The report for this spam can be found at: 2008 Phis Scam Edition.
Return-Path: <update@wachovia.com>
Received: from rslr-smtpout-2.cpwnetworks.com (62.24.218.34) by studio42.com
with ESMTP (Eudora Internet Mail Server 3.2.10) for <chris@studio42.com>;
Mon, 20 Oct 2008 08:58:17 -0700
Received: from wmsmtp.opaltelecom.net (HELO rslr-smtp-2.cpwnetworks.com)
([62.24.128.253]) by rslr-smtpout-2.cpwnetworks.com with ESMTP;
19 Oct 2008 19:33:22 +0100
Received: from [62.24.236.187] (helo=srv1.network-support.info) by
rslr-smtp-2.cpwnetworks.com with smtp (Exim 4.63) (envelope-from <update@wachovia.com>)
id 1KrcvN-0003Dy-Av; Sun, 19 Oct 2008 19:22:45 +0100
Received: from maweb-aat8cmm45 ([70.64.129.70]) by srv1.network-support.info
with hMailServer ; Sun, 19 Oct 2008 19:35:41 +0100
Message-ID: <BC7093AE-7CAC-4C02-90EB-9AB63B9AD8FD@srv1.network-support.info>
From: "Wachovia"<update@wachovia.com>
Subject: Please respond as soon as possible! Wachovia Bank.
Date: Sun, 19 Oct 2008 12:33:47 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
To: undisclosed-recipients:;
Dear Wachovia Bank Customer,
We recently noticed one or more attempts to log in to your Wachovia
account from a foreign IP address.
If you recently accessed your account while traveling, the unusual log
in attempts may have been initiated by you. However, if you did not
initiate the login's, we will have to limit your access to sensitive Wachovia account features.
Please respond as soon as possible!
http://message-alert-security-wachoviabank.com
If you have any trouble clicking the link, simply copy and paste the entire link
into your browser's address bar.
Changing your password is a security measure that will ensure that you
are the only person with access to the account.
Thanks for your patience as we work together to protect your account.
Sincerely,
The Wachovia Bank Team
----------------------------------------------------------------
Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your Wachovia account and choose the
"Help" link in the header of any page.
[studio42@flatus studio42]$ host 62.24.218.34
34.218.24.62.in-addr.arpa domain name pointer rslr-smtpout-2.cpwnetworks.com.
[studio42@flatus studio42]$ whois 62.24.218.34@whois.ripe.net
[whois.ripe.net]
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag
% Information related to '62.24.218.0 - 62.24.218.255'
inetnum: 62.24.218.0 - 62.24.218.255
netname: OPAL-DSL
tech-c: GD1052-RIPE
descr: Opal Telecom DSL Network
country: GB
admin-c: PM58-RIPE
tech-c: PM58-RIPE
status: ASSIGNED PA
mnt-by: OPAL-MNT
source: RIPE # Filtered
person: Phill Magill
address: Opal Telecommunications Plc
address: Northbank Industrial Estate
address: Irlam
address: Manchester
address: M44 5BL
address: United Kingdom
phone: +44 161 222-2000
fax-no: +44 161 222-2008
e-mail: pmagill@opaltelecom.co.uk
nic-hdl: PM58-RIPE
mnt-by: OPAL-MNT
source: RIPE # Filtered
person: Gavin Ditchfield
address: Opal Telecommunications Plc
address: Northbank Industrial Estate
address: Irlam
address: Manchester
address: M44 5BL
address: United Kingdom
phone: +44 161 222-2000
fax-no: +44 161 222-2008
e-mail: gditchfield@opaltelecom.co.uk
nic-hdl: GD1052-RIPE
mnt-by: OPAL-MNT
source: RIPE # Filtered
% Information related to '62.24.128.0/17AS13285'
route: 62.24.128.0/17
descr: Opal-Net Autonomous System
origin: AS13285
mnt-by: OPAL-MNT
source: RIPE # Filtered
Not a zombie. Looks like the message was relayed through one of their internal users, whose machine was zombied.
[studio42@flatus studio42]$ host 70.64.129.70
70.129.64.70.in-addr.arpa domain name pointer S0106000d88040d2d.ss.shawcable.net.
[studio42@flatus studio42]$ whois 70.64.129.70@whois.arin.net
[whois.arin.net]
OrgName: Shaw Communications Inc.
OrgID: SHAWC
Address: Suite 800
Address: 630 - 3rd Ave. SW
City: Calgary
StateProv: AB
PostalCode: T2P-4L4
Country: CA
ReferralServer: rwhois://rwhois.shawcable.net:4321/
NetRange: 70.64.0.0 - 70.79.255.255
CIDR: 70.64.0.0/12
NetName: SHAW-COMM
NetHandle: NET-70-64-0-0-1
Parent: NET-70-0-0-0-0
NetType: Direct Allocation
NameServer: NS7.NO.CG.SHAWCABLE.NET
NameServer: NS8.SO.CG.SHAWCABLE.NET
Comment:
RegDate: 2004-06-18
Updated: 2006-02-08
OrgAbuseHandle: SHAWA-ARIN
OrgAbuseName: SHAW ABUSE
OrgAbusePhone: +1-403-750-7420
OrgAbuseEmail: internet.abuse@sjrb.ca
OrgTechHandle: ZS178-ARIN
OrgTechName: Shaw High-Speed Internet
OrgTechPhone: +1-403-750-7428
OrgTechEmail: ipadmin@sjrb.ca
# ARIN WHOIS database, last updated 2008-10-19 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Nope. Zombie is on a different network.
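The trace above was done by reading the Received lines by hand. As an added example (not part of the original report), the Python below walks the same chain oldest-first, reports the first peer address, flags hops whose timestamps run backwards, and checks whether any relay belongs to the From: domain. The function names are this example's own, and the header continuation lines are re-indented so they parse as folded headers.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Trace headers copied from the message on this page; continuation lines are
# re-indented here so they parse as folded headers.
RAW = """\
Received: from rslr-smtpout-2.cpwnetworks.com (62.24.218.34) by studio42.com
 with ESMTP (Eudora Internet Mail Server 3.2.10) for <chris@studio42.com>;
 Mon, 20 Oct 2008 08:58:17 -0700
Received: from wmsmtp.opaltelecom.net (HELO rslr-smtp-2.cpwnetworks.com)
 ([62.24.128.253]) by rslr-smtpout-2.cpwnetworks.com with ESMTP;
 19 Oct 2008 19:33:22 +0100
Received: from [62.24.236.187] (helo=srv1.network-support.info) by
 rslr-smtp-2.cpwnetworks.com with smtp (Exim 4.63) (envelope-from <update@wachovia.com>)
 id 1KrcvN-0003Dy-Av; Sun, 19 Oct 2008 19:22:45 +0100
Received: from maweb-aat8cmm45 ([70.64.129.70]) by srv1.network-support.info
 with hMailServer ; Sun, 19 Oct 2008 19:35:41 +0100
From: "Wachovia"<update@wachovia.com>

"""
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def hops(raw):
    """Received hops, oldest first, as (peer_ip, receiving_host, timestamp)."""
    out = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        clause, _, stamp = " ".join(value.split()).rpartition(";")
        peer, _, receiver = clause.partition(" by ")
        ip = IPV4.search(peer)
        out.append((ip.group(0) if ip else None, receiver.split()[0],
                    parsedate_to_datetime(stamp.strip())))
    return out

def origin_ip(raw):
    """Peer address recorded by the first server to accept the message."""
    return hops(raw)[0][0]

def backwards_hops(raw):
    """Indexes of hops stamped earlier than the hop before them."""
    h = hops(raw)
    return [i for i in range(1, len(h)) if h[i][2] < h[i - 1][2]]

def sender_domain_relayed(raw):
    """True if any receiving host belongs to the domain in the From: header."""
    domain = re.search(r"@([\w.-]+)", message_from_string(raw)["From"]).group(1)
    return any(host.lower().endswith(domain.lower()) for _, host, _ in hops(raw))
```

Only the topmost Received line was written by the recipient's own server; everything below it is whatever the upstream hosts chose to record, so the backwards timestamp at the second hop is a reason to treat the hMailServer host's line with suspicion rather than proof of anything.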
On to the scammer's site:
[studio42@flatus studio42]$ host message-alert-security-wachoviabank.com
Host message-alert-security-wachoviabank.com not found: 2(SERVFAIL)
[studio42@flatus studio42]$ host message-alert-security-wachoviabank.com
;; connection timed out; no servers could be reached
[studio42@flatus studio42]$ whois message-alert-security-wachoviabank.com
[whois.crsnic.net]
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: MESSAGE-ALERT-SECURITY-WACHOVIABANK.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Status: ok
Updated Date: 20-oct-2008
Creation Date: 18-oct-2008
Expiration Date: 18-oct-2009
>>> Last update of whois database: Mon, 20 Oct 2008 12:07:56 EDT <<<
[whois.melbourneit.com]
Domain Name.......... message-alert-security-wachoviabank.com
Creation Date........ 2008-10-18
Registration Date.... 2008-10-18
Expiry Date.......... 2009-10-18
Organisation Name.... Betty Dempsey
Organisation Address. 103 W 2nd St
Organisation Address.
Organisation Address. Waxahachie
Organisation Address. 75165
Organisation Address. TX
Organisation Address. UNITED STATES
Admin Name........... Betty Dempsey
Admin Address........ 103 W 2nd St
Admin Address........
Admin Address........ Waxahachie
Admin Address........ 75165
Admin Address........ TX
Admin Address........ UNITED STATES
Admin Email.......... need0112@yahoo.com
Admin Phone.......... +1.2147553358
Admin Fax............
Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@yahoo-inc.com
Tech Phone........... +1.6198813096
Tech Fax.............
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com