critique of email from a phishing scammer

on 19.05.2006 20:15:15 by cheesiepoofs

got this email from a scammer.

anyone care to critique/analyze the methods
used here? (email address it was sent to is
marked as editedout@editedout.com)

Return-Path:
Received: from mtaout3.012.net.il (mtaout3.012.net.il [84.95.2.7])
 by mail.monmouth.com (8.13.6/8.13.6) with ESMTP id k4GEEoHZ014153
 for editedout@editedout.com; Tue, 16 May 2006 10:15:02 -0400
Received: from 84.94.98.3.cable.012.net.il ([84.94.98.3])
 by i_mtaout3.012.net.il (HyperSendmail v2004.12)
 with SMTP id <0IZD00E6M3DICBL0@i_mtaout3.012.net.il> for
 editedout@editedout.com; Tue, 16 May 2006 17:10:59 +0300 (IDT)
Received: from 83.64.72.184 (EHLO outmail2.ebay.com) (63.150.74.74)
 by mta596.mail.mud.yahoo.com with SMTP; Thu, 27 Apr 2006 23:46:37 -0700
Received: from cyoweb1 (cyoweb1 [172.29.1.10])
 by outmail2.ebay.com (8.11.2p1+Sun/) with SMTP id k6S8ioN01281 for
 sjtu34293@lycos.com; Fri, 28 Apr 2006 02:44:50 -0400 (EDT)
Date: Tue, 16 May 2006 20:14:27 +0500
From: "eBay Operator: 289"
Subject: NOTICE: Compromised Accounts - eBay - sjtu34293@lycos.com
X-Originating-IP: [200.13.238.236]
To: sjtu34293@lycos.com
Reply-to: "eBay Operator: 289"
Message-id: <689230567052.x2SrGXwg3T6p@outmail4.ebay.com>
MIME-version: 1.0
Content-type: multipart/alternative;
 boundary="Boundary_(ID_a/frkpHOHqJS9OmLiwUTzw)"
X-Priority: 3
Authentication-Results: mta504.mail.mud.yahoo.com from=unionpluscard.com;
 domainkeys=neutral (no sig)
X-Apparently-To: sjtu34293@lycos.com via 97.232.220.111; Thu,
 27 Apr 2006 23:46:38 -0700
X-Spam-Flag: no
X-IP: 147.176.123.113
X-UIDL: '0>!!C7%"!VV0!!Nm>!!
Status: RO

--Boundary_(ID_a/frkpHOHqJS9OmLiwUTzw)
Content-type: text/html
Content-transfer-encoding: 7BIT

D e a r sjtu34293@lycos.com ,

We reg ret to inf orm you tha t your eB ay ac count has bee n sus pended due
to con cerns we hav e for the saf ety and integ rity of the eB ay com munity.

Per the Us er Agre ement, Sec tion 9, we may im mediately is sue a warn ing,
tem porarily susp end, indef initely susp end or ter minate you r membe rship
and refu se to prov ide our ser vices to you if we bel ieve tha t your
actio ns may cau se financ ial lo ss or leg al liab ility for you, our users or
us. We may als o take these ac tions if we are una ble to ver ify or
aut henticate any in formation you pro vide to us.

Du e to the susp ension of this ac count, plea se be ad vised you are
proh ibited from using eB ay in any way. This in cludes the re gistering of a new ac count.

To rem ove your eB ay acco unt lim itations sig nin and co nfirm your reg istration.

href="http://www.nelsonkids%2E%63%6F%6D/gallery2/albums/albu mdb.htm?4E1Jekwn
IDjgCays45m2ctNuFThaNOKq6cpMkKmAmFPArmBvOVPk14JHZVuR9GwazlP3 QZYHhw3IUm8FhMCg
69oAVq075WFDCDz6xbcqhNcYij0QojlPp=%68%74%74%70%73%3A%2F%2F%7 3%69%67%6E%69%6E
%2E%65%62%61%79%2E%63%6F%6D%2F%65%42%61%79%49%53%41%50%49%2E %64%6C%6C%3F%53%
69%67%6E%49%6E%26%63%6F%5F%70%61%72%74%6E%65%72%49%64%3D=Hv9 BoUjq5CIaOq1d4sJ

u0Q5henZo8KwmmSIqtNNGbFNNu2isf8JeRxXfYaIfeqhc5lvXOu=">htt
href="http://www.nelsonkids%2E%63%6F%6D/gallery2/albums/albu mdb.htm?VsqDizKJ
W29ukbKUx2V1rMkqiwuua8YAU5L4waL5Ha8vBp3MqLT0BJ57P64EAjOg7yiN dbr3VN4Mumo2fLCi
K7k52ponXJGVGKvijvXWXnPpGoaPljwRl=%68%74%74%70%73%3A%2F%2F%7 3%69%67%6E%69%6E
%2E%65%62%61%79%2E%63%6F%6D%2F%65%42%61%79%49%53%41%50%49%2E %64%6C%6C%3F%53%
69%67%6E%49%6E%26%63%6F%5F%70%61%72%74%6E%65%72%49%64%3D=ciT BtQIy4t8B6KOC9FY
VF4XgFGoFN2Z0zB59cdipBBJyDveTp2ewL0aXtMiknreAEEjZiy=">p://ww
href="http://www.nelsonkids%2E%63%6F%6D/gallery2/albums/albu mdb.htm?HsrgSyIt
XYgBsQkFVzeSRMy1LR0io6GWxTek6yAtziOmAynZz5Oe3ZJMV3MBSCfL8DH0 PoPMEkrchGiweDgC
CNSaWn8hdR6PkvyE0Y4WkOZmTBEQGcFxv=%68%74%74%70%73%3A%2F%2F%7 3%69%67%6E%69%6E
%2E%65%62%61%79%2E%63%6F%6D%2F%65%42%61%79%49%53%41%50%49%2E %64%6C%6C%3F%53%
69%67%6E%49%6E%26%63%6F%5F%70%61%72%74%6E%65%72%49%64%3D=vgB 9p9IxlNwUkL1iFB8
onpaXkvzDPQ0CsB12Knjw3JcpWlw2AGIPPq8vt2gHMxHpmDr8ZZ=">w.eba
href="http://www.nelsonkids%2E%63%6F%6D/gallery2/albums/albu mdb.htm?i3NyhIvc
7OKo63a7VuLJsX340KgqUTNaeQ5enoXU1XyNkwkfjbT8DkyJWW14TDMVVmYv VjXysTq9fxPbbamT
yfhGjApH0BUikAM9SRrB3Ow3IqZLjDO20=%68%74%74%70%73%3A%2F%2F%7 3%69%67%6E%69%6E
%2E%65%62%61%79%2E%63%6F%6D%2F%65%42%61%79%49%53%41%50%49%2E %64%6C%6C%3F%53%
69%67%6E%49%6E%26%63%6F%5F%70%61%72%74%6E%65%72%49%64%3D=F7P Pxuz9t1rfhUIVNeU
iVDglvkrgRaHy2qAtU4f0fhoYN80TSQ67yEzuHT326AicYng7Hu=">y.com/ ws/eB
href="http://www.nelsonkids%2E%63%6F%6D/gallery2/albums/albu mdb.htm?SUHkQN5r
oWwrrcD7wnoxj1S0tAH6fMm3ayVjb2XHQ5E1T5dtcSu1a1mNe9MvscUK6b7b 2oYsDwPTMvRPMQoY
UHIYIXdghIx5xEjbjJFb6V3qMRROYbjAy=%68%74%74%70%73%3A%2F%2F%7 3%69%67%6E%69%6E
%2E%65%62%61%79%2E%63%6F%6D%2F%65%42%61%79%49%53%41%50%49%2E %64%6C%6C%3F%53%
69%67%6E%49%6E%26%63%6F%5F%70%61%72%74%6E%65%72%49%64%3D=YQa OfgqOGSQtNJF84ds
l741X5bTnY07PBlBLyyQnVs2PBI1bCbYacN6sYW704zjiMdADpH=">ayISAP
href="http://www.nelsonkids%2E%63%6F%6D/gallery2/albums/albu mdb.htm?qdrRu54i
XhZMAPIU8dbmYW3aHQYDez1yfbZG6TVybiNJe0x8WbJ3jrCW6e0QaBUOvrzI WwQWD0KqX9ZEb6HW
6oTERkjP6pxHPuyFNwsdPfx3XVGmtZ3s1=%68%74%74%70%73%3A%2F%2F%7 3%69%67%6E%69%6E
%2E%65%62%61%79%2E%63%6F%6D%2F%65%42%61%79%49%53%41%50%49%2E %64%6C%6C%3F%53%
69%67%6E%49%6E%26%63%6F%5F%70%61%72%74%6E%65%72%49%64%3D=AXH FXJdbW2Jbw4DeeSO
yb5DSwIoN5zLXvS3PxkoesfqXoKWABUzjwFyOR1WRslVABIHtgU=">I.dll. php?
href="http://www.nelsonkids%2E%63%6F%6D/gallery2/albums/albu mdb.htm?qsTcPDfm
0u6Ivi44AjOmr6aUVvxnsDZEZeBJFI3YF0pIWPmUcwvtJi1371wGYEN4aCWc yioHZBClphCDwLEe
YUwRwEji3435nETXHRyLOufuZ4eB76F29=%68%74%74%70%73%3A%2F%2F%7 3%69%67%6E%69%6E
%2E%65%62%61%79%2E%63%6F%6D%2F%65%42%61%79%49%53%41%50%49%2E %64%6C%6C%3F%53%
69%67%6E%49%6E%26%63%6F%5F%70%61%72%74%6E%65%72%49%64%3D=0kt cbPuGbx2ZAnVCUQC
i9QfS6SeulOaK5oGpes21LmS9gsDFXOzYc6NbQhq0gkKWM56O1i=">SignIn

Regards,

Safeharbo r Department
eB ay, Inc.

--Boundary_(ID_a/frkpHOHqJS9OmLiwUTzw)--
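
The two evasion tricks visible in the message above (a visible URL split across several anchors that all point at a percent-encoded host, and words broken up so that word-based filters miss them) can be checked mechanically. This is an added Python example, not part of any poster's message; `landing.example`, the query tokens and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in the shape of the message above: one visible URL split
# across two anchors, a percent-encoded host, and an encoded eBay sign-in URL
# carried as bait in the query string. "landing.example" and the tokens are
# placeholders, not values from the message.
HREF = ('http://www.landing%2E%65%78%61%6D%70%6C%65/a/b.htm?Zx81='
        '%68%74%74%70%73%3A%2F%2F%73%69%67%6E%69%6E%2E%65%62%61%79'
        '%2E%63%6F%6D%2F=Qq7')
SAMPLE_HTML = f'<a href="{HREF}">http://www.eb</a><a href="{HREF}">ay.com/SignIn</a>'
# Body line quoted from the message, with its intra-word breaks intact.
BODY = "We reg ret to inf orm you tha t your eB ay ac count has bee n sus pended due"

ANCHOR = re.compile(r'<a\s+href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def analyse_links(html):
    """Return the URL the reader sees and, per anchor, where it really goes."""
    anchors = ANCHOR.findall(html)
    shown = "".join(text for _, text in anchors)  # fragments rejoin on screen
    shown_host = urlsplit(shown).hostname
    findings = []
    for href, _ in anchors:
        parts = urlsplit(href)
        real_host = unquote(parts.hostname or "")  # decode %2E%63... in the host
        findings.append({
            "real_host": real_host,
            "host_encoded": "%" in parts.netloc,
            "bait_urls": re.findall(r"https?://[^\s=&]+", unquote(parts.query)),
            "mismatch": real_host != shown_host,
        })
    return shown, findings

def keyword_hits(text, keywords):
    """Per keyword: (found as a whole word, found after stripping whitespace)."""
    tokens = set(re.findall(r"[a-z]+", text.lower()))
    squashed = re.sub(r"\s+", "", text.lower())
    return {k: (k in tokens, k in squashed) for k in keywords}

if __name__ == "__main__":
    print(analyse_links(SAMPLE_HTML))
    print(keyword_hits(BODY, ["regret", "account", "suspended"]))
```

Matching on whitespace-stripped text also matches across genuine word boundaries, so it suits a scoring signal better than a hard block.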

Re: critique of email from a phishing scammer

on 19.05.2006 20:58:48 by unknown

Post removed (X-No-Archive: yes)

Re: critique of email from a phishing scammer

on 20.05.2006 01:33:38 by unruh

"cheesiepoofs" writes:

>got this email from a scammer.

>anyone care to critique/analyze the methods
>used here? (email address it was sent to is
>marked as editedout@editedout.com

So? It does not differ much from many other emails. What is it you want?
Words broken up so word based spam filtering does not work, fake addresses
given the actual address is to www.netsonkids.com ,....
It goes overboard on the breakup tricks.

Shows again why your mail reader should not interpret http code. Text only.








Re: critique of email from a phishing scammer

on 20.05.2006 13:45:16 by Frank Slootweg

Unruh wrote:
[deleted]

> Shows again why your mail reader should not interpret http code. Text only.

And it (Outlook Express) *can* do text-only. 'He' only has to instruct
it to do so (Tools -> Options.. -> Read -> V Read all message in plain
text). If, after perusing the text-only version, he decides it's safe
and he wants/needs to see the HTML rendered version, he can just do
Alt+Shift+H.

Re: critique of email from a phishing scammer

on 20.05.2006 18:05:03 by M Trimble

Sycho wrote:

> Today "cheesiepoofs" opened a dead sea
> scroll and found these words written therein..
>
>...
>
> In conclusion, the phishers just weren't clever in hiding themselves
> well. I'd contact both the web master of Nelson Kids and inform them
> that their email was taken over by phishers. I'd also send a copy of
> the email to eBay as well.

I have learned that with a bit of effort, using sites such as dexonline.com and
other local phone number resources, it's possible to locate a good phone
number for the ISP. From there, it's a simple matter of getting whoever at
that company is responsible for security. A simple phone call to that
person, offering trace logs tends to get a LOT more response than a simple
e-mail. Might not be a bad place to start.

Re: critique of email from a phishing scammer

on 22.05.2006 08:01:06 by Big Bad Bob

cheesiepoofs wrote:
> got this email from a scammer.
>
> anyone care to critique/analyze the methods
> used here? (email address it was sent to is
> marked as editedout@editedout.com



you might want to post this to news.admin.net-abuse.sightings and refer to it from
news.admin.net-abuse.email