[nsp-sec] ATTN AOL, 419 Advance Fee Fraud drop box ectronic1964 at london.com
Salusky, William
william.salusky at teamaol.com
Mon Jan 3 10:08:27 EST 2011
ACK for both reports.
----
William Salusky
Princ. Technical Security Engineer - AOL Information Technology Security CERT team
703-265-4924 (office) : 571-480-1933 (mobile)
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Anthony Edwards
> Sent: Friday, December 31, 2010 7:39 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] ATTN AOL, 419 Advance Fee Fraud drop box ectronic1964 at london.com
>
> ----------- nsp-security Confidential --------
>
> Hi
>
> 419 Advance Fee Fraud drop box ectronic1964 at london.com:
>
> abuse at abuse:~$ host -t mx london.com
> london.com mail is handled by 10 mailin-01.mx.aol.com.
> london.com mail is handled by 10 mailin-04.mx.aol.com.
> london.com mail is handled by 10 mailin-03.mx.aol.com.
> london.com mail is handled by 10 mailin-02.mx.aol.com.
>
> : Return-path: <[2]uk_uk_ml2009 at live.com>
> : Received: from lomwsm01.mwlo.mailwatch.com [216.157.241.48]
> : by web.worldclassplastics.com; Wed, 29 Dec 2010 14:32:53 -0500
> : Received: from lomwqt01.mwlo.mailwatch.com ([216.157.241.245])
> : by lomwsm01.mwlo.mailwatch.com (8.13.5.20060308/8.13.5) with ESMTP id
> : oBTJWqPC011728
> : for <[3]bcronkleton at worldclassplastics.com>; Wed, 29 Dec 2010 14:32:52
> : -0500 (EST)
> : Received: from mail pickup service by lomwqt01.mwlo.mailwatch.com with
> : Microsoft SMTPSVC;
> : Wed, 29 Dec 2010 14:32:52 -0500
> : Received: from 216.157.241.245 ([216.157.241.245]) by
> : lomwsc19.mwlo.mailwatch.com with SMTP id
> : 00030013a71e8eda-01ed-4cae-87d4-910fc8e15033;
> : Wed, 29 Dec 2010 08:23:51 -0500
> : Received-SPF: softfail (lomwsm10.mwlo.mailwatch.com: domain of
> : transitioning [4]uk_uk_ml2009 at live.com does not designate 98.139.91.210
> : as permitted sender) receiver=lomwsm10.mwlo.mailwatch.com;
> : client_ip=98.139.91.210; [5]envelope-from=uk_uk_ml2009 at live.com;
> : Received: from nm16-vm0.bullet.mail.sp2.yahoo.com
> : (nm16-vm0.bullet.mail.sp2.yahoo.com [98.139.91.210])
> : by lomwsm10.mwlo.mailwatch.com (8.13.8/8.13.8/SuSE Linux 0.8) with
> : SMTP id oBTDNmBe003090
> : for <[6]jmacdonald at worldclassplastics.com>; Wed, 29 Dec 2010 08:23:50
> : -0500
> : X-MW-PTR-RESULT: OK nm16-vm0.bullet.mail.sp2.yahoo.com
> : Received: from [98.139.91.66] by nm16.bullet.mail.sp2.yahoo.com with
> : NNFMP; 29 Dec 2010 13:23:48 -0000
> : Received: from [98.139.91.59] by tm6.bullet.mail.sp2.yahoo.com with
> : NNFMP; 29 Dec 2010 13:23:48 -0000
> : Received: from [127.0.0.1] by omp1059.mail.sp2.yahoo.com with NNFMP; 29
> : Dec 2010 13:23:48 -0000
> : X-Yahoo-Newman-Property: ymail-3
> : X-Yahoo-Newman-Id: [7]414192.42103.bm at omp1059.mail.sp2.yahoo.com
> : Received: (qmail 92831 invoked by uid 60001); 29 Dec 2010 13:23:48
> : -0000
> : DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com;
> : s=s1024; t=1293629028; bh=Ku+m4I881jHwd8b1640F+BHaDVB7NxFS4X++E7fcfSA=;
> : h=Message-ID:X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:Date:From:Reply
> : -To:Subject:To:MIME-Version:Content-Type;
> : Message-ID: <[8]250393.91699.qm at web83704.mail.sp1.yahoo.com>
> : Received: from [196.215.3.119] by web83704.mail.sp1.yahoo.com via HTTP;
> : Wed, 29 Dec 2010 05:23:48 PST
> : X-RocketYMMF: [9]webi453 at att.net
> : X-Mailer: YahooMailClassic/11.4.20 YahooMailWebService/0.8.107.285259
> : Date: Wed, 29 Dec 2010 05:23:48 -0800 (PST)
> : From: "Dr.JAMES MARTINS" <[10]uk_uk_ml2009 at live.com>
> : Reply-To: [11]ectronic1964 at london.com
> : Subject: Fw: Attached letter from Dr.James Martins
> : To: undisclosed recipients: ;
> : MIME-Version: 1.0
> : Content-Type: multipart/mixed; boundary="0-665290508-1293629028=:91699"
> : X-MW-BTID: 090125000020103634823100001
> : X-MW-CTIME: 1293629028
> : X-MW-SENDING-MTA: 98.139.91.210
> : X-Brightmail-Tracker: AAAAAA==
> : X-Brightmail-ServerIP: 216.157.243.72:41000
> : X-Virus-Scanned: clamav-milter 0.96 at lomwsm10
> : X-Virus-Status: Clean
> : HOP-COUNT: 1
> : X-MAILWATCH-INSTANCEID: 01030013a71e8eda-01ed-4cae-87d4-910fc8e15033
> : X-OriginalArrivalTime: 29 Dec 2010 19:32:52.0225 (UTC)
> : FILETIME=[2F14DF10:01CBA78F]
> :
> :
> :
> : --0-665290508-1293629028=:91699
> : Content-Type: multipart/alternative;
> : boundary="0-1974622832-1293629028=:91699"
> :
> :
> :
> : --0-1974622832-1293629028=:91699
> : Content-Type: text/plain; charset=us-ascii
> :
> :
> :
> : Attached letter from Dr.James Martins
> : Please can i find a trust in you?
> : --0-1974622832-1293629028=:91699
> : Content-Type: text/html; charset=us-ascii
> :
> :
> :
> : <table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top"
> : style="font: inherit;">Attached letter from Dr.James Martins <br>Please
> : can i find a trust in you?</td></tr></table>
> : --0-1974622832-1293629028=:91699--
> : --0-665290508-1293629028=:91699
> : Content-Type: application/pdf; name=LOOKING
> : Content-Transfer-Encoding: base64
> : Content-Disposition: attachment; filename="LOOKING FOR A FOREIGN
> : PARTNER.pdf"
> :
> : [...]
>
> Anthony Edwards
> anthony.edwards at sns.bskyb.com
> Abuse Team Manager - Sky Network Services
> DDI: 0161 888 3507
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security community. Confidentiality is essential for
> effective Internet security counter-measures.
> _______________________________________________
>