Your Webmail Provider phish on a zombie domain

Phishing operations, including perpetrators, how to report them and get them shut down.


Post by MyCanadian Spammerdeath » Sat Sep 12, 2009 11:15 am

Found the following email:
Code:
Return-Path: <>
Received: from ( [])
        by x (8.13.6/8.13.6) with ESMTP id n8CCPDZR029294
        for <spurious@localhost>; Sat, 12 Sep 2009 08:25:16 -0400
Received: (qmail 27364 invoked by uid 33); 12 Sep 2009 12:46:26 -0000
Date: 12 Sep 2009 12:46:26 -0000
Message-ID: <>
To: spurious
From: "support@x" <support@x>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
X-SpamBouncer: 2.2 (04/16/06)
X-SBNote: From Admin
X-SBRule: Received IP: is in no-more-funn (spam sources)
X-SBNote: Spamcop Standard Report submitted.
X-SBClass: Spam
X-Folder: Spam


A new email server with secure E-mail has been implemented and configuration to replace old CS email server. As a result, we are shutting down your account.

To confirm your active/inactive account you, are required to send us your E-mail account details listed below for verification. These information would be needed to verify your account and to avoid being shut down;

Click on reply and fill the information below correctly.

* Email:
* User name:
* Password:
* Password Again:
* Date of Birth:

Warning!!! All account owner are advised to follow this instruction immediately to avoid loosing your email account permanently.

Thanks for your understanding!

                 .:: WEBMAIL ADMINISTRATOR::.

The sending network is bogus and blocklisted, but the Reply-to network is particularly interesting:
Code:
$ dig mx         

; <<>> DiG 9.2.3rc4 <<>> mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22711
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;            IN      MX

;; ANSWER SECTION:
        86400   IN      MX      10
        86400   IN      MX      5

;; AUTHORITY SECTION:
        172724  IN      NS
        172724  IN      NS

;; Query time: 121 msec
;; WHEN: Sat Sep 12 10:52:21 2009
;; MSG SIZE  rcvd: 137

These four hosts are on four entirely different networks:

$ host has address
$ host has address
$ host has address
$ host has address (

mail2world, Inc SAVV-S265634-1 (NET-209-67-128-0-1)

Reported to SAVVIS, though I don't expect much to come of that.
Only on our site you will find a SPICE under the comprehensible prices!

Re: Your Webmail Provider phish on a zombie domain

Post by spamislame » Sat Sep 12, 2009 2:01 pm

is another freemail provider. Numerous 419 spammers use mail2world addresses as an alternative to both GMail and Hotmail, both of whom have become far more efficient at shutting down accounts used in 419 scams. is not a malicious domain.

ADD: you can report this message by emailing:

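Added example, not part of either post: a small mail-filter check for the pattern discussed in this thread, a "reply with your password" message whose Reply-To points at a freemail provider rather than at the claimed sender. The domains, the freemail list and the sample message (including its Reply-To header, which the posted headers do not show) are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the operator maintains this list; the entry is a placeholder domain.
FREEMAIL_DOMAINS = {"freemail.example"}

# Blank form fields such as "* Password:" that the recipient is asked to fill in.
CRED_FIELD = re.compile(r"^\W*(pass\s*word|user\s*name|login)\b[^:\n]*:\s*$",
                        re.IGNORECASE | re.MULTILINE)

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def reply_phish_indicators(raw, freemail=FREEMAIL_DOMAINS):
    """Return the list of indicators that fire for one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        hits.append("reply-to-domain-mismatch")   # replies leave the claimed org
    if reply_dom in freemail:
        hits.append("reply-to-freemail")          # drop box on a free provider
    if (msg.get("Return-Path") or "").strip() == "<>":
        hits.append("null-return-path")           # weak alone: bounces use it too
    body = msg.get_payload()
    if isinstance(body, str) and CRED_FIELD.search(body):
        hits.append("credential-form-in-body")    # asks for secrets by reply
    return hits

# Constructed sample modelled on the message quoted in the first post.
SAMPLE = """\
Return-Path: <>
From: "support@uni.example" <support@uni.example>
Reply-To: webmail.admin@freemail.example
To: user@uni.example
Content-Type: text/plain

Click on reply and fill the information below correctly.

* Email:
* User name:
* Password:
"""

if __name__ == "__main__":
    print(reply_phish_indicators(SAMPLE))
```

The null Return-Path indicator is only meaningful in combination with the others, since legitimate delivery status notifications also carry it.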
