Re: [Declude.JunkMail] New Phishing Scheme
Sure. I'd be interested in taking a look.

Darin.

----- Original Message -----
From: Dave Doherty
To: Declude.JunkMail@declude.com
Sent: Saturday, March 12, 2005 11:35 PM
Subject: Re: [Declude.JunkMail] New Phishing Scheme

This one's different. I'll send you the details OL.

-d

----- Original Message -----
From: Darin Cox
To: Declude.JunkMail@declude.com
Sent: Saturday, March 12, 2005 8:24 PM
Subject: Re: [Declude.JunkMail] New Phishing Scheme

Yep...it's been around a while... we first saw it July of last year with a US Bank phishing attempt. It only affected IE...and only when no other toolbars were installed. Firefox was not vulnerable to it. It was quite surprising, as it uses DHTML to place a div over the URL window if the window is at the default offset from the main window... surprising that IE allowed that...

Darin.

----- Original Message -----
From: Dave Doherty
To: Declude.JunkMail@declude.com
Sent: Saturday, March 12, 2005 5:27 PM
Subject: [Declude.JunkMail] New Phishing Scheme

Hi, All-

Somebody has figured out how to use JavaScript to make a link look correct on the page, and in the status window when you mouse over the link, while actually sending you to a phish site. So it is no longer sufficient to check the status window, you actually have to look at the page source to figure out whether a link goes where it says.

Maybe some of you have already seen this technique, but it's the first time I have seen it in my inbox. I was waiting for this to happen, and I'm a little surprised that I haven't seen it before. It's actually pretty simple to do.

Since there are probably lurkers here, I'll be happy to share the code OL with people I know if you want to see how it's done. If the weight of opinion here is to share the code openly, I will be happy to do so.

-Dave Doherty
Skywaves, Inc.
301-652-8822 x209
Re: [Declude.JunkMail] New Phishing Scheme
Yep...it's been around a while... we first saw it July of last year with a US Bank phishing attempt. It only affected IE...and only when no other toolbars were installed. Firefox was not vulnerable to it. It was quite surprising, as it uses DHTML to place a div over the URL window if the window is at the default offset from the main window... surprising that IE allowed that...

Darin.
Re: [Declude.JunkMail] New Phishing Scheme
This one's different. I'll send you the details OL.

-d
Re: [Declude.JunkMail] New Phishing scheme
Something new: This one actually have descent grammer and speling. :-)

----- Original Message -----
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, February 14, 2005 11:21 AM
Subject: [Declude.JunkMail] New Phishing scheme

Claiming to be charter one bank. I have not seen this kind of angle before.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] New Phishing Scam
Nope, The original link still works:

http://www.paypal.com/verification/%?6488820019=20

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bilbee
Sent: Saturday, February 14, 2004 11:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] New Phishing Scam

The site is finally non-responsive.

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Klinge
Sent: Saturday, February 14, 2004 5:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] New Phishing Scam

I thought about that earlier too.. But then I soon realized.. They are not that swift.

~Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andy Schmidt
Sent: Saturday, February 14, 2004 7:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] New Phishing Scam

Of course - it could be that law enforcement asked them to MAINTAIN the site so that they can collect evidence.

Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
Sent: Saturday, February 14, 2004 01:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New Phishing Scam

Well...I called in to join the fight...but checked the site while I was on hold and it looks like they've finally taken it down...so I hung up.

Darin.

----- Original Message -----
From: Kevin Bilbee
To: [EMAIL PROTECTED]
Sent: Saturday, February 14, 2004 12:56 PM
Subject: RE: [Declude.JunkMail] New Phishing Scam

I just got off the phone with them and they said their manager is working on it. How many people can we get to start calling in about 15 minutes?

So, Matt I see you have called multiple times. On my last call they asked if I was Matt or Kevin.

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bilbee
Sent: Saturday, February 14, 2004 9:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] New Phishing Scam

I am on the phone with them now. I suggest we all call and take up all of their tech support lines until the site is down. I have all day. I reported this to them 24 hours ago then reported it to the list. From my conversation last night with the SS Etask force if they were open they would be giving them a call also.

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Saturday, February 14, 2004 9:29 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New Phishing Scam

The damn site is still up...24 hours later and these people haven't pulled the site. I just called their sales line and asked that they find someone at a higher level to direct this to. It's beyond me how these people can pull up the address in a Web browser and still not get that there is a problem.

And for the sake of Internet archiving, let me just state for the benefit of others, A+Net, a.k.a. Abacus America Inc of San Diego, CA, whose Web site is located at aplus.net, has shown themselves incapable of taking appropriate action on one of the most common Internet scams despite numerous reports over a 24 hour period. One can only conclude that this is the typical level of response that they give to all support issues, and one should take note of this before considering their services. Other companies, including ones as large and complex as Akamai, have resolved issues within minutes of being reported, as they clearly understood the immediacy of the issue at hand.

Matt

Kevin Bilbee wrote:

Use Matt's 888-301-2516 number instead. Make them pay for the call. I kept them on the phone for 30 minutes.

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bilbee
Sent: Saturday, February 14, 2004 12:17 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] New Phishing Scam

Yes, I sent to abuse and support as per their tech support. I just got off the phone with them. They are still disinterested in shutting down the site.

I have been doing some research on a place to report these issues and actually have someone care. This is what I found:

Electronic Crimes Task Force
http://www.ectaskforce.org/regional_locations.htm

This is the Secret Service of the United States. I just spoke with them and they handle these issues. When calling just ask for the duty officer. Of course they will not be available until Tuesday.

So the more people we get to call

OrgTechName: A Net Support
OrgTechPhone: +1-858-410-6900
OrgTechEmail: [EMAIL PROTECTED]

the quicker we can get the site shut down.

Kevin Bilbee

-Original
Re: [Declude.JunkMail] New Phishing Scam
paypal.com should be working...as it is paypal...:)... The issue was this IP masquerading as a paypal site...http://216.55.162.5/

I made a similar mistake when I didn't realize that the original HTML email had passed through a non-HTML email client, removing the hidden IP in the a href=... tag ... and thought the issue had been finally addressed by A+Net mid-day Saturday.

Darin.
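The check described in this thread, reading the HTML source to see where a link really goes instead of trusting the text shown, can be automated in a mail filter. The Python below is an added example, not code from the thread or from Declude; the sample message, the 192.0.2.5 documentation address and all function names are constructed for illustration, and the host comparison is a simplified suffix match rather than a public-suffix lookup. It goes slightly beyond the PayPal case by also flagging links that carry script event handlers, the situation described in the 2005 "New Phishing Scheme" messages.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostname-looking token in the visible link text, e.g. "www.paypal.com".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample: an HTML mail body with one deceptive link, one honest
# link, one scripted link and one mailto link.
SAMPLE_HTML = """
<p>You are requested to visit our site by following the link given below.</p>
<a href="http://192.0.2.5/">http://www.paypal.com/verification/</a>
<a href="https://www.paypal.com/help">www.paypal.com</a>
<a href="http://www.example.org/" onmouseover="f()">Sign in</a>
<a href="mailto:abuse@example.net">abuse@example.net</a>
"""


def host_of(url):
    """Hostname of an absolute http(s) URL, lower-cased; None otherwise."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not host:
        return None
    return host.lower()


def is_ip_literal(host):
    """True when the link target is a bare IP address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(shown, target):
    """Simplified: equal, or one host is a subdomain of the other."""
    return (shown == target or shown.endswith("." + target)
            or target.endswith("." + shown))


class LinkCollector(HTMLParser):
    """Collects (href, visible text, event-handler attributes) per <a>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def flush(self):
        if self._open is not None:
            href, text, handlers = self._open
            self.links.append((href, "".join(text).strip(), handlers))
            self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.flush()  # tolerate an unclosed previous <a>
            d = dict(attrs)
            handlers = sorted(k for k in d if k.startswith("on"))
            self._open = (d.get("href") or "", [], handlers)

    def handle_data(self, data):
        if self._open is not None:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            self.flush()


def audit_html(html):
    """Return one finding per suspicious link in an HTML mail body."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    parser.flush()
    findings = []
    for href, text, handlers in parser.links:
        reasons = []
        target = host_of(href)
        if target is not None:
            if is_ip_literal(target):
                reasons.append("ip-literal-target")
            shown = HOST_IN_TEXT.search(text)
            if shown and not same_site(shown.group(1).lower(), target):
                reasons.append("text-host-mismatch")
        if handlers:
            # Script can change what the status bar shows on mouse-over.
            reasons.append("scripted-link")
        if reasons:
            findings.append({"href": href, "text": text,
                             "target_host": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(finding)
```

A filter would run this over the text/html part only; as noted in the thread, a copy that has passed through a non-HTML mail client no longer contains the href to inspect.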
RE: [Declude.JunkMail] New Phishing Scam
That is not the phishing link, that is a real link to paypal.

Kevin Bilbee
Re: [Declude.JunkMail] New Phishing Scam
FYI,

If this happens again and if you all would like to make a statement, I wrote a little VBS file that uses wget to download a copy of the site, checks it for the offending content, and then E-mails whomever you wish (cobbed from the Sniffer download script). A dozen of us using this, scheduled to run every 30 minutes, would probably make a statement without crossing the line.

Matt
RE: [Declude.JunkMail] New Phishing Scam
Yes, I sent to abuse and support as per their tech support. I just got off the phone with them. They are still disinterested in shutting down the site.

I have been doing some research on a place to report these issues and actually have someone care. This is what I found:

Electronic Crimes Task Force
http://www.ectaskforce.org/regional_locations.htm

This is the Secret Service of the United States. I just spoke with them and they handle these issues. When calling just ask for the duty officer. Of course they will not be available until Tuesday.

So the more people we get to call

OrgTechName: A Net Support
OrgTechPhone: +1-858-410-6900
OrgTechEmail: [EMAIL PROTECTED]

the quicker we can get the site shut down.

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Klinge
Sent: Friday, February 13, 2004 11:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] New Phishing Scam

Pretty wild for sure.. Anyone send it to [EMAIL PROTECTED] ?

~Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Saturday, February 14, 2004 1:09 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New Phishing Scam

I can't believe that this site hasn't been pulled yet. I called the company just now and showed them the site. Phone calls typically get a faster response. We'll see.

Matt

Colbeck, Andrew wrote:

Very convincing; in the HTML view of the message Kevin sent, you can see the IP address of the real destination, which is of course not PayPal. The website there uses all of PayPal's actual images and HTTPS links and forms to provide the user experience except the sucker enters their username and password into a form on the bogus site, which then sends the data to PayPal.

Andrew ;)

p.s. When I discover these, I report them to [EMAIL PROTECTED]; they want the message forwarded to them, not as an attachment. So if you do that, make sure that you paste in the full headers.

-----Original Message-----
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 13, 2004 2:55 PM
To: JunkMail Declude
Subject: [Declude.JunkMail] New Phishing Scam

Here is a new phishing scam. I reported it to the hosting company and [EMAIL PROTECTED]. The website is still live.

Kevin Bilbee

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 13, 2004 2:38 PM
To: [EMAIL PROTECTED]
Subject: [ SPAM 9 ]Account verification.

Dear PayPal user,

As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts. You are requested to visit our site by following the link given below.

http://www.paypal.com/verification/%?6488820019=20

Please fill in the required information. This is required for us to continue to offer you a safe and risk free environment to send and receive money online, and maintain the PayPal Experience.

Thank you.
Accounts Management

As outlined in our User Agreement, PayPal will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions.

Copyright 2003 PayPal. All Rights Reserved. Designated trademarks and brands are the property of their respective owners.

___
Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
RE: [Declude.JunkMail] New Phishing Scam
I called.. Said that he would let his abuse team handle it. Guess California has strange laws or AUP's?

~Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Saturday, February 14, 2004 1:44 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New Phishing Scam

I believe Kevin said that he did something like that when he posted it. It's been 30 minutes since I called and they still haven't managed to take the site down. Maybe others might want to give their 24 hour support line a call at 888-301-2516.

Matt
RE: [Declude.JunkMail] New Phishing Scam
Use Matt's 888-301-2516 number instead. Make them pay for the call. I kept them on the phone for 30 minutes. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 12:17 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Yes, I sent to abuse and support as per their tech support. I just got off the phone with them. They are still disinterested in shutting down the site. I have been doing some research on a place to report these issues and actually have someone care. This is what I found: Electronic Crimes Task Force http://www.ectaskforce.org/regional_locations.htm This is the Secret Service of the United States. I just spoke with them and they handle these issues. When calling just ask for the duty officer. Of course they will not be available until Tuesday. So the more people we get to call OrgTechName: A Net Support OrgTechPhone: +1-858-410-6900 OrgTechEmail: [EMAIL PROTECTED] the quicker we can get the site shut down. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Klinge Sent: Friday, February 13, 2004 11:38 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Pretty wild for sure.. Anyone send it to [EMAIL PROTECTED] ? ~Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Saturday, February 14, 2004 1:09 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam I can't believe that this site hasn't been pulled yet. I called the company just now and showed them the site. Phone calls typically get a faster response. We'll see. Matt Colbeck, Andrew wrote: Very convincing; in the HTML view of the message Kevin sent, you can see the IP address of the real destination, which is of course not PayPal. 
The website there uses all of PayPal's actual images and HTTPS links and forms to provide the user experience except the sucker enters their username and password into a form on the bogus site, which then sends the data to PayPal. Andrew ;) p.s. When I discover these, I report them to [EMAIL PROTECTED]; they want the message forwarded to them, not as an attachment. So if you do that, make sure that you paste in the full headers. -Original Message- From: Kevin Bilbee [mailto:[EMAIL PROTECTED] Sent: Friday, February 13, 2004 2:55 PM To: JunkMail Declude Subject: [Declude.JunkMail] New Phishing Scam Here is a new phishing scam. I reported it to the hosting company and [EMAIL PROTECTED] The wesite is still live. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, February 13, 2004 2:38 PM To: [EMAIL PROTECTED] Subject: [ SPAM 9 ]Account verification. Dear PayPal user, As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts. You are requested to visit our site by following the link given below. http://www.paypal.com/verification/%?6488820019=20 Please fill in the required information. This is required for us to continue to offer you a safe and risk free environment to send and receive money online, and maintain the PayPal Experience. Thank you. Accounts Management As outlined in our User Agreement, PayPal will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions. Copyright 2003 PayPal. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. ___ Virus Scanned and Filtered by http://www.FamHost.com E-Mail System. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. 
To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] New Phishing Scam
John.. Yes I agree it is a scam.. I visited the site and it is definitely a scam. Needless to say PayPal would never send such an email. But my question was not posed right... It is confusing .. The email shows as if it has come through a PayPal computer. The IP, REVDNS, etc. All show PayPal. I guess my question should have been: How? Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, February 13, 2004 6:23 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam It is a scam. I went to the IP address in IE. I clicked on log in with no user name or password and went to screen to input info like CC number. Left all blank, and submit and it said thank you. Key is it is a IP address in the URL and not a SSL site. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Kami Razvan Sent: Friday, February 13, 2004 3:12 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam This is strange Kevin... http://www.senderbase.org/search?searchString=64.4.240.74 That is a PayPal IP address.. It is also coming from a PayPal reverse dns.. Am I not seeing this right? Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Friday, February 13, 2004 6:06 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Here is the header and source information. 
Kevin

Received: from ns1.ssc-isp.net [12.9.25.242] by standardabrasives.com (SMTPD32-8.05) id A6F11B600C2; Fri, 13 Feb 2004 15:00:01 -0800
Received: from smtp1.nix.paypal.com ([64.4.240.74]) by ns1.ssc-isp.net (SAVSMTP 3.1.3.37) with SMTP id M2004021314523504871 for [EMAIL PROTECTED]; Fri, 13 Feb 2004 14:52:35 -0800
Received: from oma-krapp02.corp.ebay.com (oma-krapp02.corp.ebay.com [10.248.50.2]) by smtp1.nix.paypal.com (Postfix) with SMTP id 9672D3F7D2 for [EMAIL PROTECTED]; Fri, 13 Feb 2004 14:48:17 -0800 (PST)
Precedence: bulk
Auto-Submitted: auto-replied
Date: Fri, 13 Feb 2004 16:55:20 -0600
To: Kevin Bilbee [EMAIL PROTECTED]
Subject: AutoResponse - Email Returned SAXK (KMM42611038V12917L0KM)
From: PayPal Customer Service 2 [EMAIL PROTECTED]
Reply-To: PayPal Customer Service 2 [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset = us-ascii
Content-Transfer-Encoding: quoted-printable
X-Mailer: KANA Response 7.01.102
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: AHBLEXEMPT: Paypal
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [64.4.240.74]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: AHBLEXEMPT, BONDEDSENDER, NOABUSE [-18]
X-Note: This E-mail was sent from smtp1.nix.paypal.com ([64.4.240.74]).
X-RemoteIp: [64.4.240.74]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 373607793

Dear PayPal user,<br> As part of our continuing commitment to protect your account <br>and to reduce the instance of fraud on our website, we are undertaking a <br>period review of our member accounts.<p> You are requested to visit our site by following the link given below.<br> <a href="http://216.55.162.5/">http://www.paypal.com/verification/%?6488820019=20</a><p> Please fill in the required information. This is required for us to continue to offer <br>you a safe and risk free environment to send and receive money online, <br>and maintain the PayPal Experience.<br> Thank you.<p> Accounts Management As outlined in our User Agreement, PayPal will periodically <br>send you information about site changes and enhancements. <br>Visit our Privacy Policy and User Agreement if you have any questions. <p>Copyright 2003 PayPal.<br> All Rights Reserved. Designated trademarks and brands are the property of their respective owners.</html>

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
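The two tells raised in this thread (the link text shows a PayPal URL while the href is a bare IP address, and the target is not an SSL site) can be checked mechanically in a mail filter. The following is an added example, not code from any list member or from Declude; the function names and reason labels are hypothetical, and the sample body is constructed from the link quoted in the thread plus one made-up benign link.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit
import re

# A hostname as it would appear in visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in a body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href.strip(), "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    """True when the host part of the URL is an IPv4/IPv6 address, not a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def strip_www(host):
    """Treat www.example.com and example.com as the same site (heuristic)."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def audit_links(html_body):
    """Return one finding per anchor that shows at least one phishing tell."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        try:
            parts = urlsplit(href)
        except ValueError:
            continue  # unparseable href, nothing to compare
        target = (parts.hostname or "").lower()
        if not target:
            continue  # mailto:, fragment-only or relative links
        reasons = []
        if is_ip_literal(target):
            reasons.append("ip_literal_host")
        if parts.scheme.lower() != "https":
            reasons.append("not_https")
        shown = HOST_IN_TEXT.search(text)
        if shown and strip_www(shown.group(1)) != strip_www(target):
            reasons.append("display_host_mismatch")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: the anchor quoted in the thread plus one benign link.
SAMPLE_BODY = (
    'You are requested to visit our site by following the link given below.<br>'
    '<a href="http://216.55.162.5/">'
    'http://www.paypal.com/verification/%?6488820019=20</a><p>'
    'Visit our <a href="https://www.paypal.com/">Privacy Policy</a>.'
)

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_BODY):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
```

On its own, `not_https` would fire on many legitimate links, so a filter would normally weight it rather than reject on it; the host mismatch and IP-literal checks are the stronger signals.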
RE: [Declude.JunkMail] New Phishing Scam
Kami, I think your confusion was my fault. In one of my posts I incorrectly posted the bounce message from PayPal's abuse email. I later posted the correct headers. Sorry, Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kami Razvan Sent: Saturday, February 14, 2004 5:25 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam John.. Yes I agree it is a scam.. I visited the site and it is definitely a scam. Needless to say PayPal would never send such an email. But my question was not posed right... It is confusing .. The email shows as if it has come through a PayPal computer. The IP, REVDNS, etc. All show PayPal. I guess my question should have been: How? Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists) Sent: Friday, February 13, 2004 6:23 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam It is a scam. I went to the IP address in IE. I clicked on log in with no user name or password and went to screen to input info like CC number. Left all blank, and submit and it said thank you. Key is it is a IP address in the URL and not a SSL site. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Kami Razvan Sent: Friday, February 13, 2004 3:12 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam This is strange Kevin... http://www.senderbase.org/search?searchString=64.4.240.74 That is a PayPal IP address.. It is also coming from a PayPal reverse dns.. Am I not seeing this right? Regards, Kami -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Friday, February 13, 2004 6:06 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Here is the header and source information. 
Kevin

Received: from ns1.ssc-isp.net [12.9.25.242] by standardabrasives.com (SMTPD32-8.05) id A6F11B600C2; Fri, 13 Feb 2004 15:00:01 -0800
Received: from smtp1.nix.paypal.com ([64.4.240.74]) by ns1.ssc-isp.net (SAVSMTP 3.1.3.37) with SMTP id M2004021314523504871 for [EMAIL PROTECTED]; Fri, 13 Feb 2004 14:52:35 -0800
Received: from oma-krapp02.corp.ebay.com (oma-krapp02.corp.ebay.com [10.248.50.2]) by smtp1.nix.paypal.com (Postfix) with SMTP id 9672D3F7D2 for [EMAIL PROTECTED]; Fri, 13 Feb 2004 14:48:17 -0800 (PST)
Precedence: bulk
Auto-Submitted: auto-replied
Date: Fri, 13 Feb 2004 16:55:20 -0600
To: Kevin Bilbee [EMAIL PROTECTED]
Subject: AutoResponse - Email Returned SAXK (KMM42611038V12917L0KM)
From: PayPal Customer Service 2 [EMAIL PROTECTED]
Reply-To: PayPal Customer Service 2 [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset = us-ascii
Content-Transfer-Encoding: quoted-printable
X-Mailer: KANA Response 7.01.102
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: AHBLEXEMPT: Paypal
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [64.4.240.74]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: AHBLEXEMPT, BONDEDSENDER, NOABUSE [-18]
X-Note: This E-mail was sent from smtp1.nix.paypal.com ([64.4.240.74]).
X-RemoteIp: [64.4.240.74]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 373607793

Dear PayPal user,<br> As part of our continuing commitment to protect your account <br>and to reduce the instance of fraud on our website, we are undertaking a <br>period review of our member accounts.<p> You are requested to visit our site by following the link given below.<br> <a href="http://216.55.162.5/">http://www.paypal.com/verification/%?6488820019=20</a><p> Please fill in the required information. This is required for us to continue to offer <br>you a safe and risk free environment to send and receive money online, <br>and maintain the PayPal Experience.<br> Thank you.<p> Accounts Management As outlined in our User Agreement, PayPal will periodically <br>send you information about site changes and enhancements. <br>Visit our Privacy Policy and User Agreement if you have any questions. <p>Copyright 2003 PayPal.<br> All Rights Reserved. Designated trademarks and brands are the property of their respective owners.</html>

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] New Phishing Scam
The damn site is still up...24 hours later and these people haven't pulled the site. I just called their sales line and asked that they find someone at a higher level to direct this to. It's beyond me how these people can pull up the address in a Web browser and still not get that there is a problem. And for the sake of Internet archiving, let me just state for the benefit of others, A+Net, a.k.a. Abacus America Inc of San Diego, CA, whose Web site is located at aplus.net, has shown themselves incapable of taking appropriate action on one of the most common Internet scams despite numerous reports over a 24 hour period. One can only conclude that this is the typical level of response that they give to all support issues, and one should take note of this before considering their services. Other companies, including ones as large and complex as Akamai, have resolved issues within minutes of being reported, as they clearly understood the immediacy of the issue at hand. Matt Kevin Bilbee wrote: Use Matt's 888-301-2516 number instead. Make them pay for the call. I kept them on the phone for 30 minutes. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 12:17 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Yes, I sent to abuse and support as per their tech support. I just got off the phone with them. They are still disinterested in shutting down the site. I have been doing some research on a place to report these issues and actually have someone care. This is what I found: Electronic Crimes Task Force http://www.ectaskforce.org/regional_locations.htm This is the Secret Service of the United States. I just spoke with them and they handle these issues. When calling just ask for the duty officer. Of course they will not be available until Tuesday. 
So the more people we get to call OrgTechName: A Net Support OrgTechPhone: +1-858-410-6900 OrgTechEmail: [EMAIL PROTECTED] the quicker we can get the site shutdown. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rick Klinge Sent: Friday, February 13, 2004 11:38 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Pretty wild for sure.. Anyone send it to [EMAIL PROTECTED] ? ~Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Saturday, February 14, 2004 1:09 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam I can't believe that this site hasn't been pulled yet. I called the company just now and showed them the site. Phone calls typically get a faster response. We'll see. Matt Colbeck, Andrew wrote: Very convincing; in the HTML view of the message Kevin sent, you can see the IP address of the real destination, which is of course not PayPal. The website there uses all of PayPal's actual images and HTTPS links and forms to provide the user experience except the sucker enters their username and password into a form on the bogus site, which then sends the data to PayPal. Andrew ;) p.s. When I discover these, I report them to [EMAIL PROTECTED]; they want the message forwarded to them, not as an attachment. So if you do that, make sure that you paste in the full headers. -Original Message- From: Kevin Bilbee [mailto:[EMAIL PROTECTED]] Sent: Friday, February 13, 2004 2:55 PM To: JunkMail Declude Subject: [Declude.JunkMail] New Phishing Scam Here is a new phishing scam. I reported it to the hosting company and [EMAIL PROTECTED] The wesite is still live. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Friday, February 13, 2004 2:38 PM To: [EMAIL PROTECTED] Subject: [ SPAM 9 ]Account verification. 
Dear PayPal user, As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts. You are requested to visit our site by following the link given below. http://www.paypal.com/verification/%?6488820019=20 Please fill in the required information. This is required for us to continue to offer you a safe and risk free environment to send and receive money online, and maintain the PayPal Experience. Thank you. Accounts Management As outlined in our User Agreement, PayPal will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions. Copyright 2003 PayPal. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. ___ Virus Scanned and Filtered by http
RE: [Declude.JunkMail] New Phishing Scam
I just got off the phone with them and they said their manager is working on it. How many people can we get to start calling in about 15 minutes? So, Matt I see you have called multiple times. On my last call they asked if I was Matt or Kevin. Kevin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 9:42 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam I am on the phone with them now. I suggest we all call and take up all of their tech support lines until the site is down. I have all day. I reported this to them 24 hours ago then reported it to the list. From my conversation last night with the SS Etask force if they were open they would be giving them a call also. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matt Sent: Saturday, February 14, 2004 9:29 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam The damn site is still up...24 hours later and these people haven't pulled the site. I just called their sales line and asked that they find someone at a higher level to direct this to. It's beyond me how these people can pull up the address in a Web browser and still not get that there is a problem. And for the sake of Internet archiving, let me just state for the benefit of others, A+Net, a.k.a. Abacus America Inc of San Diego, CA, whose Web site is located at aplus.net, has shown themselves incapable of taking appropriate action on one of the most common Internet scams despite numerous reports over a 24 hour period. One can only conclude that this is the typical level of response that they give to all support issues, and one should take note of this before considering their services. Other companies, including ones as large and complex as Akamai, have resolved issues within minutes of being reported, as they clearly understood the immediacy of the issue at hand. 
Matt Kevin Bilbee wrote: Use matts 888-301-2516 number instead. Make them pay for the call I kept them on the phone for 30 minutes. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 12:17 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Yes, I sent to abuse and support as per their tech support. I just got off the phone with them. They are still disinterested in shutting down the site. I have been doing some research on a place to report these issues and actualy have someone care. This is what I found Electronic Crimes Task Force http://www.ectaskforce.org/regional_locations.htm This is the Secret Service of the United States. I just spoke with them and they handle these issues. When calling just ask for the duty officer. Of course they will not be available for until Tuesday. So the more people we get to call OrgTechName: A Net Support OrgTechPhone: +1-858-410-6900 OrgTechEmail: [EMAIL PROTECTED] the quicker we can get the site shutdown. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Klinge Sent: Friday, February 13, 2004 11:38 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Pretty wild for sure.. Anyone send it to [EMAIL PROTECTED] ? ~Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Saturday, February 14, 2004 1:09 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam I can't believe that this site hasn't been pulled yet. I called the company just now and showed them the site. Phone calls typically get a faster response. We'll see. Matt Colbeck, Andrew wrote: Very convincing; in the HTML view of the message Kevin sent, you can see the IP address of the real destination, which is of course not PayPal. 
The website there uses all of PayPal's actual images and HTTPS links and forms to provide the user experience except the sucker enters their username and password into a form on the bogus site, which then sends the data to PayPal. Andrew ;) p.s. When I discover these, I report them to [EMAIL PROTECTED]; they want the message forwarded to them, not as an attachment. So if you do that, make sure that you paste in the full headers. -Original Message- From: Kevin Bilbee [mailto:[EMAIL PROTECTED] Sent: Friday, February 13, 2004 2:55 PM To: JunkMail Declude Subject: [Declude.JunkMail] New Phishing Scam Here is a new phishing scam. I reported it to the hosting company and [EMAIL PROTECTED] The wesite is still live. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, February 13, 2004 2:38 PM To: [EMAIL PROTECTED] Subject: [ SPAM 9 ]Account verification. Dear PayPal
RE: [Declude.JunkMail] New Phishing Scam
Still running from my end. I turned caching off on my machine. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Darin Cox Sent: Saturday, February 14, 2004 10:04 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam Well...I called in to join the fight...but checked the site while I was on hold and it looks like they've finally taken it down...so I hung up. Darin. - Original Message - From: Kevin Bilbee To: [EMAIL PROTECTED] Sent: Saturday, February 14, 2004 12:56 PM Subject: RE: [Declude.JunkMail] New Phishing Scam I just got off the phone with them and they said their manager is working on it. How many people can we get to start calling in about 15 minutes? So, Matt I see you have called multiple times. On my last call they asked if I was Matt or Kevin. Kevin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 9:42 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam I am on the phione with them now. I suggest we all call and take up all of their tech supoport lines until the site is down. I have all day. I reported this to them 24hours a go then reported it to the list. From my conversation last night with the SS Etask force if they were open they would be giving them a call also. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matt Sent: Saturday, February 14, 2004 9:29 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam The damn site is still up...24 hours later and these people haven't pulled the site. I just called their sales line and asked that they find someone at a higher level to direct this to. It's beyond me how these people can pull up the address in a Web browser and still not get that there is a problem. And for the sake of Internet archiving, let me just state for the benefit of others, A+Net, a.k.a. 
Abacus America Inc of San Diego, CA, who's Web site is located at aplus.net, has shown themselves incapable of taking appropriate action on one of the most common Internet scams despite numerous reports over a 24 hour period. One can only conclude that this is the typical level of response that they give to all support issues, and one should take note of this before considering their services. Other companies, including ones as large and complex as Akamai, have resolved issues within minutes of being reported, as they clearly understood the immediacy of the issue at hand. Matt Kevin Bilbee wrote: Use matts 888-301-2516 number instead. Make them pay for the call I kept them on the phone for 30 minutes. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 12:17 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Yes, I sent to abuse and support as per their tech support. I just got off the phone with them. They are still disinterested in shutting down the site. I have been doing some research on a place to report these issues and actualy have someone care. This is what I found Electronic Crimes Task Force http://www.ectaskforce.org/regional_locations.htm This is the Secret Service of the United States. I just spoke with them and they handle these issues. When calling just ask for the duty officer. Of course they will not be available for until Tuesday. So the more people we get to call OrgTechName: A Net Support OrgTechPhone: +1-858-410-6900 OrgTechEmail: [EMAIL PROTECTED] the quicker we can get the site shutdown. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Klinge Sent: Friday, February 13, 2004 11:38 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Pretty wild for sure.. Anyone send it to [EMAIL PROTECTED] ? 
~Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Saturday, February 14, 2004 1:09 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam I can't believe that this site hasn't been pulled yet. I called the company just now and showed them the site. Phone calls typically get a faster response. We'll see. Matt Colbeck, Andrew wrote: Very convincing; in the HTML view of the message Kevin sent, you can see the IP address of the real destination, which is of course not PayPal. The website there uses all of PayPal's actual images and HTTPS links and forms to provide the user experience except the sucker enters their username and password into a form on the bogus site, which then sends the data to PayPal. Andrew ;) p.s. When I discover these, I
Re: [Declude.JunkMail] New Phishing Scam
Well...I called in to join the fight...but checked the site while I was on hold and it looks like they've finally taken it down...so I hung up. Darin. - Original Message - From: Kevin Bilbee To: [EMAIL PROTECTED] Sent: Saturday, February 14, 2004 12:56 PM Subject: RE: [Declude.JunkMail] New Phishing Scam I just got off the phone with them and they said their manager is working on it. How many people can we get to start calling in about 15 minutes? So, Matt I see you have called multiple times. On my last call they asked if I was Matt or Kevin. Kevin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 9:42 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam I am on the phione with them now. I suggest we all call and take up all of their tech supoport lines until the site is down. I have all day. I reported this to them 24hours a go then reported it to the list. From my conversation last night with the SS Etask force if they were open they would be giving them a call also. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matt Sent: Saturday, February 14, 2004 9:29 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam The damn site is still up...24 hours later and these people haven't pulled the site. I just called their sales line and asked that they find someone at a higher level to direct this to. It's beyond me how these people can pull up the address in a Web browser and still not get that there is a problem. And for the sake of Internet archiving, let me just state for the benefit of others, A+Net, a.k.a. Abacus America Inc of San Diego, CA, who's Web site is located at aplus.net, has shown themselves incapable of taking appropriate action on one of the most common Internet scams despite numerous reports over a 24 hour period. 
One can only conclude that this is the typical level of response that they give to all support issues, and one should take note of this before considering their services. Other companies, including ones as large and complex as Akamai, have resolved issues within minutes of being reported, as they clearly understood the immediacy of the issue at hand. Matt Kevin Bilbee wrote: Use matts 888-301-2516 number instead. Make them pay for the call I kept them on the phone for 30 minutes. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 12:17 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Yes, I sent to abuse and support as per their tech support. I just got off the phone with them. They are still disinterested in shutting down the site. I have been doing some research on a place to report these issues and actualy have someone care. This is what I found Electronic Crimes Task Force http://www.ectaskforce.org/regional_locations.htm This is the Secret Service of the United States. I just spoke with them and they handle these issues. When calling just ask for the duty officer. Of course they will not be available for until Tuesday. So the more people we get to call OrgTechName: A Net Support OrgTechPhone: +1-858-410-6900 OrgTechEmail: [EMAIL PROTECTED] the quicker we can get the site shutdown. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Klinge Sent: Friday, February 13, 2004 11:38 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Pretty wild for sure.. Anyone send it to [EMAIL PROTECTED] ? ~Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Saturday, February 14, 2004 1:09 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam I can't believe that this site hasn't been pulled yet. 
I called the company just now and showed them the site. Phone calls typically get a faster response. We'll see. Matt Colbeck, Andrew wrote: Very convincing; in the HTML view of the message Kevin sent, you can see the IP address of the real destination, which is of course not PayPal. The website there uses all of PayPal's actual images and HTTPS links and forms to provide the user experience except the sucker enters their username and password into a form on the bogus site, which then sends the data to PayPal. Andrew ;) p.s. When I discover these, I report them to [EMAIL PROTECTED]; they want the message forwarded to them, not as an attachment. So if you do that, make sure that you paste in the full headers. -Original Message- From: Kevin Bilbee [mailto:[EMAIL PROTECTED] Sent: Friday, February 13, 2004 2:55 PM To: JunkMail Declude Subject: [Declude.JunkMail] New
RE: [Declude.JunkMail] New Phishing Scam #2
Below is an email we received - it is an Ebay scam or so it seems. I notified verio just to be on the safe side. It points to: http://198.173.234.225/stats.htm -Nick Hayer

Received: from 061093114108.ctinets.com [61.93.114.108] by mx1.vtbass.com (SMTPD32-8.05) id A4A56045A; Sat, 14 Feb 2004 12:02:29 -0500
Received: from ebay.com (data.ebay.com [66.135.195.180]) by 061093114108.ctinets.com (Postfix) with ESMTP id ADA1DCD957 for [EMAIL PROTECTED]; Sat, 14 Feb 2004 11:02:36 -0600
From: eBay Service [EMAIL PROTECTED]
To: redacted
Subject: [Possible Spam(vhigh)]-Ebay Account Update
Date: Sat, 14 Feb 2004 11:02:36 -0600
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary==_NextPart_000_0007_F090AF1D.AD141D2B
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
X-Virus-Scanned: by AMaViS perl-11 mion
X-RBL-Warning: This message may be spam. [hongkong.blackholes.us] HongKong blocked by hongkong.blackholes.us
X-RBL-Warning: This message may be spam. [query.bondedsender.org] IronPort Bonded Sender - http://www.bondedsender.com;
X-RBL-Warning: This message may be spam. [bl.spamcop.net] Blocked - see http://www.spamcop.net/bl.shtml?66.135.195.180;
X-RBL-Warning: This message may be spam. [abuse.rfc-ignorant.org] Not supporting [EMAIL PROTECTED]
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 93, weight 1)
X-RBL-Warning: LOANS: Message failed LOANS test (line 28, weight 4)
X-RBL-Warning: BODY!: Message failed BODY! test (line 98, weight 4)
X-RBL-Warning: FOREIGN: Message failed FOREIGN test (line 581, weight 3) (weight capped at 3)
X-Note:
X-Declude-Sender: [EMAIL PROTECTED] [61.93.114.108]
X-Note:
X-Note: This e-mail was scanned for spam. [Details at http://spamstats.madriveraccess.com]
X-Country-Chain: UNITED STATES-HONG KONG-destination
X-Hello: 061093114108.ctinets.com
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Sent from: [REVDNS: 061093114108.ctinets.com] [HOST: ebay.com] [IP: 61.93.114.108]
X-Note: Server Name: ebay.com
X-Note: Spam [v:1.77i27] tests: BLACKHOLE-HONGKONG [2], BONDEDSENDER [-8], SPAMCOP [6], NOABUSE [1], SPAMCHK [3], SPAMASSASSIN_v2.61 [7], SPAMDOMAINS [1], ROUTING [4], COUNTRY [1], LOANS [4], BODY! [4], FOREIGN [3]
X-Note: Total spam weight of this E-mail is 28.
X-Note: Scan time: 12:02:58 on 02/14/2004
X-Note: Queue name: D54a50006045abdc3.SMD
X-Note:
X-Declude-Date: 02/14/2004 17:02:36 [0]
Content-Transfer-Encoding: 7bit

Dear eBay Member,

Dear customer, you have been billed for $15.00 recently. Please update your billing information at eBay Billing Center. This is eBay auto generated message, if you think you received it by mistake or you want to remove these notifications, please update your profile at Billing Center.

**Note eBay never asks for your credit card number, pin code or any of your passwords.

Thank you
Accounts Management

As outlined in our User Agreement, eBay will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions. Copyright © 1995-2004 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. Use of this Web site constitutes acceptance of the eBay User Agreement and Privacy Policy.
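The check described in this thread, reading the HTML view of a message to see that a link really goes to an IP address rather than to the brand it names, can be automated at the mail gateway. The following is an added example, not code from the thread or from Declude; the sample message, host names and addresses are constructed, and it goes one step beyond the thread by also flagging targets wrapped in a redirector's query string and forms that post to an IP address.

```python
import ipaddress
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample (not the message from the thread). The brand name and the
# 192.0.2.x / 198.51.100.x documentation addresses are placeholders.
SAMPLE = (
    "From: Example Pay <service@pay.example>\n"
    "Subject: Account update\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="b1"\n'
    "\n--b1\nContent-Type: text/plain\n\n"
    "Please update your billing information.\n"
    "--b1\nContent-Type: text/html\n"
    "Content-Transfer-Encoding: quoted-printable\n\n"
    '<a href=3D"http://192.0.2.10/stats.htm">https://www.pay.example/login</a>\n'
    '<a href=3D"http://redir.example/r?url=3Dhttp://198.51.100.7/x">Billing Center</a>\n'
    '<a href=3D"https://www.pay.example/help">www.pay.example</a>\n'
    '<form action=3D"http://192.0.2.10/collect"><input name=3D"pw"></form>\n'
    "--b1--\n"
)

# A host name written out in the visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (kind, url, visible_text) for anchors and form actions."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "form" and attrs.get("action"):
            self.found.append(("form", attrs["action"], ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append(("link", self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL, or '' when it has none or is malformed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_ip(host):
    """True when the host is an IPv4/IPv6 literal instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(a, b):
    """Treat a host and its own subdomains as the same site."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def embedded_targets(url):
    """URLs carried in query parameters (redirector-style wrapping)."""
    return [v for _, v in parse_qsl(urlsplit(url).query) if re.match(r"https?://", v, re.I)]


def analyze_html(html):
    """Return (url, [flags]) for every suspicious link or form in the HTML."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for kind, url, text in collector.found:
        flags, host = [], host_of(url)
        if is_ip(host):
            flags.append(f"{kind}-to-ip-literal")
        shown = HOST_IN_TEXT.search(text)
        if shown and not same_site(host, shown.group(1).lower()):
            flags.append("text-host-mismatch")
        for target in embedded_targets(url):
            flags.append("redirector-to-ip" if is_ip(host_of(target)) else "redirector")
        if flags:
            report.append((url, flags))
    return report


def analyze_message(raw):
    """Decode each text/html part (quoted-printable included) and analyze it."""
    msg = message_from_string(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            report.extend(analyze_html(part.get_content()))
    return report


if __name__ == "__main__":
    for url, flags in analyze_message(SAMPLE):
        print(url, flags)
```

A legitimate newsletter that routes links through its own click tracker will also raise the `redirector` flag, so that flag alone is better used as a weight than as a block rule.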
Re: [Declude.JunkMail] New Phishing Scam
My fault...I scrolled down in the email to click on the link, but evidently the IP address in the HTML link had been removed/corrected...it is still up. I'm on hold... Darin. - Original Message - From: John Tolmachoff (Lists) To: [EMAIL PROTECTED] Sent: Saturday, February 14, 2004 1:28 PM Subject: RE: [Declude.JunkMail] New Phishing Scam Still running from here. Just got off the phone with them and told them very clearly that they are now considered an accessory to the crime. The person I talked too that answered the phone would not let me talk to any one else, he just kept saying that his supervisor has been notified. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 10:14 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Still running from my end. I turned caching off on my machine. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Darin Cox Sent: Saturday, February 14, 2004 10:04 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam Well...I called in to join the fight...but checked the site while I was on hold and it looks like they've finally taken it down...so I hung up. Darin. - Original Message - From: Kevin Bilbee To: [EMAIL PROTECTED] Sent: Saturday, February 14, 2004 12:56 PM Subject: RE: [Declude.JunkMail] New Phishing Scam I just got off the phone with them and they said their manager is working on it. How many people can we get to start calling in about 15 minutes? So, Matt I see you have called multiple times. On my last call they asked if I was Matt or Kevin. Kevin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 9:42 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam I am on the phione with them now. 
I suggest we all call and take up all of their tech support lines until the site is down. I have all day. I reported this to them 24 hours ago then reported it to the list. From my conversation last night with the SS Etask force if they were open they would be giving them a call also. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matt Sent: Saturday, February 14, 2004 9:29 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam The damn site is still up...24 hours later and these people haven't pulled the site. I just called their sales line and asked that they find someone at a higher level to direct this to. It's beyond me how these people can pull up the address in a Web browser and still not get that there is a problem. And for the sake of Internet archiving, let me just state for the benefit of others, A+Net, a.k.a. Abacus America Inc of San Diego, CA, whose Web site is located at aplus.net, has shown themselves incapable of taking appropriate action on one of the most common Internet scams despite numerous reports over a 24 hour period. One can only conclude that this is the typical level of response that they give to all support issues, and one should take note of this before considering their services. Other companies, including ones as large and complex as Akamai, have resolved issues within minutes of being reported, as they clearly understood the immediacy of the issue at hand. Matt Kevin Bilbee wrote: Use Matt's 888-301-2516 number instead. Make them pay for the call I kept them on the phone for 30 minutes. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 12:17 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Yes, I sent to abuse and support as per their tech support. I just got off the phone with them. They are still disinterested in shutting down the site.
I have been doing some research on a place to report these issues and actually have someone care. This is what I found Electronic Crimes Task Force http://www.ectaskforce.org/regional_locations.htm This is the Secret Service of the United States. I just spoke with them and they handle these issues. When calling just ask for the duty officer. Of course they will not be available until Tuesday. So the more people we get to call OrgTechName: A Net Support OrgTechPhone: +1-858-410-6900 OrgTechEmail: [EMAIL PROTECTED] the quicker we can get the site shut down. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Klinge Sent: Friday, February 13, 2004 11:38 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New
Re: [Declude.JunkMail] New Phishing Scam
Kevin Bilbee wrote: So, Matt I see you have called multiple times. On my last call they asked if I was Matt or Kevin. :) I only spoke to their support line once, however I also called their sales line this morning and then got a call back from a higher up after an impassioned and forceful plea. Us New Yorkers know how to apply pressure. The damn site's still up though... Matt -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ = --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] New Phishing Scam #2
This is not accessible from my machine. Good job if Verio already took this site down. The other one is still up. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of nick Sent: Saturday, February 14, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam #2 Below is an email we received - it is an Ebay scam or so it seems. I notified verio just to be on the safe side. It points to: http://198.173.234.225/stats.htm -Nick Hayer
Re: [Declude.JunkMail] New Phishing Scam
I've got someone's personal E-mail address and phone number that supposedly is at a higher level. If he doesn't take action in another 30 minutes, I'll share that info here for others to use instead of waiting on hold with their inept support. Here's a copy of the message that I sent him (as requested). Dave, Below my signature is the source of one of these messages. The originating IP of this one message, 209.189.127.231 is an open relay (zombie) that has been tagged now in numerous blacklists due to the exploit. http://www.dnsstuff.com/tools/ip4r.ch?ip=209.189.127.231 Note that the last hop in the headers is the gateway server of the receiver. These E-mails are typically sent from numerous hijacked computers, so the source is irrelevant to the immediate problem. The IP of the site in question is however hosting on your server. http://216.55.162.5/ This was first reported to your abuse@ address yesterday afternoon, and many of my fellow administrators have tried calling your support number with absolutely no response to the problem. The scam was also reported to the Electronic Crimes Task Force, a division of the FBI (this is incorrect, actually a division of the Secret Service) So far your company's lack of response has undoubtedly caused unnecessary harm to innocent victims. Please take care of the problem immediately so that you can save countless other people from around the world from falling victim to this scam. Also note that I have never before encountered a company that is so unwilling to take action. Most, including companies as large as Akamai, have resolved such problems in a matter of minutes. Your company needs to enact a policy and process for better handling such matters. Matt Matt... Kevin Bilbee wrote: I am on the phione with them now. I suggest we all call and take up all of their tech supoport lines until the site is down. I have all day. I reported this to them 24hours a go then reported it to the list. 
From my conversation last night with the SS Etask force if they were open they would be giving them a call also. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matt Sent: Saturday, February 14, 2004 9:29 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam The damn site is still up...24 hours later and these people haven't pulled the site. I just called their sales line and asked that they find someone at a higher level to direct this to. It's beyond me how these people can pull up the address in a Web browser and still not get that there is a problem. And for the sake of Internet archiving, let me just state for the benefit of others, A+Net, a.k.a. Abacus America Inc of San Diego, CA, who's Web site is located at aplus.net, has shown themselves incapable of taking appropriate action on one of the most common Internet scams despite numerous reports over a 24 hour period. One can only conclude that this is the typical level of response that they give to all support issues, and one should take note of this before considering their services. Other companies, including ones as large and complex as Akamai, have resolved issues within minutes of being reported, as they clearly understood the immediacy of the issue at hand. Matt
Re: [Declude.JunkMail] New Phishing Scam
Here's someone to contact directly. This is the person that I spoke with earlier today, supposedly a manager at their company. Note that the phone number might not be active, it's only what showed up on my caller ID. David Thompson [EMAIL PROTECTED] (858) 450-5034 I would recommend that everyone direct your calls and E-mails to this person instead of their support line. Matt Sanford Whiteman wrote: Still running from my end. I turned caching off on my machine. Still running for me. I am on hold and I'm going to be very, very blunt. Kudos to you guys for escalating this off the list. --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/ --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] New Phishing Scam
Resending... Original Message Here's someone to contact directly. This is the person that I spoke with earlier today, supposedly a manager at their company. Note that the phone number might not be active, it's only what showed up on my caller ID. David Thompson [EMAIL PROTECTED] (858) 450-5034 I would recommend that everyone direct your calls and E-mails to this person instead of their support line. Matt
Re: [Declude.JunkMail] New Phishing Scam
I think it may be time to Slashdot this thing. Anyone with an account that could post it there? These guys need to be taught a lesson. BTW, I tried calling David with that phone number that I gave out and it doesn't take incoming phone calls. The E-mail address though does work. John, they're not party to a crime, however as a civil matter, they could be sued for negligence by either PayPal or someone that was scammed. Matt Kevin Bilbee wrote: They were notified of this issue 24 hours ago. 7.8. Gathering personally identifiable information for unlawful purposes. This is directly from their acceptable use policy. This issue should have been give priority status yesterday morning when they were notified of the illegal activity and violation of their policy. I just called and the CSR I spoke to was surprised that it was still up. This company is irresponsible Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Sanford Whiteman Sent: Saturday, February 14, 2004 11:24 AM To: John Tolmachoff (Lists) Subject: Re[2]: [Declude.JunkMail] New Phishing Scam Just got off the phone with them and told them very clearly that they are now considered an accessory to the crime. The person I talked too that answered the phone would not let me talk to any one else, he just kept saying that his supervisor has been notified. To be fair, the operations guy is unlikely to have the ability to turn anyone off, so let's give it a little while for the manager to "get into the office." --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/ --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. 
Re: [Declude.JunkMail] New Phishing Scam
Or CNET, or anyone else that is in the press, would do quite a bit of damage to the host... - Original Message - From: Matt To: [EMAIL PROTECTED] Sent: Saturday, February 14, 2004 12:14 PM Subject: Re: [Declude.JunkMail] New Phishing Scam I think it may be time to Slashdot this thing. Anyone with an account that could post it there?These guys need to be taught a lesson.BTW, I tried calling David with that phone number that I gave out and it doesn't take incoming phone calls. The E-mail address though does work.John, they're not party to a crime, however as a civil matter, they could be sued for negligence by either PayPal or someone that was scammed.MattKevin Bilbee wrote: They were notified of this issue 24 hours ago. 7.8. Gathering personally identifiable information for unlawful purposes. This is directly from their acceptable use policy. This issue should have been give priority status yesterday morning when they were notified of the illegal activity and violation of their policy. I just called and the CSR I spoke to was surprised that it was still up. This company is irresponsible Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Sanford Whiteman Sent: Saturday, February 14, 2004 11:24 AM To: John Tolmachoff (Lists) Subject: Re[2]: [Declude.JunkMail] New Phishing Scam Just got off the phone with them and told them very clearly that they are now considered an accessory to the crime. The person I talked too that answered the phone would not let me talk to any one else, he just kept saying that his supervisor has been notified. To be fair, the operations guy is unlikely to have the ability to turn anyone off, so let's give it a little while for the manager to "get into the office." --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! 
RE: [Declude.JunkMail] New Phishing Scam
They have knowledge that a crime is taking place using their resources and are not taking steps to stop the use of their resources in the act of that crime, that makes them an accessory to the crime. John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Saturday, February 14, 2004 12:14 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam I think it may be time to Slashdot this thing. Anyone with an account that could post it there? These guys need to be taught a lesson. BTW, I tried calling David with that phone number that I gave out and it doesn't take incoming phone calls. The E-mail address though does work. John, they're not party to a crime, however as a civil matter, they could be sued for negligence by either PayPal or someone that was scammed. Matt Kevin Bilbee wrote: They were notified of this issue 24 hours ago. 7.8. Gathering personally identifiable information for unlawful purposes. This is directly from their acceptable use policy. This issue should have been given priority status yesterday morning when they were notified of the illegal activity and violation of their policy. I just called and the CSR I spoke to was surprised that it was still up. This company is irresponsible Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sanford Whiteman Sent: Saturday, February 14, 2004 11:24 AM To: John Tolmachoff (Lists) Subject: Re[2]: [Declude.JunkMail] New Phishing Scam Just got off the phone with them and told them very clearly that they are now considered an accessory to the crime. The person I talked to that answered the phone would not let me talk to anyone else, he just kept saying that his supervisor has been notified.
To be fair, the operations guy is unlikely to have the ability to turn anyone off, so let's give it a little while for the manager to "get into the office." --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
RE: [Declude.JunkMail] New Phishing Scam
Of course - it could be that law enforcement asked them to MAINTAIN the site so that they can collect evidence. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax: +1 201 934-9206 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Saturday, February 14, 2004 01:04 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam Well...I called in to join the fight...but checked the site while I was on hold and it looks like they've finally taken it down...so I hung up. Darin. - Original Message - From: Kevin Bilbee To: [EMAIL PROTECTED] Sent: Saturday, February 14, 2004 12:56 PM Subject: RE: [Declude.JunkMail] New Phishing Scam I just got off the phone with them and they said their manager is working on it. How many people can we get to start calling in about 15 minutes? So, Matt I see you have called multiple times. On my last call they asked if I was Matt or Kevin. Kevin -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 9:42 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam I am on the phone with them now. I suggest we all call and take up all of their tech support lines until the site is down. I have all day. I reported this to them 24 hours ago then reported it to the list. From my conversation last night with the SS Etask force if they were open they would be giving them a call also. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Saturday, February 14, 2004 9:29 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam The damn site is still up...24 hours later and these people haven't pulled the site. I just called their sales line and asked that they find someone at a higher level to direct this to.
It's beyond me how these people can pull up the address in a Web browser and still not get that there is a problem. And for the sake of Internet archiving, let me just state for the benefit of others, A+Net, a.k.a. Abacus America Inc of San Diego, CA, whose Web site is located at aplus.net, has shown themselves incapable of taking appropriate action on one of the most common Internet scams despite numerous reports over a 24 hour period. One can only conclude that this is the typical level of response that they give to all support issues, and one should take note of this before considering their services. Other companies, including ones as large and complex as Akamai, have resolved issues within minutes of being reported, as they clearly understood the immediacy of the issue at hand. Matt Kevin Bilbee wrote: Use Matt's 888-301-2516 number instead. Make them pay for the call I kept them on the phone for 30 minutes. Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 12:17 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Yes, I sent to abuse and support as per their tech support. I just got off the phone with them. They are still disinterested in shutting down the site. I have been doing some research on a place to report these issues and actually have someone care. This is what I found Electronic Crimes Task Force http://www.ectaskforce.org/regional_locations.htm This is the Secret Service of the United States. I just spoke with them and they handle these issues. When calling just ask for the duty officer. Of course they will not be available until Tuesday. So the more people we get to call OrgTechName: A Net Support OrgTechPhone: +1-858-410-6900 OrgTechEmail: [EMAIL PROTECTED] the quicker we can get the site shut down.
Kevin Bilbee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rick Klinge Sent: Friday, February 13, 2004 11:38 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam Pretty wild for sure.. Anyone send it to [EMAIL PROTECTED] ? ~Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Saturday, February 14, 2004 1:09 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam I can't believe that this site hasn't been pulled yet. I called the company just now and showed them the site. Phone calls typically get a faster response. We'll see. Matt Colbeck, Andrew wrote: Very convincing; in the HTML view of the message Kevin sent, you can see the IP address
RE: [Declude.JunkMail] New Phishing Scam
I thought about that earlier too.. But then I soon realized.. They are not that swift. ~Rick

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Schmidt Sent: Saturday, February 14, 2004 7:00 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam

Of course - it could be that law enforcement asked them to MAINTAIN the site so that they can collect evidence. Best Regards Andy Schmidt Phone: +1 201 934-3414 x20 (Business) Fax:+1 201 934-9206

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Saturday, February 14, 2004 01:04 PM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam

Well...I called in to join the fight...but checked the site while I was on hold and it looks like they've finally taken it down...so I hung up. Darin.

- Original Message - From: Kevin Bilbee To: [EMAIL PROTECTED] Sent: Saturday, February 14, 2004 12:56 PM Subject: RE: [Declude.JunkMail] New Phishing Scam

I just got off the phone with them and they said their manager is working on it. How many people can we get to start calling in about 15 minutes? So, Matt I see you have called multiple times. On my last call they asked if I was Matt or Kevin. Kevin

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 9:42 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam

I am on the phone with them now. I suggest we all call and take up all of their tech support lines until the site is down. I have all day. I reported this to them 24 hours ago then reported it to the list. From my conversation last night with the SS Etask force if they were open they would be giving them a call also. Kevin Bilbee

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matt Sent: Saturday, February 14, 2004 9:29 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam

The damn site is still up...24 hours later and these people haven't pulled the site. I just called their sales line and asked that they find someone at a higher level to direct this to. It's beyond me how these people can pull up the address in a Web browser and still not get that there is a problem. And for the sake of Internet archiving, let me just state for the benefit of others, A+Net, a.k.a. Abacus America Inc of San Diego, CA, whose Web site is located at aplus.net, has shown themselves incapable of taking appropriate action on one of the most common Internet scams despite numerous reports over a 24 hour period. One can only conclude that this is the typical level of response that they give to all support issues, and one should take note of this before considering their services. Other companies, including ones as large and complex as Akamai, have resolved issues within minutes of being reported, as they clearly understood the immediacy of the issue at hand. Matt

Kevin Bilbee wrote: Use Matt's 888-301-2516 number instead. Make them pay for the call. I kept them on the phone for 30 minutes. Kevin Bilbee

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Bilbee Sent: Saturday, February 14, 2004 12:17 AM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam

Yes, I sent to abuse and support as per their tech support. I just got off the phone with them. They are still disinterested in shutting down the site. I have been doing some research on a place to report these issues and actually have someone care. This is what I found: Electronic Crimes Task Force http://www.ectaskforce.org/regional_locations.htm This is the Secret Service of the United States. I just spoke with them and they handle these issues. When calling just ask for the duty officer. Of course they will not be available until Tuesday. So the more people we get to call OrgTechName: A Net Support OrgTechPhone: +1-858-410-6900 OrgTechEmail: [EMAIL PROTECTED] the quicker we can get the site shut down. Kevin Bilbee

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Klinge Sent: Friday, February 13, 2004 11:38 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] New Phishing Scam

Pretty wild for sure.. Anyone send it to [EMAIL PROTECTED] ? ~Rick

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Saturday, February 14, 2004 1:09 AM To: [EMAIL PROTECTED] Subject: Re: [Declude.JunkMail] New Phishing Scam

I can't believe that this site hasn't been pulled yet. I called the company just now and showed them the site. Phone calls typically get a faster response. We'll see. Matt

Colbeck, Andrew wrote: Very convincing; in the HTML view of the message Kevin sent, you can see the IP address of the real destination
RE: [Declude.JunkMail] New Phishing Scam
The site is finally non-responsive. Kevin Bilbee
RE: [Declude.JunkMail] New Phishing Scam
Kevin: Could you please send the Header and the actual page- so we can see the code.. if we are to filter it we have to see the code.. where the URL is pointing, etc. Regards, Kami

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Friday, February 13, 2004 5:55 PM To: JunkMail Declude Subject: [Declude.JunkMail] New Phishing Scam

Here is a new phishing scam. I reported it to the hosting company and [EMAIL PROTECTED] The website is still live. Kevin Bilbee

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, February 13, 2004 2:38 PM To: [EMAIL PROTECTED] Subject: [ SPAM 9 ]Account verification.

Dear PayPal user, As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts. You are requested to visit our site by following the link given below. http://www.paypal.com/verification/%?6488820019=20 Please fill in the required information. This is required for us to continue to offer you a safe and risk free environment to send and receive money online, and maintain the PayPal Experience. Thank you. Accounts Management As outlined in our User Agreement, PayPal will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions. Copyright 2003 PayPal. All Rights Reserved. Designated trademarks and brands are the property of their respective owners.
RE: [Declude.JunkMail] New Phishing Scam
Here is the header and source information. Kevin

Received: from ns1.ssc-isp.net [12.9.25.242] by standardabrasives.com (SMTPD32-8.05) id A6F11B600C2; Fri, 13 Feb 2004 15:00:01 -0800
Received: from smtp1.nix.paypal.com ([64.4.240.74]) by ns1.ssc-isp.net (SAVSMTP 3.1.3.37) with SMTP id M2004021314523504871 for [EMAIL PROTECTED]; Fri, 13 Feb 2004 14:52:35 -0800
Received: from oma-krapp02.corp.ebay.com (oma-krapp02.corp.ebay.com [10.248.50.2]) by smtp1.nix.paypal.com (Postfix) with SMTP id 9672D3F7D2 for [EMAIL PROTECTED]; Fri, 13 Feb 2004 14:48:17 -0800 (PST)
Precedence: bulk
Auto-Submitted: auto-replied
Date: Fri, 13 Feb 2004 16:55:20 -0600
To: Kevin Bilbee [EMAIL PROTECTED]
Subject: AutoResponse - Email Returned SAXK (KMM42611038V12917L0KM)
From: PayPal Customer Service 2 [EMAIL PROTECTED]
Reply-To: PayPal Customer Service 2 [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset = us-ascii
Content-Transfer-Encoding: quoted-printable
X-Mailer: KANA Response 7.01.102
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: AHBLEXEMPT: Paypal
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [64.4.240.74]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: AHBLEXEMPT, BONDEDSENDER, NOABUSE [-18]
X-Note: This E-mail was sent from smtp1.nix.paypal.com ([64.4.240.74]).
X-RemoteIp: [64.4.240.74]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 373607793

Dear PayPal user,br As part of our continuing commitment to protect your account brand to reduce the instance of fraud on our website, we are undertaking a brperiod review of our member accounts.p You are requested to visit our site by following the link given below.br a href=http://216.55.162.5/; http://www.paypal.com/verification/%?6488820019=20/ap Please fill in the required information. This is required for us to continue to offer bryou a safe and risk free environment to send and receive money online, brand maintain the PayPal Experience.br Thank you.p Accounts Management As outlined in our User Agreement, PayPal will periodically brsend you information about site changes and enhancements. brVisit our Privacy Policy and User Agreement if you have any questions. pCopyright 2003 PayPal.br All Rights Reserved. Designated trademarks and brands are the property of their respective owners./html

--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] New Phishing Scam
This is strange Kevin... http://www.senderbase.org/search?searchString=64.4.240.74 That is a PayPal IP address.. It is also coming from a PayPal reverse dns.. Am I not seeing this right? Regards, Kami
Re: [Declude.JunkMail] New Phishing Scam
Here is a new phishing scam... These look like great targets for a SpamAssassin RegEx or even an IMail rule--a dotted-decimal href followed by an oft-phished domain in the anchor text. I don't think the headers would be what I'd target. But that's just me... --Sandy Sanford Whiteman, Chief Technologist Broadleaf Systems, a division of Cypress Integrated Systems, Inc. e-mail: [EMAIL PROTECTED] SpamAssassin plugs into Declude! http://www.mailmage.com/download/software/freeutils/SPAMC32/Release/
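An added example, not part of the thread and not a SpamAssassin or IMail rule: the check Sandy describes (a dotted-decimal href behind anchor text that shows an oft-phished domain), written in Python and extended to flag any anchor whose visible host differs from its real destination. The watchlist, the function names and the sample markup are assumptions; the sample anchor is rebuilt from the message source quoted in the thread.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a short watchlist of often-impersonated domains (not from the thread).
WATCHED_DOMAINS = ("paypal.com", "ebay.com")

# A host name inside the visible link text, with or without a scheme.
_TEXT_HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample: the anchor from the quoted message source, with the
# markup that the list archive stripped put back.
PHISH_HTML = (
    "<p>You are requested to visit our site by following the link given below.<br>"
    '<a href="http://216.55.162.5/">'
    "http://www.paypal.com/verification/%?6488820019=20</a></p>"
)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def flush(self):
        if self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.flush()  # tolerate an earlier anchor that was never closed
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            self.flush()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _in_watchlist(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def _same_site(a, b):
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def score_links(html):
    """Return (rule, href_host, text_host) for each deceptive-looking anchor."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    parser.flush()
    findings = []
    for href, text in parser.anchors:
        try:
            href_host = (urlsplit(href).hostname or "").lower()
        except ValueError:
            continue  # malformed URL: nothing reliable to compare
        match = _TEXT_HOST.search(text)
        if not href_host or not match:
            continue  # no destination, or the text shows no host name
        text_host = match.group(1).lower()
        if _is_ip(href_host) and _in_watchlist(text_host):
            findings.append(("ip-href-watched-brand", href_host, text_host))
        elif not _same_site(href_host, text_host):
            findings.append(("text-host-mismatch", href_host, text_host))
    return findings


if __name__ == "__main__":
    for finding in score_links(PHISH_HTML):
        print(finding)
```

A body-level rule of this kind looks only at the HTML part, which matches Sandy's point that the headers are not the thing to target.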
RE: [Declude.JunkMail] New Phishing Scam
Ok so I have no brain today. Here are the real headers.

Received: from ns1.ssc-isp.net [12.9.25.242] by standardabrasives.com (SMTPD32-8.05) id A30018300C2; Fri, 13 Feb 2004 14:43:12 -0800
Received: from iebee.com ([209.189.127.231]) by ns1.ssc-isp.net (SAVSMTP 3.1.3.37) with SMTP id M2004021314350204848 for [EMAIL PROTECTED]; Fri, 13 Feb 2004 14:35:46 -0800
Received: from paypal.com [209.25.171.42] by iebee.com with ESMTP (SMTPD32-7.10) id A1A525000164; Fri, 13 Feb 2004 14:37:25 -0800
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Subject: [ SPAM 9 ]Account verification.
Content-Type: text/html; charset=ISO-8859-1
Message-Id: [EMAIL PROTECTED]
Date: Fri, 13 Feb 2004 14:38:25 -0800
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-RBL-Warning: REVDNS: This E-mail was sent from a MUA/MTA 209.189.127.231 with no reverse DNS entry.
X-Declude-Sender: [EMAIL PROTECTED] [209.189.127.231]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: NOABUSE, IPNOTINMX, REVDNS, SPAM-LOW [9]
X-Note: This E-mail was sent from [No Reverse DNS] ([209.189.127.231]).
X-RemoteIp: [209.189.127.231]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 373607791
RE: [Declude.JunkMail] New Phishing Scam
It is a scam. I went to the IP address in IE. I clicked on log in with no user name or password and went to screen to input info like CC number. Left all blank, and submit and it said thank you. Key is it is a IP address in the URL and not a SSL site. John Tolmachoff Engineer/Consultant/Owner eServices For You
RE: [Declude.JunkMail] New Phishing Scam
Very convincing; in the HTML view of the message Kevin sent, you can see the IP address of the real destination, which is of course not PayPal. The website there uses all of PayPal's actual images and HTTPS links and forms to provide the user experience except the sucker enters their username and password into a form on the bogus site, which then sends the data to PayPal. Andrew ;) p.s. When I discover these, I report them to [EMAIL PROTECTED]; they want the message forwarded to them, not as an attachment. So if you do that, make sure that you paste in the full headers.
RE: [Declude.JunkMail] New Phishing Scam
Thank you for the paypal email address. I refuse to use their abuse form. They need to accept all emails to [EMAIL PROTECTED] and not redirect you to use their form. Kevin Bilbee
Re: [Declude.JunkMail] New Phishing Scam
I can't believe that this site hasn't been pulled yet. I called the company just now and showed them the site. Phone calls typically get a faster response. We'll see. Matt -- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] New Phishing Scam
I saw your correction and it appears that you are bypassing a gateway server which threw me off. Still though, the same advice applies. Credit to Andrew for this work around as well. Matt

Matt wrote: Kevin, Two very important things here. The scammers are using BONDEDSENDER IPs, forged in the headers, in order to fool your system into passing this. You are clearly scanning on multiple hops, and any whitelist RBL that you are using needs to be limited to the last hop only, i.e. BONDEDSENDER(DYNA) AHBLEXEMPT(DYNA) The naming convention will cause Declude to skip all but the last hop so that this won't happen. I've seen this before. Scott, it might be nice to add a column to the definitions of these tests so that we can specify how many hops they will work on instead of relying on a naming convention. It also would be nice in some cases to have a way to define what hop to start scanning on, in the event that you want to score hits on the last hop, and hits on previous hops differently...maybe another column. Another note to Kevin...I dumped AHBLEXEMPT fairly quickly because they have a good number of ISP mail servers listed, and as things stand, there is an increasing amount of spam that is being forwarded through such mail servers from zombies, which are challenging enough to detect without giving them extra credit. There are of course issues with BONDEDSENDER as well, but I won't rehash this except to say that you should review your scoring of them at a minimum. Matt

-- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] New Phishing Scam
Kevin,

Two very important things here. The scammers are using BONDEDSENDER IPs, forged in the headers, in order to fool your system into passing this. You are clearly scanning on multiple hops, and any whitelist RBL that you are using needs to be limited to the last hop only, i.e.

BONDEDSENDER(DYNA)
AHBLEXEMPT(DYNA)

The naming convention will cause Declude to skip all but the last hop so that this won't happen. I've seen this before.

Scott, it might be nice to add a column to the definitions of these tests so that we can specify how many hops they will work on instead of relying on a naming convention. It also would be nice in some cases to have a way to define what hop to start scanning on, in the event that you want to score hits on the last hop, and hits on previous hops differently...maybe another column.

Another note to Kevin...I dumped AHBLEXEMPT fairly quickly because they have a good number of ISP mail servers listed, and as things stand, there is an increasing amount of spam that is being forwarded through such mail servers from zombies, which are challenging enough to detect without giving them extra credit. There are of course issues with BONDEDSENDER as well, but I won't rehash this except to say that you should review your scoring of them at a minimum.

Matt

Kevin Bilbee wrote:

Here is the header and source information.

Kevin

Received: from ns1.ssc-isp.net [12.9.25.242] by standardabrasives.com (SMTPD32-8.05) id A6F11B600C2; Fri, 13 Feb 2004 15:00:01 -0800
Received: from smtp1.nix.paypal.com ([64.4.240.74]) by ns1.ssc-isp.net (SAVSMTP 3.1.3.37) with SMTP id M2004021314523504871 for [EMAIL PROTECTED]; Fri, 13 Feb 2004 14:52:35 -0800
Received: from oma-krapp02.corp.ebay.com (oma-krapp02.corp.ebay.com [10.248.50.2]) by smtp1.nix.paypal.com (Postfix) with SMTP id 9672D3F7D2 for [EMAIL PROTECTED]; Fri, 13 Feb 2004 14:48:17 -0800 (PST)
Precedence: bulk
Auto-Submitted: auto-replied
Date: Fri, 13 Feb 2004 16:55:20 -0600
To: Kevin Bilbee [EMAIL PROTECTED]
Subject: AutoResponse - Email Returned SAXK (KMM42611038V12917L0KM)
From: PayPal Customer Service 2 [EMAIL PROTECTED]
Reply-To: PayPal Customer Service 2 [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset = us-ascii
Content-Transfer-Encoding: quoted-printable
X-Mailer: KANA Response 7.01.102
Message-Id: [EMAIL PROTECTED]
X-RBL-Warning: AHBLEXEMPT: Paypal
X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
X-Declude-Sender: [EMAIL PROTECTED] [64.4.240.74]
X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
X-Spam-Tests-Failed: AHBLEXEMPT, BONDEDSENDER, NOABUSE [-18]
X-Note: This E-mail was sent from smtp1.nix.paypal.com ([64.4.240.74]).
X-RemoteIp: [64.4.240.74]
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 373607793

Dear PayPal user,br As part of our continuing commitment to protect your account brand to reduce the instance of fraud on our website, we are undertaking a brperiod review of our member accounts.p You are requested to visit our site by following the link given below.br a href=http://216.55.162.5/; http://www.paypal.com/verification/%?6488820019=20/ap Please fill in the required information. This is required for us to continue to offer bryou a safe and risk free environment to send and receive money online, brand maintain the PayPal Experience.br Thank you.p Accounts Management As outlined in our User Agreement, PayPal will periodically brsend you information about site changes and enhancements. brVisit our Privacy Policy and User Agreement if you have any questions. pCopyright 2003 PayPal.br All Rights Reserved. Designated trademarks and brands are the property of their respective owners./html

-- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
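Added example, not part of the thread and not Declude's own code: why whitelist credit should be limited to the last hop. Only the top Received line is written by the receiving server; the lines below it arrive with the message and can name any address. Host names, addresses, the allow list and the weights are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample. The top Received line was added by our own server;
# the second one came with the message and names an allow-listed address.
RAW = """\
Received: from mail.sender.example [203.0.113.45] by mx.local.example; Fri, 13 Feb 2004 15:00:01 -0800
Received: from smtp.trusted.example ([198.51.100.10]) by mail.sender.example; Fri, 13 Feb 2004 14:52:35 -0800
Subject: Account verification

body
"""

ALLOW_LIST = {"198.51.100.10"}  # hypothetical stand-in for a whitelist RBL lookup
ALLOW_WEIGHT = -10              # hypothetical credit for an allow-list hit
BASE_WEIGHT = 12                # hypothetical weight from the other failed tests
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hops(raw):
    """Return the source IP of each Received header, last hop first."""
    msg = message_from_string(raw)
    found = []
    for value in msg.get_all("Received", []):
        from_clause = value.split(" by ", 1)[0]  # ignore the receiving side
        match = IP_RE.search(from_clause)
        if match:
            found.append(match.group(1))
    return found


def score(raw, last_hop_only):
    """Total weight, with allow-list credit from one hop or from every hop."""
    ips = hops(raw)
    checked = ips[:1] if last_hop_only else ips
    credit = ALLOW_WEIGHT if any(ip in ALLOW_LIST for ip in checked) else 0
    return BASE_WEIGHT + credit


if __name__ == "__main__":
    print("all hops :", score(RAW, last_hop_only=False))
    print("last hop :", score(RAW, last_hop_only=True))
```

Scanning every hop lets the sender-supplied line earn the credit; checking only the last hop leaves the weight untouched.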
RE: [Declude.JunkMail] New Phishing Scam
Pretty wild for sure.. Anyone send it to [EMAIL PROTECTED] ?

~Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Saturday, February 14, 2004 1:09 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New Phishing Scam

I can't believe that this site hasn't been pulled yet. I called the company just now and showed them the site. Phone calls typically get a faster response. We'll see.

Matt

Colbeck, Andrew wrote:

Very convincing; in the HTML view of the message Kevin sent, you can see the IP address of the real destination, which is of course not PayPal. The website there uses all of PayPal's actual images and HTTPS links and forms to provide the user experience except the sucker enters their username and password into a form on the bogus site, which then sends the data to PayPal.

Andrew ;)

p.s. When I discover these, I report them to [EMAIL PROTECTED]; they want the message forwarded to them, not as an attachment. So if you do that, make sure that you paste in the full headers.

-Original Message-
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
Sent: Friday, February 13, 2004 2:55 PM
To: JunkMail Declude
Subject: [Declude.JunkMail] New Phishing Scam

Here is a new phishing scam. I reported it to the hosting company and [EMAIL PROTECTED] The website is still live.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, February 13, 2004 2:38 PM
To: [EMAIL PROTECTED]
Subject: [ SPAM 9 ]Account verification.

Dear PayPal user,

As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts. You are requested to visit our site by following the link given below.

http://www.paypal.com/verification/%?6488820019=20

Please fill in the required information. This is required for us to continue to offer you a safe and risk free environment to send and receive money online, and maintain the PayPal Experience. Thank you.

Accounts Management

As outlined in our User Agreement, PayPal will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions. Copyright 2003 PayPal. All Rights Reserved. Designated trademarks and brands are the property of their respective owners.

___ Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.
Re: [Declude.JunkMail] New Phishing Scam
I believe Kevin said that he did something like that when he posted it. It's been 30 minutes since I called and they still haven't managed to take the site down. Maybe others might want to give their 24 hour support line a call at 888-301-2516.

Matt

Rick Klinge wrote:

Pretty wild for sure.. Anyone send it to [EMAIL PROTECTED] ?

~Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Saturday, February 14, 2004 1:09 AM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] New Phishing Scam

I can't believe that this site hasn't been pulled yet. I called the company just now and showed them the site. Phone calls typically get a faster response. We'll see.

Matt

Colbeck, Andrew wrote:

Very convincing; in the HTML view of the message Kevin sent, you can see the IP address of the real destination, which is of course not PayPal. The website there uses all of PayPal's actual images and HTTPS links and forms to provide the user experience except the sucker enters their username and password into a form on the bogus site, which then sends the data to PayPal.

Andrew ;)

p.s. When I discover these, I report them to [EMAIL PROTECTED]; they want the message forwarded to them, not as an attachment. So if you do that, make sure that you paste in the full headers.

-Original Message-
From: Kevin Bilbee [mailto:[EMAIL PROTECTED]
Sent: Friday, February 13, 2004 2:55 PM
To: JunkMail Declude
Subject: [Declude.JunkMail] New Phishing Scam

Here is a new phishing scam. I reported it to the hosting company and [EMAIL PROTECTED] The website is still live.

Kevin Bilbee

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, February 13, 2004 2:38 PM
To: [EMAIL PROTECTED]
Subject: [ SPAM 9 ]Account verification.

Dear PayPal user,

As part of our continuing commitment to protect your account and to reduce the instance of fraud on our website, we are undertaking a period review of our member accounts. You are requested to visit our site by following the link given below.

http://www.paypal.com/verification/%?6488820019=20

Please fill in the required information. This is required for us to continue to offer you a safe and risk free environment to send and receive money online, and maintain the PayPal Experience. Thank you.

Accounts Management

As outlined in our User Agreement, PayPal will periodically send you information about site changes and enhancements. Visit our Privacy Policy and User Agreement if you have any questions. Copyright 2003 PayPal. All Rights Reserved. Designated trademarks and brands are the property of their respective owners.

___ Virus Scanned and Filtered by http://www.FamHost.com E-Mail System.

-- = MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
Re: [Declude.JunkMail] New phishing..
Kami,

I noticed that the [EMAIL PROTECTED] filter got tripped without the @LINKED filter. Please download a more recent copy from my site. This obviously shouldn't be happening.

Matt

Kami Razvan wrote:

Hi;

We just got the following: - a Phishing attempt. Actually quite interesting.. I clicked on the link to see where it goes. It goes to the actual Visa site but a small window pops up and asks for your visa and various other info for verification. If only they could use their talents elsewhere..

=

Received: from 81.15.163.193 [81.15.163.193] by foroosh.com (SMTPD32-8.04) id A74D28C01E2; Fri, 05 Dec 2003 14:06:53 -0500
Date: Fri, 05 Dec 2003 22:15:45 -0500
From: Visa International Service [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Reply-To: Visa International Service [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Organization: Visa International Service
X-Priority: 3 (Normal)
To: mailto:[EMAIL PROTECTED]
Subject: [53~]Visa Security Update
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
X-IMAIL-SPAM-DNSBL: (SPAMCOP,42729954,127.0.0.2)
X-IMAIL-SPAM-VALHELO: (42729954)
X-IMAIL-SPAM-VALFROM: (42729954)
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8004000f].
X-RBL-Warning: HELOBOGUS: Domain 81.15.163.193 has no MX or A records.
X-RBL-Warning: IPNOTINMX:
X-RBL-Warning: COUNTRY: Message failed COUNTRY test (line 172, weight 1)
X-RBL-Warning: FILTER-HEADER-XMAIL: Message failed FILTER-HEADER-XMAIL test (line 46, weight 35)
X-RBL-Warning: FILTER-MAILFROM: Message failed FILTER-MAILFROM test (line 49, weight 5)
X-RBL-Warning: FILTER-SPAM-HTML: Message failed FILTER-SPAM-HTML test (line 146, weight 10)
X-RBL-Warning: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]: Message failed [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] test (line 385, weight 0)
X-Declude-Sender: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] [81.15.163.193]
X-Declude-Spoolname: Dd74d028c01e2d4e2.SMD
X-Note: This E-mail was scanned filtered by Declude [1.77] for SPAM virus.
X-Weight: 53
X-Note: Sent from Reverse DNS: 163-193.promontel.net.pl
X-Hello: 81.15.163.193
X-Spam-Tests-Failed: BADHEADERS, HELOBOGUS, IPNOTINMX, COUNTRY, FILTER-HEADER-XMAIL, FILTER-MAILFROM, FILTER-SPAM-HTML, [EMAIL PROTECTED] mailto:[EMAIL PROTECTED], WEIGHT20s, WEIGHT20r
X-Note: Recipient(s): xx
X-Country-Chain: POLAND-destination
X-RCPT-TO: mailto:[EMAIL PROTECTED]
Status: U
X-UIDL: 331472220