[nsp-sec] Phishing attack hitting 2116
Vidar Østmo
vidar.ostmo at ventelo.no
Sun Jan 11 10:00:42 EST 2009
Hello
Yesterday we had a phishing attack against approx. 100 of our DSL customers:
The attack itself was pretty straightforward, contained poor Norwegian
language and had a yahoo.com response address.
18293 | 202.43.220.99 | YAHOO-HK2-AP Internet content provider
Reply-To: upgradeceenter at yahoo.com.hk
I have notified Yahoo's abuse, and I consider that taken care of.
Unfortunately the mail slipped just below the threshold of our spam filter
:-(
What was more interesting was that the headers suggested that a host at
"UK Rackspace" is either compromised or has compromised accounts.
In this case probably "mbeatty".
Bulk mode; whois.cymru.com [2009-01-11 13:07:33 +0000]
15395 | 212.100.250.230 | UK Rackspace
#
Received: (from mail.law.gwu.edu [212.100.250.230])
by mail.law.gwu.edu (MOS 3.8.7a)
with HTTP/1.1 id BJV61204 (AUTH mbeatty);
Sat, 10 Jan 2009 02:45:11 -0500 (EST)
#
The host does not seem to allow relaying per se, but it is definitely
vulnerable to backscatter spamming.
telnet mail.law.gwu.edu 25
helo checkor.com
250 mail.law.gwu.edu Hello xxxxxx, pleased to meet you
MAIL FROM: test1 at test.com
250 test1 at test.com... Sender ok
RCPT TO: test at mail.law.gwu.edu
250 test at mail.law.gwu.edu... Recipient ok
quit
Anyone here from Rackspace (ASN 15395) and Yahoo (ASN 18293) for
verification/mitigation?
Med vennlig hilsen/Kind regards
Vidar Østmo
Engineering - Ventelo AS asn 2116
_________________________________________
HEADERS:
Return-Path: <admin at ventelo.no>
Delivered-To: alb at ventelo.net
Received: from sb2.isp.kq.no (unknown [192.168.97.63])
by mb6.isp.kq.no (Postfix) with ESMTP id 3ECF61006E;
Sat, 10 Jan 2009 08:45:23 +0100 (CET)
Received: from sb2.isp.kq.no (localhost [127.0.0.1])
by localhost (Postfix) with SMTP id DDDED6000807E;
Sat, 10 Jan 2009 08:45:22 +0100 (CET)
Received: from mx11.isp.kq.no (unknown [192.168.97.60])
by sb2.isp.kq.no (Postfix) with ESMTP id 6C91F6000805A;
Sat, 10 Jan 2009 08:45:22 +0100 (CET)
Received: from mail.law.gwu.edu (mail.law.gwu.edu [128.164.132.6])
by mx11.isp.kq.no (Postfix) with ESMTP id 556632AA61A;
Sat, 10 Jan 2009 08:35:23 +0100 (CET)
Received: (from mail.law.gwu.edu [212.100.250.230])
by mail.law.gwu.edu (MOS 3.8.7a)
with HTTP/1.1 id BJV61204 (AUTH mbeatty);
Sat, 10 Jan 2009 02:45:11 -0500 (EST)
From: "mail.ventelo.no" <admin at ventelo.no>
Subject: Webmaster E-post-konto Oppgradering
Reply-To: upgradeceenter at yahoo.com.hk
X-Mailer: Mirapoint Webmail Direct 3.8.7a
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Message-Id: <20090110024511.BJV61204 at mail.law.gwu.edu>
Date: Sat, 10 Jan 2009 02:45:11 -0500 (EST)
X-Junkmail-Status: score=10/48, host=mail.law.gwu.edu
X-Junkmail-SD-Raw: score=unknown,
refid=str=0001.0A090207.4968520C.00D6,ss=1,fgs=0,
ip=0.0.0.0,
so=2008-05-01 23:44:25,
dmn=5.7.1/2008-09-02
X-Junkmail-IWF: false
X-Mirapoint-RAPID-Raw: score=unknown(0),
refid=str=0001.0A090207.4968520C.00D6,ss=1,fgs=0,
ip=0.0.0.0,
so=2008-05-01 23:44:25,
dmn=5.7.1/2008-09-02
X-Mirapoint-Loop-Id: 774a9e232c57eed876c5a2f7226bf581
To: undisclosed-recipients: ;
X-PMX-Version: 5.4.1.325704, Antispam-Engine: 2.6.0.325393, Antispam-Data:
X-PerlMx-Spam: Gauge=%%XPROB%%II, Probability=62%,
Report='FRAUD_FROM_KNOWN_IP 5, FRAUD_IP_WITH_HTTP 0.5, WEBMAIL_REPLYTO_NOT_FROM 0.5,
BODY_SIZE_1800_1899 0, BODY_SIZE_5000_LESS 0, TO_UNDISCLOSED_RECIPIENTS 0,
WEBMAIL_SOURCE 0, WEBMAIL_XMAILER 0, __CT 0, __CTE 0, __CT_TEXT_PLAIN 0,
__FRAUD_419_WEBMAIL 0, __FRAUD_419_WEBMAIL_REPLYTO 0, __HAS_BLIZZARD_RCVD 0,
__HAS_MSGID 0, __HAS_X_MAILER 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0,
__PHISH_SPEAR_HTTP_RECEIVED 0, __PHISH_SPEAR_STRUCTURE_1 0,
__PHISH_SPEAR_STRUCTURE_2 0, __SANE_MSGID 0'
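As an added example, not part of Vidar's post or of any tool mentioned in it, the script below automates the header triage the post does by hand: it walks the Received chain from the bottom (earliest hop) up, pulls out the originating IP, the submitting host and any authenticated webmail account in the first hop, and flags a Reply-To whose domain differs from From and a From domain that does not match the host the message actually entered at. The sample header block is reconstructed from the headers quoted above (re-folded with leading whitespace so the stdlib parser treats continuation lines correctly, and with the archive's " at " obfuscation turned back into "@"); the function names and the wording of the findings are my own.

```python
"""Abuse-report header triage: locate the originating hop of a message,
any authenticated submitter, and obvious sender/reply-to inconsistencies."""
import re
from email.parser import HeaderParser

# Constructed sample, rebuilt from the headers in the report above and
# re-folded so continuation lines start with whitespace.
SAMPLE_HEADERS = """\
Return-Path: <admin@ventelo.no>
Received: from mx11.isp.kq.no (unknown [192.168.97.60])
    by sb2.isp.kq.no (Postfix) with ESMTP id 6C91F6000805A;
    Sat, 10 Jan 2009 08:45:22 +0100 (CET)
Received: from mail.law.gwu.edu (mail.law.gwu.edu [128.164.132.6])
    by mx11.isp.kq.no (Postfix) with ESMTP id 556632AA61A;
    Sat, 10 Jan 2009 08:35:23 +0100 (CET)
Received: (from mail.law.gwu.edu [212.100.250.230])
    by mail.law.gwu.edu (MOS 3.8.7a)
    with HTTP/1.1 id BJV61204 (AUTH mbeatty);
    Sat, 10 Jan 2009 02:45:11 -0500 (EST)
From: "mail.ventelo.no" <admin@ventelo.no>
Subject: Webmaster E-post-konto Oppgradering
Reply-To: upgradeceenter@yahoo.com.hk
X-Mailer: Mirapoint Webmail Direct 3.8.7a
Message-Id: <20090110024511.BJV61204@mail.law.gwu.edu>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # first bracketed IPv4
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")          # receiving host
AUTH_RE = re.compile(r"\(AUTH\s+([^)\s]+)\)")           # SMTP/webmail auth user
WITH_RE = re.compile(r"\bwith\s+(\S+)")                 # protocol token


def parse_received(raw_headers):
    """Return one dict per Received header, in header order (newest first)."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        ip, by, auth, proto = (rx.search(flat) for rx in (IP_RE, BY_RE, AUTH_RE, WITH_RE))
        hops.append({
            "from_ip": ip.group(1) if ip else None,
            "by": by.group(1).lower() if by else None,
            "auth_user": auth.group(1) if auth else None,
            "protocol": proto.group(1) if proto else None,
        })
    return hops


def domain_of(addr):
    """Domain part of the first address in a From/Reply-To value."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else None


def triage(raw_headers):
    """Summarise where the message came from and what looks inconsistent."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = parse_received(raw_headers)
    # Received headers are prepended on each hop, so the last one is the origin.
    origin = hops[-1] if hops else {}
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if origin.get("by") and from_dom and not origin["by"].endswith(from_dom):
        findings.append(f"From claims {from_dom} but message was submitted at {origin['by']}")
    if origin.get("auth_user"):
        findings.append(f"submitted through authenticated account {origin['auth_user']} "
                        f"from {origin['from_ip']} (possible account compromise)")
    if (origin.get("protocol") or "").upper().startswith("HTTP"):
        findings.append("first hop is a webmail (HTTP) submission")
    return {
        "origin_ip": origin.get("from_ip"),
        "submitting_host": origin.get("by"),
        "auth_user": origin.get("auth_user"),
        "hops": len(hops),
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HEADERS)
    print(f"origin {result['origin_ip']} via {result['submitting_host']} "
          f"auth={result['auth_user']} hops={result['hops']}")
    for f in result["findings"]:
        print(" -", f)
```

The origin IP and the AUTH user from the bottom Received line are what you send to the hosting provider's abuse contact; the Reply-To/From mismatch and the "claims one domain, submitted at another" check are the same signals the PerlMx report above scores as WEBMAIL_REPLYTO_NOT_FROM and FRAUD_IP_WITH_HTTP, so the script is a cheap first pass before a human reads the message.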