amenex Posted June 18, 2007

Here's the link to the spam/phish at issue: http://www.spamcop.net/sc?id=z1329430016zd...dd0e11bf185f87z

SpamCop says:

> Resolving link obfuscation
> http://session-4021028.nationalcity.com.dl...s/TreasuryMgmt/
> Host session-4021028.nationalcity.com.dllet.bz (checking ip) = 126.96.36.199
> host 188.8.131.52 = pD9E4072E.dip0.t-ipconnect.de (cached)

WhoIs (http://centralops.net/co/DomainDossier.aspx) says:

> canonical name session-4021028.nationalcity.com.dllet.bz.
> aliases
> addresses 184.108.40.206
> 220.127.116.11
> 18.104.22.168
> 22.214.171.124
> 126.96.36.199

None of these IPs match SpamCop's WhoIs data (188.8.131.52).

My own 'puter tcptraceroute'd the phisher's domain as follows:

> Tracing the path to session-4021028.nationalcity.com.dllet.bz (184.108.40.206) on TCP port 80 (www), 30 hops max
> ...
> 11 dtag-level3-oc48.NewYork1.Level3.net (220.127.116.11) 27.464 ms 28.382 ms 29.721 ms
> 12 18.104.22.168 122.449 ms 121.048 ms 122.439 ms
> 13 22.214.171.124 127.437 ms 123.784 ms 214.967 ms
> 14 p508FDA03.dip.t-dialin.net (126.96.36.199) [open] 170.089 ms 178.081 ms 179.967 ms

This IP address (188.8.131.52) doesn't match SpamCop's either.

Registrant (http://www.belizenic.bz/):

> ... redacted
> ... redacted
> ... redacted
> United States
> Phone: 143-50-914

Probably ID theft; the phone number isn't a USA number, and I can Google the guy's address to a real estate transaction.

> Domain Name: dllet.bz
> Created on.............: 2007-06-08 06:33:41
> Expires on.............: 2008-06-08 06:33:41
> Record last updated on..: 2007-06-08 06:33:41

I've reported this domain countless times in the last few days.

> Administrative Contact: ... redacted
> Email: czubakowski817[at]yahoo.com

Yahoo hasn't responded to my reports of this email as the phisher, either.

...
> Domain servers in listed order:
> ns1.smile-np.com 184.108.40.206
> ns2.smile-np.com 220.127.116.11

Neither of the above IPs matches SpamCop's; Googling reveals that smile-np.com is a known phisher/spammer that won't go away.

WhoIs (http://centralops.net/co/DomainDossier.aspx) says:

> canonical name ns1.smile-np.com.
> aliases
> addresses 18.104.22.168

Different from the Belize registration ...

WhoIs says:

> canonical name ns2.smile-np.com
> aliases
> addresses 22.214.171.124

Omigosh! It matches Belizenic! But not my trace, nor SpamCop's.

My routine with the Regions and National City phishes has been:

1. Use Venkman's JavaScript Debugger to capture the source code at the phishing site.
2. Perform a tcptraceroute with my Debian-based PC.
3. Use CentralOps' Domain Dossier to look up the WhoIs data for the original canonical domain name and for tcptraceroute's result.
4. Report and forward the phish to all the abuse addresses found, plus the various groups claiming an interest in stamping out phishers.

I now discover that SpamCop is getting completely different data from mine. In the present case, I reported this phish as follows:

To: jeff.sumner[at]nationalcity.com
Cc: reyner[at]globalcon.net, abuse[at]t-ipnet.de, abuse[at]cox.net, network-abuse[at]cc.yahoo-inc.com, PIRT[at]castlecops.com, scams[at]fraudwatchinternational.com, reportphishing[at]antiphishing.org, spam[at]uce.gov

You will note that somehow I managed to include abuse[at]t-ipnet.de with my apparently different IP address.

SpamCop's routing details page offers no clues:

> Reports routes for 126.96.36.199:
> routeid:27952578 188.8.131.52 - 184.108.40.206 to:ripe.dtip[at]telekom.de
> Administrator found from whois records
> routeid:27952579 220.127.116.11 - 18.104.22.168 to:abuse[at]t-ipnet.de
> Administrator found from whois records

Note that the routing details reported in the paragraph immediately above differ from the routing details that I quote at the top of this page.
When I did a tcptraceroute again just this minute, I got another result altogether:

> Tracing the path to session-4021028.nationalcity.com.dllet.bz (22.214.171.124) on TCP port 80 (www), 30 hops max
> ...
> 12 * ro-ccs-03.ro.intercable.net.ve (126.96.36.199) 103.480 ms 103.698 ms
> 13 * * *
> 14 188.8.131.52 97.865 ms 98.581 ms 99.774 ms
> 15 184.108.40.206 [open] 117.631 ms 106.192 ms 119.846 ms

This phisher appears to have a dynamic method of changing registrations; is there any point in continuing to report these phishes?

amenex
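The cross-check the post does by hand (tcptraceroute result vs. Domain Dossier addresses vs. SpamCop's resolution) can be scripted so that disagreement between sources stands out. This is an added example, not code from the post, SpamCop or CentralOps: the function names are hypothetical, and the sample inputs are constructed to mimic the quoted output, using RFC 5737 documentation addresses rather than real hosts.

```python
import re

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Constructed samples modelled on the quoted output; RFC 5737 addresses, not real hosts.
TRACE = """\
Tracing the path to host.example (192.0.2.10) on TCP port 80 (www), 30 hops max
 11 router-a.example (198.51.100.1)  27.464 ms  28.382 ms  29.721 ms
 13 host-7.isp.example (192.0.2.10) [open]  170.089 ms  178.081 ms  179.967 ms
"""
DOSSIER = "canonical name host.example.\naliases\naddresses 192.0.2.10\n203.0.113.20\n203.0.113.21\n"
SPAMCOP = "Host host.example (checking ip) = 203.0.113.99"

def traceroute_target_ips(text):
    """Return (address the name resolved to, address of the hop that answered on the port)."""
    resolved = final = None
    for line in text.splitlines():
        line = line.strip().lstrip(">").strip()      # tolerate '>'-quoted pastes
        if line.startswith("Tracing the path to"):
            resolved = (IP_RE.findall(line) or [None])[0]
        elif "[open]" in line:                       # probed port answered: this hop is the host
            final = (IP_RE.findall(line) or [None])[-1]
    return resolved, final

def dossier_addresses(text):
    """Collect the A records listed under 'addresses' in Domain Dossier output."""
    ips, grabbing = [], False
    for line in text.splitlines():
        line = line.strip().lstrip(">").strip()
        found = IP_RE.findall(line)
        if line.startswith("addresses"):
            grabbing = True
        elif grabbing and not found:                 # end of the addresses block
            break
        if grabbing:
            ips.extend(found)
    return ips

def compare_sources(observations):
    # observations: {source: set of IPs}. 'flux' is set when no address is common to all sources.
    all_ips = set().union(*observations.values())
    common = set.intersection(*observations.values())
    seen_by = {ip: sorted(s for s, ips in observations.items() if ip in ips) for ip in all_ips}
    return {"common": common, "seen_by": seen_by, "flux": len(all_ips) > 1 and not common}

def fast_flux_report():
    resolved, final = traceroute_target_ips(TRACE)
    obs = {"tcptraceroute": {ip for ip in (resolved, final) if ip},
           "domain_dossier": set(dossier_addresses(DOSSIER)),
           "spamcop": set(IP_RE.findall(SPAMCOP))}
    return compare_sources(obs)
```

When `flux` comes back true, each source saw the host at a different address within minutes, which is the rotating-registration behaviour the post describes; the `seen_by` map tells you which source each address came from, so each abuse report can cite the evidence that actually supports it.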