Gefälschte UGG Boots

[truelife]

header:

01: From - Tue Oct 22 xx:xx:xx 2013
02: X-Account-Key: account1
03: X-UIDL: [UID filtered]
04: X-Mozilla-Status: 0001
05: X-Mozilla-Status2: 00000000
06: X-Mozilla-Keys:                                                                        
07: 	        
08: Return-Path: bounce[BOUNCE filtered]@i.email.hotsaleusa.biz
09: Received:  from 23-106-159-144.m.emsender.biz ([23.106.159.144]) by
10:  mx-ha.gmx.net (mxgmx110) with ESMTP (Nemesis) ID: [ID filtered]
11:  <***>; Tue, 22 Oct 2013 xx:xx:xx +0200
12: DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=email.hotsaleusa.biz;
13:  h=Date:To:From:Reply-to:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Transfer-Enco
14: 	ing:Content-Type; i=info [at] email.hotsaleusa.biz;
15:  bh=4Ia2KaKbJ+VyViiNjyvFdGmE3aY=;
16:  b=bLCmKFyypg7FCmnnXlF+h0p2ol0JL+5IW4txU3CaAlOr25T9Na9qneqyVAN9QJ+jJksA05bvcznU
17:    v0zv/YBD+ylo63u5mG/cSC6Y4m1wx5fKRo0K1zVtINY0PaGLv0szhXnEAV5BRznw9xezql32OhtY
18:    F9adbMy9vns7fa+SRcE=
19: DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1; d=email.hotsaleusa.biz;
20:  b=nZdoc+ZtGNk7/2UKSDadXLiGY47XS43/VIh8ImszG+MGIcTtHN1i3UMhbmy034yqHW8S81Be95s2
21:    ETuqQUSeeO4dJp0xpGuLGEdwhzK0XGd2F7yhCZZqkFY2t2/O3nGGqsWjpJPHXt8BtAvwBdRAR2Qg
22:    B84rNleGce9oZe5o3+0=;
23: Date: Tue, 22 Oct 2013 xx:xx:xx +0800
24: Return-Path: bounce[BOUNCE filtered]@i.email.hotsaleusa.biz
25: To: "***" <***>
26: From: UGG Boots <info [at] email.hotsaleusa.biz>
27: Reply-to: UGG Boots <info [at] email.hotsaleusa.biz>
28: Message-ID: [ID filtered]
29: X-Priority: 3
30: X-Mailer: doEdm.biz
31: X-Complaints-To: admin [at] email.hotsaleusa.biz
32: List-Unsubscribe: <http://email.hotsaleusa.biz/u.php?[UNSUB filtered]>
33: X-MessageID: [ID filtered]
34: X-Report-Abuse: <http://email.hotsaleusa.biz/report_abuse.php?mid=***>
35: MIME-Version: 1.0
36: Content-Transfer-Encoding: quoted-printable
37: Content-Type: text/html; charset="utf-8"
38: Envelope-To: <poor [at] spamvictim.tld>
39: Subject:*** GMX Spamverdacht ***  3 Days Special - 80% Off UGG Boots Everything!
40: X-GMX-Antispam: 6 (nemesis text pattern profiler); Detail=V3;
41: X-GMX-Antivirus: 0 (no virus found)
42: X-Antivirus: avast! (VPS 131022-1, 22.10.2013), Inbound message
43: X-Antivirus-Status: Clean

Im Body der Mail dann ganz viel html und Bilder:

UGG BOOTS Discount Store!
save 80 %OFF
------ Only today ------
shop now

Der Link führt zwischenzeitlich zu einer Infoseite der Rechteinhaber für UGG Boots, der Manolo Blahnik International Limited.

