[nsp-sec] Google/Enom - phishy domain

[Helge Aksdal]

Hi all,

web-upgrade.com seems to be a domain used only for phishing.
Enom is registrar for the domain.

Google is being used for MX:
20 alt2.aspmx.l.google.com.
30 aspmx2.googlemail.com.
30 aspmx3.googlemail.com.
30 aspmx4.googlemail.com.
30 aspmx5.googlemail.com.
10 aspmx.l.google.com.
20 alt1.aspmx.l.google.com.

Proof of phishing:

Return-Path: <epost at telenor.no>
Received: from sv07.e.nsc.no (vip1scan.telenor.net [148.123.15.75])
	by mail19.nsc.no (8.14.4/8.14.4) with ESMTP id p6BFiqZ9003763
	for <xxxxx at 10.online.no>; Mon, 11 Jul 2011 17:53:49 +0200 (MEST)
Received: from mail25.e.nsc.no (mail25.e.nsc.no [193.213.115.25]) by sv07.nsc.no with ESMTP id BT-MMP-269560 for b-30 at 10.online.no; Mon, 11 Jul 2011 17:53:48 +0200
Received: (from mailuser at localhost)
	by mail25.nsc.no (8.14.4/8.14.4) id p6BFrmeA009855
	for xxxxxx at 10.online.no; Mon, 11 Jul 2011 17:53:48 +0200 (MEST)
Received: from eyou.net (email.xznu.edu.cn [202.195.64.25])
	by mail25.nsc.no (8.14.4/8.14.4) with SMTP id p6BFrgcT009551
	for <xxxxxx at frisurf.no>; Mon, 11 Jul 2011 17:53:46 +0200 (MEST)
X-EYOU-SPAMVALUE: 0
X-EYOU-DEALDRC: 
X-EMDG-VER: 2009-11-28
Received: (eyou anti_spam gateway 3.0); Mon, 11 Jul 2011 22:57:53 +0800
Message-ID: <510396273.21249 at eyou.net>
X-EYOUMAIL-SMTPAUTH: @
Received: from 64.94.77.129 by 202.195.64.25 with SMTP; Mon, 11 Jul 2011 22:57:50 +0800
Reply-To: <webmaster at web-upgrade.com>
From: "Telenor © Telecommunications" <epost at telenor.no>
Subject: Telenor © Advarsel Code: VX2G99AAJ
Date: Mon, 11 Jul 2011 16:58:17 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
	boundary="----=_NextPart_000_009A_01C2A75B.3AA980F4"
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
X-Xxroufqwki: sw=gld ver=1.2 d=55m tld=cn st=win
X-XClient-IP-Addr: 202.195.64.25

-- 
Helge Aksdal 
Telenor