Today I received another (although I have not received them in a few months) eBay phishing e-mail.
Mail headers below:
Return-path:
Envelope-to: XXXXX@runningwithbulls.com
Delivery-date: Thu, 10 May 2007 13:41:45 +0100
Received: from mail by server.XXXXXXX.net with spam-scanned (Exim 4.60)
(envelope-from
id 1Hm7xo-0000Tf-QT
for XXXXX@runningwithbulls.com; Thu, 10 May 2007 13:41:45 +0100
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
server.XXXXXX.net
X-Spam-Level:
X-Spam-Status: No, score=0.6 required=5.0 tests=HTML_MESSAGE,
HTML_MIME_NO_HTML_TAG,HTML_TAG_EXIST_TBODY,MIME_HTML_ONLY autolearn=no
version=3.1.8
Received: from alexandria60.2mhost.com ([75.126.2.197])
by server.XXXXXX.net with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.60)
(envelope-from
id 1Hm7xo-0000Tb-Ch
for XXXXXXX@runningwithbulls.com; Thu, 10 May 2007 13:41:44 +0100
Received: from nobody by alexandria60.2mhost.com with local (Exim 4.63)
(envelope-from
id 1Hm8Du-00007R-Ky
for XXXXXX@runningwithbulls.com; Thu, 10 May 2007 07:58:22 -0500
To: XXXXX@runningwithbulls.com
Subject: Account Notice
From: eBay
Reply-To: noreply@notices.ebay.com
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Thu, 10 May 2007 07:58:22 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - alexandria60.2mhost.com
X-AntiAbuse: Original Domain - runningwithbulls.com
X-AntiAbuse: Originator/Caller UID/GID - [99 32002] / [47 12]
X-AntiAbuse: Sender Address Domain - alexandria60.2mhost.com
X-Source:
X-Source-Args: /usr/local/apache/bin/httpd -DSSL
X-Source-Dir: scrsm.org:/public_html/Photos/include/aa
The phishing page is hosted on mentos.ws. The whois information gives registration as:
Registrant:
ASP Solutions
Czwartakow 5/29
Bielsko Biala, slaskie 43-300
PL
+48.501705275
Domain Name: MENTOS.WS
Administrative Contact:
Nowak, Seweryn mentos@mentos.ws
Czwartakow 5/29
Bielsko Biala, slaskie 43-300
PL
+48.501705275
Technical Contact:
Nowak, Seweryn mentos@mentos.ws
Czwartakow 5/29
Bielsko Biala, slaskie 43-300
PL
+48.501705275
Report has been sent to eBay.
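The headers above already carry what an abuse report to the sending host needs. The following is an added example, not part of the original post: a small Python triage that pulls those fields out of a constructed, trimmed copy of the headers. The function name `triage`, the sample text, and the reading of a `with local` hop from `nobody` plus `X-Source-Dir` as "mail generated by a web script on the sending host" are assumptions made here.

```python
import re
from email import message_from_string

# Constructed sample: trimmed copy of the headers quoted in the post.
# Fields the post shows blank are omitted; redactions are kept as XXXXX.
SAMPLE = """\
Received: from alexandria60.2mhost.com ([75.126.2.197])
\tby server.XXXXXX.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.60)
\tfor XXXXX@runningwithbulls.com; Thu, 10 May 2007 13:41:44 +0100
Received: from nobody by alexandria60.2mhost.com with local (Exim 4.63)
\tfor XXXXX@runningwithbulls.com; Thu, 10 May 2007 07:58:22 -0500
Subject: Account Notice
From: eBay
Reply-To: noreply@notices.ebay.com
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Sender Address Domain - alexandria60.2mhost.com
X-Source-Args: /usr/local/apache/bin/httpd -DSSL
X-Source-Dir: scrsm.org:/public_html/Photos/include/aa

"""

def triage(raw):
    """Collect the header facts an abuse report for this mail would cite."""
    msg = message_from_string(raw)
    out = {"relay_host": None, "relay_ip": None, "local_user": None}
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())  # unfold continuation lines
        relay = re.match(r"from (\S+) \(\[([0-9A-Fa-f.:]+)\]\)", hop)
        if relay and out["relay_host"] is None:  # newest hop is listed first
            out["relay_host"], out["relay_ip"] = relay.groups()
        local = re.match(r"from (\S+) by \S+ with local\b", hop)
        if local:  # mail handed to Exim by a local process, not over SMTP
            out["local_user"] = local.group(1)
    # X-AntiAbuse lines are "Label - value"; the banner line has no " - "
    abuse = dict(v.split(" - ", 1) for v in msg.get_all("X-AntiAbuse", []) if " - " in v)
    # Assumed meaning: X-Source-Dir is "site:/path" of the generating script
    out["script_site"], _, out["script_dir"] = msg.get("X-Source-Dir", "").partition(":")
    out["launched_by"] = msg.get("X-Source-Args")
    reply_dom = msg.get("Reply-To", "").rpartition("@")[2].strip("> ")
    out["reply_to_mismatch"] = bool(reply_dom) and reply_dom != abuse.get("Sender Address Domain")
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```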

I just got one. Hover over the “Proceed to” GIF and it appears to point to 202.75.42.30, which is TELEKOM MALAYSIA BERHAD; however, a WHOIS on mentos.ws shows NOC4Hosts, Tampa, FL.