Andere Fängerdomains sind noch online:

header:

01: From - Thu Nov 21 xx:xx:xx 2013
02: X-Account-Key: account1
03: X-UIDL: [UID filtered]
04: X-Mozilla-Status: 0001
05: X-Mozilla-Status2: 00000000
06: X-Mozilla-Keys:                                                                        
07: 	        
08: Return-Path: ugg [at] topps3games.org
09: Received: from mail2.topps3games.org ([23.88.58.47]) by mx-ha.gmx.net
10:  (mxgmx107) with ESMTP (Nemesis) ID: [ID filtered]
11:  <***>; Thu, 21 Nov 2013 xx:xx:xx +0100
12: DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=topps3games.org;
13:  h=To:Subject:Message-ID:Date:From:Reply-To:MIME-Version:List-Unsubscribe:Content-Type:Content-
14: 	ransfer-Encoding; i=ugg [at] topps3games.org;
15:  bh=Gl/TRB7Oghllvc1MDm+imh+YEe4=;
16:  b=cBjWU2RqlWjQ0E//7ZXfEQAADNBSiNfNjAaQ5kPiBNvtVOizsSbi0Zg/rHbUYJyQsKLelwo7vZ3E
17:    l2OabPmYBVUuq4wMXlpRlEpulrUy6suCTw0HzxRlsm1XHBprh8lGGL9JmarPZiuR+iYe93XAO5DJ
18:    I0Jv5oCv65rZUvSdFic=
19: DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1; d=topps3games.org;
20:  b=uQbeb9YBAreOrk3lZW75IUL+NTzS63502wF9egjujydyaZFnTc2VRa20j4FXi2cPjKHeoAXhm0GB
21:    9/+BK1/Th7NSsLByRFjGhV2M0+1rnO/ak7qLjSJAItBY0iyZC19RF5eAk2wJWF7khBPcxHGCzuWy
22:    PeKvDV8QKkmIgEiruMc=;
23: Received: from www.topps3games.org (23.88.58.46) by mail1.topps3games.org ID: [ID
24: 	filtered]
25: To: ***
26: Message-ID: [ID filtered]
27: Return-Path: ugg [at] topps3games.org
28: Date: Thu, 21 Nov 2013 xx:xx:xx +0400
29: From: "UGG" <ugg [at] topps3games.org>
30: Reply-To: ugg [at] topps3games.org
31: MIME-Version: 1.0
32: X-Mailer-LID: [ID filtered]
33: List-Unsubscribe: <http://www.topps3games.org/iem/unsubscribe.php?[UNSUB filtered]>
34: X-Mailer-RecptID: [ID filtered]
35: X-Mailer-SID: [ID filtered]
36: X-Mailer-Sent-By: 1
37: Content-Type: multipart/alternative; charset="UTF-8";
38: 	boundary="b1_0332e5b94fccf11e7475373448cd064b"
39: Content-Transfer-Encoding: 8bit
40: Envelope-To: <***>
41: Subject:*** GMX Spamverdacht ***  Classic & New UGG Boots Available
42: X-GMX-Antispam: 6 (nemesis text pattern profiler); Detail=V3;
43: X-GMX-Antivirus: 0 (no virus found)
44: X-Antivirus: avast! (VPS 131120-0, 20.11.2013), Inbound message
45: X-Antivirus-Status: Clean

Hi,

I would like to let you know about our new ugg boots available in your size.

Click Here To Shop Classic & New UGG Boots Now! <========

Sincerely yours,

vipuggbootsus.com

Link führt auf: ^whois:http://www.vipuggbootsus.com/, der Shop ist auch noch online.

