Mr. Phish Finder

Romania emailed me with some pfresh phish!

2006-05-10T21:38:00.000-07:00

Romania emailed me with some pfresh phish!

Oh Dear another eBay unpaid item dispute today! Whatever shall I do.

Here is the latest scam to hit my inbox today.

Looks like the client sending this is in Romania : 86-107-49-159.asconet.ro (86.107.49.159)

X-Apparently-To: mrlinuxhead@yahoo.com via 68.142.200.99; Wed, 10 May 2006 17:26:38 -0700
X-Originating-IP: [63.247.69.130]
Return-Path:
Authentication-Results: mta180.mail.re4.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 63.247.69.130 (EHLO server3.unifiedns.com) (63.247.69.130) by mta180.mail.re4.yahoo.com with SMTP; Wed, 10 May 2006 17:26:36 -0700
Received: from 86-107-49-159.asconet.ro ([86.107.49.159] helo=User) by server3.unifiedns.com with esmtpa (Exim 4.52) id 1Fdz0J-0006v8-EQ; Wed, 10 May 2006 20:26:07 -0400
Reply-to:
From: "eBay" Add to Address BookAdd to Address Book Add Mobile Alert
Subject: eBay Unpaid Item Dispute #4870988286 -- response required
Date: Thu, 11 May 2006 03:27:55 +0300
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server3.unifiedns.com
X-AntiAbuse: Original Domain - yahoo.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - ebay.com
X-Source:
X-Source-Args:
X-Source-Dir:
Content-Length: 688

eBay Unpaid Item Dispute #4870988286 -- response required

Dear member,

eBay member alkaza has indicated that they already paid for item #4870988286

Review the submitted details regarding the payment.

Regards,
eBay International AG

Here is the URL of the scammers:
http://shop.whg-walzstahl.de/.sign/eBayISAPI.dllSignInco_partnerIdpUserIdsiteidpageTypepa1i1bshowgifUsingSSL862984con462msgMNSIEhufem37ajhd84Sllencrypt378/signin.ebay.com/

Lets look these up.

Client is here:
http://www.dnsstuff.com/tools/ipall.ch?domain=86.107.49.159

IP address: 86.107.49.159
Reverse DNS: 86-107-49-159.asconet.ro.
Reverse DNS authenticity: [Verified]
ASN: 0
ASN Name: IANA-RSVD-0
IP range connectivity: 0
Registrar (per ASN): Unknown
Country (per IP registrar): RO [Romania]
Country Currency: ROL [Romania Lei]
Country IP Range: 86.104.0.0 to 86.107.255.255
Country fraud profile: High

ISP info in Romania as follows:

inetnum: 86.107.48.0 - 86.107.55.255
netname: SC-ASCO-SYSTEMS-SRL
descr: SC Asco Systems SRL
descr: Calea Dumbravii nr.89
descr: Sibiu 550399 Romania
country: ro
admin-c: AN951-RIPE
tech-c: AN951-RIPE
status: ASSIGNED PA
remarks: Registered trough http://www.jump.ro/ip.html
mnt-by: RO-MNT
mnt-lower: RO-MNT
mnt-routes: ASCONET-MNT
changed: hostmaster@jump.ro 20051114
source: RIPE

role: Asconet NOC
address: Calea Dumnbravii nr.89
address: 550399 Sibiu, Romania
phone: +40269233914
phone: +40369591003
phone: +40788327170
fax-no: +40269214505
org: ORG-AA80-RIPE
e-mail: tech@asconet.ro
admin-c: EC655-RIPE
admin-c: OC297-RIPE
admin-c: SL1371-RIPE
tech-c: EC655-RIPE
tech-c: OC297-RIPE
nic-hdl: AN951-RIPE
remarks: Spam mail/news complaints: abuse@asconet.ro
remarks: Security complaints: abuse@asconet.ro
remarks: Call center (24x7) +40269233914
abuse-mailbox: abuse@asconet.ro
notify: tech@asconet.ro
mnt-by: ASCONET-MNT
changed: hostmaster@asconet.ro 20031009
changed: hostmaster@asconet.ro 20031010
changed: hostmaster@asconet.ro 20040724
changed: hostmaster@asconet.ro 20051016
source: RIPE

% Information related to '86.107.48.0/21AS29523'

route: 86.107.48.0/21
descr: Asco Networks
origin: AS29523
mnt-by: ASCONET-MNT
changed: hostmaster@asconet.ro 20051115
source: RIPE

The email server is server3.unifiedns.com (63.247.69.130)
Link is here: http://www.dnsstuff.com/tools/ipall.ch?domain=63.247.69.130

WHOIS info for this netblock is:
OrgName: Global Net Access, LLC
OrgID: GNAL-2
Address: 55 Marietta St, NW
Address: Suite 1720
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US

ReferralServer: rwhois://rwhois.gnax.net:4321

NetRange: 63.247.64.0 - 63.247.95.255
CIDR: 63.247.64.0/19
NetName: GNAXNET
NetHandle: NET-63-247-64-0-1
Parent: NET-63-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.GNAX.NET
NameServer: DNS2.GNAX.NET
Comment: Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment: Comment: ********************************************
Comment: Comment: Reassignment information for this block is
Comment: Comment: available at rwhois.gnax.net port 4321
Comment: Comment: ********************************************
RegDate: 2003-04-11
Updated: 2004-02-06

OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-404-230-9150
OrgAbuseEmail: abuse@gnax.net

WHOIS info on server3.unifiedns.com is locked. Don't know who owns the domain...

And the web server that's serveing up this tasty phish treat is here:

http://www.dnsstuff.com/tools/ipall.ch?domain=83.236.133.102

IP address: 83.236.133.102
Reverse DNS: port-83-236-133-102.static.qsc.de.
Reverse DNS authenticity: [Verified]
ASN: 20676
ASN Name: QSC-1 (QSC AG)
IP range connectivity: 4
Registrar (per ASN): RIPE
Country (per IP registrar): DE [Germany]
Country Currency: EUR [euros]
Country IP Range: 83.236.0.0 to 83.236.255.255
Country fraud profile: Normal
City (per outside source): Frankfurt, Hessen
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
Link for WHOIS: 83.236.133.102

http://shop.whg-walzstahl.de/.sign/eBayISAPI.dllSignInco_partnerIdpUserIdsiteidpageTypepa1i1bshowgifUsingSSL862984con462msgMNSIEhufem37ajhd84Sllencrypt378/signin.ebay.com/

Here is a port scan. It's running Apache on Suse Linux.

The web server (shop.whg-walzstahl.de) resolves to : 83.236.133.102

http://www.dnsstuff.com/tools/ipall.ch?domain=83.236.133.102

This is the domain info..

