Spoof email--ebay style

Discussion in 'Software' started by mag00, Mar 11, 2004.

  1. mag00

    mag00 Sergeant

    Hi, got this email today and was really curious how these people get away with this.
    I figured the best way to dissect this was to post the source and see who wanted a go at it. So far all I can figure is it may be coming from amen-pro.com. Who are they and where are they sending from? I forwarded it to spoof at ebay already so they can go after 'em.

    So just as a kind of fun thing I'd like to go over this with all who are interested. Could be a fun diversion.

    I mean these spoofs are very clever and convincing, but I think the people here are better. :)

    MIME-Version: 1.0
    Received: from smtp002.bizmail.yahoo.com ([216.136.172.126]) by
    mc2-f21.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Wed, 10 Mar 2004
    19:44:09 -0800
    Received: from unknown (HELO webmaster@saolon.com)
    (webmaster@saolon.com@210.245.33.83 with login) by smtp002.bizmail.yahoo.com
    with SMTP; 11 Mar 2004 03:44:08 -0000
    X-Message-Info: 6sSXyD95QpVmW8mAqej9C1i/K2NDB5Y+
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1106
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    Return-Path: aw-confirm@ebay.com
    Message-ID: <MC2-F21XQ1h8Xq466AR0007ef00@mc2-f21.hotmail.com>
    X-OriginalArrivalTime: 11 Mar 2004 03:44:09.0391 (UTC)
    FILETIME=[1C52B3F0:01C4071B]
    Content-Type: text/html; charset="us-ascii"

    <DIV><SCRIPT>
    <!--
    function Filtered()
    {
    return 0
    }
    //-->
    </SCRIPT>




    <div style="BACKGROUND-COLOR:#FFFFFF">
    <table cellpadding="0" cellspacing="0" width="600">
    <tr>
    <td width="600" style="word-wrap: break-word; ">
    <table cellpadding="0" cellspacing="0" width="600">
    <table cellpadding="2" cellspacing="0" border="0" bgcolor="#D6DCFE" width="100%">
    <tr>
    <td><a href="http://64.4.16.250/cgi-bin/linkrd?_lang=EN&lah=20206b7bfadeb9decbef660b0d46d166&lat=1079040980&hm___action=http%3a%2f%2fwww%2eebay%2ecom%2f" target="_blank"><img src="http://pics.ebaystatic.com/aw/pics/email/eBayLogo.gif" border="0" align="right" target="_blank"></a><font size="3" face="Arial, Verdana">Hello jag440jag, place or change your account information on file</font>
    </td>
    </tr>
    <tr bgcolor="#9999CC" height="2"><td></td></tr></table>
    <tr><td colspan="2"><IMG height="27" alt=" " src="http://pics.ebaystatic.com/aw/pics/spacer.gif" width="1"></td></tr>
    <tr>
    <td colspan="2"><font face="Arial, Verdana" size="2">
    &nbsp;Dear <font style="font-size: x-small; font-family: arial, sans-serif; font-weight:bold ">jag440jag,</font></font>
    </td>
    </tr>
    <tr><td colspan="2"><IMG height="15" alt=" " src="http://pics.ebaystatic.com/aw/pics/spacer.gif" width="1"></td></tr>
    <tr>
    <td colspan="2"><font face="Arial, Verdana" size="2">&nbsp; eBay requires correct credit card information in full each month on accounts with balances of $1.00 or greater and if your account becomes past due.
    You have been pre-indefinitely suspended from eBay because our records indicate your account was involved in activities that violate our policy governing the sale of potentially infringing items, and you may be responsible for collection costs.
    If you feel you have been suspended in error or want to appeal this decision by providing additional
    information, we offer you the ability to place or change the information you submit to us by <a target="_blank" href="<A href="http://64.4.16.250/cgi-bin/linkrd?_lang=EN&lah=bc06ec9510e007864bf9527791b0d3e5&lat=1079040980&hm___action=http%3a%2f%2fscgi%2eebay%2ecom%26saw%2dcgieBayISAPIdll%26SignIn%26UsingSSL%3d0%26siteid%3d0%26changeUser%3d0%26pUserId%3d%26pNextPage%3dPlaceCCInfoSignIn%26UsingSSL%3d0%26siteid%3d0%26changeUser%3d0%26pUserId%3d%26pNextPage%3aac%3dsecure%2eupdate%40vds%2d238488%2eamen%2dpro%2ecom%2fmotd%2ehtml">click">http://64.4.16.250/cgi-bin/linkrd?_lang=EN&lah=bc06ec9510e007864bf9527791b0d3e5&lat=1079040980&hm___action=http%3a%2f%2fscgi%2eebay%2ecom%26saw%2dcgieBayISAPIdll%26SignIn%26UsingSSL%3d0%26siteid%3d0%26changeUser%3d0%26pUserId%3d%26pNextPage%3dPlaceCCInfoSignIn%26UsingSSL%3d0%26siteid%3d0%26changeUser%3d0%26pUserId%3d%26pNextPage%3aac%3dsecure%2eupdate%40vds%2d238488%2eamen%2dpro%2ecom%2fmotd%2ehtml">click here</a>
    and entering the new information yourself
    <b> </b> in your
    account.Or click to this link below :<br><br>

    <a target="_blank" href="<A href="http://64.4.16.250/cgi-bin/linkrd?_lang=EN&lah=bc06ec9510e007864bf9527791b0d3e5&lat=1079040980&hm___action=http%3a%2f%2fscgi%2eebay%2ecom%26saw%2dcgieBayISAPIdll%26SignIn%26UsingSSL%3d0%26siteid%3d0%26changeUser%3d0%26pUserId%3d%26pNextPage%3dPlaceCCInfoSignIn%26UsingSSL%3d0%26siteid%3d0%26changeUser%3d0%26pUserId%3d%26pNextPage%3aac%3dsecure%2eupdate%40vds%2d238488%2eamen%2dpro%2ecom%2fmotd%2ehtml">http://signin.ebay.com//aw-cgi/eBayIASPI.dll?PlaceCCInfo&&UserId=ge4mDtry3sy2328XZe</a><br><br">http://64.4.16.250/cgi-bin/linkrd?_lang=EN&lah=bc06ec9510e007864bf9527791b0d3e5&lat=1079040980&hm___action=http%3a%2f%2fscgi%2eebay%2ecom%26saw%2dcgieBayISAPIdll%26SignIn%26UsingSSL%3d0%26siteid%3d0%26changeUser%3d0%26pUserId%3d%26pNextPage%3dPlaceCCInfoSignIn%26UsingSSL%3d0%26siteid%3d0%26changeUser%3d0%26pUserId%3d%26pNextPage%3aac%3dsecure%2eupdate%40vds%2d238488%2eamen%2dpro%2ecom%2fmotd%2ehtml">http://signin.ebay.com//aw-cgi/eBayIASPI.dll?PlaceCCInfo&&UserId=ge4mDtry3sy2328XZe</a><br><br>

    &nbsp; Per the User Agreement, Section 9, we may immediately issue a
    warning,temporarily suspend, indefinitely suspend or terminate your membership
    and refuse to provide our services to you if we believe that your actions may
    cause financial loss or legal liability for you, our users or us. We may also
    take these actions if we are unable to verify or authenticate any information
    you provide to us.Due to the suspension of this account, please be advised you
    are prohibited from using eBay in any way. This includes the registering of a
    new account.<b><br>
    </b><br>
    An email regarding this was sent to you at jag440jag@hotmail.com.<br><br>

    Regards,<br><br>

    eBay SafeHarbor Team<br>
    <hr style="WIDTH: 600px " align="center" width="600" SIZE="2">
    <table cellSpacing="0" cellPadding="0" width="600" border="0">
    </font>
    <table cellSpacing="0" cellPadding="0" width="600" border="0">
    <tr>
    <td style="font-family: arial,helvetica,sans-serif; font-size: x-small ">
    <font size="1" color="#666666">&nbsp; </font>
    <cursive src="http://include.ebay.com/aw/pics/js/stats/ss2.js">
    <b>
    <font style="line-height: 1.35em " face="Arial, Verdana" color="#666666" size="1">
    <font face="Arial" size="1" color="#666666">eBay treats your personal information with the utmost care, and our Privacy Policy is designed to protect you and your information. eBay will never ask their users for personal information, such as bank accounts numbers, credit card numbers, pin numbers, passwords, or Social Security numbers in an email. For more information on how to protect your eBay password and your account, please visit <a href="http://64.4.16.250/cgi-bin/linkrd?_lang=EN&lah=57eb2c411c36d13105c8b8314d435d81&lat=1079040980&hm___action=http%3a%2f%2fpages%2eebay%2ecom%2fhelp%2faccount_protection%2ehtml" xonclick="return openNonHelpWindow(this.href);" target="_blank">User Account Protection</a>.</font></font></b></td>
    </tr>
    <tr>
    <td><IMG height="15" alt=" " src="http://pics.ebaystatic.com/aw/pics/spacer.gif" width="1"></td></tr>
    <tr>
    <td>
    <font face="Arial" size="1" color="#666666">&nbsp;This eBay notice was sent to jag440jag@hotmail.com&nbsp; based on your eBay account preferences and in accordance with our <a href="http://64.4.16.250/cgi-bin/linkrd?_lang=EN&lah=9220924f3de9fc933828a6c2210f35d3&lat=1079040980&hm___action=http%3a%2f%2fpages%2eebay%2ecom%2fhelp%2fcommunity%2fpng%2dpriv%2ehtml" xonclick="return openNonHelpWindow(this.href);" target="_blank">
    Privacy Policy</a>. To change your notification preferences, please visit <a href="http://64.4.16.250/cgi-bin/linkrd?_lang=EN&lah=b62b9bd09812bd8ad8f00d764c6ea495&lat=1079040980&hm___action=http%3a%2f%2fcgi3%2eebay%2ecom%2faw%2dcgi%2feBayISAPI%2edll%3fOptinLoginShow" xonclick="return openNonHelpWindow(this.href);" target="_blank">click here</a>. If you would like to receive this email in text format, <a href="http://64.4.16.250/cgi-bin/linkrd?_lang=EN&lah=b62b9bd09812bd8ad8f00d764c6ea495&lat=1079040980&hm___action=http%3a%2f%2fcgi3%2eebay%2ecom%2faw%2dcgi%2feBayISAPI%2edll%3fOptinLoginShow" xonclick="return openNonHelpWindow(this.href);" target="_blank">click here</a>.</font></td>
    </tr>
    <tr>
    <td><IMG height="15" alt=" " src="http://pics.ebaystatic.com/aw/pics/spacer.gif" width="1"></td>
    </tr>
    <tr>
    <td>
    <p align="center">
    <font face="Arial" size="1" color="#666666">
    Copyright © 2003 eBay Inc. All Rights Reserved. <br>Designated trademarks and brands are the property of their respective owners.<br>eBay and the eBay logo are trademarks of eBay Inc.</font>
    </p>
    </td>
    </tr>
    </table>
    </table>
    </td>
    </tr>
    </table>

    <font color=#000000></div>
    </div>
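The links in the pasted source are the giveaway: the visible text reads like a signin.ebay.com address, but the href is a Hotmail click-tracking redirect (linkrd, target in the hm___action parameter) whose decoded target has a long `scgi.ebay.com&...` prefix ending in `@vds-238488.amen-pro.com`, so the browser treats the eBay-looking part as a username and connects to amen-pro.com. The following Python check is an added example, not part of mag00's post or the original message: it unwraps the redirect, resolves the real host, and flags any link whose shown host differs from the landing host or that carries such a user@host prefix. SAMPLE_HTML is a constructed fragment modelled on the message's links; the lah value is a placeholder.

```python
"""Added example: flag e-mail links whose displayed host differs from the landing host.
The SAMPLE_HTML fragment below is constructed to mirror the links in the message
quoted in this thread; it is not the message itself (lah=PLACEHOLDER is made up)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def landing_url(href):
    """Unwrap Hotmail's linkrd click-tracking redirect (target in hm___action);
    any other href is returned unchanged."""
    parts = urlsplit(href)
    if parts.path.endswith("/linkrd"):
        target = parse_qs(parts.query).get("hm___action")
        if target:
            return target[0]          # parse_qs already percent-decodes the value
    return href


def host_of(url):
    """Host the browser would actually connect to.  urlsplit() treats everything
    before the last '@' in the authority as user info and discards it, which is
    what a browser does with 'http://scgi.ebay.com...@other.example/'."""
    return (urlsplit(url).hostname or "").lower()


def suspicious_links(html):
    """One finding per link whose shown host != real host, or that uses the
    user@host trick.  Links whose text is not a URL are judged on the trick alone."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = landing_url(href)
        real_host = host_of(real)
        shown_host = host_of(text) if text.lower().startswith("http") else None
        userinfo_trick = "@" in urlsplit(real).netloc
        if userinfo_trick or (shown_host and shown_host != real_host):
            findings.append({"shown": shown_host, "real": real_host,
                             "userinfo_trick": userinfo_trick})
    return findings


# Constructed sample: a harmless logo link plus the two credential-harvesting
# links, all wrapped in Hotmail's redirector the way the pasted source shows them.
PHISH_HREF = (
    "http://64.4.16.250/cgi-bin/linkrd?_lang=EN&amp;lah=PLACEHOLDER&amp;lat=1079040980"
    "&amp;hm___action=http%3a%2f%2fscgi%2eebay%2ecom%26saw%2dcgieBayISAPIdll%26SignIn"
    "%26UsingSSL%3d0%26pNextPage%3aac%3dsecure%2eupdate%40vds%2d238488%2eamen%2dpro%2ecom%2fmotd%2ehtml"
)
SAMPLE_HTML = f"""
<a href="http://64.4.16.250/cgi-bin/linkrd?_lang=EN&amp;lah=PLACEHOLDER&amp;hm___action=http%3a%2f%2fwww%2eebay%2ecom%2f"><img src="eBayLogo.gif"></a>
<p>...we offer you the ability to change the information by <a href="{PHISH_HREF}">click here</a>.
Or click this link below:<br>
<a href="{PHISH_HREF}">http://signin.ebay.com//aw-cgi/eBayISAPI.dll?PlaceCCInfo</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML):
        print(finding)
```

Run as a script it prints two findings, both landing on vds-238488.amen-pro.com; the logo link, whose target really is www.ebay.com and whose text is an image, is not reported.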
     
  2. Kodo

    Kodo SNATCHSQUATCH

    even better is if you scan for SMTP open relays that some chucklehead left open on a Windows 2k+ box.. you can bounce emails right through their system. You can put in ANY email address you want.
     
  3. mag00

    mag00 Sergeant

    From the address header I don't see any way to figure out where it originated. I think the big mail providers are working on some pact as to supplying the IP address or the mail won't go. Could be a good thing, but then maybe not. Anonymity is a wonderful thing even if you're not an email pest.

    So in this little section below, what is the language? Can it be called a language? I get the first two lines (except linkrd?) but what is the rest? In past posts I have inquired as to front page and dos and the like; where does this fall into the fray?

    Did I inadvertently load any unwanteds on my friend's computer?
    Fourth line, the part ISAPIdll: should I worry?

    <a target="_blank" href="<A
    href="http://64.4.16.250/cgi-bin/linkrd?_lang=EN&lah=bc06ec9510e007864bf9527791b0d3e5&lat=1079040980&hm___action=http%3a%2f%2fscgi%2eebay%2ecom%26saw%2dcgieBayISAPIdll%26SignIn%26UsingSSL%3d0%26siteid%3d0%26changeUser%3d0%26pUserId%3d%26pNextPage%3dPlaceCCInfoSignIn%26UsingSSL%3d0%26siteid%3d0%26changeUser%3d0%26pUserId%3d%26pNextPage%3aac%3dsecure%2eupdate%40vds%2d238488%2eamen%2dpro%2ecom%2fmotd%2ehtml">click">http://64.4.16.250/cgi-bin/linkrd?_lang=EN&lah=bc06ec9510e007864bf9527791b0d3e5&lat=1079040980&hm___action=http%3a%2f%2fscgi%2eebay%2ecom%26saw%2dcgieBayISAPIdll%26SignIn%26UsingSSL%3d0%26siteid%3d0%26changeUser%3d0%26pUserId%3d%26pNextPage%3dPlaceCCInfoSignIn%26UsingSSL%3d0%26siteid%3d0%26changeUser%3d0%26pUserId%3d%26pNextPage%3aac%3dsecure%2eupdate%40vds%2d238488%2eamen%2dpro%2ecom%2fmotd%2ehtml">click here</a>

    Usually I'll go to the link and fill in the text fields with obscenities, but I do that from an iMac. No worries, but I think out of curiosity I did click the link, forgetting that this box is more vulnerable. Usually these guys just want identity / cc stuff and are not malware type people. However, could something be coded and sit dormant till the desired info was entered into IE pages, like for online ordering?
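The Received headers in the first post do say where the message entered the mail system, if read bottom-up: the lowest line was added by smtp002.bizmail.yahoo.com when a client at 210.245.33.83 submitted the message over an authenticated ("with login") session, the line above it was added by Hotmail when Yahoo handed it over, and nothing in the chain was ever touched by ebay.com despite the Return-Path. The script below is an added example, not part of the thread: it parses the chain oldest-first and summarises the first hop. RAW_HEADERS is a re-folded copy of the header lines quoted in the first post.

```python
"""Added example: walk the Received chain of the pasted message to find where it
really entered the mail system.  RAW_HEADERS is a re-folded copy of the header
lines quoted in the first post of this thread."""
import re
from email import message_from_string

RAW_HEADERS = """\
Received: from smtp002.bizmail.yahoo.com ([216.136.172.126]) by
 mc2-f21.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Wed, 10 Mar 2004
 19:44:09 -0800
Received: from unknown (HELO webmaster@saolon.com)
 (webmaster@saolon.com@210.245.33.83 with login) by smtp002.bizmail.yahoo.com
 with SMTP; 11 Mar 2004 03:44:08 -0000
Return-Path: aw-confirm@ebay.com
Message-ID: <MC2-F21XQ1h8Xq466AR0007ef00@mc2-f21.hotmail.com>

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <claimed name> <anything> by <receiving server>": the claimed name is
# whatever the client said in HELO, so it is only as honest as the client.
HOP = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", re.S)


def parse_hops(raw):
    """Return the relay hops oldest-first.  Every server prepends its own Received
    line, so the header order is newest-first and has to be reversed."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP.search(value)
        if not m:
            continue
        claimed, extra, by = m.groups()
        ips = IPV4.findall(claimed + extra)      # IP recorded by the receiving server
        hops.append({
            "claimed_from": claimed,
            "from_ip": ips[0] if ips else None,
            "by": by,
            "authenticated": "with login" in extra,   # Yahoo's marker for SMTP AUTH
        })
    return hops


def origin_report(raw):
    """Summarise what the chain says about the message's origin.  Only lines added
    by servers you trust (here Hotmail, then Yahoo) are reliable; the first hop is
    the last point a defender can pin on the sender."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    first = hops[0]
    return_path = (msg.get("Return-Path") or "").strip("<> ")
    sender_domain = return_path.rsplit("@", 1)[-1].lower()
    return {
        "first_hop_ip": first["from_ip"],
        "submitted_to": first["by"],
        "authenticated_submission": first["authenticated"],
        "claimed_sender_domain": sender_domain,
        # Did the claimed sender's own mail servers ever handle this message?
        "handled_by_claimed_domain": any(
            h["by"].lower().endswith("." + sender_domain) for h in hops),
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    for key, val in origin_report(RAW_HEADERS).items():
        print(f"{key}: {val}")
```

The report shows the message was submitted from 210.245.33.83 through an authenticated Yahoo business-mail account and never passed through an ebay.com server; the HELO name and the Return-Path are client-supplied and carry no weight. Who holds 210.245.33.83 is a question for the address registry, which is the whois step taken later in the thread.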
     
  4. mag00

    mag00 Sergeant

    bologna sandwich?

    SMTP? I've configured mail etc., but what is that really? How can you leave the relay open? Is that not automated with Outlook and the like? Actually I thought the provider had all those controls. :confused:

    PS is that a bologna sandwich?
     
  5. Kodo

    Kodo SNATCHSQUATCH

    the scam is called phishing.. They played off a vulnerability in IE that allowed someone to actually spoof the domain as well (patch issues, by the way). So basically they set up a site that looks EXACTLY like ebay and looks authentic enough and they fool people into entering their personal information.

    Other scams phish through spam email saying you won something and hope you're gullible enough to enter credit card information for shipping costs..
     
  6. Kodo

    Kodo SNATCHSQUATCH

    It's a cannoli :)

    Windows 2000/XP and their server counterparts have the ability to run a Simple Mail Transport Protocol server. It doesn't require Outlook. It's a web services server.

    You can scan to see who has port 25 open with a port scanner. Get their ip and then put that in your mail script and off you go. They won't be the wiser for a while.
     
  7. Vlad902

    Vlad902 Guest

    I don't think they need zombies or proxies, although they may need zombies/proxies if they were spamming, but in a general case all you need is an SMTP server that's an open relay; there are actually some databases that have thousands of IPs of open relays to block.

    IP spoofing, I doubt they would have gone that far. Nowadays, in the days after the big DDoS revolution, modern ISPs stop incoming packets on the external interface to the internal with an internal IP (which of course isn't necessary, but outgoing may stop from non-internal), and if they did get away with it, they would have to get at least 3-4 packets in, guessing a bunch of information (SEQ/ISN (if a good OS)/etc.), and basically they would kill themselves trying :p

    And I'm not sure about header programs, but the SMTP server usually does the headers (With extra info slapped on as it gets passed to other SMTP servers).


    A fun way to play with spammers is that there are special servers that act as extremely lagged-down open relays, and when spammers try to connect to them they generally waste several hours; possibly they may also think the spams actually got sent out :)
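The "databases of open-relay IPs" mentioned above are consulted over DNS: a receiving mail server reverses the octets of the connecting client's IP, prefixes them to the list's zone name, and treats an answer in 127.0.0.0/8 as "listed" and NXDOMAIN as "clean". The code below is an added example, not something from the thread or from any particular list operator; the zone name dnsbl.example and the stub resolver's contents are constructed so it runs offline, and the IPs come from the 192.0.2.0/24 documentation range.

```python
"""Added example: DNS-based blocklist (DNSBL) lookup for a connecting IP.
dnsbl.example and STUB_ZONE are constructed so this runs offline; for a live
query you would pass a real list's zone and leave resolve= at its default."""
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)             # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """Return the listing code (an address in 127.0.0.0/8) if ip is listed, else None.
    resolve(name) must return an address string or raise socket.gaierror when
    there is no record, which is what socket.gethostbyname does on NXDOMAIN."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return None                              # no record: not listed
    # Lists answer inside 127.0.0.0/8; anything else means a broken or
    # wildcarded zone, and treating it as "listed" would block everyone.
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise ValueError(f"unexpected DNSBL answer {answer} for {name}")
    return answer


# Constructed stub zone standing in for a real list during offline use:
# 192.0.2.10 is "listed" with code 127.0.0.2, every other name is NXDOMAIN.
STUB_ZONE = {"10.2.0.192.dnsbl.example": "127.0.0.2"}


def stub_resolve(name):
    """Offline stand-in for socket.gethostbyname over the constructed zone."""
    try:
        return STUB_ZONE[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


def relay_allowed(client_ip, zone, resolve=socket.gethostbyname):
    """Policy a receiving MTA might apply at connect time: refuse listed clients.
    The check goes against the TCP peer address, not anything in the headers,
    because that is the one value the client cannot write for itself."""
    return check_dnsbl(client_ip, zone, resolve) is None


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20"):
        print(ip, "listed as", check_dnsbl(ip, "dnsbl.example", stub_resolve))
```

The same query name construction, run against the IP recorded in a message's first Received line, is how a mail admin checks after the fact whether a relay that handled a message was already on a list at the time.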
     
  8. Kodo

    Kodo SNATCHSQUATCH

    OT:

    VLAD!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! welcome home!!! :)
    damn good to see ya son!
     
  9. mag00

    mag00 Sergeant

    No need for me to spam, I'm eventually going to have a legit business going where my emails are welcome.

    So as far as sending the email quite easy to get away with I guess.
    What's the point unless it is for money? In the above spoof, they are soliciting for credit info so they can go on spending sprees right?

    Is the space which holds the fictitious ebay page not traceable? Then why not just track that and get 'em? Yet I never hear in the news about anyone actually catching these guys. I remember a while back they caught one guy in California, but he was so shielded with corporate paperwork they couldn't touch him. They basically shut down an empty office with no real assets to go after.

    Ok, so just for grins, this is what I came up with for who is trying to profit off of the spoof. Best I can figure the place is in Amsterdam, then registered in France, then Network Solutions.

    I'm not sure where the Melbourne thing fits in, but it came up as a registrar also I think. (in Oz)

    Anyone come up with anything different or a better way to research?

    I just had a thought, if I had stolen info to register a name under, this could be anywhere right?

    I guess this is just a waste of time, huh, unless they are too stupid to cover their tracks.
    ***************************************
    amen-pro.com Back-order this name

    Registrant:
    AMEN (AMEN-PRO-DOM)
    12 Rond-point Des Champs-elysses
    PARIS 75008
    FR
    Domain Name: AMEN-PRO.COM
    Administrative Contact:
    AMEN (HFOXJWPYRO) amen@amen.fr
    12 Rond-point Des Champs-elysses
    PARIS 75008
    FR
    +33825280825 fax: +33146514951
    Technical Contact:
    AMEN (CNRCQDHXLO) internic@amen.fr
    12-14, rond point des Champs Elysees
    Paris, France 75008
    FR
    +33 892 55 66 77
    Record expires on 03-Oct-2006.
    Record created on 03-Oct-2001.
    Database last updated on 12-Mar-2004 19:20:01 EST.
    Domain servers in listed order:
    PARIS.AMEN.FR
    NS2.AMEN.FR 195.154.205.4


    [whois.melbourneit.com]

    Domain Name.......... melbourneit.com
    Creation Date........ 1999-04-05
    Registration Date.... 2000-05-23
    Expiry Date.......... 2013-04-05
    Organisation Name.... Melbourne IT Ltd
    Organisation Address. Level 2, 120 King Street
    Organisation Address.
    Organisation Address. Melbourne
    Organisation Address. 3000
    Organisation Address. Vic
    Organisation Address. AUSTRALIA

    Admin Name........... Account Manager
    Admin Address........ Level 2, 120 King Street
    Admin Address........
    Admin Address........ Melbourne
    Admin Address........ 3000
    Admin Address........ Vic
    Admin Address........ AUSTRALIA
    Admin Email.......... cdm@melbourneit.com
    Admin Phone.......... +61.386242465
    Admin Fax............

    Tech Name............ Account Manager
    Tech Address......... Level 2, 120 King Street
    Tech Address.........
    Tech Address......... Melbourne
    Tech Address......... 3000
    Tech Address......... Vic
    Tech Address......... AUSTRALIA
    Tech Email........... cdm@melbourneit.com
    Tech Phone........... +61.386242465
    Tech Fax.............
    Name Server.......... ns1.MelbourneIT.com.au
    Name Server.......... ns2.MelbourneIT.com.au
    Name Server.......... ns4.MelbourneIT.com.au


    Search results for: 195.154.205.4

    OrgName: RIPE Network Coordination Centre
    OrgID: RIPE
    Address: Singel 258
    Address: 1016 AB
    City: Amsterdam
    StateProv:
    PostalCode:
    Country: NL

    ReferralServer: whois://whois.ripe.net

    NetRange: 195.0.0.0 - 195.255.255.255
    CIDR: 195.0.0.0/8
    NetName: RIPE-CBLK3
    NetHandle: NET-195-0-0-0-1
    Parent:
    NetType: Allocated to RIPE NCC
    NameServer: NS.RIPE.NET
    NameServer: NS2.NIC.FR
    NameServer: SUNIC.SUNET.SE
    NameServer: AUTH03.NS.UU.NET
    NameServer: SEC1.APNIC.NET
    NameServer: SEC3.APNIC.NET
    NameServer: TINNIE.ARIN.NET
    Comment: These addresses have been further assigned to users in
    Comment: the RIPE NCC region. Contact information can be found in
    Comment: the RIPE database at http://www.ripe.net/whois
    RegDate: 1996-03-25
    Updated: 2003-09-19

    TechHandle: RIPE-NCC-ARIN
    TechName: RIPE NCC Hostmaster
    TechPhone: +31 20 535 4444
    TechEmail: search-ripe-ncc-not-arin@ripe.net

    OrgTechHandle: RIPE-NCC-ARIN
    OrgTechName: RIPE NCC Hostmaster
    OrgTechPhone: +31 20 535 4444
    OrgTechEmail: search-ripe-ncc-not-arin@ripe.net

    # ARIN WHOIS database, last updated 2004-03-11 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.
     