Die letzte Spammail im Bunde hat dann nur noch ein eingebundes Bild als Link:

header:

01: From - Wed Nov 27 xx:xx:xx 2013
02: X-Account-Key: account1
03: X-UIDL: [UID filtered]
04: X-Mozilla-Status: 0001
05: X-Mozilla-Status2: 00000000
06: X-Mozilla-Keys:                                                                        
07: 	        
08: Return-Path: bounce[BOUNCE filtered]@n21.uggonsale.biz
09: Received: from 23-105-49-206.m2.emsender.biz ([23.105.49.206]) by
10:  mx-ha.gmx.net (mxgmx108) with ESMTP (Nemesis) ID: [ID filtered]
11:  <***>; Wed, 27 Nov 2013 xx:xx:xx +0100
12: DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key1; d=n21.uggonsale.biz;
13:  h=Date:To:From:Reply-to:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Transfer-Enco
14: 	ing:Content-Type; i=info [at] n21.uggonsale.biz;
15:  bh=CB1T2WgkdchqdqPRaa1U4vGd0YA=;
16:  b=qBL5XI/we8yNIZ6QjFbAyq8XqSqXVjt6ghA2kurH0W6xMh/1e4rcPMpRqchJ+94qRxckDQjj0w2g
17:    fem3ZrvDBWydxXPjfZAkdZjiS64sEwGuB2iOuXYYBumjwuEDuLFeXk5BC2yKCs+LJ/zxSd3azJP4
18:    lwtFAVisnKDdRV6SqGg=
19: DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key1; d=n21.uggonsale.biz;
20:  b=RHiXHa9njAz0jWKcy5zJztG8vK53CElfM/trmyxjwSXs43HRrPyUqmTlxrhqaL03t8gx+ekUaA0s
21:    5bHosqxBe+SRng3zGETCetdctu5sIN1EMNTXuRaQnkVfgAitNi/GANB3EuImRTpOStELw4VB041D
22:    oyklb45RBV4ATSNGL1w=;
23: Date: Thu, 28 Nov 2013 xx:xx:xx +0800
24: Return-Path: bounce[BOUNCE filtered]@n21.uggonsale.biz
25: To: "***" <***>
26: From: UGGBOOTS <info [at] n21.uggonsale.biz>
27: Reply-to: UGGBOOTS <info [at] n21.uggonsale.biz>
28: Message-ID: [ID filtered]
29: X-Priority: 3
30: X-Mailer: doEdm.biz
31: X-Complaints-To: admin [at] n21.uggonsale.biz
32: List-Unsubscribe: <http://n21.uggonsale.biz/u.php?[UNSUB filtered]>
33: X-MessageID: [ID filtered]
34: X-Report-Abuse: <http://n21.uggonsale.biz/report_abuse.php?mid=***>
35: MIME-Version: 1.0
36: Content-Transfer-Encoding: quoted-printable
37: Content-Type: text/html; charset="utf-8"
38: Envelope-To: <***>
39: Subject:*** GMX Spamverdacht ***  Thanksgiving Day Save 75% off, discount UGG boots for
40: 	colder weather
41: X-GMX-Antispam: 6 (nemesis text pattern profiler); Detail=V3;
42: X-GMX-Antivirus: 0 (no virus found)
43: X-Antivirus: avast! (VPS 131127-1, 27.11.2013), Inbound message
44: X-Antivirus-Status: Clean

Code:

<title>Untitled document</title>
</head>
<body>
<a title=3D"UGG Boots" href=3D"http://n21.uggonsale.biz/tl.php?p=3Dsd/sd/rs=
/rmi/s7/rs/UGG%20Boots/aHR0cDovL3d3dy5idXlib290cy5vcmcvI3UxMTI4MDE%3D"><img=
 width=3D"550" height=3D"232" alt=3D"UGG Boots" src=3D"http://img.63bjl.com=
/zboots/343.jpg" /></a>

<img src=3D"http://n21.uggonsale.biz/to.php?p=3Dsd/sd/rs/rmi/s7/rs" width=
=3D"5" height=3D"2" alt=3D".">

</body>
</html>

Link führt zu: ^whois:http://www.buyboots.org/#u112801

[ichliebespam]

header:

