Tuesday, May 09, 2006

Fresh Phish today.

Hi all,

I love Fresh Phish in the morning!

Here are the headers and body of another phish email from today. These people give me cramps.

I sent it to spoof@ebay.com and pasted the URL into phishfighting.com. Go Go Go!


Return-Path:
Authentication-Results: mta163.mail.mud.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 208.187.180.4 (EHLO web1.octelecom.net) (208.187.180.4) by mta163.mail.mud.yahoo.com with SMTP; Tue, 09 May 2006 02:05:11 -0700
Received: from web1.octelecom.net (localhost.localdomain [127.0.0.1]) by web1.octelecom.net (8.13.1/8.13.1) with ESMTP id k499EL4f022387 for ; Tue, 9 May 2006 03:14:21 -0600
Received: (from test@localhost) by web1.octelecom.net (8.13.1/8.13.1/Submit) id k499ELag022384 for mrlinuxhead@yahoo.com; Tue, 9 May 2006 03:14:21 -0600
Date: Tue, 9 May 2006 03:14:21 -0600
To: mrlinuxhead@yahoo.com
Subject: eBay Member wandasales
Message-ID: <1147166061.70001.qmail@paypal>
From: aw-confirm@ebay.com
Content-Type: text/html
Content-Length: 3699


 Question from wandasales
Item: (6876616738)
This message was sent while the listing was active.
wandasales is a potential buyer.
Hello, What would the shipping cost be to West Virginia zip code 25511?

The sending mail server is at 208.187.180.4: that is the "from" address on the topmost Received line, the one written by Yahoo's own MTA (mta163.mail.mud.yahoo.com), so it is the only hop in the chain the phisher could not forge. Note also the Authentication-Results line: domainkeys=neutral (no sig), so nothing vouches for the ebay.com From: address, and the Message-ID claims to come from "paypal" while the EHLO name is web1.octelecom.net.
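Reading the Received chain by hand works for one message; the script below does the same thing programmatically. It is an added example, not code from the original post. It embeds the headers quoted above as a constructed sample (the blank Return-Path and the elided "for" recipient on the second Received line are left out so it parses cleanly, and the body is trimmed), walks the Received lines from the top until it reaches the one written by our own MTA, reports the IP on that line as the true sender, and then lists the domain mismatches a reader would notice (EHLO name, Message-ID domain and From domain all disagree). The trusted MTA name is a parameter; every Received line below that hop was written by the sender's machine and is not to be trusted.

```python
import email
import email.utils
import re

# Constructed sample, copied from the headers quoted in the post. The blank
# Return-Path and the elided "for" recipient on the second Received line are
# left out so the sample parses cleanly; the body is trimmed to one line.
RAW_PHISH = """\
Authentication-Results: mta163.mail.mud.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 208.187.180.4 (EHLO web1.octelecom.net) (208.187.180.4) by mta163.mail.mud.yahoo.com with SMTP; Tue, 09 May 2006 02:05:11 -0700
Received: from web1.octelecom.net (localhost.localdomain [127.0.0.1]) by web1.octelecom.net (8.13.1/8.13.1) with ESMTP id k499EL4f022387; Tue, 9 May 2006 03:14:21 -0600
Received: (from test@localhost) by web1.octelecom.net (8.13.1/8.13.1/Submit) id k499ELag022384 for mrlinuxhead@yahoo.com; Tue, 9 May 2006 03:14:21 -0600
Date: Tue, 9 May 2006 03:14:21 -0600
To: mrlinuxhead@yahoo.com
Subject: eBay Member wandasales
Message-ID: <1147166061.70001.qmail@paypal>
From: aw-confirm@ebay.com
Content-Type: text/html

Question from wandasales
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_chain(raw):
    """Received headers, newest hop first (each MTA prepends its own)."""
    return email.message_from_string(raw).get_all("Received", [])


def originating_ip(raw, trusted_mta):
    """IP of the machine that handed the message to our own MTA.

    Only the Received line written by a server we control (trusted_mta)
    is trustworthy; every line below it came from the sender's side and
    could have been forged, so stop at the first trusted hop.
    """
    for hop in received_chain(raw):
        by = re.search(r"\bby\s+(\S+)", hop)
        if by and by.group(1).lower() == trusted_mta.lower():
            from_part = hop.split(" by ", 1)[0]
            ips = IPV4.findall(from_part)
            return ips[0] if ips else None
    return None


def domain_indicators(raw):
    """Domains a reader would compare: From, Message-ID and the EHLO name."""
    msg = email.message_from_string(raw)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    chain = received_chain(raw)
    ehlo = re.search(r"\(EHLO\s+([^)\s]+)\)", chain[0]) if chain else None
    return {
        "from_domain": from_addr.rpartition("@")[2].lower(),
        "message_id_domain": msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower(),
        "ehlo_host": ehlo.group(1).lower() if ehlo else None,
    }


def _under(host, domain):
    """True when host is domain itself or a name beneath it."""
    return host == domain or host.endswith("." + domain)


def mismatches(raw):
    """Human-readable reasons the headers do not add up."""
    ind = domain_indicators(raw)
    fd = ind["from_domain"]
    reasons = []
    if ind["ehlo_host"] and not _under(ind["ehlo_host"], fd):
        reasons.append(f"EHLO host {ind['ehlo_host']} is not under From domain {fd}")
    if ind["message_id_domain"] and not _under(ind["message_id_domain"], fd):
        reasons.append(f"Message-ID domain {ind['message_id_domain']} is not under From domain {fd}")
    return reasons


if __name__ == "__main__":
    print("originating IP:", originating_ip(RAW_PHISH, "mta163.mail.mud.yahoo.com"))
    for reason in mismatches(RAW_PHISH):
        print("-", reason)
```

Run against the sample this reports 208.187.180.4 and two mismatches. Passing a different trusted MTA name moves the boundary: asking for the hop "by web1.octelecom.net" instead returns 127.0.0.1, the loopback submission on the compromised box, which is exactly the sort of line a phisher could have typed in by hand.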

Here is a port scan.

Just an RH Linux box with too many ports open. Gee, I wonder if the owner knows they are sending this crap out? Let's see.


Using DNSStuff.com I see the box is at:

IP address: 208.187.180.4
Reverse DNS: web1.octelecom.net.
Reverse DNS authenticity: [Verified]
ASN: 29933
ASN Name: OFF-CAMPUS-TELECOMMUNICATIONS
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 208.184.0.0 to 208.191.255.255
Country fraud profile: Normal
City (per outside source): Provo, Utah

It looks like a campus ISP that is in Provo Utah.

No email address for them but a phone number - call us at 379-3000
(toll-free 1-800-370-1106)
We're located in Provo at 379 North University Avenue, Suite 301.

Well let's call them up and tell them they have a bad person using their RH server.

WHOIS info is blocked but I can probably find the email address.

On to the web site stealing people's passwords and user IDs.

Real URL of the scam is at: http://216.122.128.59/~admin/%20%20/index.html

Going back to DNSStuff.com I learn that:

IP address:                     216.122.128.59
Reverse DNS: r59-128-dsl.sea.lightrealm.net.
Reverse DNS authenticity: [Could be forged: hostname r59-128-dsl.sea.lightrealm.net. does not exist]
ASN: 11305
ASN Name: INTERLAND-NET1
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 216.122.0.0 to 216.122.255.255
Country fraud profile: Normal
City (per outside source): Kirkland, Washington

Gotcha sucker, you are in the USA. Busted. Phish fry today!

Looks like Lightrealm is getting its upstream pipe from Interland.

Interland, Inc. LR-BLK4 (NET-216-122-0-0-1)
216.122.0.0 - 216.122.255.255
Lightrealm, Inc. LR-ISP-GTEDHCP4-DSL (NET-216-122-128-0-1)
216.122.128.0 - 216.122.128.255


A Google for Lightrealm points to http://www.lightrealm.net/

It's a web hosting company. No surprise there.

"Get your own web site, share your special day!" is on the home page.


One that looks like an eBay login page? Maybe that's not what they had in mind.

Interland is a mass reseller of web hosts and a co-location facility.

I used to work for a company that was bought by them, Hostcentric.

Here is a port scan of the host:



The web server is running Apache on FreeBSD, with sendmail running as well.

The mail server identifies itself as bearcomp.net. Hmm. Who are they?

Asking b.ns.interland.net. for 59.128.122.216.in-addr.arpa PTR record: 
Reports r59-128-dsl.sea.lightrealm.net. [from 69.0.145.33]

Answer:
216.122.128.59 PTR record: r59-128-dsl.sea.lightrealm.net. [TTL 1800s] [A=None]
*ERROR* There is no A record (may be cached).
That's our boy!

I next find out who runs bearcomp.net with our trusty WHOIS lookup.
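Before the WHOIS record, a note on what DNSStuff's "Reverse DNS authenticity" line is actually testing, since it came back [Verified] for 208.187.180.4 and "Could be forged" for 216.122.128.59. The test is forward-confirmed reverse DNS: whoever controls the in-addr.arpa zone for an IP can put any name in the PTR record, so the PTR alone proves nothing; the name only becomes credible when it resolves forward to the same address, which requires control of the hostname's own zone. The code below is an added example, not part of the original post and not DNSStuff's code. Its offline stub answers are constructed from the two lookups above; the A record for web1.octelecom.net is assumed (it is what "Verified" implies), the missing A record for the lightrealm hostname is what the lookup above showed, and a third, made-up case on a documentation-reserved address shows the "forward-mismatch" status that neither page lookup exercised. The same function takes the real socket resolvers for live use.

```python
import socket

# Constructed offline stub of the two lookups from the post, plus one made-up
# case. The A record for web1.octelecom.net is an assumption consistent with
# DNSStuff's "Verified"; r59-128-dsl.sea.lightrealm.net deliberately has no A
# record; 203.0.113.5 (documentation range) is invented to show a PTR whose
# name resolves, but to a different address.
STUB_PTR = {
    "208.187.180.4": "web1.octelecom.net",
    "216.122.128.59": "r59-128-dsl.sea.lightrealm.net",
    "203.0.113.5": "mail.example.net",
}
STUB_A = {
    "web1.octelecom.net": ["208.187.180.4"],
    "mail.example.net": ["203.0.113.6"],
}


def stub_ptr(ip):
    """Offline stand-in for a PTR lookup; raises like socket.gethostbyaddr."""
    try:
        return STUB_PTR[ip]
    except KeyError:
        raise socket.herror(1, "Unknown host")


def stub_a(host):
    """Offline stand-in for an A lookup; raises like socket.gethostbyname_ex."""
    try:
        return list(STUB_A[host])
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


def live_ptr(ip):
    """Real resolver: PTR lookup (socket.herror when there is none)."""
    return socket.gethostbyaddr(ip)[0]


def live_a(host):
    """Real resolver: every A record for host (socket.gaierror when none)."""
    return socket.gethostbyname_ex(host)[2]


def fcrdns(ip, ptr_lookup=live_ptr, a_lookup=live_a):
    """Forward-confirmed reverse DNS.

    1. PTR: ip -> hostname. Controlled by whoever holds the in-addr.arpa
       delegation for the address block, so on its own it proves nothing.
    2. A: hostname -> addresses. Only the owner of the hostname's zone can
       make this point back at ip, which is what makes the PTR credible.

    Returns (status, hostname) with status one of "verified", "no-ptr",
    "forward-missing" (DNSStuff's "Could be forged") or "forward-mismatch".
    """
    try:
        host = ptr_lookup(ip)
    except OSError:          # socket.herror is an OSError subclass
        return ("no-ptr", None)
    try:
        addrs = a_lookup(host)
    except OSError:          # socket.gaierror likewise
        return ("forward-missing", host)
    if ip in addrs:
        return ("verified", host)
    return ("forward-mismatch", host)


if __name__ == "__main__":
    for ip in STUB_PTR:
        print(ip, fcrdns(ip, stub_ptr, stub_a))
```

Calling fcrdns("216.122.128.59") with the default live resolvers would repeat the post's query against today's DNS; the stubs keep the example runnable without a network and pin the answers to what the post recorded. The "may be cached" caveat in the lookup output is worth keeping in mind: a missing A record is strong evidence, not proof, until the negative answer's TTL has passed.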

SoftPaw
41064 Riverock Lane
Palmdale, CA 93551-1834
US
Domain Name: BEARCOMP.NET
Administrative Contact :
Hess, John
jhh@bearcomp.net
41064 Riverock Lane
Palmdale, CA 93551-1834
US
Phone: 800-725-8910
Fax: (661) 722-9010
Record expires on 26-Aug-2006
Record created on 19-May-2004
Database last updated on 13-Jun-2005

OK game over. Let's call the cops in Palmdale and have them let Mr. Hess know his server is behaving badly.

8 Comments:

Blogger Jonh Neo said...

Great Work!!!
this is a good link you can refer Art Collection

5:53 AM  
Blogger Quickregister Link Exchange said...

Mr. Linux Head,

I took a look at your post
regarding email hosting web .

You are invited to place a link to
your blog on our website for free. See:

http://www.thefreeadforum.com


We get over 18,000 visitors per day.
Many are looking for email hosting web
related products and services.

We have a specific category for email hosting web .
Your listing will be spidered by the search
engines under email hosting web . Our pages
are made to be search engine friendly.
We hope you take a moment to take
advantage of this free advertising.

Cheers,

John

http://www.thefreeadforum.com
The Free Advertising Forum.

3:42 PM  
Blogger dukexo said...

I need to talk to you, sir. I have never used this comment stuff before. I have been trying to track you down for some time now. I have a question about someone you may not know you know. Please. Her name is Jade. If that doesn't ring a bell I will gladly tell you more. Please, this is very very important!!!

david_duke77785@yahoo.com

5:30 PM  
Blogger Brian said...

http://www.briansproperties.com/ "Woodland Park" When I was looking to buy a ranch in Colorado and after finding and calling so many realtors that never returned my calls, I finally found Brian. So I thought I would post and let other people know about his site if they were having the same troubles as I was. "Woodland Park" He is a true professional.

9:40 PM  
Blogger adam said...

Hello, I just entered before I have to leave for the airport. It's been very nice to meet you; if you want, here is the site I told you about where I type some stuff and make good money (I work from home): here it is

5:37 AM  
Blogger Navya said...

Thanks for sharing.
regards

Photogrammetry mapping

4:24 AM  
Blogger chandra said...

You seem to have good technical stuff. Very helpful. Hope you keep updating with articles like this on a daily basis.

12:32 AM  
Blogger smplcv said...

I see that web hosting companies are creating a lot of this phishing activity. Just because they need customers.

Administration CV

4:02 AM  
