/TAGjw1ueKbXEZAFi6Zpjke5iqI4kQ2kHjqjrwWt4Y3TPGwXG3b2uCYtr CnYHhui9puyQlfF5ELCI/te/w48g6yzmgGJrh+P0WqsmqAxzoYS87sb9DHquELB8 PNQ5FylDc=
DomainKey-Signature:
a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b= ZTkAVq1+3XgrJSDRVPjfTYhdwlosKSIdb26ZXRGBR4JzoDNuEAnAZqjsnsI367TM dA3v4ThXf8dik9orNdMqiqppX8S3dEzJiLU1OmEE4pwxDP4qeEUquUpgNAQyyroN UcSiWxJDUfyk7SGYGd+ArjFKtxYJYIVeRMcjDiXVkMg=
Received:
from dbserv.netpilot.net (unknown [195.214.79.22]) by localhost (Postfix) with ESMTP id 092BF1EB00FC for <abuse@ono.es>; Thu, 29 Jul 2010 12:04:38 +0000 (UTC)
Precedence:
bulk
MIME-Version:
1.0
X-Mailer:
clean mx secure mailer
X-Virus-Scanned:
by netpilot GmbH at clean-mx.de
Nachricht-ID:
<20100729.1280403358@dbserv.netpilot.net>
content-Type:
multipart/signed; boundary="----------=_1280405077-25182-16598"; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-NAI-Spam-Flag:
NO
X-NAI-Spam-Level:
**
X-NAI-Spam-Threshold:
4
X-NAI-Spam-Score:
2
X-NAI-Spam-Version:
2.2.0.9286 : core <3588> : streams <515234> : uri <637092>
Return-Path:
abuse@clean-mx.de
X-OriginalArrivalTime:
29 Jul 2010 12:04:41.0068 (UTC) FILETIME=[398032C0:01CB2F16]

Dear abuse team,

please help to close these offending viruses sites(3) so far.

status: As of 2010-07-29 13:35:58 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=abuse@ono.es&response=alive

(for full uri, please scroll to the right end ...


We detected many active cases dated back to 2007, so please look at the date column below.
You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=62.82.102.227

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

We denote domains and url in this fancy way, because your spamfilter will not pass this !
If you lower your filter drop us a note to reset this attribute for your email contact!


|date            |id   |virusname   |ip      |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2010-07-05 22:19:53 CEST   |617004   |PHP.Id-30   |62.82.102.227   |_n_u_e_v_o_p_g_c_._e_s   |_h_t_t_p_:_/_/_w_w_w_._n_u_e_v_o_p_g_c_._e_s_/_/_i_m_a_g_e_s_/_s_c_._p_d_f
|2010-07-07 19:37:12 CEST   |617748   |PHP.Agent-4   |62.82.102.227   |_n_u_e_v_o_p_g_c_._e_s   |_h_t_t_p_:_/_/_w_w_w_._n_u_e_v_o_p_g_c_._e_s_/_/_i_m_a_g_e_s_/_1_._t_x_t
|2010-07-14 20:02:47 CEST   |620866   |PHP.Agent-4   |62.82.102.227   |_n_u_e_v_o_p_g_c_._e_s   |_h_t_t_p_:_/_/_w_w_w_._n_u_e_v_o_p_g_c_._e_s_/_/_i_m_a_g_e_s_/_e_r_r_o_r
+-----------------------------------------------------------------------------------------------


Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case

explanation of virusnames:
==========================
unknown_html_RFI_php   not yet detected by scanners as RFI, but pure php code for injection
unknown_html_RFI_perl   not yet detected by scanners as RFI, but pure perl code for injection
unknown_html_RFI_eval   not yet detected by scanners as RFI, but suspect javascript obfuscationg evals
unknown_html_RFI   not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
unknown_html   not yet detected by scanners as RFI, but suspious, may be in rare case false positive
unknown_exe   not yet detected by scanners as malware, but high risk!
all other names   malwarename detected by scanners
==========================


yours

Gerhard W. Recher
(Gesch鋐tsf黨rer)

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 M黱chen

Tel: ++49 89 547182 0
Fax: ++49 89 547182 33
GSM: ++49 171 4802507

Handelsregister M黱chen: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc

July 29, 2010, 12:09:38 pm
Reply #14

cleanmx

  • Special Members
  • Hero Member

  • Offline
  • *

  • 3405
    • Spam-Filter Anti-Spam Virenschutz - CLEAN MX Managed Anti-Spam Service ist die L鰏ung f黵 Ihr Spam-Problem
Quote
很抱歉地通知您,邮件无法投递到指定收件人,请先通过其它方式向您的朋友发送信息,以免耽误。
Sorry, we were unable to deliver your message to the following address. Please reach him/her through other ways for any emergency .

