IP Address Inspector

ATTENTION
  • This IP has not seen any suspicious activity within the last 3 months. This IP is most likely clean and trustworthy now. (This record will remain public for historical purposes, however.)

80.253.80.24 Spam Server

The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server. Below we've reported some other data associated with this IP. This interrelated data helps map spammers' networks and aids in law enforcement efforts. If you know something about this IP, please leave a comment.


Geographic Location: Switzerland

First Received From: approximately 18 years, 7 months, 3 weeks ago
Last Received From: within 17 years, 10 months, 4 weeks
Number Received: 145 email(s) sent from this IP

Associated Harvesters
80.253.80.67 | H Switzerland
80.253.81.97 | H Switzerland
80.253.81.145 | H Switzerland
80.253.81.164 | H Switzerland
80.253.81.182 | H Switzerland
80.253.81.193 | H Switzerland
IPs In The Neighborhood
Example Messages Sent From 80.253.80.24
Subject: Schul-Freund sucht Dich !!
P.Hauser commented...
Received SPAM from IP 80.253.80.24. Here's the body of this latest JEFTEX-junk in German:

Hello,

I hope you still remember me? I got your e-mail address from an old
friend of ours.
And I thought I'd just write to you. I really haven't heard from you in a
long time.
Where do you actually live? And what are you up to?

I have signed up for the games chat of the Schulfreunde Casino. I like the
idea, and I want to get you excited about joining in too.

Almost all of our old classmates and friends are already there. Even
two of our teachers.
Maybe you feel like joining in? Last week I won 12.134 euros
at poker and roulette.


I just went ahead and registered you there with the following user name:


User name: Sctike

Password: I entered your e-mail address as the password. You can change it,
of course :-)


I transferred 100 euros of my winnings to your account.
That way you can try the whole thing out for free with my money.


Your voucher code is: GE18339223


Maybe you feel like playing poker together with me or our friends?
Or we'll meet at roulette? I would be really happy to chat and play poker
with you.


Of course you don't have to play. We can also just chat. Or we
simply talk on the phone sometime :-)



Here you can download the game software for free. It's very easy.


hxxp://www.gewinner-times.net/Casino-Startxx.exe



Your old school friend Markus ;-)
February 15 2008 02:50 PM

P.Hauser commented...
Geographic location of this server range is Switzerland. The Malaysian address in the WHOIS entry for jeftexint.com is faked. Jeftex International Ltd. is identical with Sun Star Casino Ltd. in Antigua. Domains sun-star.us, sunstarcasinos.com and sun-star-casino.net are a few more enterprises of this casino company. Check GOOGLE for the domain names.

While most of the Casino SPAMS in 2007 came from the range of 80.253.80.10 - 80.253.80.69, they have their harvesters in the same range from 80.253.80.0 - 80.253.81.255.

The harvesters are very aggressive and partly guessing URLs that don't exist.

Complaints at green.ch AG Network Operations are ignored and the jeftex harvesters come back with revolving IPs from those ranges though they are blocked.
September 09 2007 01:07 PM

P.Hauser commented...
The following three posts just show the first occurrence of a jeftex harvester in chronological order from bottom to top. All in all they requested 1.500 URLs here since 28/Sep/2005 until today and came back though they're blocked. To be continued ....

Harvester IP Netname First approach
80.253.80.121 JEFTEX-NET [04/Sep/2007]
80.253.80.89 JEFTEX-NET [05/Sep/2007]
80.253.80.97 JEFTEX-NET [05/Sep/2007]
80.253.81.40 JEFTEX-NET-2 [06/Sep/2007]
80.253.80.55 JEFTEX-NET [07/Sep/2007]
80.253.81.184 JEFTEX-NET-2 [07/Sep/2007]
80.253.81.177 JEFTEX-NET-2 [07/Sep/2007]
80.253.81.42 JEFTEX-NET-2 [08/Sep/2007]
80.253.80.93 JEFTEX-NET [08/Sep/2007]

Harvester IP Netname First approach
80.253.80.98 JEFTEX-NET [03/Aug/2007]
80.253.80.82 JEFTEX-NET [06/Aug/2007]
80.253.81.162 JEFTEX-NET-2 [06/Aug/2007]
80.253.80.115 JEFTEX-NET [16/Aug/2007]
80.253.81.106 JEFTEX-NET-2 [17/Aug/2007]
80.253.80.66 JEFTEX-NET [18/Aug/2007]
80.253.81.158 JEFTEX-NET-2 [24/Aug/2007]
80.253.80.75 JEFTEX-NET [25/Aug/2007]
80.253.80.52 JEFTEX-NET [25/Aug/2007]
80.253.81.118 JEFTEX-NET-2 [26/Aug/2007]
80.253.81.148 JEFTEX-NET-2 [26/Aug/2007]
80.253.81.134 JEFTEX-NET-2 [26/Aug/2007]
80.253.81.190 JEFTEX-NET-2 [28/Aug/2007]
80.253.81.49 JEFTEX-NET-2 [28/Aug/2007]
80.253.81.16 JEFTEX-NET-2 [28/Aug/2007]
80.253.81.12 JEFTEX-NET-2 [30/Aug/2007]
80.253.81.85 JEFTEX-NET-2 [30/Aug/2007]
80.253.80.72 JEFTEX-NET [31/Aug/2007]
80.253.80.116 JEFTEX-NET [31/Aug/2007]
September 09 2007 01:04 PM

P.Hauser commented...
From January 2006 until mid of May 2007 no jeftex-harvester was seen here. In this time they changed the network at NEXLINK. They came back here after this with even more aggressive harvesting in May/11/2007:

Harvester IP Netname First approach
80.253.81.35 JEFTEX-NET-2 [07/Jul/2007]
80.253.81.62 JEFTEX-NET-2 [13/Jul/2007]
80.253.81.114 JEFTEX-NET-2 [16/Jul/2007]
80.253.81.66 JEFTEX-NET-2 [17/Jul/2007]
80.253.80.109 JEFTEX-NET [19/Jul/2007]
80.253.81.140 JEFTEX-NET-2 [20/Jul/2007]
80.253.81.116 JEFTEX-NET-2 [21/Jul/2007]
80.253.81.79 JEFTEX-NET-2 [25/Jul/2007]
80.253.81.21 JEFTEX-NET-2 [25/Jul/2007]
80.253.81.133 JEFTEX-NET-2 [30/Jul/2007]
80.253.81.73 JEFTEX-NET-2 [30/Jul/2007]

Harvester IP Netname First approach
80.253.81.84 JEFTEX-NET-2 [21/Jun/2007]

Harvester IP Netname First approach
80.253.81.138 JEFTEX-NET-2 [11/May/2007]
80.253.80.49 JEFTEX-NET [13/May/2007]
80.253.80.96 JEFTEX-NET [15/May/2007]
September 09 2007 01:03 PM

P.Hauser commented...
First harvester approach here was end of September 2005:

Harvester IP Netname First approach
80.86.200.54 CH-NEXLINK-NET3 [12/Jan/2006]

Harvester IP Netname First approach
80.86.200.62 CH-NEXLINK-NET3 [09/Dec/2005]

Harvester IP Netname First approach
80.86.200.68 CH-NEXLINK-NET3 [15/Nov/2005]
80.86.200.52 CH-NEXLINK-NET3 [24/Nov/2005]

Harvester IP Netname First approach
80.86.200.55 CH-NEXLINK-NET3 [04/Oct/2005]
80.86.200.61 CH-NEXLINK-NET3 [04/Oct/2005]
80.86.200.56 CH-NEXLINK-NET3 [04/Oct/2005]
80.86.200.60 CH-NEXLINK-NET3 [06/Oct/2005]
80.86.200.59 CH-NEXLINK-NET3 [06/Oct/2005]
80.86.200.65 CH-NEXLINK-NET3 [09/Oct/2005]
80.86.200.53 CH-NEXLINK-NET3 [09/Oct/2005]
80.86.200.66 CH-NEXLINK-NET3 [11/Oct/2005]
80.86.200.63 CH-NEXLINK-NET3 [11/Oct/2005]
80.86.200.51 CH-NEXLINK-NET3 [14/Oct/2005]
80.86.200.64 CH-NEXLINK-NET3 [19/Oct/2005]
80.86.200.67 CH-NEXLINK-NET3 [20/Oct/2005]
80.86.200.69 CH-NEXLINK-NET3 [22/Oct/2005]
80.86.200.57 CH-NEXLINK-NET3 [27/Oct/2005]

Harvester IP Netname First approach
80.86.200.50 CH-NEXLINK-NET3 [28/Sep/2005]
September 09 2007 01:03 PM

P.Hauser commented...
The harvester attacks below can be blocked via user-agent and/or via the fact, that, if you have ampersands '&' for parameters in your web-server-URLS, some harvester-applications like the "Microsoft URL Control" and many more will UTF-8-encode the '&' to something like (I escape this here, otherwise it will not be published) '\&\a\m\p\;'.

So if you check requests for this encoded ampersand, you'll be warned and can block the ranges early.
August 04 2007 10:26 AM
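
The check this comment describes, as an added example that is not part of the original comment or of Project Honey Pot: a Python log filter that flags requests carrying the reported user-agent or a literal `&amp;` in the request target, and groups the flagged sources by /24. The sample log lines, their query parameters and the documentation-range addresses are constructed.

```python
"""Flag harvester-style requests in web access logs and group them by /24."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Access-log line in the shape quoted on this page; the size field may be absent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/\d\.\d" '
    r'(?P<status>\d{3})(?: (?P<size>\d+|-))? '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent marker reported in the comments on this page (lower-cased).
UA_MARKERS = ("microsoft url control",)

# A literal HTML entity in a request target means the client copied href text
# without decoding it. Checked after one round of percent-decoding.
ENTITY_RE = re.compile(r"&amp;", re.IGNORECASE)

# Constructed sample lines (documentation address ranges), not from the page.
SAMPLE_LOG = [
    '192.0.2.17 - - [01/Jan/2024:10:00:00] "GET / HTTP/1.1" 200 "-" '
    '"Microsoft URL Control - 6.00.8862"',
    '192.0.2.17 - - [01/Jan/2024:10:00:02] "GET /index.php?name=News&amp;file=article '
    'HTTP/1.1" 200 "-" "Microsoft URL Control - 6.00.8862"',
    '192.0.2.44 - - [01/Jan/2024:10:05:00] "GET /index.php?op=404&amp;msg=You must register '
    'HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible)"',
    '198.51.100.9 - - [01/Jan/2024:10:06:00] "GET /index.php?name=News%26amp%3Bfile=article '
    'HTTP/1.1" 302 262 "-" "ExampleFetcher/1.0"',
    '203.0.113.5 - - [01/Jan/2024:10:07:00] "GET /index.php?name=News&file=article '
    'HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'not a log line',
]


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    return m.groupdict()


def signals(entry):
    """Return the set of harvester signals present in a parsed entry."""
    found = set()
    if any(marker in entry["ua"].lower() for marker in UA_MARKERS):
        found.add("ua")
    if ENTITY_RE.search(unquote(entry["target"])):
        found.add("encoded-ampersand")
    return found


def flag_ranges(lines, prefix=24):
    """Group flagged requests by network and return {cidr: summary}."""
    ranges = defaultdict(lambda: {"ips": set(), "signals": set(), "hits": 0})
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable lines are skipped, not guessed at
        found = signals(entry)
        if not found:
            continue
        net = ipaddress.ip_network(f"{entry['ip']}/{prefix}", strict=False)
        summary = ranges[str(net)]
        summary["ips"].add(entry["ip"])
        summary["signals"] |= found
        summary["hits"] += 1
    return {
        cidr: {"ips": sorted(s["ips"]), "signals": sorted(s["signals"]), "hits": s["hits"]}
        for cidr, s in ranges.items()
    }


if __name__ == "__main__":
    for cidr, summary in sorted(flag_ranges(SAMPLE_LOG).items()):
        print(cidr, summary)
```

A literal `&amp;` can also come from a badly written link on another site, so a single hit is a reason to look at the range rather than proof on its own.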

P.Hauser commented...
The following user-agents can be confirmed from our logs:

"Microsoft URL Control - 6.00.8862" (mostly)
"nokia6610I/1.0 (4.10) Profile/MIDP-1.0 Configuration/CLDC-1.0 (FAST WAP Proxy/1.0)"

The following harvesters and mail servers, as described below from logs and a SPAM mail, can be confirmed:


inetnum: 80.253.80.0 - 80.253.80.255
netname: JEFTEX-NET
inetnum: 80.253.81.0 - 80.253.81.255
netname: JEFTEX-NET-2

descr: Dedicated Servers New
country: CH
role: Jeftex International Ltd
address: Petronas Twin Towers
address: Kuala Lumpur 50088
address: Malaysia
e-mail: support@jeftexint.com
abuse-mailbox: abuse@jeftexint.com
role: NEXLINK SA Network Operations
address: Badstrasse 50
address: 5200 Brugg
address: Switzerland

The domain described in the SPAM is Domain name: winning-city.com

Registrant Contact:
bankmaker 5000
Marry Johnes (webmaster@winner-city.com)
+1.00154515454
Fax: +1.5555555555
Huistreet
No 466
Huis, AN 00000
AG
Creation date: 18 Jun 2007 19:26:47
Expiration date: 18 Jun 2008 19:26:47
August 04 2007 10:19 AM

P.Hauser commented...
The 1. harvest strike:

80.253.81.138 - - [11/May/2007:08:33:40] "GET / HTTP/1.1" 200 "-" "Microsoft URL Control - 6.00.8862"

80.253.81.138 - - [11/May/2007:09:01:27] "GET / HTTP/1.1" 200 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:31] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:33] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:33] "GET /[URL]&[URL]register HTTP/1.1" 302 262 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:35] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:36] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:37] "GET /[URL]&[URL]lostPassword&[URL] HTTP/1.1" 302 262 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:37] "GET /[URL]&[URL]&[URL]&[URL]&[URL] HTTP/1.1" 302 262 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:38] "GET /[URL]&[URL]&[URL]&[URL]&[URL] HTTP/1.1" 302 262 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:38] "GET /[URL]&[URL]&[URL]&[URL]&[URL] HTTP/1.1" 302 262 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:40] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:41] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:42] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:43] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:46] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
80.253.81.138 - - [11/May/2007:09:01:47] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
August 04 2007 10:05 AM

P.Hauser commented...
The 2. harvest strike:

80.253.80.49 - - [13/May/2007:23:30:14] "GET / HTTP/1.1" 200 "-" "Microsoft URL Control - 6.00.8862"
August 04 2007 10:04 AM

P.Hauser commented...
The 3. harvest strike:

80.253.80.96 - - [15/May/2007:08:25:07] "GET / HTTP/1.1" 200 "-" "Microsoft URL Control - 6.00.8862"
80.253.80.96 - - [15/May/2007:08:25:10] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:12] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:12] "GET /[URL]&[URL]register HTTP/1.1" 302 262 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:13] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:15] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:15] "GET /[URL]&[URL]lostPassword&[URL] HTTP/1.1" 302 262 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:16] "GET /[URL]&[URL]&[URL]&[URL]&[URL] HTTP/1.1" 302 262 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:16] "GET /[URL]&[URL]&[URL]&[URL]&[URL] HTTP/1.1" 302 262 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:16] "GET /[URL]&[URL]&[URL]&[URL]&[URL] HTTP/1.1" 302 262 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:17] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:19] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:20] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:21] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:23] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:08:25:23] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
August 04 2007 10:04 AM

P.Hauser commented...
The 4. harvest strike same evening:

They came with a new UA via a Swiss DMOZ-directory, letter 'H':

66.151.181.4 - - [15/May/2007:08:46:17] "GET /robots.txt HTTP/1.1" 200 468 "-"
"nokia6610I/1.0 (4.10) Profile/MIDP-1.0 Configuration/CLDC-1.0 (FAST WAP Proxy/1.0)"
66.151.181.4 - - [15/May/2007:08:46:57] "GET / HTTP/1.1" 301 5
"http://www.mirago.ch/search/directories.aspx?cat=Top%2fWorld%2fDeutsch%2fGesellschaft%2fMenschen
%2fPers%c3%b6nliche_Homepages%2fH"
"nokia6610I/1.0 (4.10) Profile/MIDP-1.0 Configuration/CLDC-1.0 (FAST WAP Proxy/1.0)"
August 04 2007 10:03 AM

P.Hauser commented...
The 5. harvest strike same evening:

80.253.80.96 - - [15/May/2007:11:37:38] "GET / HTTP/1.1" 200 "-" "Microsoft URL Control - 6.00.8862"
80.253.80.96 - - [15/May/2007:11:37:40] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:41] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:41] "GET /[URL]&[URL]register HTTP/1.1" 302 262 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:44] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:45] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:46] "GET /[URL]&[URL]lostPassword&[URL] HTTP/1.1" 302 262 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:46] "GET /[URL]&[URL]&[URL]&[URL]&[URL] HTTP/1.1" 302 262 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:47] "GET /[URL]&[URL]&[URL]&[URL]&[URL] HTTP/1.1" 302 262 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:47] "GET /[URL]&[URL]&[URL]&[URL]&[URL] HTTP/1.1" 302 262 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:48] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:50] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:51] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:52] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:54] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
80.253.80.96 - - [15/May/2007:11:37:55] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
August 04 2007 10:03 AM

P.Hauser commented...
The 6. harvest strike same evening:

They came again via a Swiss DMOZ-directory, letter 'H'. The referer was meanwhile deleted in the directory:

80.253.80.96 - - [15/May/2007:13:25:55] "GET /index.php?name=
Open_Directory_Project&browse=/World/Deutsch/Gesellschaft/Menschen/Pers%C3%B6nliche_Homepages/ODPgo.php?
url=http://www.rockvornzug.de/&title=Hausdorf%2C+Florian&desc=+-+Zeigt+viele+Fotos+von+Aktivit%C3%A4ten+
und+stellt+Songs+als+MP3-Download+zur+Verf%C3%BCgung&newlang=english HTTP/1.1" 200 68386 "-" "Microsoft URL Control - 6.00.8862"
80.253.80.96 - - [15/May/2007:13:25:55] "GET /site-link HTTP/1.1" 302 223 "-" [same UA]
80.253.80.96 - - [15/May/2007:13:25:58] "GET /index.php?name=
Open_Directory_Project&browse=/World/Deutsch/Gesellschaft/Menschen/Pers%C3%B6nliche_Homepages/ODPgo.php?
url=http://www.rockvornzug.de/&title=Hausdorf%2C+Florian&desc=+-+Zeigt+viele+Fotos+von+Aktivit%C3%A4ten+
und+stellt+Songs+als+MP3-Download+zur+Verf%C3%BCgung&newlang=indonesian HTTP/1.1" 200 68403 "-" [same UA]
80.253.80.96 - - [15/May/2007:13:26:00] "GET /index.php HTTP/1.1" 200 "-" [same UA]
August 04 2007 09:50 AM

P.Hauser commented...
The 7. harvest strike:

A real short one ....

80.253.81.84 - - [21/Jun/2007:08:59:42] "GET / HTTP/1.1" 301 5 "-" "Microsoft URL Control - 6.00.8862"
80.253.81.84 - - [21/Jun/2007:08:59:45] "GET / HTTP/1.1" 200 "-" [same UA]

... next was one hour later ....
August 04 2007 09:49 AM

P.Hauser commented...
The 8. harvest strike:

80.253.81.84 - - [21/Jun/2007:09:04:04] "GET / HTTP/1.1" 301 5 "-" "Microsoft URL Control - 6.00.8862"
80.253.81.84 - - [21/Jun/2007:09:04:06] "GET / HTTP/1.1" 200 "-" [same UA]
80.253.81.84 - - [21/Jun/2007:09:04:07] "GET /[URL]&[URL]&[URL]&[URL]&[URL] HTTP/1.1" 301 5 "-" [same UA]
80.253.81.84 - - [21/Jun/2007:09:04:07] "GET /[URL]&[URL]&[URL]&[URL]&[URL] HTTP/1.1" 301 5 "-" [same UA]
80.253.81.84 - - [21/Jun/2007:09:04:07] "GET /[URL]&[URL]&[URL]&[URL]&[URL] HTTP/1.1" 301 5 "-" [same UA]
80.253.81.84 - - [21/Jun/2007:09:04:09] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.81.84 - - [21/Jun/2007:09:04:11] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.81.84 - - [21/Jun/2007:09:04:11] "GET /[URL]&[URL]register HTTP/1.1" 302 262 "-" [same UA]
80.253.81.84 - - [21/Jun/2007:09:04:13] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 68614 "-" [same UA]
80.253.81.84 - - [21/Jun/2007:09:04:15] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.81.84 - - [21/Jun/2007:09:04:17] "GET /[URL]&[URL]&[URL] HTTP/1.1" 200 "-" [same UA]
80.253.81.84 - - [21/Jun/2007:09:04:19] "GET / HTTP/1.1" 200 "-" [same UA]
80.253.81.84 - - [21/Jun/2007:09:04:21] "GET / HTTP/1.1" 200 "-" [same UA]
80.253.81.84 - - [21/Jun/2007:09:04:23] "GET / HTTP/1.1" 200 "-" [same UA]
80.253.81.84 - - [21/Jun/2007:09:04:23] "GET /[URL]404&[URL]You must register HTTP/1.1" 200 "-" [same UA]
August 04 2007 09:48 AM

P.Hauser commented...
Then we stopped them:

80.253.81.35 - - [07/Jul/2007:12:48:10] "GET / HTTP/1.1" 200 "-" "Microsoft URL Control - 6.00.8862"

80.253.81.62 - - [13/Jul/2007:20:52:11] "GET / HTTP/1.1" 403 "-" "Microsoft URL Control - 6.00.8862"

80.253.81.114 - - [16/Jul/2007:23:45:54] "GET / HTTP/1.1" 403 "-" "Microsoft URL Control - 6.00.8862"

80.253.81.66 - - [17/Jul/2007:20:14:48] "GET / HTTP/1.1" 403 "-" "Microsoft URL Control - 6.00.8862"

80.253.80.109 - - [19/Jul/2007:00:16:44] "GET / HTTP/1.1" 403 "-" "Microsoft URL Control - 6.00.8862"

80.253.81.140 - - [20/Jul/2007:20:44:23] "GET / HTTP/1.1" 403 "-" "Microsoft URL Control - 6.00.8862"

80.253.81.116 - - [21/Jul/2007:21:38:51] "GET / HTTP/1.1" 403 "-" "Microsoft URL Control - 6.00.8862"

80.253.81.79 - - [25/Jul/2007:08:21:45] "GET / HTTP/1.1" 403 "-" "Microsoft URL Control - 6.00.8862"

80.253.81.21 - - [25/Jul/2007:22:31:54] "GET / HTTP/1.1" 403 "-" "Microsoft URL Control - 6.00.8862"

80.253.81.133 - - [30/Jul/2007:01:06:59] "GET / HTTP/1.1" 403 "-" "Microsoft URL Control - 6.00.8862"

80.253.81.73 - - [30/Jul/2007:14:32:26] "GET / HTTP/1.1" 403 "-" "Microsoft URL Control - 6.00.8862"

80.253.80.98 - - [03/Aug/2007:22:38:07] "GET / HTTP/1.1" 403 "-" "Microsoft URL Control - 6.00.8862"
August 04 2007 09:46 AM

P.Hauser commented...
Received SPAM from IP 80.253.80.24. Here's the header of the SPAM below:

Return-Path: anwaltzevuu@web.de
Received: from xxxxxxxx.xxx.xxxxxxxx.xx (xxxxxxxx.xxx.xxxxxxxx.xx [xxx.xx.xx.xx])
by xxxxxxx with LMTP; Sat, 04 Aug 2007 14:22:29 +0200
X-Sieve: CMU Sieve 2.2
Received: from web.de ([80.253.80.24]) by xxxxxxxx.xxx.xxxxxxxx.xx
with smtp id 1IHIeI-1a9uPw0; Sat, 4 Aug 2007 14:22:26 +0200
Received: from group21.345mail.com ([112.83.108.152]) by external.newsubdomain.com with QMQP; Sat, 04 Aug 2007 13:16:30 +0000
Message-ID: 6ADCEE74.2F9A98AD@web.de
Date: Sat, 04 Aug 2007 12:59:06 +0000
From: "Anwalt" anwaltzevuu@web.de
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Administrator" xxxxxxx@xxxxxxxx.xx
Subject: Rechnung
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: base64
August 04 2007 09:27 AM

P.Hauser commented...
Received SPAM from IP 80.253.80.24. Here's the body in German:
!! Sun-Star-Casino, the leading German online casino !!

You were registered by a friend and have won 100 euros.
Please collect your winnings. Thank you

Prize no. 74528
Prize code: 4962-ae

This way you can simply get to know our online casino free of charge.

***********!! Without having to stake any real money yourself !!***********
http://www.winning-city.com/Casino

As a first-time player you can practically only win real money!
It is very simple. We give all new players 100 euros in
gaming chips.

100 euros are credited to your casino account immediately. The money that
you win you may of course keep. Should you lose,
it is at the casino's expense.
http://www.winning-city.com/Casino

Crack the jackpot of 2.500.000 euros. Or win one
of 60 trips to Las Vegas worth 5000 euros

http://www.winning-city.com/Casino
Play and win a fortune tax-free at roulette, blackjack,
slot machine, bingo and baccarat.
*************!! Over 60 different casino games !!****************

Crack the jackpot of 2.500.000 euros. Or win one
of 60 trips to Las Vegas worth 5000 euros

http://www.winning-city.com/Casino
- 24-hour payout of winnings
- State-licensed and audited
- Support 24 hours - 7 days a week
- 100 % data security and discretion
Kind regards
Your Sun-Star-Casino team
http://www.winning-city.com/Casino

You have received this newsletter because you or someone else registered
your e-mail address with SunStarCasino. If you no longer want the
newsletter, please send us an e-mail at
http://www.winning-city.com/abmelden.htm
August 04 2007 09:26 AM

Page generated on: January 19 2026 01:17:45 AM