amenex Posted June 18, 2007

Here's the link to the spam/phish at issue: http://www.spamcop.net/sc?id=z1329430016zd...dd0e11bf185f87z

SpamCop says:

> Resolving link obfuscation
> http://session-4021028.nationalcity.com.dl...s/TreasuryMgmt/
> Host session-4021028.nationalcity.com.dllet.bz (checking ip) = 217.228.7.46
> host 217.228.7.46 = pD9E4072E.dip0.t-ipconnect.de (cached)

WhoIs (http://centralops.net/co/DomainDossier.aspx) says:

> canonical name session-4021028.nationalcity.com.dllet.bz.
> aliases
> addresses 70.51.93.176
> 190.142.13.144
> 217.228.7.46
> 62.43.145.36
> 83.200.117.134

None of these IPs match SpamCop's WhoIs data (217.228.7.46). My own 'puter tcptraceroute'd the phisher's domain as follows:

> Tracing the path to session-4021028.nationalcity.com.dllet.bz (80.143.218.3) on TCP port 80 (www), 30 hops max
> ...
> 11 dtag-level3-oc48.NewYork1.Level3.net (4.68.111.70) 27.464 ms 28.382 ms 29.721 ms
> 12 62.153.176.54 122.449 ms 121.048 ms 122.439 ms
> 13 217.0.73.69 127.437 ms 123.784 ms 214.967 ms
> 14 p508FDA03.dip.t-dialin.net (80.143.218.3) [open] 170.089 ms 178.081 ms 179.967 ms

This IP address (80.143.218.3) doesn't match SpamCop's either.

Registrant (http://www.belizenic.bz/):

> ... redacted
> ... redacted
> ... redacted
> United States
> Phone:143-50-914

Probably ID theft; the phone number isn't a USA number, and I can Google the guy's address to a real estate transaction.

> Domain Name: dllet.bz
> Created on.............: 2007-06-08 06:33:41
> Expires on.............: 2008-06-08 06:33:41
> Record last updated on..: 2007-06-08 06:33:41

I've reported this domain countless times in the last few days.

> Administrative Contact: ... redacted
> Email: czubakowski817[at]yahoo.com

Yahoo hasn't responded to my reports of this email as the phisher, either.

...
> Domain servers in listed order:
> ns1.smile-np.com 75.126.65.24
> ns2.smile-np.com 72.201.23.147

Neither of the above IPs matches SpamCop's; Googling reveals that smile-np.com is a known phisher/spammer that won't go away.

WhoIs (http://centralops.net/co/DomainDossier.aspx) says:

> canonical name ns1.smile-np.com.
> aliases
> addresses 64.74.124.156

Different from the Belize registration ...

WhoIs says:

> canonical name ns2.smile-np.com
> aliases
> addresses 72.201.23.147

Omigosh! It matches Belizenic! But not my trace, nor SpamCop's.

My routine with the Regions and National City phishes has been:

1. Use Venkman's JavaScript Debugger to capture the source code at the phishing site.
2. Perform a tcptraceroute with my Debian-based PC.
3. Use Centralops' Domain Dossier to look up the WhoIs data for the original canonical domain name and for tcptraceroute's result.
4. Report and forward the phish to all the abuse addresses found, plus the various groups claiming an interest in stamping out phishers.

I now discover that SpamCop is getting completely different data from mine. In the present case, I reported this phish as follows:

To: jeff.sumner[at]nationalcity.com
Cc: reyner[at]globalcon.net, abuse[at]t-ipnet.de, abuse[at]cox.net, network-abuse[at]cc.yahoo-inc.com, PIRT[at]castlecops.com, scams[at]fraudwatchinternational.com, reportphishing[at]antiphishing.org, spam[at]uce.gov

You will note that somehow I managed to include abuse[at]t-ipnet.de with my apparently different IP address.

SpamCop's routing details page offers no clues:

> Reports routes for 217.226.92.162:
> routeid:27952578 217.224.0.0 - 217.237.161.47 to:ripe.dtip[at]telekom.de
> Administrator found from whois records
> routeid:27952579 217.224.0.0 - 217.237.161.47 to:abuse[at]t-ipnet.de
> Administrator found from whois records

Note that the routing details reported in the paragraph immediately above differ from the routing details that I quote at the top of this page.
When I did a tcptraceroute again just this minute, I got another result altogether:

> Tracing the path to session-4021028.nationalcity.com.dllet.bz (190.142.13.144) on TCP port 80 (www), 30 hops max
> ...
> 12 * ro-ccs-03.ro.intercable.net.ve (200.75.113.7) 103.480 ms 103.698 ms
> 13 * * *
> 14 200.75.112.8 97.865 ms 98.581 ms 99.774 ms
> 15 190.142.13.144 [open] 117.631 ms 106.192 ms 119.846 ms

This phisher appears to have a dynamic method of changing registrations; is there any point in continuing to report these phishes?

amenex
StevenUnderwood Posted June 18, 2007

> WhoIs (http://centralops.net/co/DomainDossier.aspx) says:
> > canonical name session-4021028.nationalcity.com.dllet.bz.
> > aliases
> > addresses 70.51.93.176
> > 190.142.13.144
> > 217.228.7.46
> > 62.43.145.36
> > 83.200.117.134
> None of these IPs match SpamCop's WhoIs data (217.228.7.46).

Stopping right here.... compare the third entry found with that of spamcop's parse.
amenex (Author) Posted June 18, 2007

> Stopping right here.... compare the third entry found with that of spamcop's parse.

Aha! Looks as though I should be reporting all five of those addresses. What about the smile-np.com and the dllet.bz domains? They appear to remain immune to anti-phishing efforts.

amenex
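The exchange above comes down to one point: the phishing host name has several A records, SpamCop's parser reported one of them, and a traceroute lands on whichever address the resolver handed out that time. The defender's fix is to collect every address seen by every tool and report all of them, which is what steps 2 to 4 of the routine in the opening post do by hand. The following script is an added example, not code from this thread, from SpamCop or from CentralOps; it parses Domain Dossier-style and tcptraceroute-style text (the line layout is an assumption taken from the outputs quoted in the thread), merges the addresses with the one SpamCop reported, and summarises how much an address set changes between successive lookups. The sample inputs are constructed from the thread's own quoted output.

```python
"""Merge the IP addresses a phishing host resolves to, across tools and
lookups, so each one can be looked up in WhoIs and reported.

Added example (not from the SpamCop forum thread, SpamCop or CentralOps).
The text layouts parsed below are assumed from the outputs quoted in the thread.
"""
import ipaddress
import re
from collections import defaultdict

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _unquote(raw):
    """Drop forum-style '> ' quoting and surrounding whitespace."""
    return raw.strip().lstrip("> ").strip()


def parse_domain_dossier(text):
    """Return (canonical_name, [addresses]) from a Domain Dossier-style dump.
    The 'addresses' line carries the first IP; bare IP lines that follow it
    belong to the same answer set (assumed layout, as quoted in the thread)."""
    canonical, addresses, in_addresses = None, [], False
    for raw in text.splitlines():
        line = _unquote(raw)
        if line.startswith("canonical name"):
            canonical = line[len("canonical name"):].strip().rstrip(".")
            in_addresses = False
        elif line.startswith("addresses"):
            in_addresses = True
            addresses.extend(ip for ip in IPV4.findall(line) if _valid_ip(ip))
        elif in_addresses and IPV4.fullmatch(line) and _valid_ip(line):
            addresses.append(line)
        else:
            in_addresses = False
    return canonical, addresses


def parse_tcptraceroute(text):
    """Return (target_ip, open_ip): the address the name resolved to for this
    trace, and the address that answered on the probed port ('[open]'),
    or None for the latter if no hop reached an open port."""
    target_ip, open_ip = None, None
    for raw in text.splitlines():
        line = _unquote(raw)
        if line.startswith("Tracing the path to"):
            found = IPV4.search(line)
            target_ip = found.group(1) if found else None
        elif "[open]" in line:
            ips = IPV4.findall(line)
            open_ip = ips[-1] if ips else None
    return target_ip, open_ip


def collect_evidence(spamcop_ip, dossier_texts, trace_texts):
    """Map every observed IP to the set of sources that reported it."""
    seen = defaultdict(set)
    seen[spamcop_ip].add("spamcop")
    for i, text in enumerate(dossier_texts, start=1):
        for ip in parse_domain_dossier(text)[1]:
            seen[ip].add(f"dns-lookup-{i}")
    for i, text in enumerate(trace_texts, start=1):
        for ip in parse_tcptraceroute(text):
            if ip:
                seen[ip].add(f"tcptraceroute-{i}")
    return dict(seen)


def rotation_report(lookups):
    """Summarise successive address sets for one name: how many distinct
    addresses were seen overall and how many appeared in every lookup.
    A large total with a small stable core is the rotating behaviour the
    thread describes; the whole union is what needs reporting."""
    sets = [set(addrs) for addrs in lookups if addrs]
    if not sets:
        return {"total": 0, "stable": 0}
    return {"total": len(set().union(*sets)), "stable": len(set.intersection(*sets))}


# Constructed sample inputs, copied from the outputs quoted in the thread.
SPAMCOP_IP = "217.228.7.46"
DOSSIER = """> canonical name session-4021028.nationalcity.com.dllet.bz.
> aliases
> addresses 70.51.93.176
> 190.142.13.144
> 217.228.7.46
> 62.43.145.36
> 83.200.117.134"""
TRACE_1 = """> Tracing the path to session-4021028.nationalcity.com.dllet.bz (80.143.218.3) on TCP port 80 (www), 30 hops max
> 13 217.0.73.69 127.437 ms 123.784 ms 214.967 ms
> 14 p508FDA03.dip.t-dialin.net (80.143.218.3) [open] 170.089 ms 178.081 ms 179.967 ms"""
TRACE_2 = """> Tracing the path to session-4021028.nationalcity.com.dllet.bz (190.142.13.144) on TCP port 80 (www), 30 hops max
> 13 * * *
> 15 190.142.13.144 [open] 117.631 ms 106.192 ms 119.846 ms"""

if __name__ == "__main__":
    evidence = collect_evidence(SPAMCOP_IP, [DOSSIER], [TRACE_1, TRACE_2])
    for ip in sorted(evidence, key=ipaddress.ip_address):
        print(f"{ip:16} seen by: {', '.join(sorted(evidence[ip]))}")
    print(rotation_report([parse_domain_dossier(DOSSIER)[1],
                           [parse_tcptraceroute(TRACE_1)[0]],
                           [parse_tcptraceroute(TRACE_2)[0]]]))
```

Run as-is it lists six addresses: the five from the Domain Dossier answer set (one of which is the SpamCop address, as StevenUnderwood pointed out) plus the 80.143.218.3 endpoint from the first trace, which the DNS dump never showed; each address is a separate WhoIs lookup and abuse report. Feed `rotation_report` the address sets from repeated lookups to see whether a name is rotating its records between queries.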
Miss Betsy Posted June 18, 2007

> <snip>
> This phisher appears to have a dynamic method of changing registrations; is there any point in continuing to report these phishes?

IMHO, no. However, you might be interested in Complainerator - the thread is here http://forum.spamcop.net/forums/index.php?...=complainerator - it is in the Suggested tools Forum.

Miss Betsy
amenex (Author) Posted June 20, 2007

> IMHO, no. However, you might be interested in Complainerator - the thread is here http://forum.spamcop.net/forums/index.php?...=complainerator - it is in the Suggested tools Forum.
> Miss Betsy

Alas, I use Linux for tracking phishes. Oh, well.

I tried tracking another phish today that was registered as ...mode.kg. Every time I tried WhoIs, I got a different list of five IP addresses. But the .kg registrar is broken - can't get the person's registration data. When I used tcptraceroute, I got different IP addresses every time I tried for the listed IPs. Hopeless.

amenex
Archived
This topic is now archived and is closed to further replies.