Domain: whg-walzstahl.de
Nserver: ns01.qsc.de
Nserver: ns02.qsc.de
Status: connect
Changed: 2005-12-03T07:18:29+01:00

[Holder]
Type: PERSON
Name: The Company
Address: WHG WALZSTAHL Handels GmbH&Co. KG
Address: Uferstr. 14
Pcode: 45881
City: Gelsenkirchen
Country: DE
Changed: 2005-12-03T06:58:06+01:00

[Admin-C]
Type: PERSON
Name: Renate Behrs
Address: WHG WALZSTAHL Handels GmbH&Co. KG
Address: Uferstr. 14
Pcode: 45881
City: Gelsenkirchen
Country: DE
Changed: 2005-12-02T21:19:07+01:00

[Tech-C][Zone-C]
Type: PERSON
Name: The BDSL-Support
Address: QSC AG
Address: Mathias-Brueggen-Str. 55
Pcode: 50829
City: Koeln
Country: DE
Phone: +4942120259876
Fax: +494212025969
Email: bdsl-support@qsc.de
Changed: 2005-09-07T09:05:08+02:00

And this is the netblock information:

inetnum: 83.236.133.102 - 83.236.133.102
netname: QSC-CUSTOMER-538736-105045
descr: WHG Walzstahl-GmbH &
country: DE
admin-c: QSC1-RIPE
tech-c: QSC1-RIPE
status: ASSIGNED PA
mnt-by: QSC-NOC
mnt-lower: QSC-NOC
changed: inetnum-robot@qsc.de 20060331
source: RIPE

role: QSC Internet Services
address: QSC AG
address: Mathias-Brueggen-Str. 55
address: D-50829 Koeln
address: Germany
phone: +49 221 66 98 000
fax-no: +49 221 66 98 009
e-mail: abuse@qsc.de
remarks: ********************************************
remarks: QSC AG - Network Design Department
remarks:
remarks: Fuer Fragen zu SPAM, Portscans, Trojanern
remarks: usw. wenden Sie sich bitte an abuse@qsc.de
remarks:
remarks: To report SPAM/UCE/Portscans/Hacks please
remarks: contact abuse@qsc.de.
remarks:
remarks: For peering requests, BGP policy changes
remarks: etc. contact peering@NOSPAM.qsc.de. For
remarks: Routing issues noc-ip@NOSPAM.qsc.de. Please
remarks: remove NOSPAM. from email address.
remarks: ********************************************
admin-c: RH168-RIPE
tech-c: RH168-RIPE
tech-c: OS101-RIPE
tech-c: RW590-RIPE
tech-c: BF359-RIPE
tech-c: MD1900-RIPE
nic-hdl: QSC1-RIPE
mnt-by: QSC-NOC
changed: rha@NOSPAM.qsc.de 20040127
source: RIPE

% Information related to '83.236.0.0/16AS20676'

route: 83.236.0.0/16
descr: QSC AG
origin: AS20676
mnt-by: QSC-NOC
mnt-lower: QSC-NOC
changed: ralf.weber@NOSPAM.qsc.de 20040212
source: RIPE

OK, So email these people about the client who sent out these emails:

The ISP in Romainia : abuse@asconet.ro
The email server : server3.unifiedns.com netblock owner abuse@gnax.net
The web admin : abuse@qsc.de postmaster@unifiedns.com

OK jobs done. Who wants some phish for dinner?

Fresh Phish meat to hunt down and kill today!

2006-05-09T04:56:00.000-07:00

Hi all,

I love Fresh Phish in the morning!

Here is the headers and body of another phish email today. These people give me cramps.

I sent it to spoof@ebay.com and pasted the URL into phishfighting.com. Go Go Go!

Return-Path:
Authentication-Results: mta163.mail.mud.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 208.187.180.4 (EHLO web1.octelecom.net) (208.187.180.4) by mta163.mail.mud.yahoo.com with SMTP; Tue, 09 May 2006 02:05:11 -0700
Received: from web1.octelecom.net (localhost.localdomain [127.0.0.1]) by web1.octelecom.net (8.13.1/8.13.1) with ESMTP id k499EL4f022387 for ; Tue, 9 May 2006 03:14:21 -0600
Received: (from test@localhost) by web1.octelecom.net (8.13.1/8.13.1/Submit) id k499ELag022384 for mrlinuxhead@yahoo.com; Tue, 9 May 2006 03:14:21 -0600
Date: Tue, 9 May 2006 03:14:21 -0600
To: mrlinuxhead@yahoo.com
Subject: eBay Member wandasales
Message-ID: <1147166061.70001.qmail@paypal>
From: aw-confirm@ebay.com Add to Address BookAdd to Address Book Add Mobile Alert
Content-Type: text/html
Content-Length: 3699

Â Question from wandasales
Item: (6876616738)
This message was sent while the listing was active.
wandasales is a potential buyer.
Hello, What would the shipping cost be to West Virginia zip code 25511?

Email server is at : 208.187.180.4

Here is a port scan.

Just a RH Linux box with too many ports open. Gee I wonder if the owner knows they are sending this crap out? Let see.

Using DNSStuff.com I see the box is at:

IP address: 208.187.180.4
Reverse DNS: web1.octelecom.net.
Reverse DNS authenticity: [Verified]
ASN: 29933
ASN Name: OFF-CAMPUS-TELECOMMUNICATIONS
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 208.184.0.0 to 208.191.255.255
Country fraud profile: Normal
City (per outside source): Provo, Utah

It looks like a campus ISP that is in Provo Utah.

No email address for them but a phone number - call us at 379-3000
(toll-free 1-800-370-1106)
We're located in Provo at 379 North University Avenue, Suite 301.

Well let's call them up and tell them they have a bad person using their RH server.

WHOIS info is blocked but I can probably find the email address.

On to the web site stealing people's passwords and user id's.

Real URL of the scam is at: http://216.122.128.59/~admin/%20%20/index.html

Going back to DNSStuff.com I learn that:

IP address:                     216.122.128.59
Reverse DNS:                    r59-128-dsl.sea.lightrealm.net.
Reverse DNS authenticity:       [Could be forged: hostname r59-128-dsl.sea.lightrealm.net. does not exist]
ASN:                            11305
ASN Name:                       INTERLAND-NET1
IP range connectivity:          1
Registrar (per ASN):            ARIN
Country (per IP registrar):     US [United States]
Country Currency:               USD [United States Dollars]
Country IP Range:               216.122.0.0 to 216.122.255.255
Country fraud profile:          Normal
City (per outside source):      Kirkland, Washington

Gotcha sucker, you are in the USA. Busted. Phish fry today!

Looks like Lightrealm is getting upstream pipe from Interland.

Interland, Inc. LR-BLK4 (NET-216-122-0-0-1)
216.122.0.0 - 216.122.255.255
Lightrealm, Inc. LR-ISP-GTEDHCP4-DSL (NET-216-122-128-0-1)
216.122.128.0 - 216.122.128.255

A Google for Lightrealm points to http://www.lightrealm.net/

It's a web hosting company. No surprise there.

"Get your own web site, share your special day!" is on the home page.

One that looks like eBay login page? Maybe that's not what thay had in mind.

Interland is a mass reseller of web hosts and a co-location facillity.

I used to work for a company that was bought by them, Hostcentric.

Here is a port scan of the host:

The web server is running Apache on FreeBSD, got sendmail running as well.

Email server is running as bearcomp.net. Hmm. Who are they?

Asking b.ns.interland.net. for 59.128.122.216.in-addr.arpa PTR record:
Reports r59-128-dsl.sea.lightrealm.net. [from 69.0.145.33]

Answer:
216.122.128.59 PTR record: r59-128-dsl.sea.lightrealm.net. [TTL 1800s] [A=None]
*ERROR* There is no A record (may be cached).