01: Return-Path: bounce[BOUNCE filtered]@offersde.com
02: Received: from news17.glassesde.com ([199.188.75.250]) by mx-ha.web.de
03:  (mxweb009) with ESMTP (Nemesis) ID: [ID filtered]
04:  <xyx>; Mon, 24 Nov 2014 xx:xx:xx +0100
05: DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=offersde.com;
06:  h=Date:To:From:Reply-to:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Transfer-Enco
07: 	ing:Content-Type; i=info [at] offersde.com;
08:  bh=KGAXUClbMpkjsBKlPfMP5P0IK6A=;
09:  b=HG/j2FGFFsQ56FN0TLPOjV8CQpWc3p49/4QP5eH7Ts9JRRWO5t6gJ0TJOLmmQZ9kD1PyUsM/PkJo
10:    x9bGwvXTGTs2sHOGX4ZH4S+knDpBN9s70aloN2XgQ/8kb4679+E9tiybWmPhN3k8mOCXz5Q4IO9Y
11:    08cjNK6XRF18bF2EuIM=
12: DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=offersde.com;
13:  b=SCnFntkgFH3nHXYuJ5iFr9k0LtrKfWOb1lDAon4T2+74BCAKMbCsbFpikqVb98pvdmC0HP4BHYz3
14:    HZUG502BSIJz4ZOw/j3Gq18ezgSje1a3LGmp43beZdEy/4mF8by9O/dHk5y6ifO8NUyAY2XdQ8if
15:    UR3oMFHCzEj7tLo6Xzs=;
16: Date: Sun, 23 Nov 2014 xx:xx:xx -0500
17: To: "xyx" <xyx>
18: From: UGG Boots <info [at] offersde.com>
19: Reply-to: UGG Boots <info [at] offersde.com>
20: Subject: UGG Boots - Bis zu 70% Rabatt! Nicht verpassen!
21: Message-ID: [ID filtered]
22: X-Priority: 3
23: X-Mailer: Email Sending System
24: X-Complaints-To: info [at] offersde.com
25: List-Unsubscribe: <http://www.offersde.com/u.php?[UNSUB filtered]>
26: X-MessageID: [ID filtered]
27: X-Report-Abuse: <http://www.offersde.com/report_abuse.php?mid=xyx>
28: MIME-Version: 1.0
29: Content-Transfer-Encoding: quoted-printable
30: Content-Type: text/html; charset="utf-8"
31: Envelope-To: <xyx>

^whois:http://www.stiefelvipde.com/

Sehr schöner Shop mit 1000 Schreibfehlern und fehlendem Impressum, aber monica.help.shoes@gmail.com freut sich trotzdem über ganz viele eMails

[MeikelHH]

Guten Tag. Mein Vater ist Staatsanwalt und ermittelt gegen die Händler der gefälschten Markenware. Unfassbar, was bei uns täglich im Hafen ankommt. Mir geht es mehr um den Spam und um die Tiere, die qualvoll gehalten werden. Leider auch für die echten Ugg-Boots. Nach meiner Geschäftsreise suche ich mal die Spams betr. UGG raus.

[truelife]

Da ist er wieder:

Kann unten Nachricht nicht sehen, versuchen Sie, auf diesen Link klicken: ^whois:http://www.destiefel.com
UGG Boots - Sparen Sie bis zu 80% Rabatt!

shop now!

Zuhause UGG
Frau UGG
Männer UGG
Kinder

UGG Bailey Button 5803 Chestnut Boots
€64.24

UGG Short Sparkles 3161 Silver Boots
€90.38

UGG Short Classic 5899 Chestnut Boots
€75.46

UGG Mini Fox Fur 5854 Sand Boots
€115.88

UGG Bailey Button 1873 Chestnut Boots
€81.58

UGG Bailey Button 1873 Peony Boots
€81.58

Wenn Sie nicht mehr wünschen, um unsere E-Mails erhalten, wenden Sie sich bitte Abmelden .

header:

01: Return-Path: <bounce[BOUNCE filtered]@kkoffers.com>  
02: Received: from ppwhs5.kkoffers.com ([142.0.134.6]) by mx-ha.gmx.net (mxgmx001)
03: 	with ESMTP (Nemesis) ID: [ID filtered]

