[nsp-sec] AOL to the WCP
Salusky, William
william.salusky at corp.aol.com
Mon Jan 25 21:34:16 EST 2010
Hi David,
Took a look at it and it showed its true colors. Mailbox terminated as
of 9:25pm -0500.
----
William Salusky
William.Salusky at corp.aol.com
Principal Technical Security Engineer - AOL Information Technology
Security CERT team
703-265-4924 (office) : 571-480-1933 (mobile)
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> David Freedman
> Sent: Monday, January 25, 2010 7:30 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] AOL to the WCP
>
> ----------- nsp-security Confidential --------
>
> would appreciate some help getting the dropbox for this phish
> nailed, domain possibly legit but can only follow it back as
> far as AOL mxxen:
>
> Non-authoritative answer:
> engineer.com mail exchanger = 15 mailin-02.mx.aol.com.
> engineer.com mail exchanger = 15 mailin-01.mx.aol.com.
> engineer.com mail exchanger = 15 mailin-04.mx.aol.com.
> engineer.com mail exchanger = 15 mailin-03.mx.aol.com.
>
> If the domain is legitimate then possibly hijacked,
> clara.net at engineer.com is set as reply-to and there are no
> further addresses in the mail.
>
>
> Regards,
>
> David Freedman
> Clara.net
>
> CC: recipient list not shown: ;
> MIME-Version: 1.0
> X-Sender-Verification-Failed: Sender verify failed
> X-Borderscout-Virus: clean
> Importance: Normal
> content-type: text/plain; charset="utf-8"
> Reply-To: clara.net at engineer.com
> Received: from staff00.mail.eu.clara.net ([80.168.65.68])
> by rtfe03.uk.clara.net with esmtp (Exim 4.60) (envelope-from
> <webmasters at clara.net>) id 1NZYv6-0002nA-RH for
> peering at tkt.uk.clara.net; Tue, 26 Jan 2010 00:04:36 +0000
> Received: from mx00.mail.eu.clara.net
> ([213.253.3.20]:42562) by staff00.mail.eu.clara.net
> (staff00.mail.eu.clara.net [80.168.65.68]:25) with esmtps
> (TLS-1.0:RSA_AES_256_CBC_SHA1:32) id 1NZYv6-0003u3-1l for
> peering at eu.clara.net (return-path <webmasters at clara.net>);
> Tue, 26 Jan 2010 00:04:36 +0000
> Received: from marcie.netcarrier.net
> ([216.178.72.21]:59306) by mx00.mail.eu.clara.net
> (mx-vh.clara.net [213.253.3.20]:1025) with smtp id
> 1NZYv6-0007QJ-0R for peerops at clara.net (return-path
> <webmasters at clara.net>); Tue, 26 Jan 2010 00:04:36 +0000
> Received: (qmail 95986 invoked from network); 26 Jan 2010
> 00:04:29 -0000
> Received: from dion.netcarrier.net (HELO netcarrier.com)
> (66.212.2.70) by marcie.netcarrier.net with SMTP; 26 Jan 2010
> 00:04:29 -0000
> Received: (qmail 9935 invoked by uid 80); 26 Jan 2010
> 00:04:34 -0000
> Received: from 174.34.135.146 (SquirrelMail authenticated
> user theresak) by webmail.netcarrier.com with HTTP; Mon, 25
> Jan 2010 19:04:34 -0500 (EST)
> Subject: Clara.net Notice
> User-Agent: SquirrelMail/1.4.4
> X-Priority: 3 (Normal)
> Date: Mon, 25 Jan 2010 19:04:34 -0500 (EST)
> X-Original-Recipient: peerops at clara.net
> Message-Id:
> <3731.174.34.135.146.1264464274.squirrel at webmail.netcarrier.com>
>
>
> Attention:Clara.net Email User
>
> Claranet Limited is upgrading database Servers from the old
> Servers(Nol06769) to the new Servers (No521766).
>
> You are to fill the details to enable us upgrade and verify
> from the old server.
>
>
>
> FILL THE DETAILS BELOW OR ANYWHERE IN THE MAIL
>
>
>
> Username:
>
>
>
>
>
>
> Password :
>
>
>
>
>
>
> Address:
>
>
>
>
>
>
>
> City:
>
>
>
> Attention:Account owners who do not update his or her account
> immediately you receive this Notification will have problems
> using our online facilities effectively.
>
>
>
> Notification Code:AXX1A13ABJ
>
>
>
> The Claranet Limited Upgrade Team
>
> Thanks for your co-operation.
> Copyright (c) 2009.All rights reserved.
>
>
>
>
>
>
> ------------------------------------------------
> David Freedman
> Group Network Engineering
> Claranet Limited
> http://www.clara.net
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
>
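Worked example (added here; it is not code from either message in the thread): the triage David did by hand on the headers above, in Python. It walks the Received: chain newest-first to find the hop where the mail crossed Clara.net's perimeter, walks to the earliest hop to recover the injection point (a SquirrelMail authenticated session), and pulls the Reply-To dropbox so the right provider can be asked to kill the mailbox. The header sample is reconstructed from the quoted mail (the archive's " at " munging turned back into "@", long lines folded per RFC 5322); the MX table is the nslookup output quoted above, embedded so the script runs offline; the perimeter domain argument and all function names are this example's own.

```python
"""Phish header triage: perimeter hop, injection point, Reply-To dropbox.
Added example for this page, not code from the original thread."""
import re
from email import message_from_string
from email.utils import parseaddr

# Reconstructed from the quoted mail: "@" restored, long lines folded.
SAMPLE = """\
Reply-To: clara.net@engineer.com
Received: from staff00.mail.eu.clara.net ([80.168.65.68])
 by rtfe03.uk.clara.net with esmtp (Exim 4.60) (envelope-from
 <webmasters@clara.net>) id 1NZYv6-0002nA-RH for
 peering@tkt.uk.clara.net; Tue, 26 Jan 2010 00:04:36 +0000
Received: from mx00.mail.eu.clara.net ([213.253.3.20]:42562)
 by staff00.mail.eu.clara.net (staff00.mail.eu.clara.net [80.168.65.68]:25)
 with esmtps (TLS-1.0:RSA_AES_256_CBC_SHA1:32) id 1NZYv6-0003u3-1l for
 peering@eu.clara.net (return-path <webmasters@clara.net>);
 Tue, 26 Jan 2010 00:04:36 +0000
Received: from marcie.netcarrier.net ([216.178.72.21]:59306)
 by mx00.mail.eu.clara.net (mx-vh.clara.net [213.253.3.20]:1025) with smtp
 id 1NZYv6-0007QJ-0R for peerops@clara.net (return-path
 <webmasters@clara.net>); Tue, 26 Jan 2010 00:04:36 +0000
Received: (qmail 95986 invoked from network); 26 Jan 2010 00:04:29 -0000
Received: from dion.netcarrier.net (HELO netcarrier.com) (66.212.2.70)
 by marcie.netcarrier.net with SMTP; 26 Jan 2010 00:04:29 -0000
Received: (qmail 9935 invoked by uid 80); 26 Jan 2010 00:04:34 -0000
Received: from 174.34.135.146 (SquirrelMail authenticated user theresak)
 by webmail.netcarrier.com with HTTP; Mon, 25 Jan 2010 19:04:34 -0500 (EST)
Subject: Clara.net Notice
Message-Id: <3731.174.34.135.146.1264464274.squirrel@webmail.netcarrier.com>

Attention:Clara.net Email User
"""

# Constructed from the nslookup output in the post; no DNS is done here.
MX_RECORDS = {
    "engineer.com": ["mailin-01.mx.aol.com", "mailin-02.mx.aol.com",
                     "mailin-03.mx.aol.com", "mailin-04.mx.aol.com"],
}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"\bfrom\s+(\S+)(.*?)\s+by\s+(\S+)")
AUTH_USER = re.compile(r"authenticated user\s+([^\s)]+)")


def parse_received(value):
    """One Received: header -> dict.  Local qmail 'invoked ...' lines have
    no 'from X ... by Y' and come back with None fields."""
    value = " ".join(value.split())          # unfold continuation lines
    hop = {"from_host": None, "from_ip": None, "by_host": None, "auth_user": None}
    m = FROM_BY.search(value)
    if m:
        hop["from_host"] = m.group(1)
        ips = IPV4.findall(m.group(1) + " " + m.group(2))
        hop["from_ip"] = ips[0] if ips else None
        hop["by_host"] = m.group(3).rstrip(";")
    a = AUTH_USER.search(value)
    if a:
        hop["auth_user"] = a.group(1)
    return hop


def received_chain(raw):
    """All Received: headers, newest first (top of the message first)."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def in_domain(host, suffix):
    return host is not None and (host == suffix or host.endswith("." + suffix))


def perimeter_hop(hops, our_domain):
    """Newest-first, the first hop one of our hosts received from a host that
    is not ours.  Hops above it are our own relaying and trustworthy; hops
    below it were written by third parties and can be forged."""
    for hop in hops:
        if in_domain(hop["by_host"], our_domain) and not in_domain(hop["from_host"], our_domain):
            return hop
    return None


def origin_hop(hops):
    """Earliest hop naming a sender: the injection point if the third-party
    chain is honest (here, a webmail login, so the abused account is named)."""
    for hop in reversed(hops):
        if hop["from_host"]:
            return hop
    return None


def dropbox(raw, mx_records):
    """Reply-To address, its domain, and who hosts that domain's mail: the
    party to ask for a mailbox termination."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("Reply-To", ""))[1]
    domain = addr.rpartition("@")[2]
    # Simplification: last two labels of each MX host taken as the provider.
    providers = sorted({".".join(h.rstrip(".").split(".")[-2:])
                        for h in mx_records.get(domain, [])})
    return {"address": addr, "domain": domain, "mx_providers": providers}


def triage(raw, our_domain, mx_records):
    hops = received_chain(raw)
    return {"perimeter": perimeter_hop(hops, our_domain),
            "origin": origin_hop(hops),
            "dropbox": dropbox(raw, mx_records)}


if __name__ == "__main__":
    for key, val in triage(SAMPLE, "clara.net", MX_RECORDS).items():
        print(key, val)
```

On this sample the perimeter hop is marcie.netcarrier.net (216.178.72.21) handing off to mx00.mail.eu.clara.net, the origin is SquirrelMail user theresak logged in from 174.34.135.146 on webmail.netcarrier.com (what you would report to the webmail operator), and the Reply-To domain engineer.com is hosted on AOL's MXes, which is why the takedown request went to AOL rather than to the domain's registrant. The perimeter/origin split matters: only the hops above the perimeter were written by hosts you control; the netcarrier lines are believable here because they are internally consistent (the Message-Id carries the same client IP), not because Received: headers are inherently trustworthy.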