Message-ID: <BAY115-F2903690BC4EA0DBAC35A25C03A0@phx.gbl>
Date: Fri Dec 16 14:34:51 2005
From: dan_20407 at msn.com (DAN MORRILL)
Subject: Amazon Phishing Scam - Tech Details
Oh, I don't know, maybe someone might want to block the IP address or shun
them, maybe someone might want to put it in their exchange server as a known
bad IP, maybe someone might want to black hole them at some point, just
little things like that, and that is why I posted this to this list.
Just a thought.
r/d
>
>
>--- DAN MORRILL <dan_20407@....com> wrote:
>
> > Ran across a very nice phishing scam from amazon
> > this morning. Technical
> > details follow as suggested black list for this
> > domain. It was really nice,
> > very authentic looking, and would suck in a lot of
> > folks because it really
> > looked very good. It has been reported to Amazon,
> > but thought I would
> > include the technical details to this group.
> >
>
>Hi Dan,
>
>What's the point in posting this to the list? How is
>it different from the zillion other phishing emails?
>It doesn't seem to use any new techniques from what I
>could gather from your post. If it does, you haven't
>mentioned it.
>
>--
>SG Masood
>
>
>
>
>
> > Cheers/r/Dan
> >
> >
> > This is a header from an authentic e-mail from
> > Amazon.
> >
> > Received: from mail-store-1001.amazon.com
> > ([207.171.164.43]) by
> > bay0-mc8-f3.bay0.hotmail.com with Microsoft
> > SMTPSVC(6.0.3790.211); Thu, 15
> > Dec 2005 21:03:11 -0800
> > Received: from ae-app-2102.iad2.amazon.com by
> > mail-store-1001.amazon.com
> > with ESMTP (peer crosscheck:
> > ae-app-2102.iad2.amazon.com)
> > Received: by ae-app-2102.iad2.amazon.comid
> > AAA06388,375; 15 Dec 2005
> > 21:03:08 -0800
> > X-Message-Info:
> > JGTYoYF78jEEhmTX9UX+3w4ZLRY9TlPY7fSuoOPz5zo=
> > X-Amazon-Corporate-Relay:
> > mail-store-1001.vdc.amazon.com
> > X-AMAZON-TRACK: default
> > Bounce-to:
> > VarzeaEmailSender+4-61129391@...nces.amazon.com
> > Return-Path:
> > VarzeaEmailSender+4-61129391@...nces.amazon.com
> > X-OriginalArrivalTime: 16 Dec 2005 05:03:11.0815
> > (UTC)
> > FILETIME=[0377ED70:01C601FE]
> >
> > This is the email header from the suspected phishing
> > e-mail
> >
> > Received: from thebe.jtan.com ([207.106.84.138]) by
> > bay0-mc7-f17.bay0.hotmail.com with Microsoft
> > SMTPSVC(6.0.3790.211); Thu, 15
> > Dec 2005 12:34:48 -0800
> > Received: from thebe.jtan.com (localhost
> > [127.0.0.1])by thebe.jtan.com
> > (8.13.3/8.12.9) with ESMTP id jBFKYki2014108for
> > <dan_XXXX7@....com>; Thu, 15
> > Dec 2005 15:34:46 -0500
> > Received: (from apache@...alhost)by thebe.jtan.com
> > (8.13.3/8.13.3/Submit) id
> > jBFKYkhi014107;Thu, 15 Dec 2005 15:34:46 -0500
> > X-Message-Info:
> > JGTYoYF78jE8tZXo0G/OwVSmdTTPCilDDfKPKME8AI4=
> > Return-Path: apache@...be.jtan.com
> > X-OriginalArrivalTime: 15 Dec 2005 20:34:48.0333
> > (UTC)
> > FILETIME=[FDF9F3D0:01C601B6]
> >
> > So the phishing e-mail came from here:
> > http://www.uslec.com/
> >
> > OrgName: USLEC Corp.
> > OrgID: USLC
> > Address: 6801 Morrison Blvd
> > City: Charlotte
> > StateProv: NC
> > PostalCode: 28211
> > Country: US
> >
> > With an eventual owner here (Suspected hacked site
> > http://thebe.jtan.com/)
> > with the owner http://www.jtan.com which is a
> > service provider under uslec.
> >
> > J. Thomas Associates
> > 1302 Diamond St
> > Sellersville, PA 18960
> > US
> > Domain Name: JTAN.COM
> >
> > Administrative Contact, Technical Contact:
> > Nadovich, Chris T chris@...N.COM
> > 1302 DIAMOND ST
> > SELLERSVILLE, PA 18960-2906
> > US 215-257-8708 fax: 123 123 1234
> >
> >
> >
> >
> >
> > Sometimes MSN E-mail will indicate that the message
> > failed to be delivered.
> > Please resend when you get those, it does not mean
> > that the mail box is bad,
> > merely that MSN mail is over worked at the time.
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter:
> >
>http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia -
> > http://secunia.com/
> >
>
>
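The header comparison from the quoted post, as an added example that is not part of the original thread: Python that reads the topmost Received hop (the one written by the recipient's own mail server) from both samples and flags the message whose relay does not belong to the claimed brand. The function name `analyze`, its parameters and the `.hotmail.com` trust suffix are assumptions for illustration; the header values are the ones in the post, unwrapped.

```python
import re
from email import message_from_string

# Headers from the post, unwrapped, spacing restored; elided addresses ("...") kept as archived.
AUTHENTIC = (
    "Received: from mail-store-1001.amazon.com ([207.171.164.43]) by "
    "bay0-mc8-f3.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); "
    "Thu, 15 Dec 2005 21:03:11 -0800\n"
    "Received: from ae-app-2102.iad2.amazon.com by mail-store-1001.amazon.com "
    "with ESMTP (peer crosscheck: ae-app-2102.iad2.amazon.com)\n\n"
)
SUSPECT = (
    "Received: from thebe.jtan.com ([207.106.84.138]) by "
    "bay0-mc7-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); "
    "Thu, 15 Dec 2005 12:34:48 -0800\n"
    "Received: from thebe.jtan.com (localhost [127.0.0.1]) by thebe.jtan.com "
    "(8.13.3/8.12.9) with ESMTP id jBFKYki2014108 for <dan_XXXX7@....com>; "
    "Thu, 15 Dec 2005 15:34:46 -0500\n"
    "Received: (from apache@...alhost) by thebe.jtan.com "
    "(8.13.3/8.13.3/Submit) id jBFKYkhi014107; Thu, 15 Dec 2005 15:34:46 -0500\n\n"
)

# "from NAME ([IP]) by RECEIVER": NAME is what the sender announced, the
# bracketed IP is what the receiving server itself observed.
HANDOFF = re.compile(r"from\s+(\S+)\s+\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)\s+by\s+(\S+)")
LOCAL_SUBMIT = re.compile(r"\(from\s+([^@\s]+)@")  # local account that queued the mail

def analyze(raw_headers, brand_domain, own_mx_suffix):  # hypothetical helper
    hops = message_from_string(raw_headers).get_all("Received") or []
    m = HANDOFF.search(hops[0]) if hops else None
    # Only the hop stamped by our own mail exchanger is trustworthy; every
    # header below it was supplied by the sending side and can be forged.
    if not m or not m.group(3).lower().endswith(own_mx_suffix):
        return {"verdict": "unparsed"}
    host, ip = m.group(1).lower(), m.group(2)
    on_brand = host == brand_domain or host.endswith("." + brand_domain)
    submitters = [s.group(1) for h in hops[1:] if (s := LOCAL_SUBMIT.match(h.strip()))]
    return {
        # A matching name proves nothing (it is sender-announced); a mismatch is the signal.
        "verdict": "consistent" if on_brand else "mismatch",
        "relay_host": host,
        "relay_ip": ip,
        "local_submitters": submitters,  # e.g. a web-server account
        "block_candidate": None if on_brand else ip,
    }

if __name__ == "__main__":
    for name, raw in (("authentic", AUTHENTIC), ("suspect", SUSPECT)):
        print(name, analyze(raw, "amazon.com", ".hotmail.com"))
```

Because the suspect relay is a shared hosting server, a block on the reported IP can also stop legitimate mail from other customers on that host.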