Hi Craig,

If it's of interest to you, here's another example (forwarded separately). This one's a Citibank phish - and where the Westpac one was clearly sent direct, this one has a Received line which would suggest that it was routed through a relay.

I don't believe it. The relay, if that's what it was, appeared to be a student dorm at a French-speaking university, also in Canada. The first Received: line alleges to be from "pormexico.com", but the IP address belongs to Hewlett Packard according to whois.

I think those URLs are kind of interesting. The Citibank one references an IP address belonging in Korea (according to whois). The Westpac one refers to at least a URL redirection service in Russia (www.da.ru) and to something calling itself jablow.kir.jp, which on the face of it appears to be a legitimate site of some kind.

I wonder if this is some kind of worm-like infestation, which would account for the broad number of connection attempts, IP addresses and the apparent lack of relays. A student dorm, a dial-up/DSL address and an HP address seem like an unlikely real source for these things.

Dave.
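A defender-side check for the header observation Dave describes (a Received: line claiming one domain while the IP belongs to someone else), added here as an example and not code from the thread: it unfolds the headers, extracts each hop's claimed name, reverse-DNS name and IP, and flags hops whose claim is not backed by the receiving server's reverse DNS. The headers, addresses and whois table are constructed placeholders; a real whois lookup needs network access.

```python
import re

# Constructed sample headers modelled on the thread's description: the lower
# Received: line claims "pormexico.com" but carries an IP that a whois lookup
# attributes to someone else. IPs are RFC 5737 documentation addresses.
SAMPLE_HEADERS = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id abc123; Mon, 3 Nov 2003 20:10:00 +1300
Received: from pormexico.com (unknown [198.51.100.7])
\tby mail.example.org with SMTP; Mon, 3 Nov 2003 20:09:55 +1300
From: "Citibank" <security@citibank.example>
Subject: Account verification
"""

# Constructed stand-in for whois results (real lookups need network access).
WHOIS_OWNER = {
    "192.0.2.10": "Example Mail Org",
    "198.51.100.7": "Large Hardware Vendor (placeholder)",
}

# Matches "Received: from <claimed> (<rdns> [<ip>])"; the bracketed part is
# what the receiving MTA recorded itself, the claimed name is what the sender said.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<claimed>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[\d.]+)\]\))?",
    re.MULTILINE,
)

def unfold(headers):
    """Join RFC 5322 continuation lines so each header sits on one line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def parse_received(headers):
    """Return Received hops in header order (top = last relay, bottom = origin)."""
    return [
        {"claimed": m.group("claimed"), "rdns": m.group("rdns"), "ip": m.group("ip")}
        for m in RECEIVED_RE.finditer(unfold(headers))
    ]

def flag_suspicious_hops(headers, whois=WHOIS_OWNER):
    """Flag hops whose claimed (HELO) name is not confirmed by reverse DNS."""
    findings = []
    for hop in parse_received(headers):
        if hop["ip"] is None:
            continue  # no address recorded for this hop; nothing to compare
        rdns = (hop["rdns"] or "").lower()
        claimed = hop["claimed"].lower()
        if rdns in ("", "unknown") or not rdns.endswith(claimed):
            findings.append((claimed, hop["ip"], whois.get(hop["ip"], "unknown owner")))
    return findings
```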
Just a thought: anything to do with the previous discussion on the Polish SPAM service via trojaned machines?

Tikiri
----- Original Message -----
From: "David Miller"
_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog
On 3 Nov 2003 at 20:20, David Miller wrote:
I don't believe it. The relay, if that's what it was, appeared to be a student dorm at a french speaking university also in canada. The first received: line alleges to be from "pormexico.com", but the IP address belongs to Hewlett Packard according to whois.
If I can help with phone calls, etc., let me know (I'm in Ottawa).

--
Dan Langille : http://www.langille.org/