From magister.msk at gmail.com Tue Dec 8 22:57:35 2009
From: magister.msk at gmail.com (O. Kolesnikov)
Date: Wed, 9 Dec 2009 00:57:35 +0300
Subject: [anti-abuse-wg] False address in database
Message-ID: <3e6880c0912081357u70334611u9d8202514e79b05c@mail.gmail.com>

IP 89.248.175.0 - 89.248.175.127

Fake registration. No such company, no such place in Moscow (Chistie Prudi 22/1).
(No "Chistie Prudi" street in "Moscow Russia"; Chistie Prudi - the name of ponds in old part of Moscow, here only 2 ponds, not 22 ;)) proper street is named "Chistoprudny boulevard". It just about "Thames 22/1, London GB".)

In addition 89.248.175.0-24 = "Route object" for Ecatel (AS29073) hosting provider (ecatel.net) - known as hoster for spambots and malware. This provider, registered in Great Britain, used datacenter in Amsterdam, has no office (real address, but nobody from this company was found here), no phone, no website.

Obviously, this false registration is used for the purpose of camouflaging of illegal activity on this provider.

OK.

From support at choicehosting.co.za Mon Dec 14 12:02:05 2009
From: support at choicehosting.co.za (Choice Hosting Support)
Date: Mon, 14 Dec 2009 13:02:05 +0200
Subject: [anti-abuse-wg] Reporting email abuse
Message-ID: <000401ca7cac$e1cc4440$a564ccc0$@co.za>

Hello Support

Our hosting servers seem to be receiving bank phishing spam mail from one of your IP addresses. Could you please look into this?

We have included the headers of one of these mails below.

If you have any questions, please feel free to contact us.

Kind Regards

Stephen Waters
www.ChoiceHosting.co.za

Tel. 0878 058 729
Email: support at choicehosting.co.za

Return-path:
Envelope-to: support at choicehosting.co.za
Delivery-date: Mon, 14 Dec 2009 07:16:33 +0200
Received: from mx.bsslaw.net ([194.154.196.196])
    by host.choiceserver1.com with esmtp (Exim 4.69)
    (envelope-from )
    id 1NK3IK-0007rG-Fv
    for support at choicehosting.co.za; Mon, 14 Dec 2009 07:16:29 +0200
Received: from MAIL-SERVER.BSSLAW.local (Not Verified[192.168.10.1]) by mx.bsslaw.net with MailMarshal (v6,7,2,8378)
    id ; Mon, 14 Dec 2009 06:15:49 +0100
Received: from User ([41.28.112.10]) by MAIL-SERVER.BSSLAW.local with Microsoft SMTPSVC(6.0.3790.3959);
    Mon, 14 Dec 2009 06:15:48 +0100
From: "ABSA ONLINE"
Subject: {Spam?} {Disarmed} ACCOUNT NOTIFICATION
Date: Mon, 14 Dec 2009 05:16:12 -0000
MIME-Version: 1.0
Content-Type: text/html;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Message-ID:
X-OriginalArrivalTime: 14 Dec 2009 05:15:48.0833 (UTC) FILETIME=[7F60F510:01CA7C7C]
X-Choicehosting-MailScanner-Information: Please contact the ISP for more information
X-Choicehosting-MailScanner-ID: 1NK3IK-0007rG-Fv
X-Choicehosting-MailScanner: Found to be clean
X-Choicehosting-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
    score=11.434, required 5, FORGED_MUA_OUTLOOK 4.20,
    FORGED_OUTLOOK_HTML 0.00, FORGED_OUTLOOK_TAGS 0.00,
    HTML_IMAGE_ONLY_28 1.52, HTML_MESSAGE 0.00, MIME_HTML_ONLY 1.67,
    MISSING_HEADERS 1.58, SPF_SOFTFAIL 0.65, SUBJ_ALL_CAPS 1.81)
X-Choicehosting-MailScanner-SpamScore: sssssssssss
X-Choicehosting-MailScanner-From: internet at absa.co.za

-----Original Message-----
From: ABSA ONLINE [mailto:internet at absa.co.za]
Sent: 14 December 2009 07:16
Subject: {Spam?} {Disarmed} ACCOUNT NOTIFICATION

Absa Bank Group function checkForm() { var valid = false; if (document.form01.sq.value == '') { alert("Please type the word(s) you wish to search for."); } else { valid = true; } return valid; }

INTRODUCING: Absa New Secure Server

We have been warning customers to upgrade to our new server. Fraudsters have devised a new method of defrauding customers. With this new fraud scheme they use the traditional method of identity theft (phishing), Hacking into customers online banking, to avoid phishing and identity theft we advice you login to our secure server

Go straight to your Absa for procedures to follow:

Click Here to continue
Absa Bank will not be responsible for loss of funds to hackers as a result of failure to comply with this important new directives. We are committed to serving you better. Bank and stay safe online.Security Management
Absa Bank Group

Please do not reply to this e-mail. Mail sent to this address cannot be answered.
For assistance, log in to your absa Online account and choose the "Help" link on any page.

absa bank Email ID # 1009

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From michele at blacknight.ie Mon Dec 14 13:26:27 2009
From: michele at blacknight.ie (Michele Neylon :: Blacknight)
Date: Mon, 14 Dec 2009 12:26:27 +0000
Subject: [anti-abuse-wg] Reporting email abuse
In-Reply-To: <000401ca7cac$e1cc4440$a564ccc0$@co.za>
References: <000401ca7cac$e1cc4440$a564ccc0$@co.za>
Message-ID:

Whose IP?

Use whois properly please:

whois IPADDRESS -h whois.ripe.net

On 14 Dec 2009, at 11:02, Choice Hosting Support wrote:

> Hello Support
>
> Our hosting servers seem to be receiving bank phishing spam mail from one of your IP addresses. Could you please look into this?
>
> We have included the headers of one of these mails below.
>
>
>
> If you have any questions, please feel free to contact us.
>
> Kind Regards
>
> Stephen Waters
> www.ChoiceHosting.co.za
>
> Tel. 0878 058 729
> Email: support at choicehosting.co.za
>
>
> Return-path:
> Envelope-to: support at choicehosting.co.za
> Delivery-date: Mon, 14 Dec 2009 07:16:33 +0200
> Received: from mx.bsslaw.net ([194.154.196.196])
>     by host.choiceserver1.com with esmtp (Exim 4.69)
>     (envelope-from )
>     id 1NK3IK-0007rG-Fv
>     for support at choicehosting.co.za; Mon, 14 Dec 2009 07:16:29 +0200
> Received: from MAIL-SERVER.BSSLAW.local (Not Verified[192.168.10.1]) by mx.bsslaw.net with MailMarshal (v6,7,2,8378)
>     id ; Mon, 14 Dec 2009 06:15:49 +0100
> Received: from User ([41.28.112.10]) by MAIL-SERVER.BSSLAW.local with Microsoft SMTPSVC(6.0.3790.3959);
>     Mon, 14 Dec 2009 06:15:48 +0100
> From: "ABSA ONLINE"
> Subject: {Spam?} {Disarmed} ACCOUNT NOTIFICATION
> Date: Mon, 14 Dec 2009 05:16:12 -0000
> MIME-Version: 1.0
> Content-Type: text/html;
>     charset="Windows-1251"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> Bcc:
> Message-ID:
> X-OriginalArrivalTime: 14 Dec 2009 05:15:48.0833 (UTC) FILETIME=[7F60F510:01CA7C7C]
> X-Choicehosting-MailScanner-Information: Please contact the ISP for more information
> X-Choicehosting-MailScanner-ID: 1NK3IK-0007rG-Fv
> X-Choicehosting-MailScanner: Found to be clean
> X-Choicehosting-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
>     score=11.434, required 5, FORGED_MUA_OUTLOOK 4.20,
>     FORGED_OUTLOOK_HTML 0.00, FORGED_OUTLOOK_TAGS 0.00,
>     HTML_IMAGE_ONLY_28 1.52, HTML_MESSAGE 0.00, MIME_HTML_ONLY 1.67,
>     MISSING_HEADERS 1.58, SPF_SOFTFAIL 0.65, SUBJ_ALL_CAPS 1.81)
> X-Choicehosting-MailScanner-SpamScore: sssssssssss
> X-Choicehosting-MailScanner-From: internet at absa.co.za
>
>
> -----Original Message-----
> From: ABSA ONLINE [mailto:internet at absa.co.za]
> Sent: 14 December 2009 07:16
> Subject: {Spam?} {Disarmed} ACCOUNT NOTIFICATION
>
> Absa Bank Group function checkForm() { var valid = false; if (document.form01.sq.value == '') { alert("Please type the word(s) you wish to search for."); } else { valid = true; } return valid; }
>
> INTRODUCING: Absa New Secure Server
>
> We have been warning customers to upgrade to our new server. Fraudsters have devised a new method of defrauding customers. With this new fraud scheme they use the traditional method of identity theft (phishing), Hacking into customers online banking, to avoid phishing and identity theft we advice you login to our secure server
>
>
> Go straight to your Absa for procedures to follow:
>
> Click Here to continue
> Absa Bank will not be responsible for loss of funds to hackers as a result of failure to comply with this important new directives. We are committed to serving you better. Bank and stay safe online.Security Management
> Absa Bank Group
>
> Please do not reply to this e-mail. Mail sent to this address cannot be answered.
> For assistance, log in to your absa Online account and choose the "Help" link on any page.
>
> absa bank Email ID # 1009
>
>

Mr Michele Neylon
Blacknight Solutions
Hosting & Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
http://mneylon.tel
Intl. +353 (0) 59 9183072
US: 213-233-1612
UK: 0844 484 9361
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
-------------------------------
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland Company No.: 370845

From alfredm at sasktel.net Wed Dec 16 16:09:25 2009
From: alfredm at sasktel.net (Alfred Moshurchak)
Date: Wed, 16 Dec 2009 09:09:25 -0600
Subject: [anti-abuse-wg] Invalid abuse contact - reported to RIPE
Message-ID: <928C77B7821B4B37A42C0EC5389C5D22@userPC>

The original message was received at Wed, 16 Dec 2009 08:27:06 -0600
from gluon [127.0.0.1]

----- The following addresses had permanent fatal errors -----
(reason: 550 5.1.1 : Recipient address rejected: User unknown)

----- Transcript of session follows -----
... while talking to mail.tango.lu.:
>>> DATA
<<< 550 5.1.1 : Recipient address rejected: User unknown
550 5.1.1 ... User unknown
<<< 554 5.5.1 Error: no valid recipients

212.66.87.232 = [ ]
(Asked whois.ripe.net:43 about 212.66.87.232)

inetnum: 212.66.64.0 - 212.66.95.255
netname: LU-TANGOMOBILE-19990118
descr: Tango Mobile S.A.
country: LU
org: ORG-TMS6-RIPE
admin-c: tvdw14-ripe
tech-c: VP612-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: TANGO-MNT
mnt-routes: TANGO-MNT
mnt-domains: TANGO-MNT
source: RIPE Filtered

organisation: ORG-TMS6-RIPE
org-name: Tango Mobile S.A.
org-type: LIR
descr: tango-mnt
address: Tango Mobile S.A. Route de Luxembourg 177 L-8077 Bertrange Luxembourg
phone: 35227777101
fax-no: 35227777333
e-mail: tangoit at tango.lu
admin-c: tvdw14-ripe
admin-c: vp612-ripe
mnt-ref: mnt-tango
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: TANGO-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE Filtered

person: Tanguy van de Walle
address: Tango Mobile S.A.
address: rue de Luxembourg 177
address: 8077 Bertrange
address: Luxembourg
phone: 35227777445
nic-hdl: TvdW14-RIPE
source: RIPE Filtered

person: Vincent Piocel
address: Tango Mobile SA
address: 177 rue de Luxembourg
address: L-8077 Bertrange
address: Luxembourg
mnt-by: tango-mnt
e-mail: vpiocel at tango.lu
phone: 352 27 777 440
fax-no: 352 27 777 333
nic-hdl: VP612-RIPE
source: RIPE Filtered

route: 212.66.64.0/19
descr: Tele2 Luxembourg
descr: TELE2 / SWIPNET
descr: In case of improper use originating from our network please mail abuse at tele2.lu
origin: AS9045
mnt-by: TELE2EUROPE-MNT
mnt-routes: AS1257-MNT
source: RIPE Filtered

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From peter at hk.ipsec.se Wed Dec 16 23:48:01 2009
From: peter at hk.ipsec.se (Peter Hakanson)
Date: Wed, 16 Dec 2009 23:48:01 +0100 (CET)
Subject: [anti-abuse-wg] Invalid abuse contact - reported to RIPE (fwd)
Message-ID: <20091216234700.H89216@bore.hk.ipsec.se>

---------- Forwarded message ----------
Date: Wed, 16 Dec 2009 09:09:25 -0600
From: Alfred Moshurchak
To: tangoit at tango.lu, ops at ripe.net
Cc: vpiocel at tango.lu, anti-abuse-wg at ripe.net
Subject: [anti-abuse-wg] Invalid abuse contact - reported to RIPE

The original message was received at Wed, 16 Dec 2009 08:27:06 -0600
from gluon [127.0.0.1]

This seems to be a tele2 company, try mailing staff at swip.net as they has done a proper job.

peter h

----- The following addresses had permanent fatal errors -----
(reason: 550 5.1.1 : Recipient address rejected: User unknown)

----- Transcript of session follows -----
... while talking to mail.tango.lu.:
>>> DATA
<<< 550 5.1.1 : Recipient address rejected: User unknown
550 5.1.1 ... User unknown
<<< 554 5.5.1 Error: no valid recipients

212.66.87.232 = [ ]
(Asked whois.ripe.net:43 about 212.66.87.232)

inetnum: 212.66.64.0 - 212.66.95.255
netname: LU-TANGOMOBILE-19990118
descr: Tango Mobile S.A.
country: LU
org: ORG-TMS6-RIPE
admin-c: tvdw14-ripe
tech-c: VP612-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: TANGO-MNT
mnt-routes: TANGO-MNT
mnt-domains: TANGO-MNT
source: RIPE Filtered

organisation: ORG-TMS6-RIPE
org-name: Tango Mobile S.A.
org-type: LIR
descr: tango-mnt
address: Tango Mobile S.A. Route de Luxembourg 177 L-8077 Bertrange Luxembourg
phone: 35227777101
fax-no: 35227777333
e-mail: tangoit at tango.lu
admin-c: tvdw14-ripe
admin-c: vp612-ripe
mnt-ref: mnt-tango
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: TANGO-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE Filtered

person: Tanguy van de Walle
address: Tango Mobile S.A.
address: rue de Luxembourg 177
address: 8077 Bertrange
address: Luxembourg
phone: 35227777445
nic-hdl: TvdW14-RIPE
source: RIPE Filtered

person: Vincent Piocel
address: Tango Mobile SA
address: 177 rue de Luxembourg
address: L-8077 Bertrange
address: Luxembourg
mnt-by: tango-mnt
e-mail: vpiocel at tango.lu
phone: 352 27 777 440
fax-no: 352 27 777 333
nic-hdl: VP612-RIPE
source: RIPE Filtered

route: 212.66.64.0/19
descr: Tele2 Luxembourg
descr: TELE2 / SWIPNET
descr: In case of improper use originating from our network please mail abuse at tele2.lu
origin: AS9045
mnt-by: TELE2EUROPE-MNT
mnt-routes: AS1257-MNT
source: RIPE Filtered
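
Added example (not part of the archived messages): the whois output quoted in this thread lists contacts in several objects, and the only abuse address sits in free text in the route object's descr line. The sketch below splits the output into objects and ranks every address it finds; the function names and the bounced parameter are assumptions made for illustration, and the thread does not say which tango.lu address was rejected.

```python
import re

# Excerpt of the RIPE whois output quoted in the thread (trimmed). The list
# archive writes "@" as " at "; the pattern below accepts both spellings.
SAMPLE = """\
inetnum:      212.66.64.0 - 212.66.95.255

organisation: ORG-TMS6-RIPE
org-name:     Tango Mobile S.A.
e-mail:       tangoit at tango.lu

route:        212.66.64.0/19
descr:        Tele2 Luxembourg
descr:        In case of improper use originating from our network please mail abuse at tele2.lu
"""

ADDR = re.compile(r"([\w.+-]+)(?:@| at )([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():                 # a blank line ends an object
            if current:
                objects.append(current)
            current = []
        elif line[0] in "%#":                # server comment line
            continue
        elif line[0] in " \t+" and current:  # continuation of previous value
            attr, value = current[-1]
            current[-1] = (attr, f"{value} {line[1:].strip()}")
        elif ":" in line:
            attr, _, value = line.partition(":")
            current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

def contact_candidates(text, bounced=()):
    """Rank addresses from any attribute: abuse-mailbox, then abuse@, then the rest."""
    found = {}
    for obj in parse_objects(text):
        for attr, value in obj:
            for local, domain in ADDR.findall(value):
                addr = f"{local}@{domain}".lower()
                rank = 0 if attr == "abuse-mailbox" else 1 if local.lower().startswith("abuse") else 2
                if addr not in bounced and rank < found.get(addr, (3,))[0]:
                    found[addr] = (rank, obj[0][0], attr)  # obj[0][0] is the object class
    return [(a, cls, attr) for a, (rank, cls, attr) in sorted(found.items(), key=lambda kv: kv[1][0])]
```

Each result names the object class and attribute the address came from, so a reporter can see that a candidate was taken from free text rather than from a contact attribute. The " at " pattern can also match ordinary prose, so confirm free-text hits by eye before mailing them.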