Velocity Reviews - Computer Hardware Reviews

Leo Kuvayev / BadCow ANZ Bank Phish

 
 
Anony Mouse
      10-14-2006
Here we go...
The usual group of criminals involved in these bank phishes.

Criminal registrar Melbourne IT through their New Zealand branch
Domainz. Need I say that this type of behaviour is typical of Melbourne
IT. They most certainly need to have criminal charges laid against them
for allowing such a domain name to be registered. It clearly shows that
they do not do any due diligence at all.

Criminal hosting service EV1 hosts the web site.
Note this is the service that has hosted the illegal meds sites
listed on spam.co.nz and has such clients as Bill Stanley amongst
others. Also note that the source ip address that the spam was sent from
is also an EV1 address. Most certainly due to the nature of their
business their servers are very secure. They are regularly attacked due
to their involvement in illegal spam.

It is my considered opinion that EV1 needs to have charges laid against
them for aiding and abetting criminal spam gangs.

Possibly the DNS host does not know who is using their service.
A hat check on layeredtech.com added to this post would be much
appreciated. I can't say I know much about them.

Note the email address the spam was sent to is an address that Leo has
been using for a while.


From - Sun Oct 15 11:27:29 2006
X-UIDL: 1160864867.9458.mail6
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: <>
Delivered-To:
Received: (qmail 9293 invoked from network); 14 Oct 2006 22:27:45 -0000
Received: from ironport4.ihug.co.nz (203.109.254.24)
by mail6.ihug.co.nz with SMTP; 14 Oct 2006 22:27:45 -0000
Received: from grunt15.ihug.co.nz ([203.109.254.62])
by ironport4.ihug.co.nz with ESMTP; 15 Oct 2006 11:27:45 +1300
X-Testing-Not: Yes
X-Ironport-Seen: Yes
X-BrightmailFiltered: true
X-Brightmail-Tracker: AAAAAQAAA+k=
X-IronPort-AV: i="4.09,311,1157284800";
d="gif'147?scan'147,208,217,147"; a="253036700:sNHT48628140"
X-Spam-Status: No
X-IHUG-iSpy: Doesn't appear to be Spam
Received: from ironport4.ihug.co.nz [203.109.254.24]
by grunt15.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian))
id 1GYryk-0002aH-00; Sun, 15 Oct 2006 11:27:38 +1300
Received: from mars.linuxsystems.net.nz ([202.27.219.162])
by ironport4.ihug.co.nz with ESMTP; 15 Oct 2006 11:27:38 +1300
X-Ironport-MID: 253036548
X-Reputation: 3.5
Received: from serv4.slavhost.ru (serv4.slavhost.ru [67.15.70.4])
by mars.linuxsystems.net.nz (Postfix) with SMTP id AC078A9ECA
for <>; Sun, 15 Oct 2006 11:22:05 +1300 (NZDT)
Received: from yaumk (180.234.157.221)
by serv4.slavhost.ru; Sun, 15 Oct 2006 02:27:35 +0400
Message-ID: <001a01c42018$ee67b4ca$ea7fca3e@yaumk>
Reply-To: Dontreply <>
From: "ANZ.com surveys" <>
To: 3f5927a4.8030604 <>
Subject: review: Random surveys asking for valuable feedback on how we
are doing and how we can improve
Date: Sun, 15 Oct 2006 02:27:35 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_001D_01C4CA3E.EA7FB4CA"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

------=_NextPart_000_001D_01C4CA3E.EA7FB4CA

URL from spam http://www.anzfeedback.co.nz/inetbank/bankmain.php

whois anzfeedback.co.nz
% New Zealand Domain Name Registry Limited
% Users confirm on submission their agreement to all published Terms
%
version: 1.23.0
query_datetime: 2006-10-15T11:32:11+13:00
domain_name: anzfeedback.co.nz
query_status: 200 Active
domain_dateregistered: 2006-10-01T18:05:04+13:00
domain_datebilleduntil: 2007-10-01T18:05:04+12:00
domain_datelastmodified: 2006-10-02T07:15:23+13:00
domain_delegaterequested: yes
%
registrar_name: Domainz Limited
registrar_address1: Private Bag 1810
registrar_city: Wellington
registrar_country: NZ (NEW ZEALAND)
registrar_phone: +64 4 473 4567
registrar_fax: +64 4 473 4569
registrar_email:
%
registrant_contact_name: cindy cole
registrant_contact_address1: Meadow Glen Pkwy
registrant_contact_city: Fairburn
registrant_contact_country: US (UNITED STATES)
registrant_contact_phone: +16 78 4325443
registrant_contact_email: nz-
%
admin_contact_name: cindy cole
admin_contact_address1: Meadow Glen Pkwy
admin_contact_city: Fairburn
admin_contact_country: US (UNITED STATES)
admin_contact_phone: +16 78 4325443
admin_contact_email: nz-
%
technical_contact_name: cindy cole
technical_contact_address1: Meadow Glen Pkwy
technical_contact_city: Fairburn
technical_contact_country: US (UNITED STATES)
technical_contact_phone: +16 78 4325443
technical_contact_email: nz-
%
ns_name_01: ns1.cc-dns.net
ns_name_02: ns2.cc-dns.net

dig anzfeedback.co.nz

; <<>> DiG 9.2.4 <<>> anzfeedback.co.nz
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19996
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;anzfeedback.co.nz. IN A

;; ANSWER SECTION:
anzfeedback.co.nz. 78 IN A 67.15.70.4

;; AUTHORITY SECTION:
anzfeedback.co.nz. 78 IN NS ns1.cc-dns.net.

;; ADDITIONAL SECTION:
ns1.cc-dns.net. 170174 IN A 72.232.49.98

;; Query time: 1014 msec
;; SERVER: 203.109.252.42#53(203.109.252.42)
;; WHEN: Sun Oct 15 11:36:35 2006
;; MSG SIZE rcvd: 95

whois 67.15.70.4

OrgName: Everyones Internet
OrgID: EVRY
Address: 390 Benmar
Address: Suite 200
City: Houston
StateProv: TX
PostalCode: 77060
Country: US

NetRange: 67.15.0.0 - 67.15.255.255
CIDR: 67.15.0.0/16
NetName: EVRY-BLK-15
NetHandle: NET-67-15-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1.NET
NameServer: NS2.EV1.NET
Comment:
RegDate: 2004-02-06
Updated: 2005-12-16

RTechHandle: RW172-ARIN
RTechName: Williams, Randy
RTechPhone: +1-713-579-2850
RTechEmail:

OrgAbuseHandle: ABUSE477-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-713-579-2850
OrgAbuseEmail:

OrgNOCHandle: NOC1445-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-713-579-2850
OrgNOCEmail:

OrgTechHandle: RW172-ARIN
OrgTechName: Williams, Randy
OrgTechPhone: +1-713-579-2850
OrgTechEmail:

OrgTechHandle: VST3-ARIN
OrgTechName: Stinson, Valarie
OrgTechPhone: +1-713-579-2850
OrgTechEmail:

# ARIN WHOIS database, last updated 2006-10-13 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
whois 72.232.49.98

OrgName: Layered Technologies, Inc.
OrgID: LAYER-3
Address:
Address: 1647 Witt Road Suite#201
City: Frisco
StateProv: TX
PostalCode: 75034
Country: US

ReferralServer: rwhois://rwhois.layeredtech.com:4321

NetRange: 72.232.0.0 - 72.232.255.255
CIDR: 72.232.0.0/16
NetName: LAYERED-TECH-
NetHandle: NET-72-232-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.LAYEREDTECH.COM
NameServer: NS2.LAYEREDTECH.COM
Comment: Please send all abuse complaints to
Comment:
RegDate: 2005-09-07
Updated: 2006-03-07

RTechHandle: JPS66-ARIN
RTechName: Suo-Anttila, Jeremy Paul
RTechPhone: +1-972-398-7998
RTechEmail:

OrgAbuseHandle: LAT-ARIN
OrgAbuseName: LT Abuse Team
OrgAbusePhone: +1-972-398-7998
OrgAbuseEmail:

OrgNOCHandle: LIT-ARIN
OrgNOCName: LT IP-Network Team
OrgNOCPhone: +1-972-398-7998
OrgNOCEmail:

OrgTechHandle: LNT3-ARIN
OrgTechName: LT NOC Team
OrgTechPhone: +1-972-398-7998
OrgTechEmail:

# ARIN WHOIS database, last updated 2006-10-13 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Found a referral to rwhois.layeredtech.com:4321.

%rwhois V-1.5:003eff:00 rwhois.layeredtech.com (by Network Solutions,
Inc. V-1.5.7.3)
network:Class-Name:network
network:ID:ORG-LAYER-3.72.232.0.0/18
network:Auth-Area:72.232.0.0/18
network:Network-Name:ORG-LAYER-3-72.232.49.97
network:IP-Network:72.232.49.97/29
network:Organization;I:Qc1 Internet
network:Org-Name:radiokoha.qc1.net
network:Street-Address:2 Jacobs Green
network:City:Saffron Walden
network:State:England
network:Postal-Code:CB10 1DH
network:Country-Code:GB
network:Phone:972-398-7998
network:Tech-Contact;I:
network:Admin-Contact;I:
network:Abuse-Contact;I:
network:Created:20060361
network:Updated:20060361
network:Updated-By:

Source of the spam

whois 67.15.70.4


The web site is up and operational.

http://www.anzfeedback.co.nz/inetbank/bankmain.php

The top level of the domain http://www.anzfeedback.co.nz/ has the
standard EV1 CPanel interface.

http://www.anzfeedback.co.nz/inetbank/anz.txt
Contains the login and password information gathered.

The first entry shows a Road Runner IP address.
It is thought that this is the IP of the phisher and is most likely a
trojaned machine. The second entry was the same and phishy testing,
as at first the password I entered was rejected.

whois 66.108.255.162

OrgName: Road Runner HoldCo LLC
OrgID: RRNY
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US

ReferralServer: rwhois://ipmt.rr.com:4321

NetRange: 66.108.0.0 - 66.108.255.255
CIDR: 66.108.0.0/16
NetName: ROADRUNNER-NYC-1
NetHandle: NET-66-108-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.RR.COM
NameServer: DNS2.RR.COM
NameServer: DNS3.RR.COM
NameServer: DNS4.RR.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-04-13
Updated: 2001-07-13

RTechHandle: ZS30-ARIN
RTechName: ServiceCo LLC
RTechPhone: +1-703-345-3416
RTechEmail:

OrgAbuseHandle: ABUSE10-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-345-3416
OrgAbuseEmail:

OrgTechHandle: IPTEC-ARIN
OrgTechName: IP Tech
OrgTechPhone: +1-703-345-3416
OrgTechEmail:

# ARIN WHOIS database, last updated 2006-10-13 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Found a referral to ipmt.rr.com:4321.

%rwhois V-1.5:003fff:00 ipmt-01.rr.com (by Network Solutions, Inc.
V-1.5.7.3)
network:Class-Name:network
network:ID:NETBLK-isrr-66.108.248.0-21
network:Auth-Area:66.108.248.0/21
network:Network-Name:isrr-66.108.248.0
network:IP-Network:66.108.248.0/21
network:IP-Network-Block:66.108.248.0 - 66.108.255.255
network:Organization;I:Road Runner
network:Tech-Contact;I:
network:Admin-Contact;I:IPADD-ARIN
network:Created:20061014
network:Updated:20061014
network:Updated-By:

network:Class-Name:network
network:ID:NETBLK-ISRR-66.108.128.0/17
network:Auth-Area:66.108.128.0/17
network:Network-Name:ISRR-66.108.128.0
network:IP-Network:66.108.128.0/17
network:IP-Network-Block:66.108.128.0 - 66.108.255.255
network:Organization;I:Road Runner
network:Tech-Contact;I:
network:Admin-Contact;I:IPADD-ARIN
network:Created:20061014
network:Updated:20061014
network:Updated-By:

The web server is configured with a host name of
www.thequicksoftware.com which has been registered to Go Daddy and is
currently parked.

While looking at the web site the top level directory was reconfigured
and access to the directory was closed and then access to the file
anz.txt was closed off.

In other words as soon as the phishers saw that things were not secure they
moved quickly to close off access.

Finally the EV1 admin watches the news group Nanae and is most certainly
aware of the activities of his clients. He knows who they are and is
profiting from their illegal activities.

Law enforcement most certainly needs to action a search and seizure
warrant against EV1.

Anony Mouse
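The trace the poster did by hand, as an added example in Python (not code from the post): unfold the Received chain, stop at the last hop stamped by a trusted relay (assumed here to be ihug.co.nz and linuxsystems.net.nz, the poster's own mail path), and compare that handoff IP with the phish domain's A record and the hoster's netblock from whois. The header and dig samples are constructed, trimmed copies of those quoted above.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: a trimmed copy of the Received chain quoted in the post
# (elided addresses left out). The topmost Received line is the last hop.
SAMPLE_HEADERS = """\
Received: (qmail 9293 invoked from network); 14 Oct 2006 22:27:45 -0000
Received: from ironport4.ihug.co.nz (203.109.254.24)
 by mail6.ihug.co.nz with SMTP; 14 Oct 2006 22:27:45 -0000
Received: from mars.linuxsystems.net.nz ([202.27.219.162])
 by ironport4.ihug.co.nz with ESMTP; 15 Oct 2006 11:27:38 +1300
Received: from serv4.slavhost.ru (serv4.slavhost.ru [67.15.70.4])
 by mars.linuxsystems.net.nz (Postfix) with SMTP id AC078A9ECA
 for <>; Sun, 15 Oct 2006 11:22:05 +1300 (NZDT)
Received: from yaumk (180.234.157.221)
 by serv4.slavhost.ru; Sun, 15 Oct 2006 02:27:35 +0400
"""

# Constructed sample of the dig answer quoted in the post.
SAMPLE_DIG = """\
;; QUESTION SECTION:
;anzfeedback.co.nz. IN A

;; ANSWER SECTION:
anzfeedback.co.nz. 78 IN A 67.15.70.4
"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def header_values(raw, name):
    """All values of one header in on-the-wire order (newest Received first)."""
    out = []
    for line in unfold(raw):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            out.append(value.strip())
    return out


def parse_received(value):
    """Pull the 'from' host, the 'by' host and the bracketed peer IP out of one hop."""
    m_from = re.search(r"\bfrom\s+(\S+)", value)
    m_by = re.search(r"\bby\s+(\S+)", value)
    m_ip = IP_RE.search(value)
    return {"from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "ip": m_ip.group(1) if m_ip else None}


def is_trusted(host, suffixes):
    return host is not None and any(host == s or host.endswith("." + s) for s in suffixes)


def origin_hop(hops, trusted_suffixes):
    """Walk newest to oldest and stop at the first hop not stamped by a trusted relay.
    The last trusted hop is the handoff into our own mail path; its peer IP is the
    last value we can rely on, since every line below it was written by the sender."""
    entry = None
    for hop in hops:
        if hop["by"] is None:      # locally generated, e.g. "qmail invoked from network"
            continue
        if not is_trusted(hop["by"], trusted_suffixes):
            break
        entry = hop
    return entry


def dig_a_records(dig_output, name):
    """A records for `name` from dig's answer section (the question line is skipped)."""
    recs = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0].rstrip(".") == name and parts[2:4] == ["IN", "A"]:
            recs.append(parts[4])
    return recs


def correlate(headers, dig_output, domain, trusted_suffixes, hoster_cidr):
    """Does the relay that handed us the spam match the phish site's A record, and do
    both fall inside the hoster's netblock (hoster_cidr from the whois NetRange)?"""
    hops = [parse_received(v) for v in header_values(headers, "Received")]
    entry = origin_hop(hops, trusted_suffixes)
    site_ips = dig_a_records(dig_output, domain)
    net = ip_network(hoster_cidr)
    return {"source_host": entry["from"], "source_ip": entry["ip"], "site_ips": site_ips,
            "same_host": entry["ip"] in site_ips,
            "source_in_hoster_block": ip_address(entry["ip"]) in net,
            "site_in_hoster_block": all(ip_address(a) in net for a in site_ips)}


if __name__ == "__main__":
    print(correlate(SAMPLE_HEADERS, SAMPLE_DIG, "anzfeedback.co.nz",
                    ("ihug.co.nz", "linuxsystems.net.nz"), "67.15.0.0/16"))
```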
 
Anony Mouse
      10-15-2006
Within minutes of investigating this phish site and posting here and
nz.comp dns no longer resolves.

I guess phishy got very nervous.

Chalk one up to the anti-spammers...

**** you Leo and the EV1 scum that supports you.
You were not quick enough covering your tracks.

Just like I said. The scum bags are watching this news group and
probably nz.comp where I also post from time to time.

dig anzfeedback.co.nz @ns1.cc-dns.net

; <<>> DiG 9.2.4 <<>> anzfeedback.co.nz @ns1.cc-dns.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43362
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;anzfeedback.co.nz. IN A

;; Query time: 402 msec
;; SERVER: 72.232.49.98#53(ns1.cc-dns.net)
;; WHEN: Sun Oct 15 13:07:59 2006
;; MSG SIZE rcvd: 35


Anony Mouse
Spam NZ IP space and I will find you.
Ruslan, Leo and Alex your days are numbered.
 
Donchano
      10-15-2006
On Sun, 15 Oct 2006 13:16:08 +1300, Anony Mouse <>
magnanimously proffered:

>Within minutes of investigating this phish site and posting here and
>nz.comp dns no longer resolves.
>
>I guess phishy got very nervous.
>
>Chalk one up to the anti-spammers...
>
>**** you Leo and the EV1 scum that supports you.
>You were not quick enough covering your tracks.
>
>Just like I said. The scum bags are watching this news group and
>probably nz.comp where I also post from time to time.
>
>dig anzfeedback.co.nz @ns1.cc-dns.net
>
>; <<>> DiG 9.2.4 <<>> anzfeedback.co.nz @ns1.cc-dns.net
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43362
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;anzfeedback.co.nz. IN A
>
>;; Query time: 402 msec
>;; SERVER: 72.232.49.98#53(ns1.cc-dns.net)
>;; WHEN: Sun Oct 15 13:07:59 2006
>;; MSG SIZE rcvd: 35
>
>
>Anony Mouse
>Spam NZ IP space and I will find you.
>Ruslan, Leo and Alex your days are numbered.


I would very much like to know who or what is responsible for all of
the html stock report spams that are regularly getting past Xtra's
spam filters and into my inbox because they can't be filtered by
Thunderbird. Nor does reporting them to SpamCop do any good.

Whoever is sending them should have their fingers broken one at a
time.

 
Anony Mouse
      10-15-2006
Looks like an MS machine on RR to me.

nmap -sS -P0 66.108.255.162

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-10-15 12:45
NZDT
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Interesting ports on cpe-66-108-255-162.nyc.res.rr.com (66.108.255.162):
(The 1656 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
 
Anony Mouse
      10-15-2006

>>Anony Mouse
>>Spam NZ IP space and I will find you.
>>Ruslan, Leo and Alex your days are numbered.

>
>
> I would very much like to know who or what is responsible for all of
> the html stock report spams that are regularly getting past Xtra's
> spam filters and into my inbox because they can't be filtered by
> Thunderbird. Nor does reporting them to SpamCop do any good.
>
> Whoever is sending them should have their fingers broken one at a
> time.
>

Firstly I don't want to post this to nanae so I have not cross-posted it.

That's easy to answer...

Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov

http://www.spamhaus.org/rokso/listin...lex%20Polyakov

Leo Kuvayev / BadCow

http://www.spamhaus.org/rokso/listin...v%20/%20BadCow

Supported by this man who writes the software that exploits the
virus/trojan infected machines.

Ruslan Ibragimov / send-safe.com

http://www.spamhaus.org/rokso/listin...0send-safe.com

There are several others that live on Undernet IRC who write the code to
infect machines and the html/php that is used on the phishing web sites.

And more people who do the pump & dump buying and selling.

It is a huge gang and at this point I can't tell you who else is
involved although I have several names in my files from my investigations.

Think work from home and tax fraud which are both subjects linked to
this gang. Unfortunately I am not a professional investigator and it is
way too big for me to get my head around.

As for reporting them it is just a waste of time. If you do not analyse
the spam before reporting you will find that they use spam reports to
confirm that the email address is active.

If they find that you are attacking them they will attack your domain
name just like they do with my multi-drop mail box at my domain. 3,500 +
spam per week.

Why do they get past Xtra's spam filters... Because they use a different
bot net to send the spam almost every day. As fast as the bot net ip
addresses are listed they move on to another bot net.

These people are the most notorious criminal spam gang on the net with
links to at least one New Zealander that I know of. Well one that I am
prepared to disclose.

The New Zealander's name who I suspect is involved is ****** ******* of
Christchurch. He runs an internet-type business and is thought to be
involved in Credit Card fraud, Pay Pal fraud and money laundering.

Sorry I just can't bring myself to post his name as it may land me in
court if I publish it again. Let's say it has been published before.

He has also been tracked to web sites hosted on EV1.

As with these things it is very difficult to pin him down and despite
evidence being sent to several Ministers he has not been arrested.

How come I am so sure of myself... I have been tracking and watching
these scum for many years and been an anti-spam activist for nearly ten
years now.

I was one of the people who helped track down Shane Atkinson of
Christchurch. You can find info on his activities here.

http://www.nzherald.co.nz/storydispl...ection=general
http://www.nzherald.co.nz/storydispl...ondsubsection=
http://www.nzherald.co.nz/storydispl...toryID=3518744

This link needs windows media player which you should have on your PC.
mms://media.tvnz.co.nz/holmes/spam_300104_128k.wmv

As further evidence here is the source of a message that was bounced from
the Kiwi Bank servers. Note the virus name is my company name and the
phish was the first one the gang did targeting New Zealand and is the
result of my anti-spam activities.

In other words I am to blame for the ongoing targeting of New Zealand
citizens most likely however it could be said that they would have
targeted this country anyway as part of their ongoing expansion.

Note that on the same day one year later the first phish involving Kiwi
Bank customers was reported. The first one was covered up and at that
time the banks were not required to disclose such incidents.

Anony Mouse


From - Sat Dec 25 11:03:24 2004
X-UIDL: ;^'#!Zl@!!@Um!!U0<!!
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Return-Path: <>
Received: from localhost (fetchmail@localhost [127.0.0.1])
by gate.nomax (8.12.3/8.12.3/Debian-6.6) with ESMTP id iBOM1uKZ017239
for <pb@localhost>; Sat, 25 Dec 2004 11:01:59 +1300
Delivered-To:
Received: from pop.ihug.co.nz [203.109.252.42]
by localhost with POP3 (fetchmail-5.9.11)
for pb@localhost (single-drop); Sat, 25 Dec 2004 11:01:59 +1300 (NZDT)
Received: (qmail 2067 invoked from network); 24 Dec 2004 21:59:43 -0000
Received: from grunt2.ihug.co.nz (203.109.254.42)
by mail3.ihug.co.nz with SMTP; 24 Dec 2004 21:59:43 -0000
Received: from ironport2.ihug.co.nz [203.109.254.20]
by grunt2.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian))
id 1ChxTL-0001ZB-00; Sat, 25 Dec 2004 10:59:43 +1300
Received: from mars.linuxsystems.net.nz (202.27.219.162)
by ironport2.ihug.co.nz with ESMTP; 25 Dec 2004 10:59:39 +1300
X-Ironport-Seen: Yes
X-BrightmailFiltered: true
X-Brightmail-Tracker: AAAAAQAAA=
X-IHUG-iSpy: Doesn't appear to be Spam
Received: from wn-nzp-mgw-1.nzpost.co.nz (mail1.nzpost.co.nz
[210.48.48.100])
by mars.linuxsystems.net.nz (Postfix) with ESMTP id 1262EA9B5A
for <>; Sat, 25 Dec 2004 10:59:36 +1300 (NZDT)
Received: from mail1.nzpost.co.nz (localhost.localdomain [127.0.0.1])
by wn-nzp-mgw-1.nzpost.co.nz (8.11.6/8.11.6) with ESMTP id iBOLxdC24281
for <>; Sat, 25 Dec 2004 10:59:39 +1300
Received: from fswndntexs01.corp.bank.nzpfs.co.nz
(wn-nzp-fgw-1.nzpost.co.nz [210.48.48.103])
by mail1.nzpost.co.nz (8.11.6/8.11.6) with ESMTP id iBOLxd124275
for <>; Sat, 25 Dec 2004 10:59:39 +1300
From:
To:
Date: Sat, 25 Dec 2004 10:59:37 +1300
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9B095B5ADSN=_01C4E3F5B98F61010000B837fswndntexs01.cor"
X-DSNContext: 335a7efd - 4460 - 00000001 - 80040546
Message-ID: < .nz>
Subject: Delivery Status Notification (Failure)
X-MailScanner: Clean
X-MailScanner-Information: Mail Scanner Version 4.12-2
X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.1, required 6,
FAILURE_NOTICE_1, FAILURE_NOTICE_2, NO_REAL_NAME)
X-UIDL: ;^'#!Zl@!!@Um!!U0<!!

This is a MIME-formatted message.
Portions of this message may be unreadable without a MIME-capable mail
program.

--9B095B5ADSN=_01C4E3F5B98F61010000B837fswndntexs01.cor
Content-Type: text/plain; charset=unicode-1-1-utf-7

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



--9B095B5ADSN=_01C4E3F5B98F61010000B837fswndntexs01.cor
Content-Type: message/delivery-status

Reporting-MTA: dns;fswndntexs01.corp.bank.nzpfs.co.nz
Received-From-MTA: dns;wn-nzp-mgw-1.nzpost.co.nz
Arrival-Date: Sat, 25 Dec 2004 10:59:37 +1300

Final-Recipient: rfc822;
Action: failed
Status: 5.1.1

--9B095B5ADSN=_01C4E3F5B98F61010000B837fswndntexs01.cor
Content-Type: message/rfc822

Received: from wn-nzp-mgw-1.nzpost.co.nz ([210.48.48.100]) by
fswndntexs01.corp.bank.nzpfs.co.nz with Microsoft SMTPSVC(5.0.2195.6713);
Sat, 25 Dec 2004 10:59:37 +1300
Received: from mail1.nzpost.co.nz (localhost.localdomain [127.0.0.1])
by wn-nzp-mgw-1.nzpost.co.nz (8.11.6/8.11.6) with ESMTP id iBOLxcC24271;
Sat, 25 Dec 2004 10:59:38 +1300
Received: from witgigmov.nz (222-152-241-66.jetstream.xtra.co.nz
[222.152.241.66])
by mail1.nzpost.co.nz (8.11.6/8.11.6) with SMTP id iBOLxO124265;
Sat, 25 Dec 2004 10:59:25 +1300
From:
To:
Date: Fri, 24 Dec 2004 21:52:11 GMT
Subject: invalid mail <error_:7648>
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="======bc0a6d24b975eaff198d"
Content-Transfer-Encoding: 7bit
Return-Path:
X-OriginalArrivalTime: 24 Dec 2004 21:59:37.0241 (UTC)
FILETIME=[DC24B090:01C4EA03]

This is a multi-part message in MIME format.

--======bc0a6d24b975eaff198d

This mail was generated automatically.
More info about --xxxx-- under: http://www.xxxx.co.nz

-------
Occured_Errors:

93.127.16.38_failed_after_I_sent_the_message.
# 244: mailbox_unavailable
# 198: This_account_has_been_discontinued_[#301].

End
-------

The original mail is attached.

Auto_Mail.System: [xxxx]


*-*-* Attachment: No Virus found
*-*-* KIWIBANK.CO- Anti_Virus Service
*-*-* http://www.kiwibank.co.nz
--======bc0a6d24b975eaff198d
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

[Filename: xxxx.4759.bat, Content-Type: application/octet-stream]
New Zealand Post has blocked the attachment to this email. This file
that was attached is of a type frequently used to transmit viruses. The
attachment was blocked to limit the possibility of a virus entering or
leaving New Zealand Post

--======bc0a6d24b975eaff198d--



--9B095B5ADSN=_01C4E3F5B98F61010000B837fswndntexs01.cor--
 
Donchano
      10-15-2006
On Sun, 15 Oct 2006 15:32:49 +1300, Anony Mouse <>
magnanimously proffered:

>
>>>Anony Mouse
>>>Spam NZ IP space and I will find you.
>>>Ruslan, Leo and Alex your days are numbered.

>>
>>
>> I would very much like to know who or what is responsible for all of
>> the html stock report spams that are regularly getting past Xtra's
>> spam filters and into my inbox because they can't be filtered by
>> Thunderbird. Nor does reporting them to SpamCop do any good.
>>
>> Whoever is sending them should have their fingers broken one at a
>> time.
>>

>Firstly I don't want to post this to nanae so I have not cross-posted it.
>
>That's easy to answer...


I've read through your post twice and find the whole thing both
fascinating and daunting. These guys don't sound very nice.

Another thing I'm very curious about is how they got my Xtra email
address. Since before I even changed my Xtra address (due to spam
because some well-meaning friend published my original Xtra address on
his website) I've only been using a couple of made-up email addresses
set up using my domain name.

I've organised it so any email is either forwarded to either my
private (but unpublished) Xtra address or a Yahoo webmail address. Yet
90% of the html/stock spam I receive is sent using the real Xtra
address that nobody, except me (and Xtra and my webhost), is supposed
to have ever seen.

How the hell do these parasites get a hold of an unpublished Xtra
address that, for all intents and purposes, hasn't been used except to
forward email from my domain? Is there someone inside Xtra who is
selling addresses to the spammers? Or do the spammers have some way to
get inside Xtra's records to harvest the addresses?


 
Anony Mouse
      10-15-2006
Donchano wrote:
> On Sun, 15 Oct 2006 15:32:49 +1300, Anony Mouse <>
> magnanimously proffered:
>
>
>>>>Anony Mouse
>>>>Spam NZ IP space and I will find you.
>>>>Ruslan, Leo and Alex your days are numbered.
>>>
>>>
>>>I would very much like to know who or what is responsible for all of
>>>the html stock report spams that are regularly getting past Xtra's
>>>spam filters and into my inbox because they can't be filtered by
>>>Thunderbird. Nor does reporting them to SpamCop do any good.
>>>
>>>Whoever is sending them should have their fingers broken one at a
>>>time.
>>>

>>
>>Firstly I don't want to post this to nanae so I have not cross-posted it.
>>
>>That's easy to answer...

>
>
> I've read through your post twice and find the whole thing both
> fascinating and daunting.

Yep it takes a lot of understanding it all and I only gave you less than
half of what I know leaving most of the stuff I have gathered regarding
the New Zealand side and the links to the spam gang. There are so many
deviant people that use the spam gang it is not funny.

For instance there were nearly 1,000 arrests recently for advanced fee
fraud in a half dozen countries.

> These guys don't sound very nice.

No not at all nice. Leo (Wanted in the US where he used to live but fled
to Russia after a court ruling in the millions) is the criminal mind
behind the gang and Alex the knuckle dragging thug. Ruslan the software
writer and botnet co-ordinator. Ruslan gets lists of bot nets from a
gang (Romanians and others) and then sells it to Leo who then gives the
list to Alex. They are so predictable. You can analyze how they work
together.

They are linked to the Russian mafia and it is suspected linked to the
death of a Russian banker that has been trying to freeze and seize
assets from crime.

Shane Atkinson and Mike Van Essen were linked to the gang and after Van
Essen seeded my email address for me I tracked down Ruslan. I talked to
Mike after he was outed by Eyefive who I gave a hard time for a long
time until they decided that I had too much on them so they gave up Van
Essen.

I was then vigorously attacked by Dean Westbury an Aussie who now lives
in the Philippines. I have information that links the Christchurch man
I know of to Westbury.
>
> Another thing I'm very curious about is how they got my Xtra email
> address. Since before I even changed my Xtra address (due to spam
> because some well-meaning friend published my original Xtra address on
> his website) I've only been using a couple of made-up email addresses
> set up using my domain name.
>
> I've organised it so any email is either forwarded to either my
> private (but unpublished) Xtra address or a Yahoo webmail address. Yet
> 90% of the html/stock spam I receive is sent using the real Xtra
> address that nobody, except me (and Xtra and my webhost), is supposed
> to have ever seen.
>
> How the hell do these parasites get a hold of an unpublished Xtra
> address that, for all intents and purposes, hasn't been used except to
> forward email from my domain? Is there someone inside Xtra who is
> selling addresses to the spammers? Or do the spammers have some way to
> get inside Xtra's records to harvest the addresses?
>
>

Have you registered a domain name with a certain Christchurch registrar?
There are actually two of them that are crooks in Christchurch.

See http://www.spam.co.nz/linkspamming.html

The other thing is that Ruslan writes software that guesses email addresses.

They run this software in conjunction with web sites that log hits from
the unique url in the spam. All you need to do is open the spam and they
have got you.

I doubt that Xtra staff have sold your address although it has been
known to happen.

Peter
 
steve
      10-15-2006
Donchano wrote:

> I would very much like to know who or what is responsible for all of
> the html stock report spams that are regularly getting past Xtra's
> spam filters and into my inbox because they can't be filtered by
> Thunderbird. Nor does reporting them to SpamCop do any good.
>
> Whoever is sending them should have their fingers broken one at a
> time.


Agreed. On any given day those messages constitute roughly 60% of the spam I
get.....and they are all the same message.


 
Peter Huebner
      10-15-2006
In article <>,
lid says...
>
> I've organised it so any email is either forwarded to either my
> private (but unpublished) Xtra address or a Yahoo webmail address. Yet
> 90% of the html/stock spam I receive is sent using the real Xtra
> address that nobody, except me (and Xtra and my webhost), is supposed
> to have ever seen.
>
> How the hell do these parasites get a hold of an unpublished Xtra
> address that, for all intents and purposes, hasn't been used except to
> forward email from my domain? Is there someone inside Xtra who is
> selling addresses to the spammers? Or do the spammers have some way to
> get inside Xtra's records to harvest the addresses?
>


Most likely they use a dictionary/10000monkey approach - in other words they
send to briana@domain, brianb@, brianc@ ...brianz@, brianaa@, .... asmith@,
bsmith@, et cetera et cetera ad nauseam.

I often get spam like that forwarded from ihug where I used to have an account
as peterwh (rip, but it still gets forwarded to me) and they are addressed to
some peterxxxxnnn instead of peterwh. Which is very much indicative of the
method I described above.

cheers, -Peter

--
=========================================
firstname dot lastname at gmail fullstop com
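The pattern Peter describes is easy to spot at the receiving gateway. As an added example (not from the thread), this Python scores each sending IP by how many of its attempted recipients do not exist and how many are near misses of real mailbox names such as peterxxxxnnn for peterwh; the attempt log, the mailbox list and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of inbound RCPT TO attempts as a gateway log might record them,
# modelled on the pattern described in the post: (client_ip, recipient_local_part).
SAMPLE_ATTEMPTS = [
    ("198.51.100.7", "briana"), ("198.51.100.7", "brianb"), ("198.51.100.7", "brianc"),
    ("198.51.100.7", "brianz"), ("198.51.100.7", "asmith"), ("198.51.100.7", "bsmith"),
    ("198.51.100.7", "peterxyz123"), ("198.51.100.7", "peterwh"),
    ("203.0.113.9", "peterwh"), ("203.0.113.9", "brian"),
]
# Constructed list of mailboxes that really exist on the domain.
VALID_MAILBOXES = {"peterwh", "brian", "postmaster"}


def common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def is_near_miss(local, valid, min_prefix=4):
    """An unknown recipient that shares a long prefix with a real mailbox name."""
    return local not in valid and max(common_prefix_len(local, v) for v in valid) >= min_prefix


def classify(attempts, valid, min_attempts=5, unknown_ratio=0.6):
    """Per client IP: how many recipients were unknown, how many were near misses of
    real names, and a verdict once the unknown share over enough attempts looks like
    guessing rather than typos. Thresholds are assumptions; tune them to your traffic."""
    stats = defaultdict(lambda: {"total": 0, "unknown": 0, "near_miss": 0})
    for ip, local in attempts:
        s = stats[ip]
        s["total"] += 1
        if local not in valid:
            s["unknown"] += 1
            if is_near_miss(local, valid):
                s["near_miss"] += 1
    for s in stats.values():
        guessing = s["total"] >= min_attempts and s["unknown"] / s["total"] >= unknown_ratio
        s["verdict"] = "dictionary-attack" if guessing else "ok"
    return dict(stats)


if __name__ == "__main__":
    for ip, s in classify(SAMPLE_ATTEMPTS, VALID_MAILBOXES).items():
        print(ip, s)
```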
 
Peter McCallum
      10-16-2006
In article <>, says...
> Donchano wrote:
>
> > I would very much like to know who or what is responsible for all of
> > the html stock report spams that are regularly getting past Xtra's
> > spam filters and into my inbox because they can't be filtered by
> > Thunderbird. Nor does reporting them to SpamCop do any good.
> >
> > Whoever is sending them should have their fingers broken one at a
> > time.

>
> Agreed. On any given day those messages constitute roughly 60% of the spam I
> get.....and they are all the same message.
>
>
>

What's even worse is that some spammer has (mis)appropriated the domain
name I host to generate hundreds of false return addresses so as well as
spam I'm getting inundated with bounced emails.
 