Tuesday, July 16, 2013

Fake Health Ads

Fake Health Ads (PeskySpammer)

Some may think that since I have not posted for a long time, all is well.  Well, you are wrong.  PeskySpammer still pumps several hundred messages per day into one of my email boxes, and I even occasionally get their messages in another of my email boxes.  It may even be them, or Comcast, that complained about the torrent, with Comcast believing I am sending the messages that caused it, so I could not send any mail messages at all from the account that is flooded, via SMTP and Thunderbird.  I am not sending the messages.  I am receiving them!  Here is what the latest scheme looks like:

Fake Health Scheme (2013-07-15)


For those not in the know, these are not what they first appear to be.  Here is the Reply-To host name:  anachel.com.  Can we send to it?

host -t MX anachel.com
anachel.com mail is handled by 0 anachel.com
hdns anachel.com
anachel.com has address 69.89.31.111

I don't think you will be able to reply.  A value of 0 means it doesn't want mail.  The same can be said for me and the millions of other people receiving a torrent of messages from PeskySpammer's bots.  What about where it is supposedly from, akinkything.com?

host -t MX akinkything.com
akinkything.com mail is handled by 0 mail.akinkything.com
hdns mail.akinkything.com
mail.akinkything.com has address 74.220.219.58

The email really came from:
X-Originating-IP: 61.64.103.28

That means the message is probably being sent by a DSL-connected Windows machine on the "Sony Network Taiwan Limited" network, whose range runs from 61.64.64.0 ... 61.64.119.255.  I would still like to believe that the people receiving the messages PeskySpammer's bots are sending are just as unhappy as I am, but perhaps the last two lines of my current email sig really are apropos:

Thinking has been suspended indefinitely.
Anybody caught thinking will be immediately shot!
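
The header checks walked through above (does the Reply-To domain match the From domain, and does the X-Originating-IP fall inside the netblock the message claims to come from) can be scripted so a mailbox owner can triage a flood of these without doing the lookups by hand. This is an added example, not code from the post; the message below is constructed from the headers the post quotes, the netblock is the 61.64.64.0 ... 61.64.119.255 range named above, and the function and variable names are my own.

```python
import email
import ipaddress
from email.utils import parseaddr

# Constructed sample message using the header values quoted in the post.
RAW_MESSAGE = """From: "Health Deals" <promo@akinkything.com>
Reply-To: offers@anachel.com
X-Originating-IP: 61.64.103.28
Subject: Fake Health Ads
To: victim@example.com

buy now
"""

# The range the post attributes to "Sony Network Taiwan Limited",
# expressed as CIDR blocks so membership tests are cheap.
SUSPECT_RANGE = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("61.64.64.0"),
    ipaddress.IPv4Address("61.64.119.255")))


def header_domain(msg, name):
    """Return the lower-cased domain of an address header, or None if absent."""
    _, addr = parseaddr(msg.get(name, ""))
    return addr.rpartition("@")[2].lower() or None


def analyze(raw):
    """Flag Reply-To/From domain mismatch and an originating IP in the suspect block."""
    msg = email.message_from_string(raw)
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    # Some MTAs write the header as "[1.2.3.4]"; strip brackets before parsing.
    orig = msg.get("X-Originating-IP", "").strip("[] ")
    try:
        ip = ipaddress.ip_address(orig)
    except ValueError:
        ip = None
    in_range = ip is not None and any(ip in net for net in SUSPECT_RANGE)
    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "originating_ip": str(ip) if ip else None,
        "originating_ip_in_suspect_range": in_range,
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Run it over each message in the flooded mailbox and the two flags give a quick first cut before any DNS or whois lookups.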

I wonder if Vladimir Putin is getting a cut of the action that these Russian hackers, living in both Moscow and the Ukraine, are up to.  Here is the latest DNS run I did for the hosts (take the 15.7z folder):


This time around their servers are in Moscow, Russia; Tabriz, Iran; and GuiZhou GuiYang, China.  Don't hold your breath.  They change where the hosts are hosted every 2-3 days.  I suspect they will be filling our email boxes as long as people order what they sell.  Well, I hope the people like me, with a catch-all ("any user") MX server where you get several hundred of these messages per day, aren't buying the stuff.  If the people that set up this disservice had it coming into their email box at the rate it pours into mine, maybe they would change the code for their bots to at least remove all specious email addresses.  These hackers deserve to be shot.