That's our boy! I next find out who runs bearcomp.net with our trusty WHOIS lookup.

	SoftPaw
	41064 Riverock Lane
	Palmdale, CA 93551-1834
	US

	Domain Name: BEARCOMP.NET

	Administrative Contact :
	Hess, John
	jhh@bearcomp.net
	41064 Riverock Lane
	Palmdale, CA 93551-1834
	US
	Phone: 800-725-8910
	Fax: (661) 722-9010

	Record expires on 26-Aug-2006
	Record created on 19-May-2004
	Database last updated on 13-Jun-2005

OK game over. Let's call the cops in Palmdale and have them let Mr. Hess know his server is behaving badly.

Paypay scam site from Russia - nnov.ru - KIS.RU

2006-04-30T11:00:00.000-07:00

Got another Phisherman" today. Seems my PAypal account is in danger! OOOH!
I set the link to spoof@paypal.com and pasted the URL into phishfighting.com.

Phony PayPal URL points to:
http://a.citron.nnov.ru/~test/%20/.paypal.com/link.php

Here is the full headers from the bogus email:

X-Apparently-To: mrlinuxhead@yahoo.com via 68.142.207.121; Sun, 30 Apr 2006 05:03:13 -0700
X-YahooFilteredBulk: 61.78.62.237
X-Originating-IP: [61.78.62.237]
Return-Path:
Authentication-Results: mta222.mail.mud.yahoo.com from=paypal.com; domainkeys=neutral (no sig)
Received: from 61.78.62.237 (EHLO localhost.localdomain) (61.78.62.237) by mta222.mail.mud.yahoo.com with SMTP; Sun, 30 Apr 2006 05:03:13 -0700
Received: from localhost.localdomain (dbslow [127.0.0.1]) by localhost.localdomain (8.13.1/8.13.1) with ESMTP id k3UBugDJ006814 for ; Sun, 30 Apr 2006 20:56:42 +0900
Received: (from mysql@localhost) by localhost.localdomain (8.13.1/8.13.1/Submit) id k3UBugwh006813; Sun, 30 Apr 2006 20:56:42 +0900
Date: Sun, 30 Apr 2006 20:56:42 +0900
Message-Id: <200604301156.k3ubugwh006813@localhost.localdomain>
To: mrlinuxhead@yahoo.com
Subject: Restore Your Account Access - mrlinuxhead@yahoo.com (Routing Code: C840-L1581-Q120-1937)
From: "PayPal Security Service" Add to Address BookAdd to Address Book Add Mobile Alert
Content-Type: multipart/alternative; boundary="msg_boundary_0000-03"
Content-Length: 1653

Dear mrlinuxhead@yahoo.com,

It has come to our attention that your PayPal® account information needs to be
updated as part of our continuing commitment to protect your account and to
reduce the instance of fraud on our website. If you could please take 5-10 minutes
out of your online experience and update your personal records you will not run into
any future problems with the online service.

However, failure to update your records will result in account suspension.
Please update your records on or before May 03, 2006.

Once you have updated your account records, your PayPal® session will not be
interrupted and will continue as normal.

To update your PayPal® records click on the following link:
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/restrictedaccounts.asp

Thank You.
PayPal® UPDATE TEAM

Accounts Management As outlined in our User Agreement, PayPal® will
periodically send you information about site changes and enhancements.

Visit our Privacy Policy and User Agreement if you have any questions.
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/ua/policy_privacy-outside

Email header points to this box as the SMTP server

IP address: 61.78.62.237
Reverse DNS: [No reverse DNS entry per ns1.siidc.net.]
Reverse DNS authenticity: [Unknown]
ASN: 4766
ASN Name: KIXS-AS-KR (Korea Telecom)
IP range connectivity: 5
Registrar (per ASN): APNIC
Country (per IP registrar): KR [Korea-KR]
Country Currency: KRW [Korea (South) Won]
Country IP Range: 61.72.0.0 to 61.79.255.255
Country fraud profile: Normal
City (per outside source): Seoul, Kyonggi-Do
Private (internal) IP? No
IP address registrar: whois.apnic.net
Known Proxy? No

This is where the phoney PayPal site is located

195.98.59.34 PTR record: a.citron.nnov.ru. [TTL 86400s] [A=195.98.59.34]

WHOIS - NNOV.RU

domain: NNOV.RU
type: GEOGRAPHICAL
descr: Public geographical domain
descr: for Nizhny Novgorod region
descr: supported by Agenstvo Delovoj Svjazi, Ltd.
nserver: ns.kis.ru.
nserver: ns.nnov.ru. 195.98.32.114
nserver: ns1.cityline.ru.
nserver: ns1.kis.ru.
nserver: ns2.kis.ru.
state: REGISTERED, DELEGATED
org: "Agenstvo Delovoj Svjazi", Ltd
phone: +7 8312 777777
fax-no: +7 8312 777771
e-mail: agency@bca.ru
registrar: RIPN-REG-RIPN
created: 1996.10.23
paid-till: 2006.11.01
source: TC-RIPN

domain: NNOV.RU
type: GEOGRAPHICAL
descr: Public geographical domain
descr: for Nizhny Novgorod region
descr: supported by Agenstvo Delovoj Svjazi, Ltd.
admin-o: ADSL-ORG-RIPN
nserver: ns.kis.ru.
nserver: ns.nnov.ru. 195.98.32.114
nserver: ns1.cityline.ru.
nserver: ns1.kis.ru.
nserver: ns2.kis.ru.
created: 1996.10.23
state: Delegated till 2007.03.01
changed: 2003.10.07
mnt-by: ADSL-MNT-RIPN
source: RIPN

org: "Agenstvo Delovoj Svjazi", Ltd
nic-hdl: ADSL-ORG-RIPN
admin-c: DM59-RIPE
admin-c: ZOV3-RIPN
bill-c: DM59-RIPE
bill-c: DV15-RIPE
bill-c: AS14618-RIPE
bill-c: ZOV3-RIPN
phone: +7 8312 777777
fax-no: +7 8312 777771
e-mail: agency@bca.ru
changed: 2004.10.06
mnt-by: ADSL-MNT-RIPN
source: RIPN

person: OLGA V ZAHRYAPINA
nic-hdl: ZOV3-RIPN
phone: +7 8312 777777
e-mail: olya@bca.ru
changed: 2004.10.06
mnt-by: ADSL-MNT-RIPN
source: RIPN

Last updated on 2006.04.12 04:43:49 MSK/MSD

DNS entries for nnov.ru

nnov.ru. A IN 86400 195.98.32.114
nnov.ru. NS IN 86400 ns.nnov.ru.
nnov.ru. NS IN 86400 ns.kis.ru.
nnov.ru. NS IN 86400 ns1.kis.ru.
nnov.ru. NS IN 86400 ns2.kis.ru.
nnov.ru. NS IN 86400 ns1.cityline.ru.
ns.nnov.ru. A IN 86400 195.98.32.114
ns.kis.ru. A IN 44456 195.98.32.193
ns1.kis.ru. A IN 44456 195.98.32.200
ns2.kis.ru. A IN 56534 195.98.51.60
ns1.cityline.ru. A IN 217645 195.46.160.1

