Jump to content

phishing scam targeting Spamcop users


vilain
 Share

Recommended Posts

I reported a spam email supposedly sent from the "HELPDESK" to all spamcop.net subscribers asking for username, password and birthday (yeah, right). The headers clearly identified this as a phishing scam so I reported it:

http://www.spamcop.net/sc?id=z2396896722z5...75de77dc3ec802z

The spamcop news groups suggested I post it on this forum as a heads up in case someone falls for it. Don't know if this forum is the best place, so I'll leave it to the moderators to move this post elsewhere if it doesn't belong.

Or is this to much of a "well, duh!" thing to bother with on these forums?

Return-Path: <helpdesk[at]spamcop.net>
Delivered-To: xxxxx[at]spamcop.net
Received: (qmail 486 invoked from network); 7 Nov 2008 18:31:53 -0000
X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8
X-spam-Level: 
X-spam-Status: hits=0.0 tests=none version=3.2.4
Received: from unknown (192.168.1.88)
  by filter8.cesmail.net with QMQP; 7 Nov 2008 18:31:53 -0000
Received: from mx-outbound2.npgco.com (207.192.213.58)
  by mxin1.cesmail.net with SMTP; 7 Nov 2008 18:31:04 -0000
Received: from cujo.npgco.com (cujo.npgco.com [207.192.213.29])
	by mx-outbound2.npgco.com (8.13.1/8.13.1) with ESMTP id mA7HwbPk009732;
	Fri, 7 Nov 2008 11:58:37 -0600
Received: from localhost (localhost.localdomain [127.0.0.1])
	by cujo.npgco.com (8.13.6/8.13.1) with ESMTP id mA7Hwb4O024456;
	Fri, 7 Nov 2008 11:58:37 -0600
Received: from 192.168.0.18 (192.168.0.18 [192.168.0.18]) by
	webmail.npgcable.com (Horde MIME library) with HTTP; Fri, 07 Nov 2008
	11:58:37 -0600
Message-ID: <20081107115837.7jh4sdc90r5s04oc[at]webmail.npgcable.com>
Date: Fri, 07 Nov 2008 11:58:37 -0600
From: HELPDESK <helpdesk[at]spamcop.net>
Reply-to: helpdesk[at]mconet.biz
To: undisclosed-recipients:;
Subject: E-mail Update
MIME-Version: 1.0
Content-Type: text/plain;
	charset=ISO-8859-1;
	DelSp="Yes";
	format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.1.3)
X-Canit-CHI2: 0.50
X-Bayes-Prob: 0.0018 (Score 0, tokens from: [at][at]RPTN, cujo-out)
X-CanItPRO-Stream: cujo-out (inherits from default)
X-Canit-Stats-ID: 14708681 - c78f2705cc57
X-Scanned-By: CanIt (www . roaringpenguin . com) on 207.192.213.58
X-SpamCop-Checked: 207.192.213.58 207.192.213.29 



Dear spamcop.net Subscribers,

We wish to inform you that we are undergoing slight maintenance and upgrading
of our site. And we are also using this medium to delete the inactive email id
and you are required to send your  account details for verification:

*Username:*****************
*Password:*****************
*Date Of Birth:************

Warning!!! it very important you update your email account within  three days
ofthis update notification,We are sorry for any inconvinence will might have
cause you,and expect our new mail features.

Webmail Support Team 2008.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


Link to comment
Share on other sites

The spamcop news groups suggested I post it on this forum as a heads up in case someone falls for it. Don't know if this forum is the best place, so I'll leave it to the moderators to move this post elsewhere if it doesn't belong.

Or is this to much of a "well, duh!" thing to bother with on these forums?

Thanks for posting this. It is good when the newsgroups, forums and Wiki and be used together to fight our common problems.

Another example of a related spam can be found in the SpamCop Wiki [at] Fake Notification Messages

The most important point to remember is to NEVER click on a link in a message unless you are positive where it came from and that it can be trusted. If in doubt, contact the source directly by phone, email, web page, regular mail etc using addresses you have from other sources. NOTHING in a questionable email message should be trusted.

Link to comment
Share on other sites

I reported a spam email supposedly sent from the "HELPDESK" to all spamcop.net subscribers asking for username, password and birthday (yeah, right). The headers clearly identified this as a phishing scam so I reported it:
Good idea to in this case report the reply email address

helpdesk[at]mconet.biz

as well

Link to comment
Share on other sites

The spamcop news groups suggested I post it on this forum as a heads up in case someone falls for it.

