Wednesday, April 26, 2006

Another eBay scam artist emailed me tonight blackstump.com.au

Another eBay scam artist emailed me tonight. This one was just a little different.

I guess now I have an "Unpaid Item Dispute". The headers point to 209.216.209.10 as the mail server.

Here are the full email headers and all...

X-Apparently-To: mrlinuxhead@yahoo.com via 68.142.207.116; Mon, 24 Apr 2006 15:56:29 -0700
X-Originating-IP: [209.216.209.10]
Return-Path:
Authentication-Results: mta244.mail.re2.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 209.216.209.10 (EHLO admin.blackstump.com.au) (209.216.209.10) by mta244.mail.re2.yahoo.com with SMTP; Mon, 24 Apr 2006 15:56:29 -0700
Received: (qmail 15991 invoked by uid 10018); 24 Apr 2006 15:35:41 -0700
Date: 24 Apr 2006 15:35:41 -0700
Message-ID: <20060424223541.15990.qmail@admin.blackstump.com.au>
To: mrlinuxhead@yahoo.com
Subject: eBay Unpaid Item Dispute #4858411651 -- response required
From: aw-confirm@ebay.com

eBay Unpaid Item Dispute #4858411651 -- response required

Dear member,
eBay member moviemars-uk has indicated that they already paid for item #4858411651
Review the submitted details regarding the payment.

Regards,
eBay International AG


Bogus eBay link points to:
http://ns1.zerotrance.net/.sign/eBayISAPI.dllSignInco_partnerIdpUserIdsiteidpageTypepa1i1bshowgifUsingSSL862984con462msgMNSIEhufem37ajhd84Sllencrypt378/signin.ebay.com/

Of course I email spoof@ebay.com and paste the bogus link into phishfighting.com.
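Added example (not from the original post): a small header-triage script that parses the headers quoted above, pulls the relay hop out of the Received: line, and flags the same mismatches the post tracks down by hand: the From: domain against the EHLO and Message-ID hosts, and a link whose "ebay.com" appears only in the path, never in the host. The headers and link are the ones quoted in the post, trimmed to the fields used; the function names are my own.

```python
import re
from urllib.parse import urlsplit
# Sample input: the scam email's headers and bogus link, as quoted in the post.
HEADERS = """\
Received: from 209.216.209.10 (EHLO admin.blackstump.com.au) (209.216.209.10) by mta244.mail.re2.yahoo.com with SMTP; Mon, 24 Apr 2006 15:56:29 -0700
Received: (qmail 15991 invoked by uid 10018); 24 Apr 2006 15:35:41 -0700
Message-ID: <20060424223541.15990.qmail@admin.blackstump.com.au>
From: aw-confirm@ebay.com
"""
BOGUS_LINK = "http://ns1.zerotrance.net/.sign/eBayISAPI.dllSignInco_partnerIdpUserIdsiteidpageTypepa1i1bshowgifUsingSSL862984con462msgMNSIEhufem37ajhd84Sllencrypt378/signin.ebay.com/"
# "from <ip> (EHLO <host>) (<ip>) by <server>": the form Yahoo's MTA wrote above.
RECEIVED_RE = re.compile(r"from\s+\S+\s+\(EHLO\s+([^)]+)\)\s+\((\d+\.\d+\.\d+\.\d+)\)\s+by\s+(\S+)")

def parse_headers(text):
    """(name, value) pairs in order of appearance; duplicates (Received:) are kept."""
    pairs = []
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def relay_hops(pairs):
    """SMTP hops that announced an EHLO name; the local qmail line does not match."""
    hops = []
    for name, value in pairs:
        m = RECEIVED_RE.search(value) if name.lower() == "received" else None
        if m:
            hops.append({"helo": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return hops

def within(host, domain):  # host is domain itself or a subdomain of it
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(pairs, link):
    """Compare what the mail claims (From:) with where it came from and where it points."""
    h = {k.lower(): v for k, v in pairs}        # last value wins; fine for From/Message-ID
    claimed = h["from"].split("@")[-1].lower()  # "ebay.com"
    findings = []
    for hop in relay_hops(pairs):
        if not within(hop["helo"], claimed):
            findings.append(f"relay {hop['ip']} (EHLO {hop['helo']}) is not under {claimed}")
    msgid_host = h["message-id"].rsplit("@", 1)[-1].strip("> ")
    if not within(msgid_host, claimed):
        findings.append(f"Message-ID was generated at {msgid_host}, not {claimed}")
    u = urlsplit(link)
    if claimed in u.path.lower() and not within(u.hostname, claimed):
        findings.append(f"link host is {u.hostname}; '{claimed}' appears only in the path")
    return findings
```

Run against the quoted mail it reports three findings: the relay, the Message-ID host and the link host all belong to blackstump.com.au or zerotrance.net, not to ebay.com.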

Using DNSStuff, let's see who we are dealing with....

The IP address of the email relay is: 209.216.209.10

And they are .... in San Diego, California. Busted.
This is just the email server that delivered the scam email.

IP address: 209.216.209.10
Reverse DNS: admin.blackstump.com.au.
Reverse DNS authenticity: [Verified]
ASN: 6130
ASN Name: ADN-WEST
IP range connectivity: 0
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 209.216.192.0 to 209.216.255.255
Country fraud profile: Normal
City (per outside source): San Diego, California
Private (internal) IP? No

Sneaky little bastards blocked the WHOIS lookup, but I got the DNS servers..

blackstump.com.au. A IN 3600 209.216.209.10
blackstump.com.au. NS IN 3600 ns2.webintellects.com.
blackstump.com.au. NS IN 3600 ns1.webintellects.com.
ns2.webintellects.com. A IN 3600 209.126.236.3
ns1.webintellects.com. A IN 3600 209.216.201.3

Now let's see who is hosting the bogus web site...

ns1.zerotrance.net. A IN 172800 85.234.144.88
zerotrance.net. NS IN 172800 ns1.zerotrance.net.
zerotrance.net. NS IN 172800 ns2.zerotrance.net.
ns1.zerotrance.net. A IN 172800 85.234.144.88
ns2.zerotrance.net. A IN 172800 85.234.144.89

Catchy name, eh? 85.234.144.88 is the IP of ns1.zerotrance.net.

That is located in... the U.K.

IP address: 85.234.144.88
Reverse DNS: ns1.zerotrance.net.
Reverse DNS authenticity: [Verified]
ASN: 29550
ASN Name: EUROCONNEX-AS (Euroconnex Networks LLP)
IP range connectivity: 5
Registrar (per ASN): RIPE
Country (per IP registrar): GB [United Kingdom]
Country Currency: GBP [United Kingdom Pounds]
Country IP Range: 85.234.128.0 to 85.234.159.255
Country fraud profile: Normal
City (per outside source): Unknown
Private (internal) IP? No

The ISP phone numbers are here:

inetnum: 85.234.128.0 - 85.234.159.255
org: ORG-PIS3-RIPE
netname: UK-POUNDHOST-20050429
descr: PoundHost Internet Services
country: GB
admin-c: MM5420-RIPE
admin-c: KW725-RIPE
tech-c: MM5420-RIPE
status: ALLOCATED PA
remarks: PH-Network (Europe)
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: POUNDHOST
mnt-routes: POUNDHOST
mnt-routes: AS5413-MNT
notify: Matthew@Poundhost.com
changed: hostmaster@ripe.net 20050429
source: RIPE

organisation: ORG-PIS3-RIPE
org-name: PoundHost Internet Services
org-type: LIR
address: PoundHost Internet Services,
Ginchy House,
Marsh Lane,
Taplow,
Maidenhead,
Berkshire.
SL6 0DE
ENGLAND
phone: +44 (0) 870 744 1700
fax-no: +44 1628 639977
e-mail: Info@poundhost.com
admin-c: MM5420-RIPE
admin-c: LP1106-RIPE
mnt-ref: POUNDHOST
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE

person: Matthew Munson
address: Euroconnex Networks LLP,
Marsh Lane,
Taplow,
Maidenhead, UK
phone: +44 870 744 1700
e-mail: matthew@euroconnex.net
nic-hdl: MM5420-RIPE
remarks: ******************************************************
remarks: Please contact abuse@euroconnex.net for any abuse issues
remarks: E-mail sent to other addresses may not be acted upon.
remarks: ******************************************************
mnt-by: EUROCONNEX
changed: matthew@poundhost.com 20050721
source: RIPE

person: Katalin Weigand
address: PoundHost Internet Services,
Marsh Lane,
Taplow,
Maidenhead, UK
phone: +44 870 744 1700
e-mail: Katalin@poundhost.com
nic-hdl: KW725-RIPE
remarks: ******************************************************
remarks: Please contact abuse@PoundHost.com for all abuse issues
remarks: ******************************************************
mnt-by: POUNDHOST
changed: matthew@poundhost.com 20030827
changed: matthew@poundhost.com 20031009
changed: Katalin@poundhost.com 20031010
source: RIPE

% Information related to '85.234.128.0/19AS29550'

route: 85.234.128.0/19
descr: PH-Network Europe, operated by Euroconnex Networks LLP
origin: AS29550
remarks: *********************************************
remarks: For Peering and more info: www.euroconnex.net
remarks: *********************************************
mnt-by: POUNDHOST
changed: Matthew@PoundHost.com 20050601
source: RIPE

The email addresses are:
abuse@PoundHost.com
matthew@euroconnex.net
Katalin@poundhost.com


Now, let's see who owns the domain zerotrance.net, shall we...

WHOIS info is blocked by these clowns:
Whois Privacy Protection Service, Inc.

Domain name: zerotrance.net

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (sxdysbyxvq@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O zerotrance.net
Bellevue, WA 98007
US

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (sxdysbyxvq@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O zerotrance.net
Bellevue, WA 98007
US

Technical Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (sxdysbyxvq@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O zerotrance.net
Bellevue, WA 98007
US

Status: Locked

Name Servers:
ns1.zerotrance.net
ns2.zerotrance.net

Creation date: 10 Nov 2005 05:18:38
Expiration date: 10 Nov 2007 05:18:38

I emailed the admin at the UK ISP to shut down these clowns.

Later...
