[nsp-sec] ACK 8928 RE: Phishing form @ AS21069

Mike Hellers Mike.Hellers at interoute.com
Thu Nov 19 10:53:31 EST 2009


They are one of our (AS8928) downstream customers. I will see what I can
do to get it taken offline.

Thanks for the info.

Regards,
       ...mike

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-
> bounces at puck.nether.net] On Behalf Of Gabriel Iovino
> Sent: 19 November 2009 14:30
> To: NSP nsp-security
> Subject: [nsp-sec] Phishing form @ AS21069
> 
> ----------- nsp-security Confidential --------
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Greetings,
> 
> Can anyone assist in getting this Phishing form taken offline?
> 
> [url] hxxp://morganti.ch/use/pingset/form1.html
> 
> AS      | IP               | AS Name
> 21069   | 80.74.156.168    | ASN-METANET METANET AG, Switzerland
> 
> Additional information:
> 
> > Return-path: <info at xxx.edu>
> > Received: from xxx.xxx.edu (xxx.xxx.edu [xxx.xxx.124.79])
> >  by xxx.xxx.edu
> >  (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug  8 2006))
> >  with ESMTP id <0KTA000O4YR3NV at xxx.xxx.edu> for
> >  xxx at xxx.edu; Wed, 18 Nov 2009 06:33:03 -0500 (EST)
> > Received: from xxx.xxx.edu (xxx.xxx.edu [127.0.0.1])
> > 	by localhost (Postfix) with SMTP id 78E9A8CCDF1	for
> >  <xxx at xxx.xxx.edu>; Wed, 18 Nov 2009 06:33:03 -0500 (EST)
> > Received: from mail.crida.ernet.in (mail.crida.ernet.in [202.141.78.13])
> > 	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
> > 	(No client certificate requested)	by xxx.xxx.edu (Postfix)
> >  with ESMTP id 5FDA98CCE4E	for <xxx at xxx.edu>; Wed,
> >  18 Nov 2009 06:33:01 -0500 (EST)
> > Received: (qmail 12409 invoked by uid 509); Wed, 18 Nov 2009 16:46:49 +0530
> > Received: from 127.0.0.1 by mail.crida.ernet.in
> >  (envelope-from <info at xxx.edu>, uid 507) with qmail-scanner-1.25-st-qms
> >  (clamdscan: 0.95.2/9812. spamassassin: 3.1.7. perlscan: 1.25-st-qms.
> >  Clear:RC:1(127.0.0.1):. Processed in 0.018851 secs); Wed,
> >  18 Nov 2009 11:16:49 +0000
> > Received: from localhost (HELO mail.crida.ernet.in)
> >  (kausalya at crida.ernet.in@127.0.0.1) by mail.crida.ernet.in with SMTP;
> >  Wed, 18 Nov 2009 16:46:49 +0530
> > Received: from 81.199.63.156 (proxying for unknown)
> >  (SquirrelMail authenticated user kausalya at crida.ernet.in)
> >  by mail.crida.ernet.in with HTTP; Wed, 18 Nov 2009 16:46:49 +0530
> > Date: Wed, 18 Nov 2009 16:46:49 +0530
> > From: Computing Services <info at xxx.edu>
> > Subject: System Notice
> > To: undisclosed-recipients: ;
> > Reply-to: admin at xxx.edu
> > Message-id: <b345a57a2030206ee1beda8f1eb51613.squirrel at mail.crida.ernet.in>
> > MIME-version: 1.0
> > Content-type: text/plain; charset=iso-8859-1
> > Content-transfer-encoding: 8bit
> > Importance: Normal
> > X-Priority: 3 (Normal)
> > User-Agent: SquirrelMail/1.4.19
> > X-Antivirus-MYDOMAIN-Mail-From: info at xxx.edu via mail.crida.ernet.in
> > X-Antivirus-MYDOMAIN: 1.25-st-qms (Clear:RC:1(127.0.0.1):. Processed in
> >  0.018851 secs Process 12400)
> > X-SpamTest-Version: SMTP-Filter Version 3.0.0 [0284], KAS30/Release
> > X-SpamTest-Info: Not protected
> > X-PMX-Version: 5.5.7.378829, Antispam-Engine: 2.7.2.376379,
> >  Antispam-Data: 2009.11.18.112122
> > Original-recipient: rfc822;xxx at xxx.xxx.edu
> >
> > System Notice:
> > New Webmail
> >
> > Computing Services is pleased to introduce a new version of webmail
> > (version 4.0) for use by the university community.
> >
> > This updated version has a number of improvements and additional
> > features. There are also a number of under-the-hood changes that improve
> > reliability and security. We are currently upgrading to our new version.
> >
> > However, please be aware that neither the preferences nor the address book
> > automatically carry over. To enable us carry over and to prevent your
> > account from closing you will have to validate it below so that we will
> > know that it's a present used account
> >
> > Please upgrade the new version here
> > hxxp://validateaccount65.9hz.com/
> >
> > University Computing Services Team
> 
> hxxp://morganti.ch/use/pingset/form1.html was a HTML frame in
> hxxp://validateaccount65.9hz.com/.
> 
> Thanks
> 
> Gabe
> 
> - --
> Gabriel Iovino
> Principal Security Engineer, REN-ISAC
> http://www.ren-isac.net
> 24x7 Watch Desk +1(317)278-6630
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
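Added example, not part of the thread: a small parser that walks the Received chain quoted in Gabe's report to find where the lure entered the mail system. It assumes the headers in constructed form (unwrapped, with the list's "at" obfuscation restored to "@", xxx redactions kept); it shows that the message was injected through an authenticated SquirrelMail session on mail.crida.ernet.in from 81.199.63.156, which is the hop a defender would act on (credential reset, session review), not the relaying university hosts.

```python
import ipaddress
import re
from email.parser import HeaderParser

# Constructed sample: the Received chain quoted in the report, unwrapped and
# with the mailing list's "at" obfuscation turned back into "@".
SAMPLE = """\
Received: from xxx.xxx.edu (xxx.xxx.edu [xxx.xxx.124.79]) by xxx.xxx.edu (iPlanet Messaging Server 5.2) with ESMTP id <0KTA000O4YR3NV@xxx.xxx.edu> for xxx@xxx.edu; Wed, 18 Nov 2009 06:33:03 -0500 (EST)
Received: from xxx.xxx.edu (xxx.xxx.edu [127.0.0.1]) by localhost (Postfix) with SMTP id 78E9A8CCDF1 for <xxx@xxx.xxx.edu>; Wed, 18 Nov 2009 06:33:03 -0500 (EST)
Received: from mail.crida.ernet.in (mail.crida.ernet.in [202.141.78.13]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by xxx.xxx.edu (Postfix) with ESMTP id 5FDA98CCE4E for <xxx@xxx.edu>; Wed, 18 Nov 2009 06:33:01 -0500 (EST)
Received: (qmail 12409 invoked by uid 509); Wed, 18 Nov 2009 16:46:49 +0530
Received: from 127.0.0.1 by mail.crida.ernet.in (envelope-from <info@xxx.edu>, uid 507) with qmail-scanner-1.25-st-qms; Wed, 18 Nov 2009 11:16:49 +0000
Received: from localhost (HELO mail.crida.ernet.in) (kausalya@crida.ernet.in@127.0.0.1) by mail.crida.ernet.in with SMTP; Wed, 18 Nov 2009 16:46:49 +0530
Received: from 81.199.63.156 (proxying for unknown) (SquirrelMail authenticated user kausalya@crida.ernet.in) by mail.crida.ernet.in with HTTP; Wed, 18 Nov 2009 16:46:49 +0530
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_hops(raw_headers):
    """Parse each Received header into a dict; hops are returned oldest first."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for rcv in reversed(msg.get_all("Received", [])):   # header order is newest-first
        rcv = " ".join(rcv.split())                     # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", rcv)
        m_ip = IP_RE.search(rcv)                        # first literal IPv4 in the hop
        m_with = re.search(r"\bby\s+\S+.*?\bwith\s+([\w.-]+)", rcv)  # protocol after "by"
        m_auth = re.search(r"authenticated user\s+([^\s)]+)", rcv)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "with": m_with.group(1) if m_with else None,
            "auth_user": m_auth.group(1) if m_auth else None,
        })
    return hops

def likely_origin(hops):
    """Oldest hop whose source IP is globally routable: the point where the
    message entered the mail system. Loopback/private relay hops are skipped."""
    for hop in hops:
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop
    return None

if __name__ == "__main__":
    print(likely_origin(received_hops(SAMPLE)))
```

The "with HTTP" plus "authenticated user" on the origin hop is the tell that a webmail account, not an open relay, was used; the relaying hosts above it only forwarded the message.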
