Gold VIP Club Casino垃圾邮件分析

wanbet-bc518

之前我提到过这些垃圾，看这个帖子：
https://www.gowanbo.cc/thread-5039-1-1.html

这个Gold VIP Club Casino每天至少一封垃圾邮件，而且变换各种信头等。从邮件你根本看不出从哪里发出来的。下面我就来分析一封垃圾邮件，给大家看看这个RTG流氓赌场的真面目。这个赌场从一上线以来就只以发垃圾邮件Spam。

X-Message-Delivery: Vj0zLjQuMDt1cz0wO2k9MDtsPTA7YT0x
X-Message-Status: n:0
X-SID-PRA: [email protected]
博彩518注：goldvip.com是个停放域名
X-Message-Info: 6sSXyD95QpXGGyvqOZccsBLrwP88zclNpXCrSavUMGcYmxurv+aeOhOvP1yoxw+rFyggpKjunMJch7B7EVtJAA==
Received: from serv1.webhosting.ge ([212.58.116.74]) by bay0-mc8-f2.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
博彩518注：服务器空间供应商是，如果你要投诉，找这里。
         Fri, 21 Mar 2008 12:03:33 -0700
Received: from zlgyv (139.121.187.218)
        by serv1.webhosting.ge; Fri, 21 Mar 2008 23:03:49 +0400
Date: Fri, 21 Mar 2008 23:03:49 +0400
From:  <[email protected]>
X-Mailer: The Bat! (v2.01)
Reply-To:  <support@vipcasino.com>
博彩518注：回复到VIPCasino.com，是鸿运来集团的一家十分有信誉的赌场。这些烂货根本不怕得罪别人或者影响别人的生意。它们往往将自己伪装成著名的信誉网上赌场。
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To:  <y****@hotmail.com>
Subject: =?iso-8859-5?B?aXQgaXMgcmVhbGx5IGZvciB5?=
        =?iso-8859-5?B?b3U=?=
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------3C983BF0D5EDC"
Return-Path: [email protected]
X-OriginalArrivalTime: 21 Mar 2008 19:03:34.0576 (UTC) FILETIME=[42FC2B00:01C88B86]

------------3C983BF0D5EDC
Content-Type: text/html; charset=iso-8859-5
Content-Transfer-Encoding: 8bit

<html>

<a href="http://goldskygambling.com"><img src="http://www.irishparliamenttrust.com/images/true-online-casino.gif" alt="n5qrp33ua5z5y8thjgdhn9jl2e2j8dcujcp05l4t341tma654scd3ctoewrw8oey69uk6lu9gvsnkzdy427sc57juufemkrps49wochxnqv8l603zki24s0qzcwzozde4fxppqiqgn39cl1uwaltu1je7seylnh4t3adk3q2jo7fp9fys0kpohkitrr7i2y2h5nkhxrysleayvdlq1criwygt1pg8zefhbx11vdb8apl0veqznb2p63p121bnnncbkcmn0gx1k3u1j8a5zyv9s2pahzrjbuerea6a5np5ey4rghr8raxlb62cy558g1cr58zgdfkymy4nb2ekd9hmtvufcvqujf7x0synmbmbawl40g6rrnekbv4bs7s5cvopzs9kv8v3dutcxnzqwdx4x7ouj41znczapkv6wuerxnp8s1t5p1m5a208ghzdwgpa28gjndyfwfs3hx4mwvyxeiip948buviuv7banb3dbirbfz5051wxzdqxnvt3b4nw1jevkkneug1t49hdz7ev7m2qujr91y6h1rkpzbp48bzd2bia9nqnv7huctdbg8bfyf3vdk62m4uxxq6kgeuez4hlvbpwlc56g1xp3ehd2rjozvnj43edo4eolb2p26tomtn4tr6oyp850v2ojwv4vnmalugx4nuorw1lx5jf6eiz92incxk6wafth90jiqt1tc926jybsgmrwiyvgubeynk4gemuszlb09oehjme3g5msz8lv5eqseieb2e4eomhzafszkty8osu81b3uexbs9hl1zcfthoz1uir2cdcc7j4kler11mgjn1f7gqctmxp6pl4xe0ky72zin86mi3p0lls53vaxieiykebvvmlbhdt7cj4yp5ro5f5qinel3ml6ot06ekqn3r3b7egrq2nn3kv405zmnobrvnzv2xehf0zmuw137mjoc6sz3evrxqzw2v2ttlawatiqwohoi6159ytk9x03am3mnsqwmiqsgpy62j12xjzxzvhpcj3ktzhx9hfi6od62shuoi3hjln4k1m4byesekyx4dn0kbccnbnpff0s1amv4raxjone43rnawtk0qj75zmpf3kvfy1ypvfkjk73c8qx29y10fac50e9g4jqcuiedatn6p643wz4blx4"></img></a>

</html>
博彩518注：邮件内容是HTML格式，如果你用在线查看电邮，并且和我一样使用微软的邮箱或者Yahoo的邮箱或者Gmail，并且设置不自动打开HTML电邮，是看不到邮件内容的。以上内容我都是通过查看电邮源文件得到，没有点击过邮件。

邮件链接到http://goldskygambling.com/，到这个网站可以发现除了下载和几个简单的页面，无任何介绍。这些垃圾每天可以注册一个新域名，复制一个这样一个新网站，再发出上万封垃圾电邮。

去这个网站，会发现这个Casino叫做World Casino，这个名字他们随便起的，每次都可以换一个名字。

下载后，查看执行文件，可以知道是RTG软件的赌场，但是不知道是哪家赌场。不过你如果安装就知道它是Gold VIP Club Casino。

如果是Playtech或者Microgaming软件，可以从执行文件查到里面的AFF代码。


------------3C983BF0D5EDC--
</

wanbet-bc518

这家赌场GoldVipClub.com十分无耻！
这家赌场发送无数垃圾邮件，原来是与这个Blackhat SEO(http://syndk8.net/)合作的。

2009年3月21日：

Easy jackpots are here today&#8207;
From:  [email protected]  
Sent: March 21, 2009 8:21:14 PM

Quick and Easy bonuses will win you jackpots today! No risk or deposit needed!
Be an instant winner with a no risk $3960 bonus <~~~
Collect free bonus valued at $880 <~~~
Free slot spins with this $729 no deposit bonus <~~~

100% NEW no purchase bonuses!

Become the biggest winner of 100k jackpot! Start with free no risk cash of $555!

Don’t wait until month end! No deposit $4250 bonus

Get your $21,099 free cash to play on selected exclusive slots! <<< Newest Slots

邮件内容全部挂了一个链接到http://uzimwwtrbriodjyotwoxprnlppv.blogspot.com/，这个链接直接转到http://www.32vip74.com/，这个网站是一个十分简单的页面，挂的全部是客户端下载链接，无任何实质内容。

直接通过google的blogspot来发垃圾邮件是最近几个月十分流行的一招。

wanbet-bc518

72 days at the baccarat table
Thursday, March 19, 2009 4:05 PM
From: "[email protected]" <[email protected]>
To: [email protected]
350% up to 1000$ on your first deposit. Your Bonus CODE: LP350 WELCOME

链接是http://rb.mail.ru/clb/nawunowi.mail333.su，通过302转到http://nawunowi.mail333.su，再转到http://vip-07.com/，显示的是Golden Crown Casino，只有下载链接。下载的客户端是Real Time Gaming的某个赌场，仔细分析会是Gold VIP Club Casino。

注意：vip-07.com的IP是58.17.3.57，是中国某地。该IP地址对应的域名有1059个，比如，09dic2.com， 0i0casino.ru，1cold98.com等。

比如1cold98.com是Star Winners Online Casino，和上面的Golden Crown Casino一样是假的，下载的都是Gold VIP Club Casino。

比如0i0casino.ru对应的是Fiesta Club Casino，和上面的Golden Crown Casino一样是假的，下载的都是Gold VIP Club Casino。