A lot of unnecessary work needed to reply to this statement.

Your use of X-No-Archive: yes in your newsgroup post made my initial attempt at linking to your post in the Archives impossible .... somewhat handled now by the post [scspamcop] Re: We must be doing something right... Wazoo The remainder of the 'conversation' is within the other multiple listings under the same Title/Subject Line (but date-ordered above this post) caused by the 'loss' of the thread-starting post.

I see that you asked about posting into the Forum. However, I don't see where anyone actually responded to the question. The news.spamcop.spam reply wasn't really helpful as so few folks actually subscribe to the newsgroup, but was an honest attempt to answer "where to post the spam" part of the question.

BTW: Your munged 'bad' Reply/From e-mail address doesn't match the suggested one offered up on various SpamCop.net Help/FAQ/Wiki pages.

Link to comment
Share on other sites

To whom?

helpdesk[at]mconet.biz

SpamCop reporting gives www.mconet.biz as

abuse[at]t-online.hu postmaster[at]t-online.hu abuse[at]matav.net abuse[at]axelero.hu abuse[at]telekom.hu

Link to comment
Share on other sites

helpdesk[at]mconet.biz

SpamCop reporting gives www.mconet.biz as

abuse[at]t-online.hu postmaster[at]t-online.hu abuse[at]matav.net abuse[at]axelero.hu abuse[at]telekom.hu

There is insufficient external evidence of helpdesk[at]mconet.biz as an actual 'drop box' - though as a phish the thing would be quite pointless if it were not, so I suppose the point is well made.

It is not necessary to find the routing for www.mconet.biz for the email reporting address - as mentioned elsewhere, the email address itself can be handled by the parser directly to give abuse reporting addresses. When you do this now for helpdesk[at]mconet.biz the (current) result - is

Parsing input: helpdesk[at]mconet.biz

Cannot find an MX for mconet.biz

Host mconet.biz (checking ip) IP not found ; mconet.biz discarded as fake.

No mail exchanger. Email to this address would bounce.

Cannot resolve helpdesk[at]mconet.biz

No valid email addresses found, sorry!

...

Not sure what to make of all that - whether this was a pointless phish all along or whether SC/JT have since absolutely pulverised the malefactor, his hidey-hole and the horse he rode in on. The latter case would be a delicious thing, wouldn't it?
Link to comment
Share on other sites

There is insufficient external evidence of helpdesk[at]mconet.biz as an actual 'drop box' - though as a phish the thing would be quite pointless if it were not, so I suppose the point is well made.

195.228.75.213

abuse[at]t-online.hu postmaster[at]t-online.hu abuse[at]matav.net abuse[at]axelero.hu abuse[at]telekom.hu

This has now shifted to google?

NSLookup(MX) for mail server(s):
  - ASPMX.L.GOOGLE.COM (10)

NSLookup(A) on Domain: ASPMX.L.GOOGLE.COM
  - 209.85.199.27
  - 209.85.199.114

--------------------------------------------------

Verify Email Address: helpdesk[at]mconet.biz
  Server not responding.

--------------------------------------------------

Looking up Abuse address on Abuse.net:
  - abuse[at]google.com (for google.com)

Link to comment
Share on other sites

This has now shifted to google?

NSLookup(MX) for mail server(s):
  - ASPMX.L.GOOGLE.COM (10)

NSLookup(A) on Domain: ASPMX.L.GOOGLE.COM
  - 209.85.199.27
  - 209.85.199.114
...

Yeah, though I don't understand the variability of the MX record:

Non-authoritative answer:

mconet.biz MX preference = 10, mail exchanger = ASPMX.L.GOOGLE.COM

ASPMX.L.GOOGLE.COM internet address = 74.125.45.27

ASPMX.L.GOOGLE.COM internet address = 74.125.45.114

But it's still "Google all the way down," or maybe that's turtles, and that helpdesk[at]mconet.biz address is still cactus.

Link to comment
Share on other sites

But it's still "Google all the way down," or maybe that's turtles, and that helpdesk[at]mconet.biz address is still cactus.

http://www.mxtoolbox.com/diagnostic.aspx?H...mx.l.google.com

Google may have an open relay

My test indicated its not

195.228.75.213 is listed by SCBL

http://www.mxtoolbox.com/diagnostic.aspx?H...mx.l.google.com

Do not understand why a Hungarian IP is going to/through Google (This is now not working?)

