vilain, posted November 8, 2008:

I reported a spam email supposedly sent from the "HELPDESK" to all spamcop.net subscribers asking for username, password and birthday (yeah, right). The headers clearly identified this as a phishing scam so I reported it: http://www.spamcop.net/sc?id=z2396896722z5...75de77dc3ec802z

The spamcop news groups suggested I post it on this forum as a heads up in case someone falls for it. Don't know if this forum is the best place, so I'll leave it to the moderators to move this post elsewhere if it doesn't belong. Or is this too much of a "well, duh!" thing to bother with on these forums?

Return-Path: <helpdesk[at]spamcop.net>
Delivered-To: xxxxx[at]spamcop.net
Received: (qmail 486 invoked from network); 7 Nov 2008 18:31:53 -0000
X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8
X-spam-Level:
X-spam-Status: hits=0.0 tests=none version=3.2.4
Received: from unknown (192.168.1.88) by filter8.cesmail.net with QMQP; 7 Nov 2008 18:31:53 -0000
Received: from mx-outbound2.npgco.com (207.192.213.58) by mxin1.cesmail.net with SMTP; 7 Nov 2008 18:31:04 -0000
Received: from cujo.npgco.com (cujo.npgco.com [207.192.213.29]) by mx-outbound2.npgco.com (8.13.1/8.13.1) with ESMTP id mA7HwbPk009732; Fri, 7 Nov 2008 11:58:37 -0600
Received: from localhost (localhost.localdomain [127.0.0.1]) by cujo.npgco.com (8.13.6/8.13.1) with ESMTP id mA7Hwb4O024456; Fri, 7 Nov 2008 11:58:37 -0600
Received: from 192.168.0.18 (192.168.0.18 [192.168.0.18]) by webmail.npgcable.com (Horde MIME library) with HTTP; Fri, 07 Nov 2008 11:58:37 -0600
Message-ID: <20081107115837.7jh4sdc90r5s04oc[at]webmail.npgcable.com>
Date: Fri, 07 Nov 2008 11:58:37 -0600
From: HELPDESK <helpdesk[at]spamcop.net>
Reply-to: helpdesk[at]mconet.biz
To: undisclosed-recipients:;
Subject: E-mail Update
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.1.3)
X-Canit-CHI2: 0.50
X-Bayes-Prob: 0.0018 (Score 0, tokens from: [at][at]RPTN, cujo-out)
X-CanItPRO-Stream: cujo-out (inherits from default)
X-Canit-Stats-ID: 14708681 - c78f2705cc57
X-Scanned-By: CanIt (www . roaringpenguin . com) on 207.192.213.58
X-SpamCop-Checked: 207.192.213.58 207.192.213.29

Dear spamcop.net Subscribers,

We wish to inform you that we are undergoing slight maintenance and upgrading of our site. And we are also using this medium to delete the inactive email id and you are required to send your account details for verification:

*Username:*****************
*Password:*****************
*Date Of Birth:************

Warning!!! it very important you update your email account within three days ofthis update notification,We are sorry for any inconvinence will might have cause you,and expect our new mail features.

Webmail Support Team 2008.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
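The indicators that give the message above away (Reply-to pointing at a different domain than From, a Message-ID and delivering MTA that belong to a third-party webmail rather than the claimed sender, and a request for a password) can be checked mechanically. The following is an added example, not code from any poster in this thread; the header sample is constructed from the post above with "[at]" restored, and OWN_DOMAINS is an assumption about which hosts belong to the receiving site.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted above ("[at]" restored to "@").
SAMPLE = """Received: (qmail 486 invoked from network); 7 Nov 2008 18:31:53 -0000
Received: from unknown (192.168.1.88) by filter8.cesmail.net with QMQP; 7 Nov 2008 18:31:53 -0000
Received: from mx-outbound2.npgco.com (207.192.213.58) by mxin1.cesmail.net with SMTP; 7 Nov 2008 18:31:04 -0000
Received: from cujo.npgco.com (cujo.npgco.com [207.192.213.29]) by mx-outbound2.npgco.com with ESMTP id mA7HwbPk009732; Fri, 7 Nov 2008 11:58:37 -0600
Received: from 192.168.0.18 (192.168.0.18 [192.168.0.18]) by webmail.npgcable.com (Horde MIME library) with HTTP; Fri, 07 Nov 2008 11:58:37 -0600
Message-ID: <20081107115837.7jh4sdc90r5s04oc@webmail.npgcable.com>
From: HELPDESK <helpdesk@spamcop.net>
Reply-to: helpdesk@mconet.biz

Dear spamcop.net Subscribers, you are required to send your account details:
*Username:***** *Password:***** *Date Of Birth:*****
"""

# Assumption: the receiving site's own mail hosts live under these domains.
OWN_DOMAINS = {"cesmail.net", "spamcop.net"}

def under(host, domain):
    return bool(domain) and (host == domain or host.endswith("." + domain))

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def entry_hop(msg, own_domains):
    """Top-down through Received: (from_host, by_host) of the hop where an
    outside MTA handed the message to one of our own hosts, else None."""
    for hdr in msg.get_all("Received", []):
        mf = re.search(r"\bfrom\s+([^\s();\[\]]+)", hdr)
        mb = re.search(r"\bby\s+([^\s();\[\]]+)", hdr)
        if not (mf and mb) or "." not in mf.group(1):
            continue  # local qmail/QMQP hops: no 'by' host, or 'from unknown'
        src, dst = mf.group(1).lower(), mb.group(1).lower()
        if any(under(dst, d) for d in own_domains) and not any(under(src, d) for d in own_domains):
            return src, dst
    return None

def analyse(raw, own_domains=OWN_DOMAINS):
    """Phishing indicators: the claimed sender (From) checked against Reply-To, Message-ID, delivering MTA."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    mid_dom = msg.get("Message-ID", "").strip(" <>").rpartition("@")[2].lower()
    hop = entry_hop(msg, own_domains)
    return {
        "entry_hop": hop,
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,   # real drop box elsewhere
        "message_id_mismatch": bool(mid_dom) and not under(mid_dom, from_dom),  # injected at third-party webmail
        "sender_mta_mismatch": hop is not None and not under(hop[0], from_dom),  # not the sender's own MTA
        "asks_for_credentials": bool(re.search(r"\bpassword\b", msg.get_payload(), re.I)),
    }
```

Running analyse(SAMPLE) flags all four indicators and identifies mx-outbound2.npgco.com as the MTA that handed the message to mxin1.cesmail.net, which is the host SpamCop's parser reports.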
dbiel, posted November 8, 2008:

> The spamcop news groups suggested I post it on this forum as a heads up in case someone falls for it. Don't know if this forum is the best place, so I'll leave it to the moderators to move this post elsewhere if it doesn't belong. Or is this too much of a "well, duh!" thing to bother with on these forums?

Thanks for posting this. It is good when the newsgroups, forums and Wiki can be used together to fight our common problems.

Another example of a related spam can be found in the SpamCop Wiki: Fake Notification Messages

The most important point to remember is to NEVER click on a link in a message unless you are positive where it came from and that it can be trusted. If in doubt, contact the source directly by phone, email, web page, regular mail etc. using addresses you have from other sources. NOTHING in a questionable email message should be trusted.
petzl, posted November 8, 2008:

> I reported a spam email supposedly sent from the "HELPDESK" to all spamcop.net subscribers asking for username, password and birthday (yeah, right). The headers clearly identified this as a phishing scam so I reported it:

Good idea, in this case, to report the reply email address helpdesk[at]mconet.biz as well.
DavidT, posted November 8, 2008:

> Good idea, in this case, to report the reply email address helpdesk[at]mconet.biz as well.

To whom?

DT
Wazoo, posted November 9, 2008:

> The spamcop news groups suggested I post it on this forum as a heads up in case someone falls for it.

A lot of unnecessary work needed to reply to this statement. Your use of X-No-Archive: yes in your newsgroup post made my initial attempt at linking to your post in the Archives impossible .... somewhat handled now by the post [scspamcop] Re: We must be doing something right... Wazoo

The remainder of the 'conversation' is within the other multiple listings under the same Title/Subject Line (but date-ordered above this post) caused by the 'loss' of the thread-starting post.

I see that you asked about posting into the Forum. However, I don't see where anyone actually responded to the question. The news.spamcop.spam reply wasn't really helpful as so few folks actually subscribe to the newsgroup, but was an honest attempt to answer the "where to post the spam" part of the question.

BTW: Your munged 'bad' Reply/From e-mail address doesn't match the suggested one offered up on various SpamCop.net Help/FAQ/Wiki pages.
petzl, posted November 12, 2008:

> To whom?

helpdesk[at]mconet.biz

SpamCop reporting gives www.mconet.biz as:
abuse[at]t-online.hu
postmaster[at]t-online.hu
abuse[at]matav.net
abuse[at]axelero.hu
abuse[at]telekom.hu
Farelf, posted November 13, 2008:

> helpdesk[at]mconet.biz
> SpamCop reporting gives www.mconet.biz as abuse[at]t-online.hu postmaster[at]t-online.hu abuse[at]matav.net abuse[at]axelero.hu abuse[at]telekom.hu

There is insufficient external evidence of helpdesk[at]mconet.biz as an actual 'drop box' - though as a phish the thing would be quite pointless if it were not, so I suppose the point is well made.

It is not necessary to find the routing for www.mconet.biz for the email reporting address - as mentioned elsewhere, the email address itself can be handled by the parser directly to give abuse reporting addresses. When you do this now for helpdesk[at]mconet.biz the (current) result is:

Parsing input: helpdesk[at]mconet.biz
Cannot find an MX for mconet.biz
Host mconet.biz (checking ip) IP not found ; mconet.biz discarded as fake.
No mail exchanger. Email to this address would bounce.
Cannot resolve helpdesk[at]mconet.biz
No valid email addresses found, sorry!

... Not sure what to make of all that - whether this was a pointless phish all along or whether SC/JT have since absolutely pulverised the malefactor, his hidey-hole and the horse he rode in on. The latter case would be a delicious thing, wouldn't it?
petzl, posted November 13, 2008:

> There is insufficient external evidence of helpdesk[at]mconet.biz as an actual 'drop box' - though as a phish the thing would be quite pointless if it were not, so I suppose the point is well made.

195.228.75.213
abuse[at]t-online.hu
postmaster[at]t-online.hu
abuse[at]matav.net
abuse[at]axelero.hu
abuse[at]telekom.hu

This has now shifted to google?

NSLookup(MX) for mail server(s):
- ASPMX.L.GOOGLE.COM (10)
NSLookup(A) on Domain: ASPMX.L.GOOGLE.COM
- 209.85.199.27
- 209.85.199.114
--------------------------------------------------
Verify Email Address: helpdesk[at]mconet.biz
Server not responding.
--------------------------------------------------
Looking up Abuse address on Abuse.net:
- abuse[at]google.com (for google.com)
Farelf, posted November 13, 2008:

> This has now shifted to google?
> NSLookup(MX) for mail server(s):
> - ASPMX.L.GOOGLE.COM (10)
> NSLookup(A) on Domain: ASPMX.L.GOOGLE.COM
> - 209.85.199.27
> - 209.85.199.114
> ...

Yeah, though I don't understand the variability of the MX record:

Non-authoritative answer:
mconet.biz MX preference = 10, mail exchanger = ASPMX.L.GOOGLE.COM
ASPMX.L.GOOGLE.COM internet address = 74.125.45.27
ASPMX.L.GOOGLE.COM internet address = 74.125.45.114

But it's still "Google all the way down," or maybe that's turtles, and that helpdesk[at]mconet.biz address is still cactus.
petzl, posted November 13, 2008:

> But it's still "Google all the way down," or maybe that's turtles, and that helpdesk[at]mconet.biz address is still cactus.

http://www.mxtoolbox.com/diagnostic.aspx?H...mx.l.google.com

Google may have an open relay. My test indicated it's not.

195.228.75.213 is listed by SCBL
http://www.mxtoolbox.com/diagnostic.aspx?H...mx.l.google.com

Do not understand why a Hungarian IP is going to/through Google (This is now not working?)

Put 195.228.75.213 in "box"
http://www.geobytes.com/IpLocator.htm?Getlocation
Farelf, posted November 14, 2008:

> ...Do not understand why a Hungarian IP is going to/through Google (This is now not working?)...

Can be difficult but mostly resolves at the moment:

Non-authoritative answer:
mconet.biz MX preference = 10, mail exchanger = aspmx.l.google.com
aspmx.l.google.com internet address = 209.85.133.114
aspmx.l.google.com internet address = 209.85.133.27

SC (now) agrees:

Removing old cache entries.
Tracking details
Display data:
"whois 209.85.201.114[at]whois.arin.net" (Getting contact from whois.arin.net )
209.85.128.0 - 209.85.255.255:arin-contact[at]google.com
whois.arin.net contact: arin-contact[at]google.com
Routing details for 209.85.201.114
Using abuse net on arin-contact[at]google.com
abuse net google.com = abuse[at]google.com
Using best contacts abuse[at]google.com

This has been going on (one way or another) for 24 hours or more. Helpdesk address (remains) definitely shonky anyway:

Results
confidence rating: 0 - Bad address
error: Recipient rejected
Address parts
local part: helpdesk
domain: mconet.biz
extra text:
MX records
preference exchange IP address (if included)
10 ASPMX.L.GOOGLE.COM [72.14.247.27]
SMTP session
[Contacting ASPMX.L.GOOGLE.COM [72.14.247.27]...]
[Connected]
220 mx.google.com ESMTP 38si25234aga.4
EHLO hexillion.com
250-mx.google.com at your service, [70.84.211.98]
250-SIZE 35651584
250-8BITMIME
250 ENHANCEDSTATUSCODES
NOOP *** See <http://www.hexillion.com/MailAdmin/> for an explanation of this session
250 2.0.0 OK 38si25234aga.4
NOOP *** HexValidEmail COM 1.4.12 <5c31a8fa73d35685c3baa1e0430da151bdc52a85>
250 2.0.0 OK 38si25234aga.4
RSET
250 2.1.5 Flushed 38si25234aga.4
MAIL FROM:<HexValidEmail[at]hexillion.com>
250 2.1.0 OK 38si25234aga.4
RCPT TO:<helpdesk[at]mconet.biz>
550-5.1.1 The email account that you tried to reach does not exist. Please
550-5.1.1 try double-checking the recipient's email address for typos
550-5.1.1 or unnecessary spaces. Learn more at
550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 38si25234aga.4
[Address has been rejected]
RSET
250 2.1.5 Flushed 38si25234aga.4
QUIT
221 2.0.0 closing connection 38si25234aga.4
[Connection closed]

Domain registration - created by registrar NAMEBAY SAM, Whois updated by registrar 1API GMBH Fri Nov 14 00:10:49 GMT 2008 (Registrant) contact: mconet[at]mconet.hu - which address also goes through Google but actually works.

Results
confidence rating: 3 - SMTP
error: None
Address parts
local part: mconet
domain: mconet.hu
extra text:
MX records
preference exchange IP address (if included)
10 ASPMX.L.GOOGLE.COM [74.125.45.27]
SMTP session
[Contacting ASPMX.L.GOOGLE.COM [74.125.45.27]...]
[Connected]
220 mx.google.com ESMTP 4si93872yxj.7
EHLO hexillion.com
250-mx.google.com at your service, [70.84.211.98]
250-SIZE 35651584
250-8BITMIME
250 ENHANCEDSTATUSCODES
NOOP *** See <http://www.hexillion.com/MailAdmin/> for an explanation of this session
250 2.0.0 OK 4si93872yxj.7
NOOP *** HexValidEmail COM 1.4.12 <5c31a8fa73d35685c3baa1e0430da151bdc52a85>
250 2.0.0 OK 4si93872yxj.7
RSET
250 2.1.5 Flushed 4si93872yxj.7
MAIL FROM:<HexValidEmail[at]hexillion.com>
250 2.1.0 OK 4si93872yxj.7
RCPT TO:<hextest19F0[at]mconet.hu>
550-5.1.1 The email account that you tried to reach does not exist. Please
550-5.1.1 try double-checking the recipient's email address for typos
550-5.1.1 or unnecessary spaces. Learn more at
550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 4si93872yxj.7
RCPT TO:<mconet[at]mconet.hu>
250 2.1.5 OK 4si93872yxj.7
RSET
250 2.1.5 Flushed 4si93872yxj.7
QUIT
221 2.0.0 closing connection 4si93872yxj.7
[Connection closed]

All very strange but the Reply-to: helpdesk[at]mconet.biz supposed drop-box in the phish remains non-functional for whatever reason and it does sort of look like Google would be the current abuse handler whether they know it or not.

I'm guessing mconet got booted from their previous mail provider as a result of the phishing or other transgressions. If so, that was some effective reporting by someone. I would not relish the task of replicating it with Google as the provider. Nice enough people no doubt but about as sharp as a bowling ball when it comes to abuse matters.
petzl, posted November 14, 2008:

> Can be difficult but mostly resolves at the moment:
> All very strange but the Reply-to: helpdesk[at]mconet.biz supposed drop-box in the phish remains non-functional for whatever reason and it does sort of look like Google would be the current abuse handler whether they know it or not.

I'm guessing that the bot controller/phisher of IP 195.228.75.213 relays this IP to/through a google email server.

Sometimes I can access 195.228.75.213 directly but not for long or often? I have to wonder if access is watched and turned off/manipulated when outsiders check it.
Farelf, posted November 14, 2008:

> I'm guessing that the bot controller/phisher of IP 195.228.75.213 relays this IP to/through a google email server.
> Sometimes I can access 195.228.75.213 directly but not for long or often? I have to wonder if access is watched and turned off/manipulated when outsiders check it.

Could be, but I wonder if it is just a routing issue from your location? Maybe try http://centralops.net/co/DomainDossier.aspx with DNS records, traceroute and service scan? I'm just not having the same difficulty.

H:\>nslookup
...
> set type=all
> mconet.biz
...
Non-authoritative answer:
mconet.biz internet address = 195.228.75.213
mconet.biz nameserver = ns1.mconet.hu
mconet.biz nameserver = ns2.mconet.hu
mconet.biz
        primary name server = ns1.mconet.hu
        responsible mail addr = postmaster.mconet.biz
        serial = 2008110901
        refresh = 86400 (1 day)
        retry = 7200 (2 hours)
        expire = 3600000 (41 days 16 hours)
        default TTL = 3600 (1 hour)
mconet.biz MX preference = 10, mail exchanger = aspmx.l.google.com
ns1.mconet.hu internet address = 195.228.75.199
ns2.mconet.hu internet address = 195.228.155.197
>

I see the MX, aspmx.l.google.com, resolving to different pairs at different times, RobTex finding yet a third pair of:
66.249.93.27 gsmtp93.google.com ug-in-f27.google.com
66.249.93.114 gsmtp93-2.google.com
but mostly
209.85.133.27
209.85.133.114
... but maybe all of that is 'normal' for that service. If so, worth knowing about. http://www.google.com/support/a/bin/answer...mp;answer=33915

I see MCOnet.biz offers free webmail, I'm thinking that explains a lot though why they would allow a casual user to grab an 'official' sounding name like helpdesk is harder to understand. Maybe it's just not the same in Magyar. Or, since it's not just SC, but many other webmail services that are under phishing attack, maybe the real helpdesk[at] fell for an earlier phish? Wouldn't say a lot in favour of the quality of the support service but stranger things have happened in the annals of the internet.
vilain (author), posted November 19, 2008:

Just got another one from this same spammer (opengate.com.br seems to be the sender). Is posting this sort of phishing scam useful or should I just report these and leave off posting them? Reported it here: http://www.spamcop.net/sc?id=z2413263295z0...dfcda976c774efz

The actual message is

Moderator edit: The actual message is removed since it is visible to anyone interested by following the Tracking URL above.
Farelf, posted November 19, 2008:

> Just got another one from this same spammer (opengate.com.br seems to be the sender). Is posting this sort of phishing scam useful or should I just report these and leave off posting them? Reported it here: http://www.spamcop.net/sc?id=z2413263295z0...dfcda976c774efz...

Just the tracking URL, I would think. A heads up when they're active is useful, petzl's point in this topic being a good reason to post them here - a reminder that in these particular cases with no drop-box address in the body that the "Reply to:" address is an integral part of the phish and worth adding to the reports (for those having paid accounts and the ability to add user-specified addresses - and the knowledge to find the abuse address).