[truelife]

Rechtzeitig vor den kalten Tagen:

HAUS DAMEN HERREN KINDER VERKAUF

UGG
-50%
Coupon: 5ugg*snip*

die Schuhe Ihrer Träume

* Das Angebot gilt bis zum 20. / 20.10 16

CLASSIC II SHORT
Details >
Details >

BAILEY BOW II
Details >
Details >

Wenn Sie nicht über eine solche E-Mail erhalten möchten? Bitte klicken abmelden *
Ist dies nicht Ihre Abonnements ist? Bitte klicken Beschwerde *

Link führt weiter auf: ^whois:http://education.avila-architecture.nl/administrator/components/com_finder/views/indexer/myshe.php?*snip*

header:

01: Return-Path: <avilaarc [at] ams035.yourwebhoster.com>  
02: Received: from beetle.larch.relay.mailchannels.net ([23.83.213.15]) by
03: 	mx-ha.gmx.net (mxgmx104 [212.227.17.5]) with ESMTPS (Nemesis) ID: [ID filtered]
04: X-Sender-ID: [ID filtered]
05: Received: from relay.mailchannels.net (localhost [127.0.0.1]) by
06: 	relay.mailchannels.net (Postfix) with ESMTP ID: [ID filtered]
07: Received: from ams035.yourwebhoster.com (ip-10-107-69-155.us-west-2.compute.internal
08: 	[10.107.69.155]) by relay.mailchannels.net (Postfix) with ESMTPA ID: [ID filtered]
09: X-Sender-ID: [ID filtered]
10: Received: from ams035.yourwebhoster.com (ams035.yourwebhoster.com
11: 	[10.102.194.57]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by
12: 	0.0.0.0:2500 (trex/5.7.8); Sat, 15 Oct 2016 xx:xx:xx +0000  
13: X-MC-Relay: Bad  
14: X-MailChannels-SenderID: [ID filtered]
15: X-MailChannels-Auth-ID: [ID filtered]
16: X-MC-Loop-Signature: 1476531037171:1380665594  
17: X-MC-Ingress-Time: 1476531037171  
18: Received: from avilaarc by ams035.yourwebhoster.com with local (Exim 4.87)
19: 	(envelope-from <poor [at] spamvictim.tld>) ID: [ID filtered]
20: To: *snip*<*snip*@gmx.de>  
21: Subject: Herbst die besten Stiefel mit kleinem Budget  
22: X-PHP-Script:
23: 	education.avila-architecture.nl/administrator/components/com_finder/views/indexer/myshe.php
24: 	for 61.111.8.94  
25: MIME-Version: 1.0  
26: Content-Type: text/html  
27: From: <service [at] education.avila-architecture.nl>  
28: Date: Sat, 15 Oct 2016 xx:xx:xx +0200  
29: X-Mailer: education.avila-architecture.nl  
30: Message-ID: [ID filtered]
31: X-AuthUser: avilaarc [at] ams035.yourwebhoster.com  
32: Envelope-To: <*snip*@gmx.de>  
33: X-GMX-Antispam: 0 (Mail was not recognized as spam); Detail=V3; 

[truelife]

^whois:http://destiefel.com ist noch immer oder schon wieder online. Damit ich das auch ja nicht übersehe, schickt $spammy mir den Schmarrn gleich dreimal zu.


