efa Posted August 31, 2008

Hi, I'm receiving a lot of phishing emails with the following domain: 111212c.com

In particular, go to the address hxxx://www.111212c.com/CartaSi. This is the fake site of the CartaSi credit card: https://titolari.cartasi.it/portal/server.pt

The list of all phishing emails is (URL and the IP it resolves to):

2008/07/06 14:00 hxxx://www.111212c.com/CartaSi 18.104.22.168
2008/07/07 00:00 hxxx://www.111212c.com/CartaSi 22.214.171.124
2008/07/08 14:00 hxxx://www.111212c.com/CartaSi 126.96.36.199
2008/07/08 00:00 hxxx://www.111212c.com/CartaSi 188.8.131.52
2008/07/26 14:00 hxxx://www.111212c.com/CartaSi 184.108.40.206
2008/08/30 00:00 hxxx://www.111212c.com/CartaSi 220.127.116.11
2008/08/31 14:00 hxxx://www.111212c.com/CartaSi 18.104.22.168

All are archived if asked. The tracking link of the last one is: http://www.spamcop.net/sc?id=z2203453250z8...2cfa447909520az

The domain '111212c.com' resolves to IP: 22.214.171.124

The name servers are:

ns1.netsons.com [126.96.36.199]
ns2.netsons.com [188.8.131.52]
ns3.netsons.com [184.108.40.206]
ns4.netsons.com [220.127.116.11]

The IP 18.104.22.168 is the same as that of an old, already suspended phishing domain:

2008/08/02 00:00 hxxx://www.101001cs.com/CartaSi 22.214.171.124
2008/08/04 00:00 hxxx://www.101001cs.com/CartaSi/liberamente/ 126.96.36.199
2008/08/04 14:00 hxxx://www.101001cs.com/liberamente/ 188.8.131.52
2008/08/06 14:00 hxxx://www.101001cs.com/CartaSi 184.108.40.206

The problem from the whois report is that the domain 111212c.com seems to me to be registered through the registrar Wild West Domains, Inc. to:

SUPERNOVA S.R.L.
Via Marconi 29
Pescara, Pescara 65100
http://www.netsons.org/

which in turn is registered to a person:

Franco Analoa
via salerno 10
Roma, RM 00100

Apart from the fact that those may be fake data (there is no Via Marconi in Pescara, and there is no Via Salerno 10 in Rome), SpamCop's parsing system reports that the domain is registered to 'unitedcolo.de': http://www.spamcop.net/sc?action=showcmd;c...0whois.ripe.net and the abuse email 'abuse[at]unitedcolo.de' is bouncing.

Doing a reverse lookup from IP 220.127.116.11 really leads to unitedcolo.de?! How did they manage to obtain this difference between the direct and reverse lookup of the NS? Is the whois record wrong? Is this confusing SpamCop's web-based parse reporting?

[on edit] While these and other matters are pondered, live links pulled. This is a known EXPLOIT site, why would you post links to it?
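The two checks a handler would run over a report like the one above, as an added example that is not part of the original post or of SpamCop's tooling: parsing the "date time hxxx://url ip" observation lines to find IPs shared between the current phishing host and an older, already suspended one, and a forward-confirmed reverse DNS (FCrDNS) check on a name server. The point behind the poster's question is that the A record for ns1.<domain> is set in the domain's own zone, while the PTR record for the address lives in the in-addr.arpa zone delegated to the netblock holder; different parties control them, so a PTR naming a colocation provider is not a whois error, it just means whois-by-IP and whois-by-domain point at different contacts. The resolver is injected and all hostnames, addresses and log lines are constructed (RFC 5737 documentation addresses and .test names), so it runs offline.

```python
"""Added example (not from the forum post): phishing-report parsing and an
offline forward-confirmed reverse DNS (FCrDNS) check on name servers.
All data below is constructed; the resolver is injected so nothing is looked up.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, List

# ---- Part 1: the "resolves to" list ---------------------------------------
# One observation per line: date, time, defanged URL (hxxx://), resolved IP.
LOG_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<url>hxxx?://\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample in the same layout as the post; the trailing line is
# ordinary prose and must be ignored by the parser.
SAMPLE_LOG = [
    "2008/07/06 14:00 hxxx://www.phish-example.test/CartaSi 192.0.2.10",
    "2008/07/07 00:00 hxxx://www.phish-example.test/CartaSi 192.0.2.11",
    "2008/08/04 00:00 hxxx://www.old-phish-example.test/CartaSi/liberamente/ 192.0.2.11",
    "all are archived if asked.",
]


def parse_phish_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse observation lines. The URL is kept defanged; only the host is split out."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an observation line
        rec = m.groupdict()
        rec["host"] = rec["url"].split("://", 1)[1].split("/", 1)[0].lower()
        records.append(rec)
    return records


def ips_by_host(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each phishing hostname to the sorted list of IPs it resolved to."""
    out = defaultdict(set)
    for r in records:
        out[r["host"]].add(r["ip"])
    return {h: sorted(v) for h, v in out.items()}


def shared_infrastructure(host_ips: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """IPs used by more than one host: the 'same IP as the old suspended domain' signal."""
    by_ip = defaultdict(list)
    for host, ips in host_ips.items():
        for ip in ips:
            by_ip[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


# ---- Part 2: FCrDNS on the name servers -----------------------------------
Resolver = Callable[[str], List[str]]

# Constructed forward (A) and reverse (PTR) tables. The A records are what the
# domain's zone says; the PTR records are what the netblock holder chose.
FORWARD = {
    "ns1.example-host.test": ["192.0.2.10"],
    "ns2.example-host.test": ["192.0.2.11"],
    "ns3.example-host.test": ["192.0.2.12"],
    "srv11.colo-provider.test": ["192.0.2.11"],
}
REVERSE = {
    "192.0.2.10": ["ns1.example-host.test"],     # forward and reverse agree
    "192.0.2.11": ["srv11.colo-provider.test"],  # PTR names the netblock owner
    "192.0.2.12": [],                            # no PTR published at all
}


def lookup_a(name: str) -> List[str]:
    return FORWARD.get(name.lower().rstrip("."), [])


def lookup_ptr(ip: str) -> List[str]:
    return REVERSE.get(ip, [])


def fcrdns_status(hostname: str, resolve_a: Resolver, resolve_ptr: Resolver) -> Dict[str, str]:
    """Classify each address of hostname:
    'confirmed' - a PTR names hostname and that name resolves back to the IP
    'mismatch'  - a PTR exists but names something else (set by the IP owner)
    'no-ptr'    - the netblock holder publishes no PTR for the address
    """
    result = {}
    want = hostname.lower().rstrip(".")
    for ip in resolve_a(hostname):
        ptrs = [p.lower().rstrip(".") for p in resolve_ptr(ip)]
        if not ptrs:
            result[ip] = "no-ptr"
        elif any(p == want and ip in resolve_a(p) for p in ptrs):
            result[ip] = "confirmed"
        else:
            result[ip] = "mismatch"
    return result


if __name__ == "__main__":
    hosts = ips_by_host(parse_phish_log(SAMPLE_LOG))
    print("hosts:", hosts)
    print("shared IPs:", shared_infrastructure(hosts))
    for ns in ("ns1.example-host.test", "ns2.example-host.test", "ns3.example-host.test"):
        print(ns, fcrdns_status(ns, lookup_a, lookup_ptr))
```

A "mismatch" or "no-ptr" result is the normal outcome for a name server hosted in someone else's netblock, which is why whois on the address returns the colocation provider while whois on the domain returns the registrant; when reporting, the address owner's abuse contact and the registrar are separate escalation paths, and a bouncing abuse mailbox is itself worth noting in the report.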