It's been a boring day at work, so I thought I would help. The IP address 216.55.179.253 belongs to a company called Codero. Here is the website:
www.codero.com They are a hosting site and are known to host spam servers, as I found out here:
http://www.forumpostersunion.com/showthread.php?t=22423
Here is their WhoIs info:
NetRange: 216.55.176.0 - 216.55.187.255
CIDR: 216.55.184.0/22, 216.55.176.0/21
OriginAS: AS10316
NetName: CODERO1999A
NetHandle: NET-216-55-176-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
RegDate: 1999-05-28
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-216-55-176-0-1
OrgName: Codero
OrgId: APHIN
Address: 5750 W. 95th St., Suite 300
City: Overland Park
StateProv: KS
PostalCode: 66207
Country: US
RegDate: 2009-07-21
Updated: 2013-12-03
Ref: http://whois.arin.net/rest/org/APHIN
OrgAbuseHandle: APHAB-ARIN
OrgAbuseName: APH Abuse
OrgAbusePhone: +1-866-226-3376
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/APHAB-ARIN
OrgTechHandle: ADA108-ARIN
OrgTechName: APH DNS Administrator
OrgTechPhone: +1-866-226-3376
OrgTechEmail: [email protected]
OrgTechRef: http://whois.arin.net/rest/poc/ADA108-ARIN
If you notice this section here:
Received: from mailer223.gate181.sl.smtp.com (unknown [192.40.181.223])
by mx46 (Coremail) with SMTP id YMCowEDp30d3Kg5TuhQ7Cw--.1133S2;
Thu, 27 Feb 2014 01:55:05 +0800 (CST)
This tells me that the original was sent from the IP to [email protected]. Smtp.com is being used like a proxy server to get past Codero's spam filter. That would also explain why they had to use port 61709, as seen here:
Received: from [216.55.179.253] ([216.55.179.253:61709] helo=216-55-179-253.dedicated.codero.net)
I know what you're thinking: what about the download? The truth is, I can't look at it here at work, but I can tell that it comes from
http://deseobc.com/ and here is the Whois info for this site:
Domain Name: DESEOBC.COM
Registry Domain ID:
Registrar WHOIS Server: whois.neubox.com
Registrar URL: http://neubox.com/
Updated Date: 10-Jul-2013
Creation Date: 11-Mar-2013
Registrar Registration Expiration Date: 11-Mar-2014
Registrar: NEUBOX Internet S.A. de C.V.
Registrar IANA ID: 1483
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +524448100982
Domain Status: clientTransferProhibited
Registry Registrant ID: NBX_24167807
Registrant Name: Mauricio Gaona Olivo
Registrant Organization: MS Consulting
Registrant Street: Iglesia 130
Registrant City: Mexico
Registrant State/Province: Distrito Federal
Registrant Postal Code: 01900
Registrant Country: MX
Registrant Phone: +52.36156415
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:
Registry Admin ID: NBX_24167807
Admin Name: Mauricio Gaona Olivo
Admin Organization: MS Consulting
Admin Street: Iglesia 130
Admin City: Mexico
Admin State/Province: Distrito Federal
Admin Postal Code: 01900
Admin Country: MX
Admin Phone: +52.36156415
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
Registry Tech ID: NBX_24167807
Tech Name: Mauricio Gaona Olivo
Tech Organization: MS Consulting
Tech Street: Iglesia 130
Tech City: Mexico
Tech State/Province: Distrito Federal
Tech Postal Code: 01900
Tech Country: MX
Tech Phone: +52.36156415
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email:
Name Server: ns143.neubox.net
Name Server: ns144.neubox.net
And all this matches up because the name on the Whois is the same name that is on the main page, which says: "Powered by Mau Gaona." The lesson for today, kids: if you're going to try to steal from someone, don't sign the damn page hosting the download!
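Reading the Received chain from the bottom up, as the post does, can be scripted. The following is an added example (not from the post or the thread) that parses Received headers in transit order and pulls out the connecting IP, source port, HELO name and receiving host for each hop; the header block is constructed from the two Received lines quoted above plus a hypothetical "by" clause and Subject so it parses as a complete header section.

```python
import re
from email.parser import HeaderParser

# Constructed sample: the two Received lines quoted in the post, plus a
# hypothetical "by" clause on the Codero hop and a dummy Subject. Not a
# real captured message.
SAMPLE_HEADERS = (
    "Received: from mailer223.gate181.sl.smtp.com (unknown [192.40.181.223])\n"
    "\tby mx46 (Coremail) with SMTP id YMCowEDp30d3Kg5TuhQ7Cw--.1133S2;\n"
    "\tThu, 27 Feb 2014 01:55:05 +0800 (CST)\n"
    "Received: from [216.55.179.253] ([216.55.179.253:61709]"
    " helo=216-55-179-253.dedicated.codero.net)\n"
    "\tby mailer223.gate181.sl.smtp.com with esmtp (hypothetical hop)\n"
    "Subject: constructed sample\n"
    "\n"
)

IP_PORT = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
HELO_RE = re.compile(r"helo=([^\s)]+)", re.IGNORECASE)

def parse_received(raw_headers):
    """Return Received hops in transit order (earliest hop first).

    Every receiving MTA prepends its own Received line, so the headers are
    newest-first and must be reversed to follow the path the message took.
    """
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        addrs = IP_PORT.findall(value)
        from_m, by_m, helo_m = FROM_RE.match(value), BY_RE.search(value), HELO_RE.search(value)
        hops.append({
            "from": from_m.group(1).strip("[]") if from_m else None,
            "ip": addrs[0][0] if addrs else None,
            # a hop may repeat the address once with and once without a port
            "port": next((int(p) for _, p in addrs if p), None),
            "helo": helo_m.group(1) if helo_m else None,
            "by": by_m.group(1) if by_m else None,
        })
    return hops

def origin_hop(raw_headers):
    """The earliest hop: the host that handed the message to the first relay."""
    hops = parse_received(raw_headers)
    return hops[0] if hops else None
```

Only the topmost Received lines (added by your own MTAs) are trustworthy; anything below them was written by the sender's side and may be forged, so treat the origin hop as a lead to check against WHOIS, not as proof.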