Kojote
Posted July 24, 2006

I am receiving spam with questionable reporting addresses. Are these legit, or should I only report to "Abuse[at]........" ?

anatol[at]unnet.ru (Notes)
To: hornung[at]unnet.ru (Notes)
To: hun7er[at]unnet.ru (Notes)

Re: http://magic.hsorule.com/highdefcusw/index.html (Administrator of network hosting website referenced in spam)
To: anatol[at]unnet.ru (Notes)
To: hornung[at]unnet.ru (Notes)
To: hun7er[at]unnet.ru (Notes)

Farelf
Posted July 24, 2006

Presumably someone researched those addresses [what do the notes say?].

DNSReport - http://www.dnsreport.com/tools/dnsreport.ch?domain=unnet.ru says that abuse[at]unnet.ru is accepted (also postmaster) - whether it is read or not is another matter.

Note the abusenet clearinghouse has no abuse record - http://www.abuse.net/lookup.phtml?DOMAIN=unnet.ru - same for hosting.unnet.ru.

So, no harm in trying but would be inclined to trust SC on this one, myself.

Wazoo
Posted July 24, 2006

On the other hand, using the "Refresh" button;

    Removing old cache entries.
    Tracking details
    Display data: "whois 87.249.38.33[at]whois.ripe.net" (Getting contact from whois.ripe.net)
    Lookup dvp28-ripe[at]whois.ripe.net
    Display data: "whois dvp28-ripe[at]whois.ripe.net" (Getting contact from whois.ripe.net)
    dvp28-ripe = whois.ripe.net 87.249.38.33 (nothing found)

(Primarily based on RIPE's "Filtered Output" mode ....)

    Parsing input: http://magic.hsorule.com
    Host magic.hsorule.com (checking ip) = 87.249.38.33
    host 87.249.38.33 = NOLAZ-pc-38-33.unnet.ru (cached)
    Host magic.hsorule.com (checking ip) = 87.249.38.33
    host 87.249.38.33 = NOLAZ-pc-38-33.unnet.ru (cached)
    Display data: "whois 87.249.38.33[at]whois.ripe.net" (Getting contact from whois.ripe.net)
    Lookup dvp28-ripe[at]whois.ripe.net
    Display data: "whois dvp28-ripe[at]whois.ripe.net" (Getting contact from whois.ripe.net)
    dvp28-ripe = whois.ripe.net 87.249.38.33 (nothing found)
    host 87.249.38.33 = NOLAZ-pc-38-33.unnet.ru (cached)
    Host NOLAZ-pc-38-33.unnet.ru (checking ip) IP not found ; NOLAZ-pc-38-33.unnet.ru discarded as fake.
    No reporting addresses found for 87.249.38.33, using devnull for tracking.

Based on the data at http://www.dnsreport.com/tools/dnsreport.c...ain=hsorule.com .... a report there probably wouldn't count for much anyway ....

U.S. UUNET response has been historically pretty much non-existent, most European UUNET abuse issues usually seem to be taken care of quickly, but I have to admit, I've not had any dealings with uunet.ru before .....

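
The tracking output in the post above drops the reverse-DNS name because it has no forward record. The following is an added example of that forward-confirmation check, not SpamCop's code and not part of the thread; the function names are hypothetical, and the lookup tables are constructed (RFC 5737 documentation addresses, plus the one IP and name shown above) so the demo runs offline.

```python
import socket

def reverse_names(ip):
    """PTR names for ip from the system resolver; empty list if there are none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name] + list(aliases)

def forward_ips(name):
    """Addresses that name resolves to; empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_rdns(ip, reverse=reverse_names, forward=forward_ips):
    """Return (status, trusted_names); status is no-ptr, unconfirmed or confirmed."""
    names = reverse(ip)
    if not names:
        return "no-ptr", []
    # A PTR name is only trusted if it resolves back to the same address.
    confirmed = [n for n in names if ip in forward(n)]
    return ("confirmed" if confirmed else "unconfirmed"), confirmed

# Constructed resolver data: the first PTR entry mirrors the output above
# (name exists in reverse DNS but has no forward record); the rest is made up.
PTR = {
    "87.249.38.33": ["NOLAZ-pc-38-33.unnet.ru"],
    "192.0.2.10": ["mail.example.net"],
    "198.51.100.7": ["mail.example.net"],  # PTR claims a name owned by another IP
}
A = {"mail.example.net": {"192.0.2.10"}}

def demo(ip):
    """Run check_rdns against the constructed tables instead of live DNS."""
    return check_rdns(ip, lambda i: PTR.get(i, []), lambda n: A.get(n, set()))

if __name__ == "__main__":
    for ip in ("87.249.38.33", "192.0.2.10", "198.51.100.7", "192.0.2.99"):
        print(ip, demo(ip))
```

Calling `check_rdns(ip)` without the two lambda arguments uses live DNS; the textual address comparison is intended for IPv4.
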
Kojote
Posted July 29, 2006

Okay, so today I got another phishing email. This time Spamcop seems to report back to the spammer's website. One of the reporting addresses was something[at]funb.com

Well, this domain doesn't even exist. At least there is not a webpage set up at www.funb.com. So why does spamcop allow reporting back to an address that apparently the spammer set up? This is obviously a fake domain the spammer set up.

Do I just need to be more careful with reporting next time?

StevenUnderwood
Posted July 29, 2006

> Okay, so today I got another phishing email. This time Spamcop seems to report back to the spammer's website. One of the reporting addresses was something[at]funb.com
>
> Well, this domain doesn't even exist. At least there is not a webpage set up at www.funb.com. So why does spamcop allow reporting back to an address that apparently the spammer set up? This is obviously a fake domain the spammer set up.
>
> Do I just need to be more careful with reporting next time?

You did not provide the IP address you were talking about, however, the domain DOES exist. Just because a domain does not have a web site does not mean anything. Could be a registered domain for employees to access that is not associated with a corporate name, for instance.

    Network Owner:
    Wachovia Corporation
    Domain Name Manager
    201 South Tryon Street
    7th Floor
    Charlotte, NC 28202
    US
    domain.names[at]wachovia.com
    +1.7047153788
    Fax: +1.7047154149
    Registered on: 12-Aug-94
    Updated on: 04-Apr-06
    Expires on: 11-Aug-06

    [Querying whois.internic.net]
    [Redirected to whois.corporatedomains.com]
    [Querying whois.corporatedomains.com]
    [Error writing to cache]
    [whois.corporatedomains.com]
    CSC Corporate Domains(sm) - Expert Global Domain Name Management for Corporations, Law Firms and IP Professionals

    Registrant:
    Wachovia Corporation
    Domain Name Manager
    201 South Tryon Street
    7th Floor
    Charlotte, NC 28202
    US
    domain.names[at]wachovia.com
    +1.7047153788
    Fax: +1.7047154149

    Domain Name: FUNB.COM
    Registrar of Record: Corporate Domains, Inc.

    Administrative Contact:
    Wachovia Corporation
    Domain Name Manager
    201 South Tryon Street
    7th Floor
    Charlotte, NC 28202
    US
    domain.names[at]wachovia.com
    +1.7047153788
    Fax: +1.7047154149

    Technical Contact, Billing Contact:
    Wachovia Corporation
    Domain Name Manager
    201 South Tryon Street
    7th Floor
    Charlotte, NC 28202
    US
    domain.names[at]wachovia.com
    +1.7047153788
    Fax: +1.7047154149

    Domain servers in listed order:
    SLS-NS1.WACHOVIA.COM
    SLS-NS2.WACHOVIA.COM
    CIC-NS1.WACHOVIA.COM
    CIC-NS2.WACHOVIA.COM

    Created on..............: 12-Aug-94
    Expires on..............: 11-Aug-06
    Record last updated on..: 04-Apr-06

I chose one of the MX records for the funb.com domain and it was going to be reported to firewalls[at]funb.com but again, refreshing the address gives:

    Removing old cache entries.
    Tracking details
    Display data: "whois 169.200.184.92[at]whois.arin.net" (Getting contact from whois.arin.net )
    169.200.0.0 - 169.200.255.255:domain.names[at]wachovia.com
    whois.arin.net contact: domain.names[at]wachovia.com
    Routing details for 169.200.184.92
    Using abuse net on domain.names[at]wachovia.com
    abuse net wachovia.com = postmaster[at]wachovia.com, abuse[at]wachovia.com
    Using best contacts postmaster[at]wachovia.com abuse[at]wachovia.com

Kojote
Posted July 29, 2006

Okay, thanks for that information. I did also report it to CastleCops Phishing site.

I made a mistake, the link was "webbased-banking.com" and this redirected to "funb.com". The phisher had my full name posted in the email, and wanted me to verify my account with Wachovia. I don't have an account with that bank! LOL!!

Here is the full email message I received. The site is already disabled now.

********START SCAM*********************

E*-MAIL *C*HANGE *N*OTIFICATION

Dear --- ---- !

Thank you for banking online at wachovia.com. Our records indicate that you recently added or made a change to one of your email address(es). This notification is to confirm that you initiated this change.

If you feel you have received this email in error and did not add or change your email address(es), please click here <http://webbased-banking.com/?lid=59293d7381d9580ee7f64ff7dea6a9d137fb165>

Sincerely,
David H. Stone
Director of Customer Advocacy
Wachovia Corporation - eCommerce Division

© 2005 Wachovia Corporation, 301 South College Street, Suite 4000, One Wachovia Center, Charlotte, NC 28288-0013. All Rights Reserved. Wachovia Bank, N.A. Member FDIC

Inside Wachovia <http://www.wachovia.com/inside> | Privacy <http://www.wachovia.com/inside/legal_footer/0,,2157,00.html> | Security <http://www.wachovia.com/inside/legal_footer/0,,2161,00.html> | Legal <http://www.wachovia.com/inside/legal_footer/0,,2137,00.html> | Merger <http://www.wachovia.com/inside/page/0,,131,00.html>

*****************END SCAM***********

Report for web-basedbanking.com.

    Domain Name.......... webbased-banking.com
    Creation Date........ 2006-07-29
    Registration Date.... 2006-07-29
    Expiry Date.......... 2007-07-29
    Organisation Name.... Alex Rufin
    Organisation Address. 2255 Clematias
    Organisation Address.
    Organisation Address. Sarasota
    Organisation Address. 34239
    Organisation Address. FL
    Organisation Address. UNITED STATES

    Admin Name........... Alex Rufin
    Admin Address........ 2255 Clematias
    Admin Address........
    Admin Address........ Sarasota
    Admin Address........ 34239
    Admin Address........ FL
    Admin Address........ UNITED STATES
    Admin Email.......... zeballos71[at]yahoo.com
    Admin Phone.......... +1.4192931725
    Admin Fax............

    Tech Name............ YahooDomains TechContact
    Tech Address......... 701 First Ave.
    Tech Address.........
    Tech Address......... Sunnyvale
    Tech Address......... 94089
    Tech Address......... CA
    Tech Address......... UNITED STATES
    Tech Email........... domain.tech[at]YAHOO-INC.COM
    Tech Phone........... +1.6198813096
    Tech Fax.............
    Name Server.......... yns1.yahoo.com
    Name Server.......... yns2.yahoo.com

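
In the message quoted in the post above, every footer link points at wachovia.com and only the "click here" link goes elsewhere. The following is an added example, not part of the thread, that lists the hosts in a message body which fall outside the domain the message claims to come from; the function names are hypothetical, and the last sample line is constructed to show why a plain substring match on the brand name is not enough.

```python
import re
from urllib.parse import urlsplit

# Links in the plain-text rendering above appear as "label <url>".
LINK_RE = re.compile(r"<(https?://[^>\s]+)>")

def host_of(url):
    """Lower-cased host the client would connect to (userinfo and port dropped)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def belongs_to(host, brand):
    """True only for the brand domain itself or a genuine subdomain of it."""
    return host == brand or host.endswith("." + brand)

def off_brand_hosts(body, brand):
    """Hosts linked from body that are not under brand, in order, de-duplicated."""
    found = []
    for url in LINK_RE.findall(body):
        host = host_of(url)
        if host and not belongs_to(host, brand) and host not in found:
            found.append(host)
    return found

# First two lines: links copied from the message quoted above.
# Third line: constructed, brand name used as a prefix of an unrelated domain.
SAMPLE = """\
please click here <http://webbased-banking.com/?lid=59293d7381d9580ee7f64ff7dea6a9d137fb165>
Inside Wachovia <http://www.wachovia.com/inside> | Privacy <http://www.wachovia.com/inside/legal_footer/0,,2157,00.html>
Constructed <http://wachovia.com.signin.example/verify>
"""

if __name__ == "__main__":
    for host in off_brand_hosts(SAMPLE, "wachovia.com"):
        print("link leaves claimed domain:", host)
```

The hosts this returns are the ones worth looking up (whois, hosting network) before choosing where to send a report.
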
btech
Posted August 2, 2006

> The phisher had my full name posted in the email, and wanted me to verify my account with Wachovia. I don't have an account with that bank! LOL!!

I get these all the time from spoofed Chase, Fifth Third, WAMU, and Citibank. I've found that the SpamCop parser catches the domain and reports to the ISP where the phishing site is hosted... not sure why you're not having the same results.

Kojote
Posted August 4, 2006

> I get these all the time from spoofed Chase, Fifth Third, WAMU, and Citibank. I've found that the SpamCop parser catches the domain and reports to the ISP where the phishing site is hosted... not sure why you're not having the same results.

I'm not sure either. But it looks like the site is now disabled. Someone actually did something and closed down the site.

This topic is now archived and is closed to further replies.