26 March 2010, 23:07
Once again, I was not even expecting to get a sample that way...
Here is the message I received on one of the Skype accounts I use as 'honeypots' (one day ago):
I never requested in any way to receive such ads!
Okay, so let's go to 'dreams-lady'. To be honest, at this point I was really expecting a malicious website, or even a fake portal to steal my bank card (CB) number...
Sometimes habit does not help you out 100%...
However, I was surprised by the website that answers at dreams-lady. Here is a screenshot:

Looks a lot like some kind of Russian version of Meetic, huh? Just kidding.
Just in case, I had a look at the WhoIs. And there came an unexpected surprise:
http://www.domaincrawler.com/domains/view/dreams-lady.com
Wow, an IP located in China? Seems weird.
All the other information provided by the WhoIs points to a Russian origin.
Just a thought... let's check the IP's reputation...
An old tool: http://www.dnsbl.info/dnsbl-database-check.php
Bingo...! 59.53.91.107 is listed! And I do trust Spamhaus' lists.
But that's not all. The IP address really seems to be a Chinese one:
http://www.ip-adress.com/whois/59.53.91.107
Okay then: Russian domain name, Chinese IP... it still looks strange to me.
But the IP address reveals other interesting details:
http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=59.53.91.107
Listed because it is said to host malware.
And guess what... ESET confirms it (access blocked when visiting it).
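To make the DNSBL step above concrete, here is an added example in Python (not part of the original post, and not the dnsbl.info tool's own code) of what such a checker does behind its web form: it reverses the IPv4 octets, looks the result up under the list's DNS zone, and decodes the answer. It assumes the return codes Spamhaus documents for its ZEN zone. The fake resolver and its answers are constructed so the logic runs offline; the "XBL" answer it returns for 59.53.91.107 is a constructed placeholder, not the real 2010 listing detail, which the post does not give.

```python
"""DNSBL lookup for an IPv4 address (added example, not the original post's code).

The resolver is injectable so the decoding logic can be exercised offline with
a constructed fake; pass resolve=socket.gethostbyname for a live query.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Optional

# Return codes documented by Spamhaus for the combined ZEN zone (assumption:
# current documentation; other DNSBLs use their own code tables).
ZEN_CODES = {
    "127.0.0.2": "SBL - Spamhaus maintained spam source",
    "127.0.0.3": "SBL CSS - snowshoe/low-reputation spam source",
    "127.0.0.4": "XBL - exploited or compromised host (CBL data)",
    "127.0.0.5": "XBL - exploited or compromised host (CBL data)",
    "127.0.0.6": "XBL - exploited or compromised host (CBL data)",
    "127.0.0.7": "XBL - exploited or compromised host (CBL data)",
    "127.0.0.9": "SBL DROP/EDROP - hijacked or abused netblock",
    "127.0.0.10": "PBL - ISP maintained end-user policy block",
    "127.0.0.11": "PBL - Spamhaus maintained end-user policy block",
}

# Spamhaus answers in 127.255.255.0/24 are query errors, NOT listings.
QUERY_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query sent via a public/open resolver (use your own)",
    "127.255.255.255": "excessive number of queries",
}


@dataclass
class DnsblResult:
    ip: str
    zone: str
    listed: bool
    code: Optional[str]  # A record returned by the DNSBL, None for NXDOMAIN
    reason: str


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: the four octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for bad input / IPv6
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def check_dnsbl(
    ip: str,
    zone: str = "zen.spamhaus.org",
    resolve: Callable[[str], str] = socket.gethostbyname,
) -> DnsblResult:
    """Query one DNSBL zone and decode the answer into a DnsblResult."""
    name = dnsbl_query_name(ip, zone)
    try:
        code = resolve(name)
    except socket.gaierror:
        # NXDOMAIN is the normal "not listed" answer for a DNSBL.
        return DnsblResult(ip, zone, False, None, "not listed (NXDOMAIN)")
    if code.startswith("127.255.255."):
        return DnsblResult(ip, zone, False, code,
                           "query error: " + QUERY_ERRORS.get(code, "query rejected"))
    if not code.startswith("127."):
        # A resolver that rewrites NXDOMAIN (ad pages, captive portals) returns a
        # public address here; treat it as no result rather than as a listing.
        return DnsblResult(ip, zone, False, code, "unexpected non-127 answer")
    return DnsblResult(ip, zone, True, code,
                       ZEN_CODES.get(code, "listed with an undocumented code"))


def fake_resolver(name: str) -> str:
    """Constructed answers for offline use; not real DNSBL data."""
    table = {
        "107.91.53.59.zen.spamhaus.org": "127.0.0.4",        # placeholder listing
        "1.2.0.192.zen.spamhaus.org": "127.255.255.254",     # simulated query error
    }
    if name not in table:
        raise socket.gaierror(-2, "Name or service not known")
    return table[name]


if __name__ == "__main__":
    for ip in ("59.53.91.107", "192.0.2.1", "203.0.113.5"):
        r = check_dnsbl(ip, resolve=fake_resolver)
        print(f"{r.ip:>15} listed={r.listed!s:<5} code={r.code} {r.reason}")
```

Two caveats matter when reproducing the post's check by hand: a query routed through a public resolver gets a 127.255.255.254 answer instead of a verdict, and a resolver that rewrites NXDOMAIN to an advertising page makes every address look listed; both cases are reported above as "not listed" with the reason attached, so they are not mistaken for a Spamhaus hit.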