Re: Retry: Yet another attempt to defraud egold!

2002-11-19 Thread Bill Frantz
At 10:42 AM -0800 11/15/02, Sunder wrote:
What's disturbing about this is that we are on someone's list as e-gold
customers or something, and this is very likely the same spoofer that had
earlier set up e-golb.com and attempted the same kind of spoof.

FWIW, I got one of the e-gold letters.  I don't have an e-gold account.

Cheers - Bill


-
Bill Frantz   | The principal effect of| Periwinkle -- Consulting
(408)356-8506 | DMCA/SDMI is to prevent| 16345 Englewood Ave.
[EMAIL PROTECTED] | fair use.  | Los Gatos, CA 95032, USA




Re: Retry: Yet another attempt to defraud egold!

2002-11-19 Thread Bill Stewart
At 02:27 PM 11/18/2002 -0800, Bill Frantz wrote:

At 10:42 AM -0800 11/15/02, Sunder wrote:
What's disturbing about this is that we are on someone's list as e-gold
customers or something, and this is very likely the same spoofer that had
earlier set up e-golb.com and attempted the same kind of spoof.

FWIW, I got one of the e-gold letters.  I don't have an e-gold account.


I got one, and while I'm neither confirming nor denying that I or
someone like me has an e-gold account at this point in time (:-)
I certainly don't have one with the name Bill Jones on it.




Re: Retry: Yet another attempt to defraud egold!

2002-11-15 Thread Sunder
It is a fake, I contacted e-gold before posting it here and sent them the
email with headers, they've confirmed it and are attempting to shut down
the web site of the spoofer.

What's disturbing about this is that we are on someone's list as e-gold
customers or something, and this is very likely the same spoofer that had
earlier set up e-golb.com and attempted the same kind of spoof.

This time the urls point to e-gold.cc, but nic.cc doesn't give out much
info for them.  i.e. address, phone #, etc (not that I'd rely on those
being true anyway...)

The ip of the one I got came from a 12.x.x.x network address, I believe
these are DSL lines.  So likely the attacker looked around for open relays
and found one, and used it.  I didn't notice that ip in the headers Tim
sent, so this is likely what has happened.  Tracing the miscreant will
come down to tracing the ip address of the forged web site.


Update: I've just looked up e-gold and that address does belong to
e-gold's technical contact (See www.opensrs.org..) So the spoofer wasn't
attempting to get ID's after all (unless it's an inside job or the
technical contact is in on the scam - but if they were, they could
just change the DNS entry...) but rather get logins redirected to
their site.


--Kaos-Keraunos-Kybernetos---
 + ^ + :NSA got $20Bil/year |Passwords are like underwear. You don't /|\
  \|/  :and didn't stop 9-11|share them, you don't hang them on your/\|/\
--*--:Instead of rewarding|monitor, or under your keyboard, you   \/|\/
  /|\  :their failures, we  |don't email them, or put them on a web  \|/
 + v + :should get refunds! |site, and you must change them very often.
[EMAIL PROTECTED] http://www.sunder.net 

On Fri, 15 Nov 2002, Eric Murray wrote:

 On Fri, Nov 15, 2002 at 10:02:54AM -0800, Tim May wrote:
  On Friday, November 15, 2002, at 08:59  AM, Tim May wrote:
   I received a similar letter, and also one from PayPal/EBay which was
   quite similar in language. The full headers of the E-gold letter are
   included at the end of this message.
   Here are the headers of the E-gold message I got:
  
   From:
  
   [demime 0.97c removed an attachment of type image/tiff which had a 
   name of image.tiff]
  
  
  
  The headers got demimed, at least on the version I got back from 
  lne.com.
 
 Image.tiff? Weird.  Could you send me a copy of the one that got demimed?
 
  
  So, I hope what follows is plain text only. (My editors say it is.)
  
   From [EMAIL PROTECTED] Fri Nov 15 08:05:42 2002
  Received: by sphinx (mbox tcmay)
(with Cubic Circle's cucipop (v1.31 1998/05/13) Fri Nov 15 08:10:44 
  2002)
  X-From_: [EMAIL PROTECTED]  Fri Nov 15 07:31:14 2002
  Return-Path: [EMAIL PROTECTED]
  Received: from psmtp.com (exprod5mx17.postini.com [64.75.1.157])
  by sphinx.got.net (8.12.2/8.12.2/Debian -5) with SMTP id gAFFVDap010192
  for [EMAIL PROTECTED]; Fri, 15 Nov 2002 07:31:14 -0800
  Received: from source ([24.51.87.108]) by exprod5mx17 ([64.75.1.245]) 
  with SMTP;
  Fri, 15 Nov 2002 10:31:13 EST
 
 I'm guessing that 24.51.87.108 is the source and the Received
 line below is fake.
 24.51.87.108 is in a netblock owned by Adelphia.
 64.75.1.245 is an MX for got.net.  It's common for spammers
 to send their spam through MX hosts to bypass blacklists.
 
 I'd compare this to other e-gold mails to be sure but I'd
 say just from looking at the headers there's a strong chance it's fake.
 
 
 
  Received: from 216.53.150.250 (HELO maple.omnipay.net)
 by smtp.c000.snv.cp.net (209.228.32.87) with SMTP; Fri, 15 
  Nov 2002 15:31:32 +
  Received: by MAPLE with Internet Mail Service (5.5.2655.55)
 id TBHXL3DL; Fri, 15 Nov 2002 15:31:32 +
  From: Service EG [EMAIL PROTECTED]
  To: e-gold customer [EMAIL PROTECTED]
  Subject: [e-gold-service] We have set a value limit on your e-gold 
  account
  X-Priority: 3
  X-MSMail-Priority: Normal
  X-Mailer: Internet Mail Service (5.5.2655.55)
  Date: Fri, 15 Nov 2002 15:31:32 +
  Message-ID: h0jrog#fxvwrphuh0jrog#fxvwrphu@MAPLE
  Mime-Version: 1.0
  Content-Type: text/html; charset=iso-8859-1
 
 
 Eric
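The check Eric is doing by eye above, as an added example that is not from any poster in the thread: walk the Received chain of the quoted e-gold message from the recipient's own MTA outward and find the hop where the trusted chain breaks. The hop-linking rule (a `by` host matches the previous `from` host by IP or by hostname label prefix) is my own heuristic, not an RFC rule.

```python
import re

# Received headers from the e-gold message Tim May posted in this thread, most
# recent hop first (MTAs prepend), unfolded and trimmed to what the parser needs.
RECEIVED = [
    "by sphinx (mbox tcmay)",
    "from psmtp.com (exprod5mx17.postini.com [64.75.1.157]) by sphinx.got.net (8.12.2/8.12.2/Debian -5) with SMTP id gAFFVDap010192",
    "from source ([24.51.87.108]) by exprod5mx17 ([64.75.1.245]) with SMTP",
    "from 216.53.150.250 (HELO maple.omnipay.net) by smtp.c000.snv.cp.net (209.228.32.87) with SMTP",
    "by MAPLE with Internet Mail Service (5.5.2655.55) id TBHXL3DL",
]

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
CLAUSE_RE = r"\b%s\s+(\S+)(?:\s*\(([^)]*)\))?"   # "<from|by> host (comment)"


def _endpoint(line, keyword):
    """Return ({hostnames}, ip-or-None) for the 'from' or 'by' clause of one header."""
    m = re.search(CLAUSE_RE % keyword, line, re.I)
    if not m:
        return set(), None
    host, comment = m.group(1), m.group(2) or ""
    names, ip = {host.lower()}, host if IP_RE.fullmatch(host) else None
    for tok in comment.replace("[", " ").replace("]", " ").split():
        if IP_RE.fullmatch(tok):
            ip = tok                      # the address the receiving MTA actually saw
        elif HOST_RE.fullmatch(tok):
            names.add(tok.lower())        # rDNS or HELO name
    return names, ip


def hands_off(newer, older):
    """True if the older header's 'by' host plausibly is the newer header's 'from' host."""
    (f_names, f_ip), (b_names, b_ip) = _endpoint(newer, "from"), _endpoint(older, "by")
    if b_ip and b_ip == f_ip:
        return True
    return any(b == f or f.startswith(b + ".") or b.startswith(f + ".")
               for b in b_names for f in f_names)


def find_origin(received):
    """Walk outward from the recipient's MTA; the first header whose 'by' does not match
    the previous 'from' is where trust ends, and everything below it may be forged.
    Returns (last trusted sending IP or name, index of first untrusted header or None)."""
    origin = None
    for i, hdr in enumerate(received):
        names, ip = _endpoint(hdr, "from")
        if not names:                     # local delivery ("by sphinx"), no hand-off
            continue
        origin = ip or sorted(names)[0]
        if i + 1 < len(received) and not hands_off(hdr, received[i + 1]):
            return origin, i + 1
    return origin, None
```

On these headers the chain holds from sphinx.got.net to the postini relay, then breaks: exprod5mx17 received directly from 24.51.87.108, not from smtp.c000.snv.cp.net, so the omnipay/MAPLE lines below were already in the message and carry no evidentiary weight.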




Re: Retry: Yet another attempt to defraud egold!

2002-11-15 Thread Brian McWilliams
Don't obsess on the message headers. Look at the scam site (the URL is 
cloaked in the e-mail):

https://www.e-gold.cc/acct/manager.htm

Unencoded, the HTML appears to be stuffing stolen account info into a page 
called https://a.e-gold.cc/acct.php

In other words, there's no throwaway Hotmail drop box, etc. All the goods 
are right on that server, which appears to be hosted by Hurricane Electric 
(he.net) in Cal.

They even have an SSL certificate, although you don't need to use https to 
access the site.

Clever scam, but I wonder how many victims they can hope for. It sounds 
like they're blindly spamming out that e-mail and don't have a customer 
list, although they could probably put one together from here: 
http://www.e-gold.com/unsecure/lists.html

Brian


At 01:02 PM 11/15/2002, Tim May wrote:
On Friday, November 15, 2002, at 08:59  AM, Tim May wrote:

I received a similar letter, and also one from PayPal/EBay which was
quite similar in language. The full headers of the E-gold letter are
included at the end of this message.
Here are the headers of the E-gold message I got:

From:

[demime 0.97c removed an attachment of type image/tiff which had a name 
of image.tiff]


The headers got demimed, at least on the version I got back from lne.com.

So, I hope what follows is plain text only. (My editors say it is.)

From [EMAIL PROTECTED] Fri Nov 15 08:05:42 2002
Received: by sphinx (mbox tcmay)
 (with Cubic Circle's cucipop (v1.31 1998/05/13) Fri Nov 15 08:10:44 2002)
X-From_: [EMAIL PROTECTED]  Fri Nov 15 07:31:14 2002
Return-Path: [EMAIL PROTECTED]
Received: from psmtp.com (exprod5mx17.postini.com [64.75.1.157])
by sphinx.got.net (8.12.2/8.12.2/Debian -5) with SMTP id 
gAFFVDap010192
for [EMAIL PROTECTED]; Fri, 15 Nov 2002 07:31:14 -0800
Received: from source ([24.51.87.108]) by exprod5mx17 ([64.75.1.245]) with 
SMTP;
Fri, 15 Nov 2002 10:31:13 EST
Received: from 216.53.150.250 (HELO maple.omnipay.net)
  by smtp.c000.snv.cp.net (209.228.32.87) with SMTP; Fri, 15 Nov 
2002 15:31:32 +
Received: by MAPLE with Internet Mail Service (5.5.2655.55)
  id TBHXL3DL; Fri, 15 Nov 2002 15:31:32 +
From: Service EG [EMAIL PROTECTED]
To: e-gold customer [EMAIL PROTECTED]
Subject: [e-gold-service] We have set a value limit on your e-gold account
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Internet Mail Service (5.5.2655.55)
Date: Fri, 15 Nov 2002 15:31:32 +
Message-ID: h0jrog#fxvwrphuh0jrog#fxvwrphu@MAPLE
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1