Put 195.228.75.213 in "box"

http://www.geobytes.com/IpLocator.htm?Getlocation

Edited by petzl
Link to comment
Share on other sites

...Do not understand why a Hungarian IP is going to/through Google (This is now not working?)...
Can be difficult but mostly resolves at the moment:

Non-authoritative answer:

mconet.biz MX preference = 10, mail exchanger = aspmx.l.google.com

aspmx.l.google.com internet address = 209.85.133.114

aspmx.l.google.com internet address = 209.85.133.27

SC (now) agrees

Removing old cache entries.

Tracking details

Display data:

"whois 209.85.201.114[at]whois.arin.net" (Getting contact from whois.arin.net )

209.85.128.0 - 209.85.255.255:arin-contact[at]google.com

whois.arin.net contact: arin-contact[at]google.com

Routing details for 209.85.201.114

Using abuse net on arin-contact[at]google.com

abuse net google.com = abuse[at]google.com

Using best contacts abuse[at]google.com

This has been going on (one way or another) for 24 hours or more. Helpdesk address (remains) definitely shonky anyway:

Results

confidence rating: 0 - Bad address what this means

error: Recipient rejected

Address parts

local part: helpdesk

domain: mconet.biz

extra text:

MX records

preference exchange IP address (if included)

10 ASPMX.L.GOOGLE.COM [72.14.247.27]

SMTP session

[Contacting ASPMX.L.GOOGLE.COM [72.14.247.27]...]

[Connected]

220 mx.google.com ESMTP 38si25234aga.4

EHLO hexillion.com

250-mx.google.com at your service, [70.84.211.98]

250-SIZE 35651584

250-8BITMIME

250 ENHANCEDSTATUSCODES

NOOP *** See <http://www.hexillion.com/MailAdmin/> for an explanation of this session

250 2.0.0 OK 38si25234aga.4

NOOP *** HexValidEmail COM 1.4.12 <5c31a8fa73d35685c3baa1e0430da151bdc52a85>

250 2.0.0 OK 38si25234aga.4

RSET

250 2.1.5 Flushed 38si25234aga.4

MAIL FROM:<HexValidEmail[at]hexillion.com>

250 2.1.0 OK 38si25234aga.4

RCPT TO:<helpdesk[at]mconet.biz>

550-5.1.1 The email account that you tried to reach does not exist. Please

550-5.1.1 try double-checking the recipient's email address for typos

550-5.1.1 or unnecessary spaces. Learn more at

550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 38si25234aga.4

[Address has been rejected]

RSET

250 2.1.5 Flushed 38si25234aga.4

QUIT

221 2.0.0 closing connection 38si25234aga.4

[Connection closed]

Domain registration - created by registrar NAMEBAY SAM

Whois Updated by registrar 1API GMBH Fri Nov 14 00:10:49 GMT 2008

(Registrant) contact: mconet[at]mconet.hu - which address also goes through Google but actually works.

Results

confidence rating: 3 - SMTP what this means

error: None

Address parts

local part: mconet

domain: mconet.hu

extra text:

MX records

preference exchange IP address (if included)

10 ASPMX.L.GOOGLE.COM [74.125.45.27]

SMTP session

[Contacting ASPMX.L.GOOGLE.COM [74.125.45.27]...]

[Connected]

220 mx.google.com ESMTP 4si93872yxj.7

EHLO hexillion.com

250-mx.google.com at your service, [70.84.211.98]

250-SIZE 35651584

250-8BITMIME

250 ENHANCEDSTATUSCODES

NOOP *** See <http://www.hexillion.com/MailAdmin/> for an explanation of this session

250 2.0.0 OK 4si93872yxj.7

NOOP *** HexValidEmail COM 1.4.12 <5c31a8fa73d35685c3baa1e0430da151bdc52a85>

250 2.0.0 OK 4si93872yxj.7

RSET

250 2.1.5 Flushed 4si93872yxj.7

MAIL FROM:<HexValidEmail[at]hexillion.com>

250 2.1.0 OK 4si93872yxj.7

RCPT TO:<hextest19F0[at]mconet.hu>

550-5.1.1 The email account that you tried to reach does not exist. Please

550-5.1.1 try double-checking the recipient's email address for typos

550-5.1.1 or unnecessary spaces. Learn more at

550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 4si93872yxj.7

RCPT TO:<mconet[at]mconet.hu>

250 2.1.5 OK 4si93872yxj.7

RSET

250 2.1.5 Flushed 4si93872yxj.7

QUIT

221 2.0.0 closing connection 4si93872yxj.7

[Connection closed]

All very strange but the Reply-to: helpdesk[at]mconet.biz supposed drop-box in the phish remains non-functional for whatever reason and it does sorts look like Google would be the current abuse handler whether they know it or not.

