Wednesday, May 10, 2006

Romania emailed me with some pfresh phish!

Oh dear, another eBay unpaid item dispute today! Whatever shall I do.

Here is the latest scam to hit my inbox today.

Looks like the client sending this is in Romania: 86-107-49-159.asconet.ro (86.107.49.159)


X-Apparently-To: mrlinuxhead@yahoo.com via 68.142.200.99; Wed, 10 May 2006 17:26:38 -0700
X-Originating-IP: [63.247.69.130]
Return-Path:
Authentication-Results: mta180.mail.re4.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 63.247.69.130 (EHLO server3.unifiedns.com) (63.247.69.130) by mta180.mail.re4.yahoo.com with SMTP; Wed, 10 May 2006 17:26:36 -0700
Received: from 86-107-49-159.asconet.ro ([86.107.49.159] helo=User) by server3.unifiedns.com with esmtpa (Exim 4.52) id 1Fdz0J-0006v8-EQ; Wed, 10 May 2006 20:26:07 -0400
Reply-to:
From: "eBay"
Subject: eBay Unpaid Item Dispute #4870988286 -- response required
Date: Thu, 11 May 2006 03:27:55 +0300
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server3.unifiedns.com
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - ebay.com
X-Source:
X-Source-Args:
X-Source-Dir:
Content-Length: 688

eBay Unpaid Item Dispute #4870988286 -- response required


Dear member,

eBay member alkaza has indicated that they already paid for item #4870988286

Review the submitted details regarding the payment.

Regards,
eBay International AG

Here is the URL of the scammers:
http://shop.whg-walzstahl.de/.sign/eBayISAPI.dllSignInco_partnerIdpUserIdsiteidpageTypepa1i1bshowgifUsingSSL862984con462msgMNSIEhufem37ajhd84Sllencrypt378/signin.ebay.com/
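To show how the client and the real phishing host above were picked out, here is an added example (my code, not part of the original post): it walks the Received chain from the headers quoted above back to the originating client, and unmasks the host a browser would actually connect to behind that eBay-looking URL. The Received lines and the URL are copied from the post; everything else is constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Header lines and URL copied from the post (only the parts needed here);
# the parsing code itself is an added example, not from the post.
RAW_HEADERS = (
    "Received: from 63.247.69.130 (EHLO server3.unifiedns.com) (63.247.69.130)"
    " by mta180.mail.re4.yahoo.com with SMTP; Wed, 10 May 2006 17:26:36 -0700\n"
    "Received: from 86-107-49-159.asconet.ro ([86.107.49.159] helo=User)"
    " by server3.unifiedns.com with esmtpa (Exim 4.52) id 1Fdz0J-0006v8-EQ;"
    " Wed, 10 May 2006 20:26:07 -0400\n"
    "Subject: eBay Unpaid Item Dispute #4870988286 -- response required\n\n"
)
PHISH_URL = ("http://shop.whg-walzstahl.de/.sign/eBayISAPI.dllSignInco_partnerId"
             "pUserIdsiteidpageTypepa1i1bshowgifUsingSSL862984con462msgMNSIEhufem"
             "37ajhd84Sllencrypt378/signin.ebay.com/")

# "from <client> (... <ip> ...) by <relay>" as written by Exim/sendmail-style MTAs
HOP_RE = re.compile(r"from\s+(\S+)\s+\(.*?(\d{1,3}(?:\.\d{1,3}){3}).*?by\s+(\S+)", re.S)

def received_chain(raw):
    """Hops as (client_name, client_ip, relay), ordered origin -> recipient.
    Each MTA prepends its own Received header, so the last one is the earliest
    hop. Only hops written by servers you trust are reliable; here Yahoo's MTA
    vouches for server3.unifiedns.com, and that relay recorded the client."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(hdr)
        if m:
            hops.append(m.groups())
    return hops

def origin_ip(raw):
    chain = received_chain(raw)
    return chain[0][1] if chain else None

def real_host(url):
    """The host the browser actually connects to, whatever the path looks like."""
    return (urlparse(url).hostname or "").lower()

def is_brand_lookalike(url, brand):
    """True when the brand's domain appears in the URL but the connecting host
    is neither that domain nor a subdomain of it (e.g. 'signin.ebay.com' as
    a path segment under shop.whg-walzstahl.de)."""
    host = real_host(url)
    under_brand = host == brand or host.endswith("." + brand)
    return brand in url.lower() and not under_brand

if __name__ == "__main__":
    for name, ip, relay in received_chain(RAW_HEADERS):
        print(f"{name} [{ip}] -> {relay}")
    print("origin:", origin_ip(RAW_HEADERS), "| real host:", real_host(PHISH_URL),
          "| lookalike:", is_brand_lookalike(PHISH_URL, "ebay.com"))
```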


Let's look these up.

Client is here:
http://www.dnsstuff.com/tools/ipall.ch?domain=86.107.49.159

IP address: 86.107.49.159
Reverse DNS: 86-107-49-159.asconet.ro.
Reverse DNS authenticity: [Verified]
ASN: 0
ASN Name: IANA-RSVD-0
IP range connectivity: 0
Registrar (per ASN): Unknown
Country (per IP registrar): RO [Romania]
Country Currency: ROL [Romania Lei]
Country IP Range: 86.104.0.0 to 86.107.255.255
Country fraud profile: High

ISP info in Romania as follows:

inetnum: 86.107.48.0 - 86.107.55.255
netname: SC-ASCO-SYSTEMS-SRL
descr: SC Asco Systems SRL
descr: Calea Dumbravii nr.89
descr: Sibiu 550399 Romania
country: ro
admin-c: AN951-RIPE
tech-c: AN951-RIPE
status: ASSIGNED PA
remarks: Registered trough http://www.jump.ro/ip.html
mnt-by: RO-MNT
mnt-lower: RO-MNT
mnt-routes: ASCONET-MNT
changed: hostmaster@jump.ro 20051114
source: RIPE

role: Asconet NOC
address: Calea Dumnbravii nr.89
address: 550399 Sibiu, Romania
phone: +40269233914
phone: +40369591003
phone: +40788327170
fax-no: +40269214505
org: ORG-AA80-RIPE
e-mail: tech@asconet.ro
admin-c: EC655-RIPE
admin-c: OC297-RIPE
admin-c: SL1371-RIPE
tech-c: EC655-RIPE
tech-c: OC297-RIPE
nic-hdl: AN951-RIPE
remarks: Spam mail/news complaints: abuse@asconet.ro
remarks: Security complaints: abuse@asconet.ro
remarks: Call center (24x7) +40269233914
abuse-mailbox: abuse@asconet.ro
notify: tech@asconet.ro
mnt-by: ASCONET-MNT
changed: hostmaster@asconet.ro 20031009
changed: hostmaster@asconet.ro 20031010
changed: hostmaster@asconet.ro 20040724
changed: hostmaster@asconet.ro 20051016
source: RIPE

% Information related to '86.107.48.0/21AS29523'

route: 86.107.48.0/21
descr: Asco Networks
origin: AS29523
mnt-by: ASCONET-MNT
changed: hostmaster@asconet.ro 20051115
source: RIPE

The email server is server3.unifiedns.com (63.247.69.130)
Link is here: http://www.dnsstuff.com/tools/ipall.ch?domain=63.247.69.130

WHOIS info for this netblock is:
OrgName: Global Net Access, LLC
OrgID: GNAL-2
Address: 55 Marietta St, NW
Address: Suite 1720
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US

ReferralServer: rwhois://rwhois.gnax.net:4321

NetRange: 63.247.64.0 - 63.247.95.255
CIDR: 63.247.64.0/19
NetName: GNAXNET
NetHandle: NET-63-247-64-0-1
Parent: NET-63-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.GNAX.NET
NameServer: DNS2.GNAX.NET
Comment: Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment: Comment: ********************************************
Comment: Comment: Reassignment information for this block is
Comment: Comment: available at rwhois.gnax.net port 4321
Comment: Comment: ********************************************
RegDate: 2003-04-11
Updated: 2004-02-06

OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-404-230-9150
OrgAbuseEmail: abuse@gnax.net

WHOIS info on server3.unifiedns.com is locked. Don't know who owns the domain...


And the web server that's serving up this tasty phish treat is here:

http://www.dnsstuff.com/tools/ipall.ch?domain=83.236.133.102


IP address: 83.236.133.102
Reverse DNS: port-83-236-133-102.static.qsc.de.
Reverse DNS authenticity: [Verified]
ASN: 20676
ASN Name: QSC-1 (QSC AG)
IP range connectivity: 4
Registrar (per ASN): RIPE
Country (per IP registrar): DE [Germany]
Country Currency: EUR [euros]
Country IP Range: 83.236.0.0 to 83.236.255.255
Country fraud profile: Normal
City (per outside source): Frankfurt, Hessen
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
Link for WHOIS: 83.236.133.102

http://shop.whg-walzstahl.de/.sign/eBayISAPI.dllSignInco_partnerIdpUserIdsiteidpageTypepa1i1bshowgifUsingSSL862984con462msgMNSIEhufem37ajhd84Sllencrypt378/signin.ebay.com/

Here is a port scan. It's running Apache on Suse Linux.



The web server (shop.whg-walzstahl.de) resolves to: 83.236.133.102

http://www.dnsstuff.com/tools/ipall.ch?domain=83.236.133.102

This is the domain info:


Domain: whg-walzstahl.de
Nserver: ns01.qsc.de
Nserver: ns02.qsc.de
Status: connect
Changed: 2005-12-03T07:18:29+01:00

[Holder]
Type: PERSON
Name: The Company
Address: WHG WALZSTAHL Handels GmbH&Co. KG
Address: Uferstr. 14
Pcode: 45881
City: Gelsenkirchen
Country: DE
Changed: 2005-12-03T06:58:06+01:00

[Admin-C]
Type: PERSON
Name: Renate Behrs
Address: WHG WALZSTAHL Handels GmbH&Co. KG
Address: Uferstr. 14
Pcode: 45881
City: Gelsenkirchen
Country: DE
Changed: 2005-12-02T21:19:07+01:00

[Tech-C][Zone-C]
Type: PERSON
Name: The BDSL-Support
Address: QSC AG
Address: Mathias-Brueggen-Str. 55
Pcode: 50829
City: Koeln
Country: DE
Phone: +4942120259876
Fax: +494212025969
Email: bdsl-support@qsc.de
Changed: 2005-09-07T09:05:08+02:00


And this is the netblock information:

inetnum: 83.236.133.102 - 83.236.133.102
netname: QSC-CUSTOMER-538736-105045
descr: WHG Walzstahl-GmbH &
country: DE
admin-c: QSC1-RIPE
tech-c: QSC1-RIPE
status: ASSIGNED PA
mnt-by: QSC-NOC
mnt-lower: QSC-NOC
changed: inetnum-robot@qsc.de 20060331
source: RIPE

role: QSC Internet Services
address: QSC AG
address: Mathias-Brueggen-Str. 55
address: D-50829 Koeln
address: Germany
phone: +49 221 66 98 000
fax-no: +49 221 66 98 009
e-mail: abuse@qsc.de
remarks: ********************************************
remarks: QSC AG - Network Design Department
remarks:
remarks: Fuer Fragen zu SPAM, Portscans, Trojanern
remarks: usw. wenden Sie sich bitte an abuse@qsc.de
remarks:
remarks: To report SPAM/UCE/Portscans/Hacks please
remarks: contact abuse@qsc.de.
remarks:
remarks: For peering requests, BGP policy changes
remarks: etc. contact peering@NOSPAM.qsc.de. For
remarks: Routing issues noc-ip@NOSPAM.qsc.de. Please
remarks: remove NOSPAM. from email address.
remarks: ********************************************
admin-c: RH168-RIPE
tech-c: RH168-RIPE
tech-c: OS101-RIPE
tech-c: RW590-RIPE
tech-c: BF359-RIPE
tech-c: MD1900-RIPE
nic-hdl: QSC1-RIPE
mnt-by: QSC-NOC
changed: rha@NOSPAM.qsc.de 20040127
source: RIPE

% Information related to '83.236.0.0/16AS20676'

route: 83.236.0.0/16
descr: QSC AG
origin: AS20676
mnt-by: QSC-NOC
mnt-lower: QSC-NOC
changed: ralf.weber@NOSPAM.qsc.de 20040212
source: RIPE

OK, so email these people about the client who sent out these emails:

The ISP in Romania: abuse@asconet.ro
The email server: server3.unifiedns.com netblock owner abuse@gnax.net
The web admin: abuse@qsc.de postmaster@unifiedns.com

OK, job's done. Who wants some phish for dinner?
