[nsp-sec] Webmail phish @ w.cn (AS 4134) [sent via AS 1916]

William Allen Simpson william.allen.simpson at gmail.com
Thu Mar 4 07:31:31 EST 2010


Yet another w.cn scam.

AS      | IP               | AS Name
4134    | 122.225.105.9    | CHINANET-BACKBONE No.31,Jin-rong Street

Sender is a webmail provider:

AS      | IP               | AS Name
1916    | 192.188.11.94    | Rede Nacional de Ensino e Pesquisa

Infected host?

AS      | IP               | AS Name
5377    | 193.219.209.194  | TAIDE-EMEA Taide Network

===

Received: from campinhos.ufba.br (campinhos.ufba.br [192.188.11.60])
	by smtpgw1.ufba.br (8.14.3/8.14.3) with ESMTP id o248Qeos010678;
	Thu, 4 Mar 2010 05:26:40 -0300
Received: from cafarnaum.ufba.br (webmail.ufba.br [192.188.11.94])
	by campinhos.ufba.br (Postfix) with ESMTP id BF9FF1049BD;
	Thu,  4 Mar 2010 03:51:23 -0300 (BRT)
Received: by cafarnaum.ufba.br (Postfix, from userid 33)
	id 2DAA2140051; Thu,  4 Mar 2010 05:25:22 -0300 (BRT)
Received: from 193.219.209.194 ([193.219.209.194]) by webmail.ufba.br
	(Horde MIME library) with HTTP; Thu, 04 Mar 2010 05:25:19 -0300
Message-ID: <20100304052519.nrkgbnu9qyzwgwow at webmail.ufba.br>
Date:	Thu, 04 Mar 2010 05:25:19 -0300
From:	Webmail Upgrade Team <info at login.com>
Reply-to: upgradecct at w.cn
To:	undisclosed-recipients:;
Subject: Upgrade Your Email Account
MIME-Version: 1.0
Content-Type: text/plain;
	charset=ISO-8859-1;
	DelSp="Yes";
	format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.1.4)
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.8161:2.4.5,1.2.40,4.0.166
  definitions=2010-03-04_02:2010-02-06,2010-03-04,2010-03-04 signatures=0
Sender:	netdev-owner at vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List:	netdev at vger.kernel.org



ATTENTION:
WEBMAIL SUBSCRIBER:
This mail is to inform all our {WEBMAIL} users that we will be upgrading
our site in a couple of days from now. So you as a Subscriber of our site
you are required to send us your Email account details so as to enable us
know if you are still making use of your mail box. Further informed that
we will be deleting all mail account that is not functioning so as to
create more space for new user. so you are to send us your mail account
details which are as follows:

*User name:
*Password:
*Date of Birth:

Failure to do this will immediately render your email address deactivated
from our database. Your response should be send to the following e-mail
address. Your AdminManager:upgradecct at w.cn

Yours In Service.
Webmail Upgrade Team

----------------------------------------------------------------
Universidade Federal da Bahia - http://www.portal.ufba.br
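
Added example, not part of the original post: the checks the report above makes by eye (the webmail host and client address in the "with HTTP" hop, the From/Reply-To domain mismatch, the hidden recipient list), written in Python over headers trimmed from the quoted message. The function names and regular expressions are assumptions of this example.

```python
import re
from email import message_from_string

# Headers trimmed from the message above; the archive writes "@" as " at ".
SAMPLE = """\
Received: from campinhos.ufba.br (campinhos.ufba.br [192.188.11.60])
\tby smtpgw1.ufba.br (8.14.3/8.14.3) with ESMTP id o248Qeos010678;
\tThu, 4 Mar 2010 05:26:40 -0300
Received: from cafarnaum.ufba.br (webmail.ufba.br [192.188.11.94])
\tby campinhos.ufba.br (Postfix) with ESMTP id BF9FF1049BD;
\tThu,  4 Mar 2010 03:51:23 -0300 (BRT)
Received: by cafarnaum.ufba.br (Postfix, from userid 33)
\tid 2DAA2140051; Thu,  4 Mar 2010 05:25:22 -0300 (BRT)
Received: from 193.219.209.194 ([193.219.209.194]) by webmail.ufba.br
\t(Horde MIME library) with HTTP; Thu, 04 Mar 2010 05:25:19 -0300
From: Webmail Upgrade Team <info at login.com>
Reply-to: upgradecct at w.cn
To: undisclosed-recipients:;
Subject: Upgrade Your Email Account
"""

# A webmail front end records the browser's address in a "with HTTP" hop.
HTTP_HOP = re.compile(
    r"from\s+\S+\s+\(\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)\s.*?with HTTP", re.S)
ADDR = re.compile(r"[\w.+-]+(?:@| at )([\w.-]+\.[A-Za-z]{2,})")

def domain(value):
    """Domain of the first address in a header value, or None."""
    m = ADDR.search(value or "")
    return m.group(1).lower() if m else None

def triage(raw):
    msg = message_from_string(raw)
    out = {"webmail_host": None, "client_ip": None}
    # Received lines are newest first; walk from the oldest hop upward.
    for hop in reversed(msg.get_all("Received", [])):
        m = HTTP_HOP.search(hop)
        if m:
            out["client_ip"], out["webmail_host"] = m.group(1), m.group(2)
            break
    sender, reply = domain(msg.get("From")), domain(msg.get("Reply-To"))
    out["reply_to_mismatch"] = bool(sender and reply and sender != reply)
    to = (msg.get("To") or "").lower()
    out["hidden_recipients"] = "undisclosed-recipients" in to
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```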


