The Main IP Address its coming from that I can see is: 66.206.6.48 (any others that people know of) Link to http://004c256.netsolhost.com (left a message with contact of netblock) Redirects to: http://66.206.0.140/cgi-bin/secure/login.htm (can't contact the admin for this site) Blocking this helps alot. but a lot of trademe messages are forwarded from other places who are not blocking it. Thanks Craig --------------------------------- Return-path: Recieved from vtf-kys-18.corp.trademe.co.nz (dumasallestimenti.com [66.206.6.48] (may be forged)) by dbmail-mx1.orcon.net.nz (8.13.2/8.13.2/Debian-1) with ESMTP id j7Q0LCv2010906 for ; Fri, 26 Aug 2005 12:21:18 +1200 Received from mxpool21 (127.0.0.1) by vtf-kys-18.corp.trademe.co.nz (LSMTP for Windows NT v1.1b) with SMTP id <0.0000003F(a)vtf-kys-18.corp.trademe.co.nz>; Thu, 25 Aug 2005 19:20:02 -0500 From: "mailer(a)trademe.co.nz" To:jrosvall(a)orcon.net.nz Subject: Your Trade Me Bid was Cancelled !!! Date: Thu, 25 Aug 2005 19:20:02 -0500 Mime-version: 1.0 X-mailer: Internal Email Service (4.4.0.701) Message-id: Reply-to: mailer(a)trademe.co.nz Content-type: text/html; charset="iso-8859-1" Content-transfer-encoding: quoted-printable --------------------------------------------- ----- Original Message ----- From: "Simon Lyall" To: "nznog" Sent: Friday, August 26, 2005 12:14 PM Subject: RE: [nznog] Trade Me phishing scam??

Hmm, if people are going to post copies next time could they include full headers. For example it looks like (from a couple of have seen) the timezone in the emails is at -0500 and there don't seem to be many different originating IPs.

-- Simon J. Lyall. | Very Busy | Mail: simon(a)darkmere.gen.nz "To stay awake all night adds a day to your life" - Stilgar | eMT.

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

As of when I post, it's still up. Currently it redirects to: http://66.206.0.140/cgi-bin/secure/login.htm AW On Fri, 26 Aug 2005 12:50, Hadley Rich wrote: | On Fri, 26 Aug 2005 12:44, Craig Whitmore wrote: | > The Main IP Address its coming from that I can see is:  66.206.6.48  (any | > others that people know of) | > Link to http://004c256.netsolhost.com      (left a message with contact | > of netblock) | | I've just been on the phone with Network Solutions (owner of the | netsolhost.com domain) and placed a request to have that redirect removed | which I got escalated to a "VIP" status. Let's see if they actually do | anything. |

I've also emailed every contact I can find.. (Owners of IP Addresses/Owners of machines which have been Hacked, Website owners, Web site company ,... and nothing yet). I even tried calling on the phone a few of the people and left messages, but alas nothing.. Thanks

Well actually trademe should be able to do something. Have they? I presume they know all about this.. Can they not just check the referrer and if its the phish website, deny it.. The phish is running on a windows server under the epnix.com website which is easy to find out when you don't put proper information into the form (+ other ways) Notice: Undefined index: user_email in D:\Inetpub\epnix.com\cgi-bin\secure\email.php on line 129 As you are a registred member of Notice: Undefined offset: 1 in D:\Inetpub\epnix.com\cgi-bin\secure\email.php on line 132 Notice: Undefined offset: 1 in D:\Inetpub\epnix.com\cgi-bin\secure\email.php on line 132 , confirm your email account password for validation. Thanks Craig ----- Original Message ----- From: "Erin Salmon - Unleash Computers Ltd"

There's simply so much money in spam. The people on the receiving end of the cheques will drag it out as long as possible. I think a public announcement of who ever turns out to be behind it would be a good idea, so we can all go and egg his house.

On Sat, 27 Aug 2005 11:39, Craig Whitmore wrote:

Well actually trademe should be able to do something. Have they? I presume they know all about this..

After more than a little looking around their site I found that while going through their 'Contact Us' forms, that they had a note of recent issues, in which was a listing: --- "26 August - Phishing emails update The fraudulent "phishing" email mentioned below is still being distributed. Do not click on the link in this email. Please read our online help about phishing emails. Whenever you login to Trade Me please ensure the website address begins with www.trademe.co.nz Trade Me will never ask for your password in an email and will always use your first name to address you." --- That tracks down to be off the "Community" > "Message Boards" > "Site Announcements" (http://www.trademe.co.nz/announcement.asp), which is great, but how many people honestly check that regularly? So they at least know and acknowledge it, but something that was visible from the home page would have been nicer idea imho. Regards, Daniel Hopkirk ----------------------------------------+ Beware the fury of a patient man. -- John Dryden ----------------------------------------+

Though, throwing a nice "Change your password NOW plzkthxbye." would be appropriate in a trigger to clicking a link off the site.

On undernet if we detect them coming from a phishing site, we just change their password to something they don't know. Then they have to go through the forgotten password procedure. We also have several "dummy" accounts that when we detect phishing we "login" as. Then when the dummy accounts turn up being used on our site we can use that to figure out which other accounts have been lost.

Here is one for you: Microsoft Mail Internet Headers Version 2.0 Received: from vtf-kys-18.corp.trademe.co.nz ([10.184.0.196]) by mail.newjobz.co.nz with Microsoft SMTPSVC(6.0.3790.211); Fri, 26 Aug 2005 11:43:39 +1200 Received: from mxpool21 (127.0.0.1) by vtf-kys-18.corp.trademe.co.nz (LSMTP for Windows NT v1.1b) with SMTP id <12.0000059D(a)vtf-kys-18.corp.trademe.co.nz>; Thu, 25 Aug 2005 18:34:53 -0500 From: "=?iso-8859-1?B?bWFpbGVyQHRyYWRlbWUuY28ubno=?=" To: info(a)newjobz.co.nz Subject: Your Trade Me Bid was Cancelled !!! Date: Thu, 25 Aug 2005 18:34:52 -0500 MIME-Version: 1.0 X-Mailer: Internal Email Service (4.4.0.701) Message-ID: Reply-To: mailer(a)trademe.co.nz Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Return-Path: mailer(a)trademe.co.nz X-OriginalArrivalTime: 25 Aug 2005 23:43:41.0046 (UTC) FILETIME=[D288B960:01C5A9CE] James Butler IT Manager Stu Macann & Associates Ltd -----Original Message----- From: Simon Lyall [mailto:simon(a)darkmere.gen.nz] Sent: Friday, 26 August 2005 12:14 To: nznog Subject: RE: [nznog] Trade Me phishing scam?? Hmm, if people are going to post copies next time could they include full headers. For example it looks like (from a couple of have seen) the timezone in the emails is at -0500 and there don't seem to be many different originating IPs. -- Simon J. Lyall. | Very Busy | Mail: simon(a)darkmere.gen.nz "To stay awake all night adds a day to your life" - Stilgar | eMT. _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog