Phishing & BotNets
FW: You've got a Yahoo! Greeting May 17 2006 08:21AM
John Uhlmann (john uhlmann anu edu au) (1 replies)
Try #2. In plain text. I edited the email slightly to make it more
readable.

Date: Wed, 17 May 2006 17:57:36 +1000
From: John Uhlmann <john.uhlmann (at) anu.edu (dot) au [email concealed]>
Subject: FW: You've got a Yahoo! Greeting
To: au-abuse (at) yahoo-inc (dot) com [email concealed]
Cc: mdannatt (at) longmeadowconsulting (dot) com [email concealed], hostmaster (at) startlogic (dot) com [email concealed],
webmaster (at) pickaweb.co (dot) uk [email concealed], doi.helpdesk (at) anu.edu (dot) au [email concealed],
phishing (at) securityfocus (dot) com [email concealed]

Yahoo!,
This is not abuse of a Yahoo! account, but rather a phishing attack
disguised as a Yahoo! Greeting. I couldn't find an explicit means to
report phishing attacks, but figured reporting it as abuse was close
enough.

I've CCed the contacts for the armourbilt.com domain as they are either
complicit or have been exploited and are now the platform whereby the
exploit is launched.
I've CCed the contact for the hostingseries40.net domain as the phishing
attack is probably launched from their domain.
I've CCed the ANU helpdesk as I figure they'd like to know what's going
on on their network.
I've CCed securityfocus.com because I hear that they like to know about
phishing attacks.

The text of the original email is attached, but I've included a copy of
the SMTP headers for completeness.

Cheers,

John


----- SMTP headers -----
Received: from anumail5.anu.edu.au ([150.203.2.45])
    by messaging2.anu.edu.au (Sun Java System Messaging Server 6.2-4.03
    (built Sep 22 2005)) with ESMTP id <0IZE00AQN01ILJA0 (at) messaging2.anu.edu (dot) au [email concealed]>
    for u9915240 (at) anumail.anu.edu (dot) au [email concealed]; Wed, 17 May 2006 11:56:06 +1000 (EST)
Received: from host.hostingseries40.net
    (host.hostingseries40.net [209.59.136.85])
    by anumail5.anu.edu.au (8.13.6/8.13.6) with ESMTP id k4H1trHZ015851
    for <john.uhlmann (at) anu.edu (dot) au [email concealed]>; Wed, 17 May 2006 11:56:05 +1000 (EST)
Received: from nobody by host.hostingseries40.net with local (Exim 4.52)
    id 1FgBGV-0007Dd-0S for john.uhlmann (at) anu.edu (dot) au [email concealed];
    Wed, 17 May 2006 02:55:33 +0100
Date: Wed, 17 May 2006 02:55:33 +0100
From: greetings (at) reply.yahoo (dot) com [email concealed]
Subject: You've got a Yahoo! Greeting
To: john.uhlmann (at) anu.edu (dot) au [email concealed]
Reply-to: greetings (at) donotreply.yahoo (dot) com [email concealed]
Message-id: <E1FgBGV-0007Dd-0S (at) host.hostingseries40 (dot) net [email concealed]>
MIME-version: 1.0
Content-type: text/html
X-AntiAbuse: This header was added to track abuse,
    please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.hostingseries40.net
X-AntiAbuse: Original Domain - anu.edu.au
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - host.hostingseries40.net
X-Source:
X-Source-Args:
X-Source-Dir:
X-PMX-Version: 4.7.1.128075, Antispam-Engine: 2.3.0.1,
    Antispam-Data: 2006.5.16.181107 external
X-Perlmx-Spam: Gauge=XI, Probability=11%, Report='CTYPE_JUST_HTML 0.848,
    NO_REAL_NAME 0, _PHISH_NO_REPLY 0, __CP_URI_IN_BODY 0, __CT 0,
    __CTYPE_IS_HTML 0, __HAS_MSGID 0, __MIME_HTML 0, __MIME_HTML_ONLY 0,
    __MIME_VERSION 0, __SANE_MSGID 0, __STOCK_SUBJ_9 0, __TAG_EXISTS_HTML 0'


-----Original Message-----
From: greetings (at) reply.yahoo (dot) com [email concealed] [mailto:greetings (at) reply.yahoo (dot) com [email concealed]]
Sent: Wednesday, 17 May 2006 11:56 AM
To: john.uhlmann (at) anu.edu (dot) au [email concealed]
Subject: You've got a Yahoo! Greeting
Importance: High

<html><body>
Surprise! You've just received a Yahoo! Greeting<br><br>
To view this greeting card, click on the following
Web address at anytime within the next 30 days.<br>
<a href='http://www.armourbilt.com//card_.html?a=http://au.view.greetings.yahoo.com/greet/view&YBADLEFGQESUB'>http://au.view.greetings.yahoo.com/greet/view?EQRQSYAJNZLRS</a><br><br>
Enjoy!<br><br>
The Yahoo! Greetings Team<br><br>
-------------------------<br>
Yahoo! Greetings is a free service. If you'd like to send someone a<br>
Yahoo! Greeting, you can do so at <a
href='http://au.greetings.yahoo.com/'>http://au.greetings.yahoo.com/</a>
<br>
</body></html>
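
The lure in the message above depends on an anchor whose visible text is a yahoo.com address while its href points at armourbilt.com, with the Yahoo! URL carried along in the `a=` query parameter. A check for that mismatch follows as an added example that is not part of the original post; the names `AnchorCollector`, `host` and `mismatched_links` are hypothetical, and `SAMPLE` is the quoted body with its line wraps rejoined.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The HTML body quoted in the message above, with the mail wrapping rejoined.
SAMPLE = (
    "<html><body>Surprise! You've just received a Yahoo! Greeting<br><br><a "
    "href='http://www.armourbilt.com//card_.html?a=http://au.view.greetings."
    "yahoo.com/greet/view&YBADLEFGQESUB'>http://au.view.greetings.yahoo.com/"
    "greet/view?EQRQSYAJNZLRS</a><br><br>you can do so at <a "
    "href='http://au.greetings.yahoo.com/'>http://au.greetings.yahoo.com/</a>"
    "<br></body></html>"
)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()

def mismatched_links(html):
    """List (shown_host, real_host, href_embeds_url) for anchors that display one host but link to another."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        # Only anchors whose visible text is itself a URL can misstate the destination.
        shown = host(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != host(href):
            findings.append((shown, host(href), "://" in urlsplit(href).query))
    return findings
```

Calling `mismatched_links(SAMPLE)` reports the first anchor only; the footer link to au.greetings.yahoo.com matches its own text and is not flagged.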

Re: FW: You've got a Yahoo! Greeting May 18 2006 01:13AM
Matthew McGlashan (matthew auscert org au)


 

Copyright 2010, SecurityFocus