Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 16 July 2009

Dear e-mail user

Just received this in my inbox, and thought it was rather funny. Why, you ask? Well, first, this scammer evidently didn't bother taking the time to at least try to make the scam look legit, and second, other than "WEBMAIL E-mail messaging center", there's no company or website specified - something you're, err, meant to include if you're trying to scam users of a particular website or service.

I thought at first that the e-mail had just been converted to text by my e-mail client, but nope, it was apparently already in plain text, complete with the god-awful formatting.

Dear e-mail user,
This message is from WEBMAIL E-mail messaging center to all
our email account users. We are currently conducting a maintenance
exercise which is for upgrading our database and e-mail account center
Thisexercise involves the deactivation of dormant /unused/invalid email
accounts to make room for further upgrading.
To confirm the validity of your email and to prevent your account
from deactivation, you are advised to update it by proving us with
the following information to alexeifamily@cooperation.net
CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username:
EMAIL Password:
Date of Birth:

Warning!!!
Account owners are expected to update their accounts within 10 working
days after receipt of this notice. Failure to comply with this notice
within the stipulated time will face the risk of loosing his or her
account.

Thanks for your co-operation!
Warning Code: VX2G99AAJ
Web Team
BETA!


The e-mail's headers show only a single fake Received From line, with the real originating IP being:

121.241.210.105 - 121.241.210.105.static-kolkata.vsnl.net.in (India, AS4755)

The e-mail address they want you to respond to is alexeifamily@cooperation.net, a Brazilian website hosted at 80.80.229.46 (AS21217 - CH-SAFEHOST, PTR: www.cooperation.net), though unless I'm mistaken, it appears to be a French free e-mail account provider? (pretty weird considering its WhoIs references Brazil and Switzerland - not France).

domain: cooperation.net
reg_created: 1998-06-26 00:00:00
expires: 2010-06-25 04:00:00
created: 2001-06-24 11:55:40
changed: 2009-06-05 00:44:50
transfer-prohibited: yes
ns0: host-246.netzwirt.ch
ns1: host-247.netzwirt.ch
owner-c:
nic-hdl: TB100-GANDI
owner-name: Ynternet.org
organisation: Ynternet.org
person: Theo Bondolfi
address: "Fondation Ynternet.org \r\nch. de la branche 17"
zipcode: 1091
city: Grandvaux
country: Switzerland
phone: +41.213113047
fax: ''
email: 95c429c7b960758514471a4a1e2e9110-40616@contact.gandi.net
lastupdated: 2009-03-17 17:02:56
admin-c:
nic-hdl: TB100-GANDI
owner-name: Ynternet.org
organisation: Ynternet.org
person: Theo Bondolfi
address: "Fondation Ynternet.org \r\nch. de la branche 17"
zipcode: 1091
city: Grandvaux
country: Switzerland
phone: +41.213113047
fax: ''
email: 95c429c7b960758514471a4a1e2e9110-40616@contact.gandi.net
lastupdated: 2009-03-17 17:02:56
tech-c:
nic-hdl: AT1908-GANDI
organisation: ~
person: Antonio Terceiro
address: 'Rua Teixeira Barros, 800 apt 707B'
zipcode: 40279080
city: Salvador
country: Brazil
phone: +55.7133312299
fax: ''
email: d0a1291416fae0c9b419960cdf5f4fb4-822167@contact.gandi.net
lastupdated: 2009-04-16 15:44:25
bill-c:
nic-hdl: TB100-GANDI
owner-name: Ynternet.org
organisation: Ynternet.org
person: Theo Bondolfi
address: "Fondation Ynternet.org \r\nch. de la branche 17"
zipcode: 1091
city: Grandvaux
country: Switzerland
phone: +41.213113047
fax: ''
email: 95c429c7b960758514471a4a1e2e9110-40616@contact.gandi.net
lastupdated: 2009-03-17 17:02:56


WhoIs server: whois.gandi.net


I'm actually surprised that this e-mail address is only known to one anti-phishing project (at the time of checking, the only two listed in the results led to this one):

http://www.google.co.uk/search?hl=en&q=%22alexeifamily@cooperation.net%22&meta=&aq=f&oq=
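
The traits picked out above (a blank password form in a plain-text body, a reply address on a different domain from the sender, and the IP in the Received line) can be checked mechanically. The following is an added example, not part of the original post: the headers in `SAMPLE` are constructed for illustration (the `example.org`/`example.net` hosts and the From address are assumptions), while the body lines, the IP and the reply address are the ones quoted in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers are invented for illustration; the body
# lines, the IP and the reply address are the ones quoted in the post.
SAMPLE = """\
Received: from mail.example.org (unknown [121.241.210.105])
\tby mx.example.net with SMTP; Thu, 16 Jul 2009 09:00:00 +0000
From: "Web Team" <webteam@example.org>
To: undisclosed-recipients:;
Subject: Dear e-mail user
Content-Type: text/plain; charset="us-ascii"

To confirm the validity of your email and to prevent your account
from deactivation, you are advised to update it by proving us with
the following information to alexeifamily@cooperation.net
CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username:
EMAIL Password:
Date of Birth:
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# A blank form field such as "EMAIL Password:" on a line of its own.
FIELD_RE = re.compile(
    r"^\s*(?:e-?mail\s+)?(password|username|user\s*name)\s*:\s*$", re.I | re.M)

def analyse(raw):
    """Flag a message that asks for a password to be mailed to another domain."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part text/plain, as in the sample
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Addresses in the body whose domain differs from the visible sender's.
    drop_boxes = sorted({a.lower() for a in ADDR_RE.findall(body)
                         if a.rpartition("@")[2].lower() != from_domain})
    fields = sorted({f.lower().replace(" ", "") for f in FIELD_RE.findall(body)})
    # Bracketed IPs from every Received header, newest hop first.
    ips = [ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(h)]
    return {
        "requested_fields": fields,
        "drop_boxes": drop_boxes,
        "received_ips": ips,
        "suspicious": "password" in fields and bool(drop_boxes),
    }
```

Only the Received line stamped by your own mail server can be trusted; every Received line below it is supplied by the sender and may be forged.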
