[nsp-sec] AOL to the WCP

David Freedman david.freedman at uk.clara.net
Mon Jan 25 19:29:44 EST 2010


Would appreciate some help getting the dropbox for this phish nailed; the domain is possibly legit, but I can only follow it back as far as AOL mxxen:

Non-authoritative answer:
engineer.com	mail exchanger = 15 mailin-02.mx.aol.com.
engineer.com	mail exchanger = 15 mailin-01.mx.aol.com.
engineer.com	mail exchanger = 15 mailin-04.mx.aol.com.
engineer.com	mail exchanger = 15 mailin-03.mx.aol.com.

If the domain is legitimate then it is possibly hijacked; clara.net at engineer.com is set as reply-to and there are no further addresses in the mail.


Regards, 

David Freedman
Clara.net 

CC:	recipient list not shown: ;
MIME-Version:	1.0
X-Sender-Verification-Failed:	Sender verify failed
X-Borderscout-Virus:	clean
Importance:	Normal
content-type:	text/plain; charset="utf-8"
Reply-To:	clara.net at engineer.com
Received:	from staff00.mail.eu.clara.net ([80.168.65.68]) by rtfe03.uk.clara.net with esmtp (Exim 4.60) (envelope-from <webmasters at clara.net>) id 1NZYv6-0002nA-RH for peering at tkt.uk.clara.net; Tue, 26 Jan 2010 00:04:36 +0000
Received:	from mx00.mail.eu.clara.net ([213.253.3.20]:42562) by staff00.mail.eu.clara.net (staff00.mail.eu.clara.net [80.168.65.68]:25) with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32) id 1NZYv6-0003u3-1l for peering at eu.clara.net (return-path <webmasters at clara.net>); Tue, 26 Jan 2010 00:04:36 +0000
Received:	from marcie.netcarrier.net ([216.178.72.21]:59306) by mx00.mail.eu.clara.net (mx-vh.clara.net [213.253.3.20]:1025) with smtp id 1NZYv6-0007QJ-0R for peerops at clara.net (return-path <webmasters at clara.net>); Tue, 26 Jan 2010 00:04:36 +0000
Received:	(qmail 95986 invoked from network); 26 Jan 2010 00:04:29 -0000
Received:	from dion.netcarrier.net (HELO netcarrier.com) (66.212.2.70) by marcie.netcarrier.net with SMTP; 26 Jan 2010 00:04:29 -0000
Received:	(qmail 9935 invoked by uid 80); 26 Jan 2010 00:04:34 -0000
Received:	from 174.34.135.146 (SquirrelMail authenticated user theresak) by webmail.netcarrier.com with HTTP; Mon, 25 Jan 2010 19:04:34 -0500 (EST)
Subject:	Clara.net Notice
User-Agent:	SquirrelMail/1.4.4
X-Priority:	3 (Normal)
Date:	Mon, 25 Jan 2010 19:04:34 -0500 (EST)
X-Original-Recipient:	peerops at clara.net
Message-Id:	<3731.174.34.135.146.1264464274.squirrel at webmail.netcarrier.com>

 
Attention:Clara.net Email User

Claranet Limited is upgrading database Servers from
the old Servers(Nol06769) to the new Servers
(No521766).

You are to fill the details  to enable us upgrade and
verify from the old server.



 FILL THE DETAILS BELOW OR ANYWHERE IN THE MAIL



Username:






Password :






Address:







City:



Attention:Account owners who do not update his or
her account immediately you receive this Notification
will have problems using our online facilities
effectively.



Notification Code:AXX1A13ABJ



The Claranet Limited Upgrade Team

Thanks for your co-operation.
Copyright (c) 2009.All rights reserved.






------------------------------------------------
David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net
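
The header triage done by hand in the post above can be scripted; this is an added example, not part of the original post or of any Claranet tooling. It walks the Received chain oldest-first to find where the message entered the mail system, then compares the Reply-To domain with the envelope sender. The function names and the abridged sample headers are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers abridged from the forwarded phish on this page. The list archive's
# " at " address obfuscation is kept as-is and undone in code.
SAMPLE = """\
Reply-To: clara.net at engineer.com
Received: from marcie.netcarrier.net ([216.178.72.21]:59306) by mx00.mail.eu.clara.net with smtp for peerops at clara.net (return-path <webmasters at clara.net>); Tue, 26 Jan 2010 00:04:36 +0000
Received: (qmail 95986 invoked from network); 26 Jan 2010 00:04:29 -0000
Received: from dion.netcarrier.net (HELO netcarrier.com) (66.212.2.70) by marcie.netcarrier.net with SMTP; 26 Jan 2010 00:04:29 -0000
Received: (qmail 9935 invoked by uid 80); 26 Jan 2010 00:04:34 -0000
Received: from 174.34.135.146 (SquirrelMail authenticated user theresak) by webmail.netcarrier.com with HTTP; Mon, 25 Jan 2010 19:04:34 -0500 (EST)
Subject: Clara.net Notice

"""

HOP = re.compile(r"from\s+(\S+)(.*?)\sby\s+(\S+)", re.S)
IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
ENVELOPE = re.compile(r"(?:return-path|envelope-from) <([^>]+)>")

def domain_of(addr):
    """Domain part of an address, undoing the archive's ' at ' obfuscation."""
    addr = re.sub(r"\s+at\s+", "@", addr or "")
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def hops(msg):
    """Received hops, oldest first, as (from_host, from_ip, by_host)."""
    out = []
    for raw in reversed(msg.get_all("Received", [])):
        m = HOP.match(raw.strip())
        if m:  # skips local qmail hand-off lines that name no peer
            ip = IPV4.search(m.group(1) + m.group(2))
            out.append((m.group(1), ip.group(0) if ip else None, m.group(3)))
    return out

def triage(raw):
    msg = message_from_string(raw)
    chain = hops(msg)
    env = ENVELOPE.search(" ".join(msg.get_all("Received", [])))
    reply, sender = domain_of(msg["Reply-To"]), domain_of(env.group(1) if env else "")
    return {
        "origin_ip": chain[0][1] if chain else None,  # as recorded by the first relay
        "submitted_via": chain[0][2] if chain else None,
        "reply_to_domain": reply,
        "envelope_domain": sender,
        "reply_to_mismatch": bool(reply and sender and reply != sender),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only hops written by relays you control are trustworthy; earlier Received lines are whatever the upstream servers chose to record.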



