
March 06, 2005

What is this?

Although I cannot find the email address I got from my ISP through Google, I get bounces roughly weekly that show somebody's using it. But for what? An excerpt of one of the bounced mails:

Century office, down. Use pass grew. Minute yellow held if. Girl
will finger low plane friend. Even tire early it, after. Group
air where, written this look. Vowel, their here. Tell farm any,
other colony, practice. On can job.
--
Phone: 348-499-6730
Mobile: 628-542-9681

Then there are attached images that aren't images when you base64 decode them. Here's the base64 encoded "image" called reached6.gif:

When base64 decoded, the "image" contains bogus characters according to the Gimp. Gimp cannot read it.

The "images" are linked into the body of the message with stuff like:

<A href=3D"http://www.raster.nnjahglgdd.com/?p.XcrWpFVt0Tbdp00ccdb37">
<IMG alt=3D"" =
hspace=3D0=20
src=3D"cid:e100ccdb37@myIsp.domain" align=3Dbaseline=20
border=3D0></A>

The cid: seems to be some sort of Windows thing. Don't know what the 3D bits are.
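
For reference, `=3D` is the quoted-printable encoding of `=` (and `=20` of a space), and `cid:` is a Content-ID URL that points at another MIME part of the same message (RFC 2392). The following is an added example, not part of the original post: it decodes the snippet above, lists the outbound link, and checks whether each `cid:`-referenced part really starts with a GIF signature. The message wrapper, the boundary `b1`, the attachment bytes and the name `analyze` are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the HTML part is the snippet quoted in the post; the
# "image" bytes are made up, because the original attachment is not on the page.
RAW = """\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<A href=3D"http://www.raster.nnjahglgdd.com/?p.XcrWpFVt0Tbdp00ccdb37">
<IMG alt=3D"" =
hspace=3D0=20
src=3D"cid:e100ccdb37@myIsp.domain" align=3Dbaseline=20
border=3D0></A>
--b1
Content-Type: image/gif; name="reached6.gif"
Content-Transfer-Encoding: base64
Content-ID: <e100ccdb37@myIsp.domain>

bm90IGFuIGltYWdlIGF0IGFsbA==
--b1--
"""

GIF_MAGIC = (b"GIF87a", b"GIF89a")  # every real GIF starts with one of these


def analyze(raw):
    """Return (links, report); report rows are (cid, filename, is_real_gif)."""
    msg = message_from_string(raw)
    parts = {}  # Content-ID -> (filename, decoded bytes)
    html = ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True)  # undoes quoted-printable / base64
        if part.get_content_type() == "text/html":
            html += body.decode("ascii", "replace")
        elif part["Content-ID"]:
            parts[part["Content-ID"].strip("<>")] = (part.get_filename(), body)
    links = re.findall(r'href="([^"]+)"', html, re.I)
    report = []
    for cid in re.findall(r'src="cid:([^"]+)"', html, re.I):
        name, data = parts.get(cid, (None, b""))
        report.append((cid, name, data.startswith(GIF_MAGIC)))
    return links, report
```
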

Nnjahglgdd.com's home page:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Frameset//EN"
   "_THE_LATEST_VERSION_/frameset.dtd">
<html>
<head>
</head>
<script>
var targetieSP2 = false;
</script>
<frameset frameborder=0 border=0 framespacing=0
 onload="if(targetieSP2) {IfSP2_load();}">
<frame 
 src="http://www.raster.nnjahglgdd.com/¤ê266/?affiliate_id=234227&campaign_id=0"
 name="list" marginwidth=10 marginheight=10 scrolling=Auto frameborder=no
 framespacing=0 >
</frameset>
</html>

$ whois nnjahglgdd.com
[Querying whois.internic.net]
[Redirected to whois.opensrs.net]
[Querying whois.opensrs.net]
[whois.opensrs.net]
Registrant:
 NA
 1753 Botany RD
 Banksmeadow, Sydney NSW 2019
 AU
 
 Domain name: NNJAHGLGDD.COM
 
 Administrative Contact:
    Platt, Mather  mather_platt@yahoo.com.au
    1753 Botany RD
    Banksmeadow, Sydney NSW 2019
    AU
    +61.294750668    Fax: +61.294750668
 
 Technical Contact:
    Platt, Mather  mather_platt@yahoo.com.au
    1753 Botany RD
    Banksmeadow, Sydney NSW 2019
    AU
    +61.294750668    Fax: +61.294750668
 
 
 
 Registrar of Record: TUCOWS, INC.
 Record last updated on 28-Feb-2005.
 Record expires on 28-Feb-2006.
 Record created on 28-Feb-2005.
 
 Domain servers in listed order:
    FIRST.XBCBCDEE.INFO
    SECOND.XBCBCDEE.INFO
    THIRD.XBCBCDEE.INFO
 
 
 Domain status: ACTIVE

That email address brings me to a Japanese blog full of blog spammer stuff, http://swatteam.blog.ocn.ne.jp/my_weblog/2005/03/.

Explanations?

Posted by Mark at March 6, 2005 08:12 AM