IP Info on nnov.ru

IP address: 195.98.32.114
Reverse DNS: nnov.kis.ru.
Reverse DNS authenticity: [Verified]
ASN: 8371
ASN Name: KIS-ADS (Commercial Information Networks)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): RU [Russian Federation]
Country Currency: RUR [Russia Rubles]
Country IP Range: 195.98.32.0 to 195.98.63.255
Country fraud profile: High
City (per outside source): New Westminster, British Columbia
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No

KIS.RU

domain: KIS.RU
type: CORPORATE
nserver: ns.kis.ru. 195.98.32.193
nserver: ns1.kis.ru. 195.98.32.200
nserver: ns2.kis.ru. 195.98.51.60
state: REGISTERED, DELEGATED
org: "Agenstvo Delovoj Svjazi", Ltd
phone: +7 8312 777777
fax-no: +7 8312 777771
e-mail: www@bca.ru
registrar: RUCENTER-REG-RIPN
created: 1996.09.14
paid-till: 2006.10.01
source: TC-RIPN

So it seems that this NNOV.RU is aucually a sub-domain of KIS.RU

Some body email this clown and tell him to shut it down ??

www@bca.ru
olya@bca.ru

Another ebay scammer from Finland...

2006-04-26T18:37:00.000-07:00

Another ebay scammer at this address:

http://1044980011/%20/signin.ebay.com/ws/eBayISAPI/index.html

Pasted it into Phishfighing. com and emailed ebay and the ISP in Finland.

http://1044980011/%20/signin.ebay.com/ws/eBayISAPI/index.html

resolves to 62.73.33.43

WHOIS info on 62.73.33.43

IP address: 62.73.33.43
Reverse DNS: [No reverse DNS entry per ns1.auria.fi.]
Reverse DNS authenticity: [Unknown]
ASN: 16044
ASN Name: AURIA (Auria Oy)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): FI [Finland]
Country Currency: EUR [euros]
Country IP Range: 62.73.32.0 to 62.73.63.255
Country fraud profile: Normal
City (per outside source): Unknown
Private (internal) IP? No

inetnum: 62.73.33.0 - 62.73.33.127
netname: AURIA-NET
descr: AURIA Turun Puhelin Oy
descr: Game server pool
descr: DATA-4
descr: 20810, Turku
country: FI
admin-c: KPM-RIPE
tech-c: HOST7-RIPE
status: ASSIGNED PA
remarks: ---------------------------------------------------------
remarks: Please send abuse and spam notifications to abuse@auria.fi
remarks: ---------------------------------------------------------
remarks: INFRA-AW
notify: hostmaster@auria.fi
mnt-by: AURIATP-MNT
changed: kari.solja@auria.fi 20040802
source: RIPE

role: Auria Hostmaster
address: Auria Oy
address: RIPE management
address: PL 231
address: 20101 Turku
phone: +358 2 262121
fax-no: +358 2 261975
e-mail: hostmaster@auria.fi
remarks: trouble: Please send abuse and spam notifications to abuse@auria.fi
remarks: trouble: General information: http://www.auria.fi/
admin-c: KS1112-RIPE
tech-c: MH14627-RIPE
tech-c: RM7972-RIPE
tech-c: KK2824-RIPE
tech-c: JO2466-RIPE
tech-c: KS1112-RIPE
nic-hdl: HOST7-RIPE
notify: hostmaster@auria.fi
mnt-by: AURIATP-MNT
changed: rolf.moller@auria.fi 20041123
source: RIPE
abuse-mailbox: abuse@auria.fi

person: Kimmo Murto
address: Turku Telephone Company
address: Linnankatu 4, FIN-20100 Turku
address: Finland
phone: +358 2 262 1584
fax-no: +358 2 250 0417
e-mail: Kimmo.Murto@turunpuhelin.fi
nic-hdl: KPM-RIPE
changed: hostmaster@kolumbus.fi 19981221
source: RIPE

% Information related to '62.73.32.0/19AS16044'

route: 62.73.32.0/19
descr: Turun Puhelin Oy
origin: AS16044
notify: hostmaster@auria.fi
mnt-by: AURIATP-MNT
changed: marko.hakkarainen@auria.fi 20021014
source: RIPE

Sure. I trust you. Lets fry this clown. mmjd1996

2006-04-26T18:36:00.000-07:00

Another email from another eBay customer.
Sure. I trust you. Lets fry this clown..

Here is the text of the scam email :

Ã Question from mmjd1996
Item: (4629414062)
This message was sent while the listing was active.
mmjd1996 is a potential buyer.
Hi, how much would be shipping to Germany? Thanks

Using DNSStuff.com I find out our scammers IP address.

eBay.com URL points to:
http://1393442438/img/...bleh/signin.ebay.com/ws/eBayISAPI.dll/SignIn.htm

1393442438 is decimal for 83.14.62.134

Seems to be a box on some DSL line in Poland..

IP address: 83.14.62.134
Reverse DNS: dyk134.internetdsl.tpnet.pl.
Reverse DNS authenticity: [Verified]
ASN: 5617
ASN Name: TPNET (Polish Telecom's commercial IP network)
IP range connectivity: 2
Registrar (per ASN): RIPE
Country (per IP registrar): PL [Poland]
Country Currency: PLN [Poland Zlotych]
Country IP Range: 83.0.0.0 to 83.31.255.255

The ISP is Poland Telecom. Here are the ISP contact numbers and email addresses.

role: TP S.A. Hostmaster
address: TP S.A. "POLPAK"
address: ul. Nowogrodzka 47A
address: 00-695 Warszawa
address: Poland
phone: +48 22 6252383
fax-no: +48 22 6225182
remarks: trouble: Network problems: hostmaster@tpnet.pl
remarks: trouble: Abuse and spam notification: abuse@tpnet.pl
remarks: trouble: DNS problems: dns@tpnet.pl
remarks: trouble: Routing problems: registry@tpnet.pl
admin-c: TK569-RIPE
tech-c: TK569-RIPE
tech-c: JS1838-RIPE
nic-hdl: TPHT
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
remarks: Please send spam and abuse notification only to abuse@tpnet.pl
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
mnt-by: TPNET
e-mail: hostmaster@tpnet.pl
abuse-mailbox: abuse@tpnet.pl
changed: hostmaster@tpnet.pl 20030122
changed: hostmaster@tpnet.pl 20030904
changed: hostmaster@tpnet.pl 20060306
source: RIPE

Port scan shows nothing but FTP and SSH. No UDP ports open.

So I shoot a quick email to the boys at Polish Telecom (abuse@tpnet.pl).

I also paste the bougus URL into PhishFighing.com.
(That feeds our "Phisherman" with hundreds of bogus usernames and passwords.)

That should keep him busy for a few days.

Just another day ho hum.

Another eBay scam artist emailed me tonight blackstump.com.au

2006-04-26T10:40:00.000-07:00

Another eBay scam artist emailed me tonight. This one was just a little different.

