Your Webmail Provider phish on a zombie domain

Phishing operations, including perpetrators, how to report them and get them shut down.

Post by MyCanadian Spammerdeath » Sat Sep 12, 2009 11:15 am

Found the following email:
Code:
Return-Path: <anonymous@aaliptha.com>
Received: from aaliptha.com (dns1.aaliptha.com [203.129.240.200])
        by x (8.13.6/8.13.6) with ESMTP id n8CCPDZR029294
        for <spurious@localhost>; Sat, 12 Sep 2009 08:25:16 -0400
Received: (qmail 27364 invoked by uid 33); 12 Sep 2009 12:46:26 -0000
Date: 12 Sep 2009 12:46:26 -0000
Message-ID: <20090912124626.27363.qmail@aaliptha.com>
To: spurious
Subject: Subject: **ACCOUNT SECURITY UPGRADE**
From: "support@x" <support@x>
Reply-To: webmall@mail2webmaster.com
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
X-SpamBouncer: 2.2 (04/16/06)
X-SBNote: From Admin
X-SBRule: Received IP: 203.129.240.200 is in no-more-funn (spam sources)
X-SBBlocklist-URL: http://moensted.dk/spam/no-more-funn/?addr=203.129.240.200
X-SBNote: Spamcop Standard Report submitted.
X-SBClass: Spam
X-Folder: Spam
Status:   

Subject: **ACCOUNT SECURITY UPGRADE**

A new email server with secure E-mail has been implemented and configuration to replace old CS email server. As a result, we are shutting down your account.

To confirm your active/inactive account you, are required to send us your E-mail account details listed below for verification. These information would be needed to verify your account and to avoid being shut down;

Click on reply and fill the information below correctly.

* Email:
* User name:
* Password:
* Password Again:
* Date of Birth:

Warning!!! All account owner are advised to follow this instruction immediately to avoid loosing your email account permanently.

Thanks for your understanding!

                 .:: WEBMAIL ADMINISTRATOR::.


The sending network is bogus and blocklisted, but the Reply-to network is particularly interesting:
Code:
$ dig mx mail2webmaster.com         

; <<>> DiG 9.2.3rc4 <<>> mx mail2webmaster.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22711
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;mail2webmaster.com.            IN      MX

;; ANSWER SECTION:
mail2webmaster.com.     86400   IN      MX      10 publicms2.mail2world.com.
mail2webmaster.com.     86400   IN      MX      5 publicms1.mail2world.com.

;; AUTHORITY SECTION:
mail2webmaster.com.     172724  IN      NS      ns02.mail2world.com.
mail2webmaster.com.     172724  IN      NS      ns01.mail2world.com.

;; Query time: 121 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Sep 12 10:52:21 2009
;; MSG SIZE  rcvd: 137

These four hosts are on four entirely different networks:

$ host publicms2.mail2world.com
publicms2.mail2world.com has address 65.74.168.215
$ host publicms1.mail2world.com
publicms1.mail2world.com has address 216.163.188.54
$ host ns02.mail2world.com
ns02.mail2world.com has address 74.202.142.53
$ host ns01.mail2world.com
ns01.mail2world.com has address 209.67.128.53


mail2webmaster.com (209.67.128.20)

mail2world, Inc SAVV-S265634-1 (NET-209-67-128-0-1)
                                  209.67.128.0 - 209.67.129.255


Reported to SAVVIS, though I don't expect much to come of that.
Only on our site you will find a SPICE under the comprehensible prices!
MyCanadian Spammerdeath
Spammer Exterminator
 
Posts: 1145
Joined: Mon Feb 26, 2007 11:13 pm
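
Added example (not part of the original thread, and not either poster's code): a small Python triage check for the traits visible in the quoted message, namely a Reply-To domain that differs from the From domain, an envelope sender that differs from From, and a body that asks for credentials by reply. The sample is condensed from the message above; the function names and finding labels are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers and body condensed from the message quoted in the post above.
SAMPLE = """\
Return-Path: <anonymous@aaliptha.com>
Received: from aaliptha.com (dns1.aaliptha.com [203.129.240.200])
        by x (8.13.6/8.13.6) with ESMTP id n8CCPDZR029294
        for <spurious@localhost>; Sat, 12 Sep 2009 08:25:16 -0400
To: spurious
Subject: Subject: **ACCOUNT SECURITY UPGRADE**
From: "support@x" <support@x>
Reply-To: webmall@mail2webmaster.com
Content-Type: text/plain

Click on reply and fill the information below correctly.

* User name:
* Password:
"""

# A line that is just a credential field label, e.g. "* Password:"
CRED_FIELD = re.compile(r"^\W*(password|user ?name)\b.*:\s*$", re.I | re.M)
# Bracketed IPv4 literal recorded by the receiving MTA in a Received header
RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def analyze(raw):
    """Parse a raw single-part message and list the triage findings."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    env_dom = domain_of(msg["Return-Path"])
    body = msg.get_payload()
    ip = RELAY_IP.search(msg.get("Received", ""))
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-differs-from-from")
    if env_dom and env_dom != from_dom:
        findings.append("return-path-differs-from-from")
    if CRED_FIELD.search(body) and re.search(r"\breply\b", body, re.I):
        findings.append("credentials-requested-by-reply")
    return {"reply_to_domain": reply_dom,
            "relay_ip": ip.group(1) if ip else None,
            "findings": findings}
```

The Reply-To domain it returns is the one to look up and report, since that mailbox is where harvested credentials would arrive; the relay IP is the one to check against blocklists.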

Re: Your Webmail Provider phish on a zombie domain

Post by spamislame » Sat Sep 12, 2009 2:01 pm

mail2world.com is another freemail provider. Numerous 419 spammers use mail2world addresses as an alternative to both GMail and Hotmail, both of whom have become far more efficient at shutting down accounts used in 419 scams.

mail2world.com is not a malicious domain.

ADD: you can report this message by emailing: fraud@mail2world.com

SiL
spamislame
Site Admin
 
Posts: 5058
Joined: Tue May 09, 2006 9:18 am

