Re: Retry: Yet another attempt to defraud egold!
At 10:42 AM -0800 11/15/02, Sunder wrote:
> What's disturbing about this is that we are on someone's list as e-gold customers or something, and this is very likely the same spoofer that had earlier set up e-golb.com and attempted the same kind of spoof.

FWIW, I got one of the e-gold letters. I don't have an e-gold account.

Cheers - Bill

Bill Frantz       | The principal effect of  | Periwinkle -- Consulting
(408)356-8506     | DMCA/SDMI is to prevent  | 16345 Englewood Ave.
[EMAIL PROTECTED] | fair use.                | Los Gatos, CA 95032, USA
Re: Retry: Yet another attempt to defraud egold!
At 02:27 PM 11/18/2002 -0800, Bill Frantz wrote:
> At 10:42 AM -0800 11/15/02, Sunder wrote:
>> What's disturbing about this is that we are on someone's list as e-gold customers or something, and this is very likely the same spoofer that had earlier set up e-golb.com and attempted the same kind of spoof.
>
> FWIW, I got one of the e-gold letters. I don't have an e-gold account.

I got one, and while I'm neither confirming nor denying that I or someone like me has an e-gold account at this point in time (:-) I certainly don't have one with the name Bill Jones on it.
Re: Retry: Yet another attempt to defraud egold!
It is a fake. I contacted e-gold before posting it here and sent them the email with headers; they've confirmed it and are attempting to shut down the web site of the spoofer.

What's disturbing about this is that we are on someone's list as e-gold customers or something, and this is very likely the same spoofer that had earlier set up e-golb.com and attempted the same kind of spoof.

This time the URLs point to e-gold.cc, but nic.cc doesn't give out much info for them, i.e. address, phone #, etc. (not that I'd rely on those being true anyway...)

The IP of the one I got came from a 12.x.x.x network address; I believe these are DSL lines. So likely the attacker looked around for open relays and found one, and used it. I didn't notice that IP in the headers Tim sent, so this is likely what has happened. Tracing the miscreant will come down to tracing the IP address of the forged web site.

Update: I've just looked up e-gold and that address does belong to e-gold's technical contact (see www.opensrs.org). So the spoofer wasn't attempting to get IDs after all (unless it's an inside job or the technical contact is in on the scam - but if they were, they could just change the DNS entry...) but rather get logins redirected to their site.

 --Kaos-Keraunos-Kybernetos---
 + ^ + :NSA got $20Bil/year |Passwords are like underwear. You don't /|\
  \|/  :and didn't stop 9-11|share them, you don't hang them on your/\|/\
 --*--:Instead of rewarding|monitor, or under your keyboard, you \/|\/
  /|\  :their failures, we |don't email them, or put them on a web \|/
 + v + :should get refunds! |site, and you must change them very often.
[EMAIL PROTECTED] http://www.sunder.net

On Fri, 15 Nov 2002, Eric Murray wrote:

> On Fri, Nov 15, 2002 at 10:02:54AM -0800, Tim May wrote:
>> On Friday, November 15, 2002, at 08:59 AM, Tim May wrote:
>>> I received a similar letter, and also one from PayPal/EBay which was quite similar in language.
>>> The full headers of the E-gold letter are included at the end of this message.
>>> Here are the headers of the E-gold message I got:
>>> From: [demime 0.97c removed an attachment of type image/tiff which had a name of image.tiff]
>>
>> The headers got demimed, at least on the version I got back from lne.com.
>
> Image.tiff? Weird. Could you send me a copy of the one that got demimed?
>
>> So, I hope what follows is plain text only. (My editors say it is.)
>>
>> From [EMAIL PROTECTED] Fri Nov 15 08:05:42 2002
>> Received: by sphinx (mbox tcmay) (with Cubic Circle's cucipop (v1.31 1998/05/13) Fri Nov 15 08:10:44 2002)
>> X-From_: [EMAIL PROTECTED] Fri Nov 15 07:31:14 2002
>> Return-Path: [EMAIL PROTECTED]
>> Received: from psmtp.com (exprod5mx17.postini.com [64.75.1.157]) by sphinx.got.net (8.12.2/8.12.2/Debian -5) with SMTP id gAFFVDap010192 for [EMAIL PROTECTED]; Fri, 15 Nov 2002 07:31:14 -0800
>> Received: from source ([24.51.87.108]) by exprod5mx17 ([64.75.1.245]) with SMTP; Fri, 15 Nov 2002 10:31:13 EST
>
> I'm guessing that 24.51.87.108 is the source and the Received line below is fake. 24.51.87.108 is in a netblock owned by Adelphia. 64.75.1.245 is an MX for got.net. It's common for spammers to send their spam through MX hosts to bypass blacklists. I'd compare this to other e-gold mails to be sure, but I'd say just from looking at the headers there's a strong chance it's fake.
>
>> Received: from 216.53.150.250 (HELO maple.omnipay.net) by smtp.c000.snv.cp.net (209.228.32.87) with SMTP; Fri, 15 Nov 2002 15:31:32 +
>> Received: by MAPLE with Internet Mail Service (5.5.2655.55) id TBHXL3DL; Fri, 15 Nov 2002 15:31:32 +
>> From: Service EG [EMAIL PROTECTED]
>> To: e-gold customer [EMAIL PROTECTED]
>> Subject: [e-gold-service] We have set a value limit on your e-gold account
>> X-Priority: 3
>> X-MSMail-Priority: Normal
>> X-Mailer: Internet Mail Service (5.5.2655.55)
>> Date: Fri, 15 Nov 2002 15:31:32 +
>> Message-ID: h0jrog#fxvwrphuh0jrog#fxvwrphu@MAPLE
>> Mime-Version: 1.0
>> Content-Type: text/html; charset=iso-8859-1
>
> Eric
Re: Retry: Yet another attempt to defraud egold!
Don't obsess on the message headers. Look at the scam site (the URL is cloaked in the e-mail):

https://www.e-gold.cc/acct/manager.htm

Unencoded, the HTML appears to be stuffing stolen account info into a page called

https://a.e-gold.cc/acct.php

In other words, there's no throwaway Hotmail drop box, etc. All the goods are right on that server, which appears to be hosted by Hurricane Electric (he.net) in Cal. They even have an SSL certificate, although you don't need to use https to access the site.

Clever scam, but I wonder how many victims they can hope for. It sounds like they're blindly spamming out that e-mail and don't have a customer list, although they could probably put one together from here:

http://www.e-gold.com/unsecure/lists.html

Brian

At 01:02 PM 11/15/2002, Tim May wrote:
> On Friday, November 15, 2002, at 08:59 AM, Tim May wrote:
>> I received a similar letter, and also one from PayPal/EBay which was quite similar in language.
>> The full headers of the E-gold letter are included at the end of this message.
>> Here are the headers of the E-gold message I got:
>> From: [demime 0.97c removed an attachment of type image/tiff which had a name of image.tiff]
>
> The headers got demimed, at least on the version I got back from lne.com. So, I hope what follows is plain text only. (My editors say it is.)
>
> From [EMAIL PROTECTED] Fri Nov 15 08:05:42 2002
> Received: by sphinx (mbox tcmay) (with Cubic Circle's cucipop (v1.31 1998/05/13) Fri Nov 15 08:10:44 2002)
> X-From_: [EMAIL PROTECTED] Fri Nov 15 07:31:14 2002
> Return-Path: [EMAIL PROTECTED]
> Received: from psmtp.com (exprod5mx17.postini.com [64.75.1.157]) by sphinx.got.net (8.12.2/8.12.2/Debian -5) with SMTP id gAFFVDap010192 for [EMAIL PROTECTED]; Fri, 15 Nov 2002 07:31:14 -0800
> Received: from source ([24.51.87.108]) by exprod5mx17 ([64.75.1.245]) with SMTP; Fri, 15 Nov 2002 10:31:13 EST
> Received: from 216.53.150.250 (HELO maple.omnipay.net) by smtp.c000.snv.cp.net (209.228.32.87) with SMTP; Fri, 15 Nov 2002 15:31:32 +
> Received: by MAPLE with Internet Mail Service (5.5.2655.55) id TBHXL3DL; Fri, 15 Nov 2002 15:31:32 +
> From: Service EG [EMAIL PROTECTED]
> To: e-gold customer [EMAIL PROTECTED]
> Subject: [e-gold-service] We have set a value limit on your e-gold account
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Internet Mail Service (5.5.2655.55)
> Date: Fri, 15 Nov 2002 15:31:32 +
> Message-ID: h0jrog#fxvwrphuh0jrog#fxvwrphu@MAPLE
> Mime-Version: 1.0
> Content-Type: text/html; charset=iso-8859-1
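The two checks made in this thread, Eric Murray's walk down the Received: chain to the IP that actually handed the mail to got.net's MX, and Sunder's and Brian's point that the links go to e-golb.com and e-gold.cc rather than e-gold.com, can be scripted. The Python below is an added example written for this page, not code from anyone in the thread. The Received: values are copied from Tim May's quoted headers (lightly normalized: the "for" clause dropped and the truncated "+" timezone written as +0000); the set of trusted receiving hosts and the legitimate domain e-gold.com are assumptions for the example.

```python
import re
from urllib.parse import urlparse

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Received: values from the quoted headers, topmost first (most recent hop).
# Copied from the thread and lightly normalized (timezone "+" written as +0000).
RECEIVED = [
    "from psmtp.com (exprod5mx17.postini.com [64.75.1.157]) by sphinx.got.net "
    "(8.12.2/8.12.2/Debian -5) with SMTP id gAFFVDap010192; Fri, 15 Nov 2002 07:31:14 -0800",
    "from source ([24.51.87.108]) by exprod5mx17 ([64.75.1.245]) with SMTP; "
    "Fri, 15 Nov 2002 10:31:13 EST",
    "from 216.53.150.250 (HELO maple.omnipay.net) by smtp.c000.snv.cp.net (209.228.32.87) "
    "with SMTP; Fri, 15 Nov 2002 15:31:32 +0000",
    "by MAPLE with Internet Mail Service (5.5.2655.55) id TBHXL3DL; Fri, 15 Nov 2002 15:31:32 +0000",
]

# Assumption: hosts the recipient (or his mail provider) runs, whose stamps can be believed.
# Every Received: line below the last one of these was written by the sender.
TRUSTED_BY = {"sphinx.got.net", "exprod5mx17", "64.75.1.245"}


def parse_received(value):
    """Split one Received: value into (from_name, from_ip, by_host); missing parts are None."""
    m_by = re.search(r"\bby\s+(\S+)", value)
    by_host = m_by.group(1) if m_by else None
    from_name = from_ip = None
    m_from = re.match(r"from\s+(\S+)(?:\s*\(([^)]*)\))?", value)
    if m_from:
        token, paren = m_from.group(1), m_from.group(2) or ""
        ips = re.findall(IPV4, token + " " + paren)
        from_ip = ips[0] if ips else None
        helo = re.search(r"HELO\s+(\S+)", paren)      # qmail style: "from <ip> (HELO name)"
        if helo:
            from_name = helo.group(1)
        elif not re.fullmatch(IPV4, token):
            from_name = token                          # sendmail style: "from name (...)"
    return from_name, from_ip, by_host


def find_injection_point(received, trusted_by):
    """Walk the chain top-down. The last hop stamped by one of our own hosts names the IP
    that really connected to us; everything below it is sender-supplied and unverifiable."""
    source_ip = None
    untrusted = []
    for idx, value in enumerate(received):
        _, from_ip, by_host = parse_received(value)
        if by_host in trusted_by:
            source_ip = from_ip
        else:
            untrusted = received[idx:]
            break
    return source_ip, untrusted


def lookalike_domain(url, legit_domain):
    """Return a reason if the link's host imitates legit_domain (same label under another
    suffix, e.g. e-gold.cc, or a one-character edit, e.g. e-golb.com); None if it is genuine."""
    host = (urlparse(url).hostname or "").lower()
    if host == legit_domain or host.endswith("." + legit_domain):
        return None
    legit_label = legit_domain.split(".")[0]
    for label in host.split(".")[:-1]:           # every label except the TLD
        if label == legit_label:
            return "label '%s' under a different suffix: %s" % (label, host)
        if len(label) == len(legit_label) and sum(a != b for a, b in zip(label, legit_label)) == 1:
            return "one-character variant of '%s': %s" % (legit_label, host)
    return None


if __name__ == "__main__":
    ip, fake = find_injection_point(RECEIVED, TRUSTED_BY)
    print("handoff IP (real origin as far as our own logs can show):", ip)
    for line in fake:
        print("  sender-supplied, unverifiable:", line[:60], "...")
    for link in ("https://www.e-gold.cc/acct/manager.htm", "https://a.e-gold.cc/acct.php",
                 "http://www.e-golb.com/", "http://www.e-gold.com/unsecure/lists.html"):
        print(link, "->", lookalike_domain(link, "e-gold.com") or "ok")
```

Run against the thread's headers it reports 24.51.87.108 as the handoff address and marks the two lines below it (the maple.omnipay.net hop and the Exchange stamp) as unverifiable, which is Eric's reading; the domain check flags both e-gold.cc hosts and e-golb.com while passing e-gold.com. The trust boundary is the whole point: a Received: line is only evidence if you know who wrote it, so the set of trusted hosts has to come from your own infrastructure, never from the message.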