I guess now I have an "Unpaid Item Dispute" Points to 209.216.209.10 as the mail server.

Here is the full email headers and all..

X-Apparently-To: mrlinuxhead@yahoo.com via 68.142.207.116; Mon, 24 Apr 2006 15:56:29 -0700
X-Originating-IP: [209.216.209.10]
Return-Path:
Authentication-Results: mta244.mail.re2.yahoo.com from=ebay.com; domainkeys=neutral (no sig)
Received: from 209.216.209.10 (EHLO admin.blackstump.com.au) (209.216.209.10) by mta244.mail.re2.yahoo.com with SMTP; Mon, 24 Apr 2006 15:56:29 -0700
Received: (qmail 15991 invoked by uid 10018); 24 Apr 2006 15:35:41 -0700
Date: 24 Apr 2006 15:35:41 -0700
Message-ID: <20060424223541.15990.qmail@admin.blackstump.com.au>
To: mrlinuxhead@yahoo.com
Subject: eBay Unpaid Item Dispute #4858411651 -- response required
From: aw-confirm@ebay.com

eBay Unpaid Item Dispute #4858411651 -- response required

Dear member,
eBay member moviemars-uk has indicated that they already paid for item #4858411651
Review the submitted details regarding the payment.

Regards,
eBay International AG

Bogus eBay link points to:
http://ns1.zerotrance.net/.sign/eBayISAPI.dllSignInco_partnerIdpUserIdsiteidpageTypepa1i1bshowgifUsingSSL862984con462msgMNSIEhufem37ajhd84Sllencrypt378/signin.ebay.com/

Of couse I email "spoof@ebay.com and paste the bogus link into phishfighting.com.

Using DNSStuff let's see who we are dealing with....

The IP address of the email relay is: 209.216.209.10

And they are .... in San Diego, Califorina. Busted.
This is just the email server that delivered the scam email.

IP address: 209.216.209.10
Reverse DNS: admin.blackstump.com.au.
Reverse DNS authenticity: [Verified]
ASN: 6130
ASN Name: ADN-WEST
IP range connectivity: 0
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 209.216.192.0 to 209.216.255.255
Country fraud profile: Normal
City (per outside source): San Diego, California
Private (internal) IP? No

Sneaky little bastards blocked the WHOIS lookup, but I got the DNS servers..

blackstump.com.au. A IN 3600 209.216.209.10
blackstump.com.au. NS IN 3600 ns2.webintellects.com.
blackstump.com.au. NS IN 3600 ns1.webintellects.com.
ns2.webintellects.com. A IN 3600 209.126.236.3
ns1.webintellects.com. A IN 3600 209.216.201.3

Now lets see who is hosting the bogus web site. . .

ns1.zerotrance.net. A IN 172800 85.234.144.88
zerotrance.net. NS IN 172800 ns1.zerotrance.net.
zerotrance.net. NS IN 172800 ns2.zerotrance.net.
ns1.zerotrance.net. A IN 172800 85.234.144.88
ns2.zerotrance.net. A IN 172800 85.234.144.89

Chatchy name, eh? 85.234.144.88 is the IP of ns1.zerotrance.net

That is located in. . The U.K.

IP address: 85.234.144.88
Reverse DNS: ns1.zerotrance.net.
Reverse DNS authenticity: [Verified]
ASN: 29550
ASN Name: EUROCONNEX-AS (Euroconnex Networks LLP)
IP range connectivity: 5
Registrar (per ASN): RIPE
Country (per IP registrar): GB [United Kingdom]
Country Currency: GBP [United Kingdom Pounds]
Country IP Range: 85.234.128.0 to 85.234.159.255
Country fraud profile: Normal
City (per outside source): Unknown
Private (internal) IP? No

The ISP phone numbers are here:

inetnum: 85.234.128.0 - 85.234.159.255
org: ORG-PIS3-RIPE
netname: UK-POUNDHOST-20050429
descr: PoundHost Internet Services
country: GB
admin-c: MM5420-RIPE
admin-c: KW725-RIPE
tech-c: MM5420-RIPE
status: ALLOCATED PA
remarks: PH-Network (Europe)
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: POUNDHOST
mnt-routes: POUNDHOST
mnt-routes: AS5413-MNT
notify: Matthew@Poundhost.com
changed: hostmaster@ripe.net 20050429
source: RIPE

organisation: ORG-PIS3-RIPE
org-name: PoundHost Internet Services
org-type: LIR
address: PoundHost Internet Services,
Ginchy House,
Marsh Lane,
Taplow,
Maidenhead,
Berkshire.
SL6 0DE
ENGLAND
phone: +44 (0) 870 744 1700
fax-no: +44 1628 639977
e-mail: Info@poundhost.com
admin-c: MM5420-RIPE
admin-c: LP1106-RIPE
mnt-ref: POUNDHOST
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE

person: Matthew Munson
address: Euroconnex Networks LLP,
Marsh Lane,
Taplow,
Maidenhead, UK
phone: +44 870 744 1700
e-mail: matthew@euroconnex.net
nic-hdl: MM5420-RIPE
remarks: ******************************************************
remarks: Please contact abuse@euroconnex.net for any abuse issues
remarks: E-mail sent to other addresses may not be acted upon.
remarks: ******************************************************
mnt-by: EUROCONNEX
changed: matthew@poundhost.com 20050721
source: RIPE

person: Katalin Weigand
address: PoundHost Internet Services,
Marsh Lane,
Taplow,
Maidenhead, UK
phone: +44 870 744 1700
e-mail: Katalin@poundhost.com
nic-hdl: KW725-RIPE
remarks: ******************************************************
remarks: Please contact abuse@PoundHost.com for all abuse issues
remarks: ******************************************************
mnt-by: POUNDHOST
changed: matthew@poundhost.com 20030827
changed: matthew@poundhost.com 20031009
changed: Katalin@poundhost.com 20031010
source: RIPE

% Information related to '85.234.128.0/19AS29550'

route: 85.234.128.0/19
descr: PH-Network Europe, operated by Euroconnex Networks LLP
origin: AS29550
remarks: *********************************************
remarks: For Peering and more info: www.euroconnex.net
remarks: *********************************************
mnt-by: POUNDHOST
changed: Matthew@PoundHost.com 20050601
source: RIPE

email addresses are:
abuse@PoundHost.com
matthew@euroconnex.net
Katalin@poundhost.com

Now, lets see who owns the domain zerotrance.net, shall we..

WHOIS info is blocked by these clowns:
Whois Privacy Protection Service, Inc.

Domain name: zerotrance.net

Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (sxdysbyxvq@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O zerotrance.net
Bellevue, WA 98007
US

Administrative Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (sxdysbyxvq@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O zerotrance.net
Bellevue, WA 98007
US

Technical Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (sxdysbyxvq@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O zerotrance.net
Bellevue, WA 98007
US

Status: Locked

Name Servers:
ns1.zerotrance.net
ns2.zerotrance.net

Creation date: 10 Nov 2005 05:18:38
Expiration date: 10 Nov 2007 05:18:38

I emailed the admin at the UK ISP to shut down these clowns.

Later...

I got a question from an eBay buyer tonight. How sweet.

2006-04-26T10:39:00.001-07:00

I got a question from an eBay buyer tonight. How sweet. I don't have anything for sale on eBay.

Game on. Your ass is mine soon. . .

here is your real url: http://3717423647/~silverfoil/index.html/.ws/www.ebay.com/index.html

Here is the the message (for what is matters):

Â Question from cdesteve
Item: (8403494162)
This message was sent while the listing was active.
cdesteve is a potential buyer.
Still no answer from you!Will this deal go through?At least send me a message please!

Respond to this question in My Messages.
Respond Now

Item Details
Item number: 8403494162
End date: Apr-13-06 01:39:15 PDT
View item description:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=8403494162&sspagename=ADME:B:AAQ:US:1
Thank you for using eBay!
http://www.ebay.com/

URL is really pointing to : http://3717423647/~silverfoil/index.html/.ws/www.ebay.com/index.html

Do you really think I wont track you down?!
http://3717423647/~silverfoil/index.html/.ws/www.ebay.com/index.html

221.147.98.31

IP address: 221.147.98.31
Reverse DNS: [No reverse DNS entry per rev1.kornet.net.]
Reverse DNS authenticity: [Unknown]
ASN: 4766
ASN Name: KIXS-AS-KR (Korea Telecom)
IP range connectivity: 5
Registrar (per ASN): APNIC
Country (per IP registrar): KR [Korea-KR]
Country Currency: KRW [Korea (South) Won]
Country IP Range: 221.144.0.0 to 221.159.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Private (internal) IP? No
IP address registrar: whois.apnic.net
Known Proxy? No

WHOIS results for 221.147.98.31
Generated by www.DNSstuff.com

Location: Korea-KR

ARIN says that this IP belongs to APNIC; I'm looking it up there.

APNIC says that this IP belongs to KRNIC; I'm looking it up there.

query: 221.147.98.31

??? ??? : +82-2-3674-5708
???? ???? : **@ns.kornet.net

??? ??? : +82-2-3674-5708
???? ???? : **@ns.kornet.net
??? ??? : 080-223-5577
???? ???? : *****@kornet.net

IPv4 Address : 221.147.98.0-221.147.98.255
Network Name : KORNET-10359345650
Connect ISP Name : KORNET
Publishes : N

[ Organization Information ]
Organization ID : ORG526451
Org Name : KT
Address : Sinchon-dong, Seodaemun-gu
Zip Code : 120140

[ Technical Contact Information ]
Org Name : KT
Address : Sinchon-dong, Seodaemun-gu
Zip Code : 120140

--------------------------------------------------------------------------------

If the above contacts are not reachable, please contact following ISP
for further information.

[ ISP IPv4 Admin Contact Information ]
Name : IP Administrator
Phone : +82-2-3674-5708
E-Mail : **@ns.kornet.net

[ ISP IPv4 Tech Contact Information ]
Name : IP Manager
Phone : +82-2-3674-5708
E-Mail : **@ns.kornet.net

[ ISP Network Abuse Contact Information ]
Name : Network Abuse
Phone : 080-223-5577
E-Mail : *****@kornet.net

How Sweet, letter from another eBay customer.

2006-04-26T10:39:00.000-07:00

How Sweet, letter from another eBay customer. Lets fry this clown..
Here is the text of the scam email :

Â Question from mmjd1996
Item: (4629414062)
This message was sent while the listing was active.
mmjd1996 is a potential buyer.
Hi, how much would be shipping to Germany? Thanks

Using DNSStuff I find out our scammers IP address.

eBay.com URL points to:
http://1393442438/img/...bleh/signin.ebay.com/ws/eBayISAPI.dll/SignIn.htm

1393442438 is decimal for 83.14.62.134

Seems to be a box on some DSL line in Poland..

IP address: 83.14.62.134
Reverse DNS: dyk134.internetdsl.tpnet.pl.
Reverse DNS authenticity: [Verified]
ASN: 5617
ASN Name: TPNET (Polish Telecom's commercial IP network)
IP range connectivity: 2
Registrar (per ASN): RIPE
Country (per IP registrar): PL [Poland]
Country Currency: PLN [Poland Zlotych]
Country IP Range: 83.0.0.0 to 83.31.255.255

The ISP is Poland Telecom. Here are the ISP contact numbers and email addresses.

role: TP S.A. Hostmaster
address: TP S.A. "POLPAK"
address: ul. Nowogrodzka 47A
address: 00-695 Warszawa
address: Poland
phone: +48 22 6252383
fax-no: +48 22 6225182
remarks: trouble: Network problems: hostmaster@tpnet.pl
remarks: trouble: Abuse and spam notification: abuse@tpnet.pl
remarks: trouble: DNS problems: dns@tpnet.pl
remarks: trouble: Routing problems: registry@tpnet.pl
admin-c: TK569-RIPE
tech-c: TK569-RIPE
tech-c: JS1838-RIPE
nic-hdl: TPHT
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
remarks: Please send spam and abuse notification only to abuse@tpnet.pl
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
mnt-by: TPNET
e-mail: hostmaster@tpnet.pl
abuse-mailbox: abuse@tpnet.pl
changed: hostmaster@tpnet.pl 20030122
changed: hostmaster@tpnet.pl 20030904
changed: hostmaster@tpnet.pl 20060306
source: RIPE

person: Tomasz Kielb
address: TP S.A. - POLPAK
address: ul. Nowogrodzka 47A
address: 00-695 Warszawa
address: POLAND
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
remarks:
remarks: In case of abuse (intrusion attempts, hacking,
remarks: spamming or other unaccepted behavior) from
remarks: TP S.A. address space, please contact only to:
remarks:
remarks: abuse@tpnet.pl
remarks:
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
phone: +48 800 120 810
phone: +48 800 120 811
fax-no: +48 22 5230178
e-mail: Tomasz.Kielb@telekomunikacja.pl
nic-hdl: TK569-RIPE
mnt-by: TPNET
changed: tkielb@cst.tpsa.pl 19970730
changed: tkielb@cst.tpsa.pl 20011003
changed: tomasz.kielb@telekomunikacja.pl 20021129
changed: tomasz.kielb@telekomunikacja.pl 20030114
changed: hostmaster@tpnet.pl 20030904
changed: hostmaster@tpnet.pl 20041220
source: RIPE

person: Jaroslaw Salamon
address: TP S.A. -POLPAK
address: ul. Nowogrodzka 47A
address: 00-695 Warszawa
address: POLAND
remarks:
remarks: !=====================================================
remarks:
remarks: In case of abuse (intrusion attempts, hacking,
remarks: spamming or other unaccepted behavior) from
remarks: TP S.A. address space, please contact only to:
remarks:
remarks: abuse@telekomunikacja.pl
remarks:
remarks: !=====================================================
remarks:
phone: +48 800 120 810
phone: +48 800 120 811
fax-no: +48 22 5230178
e-mail: Jaroslaw.Salamon@telekomunikacja.pl
nic-hdl: JS1838-RIPE
mnt-by: TPNET
changed: tkielb@cst.tpsa.pl 20000727
changed: hostmaster@tpnet.pl 20030904
changed: hostmaster@tpnet.pl 20031211
changed: hostmaster@tpnet.pl 20060407
source: RIPE

person: Konrad Plich
address: TP S.A. CST POLPAK
address: ul. Sienkiewicza 9
address: 97-300 Piotrkow Tryb.
address: Poland
remarks: ---------------------------------------------
remarks: In case of abuse (intrusion attempts, hacking,
remarks: spamming or other unaccepted behavior) from
remarks: TP S.A. address space, please mail only to:
remarks: abuse@tpnet.pl
remarks: ----------------------------------------------
phone: + 48 44 6480030
fax-no: + 48 44 6473572
e-mail: konradpl@piotrkow.tpsa.pl
nic-hdl: KP21-RIPE
mnt-by: AS5617-MNT
changed: konradpl@piotrkow.tpsa.pl 20031001
source: RIPE

So I shoot a quick email to the boys at Polish Telecom (abuse@tpnet.pl)

I also paste the bougus URL into PhishFighing.com.
That feeds our "Phisherman" with hundreds of bogus usernames and passwords.
That should keep him busy for a few days.
Just another day ho hum.

