27-Sep-2013

It’s a phisherman!
One of the sites I encountered a few days ago now appears to be a bad guy. Though the header appears to be valid:

Return-Path: internationalcardservices.notificationiare@mailing.internationalcardservices.nl
Received: from DIANA.INTRA.GROOTERSNET.NL (192.168.0.2)
by diana.intra.grootersnet.nl (V5.6-ECO5, OpenVMS V8.3 Alpha);
Fri, 27 Sep 2013 10:57:27 +0000 (UTC)
X-PMAS-MAIL-FROM:
internationalcardservices.notificationiare@mailing.internationalcardservices.nl
Received: from unknown ([87.106.96.232] EXTERNAL) (EHLO s16978676) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Fri, 27 Sep
2013 10:05:41 +0000
Received: from mailing.internationalcardservices.nl ([127.0.0.1]) by s16978676
with Microsoft SMTPSVC(7.5.7601.17514); Fri, 27 Sep 2013 12:05:28 +0200
From: International Card Services
<internationalcardservices.notificationiare@mailing.internationalcardservices.nl>
To: (my address)
Subject: Uw rekeningoverzicht bekijken en betalen
Date: 27 Sep 2013 12:05:26 +0200
Message-ID:
<20130927112751.4EA0D4FB379FEEC7@mailing.internationalcardservices.nl>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0012_219D19A8.7D241EFA"
Return-Path:
internationalcardservices.notificationiare@mailing.internationalcardservices.nl
X-OriginalArrivalTime: 27 Sep 2013 10:05:28.0797 (UTC)
FILETIME=[17F140D0:01CEBB69]

and the content as well, it is a phishing attempt.
First, ICS normally sends just one reminder, and not two within a few hours. Nor will ICS send from an unknown address:

Received: from unknown ([87.106.96.232] EXTERNAL) (EHLO s16978676)

So I was triggered to check the included URL, and that is definitely NOT an ICS Cards address:

href="http://www.lemrith.net/images/ICS.php"

Of course, the address no longer has access to my network.
Lemrith.net is actually a legitimate site: a small town in Germany (it is safe to check www.lemrith.net), but they have not secured their site, given the fact that someone dropped a .PHP file in their images directory. They have been notified.
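An added example (not part of the original post) that automates the two checks made above: walk the Received: chain from our own MTA outwards to find the first hop with a routable address, and compare the host of every link in the body with the domain in From:. The raw message below is the ICS header quoted above, re-folded for a mail parser, with a placeholder recipient and a constructed one-link body; the regular expressions and the last-two-labels domain comparison are this example's own simplifications.

```python
import email
import email.utils
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: the ICS header quoted above, re-folded so that a mail
# parser accepts it (continuation lines start with whitespace), with a
# placeholder recipient and a one-link HTML body standing in for the real one.
SAMPLE_RAW = """\
Return-Path: internationalcardservices.notificationiare@mailing.internationalcardservices.nl
Received: from DIANA.INTRA.GROOTERSNET.NL (192.168.0.2)
 by diana.intra.grootersnet.nl (V5.6-ECO5, OpenVMS V8.3 Alpha);
 Fri, 27 Sep 2013 10:57:27 +0000 (UTC)
Received: from unknown ([87.106.96.232] EXTERNAL) (EHLO s16978676) by
 diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Fri, 27 Sep
 2013 10:05:41 +0000
Received: from mailing.internationalcardservices.nl ([127.0.0.1]) by s16978676
 with Microsoft SMTPSVC(7.5.7601.17514); Fri, 27 Sep 2013 12:05:28 +0200
From: International Card Services
 <internationalcardservices.notificationiare@mailing.internationalcardservices.nl>
To: recipient@example.invalid
Subject: Uw rekeningoverzicht bekijken en betalen
Date: 27 Sep 2013 12:05:26 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><a href="http://www.lemrith.net/images/ICS.php">Bekijk uw overzicht</a></body></html>
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
EHLO_RE = re.compile(r"\((?:EHLO|HELO)\s+([^)\s]+)\)", re.I)
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)


def _flat(value):
    """Join a folded header value onto one line."""
    return re.sub(r"\s+", " ", value or "").strip()


def received_hops(raw):
    """(from_ip, ehlo_name) per Received: line, newest hop first.

    The first address in a Received: line belongs to the connecting side;
    the 'by' side comes later, so a first match is enough here."""
    msg = email.message_from_string(raw)
    hops = []
    for rcv in msg.get_all("Received", []):
        rcv = _flat(rcv)
        ip = IP_RE.search(rcv)
        ehlo = EHLO_RE.search(rcv)
        hops.append((ip.group(1) if ip else None, ehlo.group(1) if ehlo else None))
    return hops


def first_external_hop(raw):
    """Walk outwards from our own MTA and return the first hop whose
    connecting address is routable: that is the host that handed the
    mail to us, whatever the later Received: lines claim."""
    for ip, ehlo in received_hops(raw):
        if ip and ipaddress.ip_address(ip).is_global:
            return ip, ehlo
    return None


def sender_domain(raw):
    """Domain part of the address in From:."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(_flat(msg["From"]))
    return addr.rpartition("@")[2].lower()


def registrable(host):
    """Crude 'last two labels' stand-in for the registrable domain
    (wrong for co.uk-style suffixes, good enough for this check)."""
    return ".".join(host.lower().split(".")[-2:])


def off_domain_links(raw):
    """Links in the body whose host is not under the From: domain."""
    msg = email.message_from_string(raw)
    base = registrable(sender_domain(raw))
    flagged = []
    for url in HREF_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname
        if host and registrable(host) != base:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_RAW):
        print("hop:", hop)
    print("handed to us by:", first_external_hop(SAMPLE_RAW))
    print("claimed sender domain:", sender_domain(SAMPLE_RAW))
    print("links outside that domain:", off_domain_links(SAMPLE_RAW))
```

Run on the sample, the external hop comes out as 87.106.96.232 announcing itself as "s16978676", and the only link points at lemrith.net rather than internationalcardservices.nl, which is exactly the pair of facts that gave the message away.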

Phishing using Paypal

Sometimes you see interesting attempts.

paypal phishing attempt

The header looks like this:

Return-Path: service@paypal.com
Received: from XXXXXXXXXX.GROOTERSNET.NL (192.168.0.2)
by xxxxxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Mon, 29 Oct 2007 10:14:17 +0100 (CET)
Received: from www.outsidepride.com ([69.20.59.177] EXTERNAL) (EHLO
www.outsidepride.com) by xxxxxxxxxx.GROOTERSNET.NL ([192.168.0.200])
(PreciseMail V3.0); Sun, 28 Oct 2007 21:34:22 +0100
Received: from User ([89.137.232.120]) (authenticated bits=0) by
www.outsidepride.com (8.12.11.20060308/8.12.11) with ESMTP id l9SKWQo4011442;
Sun, 28 Oct 2007 16:32:27 -0400
Message-Id: <200710282032.l9SKWQo4011442@www.outsidepride.com>
From: "PayPal"<service@paypal.com>
Subject: You have 1 new Security Message Alert !
Date: Sun, 28 Oct 2007 22:32:56 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by www.outsidepride.com id
l9SKWQo4011442

Blocked by the anti-spam frontend, for the following reasons:

X-PMAS-External: www.outsidepride.com [69.20.59.177] (EHLO
www.outsidepride.com)
X-PMAS-Software: PreciseMail V3.0 [071027] (diana.GROOTERSNET.NL)
X-PMAS-DYN_URI-OK_URL: Dynamic URI check: OK URL (0.000)
X-PMAS-REPUTATION_URI_NONSPAM: URI reputation check (0.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-MISSING_HEADERS: Missing To: header (1.035)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-NO_SPACE_FROM: From: header is poorly formatted (no space) (5.000)
X-PMAS-URI-NORMAL_FTP_TO_IP: Uses a dotted-decimal IP address in URL (1.000)
X-PMAS-BDY-IMAGE_LINK: Image that links to web site (3.000)
X-PMAS-BDY-INCREASE_YOUR_SOMETHING: Message has phrase "Increase your..."
(3.000)
X-PMAS-BDY-FOR_MORE_INFO2: Includes "for more information" (1.500)
X-PMAS-META-FORGED_OUTLOOK_HTML: Outlook can't send HTML message only (1.101)
X-PMAS-META-FORGED_OUTLOOK_TAGS: Outlook can't send HTML in this format
(5.000)
X-PMAS-META-1PIXEL_IMG: Message includes 1x1 img link (20.000)
X-PMAS-META-PHISHING_02: Message appears to be a phishing scam (10.000)
X-PMAS-META-PHISHING_03: Message appears to be a PayPal phishing scam (20.000)
X-PMAS-META-DEAR_SOMETHING: Contains generic 'Dear (something)' (1.596)
X-PMAS-META-STOP_RECEIVING: Specific spam text "to stop receiving" (5.000)
X-PMAS-Final-Score: 78.732
X-PMAS-Spam-Level: ********************+
X-PMAS-Spam: Yes

Apart from the fact that the sender server is not within the Paypal domain 🙂

The interesting part is on the inside.
Most often, links refer to some site using the http protocol (never https, of course), but this one is different – twice using FTP to get your data:

<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Travelling
confirmation Here</a></td>

<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Re-activate your account Here</a></td>

The addresses mentioned are Romanian, at least two of them.

  • 192.102.104.2 is indeed owned by onix.ro – it is possible that it’s a source of abuse: an internet cafe, probably
  • 217.156.19.129 is owned by vl.ro – named analog Digital Systems Inc. RDS – Radio Data Systems? That makes sense. But abuse like this, I doubt it!
  • 62.177.188.59 is owned by bbeyond – a Dutch network operator without a Romanian domain: bbeyond.ro does not exist.
  • The address mentioned in the links refers to a network operator in Canada, and there is an abuse address in their Whois data. So I’ll forward the message to them.
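As an added example (not PreciseMail's code, nor from the original post), here is a small rule engine in the style of the X-PMAS lines above. Each rule carries the weight shown in that header; the predicates are my own reading of what each rule looks for; the sample message is the PayPal header quoted above, re-folded for a parser, with the two ftp:// links as its body and, like the real one, no To: header.

```python
import email
import re
from urllib.parse import urlparse

# Constructed sample: the PayPal header quoted above, re-folded for a mail
# parser, with a body carrying the two ftp:// links quoted further down.
# Like the real message it has no To: header.
SAMPLE_RAW = """\
Return-Path: service@paypal.com
Received: from www.outsidepride.com ([69.20.59.177] EXTERNAL) (EHLO
 www.outsidepride.com) by xxxxxxxxxx.GROOTERSNET.NL ([192.168.0.200])
 (PreciseMail V3.0); Sun, 28 Oct 2007 21:34:22 +0100
Received: from User ([89.137.232.120]) (authenticated bits=0) by
 www.outsidepride.com (8.12.11.20060308/8.12.11) with ESMTP id l9SKWQo4011442;
 Sun, 28 Oct 2007 16:32:27 -0400
Message-Id: <200710282032.l9SKWQo4011442@www.outsidepride.com>
From: "PayPal"<service@paypal.com>
Subject: You have 1 new Security Message Alert !
Date: Sun, 28 Oct 2007 22:32:56 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

<html><body>
<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Travelling
confirmation Here</a></td>
<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Re-activate your account Here</a></td>
</body></html>
"""

HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)
DOTTED_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ONE_PIXEL_IMG_RE = re.compile(
    r"""<img[^>]*\bwidth=["']?1["']?[^>]*\bheight=["']?1["']?""", re.I)


def _links(msg):
    return HREF_RE.findall(msg.get_payload())


def _hosts(msg):
    return [(urlparse(u).hostname or "").lower() for u in _links(msg)]


def _ip_link(msg, scheme):
    """Any link of the given scheme whose host is a dotted-decimal address."""
    return any(urlparse(u).scheme == scheme and DOTTED_IP_RE.match(h)
               for u, h in zip(_links(msg), _hosts(msg)))


def _under(host, site):
    return host == site or host.endswith("." + site)


# (rule name, weight copied from the X-PMAS lines above, predicate).
# The predicates are this example's own reading of what each rule looks
# for; they are not PreciseMail's implementation.
RULES = [
    ("HDR-MISSING_HEADERS", 1.035, lambda m: m["To"] is None),
    ("HDR-CTYPE_JUST_HTML", 1.500,
     lambda m: not m.is_multipart() and m.get_content_type() == "text/html"),
    ("HDR-NO_SPACE_FROM", 5.000,
     lambda m: re.search(r'"<', m["From"] or "") is not None),
    ("URI-NORMAL_FTP_TO_IP", 1.000, lambda m: _ip_link(m, "ftp")),
    ("URI-NORMAL_HTTP_TO_IP", 0.942, lambda m: _ip_link(m, "http")),
    ("META-1PIXEL_IMG", 20.000,
     lambda m: ONE_PIXEL_IMG_RE.search(m.get_payload()) is not None),
    ("META-LAME_PAYPAL_SCAM", 20.000,
     lambda m: "paypal" in (m["From"] or "").lower()
     and not any(_under(h, "paypal.com") for h in _hosts(m))),
]


def score(raw, rules=RULES):
    """Return ([(rule, weight), ...], total) for one raw message."""
    msg = email.message_from_string(raw)
    hits = [(name, weight) for name, weight, check in rules if check(msg)]
    return hits, sum(weight for _, weight in hits)


def report(raw):
    """Render the hits in the X-PMAS style shown in the headers above."""
    hits, total = score(raw)
    lines = ["X-PMAS-%s: (%.3f)" % (name, weight) for name, weight in hits]
    lines.append("X-PMAS-Final-Score: %.3f" % total)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RAW)))
```

On the sample, five of the seven rules fire (missing To:, HTML-only, no space in From:, ftp:// to a bare IP, and a PayPal sender with no PayPal link) for a total of 28.535; the real gateway scored the full message much higher because it also has rules for the body text, which this example leaves out.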

    Paypal phishing attempt blocked

    The phishing attempts are now blocked by the anti-spam gateway, so they no longer arrive in any of my mailboxes. Which, of course, is the intended use, plus it allows a closer look at the message code without having the message actually delivered.

    This one came in a few days ago:

    <p><b><font face="Verdana" size="2">You are required to upgrade your PayPal
    Account by subscribing to our New Security Center.</font></b></p>
    <p><font face="Verdana" size="2">Please <b> <a href="http://202.67.156.66/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php">click here</a></b> in order to upgrade your PayPal account.</font></p>
    <p><font face="Verdana" size="2">If you not perform the update now, your account will be placed on hold. On hold accounts can still send money, but they cannot withdraw or receive funds.</font></p>

    Mind the hyperlink-address:

    http://202.67.156.66/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php

    This is NOT a paypal address.

    PMAS signalled this – as is shown in the message header:


    Received: from unknown ([72.54.216.109] EXTERNAL) (EHLO mail.iei-web.net) by
    xxxxxxxxxxxxxxxxxxxx ([192.168.0.200]) (PreciseMail V3.0); Sun, 07 Oct
    2007 06:41:42 +0100
    Received: from User [62.14.249.101] by iei-web.net with ESMTP (SMTPD-9.10) id
    A0F40294; Sat, 06 Oct 2007 23:39:00 -0600
    Reply-To: <member_service@paypalsecurity.com>
    From: "PayPal Inc."<member_service@paypalsecurity.com>
    Subject: New Paypal Security Center: Update Your Account
    Date: Sun, 7 Oct 2007 07:40:01 +0200
    MIME-Version: 1.0
    Content-Type: text/html; charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Message-Id: <200710062339882.SM03048@User>

    What are the findings:


    X-PMAS-External: unknown [72.54.216.109] (EHLO mail.iei-web.net)
    X-PMAS-Software: PreciseMail V3.0 [071006] (diana.GROOTERSNET.NL)
    X-PMAS-DYN_URI-OK_URL: Dynamic URI check: OK URL (0.000)
    X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)

    Quite well so far – except the “unknown” external address.
    But now the problems show up:


    X-PMAS-HDR-MISSING_HEADERS: Missing To: header (1.035)
    X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
    X-PMAS-HDR-RCVD_FROM_UNKNOWN: Message received from host without DNS entry (4.000)
    X-PMAS-HDR-NO_SPACE_FROM: From: header is poorly formatted (no space) (5.000)
    X-PMAS-URI-NORMAL_HTTP_TO_IP: Uses a dotted-decimal IP address in URL (0.942)
    X-PMAS-URI-IP_LINK_PLUS: Dotted-decimal IP address followed by CGI (0.708)
    X-PMAS-META-FORGED_OUTLOOK_HTML: Outlook can't send HTML message only (1.101)
    X-PMAS-META-MISSING_BODY_TAG: Message has </BODY> tag, but no <BODY> tag (3.000)
    X-PMAS-META-MISSING_HTML_TAG: Message has </HTML> tag, but no <HTML> tag (3.000)
    X-PMAS-META-FORGED_OUTLOOK_TAGS: Outlook can't send HTML in this format (5.000)

    You learn something new every day


    X-PMAS-META-NO_HTML_BEGIN: Message has </html> but not <html> (3.500)
    X-PMAS-META-PHISHING_01: Message is a phishing scam (50.000)
    X-PMAS-META-PHISHING_03: Message appears to be a PayPal phishing scam (20.000)
    X-PMAS-META-LAME_PAYPAL_SCAM: Claims to be from PayPal, but no PayPal URIs (20.000)

    I thought so 🙂


    X-PMAS-META-CLICK_BELOW: Asks you to click below (0.727)
    X-PMAS-META-BLIND_DATE3: Blind date spam (3) (20.000)
    X-PMAS-Final-Score: 139.513
    X-PMAS-Spam-Level: ********************+
    X-PMAS-Spam: Yes

    Apart from what is unusual for PayPal: no personal addressing (it should use your PayPal name).

    More E[B/d]ay to come

    At least according to Hoff on his blog (read here). One good reason to have all incoming traffic run over the OpenVMS box (small chance that will be infected!), and to be able to screen messages before actually downloading them onto Windows boxes. (I would like to have Apple systems around but, having game-playing kids around, I’m stuck with Windows. And the company I work at – and their customers – heavily rely on Windows boxes for their office work…)

    There is a fair chance that this type of scam is now filtered – even better!

    Ebay kit?

    This might be correct:

    kit message

    The header looks quite honest as well:

    Return-Path: sellers.tools@getfreenow.com
    Received: from host75-97.pool217169.interbusiness.it (217.169.97.75)
    by diana.intra.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
    Sat, 1 Sep 2007 12:44:47 +0100 (CET)
    Received: from User ([70.91.163.25])
    by mail.publiposter.it (Merak 7.4.2) with ASMTP id BJV74577;
    Sat, 01 Sep 2007 12:44:42 +0200
    Reply-To: <no.reply@eBay.com>
    From: "eBay"<sellers.tools@getFREEnow.com>
    Subject: Your eBay Success Kit has arrived
    Date: Sat, 1 Sep 2007 05:45:17 -0500
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 1
    X-MSMail-Priority: High
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

    but the absence of a To: line, and a Reply-To address at eBay, makes it suspicious. As does the user address, 70.91.163.25, which is located in the USA:

    Comcast Business Communications, Inc. CBC-CM-3 (NET-70-88-0-0-1)
    70.88.0.0 - 70.91.255.255
    Comcast Business Communications, Inc. CBC-LITTLEROCK-4 (NET-70-91-163-0-1)
    70.91.163.0 - 70.91.163.255

    # ARIN WHOIS database, last updated 2007-09-01 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    The receiving server (mail.publiposter.it) could be genuine:

    Domain: publiposter.it
    Status: ACTIVE
    Created: 2002-06-14 00:00:00
    Last Update: 2007-06-30 00:04:10
    Expire Date: 2008-06-14

    Registrant
    Name: Publiposter & Multimedia s.p.a.
    ContactID: PUBL355-ITNIC
    Address: Publiposter & Multimedia s.p.a.
    Isola Delle Femmine
    90040
    PA
    IT
    Created: 2007-03-01 10:39:36
    Last Update: 2007-03-01 10:39:36

    Admin Contact
    Name: Alessio Alessi
    ContactID: AA1731-ITNIC
    Address: Publiposter & Multimedia s.p.a.
    Isola Delle Femmine
    90040
    PA
    IT
    Created: 2002-06-14 00:00:00
    Last Update: 2007-03-01 07:39:08

    Technical Contacts
    Name: Centro Gestione Village
    ContactID: CGV35-ITNIC
    Organization: Telecom Italia Spa
    Address: Telecom Italia Spa
    Via Pontina, km. 29,100
    Roma
    00040
    RM
    IT
    Created: 2007-03-01 10:25:57
    Last Update: 2007-03-06 14:04:12

    Registrar
    Organization: Telecom Italia s.p.a.
    Name: INTERBUSINESS-MNT

    Nameservers
    dns6.interbusiness.it
    dns3.nic.it

    and interbusiness.it – also Italian – as well:

    inetnum: 217.169.97.64 - 217.169.97.95
    netname: IDC-DIALUP-POM-BLCK3
    descr: IDC - Telecom Italia - network used in dialup access - Pomezia
    country: it
    admin-c: ITR2-RIPE
    tech-c: ITR2-RIPE
    status: assigned PA
    mnt-by: FULCOM-MNT-RIPE
    source: RIPE # Filtered

    role: IT Telecom Role
    address: Telecom Italia S.p.A.
    address: Via Oriolo Romano, 257
    address: Italy
    phone: +390665679934(3)
    fax-no: +390636870532
    e-mail: ripe-noc@telecomitalia.it
    remarks: trouble: ripe-noc@telecomitalia.it
    admin-c: ITR2-RIPE
    tech-c: ITR2-RIPE
    nic-hdl: ITR2-RIPE
    remarks: ##############################################
    remarks: Pay attention
    remarks: Any communication sent to email different
    remarks: from the following will be ignored !
    remarks: ##############################################
    remarks: Any abuse and spamming reports, please
    remarks: send them to abuse-ripe@telecomitalia.it
    remarks: ##############################################
    mnt-by: FULCOM-MNT-RIPE
    source: RIPE # Filtered

    Used in dial-up access – you can tell by the full address as well.

    The domain: interbusiness.it is valid also:

    Domain: interbusiness.it
    Status: ACTIVE
    Created: 1996-01-29 00:00:00
    Last Update: 2007-01-30 00:36:13
    Expire Date: 2008-01-29

    Registrant
    Name: Telecom Italia S.p.A.
    ContactID: TELE616-ITNIC
    Address: Via Paolo Di Dono, 44
    Roma
    00143
    RM
    IT
    Created: 2007-03-01 10:44:12
    Last Update: 2007-03-01 10:44:12

    Admin Contact
    Name: Camillo Di Vincenzo
    ContactID: CD2-ITNIC
    Address: Telecom Italia S.P.A.
    Via Paolo Di Dono, 44
    Roma
    00143
    RM
    IT
    Created: 2000-11-15 00:00:00
    Last Update: 2007-03-01 07:49:08

    Technical Contacts
    Name: Domain Registration Staff
    ContactID: DRS9-ITNIC
    Address: Telecom Italia S.p.A.
    Via Campania 11
    Taranto
    74100
    TA
    IT
    Created: 2005-07-19 00:00:00
    Last Update: 2007-08-08 10:51:21

    Name: Gian Luca Mattu
    ContactID: GLM2-ITNIC
    Address: Telecom Italia SpA
    Via Oriolo Romano, 240
    Roma
    00189
    RM
    IT
    Created: 2005-03-09 00:00:00
    Last Update: 2007-03-01 07:37:44

    Name: Fabio Ginocchi
    ContactID: FG82-ITNIC
    Address: Telecom Italia
    Via Oriolo Romano, 257
    IT
    Created: 2000-11-02 00:00:00
    Last Update: 2007-03-01 07:38:47

    Registrar
    Organization: Telecom Italia s.p.a.
    Name: INTERBUSINESS-MNT

    Nameservers
    dnsti.interbusiness.it
    dns.opb.interbusiness.it
    dns3.nic.it
    dnsts.interbusiness.it

    and that makes sense because this domain is mentioned earlier: its name server is used.

    The link in the message, however, leads to Russia: it looks like a valid page but the contents are Russian, it contains a huge number of redirects on CGI, and the link to get an English page returns a 404 message: Document not found.

    This stinks!

    Ebay – a bit altered

    This message arrived today, from an Ebay – I mean, Eday – member:

    eday

    With Outlook, Eday is easily read as Ebay…

    Fake of course, sent to obtain credentials.
    The header shows its origin: Australia – given the names, I’d say Melbourne:

    Return-Path: member@eday.com
    Received: from mail.southern-ro.com.au (203.46.24.242)
    by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
    Thu, 30 Aug 2007 13:40:27 +0100 (CET)
    Received: from User ([195.84.14.70]) by melbserver.southern-ro.com.au with Microsoft SMTPSVC(6.0.3790.3959);
    Thu, 30 Aug 2007 21:40:16 +1000
    Reply-To: <member@eday.com>
    From: "member"<member@eday.com>
    Subject: message from member
    Date: Thu, 30 Aug 2007 13:40:15 +0200
    MIME-Version: 1.0
    Content-Type: text/html;
    charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Bcc:
    Return-Path: member@eday.com
    Message-ID: <MELBSERVERAtC33BcZY00000e29@melbserver.southern-ro.com.au>
    X-OriginalArrivalTime: 30 Aug 2007 11:40:16.0643 (UTC) FILETIME=[891CAD30:01C7EAFA]

    that is: from address 195.84.14.70, and this is NOT an Ebay address, nor is the mail server that connected (203.46.24.242). Nor would Ebay use Outlook Express. In other words: it is a basic PC. No To: line either; I wonder how the message got here in the first place.
    No name in the message, which is not how Ebay would do it.

    Almost all links that could require a login refer to a site at oberleitner.biz, even the ones where you could report or learn about abuse:

    Always remember to complete your transactions on eBay - it's the safer way to trade.</B><BR><BR>Is
    this message an offer to buy your item directly through email without
    winning the item on eBay? If so, please help make the eBay marketplace
    safer by reporting it to us. These external transactions may be unsafe
    and are against eBay policy. <A href="
    http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT color=#003399>Learn more about trading safely</FONT></A>

    A bit more down:

    <B>Always remember to complete your transactions on eBay - it's the safer way to trade.</B><BR><BR>Is this message an offer to buy your item directly through email without winning the item on eBay? If so, please help make the eBay marketplace
    safer by reporting it to us. These external transactions may be unsafe and are against eBay policy. <A href="
    http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/"
    target=_blank><FONT color=#003399>Learn more about trading safely</FONT></A>

    and

    Learn how you can protect yourself from spoof (fake) emails at:<BR><A href="http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT
    color=#003399>https://pages.ebay.com/education/spooftutorial</FONT></A>

    It looks like Oberleitner.biz’s business is getting user credentials. Or its domain is abused.

    Another job offer

    I received another job offer today. The same one as two days ago – from a different sender, for the same company and another link.

    The new header runs:

    Return-Path: akstcxylbmnsdgs@xylb.com
    Received: from 87-205-210-108.adsl.inetia.pl (87.205.210.108)
    by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
    Fri, 24 Aug 2007 23:14:43 +0100 (CET)
    Return-Path: <akstcxylbmnsdgs @xylb.com>
    Received: from 218.66.102.106 (HELO mail.xylb.com)
    by grootersnet.nl with esmtp (?< ?*A+.7,/0 >)(7)
    id S.DCAR-TAHH0N-+)
    for willem@grootersnet.nl; Fri, 24 Aug 2007 21:15:33 -0100
    Message-ID: <01c7e693$e85df080$6c822ecf@akstcxylbmnsdgs>
    From: "Enid Mullen" <akstcxylbmnsdgs @xylb.com>
    To: (me)
    Subject: job for you
    Date: Fri, 24 Aug 2007 21:15:33 -0100
    MIME-Version: 1.0
    Content-Type: text/plain;
    format=flowed;
    charset="iso-8859-2";
    reply-type=original
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.3790.2663
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663

    So the sender – or relay – is Polish. Or it’s a zombie.
    The message-ID is bogus (I didn’t even bother checking), and so is the return address. Don’t try explaining that a user “akstcxylbmnsdgs” would actually exist. I don’t think there is such a user on XYLB.COM.
    However: XYLB.COM does exist (and is valid) otherwise it wouldn’t get so far anyway.

    Where the previous sender used MSN, this one seems to use good old Outlook Express. Hardly a professional method, I’d say.

    If you follow the link you’ll end up on JSB Register – like the previous job offer – but the link is different:

    http://58.65.239.116/zaka/
    and in the page, the hidden data is:

    <input type="hidden" name="icq" value="zaka">

    Job offer

    Another way to get control.
    Mohammad@northwest.edu (unsure whether this is genuine, but I have my doubts)
    sent me a mail:

    HELLO.

    We would like to offer you a job in the JBS REGISTER Company.

    We have many vacant positions, and we can grant you perfect and very profitable job.

    MINIMAL MONTHLY INCOME: 1500 EURO (2-4 hours of your time is required)

    The job is processing of money orders of our clients.

    You should have several hours a day for execution of our orders.

    EACH CANDIDATE GETS A JOB IN OUR COMPANY.

    Please, fill the questionnaire, and in 24 hours you will receive instructions and documents (contract) for beginning of the work.

    http://58.65.239.116/buri/

    THANK YOU VERY MUCH.

    Of course, the first thing to check is the header:

    Return-Path: Mohammad@northwestern.edu
    Received: from dsl-189-130-158-237.prod-infinitum.com.mx (189.130.158.237)
    by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
    Thu, 23 Aug 2007 03:06:23 +0100 (CET)
    Message-ID: <E9E15B67.6162678@northwestern.edu>
    Date: Thu, 23 Aug 2007 20:05:31 +0200
    From: Mohammad <Mohammad@northwestern.edu>
    User-Agent: Mozilla Thunderbird 1.0.6 (X11/20050716)
    X-Accept-Language: en-us, en
    MIME-Version: 1.0
    To: (me)
    Subject: job offer
    Content-Type: text/plain; charset=iso-8859-1; format=flowed
    Content-Transfer-Encoding: 8bit

    Mail exchange? dsl-189-130-158-237.prod-infinitum.com.mx (189.130.158.237) doesn’t seem like something from an educational institute. The address does not refer to a domain, it seems. Prod-Infinitum.com resides in the US, and has another address. It’s a hack, it seems. com.mx doesn’t translate to an address either, but gave some Spanish comments:
    Meta Keywords:
    diseñador, gráfico, freelance, diseño, web, site, sitio, paginas, Internet, animacion, flash, multimedia, mexico, México,
    Meta Description:
    Portafolios en línea del Diseñador Gráfico Luis Francisco Reyes Aceves

    The website (www.com.mx) seems to exist but you have no access.

    Northwest.edu has nothing to do with this either. I bet there isn’t even a “Mohammad” user registered:
    nslookup northwest.edu
    Server: nlutrdc03.nl.hr.group
    Address: 172.21.206.1

    Name: northwest.edu
    This is a university in the Northwest of Ohio.

    JSB Register seems to be a known company – Google gave the same IP address. The link in this message leads to a server in Hong Kong, according to the address.
    If you follow the link, you get:

    jsb-register fake

    This is the result of a PHP script – or, when filled in, it is sent to a PHP application:

    <FORM action=form.php method=POST>

    But that is the company entry page. If you use the link in the message, the outcome in the browser is exactly the same, but when displaying the source, there is a difference at the end of the message: there is a hidden INPUT item, and that makes it suspicious:
    The page linked from Google states:
    <input type="hidden" name="icq" value="orig">
    and the link from the message states:
    <input type="hidden" name="icq" value="buri">
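An added example, not from the original post, of the comparison made here and for the earlier "zaka" link: parse two copies of the entry page, pull out the form action and every hidden input, and report which hidden values differ. The two page sources are constructed; only the form action and the hidden icq field come from the post.

```python
from html.parser import HTMLParser

# Constructed page sources standing in for the two versions of the JSB
# Register entry page: the one found via Google and the one the mail links
# to. Only the form action and the hidden icq field quoted above are real.
PAGE_FROM_SEARCH = """
<html><body>
<FORM action=form.php method=POST>
Name: <input type="text" name="name">
<input type="hidden" name="icq" value="orig">
<input type="submit" value="Send">
</FORM></body></html>
"""

PAGE_FROM_MAIL = PAGE_FROM_SEARCH.replace('value="orig"', 'value="buri"')


class FormFields(HTMLParser):
    """Collect the form action and every hidden input's name/value."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                       # HTMLParser lower-cases names
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name")] = a.get("value")


def hidden_inputs(html):
    """{name: value} of all hidden inputs in the page."""
    p = FormFields()
    p.feed(html)
    return p.hidden


def form_action(html):
    """Target of the first form on the page (form.php in the post)."""
    p = FormFields()
    p.feed(html)
    return p.action


def hidden_diff(reference_html, suspect_html):
    """{name: (reference value, suspect value)} for fields that differ."""
    ref, sus = hidden_inputs(reference_html), hidden_inputs(suspect_html)
    return {k: (ref.get(k), sus.get(k))
            for k in sorted(set(ref) | set(sus)) if ref.get(k) != sus.get(k)}


if __name__ == "__main__":
    print("posts to:", form_action(PAGE_FROM_MAIL))
    print("hidden fields changed:", hidden_diff(PAGE_FROM_SEARCH, PAGE_FROM_MAIL))
```

The diff comes out as the single icq field, "orig" on the indexed page versus "buri" on the mailed one: a per-mailing tag that tells whoever collects the submissions which message the victim came from, while the visible page stays identical.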

    It might be genuine but I have my doubts. I guess their server is hacked….

    What would be the outcome if you DID subscribe? Some malware planted on your PC, I assume.

    Paypal again

    Another one as if from Paypal
    Paypal-21aug

    if displayed in HTML format – as it is received in Outlook (or Outlook Express, as most innocent users would).

    No name – so bogus. Look at the date: 28-Aug-2007, which is two weeks ahead. It might indeed be the date when your account will be abused IF you react on this message.

    If you look at the raw data, it’s not that obvious at first glance because the names seem to match:

    Return-Path: service@paypal.com
    Received: from cpe-71-65-23-167.twmi.res.rr.com (71.65.23.167)
    by xxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
    Tue, 21 Aug 2007 18:56:32 +0100 (CET)
    Received: from 208.188.111.32 by ; Tue, 21 Aug 2007 18:57:49 +0100
    Message-ID: <qtprxvpwrckqwbprqtl @msn.com>
    From: "PayPal" <service@paypal.com>
    Reply-To: "PayPal" <service@paypal.com>
    To: (me)
    Subject: Restore your account access
    Date: Tue, 21 Aug 2007 10:54:49 -0700
    X-Mailer: AOL 7.0 for Windows US sub 118
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="--2194093895003147"
    X-Priority: 1
    X-MSMail-Priority: High

    However, what about:


    X-Mailer: AOL 7.0 for Windows US sub 118

    That is America OnLine – an ISP – and I’m pretty sure PayPal has its own servers, and won’t use a broadband or dial-in service from one of the biggest ISPs in the world.
    The sender address from where I got the message is RR.COM – RoadRunner, an ISP located in the US. Not really PayPal…

    Nor would Paypal use MSN for sending a message:


    Message-ID: <qtprxvpwrckqwbprqtl @msn.com>
    X-MSMail-Priority: High

    Looking into the message, the pain is in the central link:

    <table width=3D"100%" cellpadding=3D"4" cellspacing=3D"0" border=3D"0" bgc=
    olor=3D"#FFFECD" align=3D"center">
    <tr><td class=3D"pp_sansserif" align=3D"center">
    <a href=3D"http://centrala.junis.ni.ac.yu/.../.paypal/.confirm/index.htm"
    title=3D"Please click here to restore your account access">
    Please click here to restore your account access</a>
    </td></tr></table>

    And there are some links at the bottom that do not show up – because it’s behind the </html> tag:

    <!-- text below generated by server. PLEASE REMOVE --><!-- Counter/=
    Statistics data collection code --><script

    language=3D"JavaScript" src=3D"http://hostingprod.com/js_source/geov2.js">=
    </script><script language=3D"javascript">geovisit

    ();</script><noscript><img src=3D"http://visit.webhosting.yahoo.com/visit.=
    gif?us1173035983" alt=3D"setstats" border=3D"0" width=3D"1"

    height=3D"1"></noscript>

    and that’s something you won’t find on a real Paypal message. They have their own servers and will not host on Yahoo.

    I checked the node in the link: it looks like a telephone exchange:

    paypal target

    Hacked, most likely, given the stealth location of /.../.confirm (it’s a Unix/Linux box, and a dot as first character renders the file (or directory) invisible). No real wonder for a university….

    I contacted the site on this.

    The price of being famous?

    Once again, someone tries to get credentials using EBay-style messages.
    ebay number 3

    As usual, you should be alarmed by the full header:

    Return-Path: member@ebay.com
    Received: from mail.neel.net (71.165.245.13)
    by xxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
    Sat, 18 Aug 2007 20:18:13 +0100 (CET)
    Received: from User ([202.28.4.25])
    by mail.neel.net (Merak 7.6.2) with ASMTP id EAA74438;
    Thu, 16 Aug 2007 13:13:34 -0700
    From: "ebay"<member@ebay.com>
    Subject: confirm your email address on file at eBay
    Date: Thu, 16 Aug 2007 11:15:32 +0700
    MIME-Version: 1.0
    Content-Type: text/html;
    charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

    Outlook Express – so BASIC Internet Explorer – I’m not fooled by such stupidity.
    No To: line, and the message actually states:
    For security reasons your registered name and email is not included.
    Makes sense – since they don’t know it. They want you to supply it to them – and your password….

    The mailserver has little or nothing to do with EBay: it’s a Verizon address:

    $ dig -x 71.165.245.13

    ; <<>> DiG 9.3.1 <<>> -x 71.165.245.13
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17107
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;13.245.165.71.in-addr.arpa.    IN    PTR

    ;; ANSWER SECTION:
    13.245.165.71.in-addr.arpa. 69628 IN PTR mail.neel.net.

    ;; AUTHORITY SECTION:
    245.165.71.in-addr.arpa. 69628 IN NS ns2.verizon.net.
    245.165.71.in-addr.arpa. 69628 IN NS ns2.bellatlantic.net.
    245.165.71.in-addr.arpa. 69628 IN NS ns4.verizon.net.
    245.165.71.in-addr.arpa. 69628 IN NS ns1.bellatlantic.net.

    EBay may relay over Verizon or Bell Atlantic, but given the sender is from Thailand:

    $ dig -x 202.28.4.25

    ; <<>> DiG 9.3.1 <<>> -x 202.28.4.25
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15689
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;25.4.28.202.in-addr.arpa.    IN    PTR

    ;; ANSWER SECTION:
    25.4.28.202.in-addr.arpa. 86400 IN PTR libmod25.lib.kmutt.ac.th.

    ;; AUTHORITY SECTION:
    4.28.202.in-addr.arpa. 86400 IN NS libmod.lib.kmutt.ac.th.

    I have my doubts.

    More important: the links in the email point to an address that is NOT Ebay at all:
    <div><FONT face="Arial, Verdana" size=2>To confirm your email address on file at eBay, just click the button to the right: </FONT></div> <div><FONT face="Arial, Verdana" size=2>You can also copy and paste the following link into your web browser: <BR><A onclick="return top.js.OpenExtLink(window,event,this)" href="http://0xcfead15b/signin.ebay.com/ws/index.htm"
    target=_blank>http://cgi4.ebay.com/ws<WBR>/eBayISAPI.dll?ChangeEmailConfi<WBR>rm</A>

    The address is coded in HEX: 0xcfead15b, and this translates to 207.234.209.91. This is the owner of the address:
    Affinity Internet, Inc AFFINITY-207-234-128-0 (NET-207-234-128-0-1)
    207.234.128.0 - 207.234.255.255
    Affinity Internet, Inc AFFINITY-DEDIATED-207-234-209-0 (NET-207-234-209-0-1)
    207.234.209.0 - 207.234.209.255
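An added example, not from the original post, covering the address tricks seen in the links on this page: the hex host 0xcfead15b above, the dotted-decimal hosts with a brand name in the path (the PayPal link earlier), and the ftp:// link carrying a username and password. It resolves a numeric host the way a browser does (plain hex or decimal, or up to four hex/octal/decimal parts, the last part filling the remaining bytes) and reports what the link hides; the decimal and octal spellings of the eBay address in the sample list are constructed, the other URLs are the ones quoted in the posts.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Links quoted on this page, plus two constructed spellings of the same
# eBay address (decimal and dotted octal) for comparison.
SAMPLE_URLS = [
    "http://0xcfead15b/signin.ebay.com/ws/index.htm",
    "http://3488272731/signin.ebay.com/ws/index.htm",           # constructed
    "http://0317.0352.0321.0133/signin.ebay.com/ws/index.htm",  # constructed
    "ftp://futangiu:futangiu@209.202.224.140/index.htm",
    "http://202.67.156.66/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php",
    "https://pages.ebay.com/education/spooftutorial",
]

BRANDS = ("paypal.com", "ebay.com")


def _part(p):
    """One label of a numeric host: hex (0x..), octal (leading 0) or decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]*", p):
        return int(p[2:] or "0", 16)
    if re.fullmatch(r"0[0-7]+", p):
        return int(p, 8)
    if re.fullmatch(r"[0-9]+", p):
        return int(p, 10)
    return None


def numeric_host_to_ipv4(host):
    """Dotted quad for a host written as a number, as browsers resolve it:
    1 to 4 parts, the last part filling the remaining bytes. None when the
    host is a name (or an out-of-range number)."""
    parts = host.split(".")
    if parts and parts[-1] == "":
        parts = parts[:-1]          # tolerate a trailing dot
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    if any(n > 255 for n in nums[:-1]) or nums[-1] >= 256 ** (5 - len(nums)):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value += n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))


def _under(host, site):
    return host == site or host.endswith("." + site)


def inspect_url(url, brands=BRANDS):
    """Where the link really goes, and which tricks were used to hide it."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    as_ip = numeric_host_to_ipv4(host)
    return {
        "scheme": u.scheme,
        "host": as_ip or host,
        "numeric_host": as_ip is not None,
        "embedded_credentials": u.username is not None,
        # a brand name that appears in the path while the host is elsewhere
        "brand_in_path": [b for b in brands
                          if b in u.path.lower() and not _under(host, b)],
    }


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url)
        print("   ", inspect_url(url))
```

All three spellings of the eBay link resolve to 207.234.209.91 with "ebay.com" flagged in the path, the PayPal link shows "paypal.com" in the path of a bare IP host, and the ftp:// link is reported for carrying credentials; the genuine pages.ebay.com link triggers nothing.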