被退回邮件(Returned Mail):
> > 日期(Date): <Thu, 29 Jul 2010 19:41:03 +0800>
> > 大小(Size): <353>
没有能够发送到以下的收件人:
Sorry, we were unable to deliver your message to the following address:
<abuse@gddc.com.cn>

退信原因(The Reasons For Bounce):
<abuse@gddc.com.cn>: host 127.0.0.1[127.0.0.1] said: 550 bounce as<too many mails in the destination mailbox abuse@gddc.com.cn> (in reply to end of DATA command)



[clean-mx-viruses-621748](121.12.105.151)-->(abuse@gddc.com.cn) viruses sites (2 so far) within your network, please close them! status: As of 2010-07-29 13:31:48 CEST.eml
Betreff:
[clean-mx-viruses-621748](121.12.105.151)-->(abuse@gddc.com.cn) viruses sites (2 so far) within your network, please close them! status: As of 2010-07-29 13:31:48 CEST
Von:
abuse@clean-mx.de
Datum:
Thu, 29 Jul 2010 13:31:48 +0200
An:
abuse@gddc.com.cn
HMM_SOURCE_IP:
10.27.101.1:55130.1639014530
HMM_ATTACHE_NUM:
0001
HMM_SOURCE_TYPE:
SMTP
Received:
from entas1-mta (unknown [10.27.101.1]) by corp.21cn.com (HERMES) with ESMTP id 9247B3E4014 for <abuse@gddc.com.cn>; Thu, 29 Jul 2010 19:41:03 +0800 (CST)
Received:
from relayn.netpilot.net([62.67.240.20]) by entas1-mta(Knowledge-based Antispam Gateway 2.129d2(2010-06-30),121.14.129.71) with ESMTP id mx29403.1280403662 for <abuse@gddc.com.cn>; Thu, 29 Jul 2010 19:41:04 +0800 (CST)
X-Original-MailFrom:
abuse@clean-mx.de
Received:
from relayn.netpilot.net (localhost [127.0.0.1]) by relayn.netpilot.net (Postfix) with ESMTP id 9CBF81EB00BD for <abuse@gddc.com.cn>; Thu, 29 Jul 2010 13:40:53 +0200 (CEST)
DKIM-Signature:
v=1; a=rsa-sha1; c=simple; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; s=sel; bh=Wl v0zJNliZJJZrUNO8AJG25pn/8=; b=cN6jeFJqYdil1rmMOQm7HAM355iY/rFmCU C9Net9Nxby+hFwUEnpT1a3EqAni4L5RQGlcaiTIjp8ierWRZnfpwOrDzOcpvRT+p gXFA3XXD0utzDmTq8mBhbyJXKo7LvJeaDYPpxK1PiBVghlvRFYe4AnaY2HnTfIvD 3ZwnhM/38=
DomainKey-Signature:
a=rsa-sha1; c=nofws; d=clean-mx.de; h=from:to :subject:mime-version:message-id:date:content-type; q=dns; s=sel; b= NhDoATmSjCER7acxsZUJAjSAZ2QxRsZs5Mb3F8EDa7XLf89HeJ9boiEu25i7iB+g 1hGL+jImmwVqhZExnYPBPVwswfYV9LbzVAcrutf6ST/MV8LzJte7PyGXUMsKiXSP oPFo6tcvh97VSbW1NaB5zFfPxYbA+A7EBBCeaNOtSdQ=
Received:
from dbserv.netpilot.net (unknown [195.214.79.22]) by localhost (Postfix) with ESMTP id 8155B1EB00E1 for <abuse@gddc.com.cn>; Thu, 29 Jul 2010 11:40:53 +0000 (UTC)
Precedence:
bulk
MIME-Version:
1.0
X-Mailer:
clean mx secure mailer
X-Virus-Scanned:
by netpilot GmbH at clean-mx.de
Nachricht-ID:
<20100729.1280403108@dbserv.netpilot.net>
content-Type:
multipart/signed; boundary="----------=_1280403653-25182-12594"; micalg="pgp-sha1"; protocol="application/pgp-signature"