2006-04-26T10:38:00.000-07:00

Â Question from snoboy2k
Item: (6863632227)
This message was sent while the listing was active.
snoboy2k is a potential buyer.
What would the shipping cost be to West Virginia zip code 25511?

Respond to this question in My Messages.
Respond Now

Item Details
Item number: 6863632227
End date: Mar-27-06 01:43:11 PST
View item description:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=6863632227&sspagename=ADME:B:AAQ:US:1
Thank you for using eBay!
http://www.ebay.com/

http://1121800143/test/.index/index.htm
66.221.79.207

IP address: 66.221.79.207
Reverse DNS: ez4.propagation.net.
Reverse DNS authenticity: [Verified]
ASN: 14501
ASN Name: CIHOST
IP range connectivity: 2
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 66.221.0.0 to 66.221.255.255
Country fraud profile: Normal
City (per outside source): Ft. Worth, Texas
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No

OrgName: C I Host
OrgID: CIHS
Address: 1851 Central Drive
Address: #110
City: Bedford
StateProv: TX
PostalCode: 76112
Country: US

NetRange: 66.221.0.0 - 66.221.255.255
CIDR: 66.221.0.0/16
NetName: CIHOST7
NetHandle: NET-66-221-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS.CIHOST.COM
NameServer: NS2.CIHOST.COM
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-01-17
Updated: 2002-06-17

RTechHandle: NC61-ARIN
RTechName: Network Operations Center
RTechPhone: +1-888-868-9931
RTechEmail: noc@cihost.com

OrgAbuseHandle: ABUSE821-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-888-868-9931
OrgAbuseEmail: abuse@cihost.com

Administrative Contact :
Propagation Networks
admin@PROPAGATION.NET
1851 CENTRAL DR STE 110
BEDFORD, TX 76021-5865
US
Phone: 800-607-0123

Technical Contact :
Propagation Networks,
noc@PROPAGATION.NET
1851 Central Drive Suite 110
Bedford, TX 76021
US
Phone: 800-605-5438
Fax: 888-242-7554

Record expires on 31-May-2006
Record created on 01-Jun-1998
Database last updated on 08-Jul-2004

Domain servers in listed order: Manage DNS

NS.PROPAGATION.NET 216.221.160.10
NS2.PROPAGATION.NET 216.221.162.106
NS3.PROPAGATION.NET 63.249.128.204

Â Question from bigmoney

2006-04-26T10:37:00.001-07:00

Â Question from bigmoney
Item: (6852613597)
This message was sent while the listing was active.
bigmoney is a potential buyer.
What is the last price for this Item?

Respond to this question in My Messages.
Respond Now

Item Details
Item number: 6852613597
End date: Mar-01-06 18:33:23 PST
View item description:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=7387869660&sspagename=ADME:B:AAQ:US:1
Thank you for using eBay!
http://www.ebay.com/

http://1088880691/%20/signin.ebay.com/ws/eBayISAPI/index.html

IP 64.231.0.51 is decimal 1088880691.

IP address: 64.231.0.51
Reverse DNS: [No reverse DNS entry per ns3.bellglobal.com.]
Reverse DNS authenticity: [Unknown]
ASN: 577
ASN Name: BACOM
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): CA [Canada]
Country Currency: CAD [Canada Dollars]
Country IP Range: 64.228.0.0 to 64.231.255.255
Country fraud profile: Normal
City (per outside source): Toronto, Ontario

That's a BellCanada IP block:
Bell Canada BELLCANADA-5 (NET-64-228-0-0-1) 64.228.0.0 - 64.231.255.255
Bell Nexxia (HSE) NEXXIAJ10-CA (NET-64-231-0-0-1) 64.231.0.0 - 64.231.95.255

No WHOIS records exist for this IP, and there was no reverse DNS information I could glean.
It is probably a personal computer that has been hacked, and is under someone else's control.

Time for us to take a collection and buy this poor sucker a firewall. Any donations?

Here is a port scan. Our scammer box is infected with the W32.MyDoom virus, like many other hosts.

This is probably the vector for the exploit. I see this on lots of other targets.
I suspect that may be the port that receive control messages.
Also it's running half-life engine (port 27015)! Lots of other exploited servers are as well.
The HTTP deamon is Apache and return the ID Celestix celnx. Hmmm who could that be I wonder?

WWhatever let's take them down. I called up phishfighing.com and pasted the URL in. Nothing happened!
Whatever this one is doing, nothing shows up in the usernname/password box.
He may be actively blocking phishfighing.com because that will poison their list of victims.

Let's see if I can email the ISP and have this box shut down.

Question from prescreened

2006-04-26T10:37:00.000-07:00

Question from prescreened
About This Member
prescreened( 5792)
Positive Feedback: 100%
Member Since: Apr-14-99
Location: OH, United States
Registered On: www.ebay.com

Hey ,
I'll send you the money today.When will you send the package ?

Thanks !

Respond to this question in My Messages.
Respond Now

prescreened
Thank you for using eBay!
http://www.ebay.com/

http://www.steveariss.com/%20/Index.html

Registrant:
Steve Ariss
42 Lakefield Road
Brampton, ON L7A 1W5
CA

Domain name: STEVEARISS.COM

Administrative Contact:
Ariss, Steve steveariss@rogers.com
42 Lakefield Road
Brampton, ON L7A 1W5
CA
416 508-8245
Technical Contact:
Ariss, Steve steveariss@rogers.com
42 Lakefield Road
Brampton, ON L7A 1W5
CA
416 508-8245

Registrar of Record: easyDNS Technologies, Inc.

Resolves to 69.194.147.254

Reverse DNS: cpe000393086bfa-cm000f9f7f15b6.cpe.net.cable.rogers.com.
Reverse DNS authenticity: [Verified]
ASN: 812
ASN Name: ROGERS-CABLE
IP range connectivity: 1
Registrar (per ASN): ARIN
Country (per IP registrar): CA [Canada]
Country Currency: CAD [Canada Dollars]
Country IP Range: 69.192.0.0 to 69.199.255.255
Country fraud profile: Normal
City (per outside source): Mississauga, Ontario
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No

Redirects to: http://www.domainsnipe.co.uk/.ebay/aw-cgi/index.html

Domain name:
domainsnipe.co.uk

Registrant:
Matt Ashby

Registrant type:
UK Individual

Registrant's address:
Smallands Hall Farm
Spring Lane
Hatfield Peverel
CM3 2JW
GB

Registrant's agent:
Internet Assist Ltd [Tag = INTERNET-ASSIST]
URL: http://www.i-a.co.uk

Relevant dates:
Registered on: 08-Dec-2005
Renewal date: 08-Dec-2007

Registration status:
Registered until renewal date.

