The report for this spam can be found at: 2008 Phish Scam Edition.
Return-Path: <webform@hsbc.co.uk>
Received: from x-svr.com (62.141.56.136) by studio42.com with ESMTP
(Eudora Internet Mail Server 3.2.10) for <webmaster@studio42.com>;
Fri, 3 Oct 2008 16:00:02 -0700
Received: from User ([193.213.31.96]) (authenticated bits=0) by x-svr.com
(8.12.11.20060308/8.12.11) with ESMTP id m93GLn6F023752;
Fri, 3 Oct 2008 18:21:50 +0200
Message-Id: <200810031621.m93GLn6F023752@x-svr.com>
Reply-To: <webform@hsbc.co.uk>
From: "HSBC Online Banking"<webform@hsbc.co.uk>
Subject: Security Measures !
Date: Fri, 3 Oct 2008 18:52:41 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0016_01C2A9A6.54125794"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
To: undisclosed-recipients:;
<img src="http://www.picamatic.com/show/2008/07/06/05/562620_453x88.GIF"></img>
<p><strong>Dear Customer,
<p>Because of unusual number of invalid login attempts<br>
on your account, we belive that, their might be some<br>
security problems on your account.<br>
So we decided to put an extra verification process to<br>
ensure your identity and account security.<br>
To continue the verification process and ensure your<br>
account security
<a href="http://57.204-78-194.adsl-fix.skynet.be/login.php">
Sign in to Internet Banking</a>.<br><br>
<p><b><font color="#333333" face="Arial" size="2">Thank
you for being a valued HSBC Bank client.</font></b><font color="#333333" face="Arial" size="2"><br>
<i>Security Advisor<br>
HSBC Bank </i></font>
[studio42@flatus studio42]$ host 62.141.56.136
136.56.141.62.in-addr.arpa domain name pointer ns.x-svr.com.
[studio42@flatus studio42]$ whois 62.141.56.136@whois.ripe.net
[whois.ripe.net]
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag
% Information related to '62.141.56.0 - 62.141.63.255'
inetnum: 62.141.56.0 - 62.141.63.255
netname: DE-KEYWEB-I
descr: Keyweb AG IP Network
country: DE
admin-c: KWAG-RIPE
tech-c: KWAG-RIPE
status: ASSIGNED PA
mnt-by: KEYWEB-MNT
source: RIPE # Filtered
person: Hostmaster Day
address: Keyweb AG
address: Neuwerkstr. 45/46
address: 99084 Erfurt
address: Germany
phone: +49-361-658530
abuse-mailbox: abuse@keyweb.de
fax-no: +49-361-6585366
nic-hdl: KWAG-RIPE
mnt-by: KEYWEB-MNT
source: RIPE # Filtered
% Information related to '62.141.48.0/20AS31103'
route: 62.141.48.0/20
descr: Keyweb AG IP Network
origin: AS31103
mnt-by: KEYWEB-MNT
source: RIPE # Filtered
Possibly the outgoing mail server. Highly probable.
On to what appears to be where it came from:
[studio42@flatus studio42]$ host 193.213.31.96
Host 96.31.213.193.in-addr.arpa not found: 3(NXDOMAIN)
[studio42@flatus studio42]$ whois 193.213.31.96@whois.ripe.net
[whois.ripe.net]
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '193.213.28.0 - 193.213.31.255'
inetnum: 193.213.28.0 - 193.213.31.255
netname: NO-TELENOR-NORGE-XDSL-CUSTOMERS-2-NET
descr: Telenor Norge xDSL customers
country: NO
admin-c: TBS-RIPE
tech-c: TBS-RIPE
status: ASSIGNED PA
remarks: INFRA-AW
mnt-by: TNXHM-MNT
source: RIPE # Filtered
irt: IRT-TELENOR
address: Abuse Response Team
address: Snarøyveien 31
address: 1331 Fornebu
address: Norway
signature: PGPKEY-D823A253
encryption: PGPKEY-D823A253
admin-c: TBS-RIPE
tech-c: TBS-RIPE
auth: PGPKEY-CD6DAD17
auth: PGPKEY-3AB6D28A
irt-nfy: abuse@telenor.net
mnt-by: TNXHM-MNT
source: RIPE # Filtered
role: TBS AS - Customer Internet Access
address: Telenor Telecom Solutions AS
address: Snaroyveien 30
address: NO-1331 Fornebu
address: Norway
phone: +47 67890000
abuse-mailbox: abuse@telenor.net
admin-c: EAO-RIPE
admin-c: OG-RIPE
admin-c: MARY-RIPE
tech-c: MZ-RIPE
tech-c: DAHL-RIPE
tech-c: MS16606-RIPE
tech-c: MHE12-RIPE
tech-c: FH1273-RIPE
nic-hdl: TBS-RIPE
mnt-by: TNXHM-MNT
source: RIPE # Filtered
% Information related to '193.212.0.0/14AS2119'
route: 193.212.0.0/14
descr: Telenor Networks AS, Norway
origin: AS2119
mnt-by: AS8210-MNT
source: RIPE # Filtered
% Information related to '193.213.0.0/16AS2119'
route: 193.213.0.0/16
descr: TELENOR-INTERNET
descr: Telenor Networks AS, Norway
origin: AS2119
mnt-by: AS8210-MNT
source: RIPE # Filtered
Possible, but it could be a zombie.
On to the scammer site:
[studio42@flatus studio42]$ host 57.204-78-194.adsl-fix.skynet.be
57.204-78-194.adsl-fix.skynet.be has address 194.78.204.57
[studio42@flatus studio42]$ whois 194.78.204.57@whois.ripe.net
[whois.ripe.net]
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag
% Information related to '194.78.204.0 - 194.78.204.255'
inetnum: 194.78.204.0 - 194.78.204.255
netname: BE-SKYNET-20011108
descr: ADSL-PRO
descr: Belgacom ISP SA/NV
country: BE
admin-c: SN2068-RIPE
tech-c: SN2068-RIPE
rev-srv: ns1.skynet.be
rev-srv: ns2.skynet.be
rev-srv: ns3.skynet.be
rev-srv: ns4.skynet.be
status: ASSIGNED PA
mnt-by: SKYNETBE-MNT
mnt-by: SKYNETBE-ROBOT-MNT
source: RIPE # Filtered
role: Skynet NOC administrators
address: Belgacom SA de droit public
address: ANS/ROC/RNO/IEC - TGX Building
address: Boulevard du Roi Albert II, 27
address: B-1030 Bruxelles
address: Belgium
phone: +32 2 202-4111
fax-no: +32 2 203-6593
abuse-mailbox: abuse@skynet.be
admin-c: BIEC1-RIPE
tech-c: BIEC1-RIPE
nic-hdl: SN2068-RIPE
remarks: ******************************************
remarks: Abuse notifications to: abuse@belgacom.be
remarks: Abuse mails sent to other addresses will be ignored !
remarks: ******************************************
remarks: Network problems to: noc@skynet.be
remarks: Peering requests to: peering@skynet.be
mnt-by: SKYNETBE-MNT
source: RIPE # Filtered
% Information related to '194.78.0.0/16AS5432'
route: 194.78.0.0/16
descr: SKYNETBE-CUSTOMERS
origin: AS5432
mnt-by: SKYNETBE-MNT
source: RIPE # Filtered
How god damn lame!
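The header reading done by hand above, as an added Python example (not part of the original report): it walks the Received chain of the message shown on this page, newest hop first, and lists links whose host lies outside the From domain. The function names are illustrative, and the sample is the page's own message with unrelated headers and body text trimmed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Headers and link copied from the message on this page (trimmed sample).
RAW = '''Received: from x-svr.com (62.141.56.136) by studio42.com with ESMTP
    (Eudora Internet Mail Server 3.2.10) for <webmaster@studio42.com>;
    Fri, 3 Oct 2008 16:00:02 -0700
Received: from User ([193.213.31.96]) (authenticated bits=0) by x-svr.com
    (8.12.11.20060308/8.12.11) with ESMTP id m93GLn6F023752;
    Fri, 3 Oct 2008 18:21:50 +0200
From: "HSBC Online Banking"<webform@hsbc.co.uk>

<a href="http://57.204-78-194.adsl-fix.skynet.be/login.php">
Sign in to Internet Banking</a>
'''

IP_RE = re.compile(r"[\(\[]+(\d{1,3}(?:\.\d{1,3}){3})[\)\]]+")
BY_RE = re.compile(r"\bby\s+(\S+)")

def received_hops(msg):
    """Return (sender_ip, receiving_host) per Received header, newest first."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        ip, by = IP_RE.search(flat), BY_RE.search(flat)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops

def link_hosts(msg):
    """Hostnames of every absolute href in the (single-part) body."""
    hrefs = re.findall(r'href="([^"]+)"', msg.get_payload())
    return [h for h in (urlparse(u).hostname for u in hrefs) if h]

def analyse(raw):
    msg = message_from_string(raw)
    hops = received_hops(msg)
    dom = re.search(r"@([\w.-]+)>", msg["From"]).group(1).lower()
    off = [h for h in link_hosts(msg) if h != dom and not h.endswith("." + dom)]
    # Only the top Received line was written by the recipient's own server;
    # every earlier hop is a claim made by the machine before it.
    return {"relay_ip": hops[0][0],
            "origin_ip": hops[-1][0],
            "from_domain": dom,
            "off_domain_links": off}

if __name__ == "__main__":
    print(analyse(RAW))
```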
Return-Path: <abuse@telenor.net>
Received: from greylin.nsc.no (193.213.112.58) by studio42.com with ESMTP
(Eudora Internet Mail Server 3.2.10) for <webmaster@studio42.com>;
Sun, 5 Oct 2008 11:14:59 -0700
Received: from martell.nsc.no (martell.nsc.no [148.122.46.133]) by
greylin.nsc.no (Postfix) with ESMTP id 6921011BC8;
Sat, 4 Oct 2008 22:03:02 +0200 (CEST)
Received: (from ha@localhost) by martell.nsc.no (8.9.3/8.9.3)
id WAA20294; Sat, 4 Oct 2008 22:03:02 +0200 (CEST)
From: Telenor Abuse Response Team <abuse@telenor.net>
To: Studio42 Webmaster <webmaster@studio42.com>
Cc: abuse@telenor.net
MIME-Version: 1.0
Message-ID: <20081004-5352.93382447853@telenor.net>
References: <989041530-1663654@studio42.com>
In-Reply-To: <989041530-1663654@studio42.com>
Content-Type: text/plain; charset="iso-8859-1"
Date: Sat, 04 Oct 2008 21:41:38 +0200
Subject: SPAM 00507-10-007: Security Measures !
Lines: 26
At 02:40 CEST 2008-10-04 Studio42 Webmaster <webmaster@studio42.com> wrote:
> [studio42@flatus studio42]$ host 62.141.56.136
> 136.56.141.62.in-addr.arpa domain name pointer ns.x-svr.com.
> [studio42@flatus studio42]$ whois 62.141.56.136@whois.ripe.net
> [whois.ripe.net]
> % This is the RIPE Whois query server #2.
> % The objects are in RPSL format.
> %
> % Rights restricted by copyright.
> % See http://www.ripe.net/db/copyright.html
>
> % Note: This output has been filtered.
> % To receive output for a database update, use the "-B" flag
>
> % Information related to '62.141.56.0 - 62.141.63.255'
We will inform our customer that they have an infected or relaying
system, and ask them to do something about it. Hopefully that
will be sufficient. We apologise for the inconvenience.
--
Abuse Response Team
abuse@telenor.net
Telenor