--- DAN MORRILL <[EMAIL PROTECTED]> wrote:
> Ran across a very nice phishing scam from Amazon this morning. Technical
> details follow as suggested black list for this domain. It was really nice,
> very authentic looking, and would suck in a lot of folks because it really
> looked very good. It has been reported to Amazon, but thought I would
> include the technical details to this group.

Hi Dan,

What's the point in posting this to the list? How is it different from the zillion other phishing emails? It doesn't seem to use any new techniques from what I could gather from your post. If it does, you haven't mentioned it.

--
SG Masood

> Cheers/r/Dan
>
> This is a header from an authentic e-mail from Amazon.
>
> Received: from mail-store-1001.amazon.com ([207.171.164.43]) by
>   bay0-mc8-f3.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
>   Thu, 15 Dec 2005 21:03:11 -0800
> Received: from ae-app-2102.iad2.amazon.com by mail-store-1001.amazon.com
>   with ESMTP (peer crosscheck: ae-app-2102.iad2.amazon.com)
> Received: by ae-app-2102.iad2.amazon.com id AAA06388,375;
>   15 Dec 2005 21:03:08 -0800
> X-Message-Info: JGTYoYF78jEEhmTX9UX+3w4ZLRY9TlPY7fSuoOPz5zo=
> X-Amazon-Corporate-Relay: mail-store-1001.vdc.amazon.com
> X-AMAZON-TRACK: default
> Bounce-to: [EMAIL PROTECTED]
> Return-Path: [EMAIL PROTECTED]
> X-OriginalArrivalTime: 16 Dec 2005 05:03:11.0815 (UTC)
>   FILETIME=[0377ED70:01C601FE]
>
> This is the email header from the suspected phishing e-mail
>
> Received: from thebe.jtan.com ([207.106.84.138]) by
>   bay0-mc7-f17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
>   Thu, 15 Dec 2005 12:34:48 -0800
> Received: from thebe.jtan.com (localhost [127.0.0.1]) by thebe.jtan.com
>   (8.13.3/8.12.9) with ESMTP id jBFKYki2014108 for <[EMAIL PROTECTED]>;
>   Thu, 15 Dec 2005 15:34:46 -0500
> Received: (from [EMAIL PROTECTED]) by thebe.jtan.com
>   (8.13.3/8.13.3/Submit) id jBFKYkhi014107; Thu, 15 Dec 2005 15:34:46 -0500
> X-Message-Info: JGTYoYF78jE8tZXo0G/OwVSmdTTPCilDDfKPKME8AI4=
> Return-Path: [EMAIL PROTECTED]
> X-OriginalArrivalTime: 15 Dec 2005 20:34:48.0333 (UTC)
>   FILETIME=[FDF9F3D0:01C601B6]
>
> So the phishing e-mail came from here: http://www.uslec.com/
>
> OrgName: USLEC Corp.
> OrgID: USLC
> Address: 6801 Morrison Blvd
> City: Charlotte
> StateProv: NC
> PostalCode: 28211
> Country: US
>
> With an eventual owner here (Suspected hacked site http://thebe.jtan.com/)
> with the owner http://www.jtan.com which is a service provider under uslec.
>
> J. Thomas Associates
> 1302 Diamond St
> Sellersville, PA 18960
> US
> Domain Name: JTAN.COM
>
> Administrative Contact, Technical Contact:
> Nadovich, Chris T [EMAIL PROTECTED]
> 1302 DIAMOND ST
> SELLERSVILLE, PA 18960-2906
> US 215-257-8708 fax: 123 123 1234
>
> Sometimes MSN E-mail will indicate that the message failed to be delivered.
> Please resend when you get those, it does not mean that the mail box is bad,
> merely that MSN mail is over worked at the time.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
