Full Disclosure mailing list archives
Re: Amazon Phishing Scam - Tech Details
From: "DAN MORRILL" <dan_20407 () msn com>
Date: Fri, 16 Dec 2005 14:34:38 +0000
Oh, I don't know, maybe someone might want to block the IP address or shun them, maybe someone might want to put it in their Exchange server as a known bad IP, maybe someone might want to black hole them at some point, just little things like that, and that is why I posted this to this list.
Just a thought. r/d
--- DAN MORRILL <dan_20407 () msn com> wrote:

> Ran across a very nice phishing scam from amazon this morning. Technical
> details follow as suggested black list for this domain. It was really nice,
> very authentic looking, and would suck in a lot of folks because it really
> looked very good. It has been reported to Amazon, but thought I would
> include the technical details to this group.

Hi Dan,

What's the point in posting this to the list? How is it different from the zillion other phishing emails? It doesn't seem to use any new techniques from what I could gather from your post. If it does, you haven't mentioned it.

--
SG Masood

> Cheers/r/Dan
>
> This is a header from an authentic e-mail from Amazon.
>
> Received: from mail-store-1001.amazon.com ([207.171.164.43]) by bay0-mc8-f3.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 21:03:11 -0800
> Received: from ae-app-2102.iad2.amazon.com by mail-store-1001.amazon.com with ESMTP (peer crosscheck: ae-app-2102.iad2.amazon.com)
> Received: by ae-app-2102.iad2.amazon.com id AAA06388,375; 15 Dec 2005 21:03:08 -0800
> X-Message-Info: JGTYoYF78jEEhmTX9UX+3w4ZLRY9TlPY7fSuoOPz5zo=
> X-Amazon-Corporate-Relay: mail-store-1001.vdc.amazon.com
> X-AMAZON-TRACK: default
> Bounce-to: VarzeaEmailSender+4-61129391 () bounces amazon com
> Return-Path: VarzeaEmailSender+4-61129391 () bounces amazon com
> X-OriginalArrivalTime: 16 Dec 2005 05:03:11.0815 (UTC) FILETIME=[0377ED70:01C601FE]
>
> This is the email header from the suspected phishing e-mail
>
> Received: from thebe.jtan.com ([207.106.84.138]) by bay0-mc7-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 12:34:48 -0800
> Received: from thebe.jtan.com (localhost [127.0.0.1]) by thebe.jtan.com (8.13.3/8.12.9) with ESMTP id jBFKYki2014108 for <dan_XXXX7 () msn com>; Thu, 15 Dec 2005 15:34:46 -0500
> Received: (from apache@localhost) by thebe.jtan.com (8.13.3/8.13.3/Submit) id jBFKYkhi014107; Thu, 15 Dec 2005 15:34:46 -0500
> X-Message-Info: JGTYoYF78jE8tZXo0G/OwVSmdTTPCilDDfKPKME8AI4=
> Return-Path: apache () thebe jtan com
> X-OriginalArrivalTime: 15 Dec 2005 20:34:48.0333 (UTC) FILETIME=[FDF9F3D0:01C601B6]
>
> So the phishing e-mail came from here: http://www.uslec.com/
>
> OrgName: USLEC Corp.
> OrgID: USLC
> Address: 6801 Morrison Blvd
> City: Charlotte
> StateProv: NC
> PostalCode: 28211
> Country: US
>
> With an eventual owner here (Suspected hacked site http://thebe.jtan.com/)
> with the owner http://www.jtan.com which is a service provider under uslec.
>
> J. Thomas Associates
> 1302 Diamond St
> Sellersville, PA 18960
> US
> Domain Name: JTAN.COM
>
> Administrative Contact, Technical Contact:
> Nadovich, Chris T chris () JTAN COM
> 1302 DIAMOND ST
> SELLERSVILLE, PA 18960-2906
> US 215-257-8708 fax: 123 123 1234
>
> Sometimes MSN E-mail will indicate that the message failed to be delivered.
> Please resend when you get those, it does not mean that the mail box is bad,
> merely that MSN mail is overworked at the time.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
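The comparison made in the quoted post, written out as a header check. This is an added example, not part of the original thread: it reads the two Received chains quoted above (trimmed, whitespace normalised), pulls the relay IP recorded by the receiving MX as the value to block, and flags a local submission by a web-server account. The names `assess`, `claimed_domain` and `WEB_ACCOUNTS` are assumptions made for the illustration.

```python
import re

# Received lines from the post above, newest hop first (trimmed, whitespace normalised).
AUTHENTIC = [
    "from mail-store-1001.amazon.com ([207.171.164.43]) by bay0-mc8-f3.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 21:03:11 -0800",
    "from ae-app-2102.iad2.amazon.com by mail-store-1001.amazon.com with ESMTP (peer crosscheck: ae-app-2102.iad2.amazon.com)",
]
SUSPECT = [
    "from thebe.jtan.com ([207.106.84.138]) by bay0-mc7-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 15 Dec 2005 12:34:48 -0800",
    "from thebe.jtan.com (localhost [127.0.0.1]) by thebe.jtan.com (8.13.3/8.12.9) with ESMTP id jBFKYki2014108",
    "(from apache@localhost) by thebe.jtan.com (8.13.3/8.13.3/Submit) id jBFKYkhi014107",
]

# "from HOST ([IP]) by HOST": the shape of the hop stamped by the receiving server.
HOP = re.compile(
    r"^from\s+(?P<host>[\w.-]+)"
    r"(?:\s+\((?:[\w.-]+\s+)?\[(?P<ip>[\d.]+)\]\))?"
    r"\s+by\s+(?P<by>[\w.-]+)", re.I)
# "(from USER@localhost)": sendmail's stamp for mail submitted by a local account.
LOCAL_SUBMIT = re.compile(r"^\(from\s+(?P<user>[\w.-]+)@localhost\)", re.I)
WEB_ACCOUNTS = {"apache", "www-data", "httpd", "nobody"}  # assumption: common web-server users


def in_domain(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def assess(received, claimed_domain):
    """Return the edge relay (host, IP) and findings for one Received chain."""
    result = {"edge_host": None, "edge_ip": None, "findings": []}
    edge = HOP.match(received[0])  # only the hop added by our own MX is trustworthy
    if edge is None:
        result["findings"].append("edge-hop-unparsed")
        return result
    result["edge_host"], result["edge_ip"] = edge["host"], edge["ip"]
    # The host name is supplied by the sender, so a mismatch is a soft signal;
    # the IP is what the MX observed and is the value to block.
    if not in_domain(edge["host"], claimed_domain):
        result["findings"].append("edge-host-not-in-claimed-domain")
    for line in received[1:]:  # older hops: written by the sending side
        m = LOCAL_SUBMIT.match(line)
        if m and m["user"].lower() in WEB_ACCOUNTS:
            result["findings"].append("local-submit-by-web-account:" + m["user"])
    return result
```

A local submission by `apache` is consistent with the post's reading of thebe.jtan.com as a suspected hacked site: the mail was generated by something running under the web server rather than by a mail user.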
Current thread:
- Amazon Phishing Scam - Tech Details DAN MORRILL (Dec 16)
- Re: Amazon Phishing Scam - Tech Details S G Masood (Dec 16)
- Re: Amazon Phishing Scam - Tech Details DAN MORRILL (Dec 16)
- Re: Amazon Phishing Scam - Tech Details Dave Korn (Dec 16)
- <Possible follow-ups>
- RE: Amazon Phishing Scam - Tech Details Todd Towles (Dec 16)
- RE: Amazon Phishing Scam - Tech Details S G Masood (Dec 16)
- RE: Amazon Phishing Scam - Tech Details DAN MORRILL (Dec 16)
- Re: Amazon Phishing Scam - Tech Details S G Masood (Dec 16)