[Klick für Vollbild]

header:

01: Received: from ppwhs13.cooomobi.com ([137.175.115.54]) by mx-ha.gmx.net
02: 	(mxgmx107 [212.227.17.5]) with ESMTP (Nemesis) ID: [ID filtered]

header:

01: Received: from ppwhs14.cooomobi.com ([137.175.115.55]) by mx-ha.gmx.net
02: 	(mxgmx009 [212.227.15.9]) with ESMTP (Nemesis) ID: [ID filtered]

header:

01: Received: from ppwhs12.cooomobi.com ([137.175.115.53]) by mx-ha.gmx.net
02: 	(mxgmx004 [212.227.15.9]) with ESMTP (Nemesis) ID: [ID filtered]

[schara56]

header:

01: Received: from email.invogueboxs.com (email.invogueboxs.com [104.149.203.138])
02: 	by x (Postfix) with ESMTP ID: [ID filtered]
03: 	for <x>; Wed, 16 Nov 2016 xx:xx:xx +0100 (CET)

^whois:http://email.invogueboxs.com/display.php?M=*schnapp*&C=*schnapp*&S=*schnapp*&L=*schnapp*&N=*schnapp* (^whois:104.149.203.138) -> weiter zu
^whois:https://goo.gl/LrlP8c -> weiter zu
^whois:http://www.botsug.com (^whois:196.196.14.4)

[schara56]

header:

01: Received: from mail1.invogueboxs.com (mail1.invogueboxs.com [104.149.203.139])
02: 	by x (Postfix) with ESMTP ID: [ID filtered]
03: 	for <x>; Wed, 23 Nov 2016 xx:xx:xx +0100 (CET)

^whois:http://email.invogueboxs.com/display.php?M=*schnapp*&C=*schnapp*&S=*schnapp*&L=*schnapp*&N=*schnapp* (^whois:104.149.203.138) -> weiter zu
^whois:https://goo.gl/6wEvfA -> weiter zu
^whois:http://www.mclearance.com (^whois:199.33.121.77)

[kjz1]

Das dürfte wohl eine ganze China-Bande sein:

header:

01: Received: from srvh20.yyymobi.com ([37.61.210.85]) by mx-ha.gmx.net
02: (mxgmx003 [212.227.15.9]) with ESMTP (Nemesis) ID: [ID filtered]
03:  <x>; Fri, 25 Nov 2016 xx:xx:xx +0100

^whois:http://www.yyymobi.com

dient da aber nur als Verschleierer für:

^whois:http://www.DEUSTIEFEL.COM

^whois:http://www.JACKETS-EUR.COM

^whois:http://www.EUTASCHEN.COM

^whois:http://www.CEUJEWELRY.COM

Alles natürlich völlig schmerzbefreit bei den üblichen altbekannten Schwarzhüten gehostet. Über Post freut sich:

mail@yyymobi.com

itmaper@gmail.com

abuse@internet.bs

myfupqv9831890@163.com

abuse@PublicDomainRegistry.com

yaomaiyumingzhaowo@126.com

Abuse@hkdns.hk

[mAiLmAn]

Seit GMX dkim benutzt kommt bei mir fast nix mehr durch, diese Stiefel sind aber echt hartnäckig:

Do 13.10.2016 13:56
Fr 14.10.2016 14:45
Do 20.10.2016 03:49
Di 25.10.2016 03:14
Mi 23.11.2016 16:57
Mo 28.11.2016 12:41

Beworbene Domains:

^whois:runguys.com
^whois:gatmobi.com
^whois:gooomobi.com
^whois:ionmobi.com
^whois:kkoomobi.com

...und wenn man sich die Links genau anschaut kommen die genau gleichen Seiten raus, wie oben erwähnt (deustiefel, jckets-eur,...), die Mail kommt jedes mal von "mail@[domain]".

header:

01: Return-Path: <bounce[BOUNCE filtered]@runguys.com>
02: Received: from hsstmg19.cokapro.com ([107.148.51.252]) by mx-ha.gmx.net
03:  (mxgmx110 [212.227.17.5]) with ESMTP (Nemesis) ID: [ID filtered]
04:  for <me>; Sun, 27 Nov 2016 xx:xx:xx +0100
05: DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=runguys.com;
06:  h=Date:To:From:Reply-to:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Transfer-Enco
07: 	ing:Content-Type; i=mail [at] runguys.com;
08:  bh=1iaGK8DtwSDpoTzHU2s4G971I1E=;