I'm guessing mconet got booted from their previous mail provider as a result of the phishing or other transgressions. If so, that was some effective reporting by someone. I would not relish the task of replicating it with Google as the provider. Nice enough people no doubt but about as sharp as a bowling ball when it comes to abuse matters.

Link to comment
Share on other sites

Can be difficult but mostly resolves at the moment:

All very strange but the Reply-to: helpdesk[at]mconet.biz supposed drop-box in the phish remains non-functional for whatever reason and it does sorts look like Google would be the current abuse handler whether they know it or not.

I'm guessing that the bot controller/phisher of IP 195.228.75.213 relays this IP to/through a google email server

Sometimes I can access 195.228.75.213 directly but not for long or often? I have to wonder if access is watched and turned off/manipulated when outsiders check it

Link to comment
Share on other sites

I'm guessing that the bot controller/phisher of IP 195.228.75.213 relays this IP to/through a google email server

Sometimes I can access 195.228.75.213 directly but not for long or often? I have to wonder if access is watched and turned off/manipulated when outsiders check it

Could be, but I wonder if it is just a routing issue from your location? Maybe try http://centralops.net/co/DomainDossier.aspx with DNS records, traceroute and service scan? I'm just not having the same difficulty.

H:\>nslookup

...

> set type=all

> mconet.biz

...

Non-authoritative answer:

mconet.biz internet address = 195.228.75.213

mconet.biz nameserver = ns1.mconet.hu

mconet.biz nameserver = ns2.mconet.hu

mconet.biz

primary name server = ns1.mconet.hu

responsible mail addr = postmaster.mconet.biz

serial = 2008110901

refresh = 86400 (1 day)

retry = 7200 (2 hours)

expire = 3600000 (41 days 16 hours)

default TTL = 3600 (1 hour)

mconet.biz MX preference = 10, mail exchanger = aspmx.l.google.com

ns1.mconet.hu internet address = 195.228.75.199

ns2.mconet.hu internet address = 195.228.155.197

>

I see the MX, aspmx.l.google.com resolving to different pairs at different times, RobTex finding yet a third pair of:

66.249.93.27 gsmtp93.google.com ug-in-f27.google.com

66.249.93.114 gsmtp93-2.google.com

but mostly 209.85.133.27 209.85.133.114

... but maybe all of that is 'normal' for that service. If so, worth knowing about.

http://www.google.com/support/a/bin/answer...mp;answer=33915

I see MCOnet.biz offers free webmail, I'm thinking that explains a lot though why they would allow a casual user to grab an 'official' sounding name like helpdesk is harder to understand. Maybe it's just not the same in Magyar. Or, since it's not just SC, but many other webmail services that are under phishing attack, maybe the real helpdesk[at] fell for an earlier phish? Wouldn't say a lot in favour of the quality of the support service but stranger things have happened in the annals of the internet. :D

Link to comment
Share on other sites

Just got another one from this same spammer (opengate.com.br seems to be the sender). Is posting this sort of phishing scam useful or should I just report these and leave off posting them?

Reported it here:

http://www.spamcop.net/sc?id=z2413263295z0...dfcda976c774efz

The actual message is

Moderator edit: The Actual message is removed since it is visible to anyone interested by following the TrackingURL above.

Link to comment
Share on other sites

Just got another one from this same spammer (opengate.com.br seems to be the sender). Is posting this sort of phishing scam useful or should I just report these and leave off posting them?

Reported it here:

http://www.spamcop.net/sc?id=z2413263295z0...dfcda976c774efz...

Just the tracking URL, I would think.

A heads up when they're active is useful, petzl's point in this topic being a good reason to post them here - a reminder that in these particular cases with no drop-box address in the body that the "Reply to:" address is an integral part of the phish and worth adding to the reports (for those having paid accounts and the ability to add user-specified addresses - and the knowledge to find the abuse address).

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...