Dear abuse team,

please help to close these offending viruses sites(2) so far.

status: As of 2010-07-29 13:31:48 CEST
http://support.clean-mx.de/clean-mx/viruses.php?email=abuse@gddc.com.cn&response=alive

(for full uri, please scroll to the right end ...


We detected many active cases dated back to 2007, so please look at the date column below.
You may also subscribe to our MalwareWatch list http://lists.clean-mx.com/cgi-bin/mailman/listinfo/viruswatch

This information has been generated out of our comprehensive real time database, tracking worldwide viruses URI's

most likely also affected pages for these ip may be found via passive dns
please have a look on these other domains correlated to these ip
example: see  http://www.bfk.de/bfk_dnslogger.html?query=121.12.105.151

If your review this list of offending site, please do this carefully, pay attention for redirects also!
Also, please consider this particular machines may have a root kit installed !
So simply deleting some files or dirs or disabling cgi may not really solve the issue !

Advice: The appearance of a Virus Site on a server means that
someone intruded into the system. The server's owner should
disconnect and not return the system into service until an
audit is performed to ensure no data was lost, that all OS and
internet software is up to date with the latest security fixes,
and that any backdoors and other exploits left by the intruders
are closed. Logs should be preserved and analyzed and, perhaps,
the appropriate law enforcement agencies notified.

DO NOT JUST DELETE THE FILES. IF YOU DO NOT FIX THE SECURITY
PROBLEM, THEY WILL BE BACK!

You may forward my information to law enforcement, CERTs,
other responsible admins, or similar agencies.

+-----------------------------------------------------------------------------------------------

We denote domains and url in this fancy way, because your spamfilter will not pass this !
If you lower your filter drop us a note to reset this attribute for your email contact!


|date            |id   |virusname   |ip      |domain      |Url|
+-----------------------------------------------------------------------------------------------
|2010-07-16 12:40:05 CEST   |621748   |JS/Dldr.Agent.biu   |121.12.105.151   |_w_a_n_g_q_i_a_o_3_6_5_._c_o_m   |_h_t_t_p_:_/_/_w_w_w_._w_a_n_g_q_i_a_o_3_6_5_._c_o_m_/_i_m_g_/_a_d_._h_t_m
|2010-07-16 12:40:05 CEST   |621749   |Trojan-Downloader.Win32.Small!IK   |121.12.105.151   |_w_a_n_g_q_i_a_o_3_6_5_._c_o_m   |_h_t_t_p_:_/_/_w_w_w_._w_a_n_g_q_i_a_o_3_6_5_._c_o_m_/_i_m_g_/_s_._e_x_e
+-----------------------------------------------------------------------------------------------


Your email address has been pulled out of whois concerning this offending network block(s).
If you are not concerned with anti-fraud measurements, please forward this mail to the next responsible desk available...


If you just close(d) these incident(s) please give us a feedback, our automatic walker process may not detect a closed case

explanation of virusnames:
==========================
unknown_html_RFI_php   not yet detected by scanners as RFI, but pure php code for injection
unknown_html_RFI_perl   not yet detected by scanners as RFI, but pure perl code for injection
unknown_html_RFI_eval   not yet detected by scanners as RFI, but suspect javascript obfuscationg evals
unknown_html_RFI   not yet detected by scanners as RFI, but trapped by our honeypots as remote-code-injection
unknown_html   not yet detected by scanners as RFI, but suspious, may be in rare case false positive
unknown_exe   not yet detected by scanners as malware, but high risk!
all other names   malwarename detected by scanners
==========================


yours

Gerhard W. Recher
(Gesch鋐tsf黨rer)

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 M黱chen

Tel: ++49 89 547182 0
Fax: ++49 89 547182 33
GSM: ++49 171 4802507

Handelsregister M黱chen: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc