To locate the active URL in the e-mail, you must look at the source code. Depending on your mail client the URL will resemble one of the following:






http:// www.rh085.com|corbis.fr


So, the way to find the active URL in the source code is to look for a long URL containing a series of what appear to be boxes ( ), control characters (^T), an equal sign followed by a number (=2), an ampersand and number sign followed by a number (&#20), three-digit numbers separated by backslashes (\020\), or a percent sign and number (%20).

Immediately following this series will be a domain name, possibly followed by ":80" or another port number. Just after the port number or the domain name will be a forward slash (/). The next two sets of entries will be the address for the page on Angelfire. Currently ET is using jjjjjjjj.com; previous names have included Londonville.org and com-rules.com. These may be different in your spam, as they usually change monthly.
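The search described above, written out as an added example (not part of the original page): it scans message source for URLs containing a run of the filler forms listed and reports the domain, port and the next two path entries that follow the run. The sample message, the `.example` hosts, the name `find_active_urls` and the four-filler threshold are assumptions made for illustration.

```python
import re

# One filler token, in the forms listed above (which one you see depends on the mail client).
FILLER = (
    r"(?:[\x00-\x08\x0e-\x1f\x7f]"  # raw control character, often drawn as a box
    r"|\^[A-Z]"                     # caret notation such as ^T
    r"|=\d{1,2}"                    # equal sign followed by a number
    r"|&#\d{1,3};?"                 # ampersand and number sign followed by a number
    r"|\\\d{3}"                     # three-digit number introduced by a backslash
    r"|%[0-9A-Fa-f]{2})"            # percent sign and number
)
MIN_RUN = 4  # assumption: a lone %20 is normal, a run of fillers is not
URL = re.compile(r"https?://[^\s\"'<>]+")
# Filler run, then host, optional port, "/" and the next two path entries.
ACTIVE = re.compile(
    "(" + FILLER + "{%d,})" % MIN_RUN
    + r"\\?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?::(\d{1,5}))?/([^/\s]*)/?([^/\s]*)"
)

def find_active_urls(source):
    """Return host, port and first two path entries for each filler-obfuscated URL."""
    hits = []
    for url in URL.findall(source):
        m = ACTIVE.search(url)
        if m:
            hits.append({
                "raw": url,
                "fillers": len(re.findall(FILLER, m.group(1))),
                "host": m.group(2).lower(),
                "port": int(m.group(3)) if m.group(3) else None,
                "path": [p for p in m.group(4, 5) if p],
            })
    return hits

# Constructed sample message source; hosts use the reserved .example TLD.
SAMPLE = "\n".join([
    '<a href="http://www.first.example%14%14%14%14%14%14redirect.example:80/ab/page1/">',
    '<a href="http://www.first.example=14=14=14=14redirect.example/cd/page2/x.html">',
    r'<a href="http://www.first.example\020\020\020\020\redirect.example:8080/ef/page3">',
    '<a href="http://plain.example/a%20b/c">',
])

if __name__ == "__main__":
    for hit in find_active_urls(SAMPLE):
        print(hit["host"], hit["port"], hit["path"], "fillers:", hit["fillers"])
```

A URL that legitimately percent-encodes a long run of characters ahead of something that looks like a host name can also match, so treat each hit as a candidate to confirm by eye.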

In mid-November, a new version was posted that did not use the control characters. This version did not go through a page at Angelfire; all other properties remained the same.

This link leads to a page that contains the most recent URLs from the stealth window spams. Each URL will show the date added, and the decoded links to the final site.
This link contains contact addresses for the parties involved in hosting the websites and nameservers. Use the information on the Current Sites for the locations, then look here for contact information regarding those sites.

Last modified: February 14, 2001