Full Version: New Spamcop Phishing
Seeker
fyi, I just received a different phishing email. Preposterously worded of course, but being received the morning after I had renewed my account was a bit weird.

CODE
Dear Spamcop Webmail Subscriber

This message is to inform all our {Spamcop} webmail users that we will be
maintaining and upgrading our website in a couple of days from now. As a
Subscriber you are required to send us your Email account details to
enable us know if you are still making use of your mail box.

Be informed that we will be deleting all mail account that is not
functioning to enable us create more space for new users, You are to send
your mailaccount details which are as follows:

*User Name:
*Password:
*Date of birth:

You can also confirm your email address by logging into your account
at https://webamil.spamcop.net/ before sending us the required information.

WARNING: Any of our webmail user that refuses to send his/her verification
details within the next seven(7) days of receiveing this message and
failed to respond will be deleted immedately from our database.

Verification code: Spamcop:0090-009

Thank you for using Spamcop!
>From The Spamcop Support Team.
© Spamcop Support Team
g4mby
Remove the spelling and grammar mistakes and it might, just might make this one a little more believable. Like most phishes I receive the originators drastically reduce their rate of success with poorly worded content although the chances of catching out a SpamCop user with this must surely be nil!

Even SpamCop is not capitalised correctly.
Farelf
A number of webmail services are currently being phished it seems and, going by the previous attempts, even a few SC account holders will fall for it. Sad, but seemingly inevitable. An interesting thing would be the 'drop-box' that is being used in such cases, the "Reply-To:" address.
Seeker
There were several clues that this message was bogus. A Reply-To address in South Africa, can't even spell "webmail" correctly in the URL! The text stinks of English-is-not-native-language.
vilain
They're at it again. I just got a spam from HYPERMAIL that's almost identical to the one in the original post:

http://mailsc.spamcop.net/mcgi?action=gett...rtid=3792851118

So either this worked last time they tried it or there's one lazyass spammer out there.
Farelf
QUOTE(vilain @ Jan 16 2009, 11:30 PM) *
Thanks for the 'heads up' - but only you (and presumably SC staff) can see that report. For public consumption it needs to be a tracking URL which you can recover from the report (at the top of the parse - "Here is your TRACKING URL - it may be saved for future reference: ...").

And, sadly, some were caught by previous attempts and assuredly some will be caught by this one too. But none will be caught who heed your timely warning. Yes, of course spammers are (also) lazy. If it were otherwise the little sods would own the observable universe by now (well, would share it with Bill Gates, anyway).
cherrick
I hope everyone who sees this in their inbox realizes it's b*llsh*t:
"
Dear spamcop.net Subscriber,

We are currently carrying-out a maintenance process to your spamcop.net
account to fight against spam MAILS,to complete this process and
if you are the rightful owner of this account you required to reply
with below information of your email

User Name here:(**********)
Password here(**********)

Failure to summit your spamcop.net details, will render your email address
in-active from our database.

NOTE: You will RECEIVE a password reset message in next two (2)
working days after undergoing this process for security reasons.

Thank you for using spamcop.net!
THE spamcop.net TEAM
"

Moderator Edit: Merged into existing Topic/Discussion on the same Subject.
SkipHuffman
Still active. I just got this one. gmail account this time.

Dear SPAMCOP.NET Email Owner,

This message is from SPAMCOP.NET messaging center to all PAMCOP.NET Email owners. We are currently upgrading our data
base and e-mail center. We are deleting all unused SPAMCOP.NET email to create more space for new one.To prevent your
account from closing you will have to update it below so that we will know that it's a present used
account.

However USC has been receiving complaints from our customers for unauthorised use of the SPAMCOP.NET Email. As a result
remaking an extra security check on all of our Customers mailbox in order to protect their information from theft and
fraud.

Warning!!! Email owner that refuses to update his or her Email,within two days of receiving this warning will lose his
or her Email permanently. You are require to send us the below information

Requested Information

Email Username : .......... .....
Email Password : ................
Date of Birth : ................
Country or Territory : ..........

Thanks for your co-operation.

Copyright @2009 SPAMCOP.NET All rights reserved
agsteele
Yes, I got my first ever today to my SC mailbox... :-( Ironically it was the only spam item received overnight that made it through grey-listing, SpamAssassin checks, block list checks and into my mailbox

Andrew
petzl
QUOTE(agsteele @ Apr 16 2009, 07:13 AM) *
Yes, I got my first ever today to my SC mailbox... :-( Ironically it was the only spam item received overnight that made it through grey-listing, SpamAssassin checks, block list checks and into my mailbox

http://www.spamcop.net/sc?id=z2796589541z7...;action=display

Mine was blocked and reported; I also reported the reply address.
Lking
I wonder if they are actually bright enough to coordinate the attack with the maintenance window scheduled for today?

No, no, no. The human mind is always looking for patterns to explain events, even random events.

That also points out something about the spammer's mind. They're not 'human enough' to always do the pattern matching for s-p-a-m-c-o-p correctly.
cherrick
Same email, just in on 16-4 From: header says "Spamcop.net Team Support" <teamsupporttelenets4[at]gmail.com>

ReplyTo: header resolves to the same.

... going right to /dev/null
cherrick
New phish hit my in box.

Replyto: field is webmailupgrader[at]consultant.com

Body: is
"Quoting Spamcop Webmail Notice <webmail.upgrade[at]spamcop.net>:

> Dear Spamcop Webmail Account Owner,
> We are currently performing maintenance for Our Spamcop
> Digital Webmail Customers.We intend upgrading our Digital
> Webmail Security Server for better online services. We are
> canceling unused Spamcop webmail email account to create
> more space for new accounts.To prevent your account from
> closing you will have to update it below to know it's status
> as a currently used account.
>
> CONFIRM YOUR EMAIL IDENTITY BELOW
> Email Username :=====================================
> Email Password :=====================================
> Date of Birth :======================================
>
> Warning!!! Any account owner that refuses to update his/her
> webmail account within three (3) days of this update
> notification will loose his/her account permanently.
>
> Thank You For Your Support
"
Ricardo
Today (1-May-2009), I received another PHISH e-mail message (in my SpamCop mailbox) to get my SpamCop username and password. The "From:" header in the message reads as "Spamcop Webmail Notice <webmail.upgrade[at]spamcop.net>" but the "Reply-To:" is "webmailupgrader[at]consultant.com".

I have already reported it through SpamCop Reporting form (the report was sent to postmaster[at]ibw.com):

QUOTE

Return-Path: <webmail.upgrade[at]spamcop.net>
Delivered-To: spamcop-net-MUNGED[at]spamcop.net
Received: (qmail 32767 invoked from network); 1 May 2009 16:12:29 -0000
X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7
X-spam-Level:
X-spam-Status: hits=0.0 tests=none version=3.2.4
Received: from unknown (192.168.1.86)
by filter7.cesmail.net with QMQP; 1 May 2009 16:12:29 -0000
Received: from tk.ibw.net (HELO tk.ibw.com.ni) (200.85.160.21)
by mxin2.cesmail.net with SMTP; 1 May 2009 16:12:13 -0000
X-ASG-Debug-ID: 1241194346-7d1d039c0000-B5XM8f
X-Barracuda-URL: http://200.85.160.21:8000/cgi-bin/mark.cgi
Received: from nicaraguense.ibw.com.ni (localhost [127.0.0.1])
by tk.ibw.com.ni (spam Firewall) with ESMTP
id 9BFE31788120; Fri, 1 May 2009 10:12:26 -0600 (CST)
Received: from nicaraguense.ibw.com.ni (nicaraguense.ibw.com.ni [200.85.160.12]) by tk.ibw.com.ni with ESMTP id ToK5gz4rSIDdvLAu; Fri, 01 May 2009 10:12:26 -0600 (CST)
X-Barracuda-Envelope-From: webmail.upgrade[at]spamcop.net
Received: from mailhost.ibw.com.ni (tiscapa.ibw.com.ni [200.85.160.3])
by nicaraguense.ibw.com.ni (8.12.11/8.12.9) with SMTP id n41GCQmm002175;
Fri, 1 May 2009 10:12:26 -0600 (GMT)
Message-Id: <2009___________________2175[at]nicaraguense.ibw.com.ni>
X-Barracuda-BBL-IP: 200.85.160.3
X-Barracuda-RBL-IP: 200.85.160.3
X-Priority:
Sensitivity: Company-Confidential
From: Spamcop Webmail Notice <webmail.upgrade[at]spamcop.net>
Reply-To: webmailupgrader[at]consultant.com
Organization: Spamcop Webmail Notice
To: x
X-ASG-Orig-Subj: Spamcop Email Verification
Subject: Spamcop Email Verification
Date: Fri, 1 May 2009 11:12:26 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Barracuda-Connect: nicaraguense.ibw.com.ni[200.85.160.12]
X-Barracuda-Start-Time: 1241194346
X-Barracuda-Virus-Scanned: by Barracuda spam & Virus Firewall at ibw.com.ni
X-SpamCop-Checked: 200.85.160.21 200.85.160.12 200.85.160.3

Dear Spamcop Webmail Account Owner,
We are currently performing maintenance for Our Spamcop
Digital Webmail Customers.We intend upgrading our Digital
Webmail Security Server for better online services. We are
canceling unused Spamcop webmail email account to create
more space for new accounts.To prevent your account from
closing you will have to update it below to know it's status
as a currently used account.

CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username :=====================================
Email Password :=====================================
Date of Birth :======================================

Warning!!! Any account owner that refuses to update his/her
webmail account within three (3) days of this update
notification will loose his/her account permanently.

Thank You For Your Support


Ricardo
Hi Cherrick,

You wrote:

QUOTE(cherrick @ May 1 2009, 02:00 PM) *

New phish hit my in box.

Replyto: field is webmailupgrader[at]consultant.com

Body: is
"Quoting Spamcop Webmail Notice <webmail.upgrade[at]spamcop.net>:

[snip]
"

Right. I received that PHISHING message today (1-May-2009) in my SpamCop mailbox, as well. The content and e-mail addresses used were the same ones that you got (webmailupgrader[at]consultant.com in the "Reply-To:" header and "webmail.upgrade[at]spamcop.net" in the "From:" header).

Regarding this, you may check the post (Post #13) that I wrote a few minutes ago, in this same forum ("SpamCop Email System & Accounts") for the discussion "New Spamcop Phishing":

http://forum.spamcop.net/forums/index.php?...ost&p=71168


Cheers!
Farelf
Well, the good news is that particular reply-to has been deactivated:

[Resolving consultant-com.mr.outblaze.com...]
[Contacting consultant-com.mr.outblaze.com [208.36.123.58]...]
[Connected]
220 spf11.us4.outblaze.com ESMTP Postfix
EHLO hexillion.com
250-spf11.us4.outblaze.com
250-PIPELINING
250-SIZE 31457280
250-ETRN
250 8BITMIME
NOOP *** See <http://www.hexillion.com/MailAdmin/> for an explanation of this session
250 Ok
NOOP *** HexValidEmail COM 1.4.12 <5c31a8fa73d35685c3baa1e0430da151bdc52a85>
250 Ok
RSET
250 Ok
MAIL FROM:<HexValidEmail[at]hexillion.com>
250 Ok
RCPT TO:<webmailupgrader[at]consultant.com>
550 <webmailupgrader[at]consultant.com>: Account Deactivated
[Address has been rejected]
RSET
250 Ok
QUIT
221 Bye
[Connection closed]
cherrick
Reply-To: header resolves to:
"upgrade[at]spamcop.net" <webmail.upgrade2[at]consultant.com>



----- Forwarded message from howell1[at]dodo.com.au -----
Date: Wed, 6 May 2009 8:59:05 +1000
From: "upgrade[at]spamcop.net" <howell1[at]dodo.com.au>
Reply-To: "upgrade[at]spamcop.net" <webmail.upgrade2[at]consultant.com>
Subject: Attn: Spamcop.net Webmail User!

Dear spamcop.net Webmail User,
We are really sorry for the inconvenience we are making you pass through,we
are having problem with our database due to our recent upgrade and we can
not find your data. Please we need to rectify this problem before the next
24-hours if not, you may not be able to send or receive email with your
spamcop.net Webmail e-mail address.

Please provide your account details below so we can rectify this problem as
soon as possible:
Username/ e-mail:
PASSWORD:
COUNTRY:

NOTE: Your data and information will not be tampered or interfered with,
We'll just record your data back into our database and send you a new
confirmation alphanumerical password that will only be valid during this
period and can be changed after this process.
Please respond to this notice to enable us provide you better online
services.

________________________________________________

This message
was sent using Dodo Webmail - www.dodo.com.au



----- End forwarded message -----
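The header patterns pointed out in this thread (a "Reply-To:" drop box outside the claimed sender's domain, a spamcop.net address placed in the display name of a dodo.com.au sender, a body asking for account details) can be checked mechanically. This is an added example, not part of any post; the function names and the benign sample are assumptions made for illustration, and the two phish samples are trimmed from the messages quoted above.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Trimmed from messages quoted in this thread; "[at]" munging kept as posted.
SAMPLE_MAY_1 = """\
From: Spamcop Webmail Notice <webmail.upgrade[at]spamcop.net>
Reply-To: webmailupgrader[at]consultant.com
Subject: Spamcop Email Verification

CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username :=====
Email Password :=====
Date of Birth :=====
"""

SAMPLE_MAY_6 = """\
From: "upgrade[at]spamcop.net" <howell1[at]dodo.com.au>
Reply-To: "upgrade[at]spamcop.net" <webmail.upgrade2[at]consultant.com>
Subject: Attn: Spamcop.net Webmail User!

Please provide your account details below:
Username/ e-mail:
PASSWORD:
COUNTRY:
"""

# Constructed benign message for contrast (not from the thread).
SAMPLE_BENIGN = """\
From: Alice <alice@example.org>
Subject: lunch

See you at noon.
"""

ASKS_RE = re.compile(r"user\s?name|pass\s?word|date of birth", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def _name_and_domain(header):
    """Return (display name, lower-cased address domain) for one header."""
    name, addr = parseaddr(str(header or ""))
    return name, addr.rpartition("@")[2].lower()


def phish_indicators(raw):
    """List the header/body signals discussed in the thread that `raw` shows."""
    msg = message_from_string(raw.replace("[at]", "@"), policy=policy.default)
    from_name, from_dom = _name_and_domain(msg["From"])
    _, reply_dom = _name_and_domain(msg["Reply-To"])
    found = []
    # Replies go to a different domain than the claimed sender: the drop box.
    if reply_dom and reply_dom != from_dom:
        found.append("reply-to-differs")
    # Display name shows an address in another domain than the real sender.
    shown = ADDR_RE.search(from_name)
    if shown and shown.group(1).lower() != from_dom:
        found.append("address-in-display-name")
    # Body asks the recipient to send account secrets back by mail.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if ASKS_RE.search(body):
        found.append("asks-for-credentials")
    return found


if __name__ == "__main__":
    for label, raw in [("1 May", SAMPLE_MAY_1), ("6 May", SAMPLE_MAY_6),
                       ("benign", SAMPLE_BENIGN)]:
        print(label, phish_indicators(raw))
```

A differing Reply-To on its own is routine for mailing lists, so treat the signals as meaningful in combination rather than individually.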


rconner
QUOTE
Your data and information will not be tampered or interfered with,
We'll just record your data back into our database and send you a new
confirmation alphanumerical password that will only be valid during this
period and can be changed after this process.
Reminds me of an old Bob & Ray PSA about how the Bob & Ray bank lost all of its records, and would depositors please stop by and tell them how much they had in their accounts (no cheating, please).

-- rick

Farelf
QUOTE(cherrick @ May 6 2009, 07:52 AM) *
Reply-To: header resolves to:
"upgrade[at]spamcop.net" <webmail.upgrade2[at]consultant.com>
And that one hasn't been deactivated at this time:

RCPT TO:<webmail.upgrade2[at]consultant.com>
250 Ok

(no flooding it now, play nice)
dra007
QUOTE(Farelf @ May 6 2009, 01:52 AM) *
(no flooding it now, play nice)

no, but I will certainly register it with a few spamming sites..
SpamCopAdmin
Another Phishing run has started. The spammer is trying to get your SpamCop username and password, plus other personal info.


Moderators:

Please feel free to move this post, delete it, or whatever.

- Don D'Minion - SpamCop Admin -
DavidT
Thanks for the "alert," Don. Unfortunately, the people most likely to fall for the phish probably never visit these forums, but there's always hope. I suppose JT could broadcast a message to all users, advising them of these repeated phishing attempts and that they should never give their information up.

DT
Wazoo
QUOTE(SpamCopAdmin @ May 15 2009, 11:46 PM) *
Moderators:

Please feel free to move this post, delete it, or whatever.

Merged into the existing Topic/Discussion on the same subject matter.
agsteele
Looks like a new phishing run has started....

Apart from the obvious text the real giveaway was an entirely improbable sender's address.

Be vigilant!

CODE
Dear SpamCop Webmail online Email Account Owner,

Important notice, harmful virus was detected in your account which can be
harmful to our subscriber unit.You are to enter your Username and Password here
{____________, __________} to enable us set in an anti virus in your user
account to clear up this virus. we do need your co-operation in this, Providing
us with this information we enable us insert in your account an anti virus
machine for clean up.


Andrew
cherrick
Just got the new Phishing expedition trying to hit spamcop.net users:

QUOTE
Date: Thu, 23 Jul 2009 02:15:44 +0800 [01:15:44 PM CDT]
From: SPAMCOP SUPPORT TEAM <helpdesk[at]spamcop.net>
To: undisclosed-recipients:;
Reply-To: verification_teamss12[at]yahoo.com.hk
Subject: FINAL ACCOUNT UPDATE!!!

Dear spamcop.net Subscriber,

We are currently carrying-out a mantainace
process to your spamcop.net account, to
complete this, you must reply to
this mail immediately, and enter your
User Name here (,,,,,,,,) And Password here
(.......) if you are the rightful owner of
this account.

This process we help us to fight against
spam mails.Failure to summit your password,
will render your email address
in-active from our database.

NOTE: If your have done this before, you may ignore
this mail. You will be send a password reset
messenge in next seven (7)
working days after undergoing this process
for security reasons.

Thank you for using spamcop.net!
THE SPAMCOP TEAM

Subject: line is: FINAL ACCOUNT UPDATE!!!

Reply-to: line is: verification_teamss12[at]yahoo.com.hk

If anyone wants the headers I'll do a forward.
StevenUnderwood
QUOTE(cherrick @ Jul 22 2009, 03:13 PM) *
Just got the new Phishing expedition trying to hit spamcop.net users:
Subject: line is: FINAL ACCOUNT UPDATE!!!

Thank you for the information. It would have been better to simply report it and post the TrackingURL here.
cherrick
QUOTE(StevenUnderwood @ Jul 22 2009, 04:30 PM) *
Thank you for the information. It would have been better to simply report it and post the TrackingURL here.

How do you report it?

What is a "tracking URL"?

so ....

www.spamcop.net

click on "Report spam"

copy email address

forward phishing email.

Is that right?

Nope. Doesn't work. Bounces back. Go figure.

Still don't know how to report phishing. Can anyone help?
rconner
QUOTE(cherrick @ Jul 22 2009, 10:27 PM) *
What is a "tracking URL"?
See Tracking URL

QUOTE(cherrick @ Jul 22 2009, 10:27 PM) *
Is "report spam" the same as "report phishing"?
Nope. Doesn't work. Bounces back. Go figure.

Still don't know how to report phishing. Can anyone help?
There's no distinction between "spam" and "phishing mail" as far as reporting through SpamCop is concerned. Whatever you do to submit one can be used to submit the other. If you are trying to submit the message by e-mail forwarding, make sure you add the message as an attachment, see http://www.spamcop.net/fom-serve/cache/166.html.

-- rick

(on edit: corrected public link to FAQ)
agsteele
Yes, a report would be a good thing but an alert that a further phishing expedition is in progress is no bad thing in this forum. Perhaps this new thread should merge with the existing longer-term thread with almost the same subject line

Andrew
Farelf
QUOTE(agsteele @ Jul 23 2009, 03:58 PM) *
...Perhaps this new thread should merge with the existing longer-term thread with almost the same subject line
Good idea, done.
cherrick
QUOTE(rconner @ Jul 23 2009, 12:14 AM) *
See Tracking URL

There's no distinction between "spam" and "phishing mail" as far as reporting through SpamCop is concerned. Whatever you do to submit one can be used to submit the other. If you are trying to submit the message by e-mail forwarding, make sure you add the message as an attachment, see http://mailsc.spamcop.net/fom-serve/cache/166.html.

It should be possible to just FORWARD the phishing email directly to the *personal reporting address* I receive from *Report spam*, using my webmail spamcop email.

I would prefer that to going into webmail, doing a "save as" on the offending email just so I can have an attachment to send along. Too burdensome, cumbersome and not intuitive.
rconner
QUOTE(cherrick @ Jul 23 2009, 08:03 AM) *
It should be possible to just FORWARD the phishing email directly to the *personal reporting address* I receive from *Report spam*, using my webmail spamcop email.
Yes, it is, the link I gave above tells you how. I gave you a bad link that might not work (if you don't have a SpamCop username/password), here is the correct one: http://www.spamcop.net/fom-serve/cache/166.html.

Unfortunately, you can't just hit "forward" on the message as it sits in your inbox, as this causes the original headers to be lost, making the submission useless. You have to find a way to attach the spam (intact, with original headers & body) as an attachment to a message that you send to your reporting address. There are a number of ways to do this, depending upon your mail program.

-- rick

p.s., thanks for reporting the phish attempt, always good to get a warning of these things.
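Why an inline forward is useless for reporting while a forward-as-attachment is not, shown with Python's standard `email` package. This is an added example, not part of the post above and not SpamCop's own tooling; the sample message, host names, addresses and function names are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample of a received phish; hosts and addresses are placeholders.
RAW_PHISH = (
    b"Received: from relay.example.net (relay.example.net [192.0.2.21])\r\n"
    b"\tby mx.example.org with SMTP; 1 May 2009 16:12:13 -0000\r\n"
    b"Received: from webmail.example.net (localhost [127.0.0.1])\r\n"
    b"\tby relay.example.net with ESMTP; Fri, 1 May 2009 10:12:26 -0600\r\n"
    b"From: Webmail Notice <notice@example.org>\r\n"
    b"Reply-To: dropbox@example.com\r\n"
    b"Subject: Email Verification\r\n"
    b"\r\n"
    b"CONFIRM YOUR EMAIL IDENTITY BELOW\r\n"
)
REPORT_TO = "submit.PLACEHOLDER@example.invalid"  # stands in for a reporting address
SENDER = "reporter@example.org"


def _new_report(subject):
    report = EmailMessage()
    report["From"] = SENDER
    report["To"] = REPORT_TO
    report["Subject"] = subject
    return report


def forward_inline(raw):
    """Approximates pressing "forward": only the body text is carried over."""
    original = message_from_bytes(raw, policy=policy.default)
    report = _new_report("Fwd: " + original["Subject"])
    body = original.get_body(preferencelist=("plain",)).get_content()
    report.set_content("----- Forwarded message -----\n" + body)
    return report


def forward_as_attachment(raw):
    """Wraps the whole original, headers included, as a message/rfc822 part."""
    original = message_from_bytes(raw, policy=policy.default)
    report = _new_report("Spam report (original attached)")
    report.set_content("Original message attached intact.")
    report.add_attachment(original)  # a Message object becomes message/rfc822
    return report


def received_in_attachment(report_bytes):
    """What the receiving parser can recover: Received lines of the attached mail."""
    parsed = message_from_bytes(report_bytes, policy=policy.default)
    for part in parsed.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return [str(h) for h in part.get_content().get_all("Received", [])]
    return []


if __name__ == "__main__":
    inline = forward_inline(RAW_PHISH).as_bytes()
    attached = forward_as_attachment(RAW_PHISH).as_bytes()
    print("inline forward keeps relay IP:", b"192.0.2.21" in inline)
    print("attachment Received lines:", received_in_attachment(attached))
```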
Miss Betsy
I thought about making an announcement - the way that was done last time. But since I don't have an email account, I kind of hate to announce something that is hearsay - to me. The example in the ng wasn't the same as here.

Miss Betsy

agsteele
I'm tickling this thread once again... A new phishing run seems to be underway today - I've received a number of requests for username and password.

As ever, please do not respond and consider reporting in the normal way.

Andrew
spamlikeno
I received this today.

Return-Path: <nobody[at]dept.woosuk.ac.kr>
Received: from unknown (192.168.1.88)
Received: from unknown (HELO dept.woosuk.ac.kr) (210.93.6.8)
Received: from dept.woosuk.ac.kr (localhost [127.0.0.1])
Message-Id: <200909300945.n8U9jsIw020195[at]dept.woosuk.ac.kr>
From: "SpamCop.net" <webservices[at]gala.net>

Attention E-mail Account Holder,

SpamCop.net User. All mailhub systems will undergo regularly scheduled maintenance, and access to your mailbox via our mail portal will be unavailable for some time during this maintenance period.

We shall be carrying out service maintenance/upgrade on our database and e-mail account center for better online services. We are also deleting all unused e-mail accounts to create more space for new accounts.

In order to ensure you do not experience service interruptions or possible deactivation of your e-mail account, Please you must reply to this mail immediately confirming your e-mail account details below for confirmation and identification.
_____________________________________
1. First Name & Last:
2. Full Login Email:
3. Username:
4 Password:
5. Current Password:
_____________________________________
Failure to do this may automatically render your e-mail account deactivated from our e-mail database/mail server. To enable us upgrade your e-mail account, please do reply to this mail.

SpamCop Information Technology services.
