Questionable spam reporting addresses


Kojote

Posted

I am receiving spam with questionable reporting addresses. Are these legit, or should I only report to "Abuse[at]........" ?

anatol[at]unnet.ru (Notes)

To: hornung[at]unnet.ru (Notes)

To: hun7er[at]unnet.ru (Notes)

Re: http://magic.hsorule.com/highdefcusw/index.html (Administrator of network hosting website referenced in spam)

To: anatol[at]unnet.ru (Notes)

To: hornung[at]unnet.ru (Notes)

To: hun7er[at]unnet.ru (Notes)

Posted

Presumably someone researched those addresses [what do the notes say?]. DNSReport - http://www.dnsreport.com/tools/dnsreport.ch?domain=unnet.ru says that abuse[at]unnet.ru is accepted (also postmaster) - whether it is read or not is another matter. Note the abusenet clearinghouse has no abuse record - http://www.abuse.net/lookup.phtml?DOMAIN=unnet.ru - same for hosting.unnet.ru

So, no harm in trying but would be inclined to trust SC on this one, myself.

Posted

On the other hand, using the "Refresh" button;

Removing old cache entries.

Tracking details

Display data:

"whois 87.249.38.33[at]whois.ripe.net" (Getting contact from whois.ripe.net)

Lookup dvp28-ripe[at]whois.ripe.net

Display data:

"whois dvp28-ripe[at]whois.ripe.net" (Getting contact from whois.ripe.net)

dvp28-ripe =

whois.ripe.net 87.249.38.33 (nothing found)

(Primarily based on RIPE's "Filtered Output" mode ....)

Parsing input: http://magic.hsorule.com

Host magic.hsorule.com (checking ip) = 87.249.38.33

host 87.249.38.33 = NOLAZ-pc-38-33.unnet.ru (cached)

Host magic.hsorule.com (checking ip) = 87.249.38.33

host 87.249.38.33 = NOLAZ-pc-38-33.unnet.ru (cached)

Display data:

"whois 87.249.38.33[at]whois.ripe.net" (Getting contact from whois.ripe.net)

Lookup dvp28-ripe[at]whois.ripe.net

Display data:

"whois dvp28-ripe[at]whois.ripe.net" (Getting contact from whois.ripe.net)

dvp28-ripe =

whois.ripe.net 87.249.38.33 (nothing found)

host 87.249.38.33 = NOLAZ-pc-38-33.unnet.ru (cached)

Host NOLAZ-pc-38-33.unnet.ru (checking ip) IP not found ; NOLAZ-pc-38-33.unnet.ru discarded as fake.

No reporting addresses found for 87.249.38.33, using devnull for tracking.

Based on the data at http://www.dnsreport.com/tools/dnsreport.c...ain=hsorule.com .... a report there probably wouldn't count for much anyway ....

U.S. UUNET response has been historically pretty much non-existent, most European UUNET abuse issues usually seem to be taken care of quickly, but I have to admit, I've not had any dealings with uunet.ru before .....

Posted

Okay, so today I got another phishing email. This time Spamcop seems to report back to the spammer's website. One of the reporting addresses was something[at]funb.com

Well, this domain doesn't even exist. At least there is not a webpage set up at www.funb.com. So why does spamcop allow reporting back to an address that apparently the spammer set up? This is obviously a fake domain the spammer set up.

Do I just need to be more careful with reporting next time?

Posted

> Okay, so today I got another phishing email. This time Spamcop seems to report back to the spammer's website. One of the reporting addresses was something[at]funb.com
>
> Well, this domain doesn't even exist. At least there is not a webpage set up at www.funb.com. So why does spamcop allow reporting back to an address that apparently the spammer set up? This is obviously a fake domain the spammer set up.
>
> Do I just need to be more careful with reporting next time?

You did not provide the IP address you were talking about; however, the domain DOES exist. Just because a domain does not have a web site does not mean anything. Could be a registered domain for employees to access that is not associated with a corporate name, for instance.

Network Owner: Wachovia Corporation

Domain Name Manager

201 South Tryon Street

7th Floor

Charlotte, NC 28202

US

domain.names[at]wachovia.com

+1.7047153788 Fax: +1.7047154149

Registered on: 12-Aug-94

Updated on: 04-Apr-06

Expires on: 11-Aug-06

[Querying whois.internic.net]

[Redirected to whois.corporatedomains.com]

[Querying whois.corporatedomains.com]

[Error writing to cache]

[whois.corporatedomains.com]

CSC Corporate Domains(sm) - Expert Global Domain Name

Management for Corporations, Law Firms and IP Professionals

Registrant:

Wachovia Corporation

Domain Name Manager

201 South Tryon Street

7th Floor

Charlotte, NC 28202

US

domain.names[at]wachovia.com

+1.7047153788 Fax: +1.7047154149

Domain Name: FUNB.COM

Registrar of Record: Corporate Domains, Inc.

Administrative Contact:

Wachovia Corporation

Domain Name Manager

201 South Tryon Street

7th Floor

Charlotte, NC 28202

US

domain.names[at]wachovia.com

+1.7047153788 Fax: +1.7047154149

Technical Contact, Billing Contact:

Wachovia Corporation

Domain Name Manager

201 South Tryon Street

7th Floor

Charlotte, NC 28202

US

domain.names[at]wachovia.com

+1.7047153788 Fax: +1.7047154149

Domain servers in listed order:

SLS-NS1.WACHOVIA.COM

SLS-NS2.WACHOVIA.COM

CIC-NS1.WACHOVIA.COM

CIC-NS2.WACHOVIA.COM

Created on..............: 12-Aug-94

Expires on..............: 11-Aug-06

Record last updated on..: 04-Apr-06

I chose one of the MX records for the funb.com domain and it was going to be reported to firewalls[at]funb.com but again, refreshing the address gives:

Removing old cache entries.

Tracking details

Display data:

"whois 169.200.184.92[at]whois.arin.net" (Getting contact from whois.arin.net )

169.200.0.0 - 169.200.255.255:domain.names[at]wachovia.com

whois.arin.net contact: domain.names[at]wachovia.com

Routing details for 169.200.184.92

Using abuse net on domain.names[at]wachovia.com

abuse net wachovia.com = postmaster[at]wachovia.com, abuse[at]wachovia.com

Using best contacts postmaster[at]wachovia.com abuse[at]wachovia.com

Posted

Okay, thanks for that information. I did also report it to CastleCops Phishing site.

I made a mistake, the link was "webbased-banking.com" and this redirected to "funb.com". The phisher had my full name posted in the email, and wanted me to verify my account with Wachovia. I don't have an account with that bank! LOL!!

Here is the full email message I received. The site is already disabled now.

********START SCAM*********************

E-MAIL CHANGE NOTIFICATION

Dear --- ---- !

Thank you for banking online at wachovia.com. Our records indicate that you

recently added or made a change to one of your email address(es). This

notification is to confirm that you initiated this change.

If you feel you have received this email in error and did not add or change your

email address(es), please click here

<http://webbased-banking.com/?lid=59293d7381d9580ee7f64ff7dea6a9d137fb165>

Sincerely,

David H. Stone

Director of Customer Advocacy

Wachovia Corporation - eCommerce Division

© 2005 Wachovia Corporation, 301 South College Street, Suite 4000, One Wachovia

Center, Charlotte, NC 28288-0013. All Rights Reserved.

Wachovia Bank, N.A. Member FDIC

Inside Wachovia <http://www.wachovia.com/inside> | Privacy

<http://www.wachovia.com/inside/legal_footer/0,,2157,00.html> | Security

<http://www.wachovia.com/inside/legal_footer/0,,2161,00.html> | Legal

<http://www.wachovia.com/inside/legal_footer/0,,2137,00.html> | Merger

<http://www.wachovia.com/inside/page/0,,131,00.html>

*****************END SCAM***********

Report for web-basedbanking.com.

Domain Name.......... webbased-banking.com

Creation Date........ 2006-07-29

Registration Date.... 2006-07-29

Expiry Date.......... 2007-07-29

Organisation Name.... Alex Rufin

Organisation Address. 2255 Clematias

Organisation Address.

Organisation Address. Sarasota

Organisation Address. 34239

Organisation Address. FL

Organisation Address. UNITED STATES

Admin Name........... Alex Rufin

Admin Address........ 2255 Clematias

Admin Address........

Admin Address........ Sarasota

Admin Address........ 34239

Admin Address........ FL

Admin Address........ UNITED STATES

Admin Email.......... zeballos71[at]yahoo.com

Admin Phone.......... +1.4192931725

Admin Fax............

Tech Name............ YahooDomains TechContact

Tech Address......... 701 First Ave.

Tech Address.........

Tech Address......... Sunnyvale

Tech Address......... 94089

Tech Address......... CA

Tech Address......... UNITED STATES

Tech Email........... domain.tech[at]YAHOO-INC.COM

Tech Phone........... +1.6198813096

Tech Fax.............

Name Server.......... yns1.yahoo.com

Name Server.......... yns2.yahoo.com
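
The check done by hand in the post above (finding that the message's one action link points at webbased-banking.com while every other link is a real wachovia.com page) can be scripted before deciding which host to look up and report. This is an added example, not part of the original thread and not SpamCop's parser; the function names and the two-label domain heuristic are assumptions, and the sample body is abridged from the message quoted above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: abridged from the message quoted in the post above,
# keeping its line-wrapped "<URL>" style.
SAMPLE = """\
Thank you for banking online at wachovia.com.
email address(es), please click here
<http://webbased-banking.com/?lid=59293d7381d9580ee7f64ff7dea6a9d137fb165>
Inside Wachovia <http://www.wachovia.com/inside> | Privacy
<http://www.wachovia.com/inside/legal_footer/0,,2157,00.html> | Security
"""

# URLs either wrapped in <...> (plain-text mail style) or bare in the text.
URL_RE = re.compile(r"<\s*(https?://[^>\s]+)\s*>|(https?://[^\s<>\"']+)", re.I)


def registrable(host):
    """Naive registrable domain: the last two labels (assumption; a real
    tool should use the Public Suffix List for names like example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_hosts(body):
    """Hosts of every http(s) URL in a plain-text body, first-seen order."""
    hosts = []
    for m in URL_RE.finditer(body):
        # urlsplit isolates the real host, so brand names that appear in
        # the path or query string are not mistaken for the destination.
        host = urlsplit(m.group(1) or m.group(2)).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def off_brand_hosts(body, brand_domain):
    """Linked hosts that are not under the brand the message claims."""
    brand = registrable(brand_domain)
    return [h for h in link_hosts(body) if registrable(h) != brand]


if __name__ == "__main__":
    print("all link hosts:", link_hosts(SAMPLE))
    print("look up and report:", off_brand_hosts(SAMPLE, "wachovia.com"))
```

The host this returns is the one whose hosting provider and registrar are worth reporting to; the bank's own domains are only mirrored to make the message look genuine.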

Posted

> The phisher had my full name posted in the email, and wanted me to verify my account with Wachovia. I don't have an account with that bank! LOL!!

I get these all the time from spoofed Chase, Fifth Third, WAMU, and Citibank. I've found that the SpamCop parser catches the domain and reports to the ISP where the phishing site is hosted... not sure why you're not having the same results.

Posted

> I get these all the time from spoofed Chase, Fifth Third, WAMU, and Citibank. I've found that the SpamCop parser catches the domain and reports to the ISP where the phishing site is hosted... not sure why you're not having the same results.

I'm not sure either. But it looks like the site is now disabled. Someone actually did something and closed down the site.

Archived

This topic is now archived and is closed to further replies.
