[nsp-sec] kimo.com/tw.yahoo.com phishing drop box

Daniel Adinolfi dra1 at cornell.edu
Thu Mar 4 11:50:41 EST 2010


Folks,

We just got phished from a compromised med.cornell.edu account.  The  
reply-to address is mrgordon at kimo.com.  If I'm reading stuff  
correctly, kimo.com's email is handled by tw.yahoo.com.

kimo.com has address 206.190.60.37
kimo.com has address 68.180.206.184
kimo.com mail is handled by 5 mx1.mail.tw.yahoo.com.
kimo.com mail is handled by 5 mx2.mail.tw.yahoo.com.

AS      | IP               | AS Name
14779   | 206.190.60.37    | INKTOMI-LAWSON - Inktomi Corporation
PEER_AS | IP               | AS Name
10310   | 206.190.60.37    | YAHOO-1 - Yahoo!

AS      | IP               | AS Name
36752   | 68.180.206.184   | YAHOO-SP1 - Yahoo
PEER_AS | IP               | AS Name
10310   | 68.180.206.184   | YAHOO-1 - Yahoo!

Can someone in Yahooland please destroy this account?

Thanks.

-Dan


Received: from orchid.mail.cornell.edu (132.236.56.61) by
CASHUB04.exchange.cornell.edu (10.16.197.23) with Microsoft SMTP  
Server id
8.1.393.1; Thu, 4 Mar 2010 11:25:35 -0500
Received: (from daemon at localhost)	by orchid.mail.cornell.edu  
(8.13.6/8.13.6)
id o24GPUdN018016;	Thu, 4 Mar 2010 11:25:30 -0500 (EST)
Received: from localhost.localdomain (poppy.mail.cornell.edu  
[132.236.56.48])
	by orchid.mail.cornell.edu (8.13.6/8.13.6) with ESMTP id  
o24GPUFT017965;	Thu,
4 Mar 2010 11:25:30 -0500 (EST)
Received: from poppy	by poppy with queue id 121470115-10;	Thu, 04 Mar  
2010
16:25:00 GMT
Received: from mail-gw2.med.cornell.edu (mail-gw2.med.cornell.edu
[140.251.3.2])	by  with SMTP id ;	Thu, 04 Mar 2010 16:25:00 GMT
	(envelope-from kjtardif at med.cornell.edu)
Received: from mpx6.med.cornell.edu ([140.251.11.120]) by
mail-gw2.med.cornell.edu (Sun Java(tm) System Messaging Server 6.3-8.03
(built Apr 24 2009; 32bit)) with ESMTP id
<0KYR000ECMXE64C0 at mail-gw2.med.cornell.edu>; Thu, 04 Mar 2010 11:24:51  
-0500
(EST)
Received: from med.cornell.edu ([unknown] [140.251.14.74]) by
mpx6.med.cornell.edu (Sun Java(tm) System Messaging Server 7u2-7.04  
64bit
(built Jul  2 2009)) with ESMTP id <0KYR00KWTMX3I390 at mpx6.med.cornell.edu 
 >;
Thu, 04 Mar 2010 11:24:50 -0500 (EST)
Received: from [140.251.14.74] (Forwarded-For: 41.190.2.24) by
mpx6.med.cornell.edu (mshttpd); Thu, 04 Mar 2010 16:24:38 +0000 (GMT)
From: Kenneth Tardiff <kjtardif at med.cornell.edu>
Date: Thu, 4 Mar 2010 11:24:38 -0500
Subject: Attn; Cornell.edu  Valued Member
Thread-Topic: Attn; Cornell.edu  Valued Member
Thread-Index: Acq7t1F9zTLxBCDcSZq8rD8YmlCEDQ==
Message-ID: <72d0b0b7d7c7.4b8fdec6 at med.cornell.edu>
Reply-To: "mrgordon at kimo.com" <mrgordon at kimo.com>
Accept-Language: en
Content-Language: en
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-AuthSource: CASHUB04.exchange.cornell.edu
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en
x-ph: V4.1 at orchid
x-pmx-version: 5.5.9.388399, Antispam-Engine: 2.7.2.376379, Antispam- 
Data:
2010.3.4.161541
x-pmx-cornell-spam-checked: poppy
x-perlmx-spam: Gauge=XXXXIIIIII, Probability=46%, Report='  
PHISH_SPEAR1_X3
3, PHISH_SPEAR2_X3 1, FRAUD_IP_FORWARDED_FOR 0.5, HTML_NO_HTTP 0.1,
PHISH_SPEAR_CONTENT_X3 0.1, BODY_SIZE_1400_1499 0, BODY_SIZE_2000_LESS  
0,
BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, MISSING_HEADERS 0,
TO_MALFORMED 0, WEBMAIL_SOURCE 0, __CT 0, __CTYPE_HAS_BOUNDARY 0,
__CTYPE_MULTIPART 0, __CTYPE_MULTIPART_ALT 0, __FRAUD_CONTACT_NUM 0,
__FRAUD_SUBJ_A 0, __HAS_HTML 0, __HAS_MSGID 0, __HAS_X_MAILER 0,  
__MIME_HTML
0, __MIME_VERSION 0, __PHISH_SPEAR_ACCOUNT_1 0, __PHISH_SPEAR_GREETING  
0,
__PHISH_SPEAR_HTTP_RECEIVED 0, __PHISH_SPEAR_PASSWORD_1 0,
__PHISH_SPEAR_STRUCTURE_1 0, __PHISH_SPEAR_STRUCTURE_2 0, __SANE_MSGID  
0'
Content-Type: multipart/alternative;
	boundary="_000_72d0b0b7d7c74b8fdec6medcornelledu_"
MIME-Version: 1.0

--_000_72d0b0b7d7c74b8fdec6medcornelledu_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Attn; Cornell.edu  Valued Member,

Due to the congestion in our Cornell.edu   servers,there would be  
removal o=
f all unused Accounts.You will have to confirm if your E-mail is still  
acti=
ve by filling out your login info below.

   Username:..................
   Password:...................
   Phonenumber:.................

--_000_72d0b0b7d7c74b8fdec6medcornelledu_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<p /><p>Attn; Cornell.edu=A0 Valued Member,</p><p><br />Due to the  
congesti=
on in our Cornell.edu=A0=A0 servers,there would be removal of all  
unused Ac=
counts.You will have to confirm if your E-mail is still active by  
filling o=
ut your login info below.<br />=A0<br />=A0=A0=A0  
Username:................=
..<br />=A0=A0=A0 Password:...................<br />=A0=A0=A0  
Phonenumber:.=
................</p>

--_000_72d0b0b7d7c74b8fdec6medcornelledu_--
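Added here as an example of the header triage the post walks through (not code from the post or from Cornell): it parses a constructed excerpt of the quoted headers, with `@` restored where the archive shows ` at `, and pulls out the webmail Forwarded-For origin, the From/Reply-To domain mismatch, and the non-zero PerlMx rule scores.

```python
import re
from collections import defaultdict

# Constructed excerpt of the headers quoted above; continuation lines are
# re-folded with leading whitespace the way RFC 5322 folds them.
SAMPLE_HEADERS = """\
Received: from mpx6.med.cornell.edu ([140.251.11.120]) by
 mail-gw2.med.cornell.edu with ESMTP; Thu, 04 Mar 2010 11:24:51 -0500 (EST)
Received: from [140.251.14.74] (Forwarded-For: 41.190.2.24) by
 mpx6.med.cornell.edu (mshttpd); Thu, 04 Mar 2010 16:24:38 +0000 (GMT)
From: Kenneth Tardiff <kjtardif@med.cornell.edu>
Subject: Attn; Cornell.edu  Valued Member
Reply-To: "mrgordon@kimo.com" <mrgordon@kimo.com>
x-perlmx-spam: Gauge=XXXXIIIIII, Probability=46%, Report='
 PHISH_SPEAR1_X3 3, PHISH_SPEAR2_X3 1, FRAUD_IP_FORWARDED_FOR 0.5,
 HTML_NO_HTTP 0.1, BODY_SIZE_2000_LESS 0, WEBMAIL_SOURCE 0'
"""

def parse_headers(raw):
    """Unfold RFC 5322 header lines into {lowercase-name: [values]}."""
    headers = defaultdict(list)
    name = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:      # folded continuation line
            headers[name][-1] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers[name].append(value.strip())
    return headers

def origin_ip(headers):
    """Client IP the webmail gateway recorded as Forwarded-For. Received
    headers are prepended per hop, so the last one is nearest the sender."""
    for hop in reversed(headers.get("received", [])):
        m = re.search(r"Forwarded-For:\s*(\d{1,3}(?:\.\d{1,3}){3})", hop)
        if m:
            return m.group(1)
    return None

def reply_to_mismatch(headers):
    """Return (from_domain, reply_to_domain) when replies go elsewhere."""
    def domain(field):
        m = re.search(r"[\w.+-]+@([\w.-]+)", headers.get(field, [""])[0])
        return m.group(1).lower() if m else None
    f, r = domain("from"), domain("reply-to")
    return (f, r) if r and r != f else None

def spam_rule_hits(headers):
    """Rules with a non-zero score in the x-perlmx-spam Report='...' field."""
    report = headers.get("x-perlmx-spam", [""])[0]
    hits = re.findall(r"([A-Z][A-Z0-9_]+)\s+([0-9.]+)", report)
    return {rule: float(score) for rule, score in hits if float(score) > 0}
```

The Forwarded-For hop is the one to hand to the abuse contact: every earlier Received line is Cornell's own infrastructure relaying a message that was sent through the compromised webmail session.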
