[nsp-sec] phishing icm.edu.pl

William Allen Simpson william.allen.simpson at gmail.com
Fri Jan 29 11:57:47 EST 2010


This doesn't seem to fall under our cymru phishing reports, so I'll pass
this along here, and hopefully somebody can quash the drop box at:

   webmail-helpdesk-usersupport3 at sogomail.com

sogomail.com.		7200	IN	A	97.74.180.1
;; WHEN: Fri Jan 29 11:52:15 2010

I'd report the ASN and peer, but both v4.whois.cymru.com and
v4-peer.whois.cymru.com are timing out!

===

Received: from gharial.ui.ac.id ([152.118.24.49]:53643 "EHLO gharial.ui.ac.id"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752022Ab0A2QAd convert rfc822-to-8bit (ORCPT
	<rfc822;netdev at vger.kernel.org>); Fri, 29 Jan 2010 11:00:33 -0500
X-Greylist: delayed 408 seconds by postgrey-1.27 at vger.kernel.org; Fri, 29 Jan 2010 11:00:32 EST
Received: from localhost (unknown [152.118.24.147])
	by gharial.ui.ac.id (Postfix) with ESMTP id C20681CA26A;
	Fri, 29 Jan 2010 22:52:44 +0700 (WIT)
X-Virus-Scanned: Debian amavisd-new at kadal.ui.ac.id
Received: from gharial.ui.ac.id ([152.118.24.49])
	by localhost (kadal.ui.ac.id [152.118.24.147]) (amavisd-new, port 10024)
	with ESMTP id kk-4gxK6ROd4; Fri, 29 Jan 2010 22:53:28 +0700 (WIT)
Received: from smtp.ui.ac.id (localhost [127.0.0.1])
	by gharial.ui.ac.id (Postfix) with ESMTP id C6B0B1CA0F5;
	Fri, 29 Jan 2010 22:52:36 +0700 (WIT)
Received: from smtp.ui.ac.id ([152.118.24.129] helo=smtp.ui.ac.id) by
	gharial.ui.ac.id; 29 Jan 2010 22:52:36 +0700
Received: from smtp.ui.ac.id (localhost [127.0.0.1])
	by smtp.ui.ac.id (Postfix) with ESMTP id C06BD2890;
	Fri, 29 Jan 2010 22:53:28 +0700 (WIT)
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=ui.ac.id; h=message-id
	:date:subject:from:reply-to:mime-version:content-type:to:
	content-transfer-encoding; s=mail; bh=jCHCoOXJW/Dw8LGyDU5t6AV8WX
	M=; b=OxtAlJ/twYLKJ9CEnDW6A1qkICKfPUKOmNWR2R9Lhbq2Qlhwoo6rXZBuvX
	hyrVvmWLDrP6Od8RGYZA21fdx7nt3vcdMBpx1X9lfT1hv2bseBsZTV6dQKfmYmfb
	tgoFkhhgi9S8eW5tXiciniALu7LReDtJpM3lbAzFqIDsYQkrU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=ui.ac.id; h=message-id:date
	:subject:from:reply-to:mime-version:content-type:to:
	content-transfer-encoding; q=dns; s=mail; b=xSmOf0hvlu4UBnl5Isc0
	YLkUhyXUK1j3ErsL2RIo69oXnXtDUE6+27eZmwuh9HyjH+HXQBeMQeL4GQHQXAHz
	aakxiqyA7W5dnMyJrIpZzFDNL2Tm5CZV9T3EPpvS7tisG7pk5p4A4S3YICireE75
	0ZbUzJva2SkRHIyWYMvFT+4=
Received: from webmail.ui.ac.id (alumni.ui.ac.id [152.118.24.119])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	(Authenticated sender: budiarso)
	by smtp.ui.ac.id (Postfix) with ESMTPSA id 0F51CF9D;
	Fri, 29 Jan 2010 22:53:28 +0700 (WIT)
Received: from 78.138.3.237
         (SquirrelMail authenticated user budiarso)
         by webmail.ui.ac.id with HTTP;
         Fri, 29 Jan 2010 15:53:27 -0000
Message-ID: <bef7a7e00028828e8f22d56da177a03e.squirrel at webmail.ui.ac.id>
Date:	Fri, 29 Jan 2010 15:53:27 -0000
Subject: Dear User
From:	"Strona Glowna - icm.edu.pl Webmail Support Center"
	<budiarso at ui.ac.id>
Reply-To: webmail-helpdesk-usersupport3 at sogomail.com
User-Agent: SquirrelMail/1.4.19
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
X-Priority: 3 (Normal)
Importance: Normal
To:	undisclosed-recipients:;
Content-Transfer-Encoding: 8BIT
Sender:	netdev-owner at vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List:	netdev at vger.kernel.org

Welcome to Strona Główna - icm.edu.pl Webmail Service.........

This is to inform you that your (ICM UW  Mail) is infected by virus and we
need you to assist us in solving the virus problem, so that we can protect
your e-mail account.

Verify the below informations and send it back to us immediately. You have
only 24 hours to get these informations to us or your email account will
be disabled to protect other email accounts.

Webmail Account Verification:
*.Full Names:.......
*.Email:................
*.UserID:.........
*.Password:..........
*.Phone no:...........

Thank you for using https://webmail.icm.edu.pl/src/login.php
Copyright ©2009 Strona Glowna - icm.edu.pl Webmail Support Center
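
The indicators visible in the headers above can be pulled out mechanically. This is an added example, not part of the original post: it parses a trimmed copy of those headers and reports the Reply-To/From domain mismatch, the domain the display name claims, and the client IP and account recorded by the SquirrelMail `Received` line. The function names (`parse_header_addr`, `webmail_origin`, `triage`) are hypothetical, and the code assumes the archive's "user at host" address rewriting.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers trimmed from the message quoted above; the archive's " at " is kept.
RAW = """\
Received: from webmail.ui.ac.id (alumni.ui.ac.id [152.118.24.119])
\t(Authenticated sender: budiarso)
\tby smtp.ui.ac.id (Postfix) with ESMTPSA id 0F51CF9D;
\tFri, 29 Jan 2010 22:53:28 +0700 (WIT)
Received: from 78.138.3.237
         (SquirrelMail authenticated user budiarso)
         by webmail.ui.ac.id with HTTP;
         Fri, 29 Jan 2010 15:53:27 -0000
From: "Strona Glowna - icm.edu.pl Webmail Support Center"
\t<budiarso at ui.ac.id>
Reply-To: webmail-helpdesk-usersupport3 at sogomail.com
"""

def parse_header_addr(value):
    """Unfold a header, undo 'user at host' rewriting, return (name, addr)."""
    value = " ".join(value.split())
    value = re.sub(r"([\w.+-]+) at ([\w-]+(?:\.[\w-]+)+)", r"\1@\2", value)
    name, addr = parseaddr(value)
    return name, addr.lower()

def webmail_origin(msg):
    """(client_ip, account) from a SquirrelMail HTTP Received line, else None."""
    pat = r"from\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(SquirrelMail authenticated user (\S+)\)"
    for rcvd in msg.get_all("Received", []):
        if m := re.search(pat, rcvd):
            return m.group(1), m.group(2)

def triage(raw):
    """Collect the header mismatches that mark a credential-phishing message."""
    msg = message_from_string(raw)
    name, sender = parse_header_addr(msg["From"])
    _, reply_to = parse_header_addr(msg.get("Reply-To", msg["From"]))
    sender_dom = sender.rpartition("@")[2]
    named = [d.lower() for d in re.findall(r"[\w-]+(?:\.[\w-]+)+", name)]
    return {
        "sender": sender,
        "reply_to": reply_to,
        "reply_to_mismatch": reply_to.rpartition("@")[2] != sender_dom,
        "display_name_domains": [d for d in named if d != sender_dom],
        "webmail_origin": webmail_origin(msg),
    }

if __name__ == "__main__":
    print(triage(RAW))
```
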