其它域名有：
Found 34 domains hosted on the same web server as vip-07.com (58.17.3.57).
goodtimetowin.com 显示的是Euro Prime Casino，里面的链接是http://newcasinoseason.com/prime_green/
siteplayingweb.net 显示的是Euro Dice Casino，里面的链接是http://newcasinoseason.com/eurodicecasino/
fullvipplaying.net  显示的是Euro Dice Casino，里面的链接是http://newcasinoseason.com/eurodicecasino/
sitegamblingnew.com 显示的是Euro Prime Casino，里面的链接是http://newcasinoseason.com/
www.pokerredclub.com 显示的是RedClub Poker 里面的链接是http://newcasinoseason.com/redclubpoker/
www.playingsunwave.com 显示的是Vegas Club Casino 里面的链接是http://newcasinoseason.com/vegasclub/
cazinotop.com, Euro Club Casino, http://newcasinoseason.com/euroclub/
1our48.com, Star Winners Online Casino
daygamingplace.com, Privilege Club Casino, http://newcasinoseason.com/privilegeclub/
redsungambling.net, Exclusive Club Casino, http://newcasinoseason.com/exclusive/
casinowayhit.com, Vegas Club Casino, http://newcasinoseason.com/vegasclub/
www.newyeargames.ru, Fiesta Club Casino, http://www.newyeargames.ru/
waylightplaying.com, Casino Fiesta Club, http://newcasinoseason.com/fiesta/
gamingisreal.com, Vegas Club Casino, http://newcasinoseason.com/vegasclub/
www.timegoldgambling.com, Privilege Club Casino, http://newcasinoseason.com/privilegeclub/
wayplayinglite.net, Royal Club Casino, http://newcasinoseason.com/royalclub/
wayhitplaying.com, Euro Dice Casino, http://newcasinoseason.com/eurodicecasino/
gamblingwebplay.com, Vegas Club Casino, http://newcasinoseason.com/vegasclub/
www.hydroxycutcasino.com, Vegas Club Casino, http://newcasinoseason.com/vegasclub/
hea88q.com, VIP Vegas Online Casino, http://hea88q.com/
www.wincasinopro.ru, Vegas Club Casino, http://www.wincasinopro.ru/
creativeslots.com, Euro Prime Casino, http://newcasinoseason.com/prime_green/
supplementscasino.com, Grattage, http://newcasinoseason.com/grattage/
floristcasino.com, Privilege Club Casino, http://newcasinoseason.com/privilegeclub/
accessoriescasino.com, Privilege Club Casino, http://newcasinoseason.com/privilegeclub/
rugscasino.com, Vegas Club Casino, http://newcasinoseason.com/vegasclub/
lightwaygaming.net, Privilege Club Casino, http://newcasinoseason.com/privilegeclub/
gamingwayhit.net, Vegas Club Casino, http://newcasinoseason.com/vegasclub/
cigarettecasino.com, Euro Dice Casino, http://newcasinoseason.com/eurodicecasino/
casinovmostmonster.com, Royal Club Casino, http://casinovmostmonster.com/
www.marveni.net, Star winners Online Casino, http://www.marveni.net/
casinomostvmonster.com, Royal Club Casino, http://casinomostvmonster.com/
cricale.com, Royal VIP Casino, http://cricale.com/
8cram33.com, Royal VIP Casino, http://8cram33.com/

这个团伙看起来是俄罗斯，但是服务器在中国。很可能这个服务器被俄罗斯人搞定了，或者中国某人也参与了。


另外一封：

play free slots
Thursday, March 19, 2009 7:26 PM
From: "[email protected]" <[email protected]>
To: [email protected]
350% up to 1000$ on your first deposit. Your Bonus CODE: LP350 WELCOME

里面链接是http://rb.mail.ru/clb/hiwogomo.pochta.ru，再转到hiwogomo.pochta.ru，再转到vip-07.com

所有的赌场名字都是假的，最终链接到流氓赌场Gold VIP Club Casino

top1628

楼主翻译一下邮件的内容。好象红利很可观的样子，我也是天天收到。晕

wanbet-bc518

这是最垃圾的网络赌场，骗的就是觉得它们不错的人

top1628

差点要中招