btech Posted September 21, 2004

I've received this a few times and I HOPE someone, somewhere recognizes this as illegal.

> X-SpamCop-Disposition: Blocked bl.spamcop.net
>
> Welcome to our web site www.shadowcrew.com/phpBB2/index.php
> Please use http://63.240.81.5 in case of our domain outage.
>
> You're invited to shop for large selection of bombs and different kinds of rockets such as surface-to-air, surface-to-surface and weaponry available at reduced price. With the following types of rockets you will be able to commit terrorist attacks, destroy buildings, electric power stations, bridges, factories and anything else that comes your mind.
>
> Most items are in stock and available for next day freight delivery in the USA. Worldwide delivery is available at additional cost. Prices are negotiable.
>
> Please feel free to inquire by ICQ # 176928755 or contacting us directly: +1-305-592-2222 +1-919-319-8249 +1-314-770-3395
>
> Today special:
>
> ******* AIR BOMBS *******
> OFAB-500U HE fragmentation air bomb Fuel-air explosive air bombs -Not in stock BETAB-500U concrete-piercing air bomb ZB-500RT incendiary tank 500-KG SIZE RBK-500U unified cluster bomb RBK-500U OAB-2.5PT loaded with fragmentation submunitions RBK-500U BETAB-M loaded with concrete-piercing submunitions-Not in stock RBK-500U OFAB-50UD loaded with HE fragmentation submunitions
>
> ******* UNGUIDED AIRCRAFT ROCKETS *******
> Main-purpose unguided aircraft rockets S-8 unguided aircraft rockets S-8KOM S-8BM-Not in stock S-13 unguided aircraft rockets S-13, S-13T, S-13-OF, S-13D, S-13DF S-25-0 S-25-OFM S-24B -Not in stock RS-82 RS-132-Not in stock
>
> ******* ROCKET PODS *******
> B-8M pod for S-8 rockets B-8V20-A pod for S-8 rockets B-13L pod for S-13 rockets
>
> Recently received *NEW* Hydra 70 2.75 inch Rockets Air-Launched 2.75-Inch Rockets FIM-92A Stinger Weapons System Stinger 101: Anti-Air
>
> Our clients are well known Al-Qaida, Hizballah, Al-Jihad, HAMAS, Abu Sayyaf Group and many other terrorist groups.
>
> We are well known supplier in the market and looking forward to expand our clientage with assistance of Internet.
>
> Do not hesitate to contact us via ICQ # 176928755
>
> Impatiently awaiting for your orders,
> ShadowCrew

I'm sure this is a phishing scam, but if it's not... WHY has the host of the spamvertised site not done something, since I'm pretty sure this is illegal.
dra007 Posted September 21, 2004

I am sure someone is on their trail with a phisher like that. Actually the web page is down.
dra007 Posted September 21, 2004

Seems phishers were on the rise today, I got more of them than actual spam. Some even advertising spam lists and spam programs, this one I had a reply for almost as soon as I reported a few minutes ago:

> Hello,
>
> Thank you for writing to eBay regarding the email you received. Emails such as this, commonly referred to as "spoof" or "phished" messages, are sent in an attempt to collect sensitive personal or financial information from the recipients. The email you reported was not sent by eBay. We have reported this email to the appropriate authorities.
>
> In the future, be very cautious of any email that asks you to submit information such as your credit card number or your email password. eBay will never ask you for sensitive personal information such as passwords, bank account or credit card numbers, Personal Identification Numbers (PINs), or Social Security Numbers in an email.
>
> If you ever need to provide sensitive information to us, please open a new Web browser, type www.ebay.com into your browser address field, and click on the "site map" link located at the top of the page to access the eBay page you need.
btech Posted September 22, 2004

> Seems phishers were on the rise today, I got more of them than actual spam. Some even advertising spam lists and spam programs, this one I had a reply for almost as soon as I reported a few minutes ago:

I've found some phishers/spammers sending fake Admin emails, making it seem as if an email I sent was bounced back, which is funny, because the email address they say I sent from is not one of mine.
keythumper Posted September 22, 2004

My current pet peeve is mail admins that send virus complaints to postmaster. Just because the originating email address pretends to be from our system, they do not bother to include the originating headers. They do, however, send the original virus. Can anyone suggest a good boilerplate to reply with?
StevenUnderwood Posted September 22, 2004

The one I use was originally "stolen" from this forum somewhere and slightly modified.

> Attention Postmaster,
>
> The most recent batch of computer viruses and worms released upon the internet almost invariably forge the sender information. Any alert notice to the address indicated in the "from" header usually is sent to an innocent party who has nothing to do with the original message.
>
> We request that you reconfigure your mail gateway to not generate notifications sent by email to the from address within the message. Rejecting the message during the initial SMTP transaction is the best way to accomplish this.
>
> If you examine the headers of the message that you received you'll see, by researching the IP address in question, that the virus came from some other network. Please contact *their* administrator if you wish to notify someone.
>
> Thank you for taking the time to read this response. If you need assistance in configuring the mail gateway, please consult the software developer. This is a form-letter response.
>
> ------------------------- BEGIN HEADERS -----------------------------
> -------------------------- END HEADERS ------------------------------
keythumper Posted September 22, 2004

> The one I use was originally "stolen" from this forum somewhere and slightly modified.

Great Stuff! The only thing I would add, is the bit about NOT sending the virus.

Regards
StevenUnderwood Posted September 22, 2004

That's true, but then the messages with viruses never reach my machine because spamcop disposes of them for me. I have not had 1 slip through in almost 2 years now.

Disclaimer: Past performance is not an indication of future results
dra007 Posted September 22, 2004

hmmm...I was wondering why some e-mail I forwarded or popped on webmail never made it there.... Some I kept in trash boxes and when I looked more carefully they did indeed contain exploits or viruses...
Bumpkin Posted September 23, 2004

In reference to the OP's e-mail, this is not a phish, but a joe job.

Definition (courtesy of searchcio):

> A Joe job is an e-mail spoofing exploit in which someone sends out huge volumes of spam that appear to be from someone other than the actual source. A Joe job is sometimes conducted as an act of revenge on someone who reports a spammer to their Internet service provider (ISP) or publicly advocates anti-spam legislation. The perpetrator is said to be Joeing the legitimate owner of the e-mail address they use. The Joe job is one of the oldest spamming operations in existence, and one of the simplest ones to carry out: the spammer may not have to do anything more than change the "Reply To" address in their e-mail program.
>
> The term originated from an attack on Joe Doll, proprietor of Joe's CyberPost (joes.com). Doll's Web site, online since 1994, offers free Web pages to anyone who agrees to his stipulated rules, which include "good netiquette when publicizing your page." In 1996, one of his free page users sent bulk, unsolicited messages to a number of newsgroups. When questioned, the user claimed to have been unaware that this behavior contravened Doll's rules. Soon afterwards, the same person started promoting their Web page through an e-mail spam campaign and Doll terminated the user's account. One of the recipients-turned-spammer retaliated with threats, mail bombs, and forged messages to spam lists that made the messages appear to come from Doll. The recipients of the forged e-mail messages, believing Doll had sent the spam, retaliated by attacking joes.com and disabling Joe's CyberPost for over 10 days.

No company in their right mind would advertise that they are terrorist friendly. The sites that are.... well, they're usually unknown to the general public. The spam should be reported as such... spam. It's 99% likely that it is nothing more than that.
Bumpkin Posted September 23, 2004

Forgot to mention...

Phishing definition:

> In computing, phishing is luring sensitive information, such as passwords and financial data, from a victim by masquerading as someone trustworthy with a real need for such information. The term was coined in the mid nineties by crackers attempting to steal AOL accounts.
>
> The initial communication with the victim is usually in the form of an e-mail message. Typically this will provide a link to a fake webpage (which may link to other fake pages) which looks like one of a trustworthy company, in order to fraudulently take personal information - for example a website appearing exactly like one of PayPal's in order to obtain credit card details. Checking the URL in the address bar of the browser may not be sufficient, as, in some browsers, that can be faked too. The file properties feature of the browser may disclose the real URL of the fake webpage.
moonbroth Posted September 23, 2004

> I've received this a few times and I HOPE someone, somewhere recognizes this as illegal. I'm sure this is a phishing scam, but if it's not... WHY has the host of the spamvertised site not done something, since I'm pretty sure this is illegal.

It's a joe-job: pay no attention. (Someone at ShadowCrew must have annoyed a spammer a while back, as this has been going on for years: Google for shadowcrew joe-job for details).

Cheers,
Nick
Merlyn Posted September 23, 2004

I believe this is a Joe Job. nuff said.
dra007 Posted September 23, 2004

> A Joe job is an e-mail spoofing exploit in which someone sends out huge volumes of spam that appear to be from someone other than the actual source. A Joe job is sometimes conducted as an act of revenge on someone who reports a spammer to their Internet service provider (ISP) or publicly advocates anti-spam legislation. The perpetrator is said to be Joeing the legitimate owner of the e-mail address they use. The Joe job is one of the oldest spamming operations in existence, and one of the simplest ones to carry out: the spammer may not have to do anything more than change the "Reply To" address in their e-mail program.

My brother just received a virus-containing e-mail with my e-mail address forged in the header (so have some of my friends), would that be considered a Joe Job?

(why is that it makes me think of a B Job, it is extremely annoying nevertheless)
DavidT Posted September 23, 2004

> My brother just received a virus-containing e-mail with my e-mail address forged in the header (so have some of my friends), would that be considered a Joe Job?

No...go back up the thread and read the definition that Bumpkin posted. However, if I were you, I'd try to get one of the recipients to provide you with the headers from one of those infected messages. You may be able to determine which one of your friends and/or colleagues has the infection, because that's the likely scenario.

DT
dra007 Posted September 24, 2004

No, it was the same IP that keeps sending me viruses since last year (5-10/day), and yes I contacted their abuse desk and upstream providers, no results so far.
DavidT Posted September 24, 2004

> No, it was the same IP that keeps sending me viruses since last year (5-10/day), and yes I contacted their abuse desk and upstream providers, no results so far.

What do you mean by "No"? The most likely source would be anyone with whom you have corresponded....or anyone who might have received your address in forwarded mail. That's where these worms get the addresses that they spoof and the addresses that they attack.

DT
dra007 Posted September 24, 2004

> What do you mean by "No"? The most likely source would be anyone with whom you have corresponded....or anyone who might have received your address in forwarded mail. That's where these worms get the addresses that they spoof and the addresses that they attack.
>
> DT

The only reason I ever corresponded with their abuse desk was to request that they stop the abuse. I received an e-mail from them today with mydoom attachment defanged (by postini) and postmaster[at]my.domain spoofed in the <<from:>> of the header, they are presently listed in sorbs:

    Received: from source ([207.194.18.89]) by exprod7mx28.postini.com ([64.18.6.10]) with SMTP; Fri, 24 Sep 2004 01:42:38 EDT
    From: "Returned mail" <postmaster[at]my domain>
    To: myself
    Subject: Test
    Date: Thu, 23 Sep 2004 22:54:17 -0700
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001_68027079.4A47FFB7"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    X-pstn-levels: (S:13.03352/99.64271 R:95.9108 P:95.9108 M:98.9607 C:80.1007 )
    X-pstnvirus: W32/Mydoom.o[at]MM
    X-pstn-settings: 1 (0.1500:0.4500) gt3 gt2 gt1 r p m C
    X-pstn-addresses: from <postmaster[at]my.domain> forward (good recip) [1804/59] boundary="

I exchanged personal messages with their abuse desk on a few occasions:

    host 207.194.18.89 = vanc06m02-89.bctel.ca (cached)
    No recent reports, no history available
    Routing details for 207.194.18.89 [refresh/show]
    Cached whois for 207.194.18.89 : ted_murray[at]bctel.net
    Using last resort contacts ted_murray[at]bctel.net
    Statistics:
    207.194.18.89 not listed in bl.spamcop.net More Information..
    207.194.18.89 not listed in dnsbl.njabl.org
    207.194.18.89 not listed in dnsbl.njabl.org
    207.194.18.89 not listed in cbl.abuseat.org
    207.194.18.89 listed in dnsbl.sorbs.net ( 127.0.0.10 )
    207.194.18.89 not listed in relays.ordb.org.
    Reporting addresses: ted_murray[at]bctel.net
DavidT Posted September 24, 2004

> they are presently listed in sorbs

The reason that IP is listed at SORBS is that it's dynamic....used by an end-user, and not a mail server. It's not there due to any specific abuse issues. In other words, someone in British Columbia, CA, has a computer that has "seen" your address, either by corresponding with you or by receiving a message containing your address (as in a forward from a family member or friend). That computer is infected and therefore can send messages either To you or From you, or both.

Keep after the ISP...have you tried telephoning Mr. Murray at 604-454-5151? That's what I usually do (although in many cases with these numbers, it's an Abuse Desk recording, with no operator).

DT
Bumpkin Posted September 24, 2004

> My brother just received a virus-containing e-mail with my e-mail address forged in the header (so have some of my friends), would that be considered a Joe Job?
>
> (why is that it makes me think of a B Job, it is extremely annoying nevertheless)

I receive viral e-mails that appear to be from myself sometimes. Instead of playing "who's got a virus?", I contact the technical contact for the originating IP address. I usually forward the original header information with the originating IP highlighted, letting them know that a virus is originating from their server. In the case of one I'm dealing with this week, I just called our ISP and asked them to put a block on an IP that's been spewing viral mails for over two weeks and the administrator/postmaster/techie is non-responsive.
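
Added example, not code posted by anyone in this thread: a sketch of the header check DavidT and Bumpkin describe, run over the Received line dra007 posted above. It takes the peer IP written by the recipient's own filtering host, ignores the forged From and any older Received lines, and builds the reversed-octet name a DNSBL lookup would query. The function names, the trusted suffix `postini.com` (taken from that header), and the second Received line are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The first Received line is the one dra007 posted. The second is constructed
# here to stand in for a hop forged by the sender; the From address is the
# thread's "postmaster[at]my.domain" with the "@" restored.
SAMPLE = """\
Received: from source ([207.194.18.89]) by exprod7mx28.postini.com ([64.18.6.10]) with SMTP; Fri, 24 Sep 2004 01:42:38 EDT
Received: from mail.my.domain ([192.0.2.25]) by relay.invalid with SMTP; Thu, 23 Sep 2004 22:54:20 -0700
From: "Returned mail" <postmaster@my.domain>
Subject: Test

(body omitted)
"""

# "from <helo> (... [peer ip]) by <recording host>"
HOP = re.compile(
    r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)", re.S)

def hops(raw):
    """(helo name, peer IP, recording host) per Received header, newest first."""
    msg = message_from_string(raw)
    found = (HOP.search(value) for value in msg.get_all("Received", []))
    return [m.groups() for m in found if m]

def handoff_ip(raw, trusted_suffix):
    """Peer IP written by the newest hop recorded on a host we trust.

    Headers below that hop were supplied by the sender and may be forged,
    so the scan stops at the first trusted hop from the top.
    """
    for _helo, ip, by_host in hops(raw):
        host = by_host.lower().rstrip(".")
        if host == trusted_suffix or host.endswith("." + trusted_suffix):
            return ip
    return None

def dnsbl_name(ip, zone):
    """DNSBLs are queried by reversed octets under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def summary(raw, trusted_suffix, zones):
    """Lines for an abuse report: the claimed sender is shown but not trusted."""
    claimed = parseaddr(message_from_string(raw).get("From", ""))[1]
    ip = handoff_ip(raw, trusted_suffix)
    lines = [f"claimed sender (unverified): {claimed}", f"hand-off IP: {ip}"]
    if ip:
        lines += [f"DNSBL query name: {dnsbl_name(ip, z)}" for z in zones]
    return lines

if __name__ == "__main__":
    print("\n".join(summary(SAMPLE, "postini.com", ["dnsbl.sorbs.net"])))
```

An A record in 127.0.0.0/8 for the query name means the address is listed, which is what the `127.0.0.10` in the SORBS line of the lookup output above reports.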
dra007 Posted September 24, 2004

> I receive viral e-mails that appear to be from myself sometimes. Instead of playing "who's got a virus?", I contact the technical contact for the originating IP address. I usually forward the original header information with the originating IP highlighted, letting them know that a virus is originating from their server. In the case of one I'm dealing with this week, I just called our ISP and asked them to put a block on an IP that's been spewing viral mails for over two weeks and the administrator/postmaster/techie is non-responsive.

Thank you Bumpkin, indeed I follow the same procedure and also cc a copy to my own ISP since these e-mails often spoof postmaster or mailer-demon[at]my.domain.name. Unfortunately, some of these IPs have been sending viruses since last year, and almost on a daily basis. You would think they had ample time to correct a temporary problem. I have a large collection of e-mails exchanged with administrators, even went to upstream ISPs and government agencies, had whole ranges of IPs blocked and removed. That only worked briefly, the pattern repeats itself over and over. And guess what, same admins that were responsible with past IPs re-emerge for these new e-mails. Needless to say it reminds me of THIS STORY!