It is a fake. I contacted e-gold before posting it here and sent them the email with headers; they've confirmed it and are attempting to shut down the web site of the spoofer.
What's disturbing about this is that we are on someone's list as e-gold customers or something, and this is very likely the same spoofer that had earlier set up e-golb.com and attempted the same kind of spoof. This time the urls point to e-gold.cc, but nic.cc doesn't give out much info for them, i.e. address, phone #, etc. (not that I'd rely on those being true anyway...) The ip of the one I got came from a 12.x.x.x network address; I believe these are DSL lines. So likely the attacker looked around for open relays and found one, and used it. I didn't notice that ip in the headers Tim sent, so this is likely what has happened. Tracing the miscreant will come down to tracing the ip address of the forged web site.

Update: I've just looked up e-gold and that address does belong to e-gold's technical contact (see www.opensrs.org..). So the spoofer wasn't attempting to get ID's after all (unless it's an inside job or the technical contact is in on the scam - but if they were, they could just change the DNS entry...) but rather get logins redirected to their site.

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :NSA got $20Bil/year |Passwords are like underwear. You don't     /|\
  \|/  :and didn't stop 9-11|share them, you don't hang them on your    /\|/\
<--*-->:Instead of rewarding|monitor, or under your keyboard, you      \/|\/
  /|\  :their failures, we  |don't email them, or put them on a web     \|/
 + v + :should get refunds! |site, and you must change them very often. +
--------[EMAIL PROTECTED]------- http://www.sunder.net ------------

On Fri, 15 Nov 2002, Eric Murray wrote:

> On Fri, Nov 15, 2002 at 10:02:54AM -0800, Tim May wrote:
> > On Friday, November 15, 2002, at 08:59 AM, Tim May wrote:
> > > I received a similar letter, and also one from PayPal/EBay which was
> > > quite similar in language. The full headers of the E-gold letter are
> > > included at the end of this message.
> > > Here are the headers of the E-gold message I got:
> > >
> > > From:
> > >
> > > [demime 0.97c removed an attachment of type image/tiff which had a
> > > name of image.tiff]
> > >
> >
> > The headers got "demimed," at least on the version I got back from
> > lne.com.
>
> "Image.tiff"? Weird. Could you send me a copy of the one that got demimed?
>
> > So, I hope what follows is plain text only. (My editors say it is.)
> >
> > From [EMAIL PROTECTED] Fri Nov 15 08:05:42 2002
> > Received: by sphinx (mbox tcmay)
> > (with Cubic Circle's cucipop (v1.31 1998/05/13) Fri Nov 15 08:10:44
> > 2002)
> > X-From_: [EMAIL PROTECTED] Fri Nov 15 07:31:14 2002
> > Return-Path: <[EMAIL PROTECTED]>
> > Received: from psmtp.com (exprod5mx17.postini.com [64.75.1.157])
> > by sphinx.got.net (8.12.2/8.12.2/Debian -5) with SMTP id gAFFVDap010192
> > for <[EMAIL PROTECTED]>; Fri, 15 Nov 2002 07:31:14 -0800
> > Received: from source ([24.51.87.108]) by exprod5mx17 ([64.75.1.245])
> > with SMTP;
> > Fri, 15 Nov 2002 10:31:13 EST
>
> I'm guessing that 24.51.87.108 is the source and the Received
> line below is fake.
> 24.51.87.108 is in a netblock owned by Adelphia.
> 64.75.1.245 is an MX for got.net. It's common for spammers
> to send their spam through MX hosts to bypass blacklists.
>
> I'd compare this to other "e-gold" mails to be sure but I'd
> say just from looking at the headers there's a strong chance it's fake.
>
> > Received: from 216.53.150.250 (HELO maple.omnipay.net)
> > by smtp.c000.snv.cp.net (209.228.32.87) with SMTP; Fri, 15
> > Nov 2002 15:31:32 +0000
> > Received: by MAPLE with Internet Mail Service (5.5.2655.55)
> > id <TBHXL3DL>; Fri, 15 Nov 2002 15:31:32 +0000
> > From: "Service EG" <[EMAIL PROTECTED]>
> > To: "e-gold customer" <[EMAIL PROTECTED]>
> > Subject: [e-gold-service] We have set a value limit on your e-gold
> > account
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Mailer: Internet Mail Service (5.5.2655.55)
> > Date: Fri, 15 Nov 2002 15:31:32 +0000
> > Message-ID: <h0jrog#fxvwrphuh0jrog#fxvwrphu@MAPLE>
> > Mime-Version: 1.0
> > Content-Type: text/html; charset="iso-8859-1"
>
> Eric
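Eric's Received-chain reasoning, worked through as an added example (this is editor-added code, not anything from the thread, from e-gold or from the list software). The script walks the quoted Received headers from the recipient's own MTA outward and checks that each hop's "by" identity agrees with what the hop above it says it received from; the first contradiction marks where the forged headers begin, and the peer IP recorded by the last consistent hop (24.51.87.108 here) is the best evidence for the real origin. A second, naive check flags the lookalike domains the post mentions (e-golb.com, e-gold.cc) against e-gold.com. The header list is constructed from the text quoted above with a placeholder recipient; the hostname-matching rule, the edit-distance threshold and the two-label domain assumption are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the Received chain quoted in the thread, most recent hop first.
# The "for <...>" recipient is a placeholder; everything else is as quoted.
RECEIVED_HEADERS = [
    "by sphinx (mbox tcmay) (with Cubic Circle's cucipop (v1.31 1998/05/13) Fri Nov 15 08:10:44 2002)",
    "from psmtp.com (exprod5mx17.postini.com [64.75.1.157]) by sphinx.got.net (8.12.2/8.12.2/Debian -5) "
    "with SMTP id gAFFVDap010192 for <recipient@example.invalid>; Fri, 15 Nov 2002 07:31:14 -0800",
    "from source ([24.51.87.108]) by exprod5mx17 ([64.75.1.245]) with SMTP; Fri, 15 Nov 2002 10:31:13 EST",
    "from 216.53.150.250 (HELO maple.omnipay.net) by smtp.c000.snv.cp.net (209.228.32.87) with SMTP; "
    "Fri, 15 Nov 2002 15:31:32 +0000",
    "by MAPLE with Internet Mail Service (5.5.2655.55) id <TBHXL3DL>; Fri, 15 Nov 2002 15:31:32 +0000",
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


@dataclass
class Hop:
    has_from: bool = False                        # False for local hand-offs (mailbox/POP): no SMTP peer
    from_names: set = field(default_factory=set)  # names the receiver saw or was told (HELO, reverse DNS)
    from_ips: set = field(default_factory=set)    # IPs the receiver recorded for its peer
    by_name: str = ""                             # name the receiving MTA gives itself
    by_ips: set = field(default_factory=set)


def parse_received(header: str) -> Hop:
    """Split one Received header into what it claims about sender and receiver."""
    hop = Hop()
    body = header.rsplit(";", 1)[0]               # drop the trailing date
    m = re.match(r"from\s+(.*?)\s+by\s+(.*)", body, re.S)
    if m:
        hop.has_from = True
        from_part, by_part = m.group(1), m.group(2)
        hop.from_ips = set(IP_RE.findall(from_part))
        hop.from_names = {t.lower() for t in NAME_RE.findall(from_part)
                          if any(c.isalpha() for c in t) and t.upper() not in ("HELO", "EHLO")}
    else:
        by_part = re.sub(r"^by\s+", "", body)
    by_part = re.split(r"\s+(?:with|id|via)\s+", by_part, maxsplit=1)[0]  # keep "name (comment)"
    hop.by_name = by_part.split()[0].lower()
    hop.by_ips = set(IP_RE.findall(by_part))
    return hop


def hosts_agree(receiver: Hop, sender: Hop) -> bool:
    """Does the earlier hop's 'by' identity match what the later hop says it received from?
    Matching rule (assumption): a shared IP, or the same name allowing for short vs. fully
    qualified forms (exprod5mx17 vs. exprod5mx17.postini.com)."""
    if receiver.from_ips & sender.by_ips:
        return True
    return any(n == sender.by_name or n.startswith(sender.by_name + ".")
               or sender.by_name.startswith(n + ".") for n in receiver.from_names)


def analyze_chain(headers):
    """Walk the chain from our own MTA outward. A hop is trusted only while every hop above it
    is consistent with it; the first contradiction marks forged headers, and the peer IP
    recorded by the last consistent hop is the best evidence for the real origin."""
    hops = [parse_received(h) for h in headers]
    if not hops:
        return {"first_untrusted": None, "suspect_ips": [], "suspect_names": []}
    last_trusted = 0
    for i in range(len(hops) - 1):
        if not hops[i].has_from or hosts_agree(hops[i], hops[i + 1]):
            last_trusted = i + 1
        else:
            break
    origin = hops[last_trusted]
    return {
        "first_untrusted": last_trusted + 1 if last_trusted + 1 < len(hops) else None,
        "suspect_ips": sorted(origin.from_ips),
        "suspect_names": sorted(origin.from_names),
    }


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch one-character swaps such as e-gold -> e-golb."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, legit: str = "e-gold.com") -> bool:
    """Flag a domain that reuses the legitimate second-level label under another TLD (e-gold.cc)
    or is within one edit of it (e-golb.com). Naive: no public-suffix list, two-label names only."""
    candidate, legit = candidate.lower().strip("."), legit.lower().strip(".")
    if candidate == legit:
        return False
    c_sld, l_sld = candidate.rsplit(".", 1)[0], legit.rsplit(".", 1)[0]
    return c_sld == l_sld or edit_distance(c_sld, l_sld) <= 1


if __name__ == "__main__":
    print(analyze_chain(RECEIVED_HEADERS))   # first_untrusted 3, suspect_ips ['24.51.87.108']
    for d in ("e-gold.com", "e-golb.com", "e-gold.cc"):
        print(d, "lookalike" if is_lookalike(d) else "ok")
```

Run against the quoted headers, the chain is consistent down to the hop recorded by exprod5mx17 (got.net's MX) and breaks at the "smtp.c000.snv.cp.net" line, which is exactly Eric's conclusion: the hops below that point cannot be trusted, and 24.51.87.108 is the peer the last honest MTA actually talked to. The lookalike check is deliberately simple; a real deployment would use a public-suffix list and a homoglyph table.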