Name servers:
ns1.i-a.co.uk
ns2.i-a.co.uk

IP address: 217.151.101.69
Reverse DNS: rack5.i-a.co.uk.
Reverse DNS authenticity: [Verified]
ASN: 21055
ASN Name: WEBTAPESTRY-AS (Axamba Limited T/As Web Tapestry)
IP range connectivity: 1
Registrar (per ASN): RIPE
Country (per IP registrar): GB [United Kingdom]
Country Currency: GBP [United Kingdom Pounds]
Country IP Range: 217.151.96.0 to 217.151.111.255
Country fraud profile: Normal
City (per outside source): Unknown
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No

steveariss@rogers.com
info@i-a.co.uk

I received ANOTHER "Phishing" attempt

2006-04-26T10:06:00.000-07:00

I received ANOTHER "Phishing" attempt tonight. This one was a good laugh for me.
It was to welcome me to join something called the "PowerSeller Silver Membership"
What is so funny is I have sold exactly ONE item on eBay.
I really don't think I qualify to be a "Power Seller", silver or any color!

Of course I reported this to eBay, but they seem to be about as good at stopping these clowns as Bush seems to be at catching Osama BinLaden. I thought I would do some snooping on my own.

Here is the subject line. How thoughtful, they want ME to join their little club.

Subject:Your PowerSeller Silver Membership
From: "eBay PowerSellers"
Date: Tue, 04 Apr 2006 22:10:35 +0000

Orignal email link embedded in HTML of spoof email is:
http://www.elitemarine.net/blog/archives/www.anaconda.com

Reverse DNS points us to the evildoers:
elitemarine.net. A IN 14400 66.228.123.163

They are pretty sneaky about their information. They do however leave a email address:(spyhunter2000@bellsouth.net).

Registration Service Provided By: Surpass Hosting
Contact: enom@surpasshosting.com
Visit: http://www.surpasshosting.com

Domain name: elitemarine.net
Registrant Contact:
other
somename somename (spyhunter2000@bellsouth.net)
Fax: somephone
someaddress
somecity, SC somezip
US

A google search for (spyhunter2000@bellsouth.net) lead to a page on www.teamxodus.com. Hmmm.

This is only a jumping off point that points to the REAL spoof eBay site, as you will see here...

That URL (www.elitemarine.net/blog/archives/www.anaconda.com) redirects to another site in Germany:

http://projekt-pd.power-wlan.at/images/.PowerSellerpages.eBay.com/ws/eBayISAPII.dll/SignIn.html

DNS reverse lookup using DNS Stuff

projekt-pd.power-wlan.at. A IN 86400 62.141.48.148

IP address: 62.141.48.148
Reverse DNS: ns.power-web34.net.
Reverse DNS authenticity: [Verified]
ASN: 31103
ASN Name: KEYWEB-AS (Keyweb AG)
IP range connectivity: 0
Registrar (per ASN): RIPE
Country (per IP registrar): DE [Germany]

WHOIS report on projekt-pd.power-wlan.at

domain: power-wlan.at
registrant: CD820810-NICAT
admin-c: CD820810-NICAT
tech-c: CD820810-NICAT
zone-c: CD820810-NICAT
nserver: ns.power-web34.net
remarks: 62.141.48.148
nserver: ns2.power-web34.net
remarks: 62.141.49.148
changed: 20040503 16:31:12
source: AT-DOM

personname: Christian Dvorak
organization: power-web.at
street address: Soedingberg 129
postal code: A-8152
city: Stallhofen
country: Austria
phone: +433142805280
fax-no: +433142805230
e-mail: domreg@power-web.at
nic-hdl: CD820810-NICAT
changed: 20050409 10:35:11
source: AT-DOM

inetnum: 62.141.48.0 - 62.141.55.255
netname: DE-KEYWEB-I
descr: Keyweb AG IP Network
country: DE
admin-c: MERO-RIPE
tech-c: MERO-RIPE
status: ASSIGNED PA
mnt-by: KEYWEB-MNT
changed: hostmaster@keyweb.de 20060217
source: RIPE

WHOIS report on netblock:
Information related to '62.141.48.0 - 62.141.55.255'

person: Holger Amberg
address: Keyweb AG
address: Neuwerkstrasse 45/46
address: 99084 Erfurt
address: Germany
e-mail: ha@keyweb.de
abuse-mailbox: abuse@keyweb.de
phone: +49 361 658530
fax-no: +49 361 6585366
nic-hdl: MERO-RIPE
mnt-by: KEYWEB-MNT
changed: ha@keyweb.de 20050419
source: RIPE

A google for Mr. Christiian Dvorak leads to this web page and this contact info:

POWER-WEB.AT, ING. CHRISTIAN DVORAK
Eintrag korrigieren Kontakt
Strasse / Nr.: SÖDINGBERG 6
PLZ / Ort: 8152 STALLHOFEN
Land ÖSTERREICH
E-Mail: office@power-web.at
Telefon: 03142 80 52 80
Fax: 03142 80 52 30
URL: http://www.power-web.at

It is a web hosting company in SÖDINGBERG Austria.

Someone should let Mr. Dvorak his server is being bad!

What follows is the text of the email.

To: mrlinuxhead@yahoo.com
Subject:Your PowerSeller Silver Membership
From: "eBay PowerSellers"
Date: Tue, 04 Apr 2006 22:10:35 +0000

Dear eBay Member,

You've been on a super sales streak and since you've done so well, it's time to recognize you for your efforts. You are PowerSeller Silver!

Congratulations! joining the eBay Silver PowerSeller Program. Come and join us. When you join the PowerSeller program, you'll be able to receive more of the support you'll need for continued success. So, why wait? Join now!

PowerSeller icon next to your User ID in recognition of your hard work.
PowerSeller Priority Support via email webform and phone support at Silver level and above.
Exclusive offerings on the PowerSeller portal--check in frequently to see updated program benefits and special offers!
Discussion Board for you to network with other PowerSellers.
Free PowerSeller Business Templates for business cards and letterhead.

Membership to the PowerSeller program is FREE.

Again, congratulations and best wishes for your continued success!

Regards,
eBay PowerSeller Team
If you agree with this rank please Become an eBay Power Seller within 24 hours
You are receiving this communication because you are part of the PowerSeller program. This is a one time communication. There is no need to unsubscribe. eBay will not request personal data (password, credit card/bank numbers) in an email.

Copyright © 2003 eBay Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are trademarks of eBay Inc.

enom@surpasshosting.com
domreg@power-web.at
projekt-pd.power-wlan.at
ha@keyweb.de
abuse@keyweb.de
hostmaster@keyweb.de