The report for this spam can be found at: 2008 Phish Scam Edition.
Received: from jlucas.han-solo.net (83.138.65.120) by studio42.com with
ESMTP (Eudora Internet Mail Server 3.2.10) for <webmaster@studio42.com>;
Thu, 20 Nov 2008 21:29:49 -0800
Received: from User ([217.10.144.118])
(authenticated bits=0)
by jlucas.han-solo.net (8.13.6/8.13.6) with ESMTP id mAL5RDMp014453;
Fri, 21 Nov 2008 06:27:17 +0100
Message-Id: <200811210527.mAL5RDMp014453@jlucas.han-solo.net>
Reply-To: <aw-fraud@hsbc.co.uk>
From: "customerservice@hsbc.co.uk"<aw-fraud@hsbc.co.uk>
Subject: warning message !
Date: Thu, 20 Nov 2008 23:27:51 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_010C_01C2A9A6.6C2CFB02"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
This is a multi-part message in MIME format.
------=_NextPart_000_010C_01C2A9A6.6C2CFB02
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
www.abbey.co.uk
------=_NextPart_000_010C_01C2A9A6.6C2CFB02
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
<td><img src="http://www.hsbc.co.uk/1/themes/html/hsbc_ukpersonal/images/hsbc_logo_only.gif"
<P><FONT face=Verdana size=2><STRONG>Dear valued
HSBC Customer,</STRONG> </FONT></P>
<P align=left><FONT face=Verdana size=2>We recently have determined
that different computers have logged into your<br>HSBC Online
Banking account,and multiple password failures were present before the
logons.<br>We now need you to log into your account and verify your
account activity.<BR> ccount we have issued this warning
message.</FONT></P><P><FONT face=Verdana size=2>It has come to our
attention that your HSBC Online Banking account information needs
to be <BR>
reactivated as part of our continuing commitment to
protect your account and to <BR>reduce the instance of fraud on our
website in this new Season.<br>Once you have reactivated your account
records your HSBC account<BR> service will not be interrupted and
will continue as normal.
</FONT></P>
<P><FONT face=Verdana size=2>To reactivate your
HSBC Online Banking Account click on the following link: <BR>
</FONT><A
href="http://static-ip-86-239-104-152.anlai.com/login.php"
target=_blank><FONT
face=Verdana color=#003399
size=2>Sign In to Internet Banking
</FONT></A></P>
<P><FONT face=Verdana size=2>Thank You.</FONT></P>
<P><FONT face=Verdana size=1>Accounts Management
As outlined in our
User Agreement, HSBC will <BR>
periodically send you information about site
changes and
enhancements. </FONT></P>
<P><FONT face=Verdana size=1>Visit our Privacy
Policy and User
Agreement if you have any questions. <BR>
</FONT><FONT face=Verdana color=#003399
size=1>http://hsbc.co.uk/help
/index.html </FONT></A></P>
</DIV>
------=_NextPart_000_010C_01C2A9A6.6C2CFB02--
[studio42@flatus counter]$ host 83.138.65.120
120.65.138.83.in-addr.arpa domain name pointer jlucas.han-solo.net.
[studio42@flatus counter]$ whois 83.138.65.120@whois.ripe.net
[whois.ripe.net]
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '83.138.64.0 - 83.138.79.255'
inetnum: 83.138.64.0 - 83.138.79.255
netname: HOSTNET-NOC2
descr: hostNET Medien GmbH
country: DE
admin-c: SJ3530-RIPE
tech-c: SJ3530-RIPE
status: ASSIGNED PA
mnt-by: KSD-MNT
mnt-routes: KSD-MNT
source: RIPE # Filtered
person: Sebastian Jaeschke
address: Osterdeich 107
address: 28205 Bremen
address: Deutschland
phone: +49 421 379660
fax-no: +49 421 3796611
e-mail: sjaeschke@hostnet.de
nic-hdl: SJ3530-RIPE
mnt-by: KSD-MNT
source: RIPE # Filtered
% Information related to '83.138.64.0/22AS34895'
route: 83.138.64.0/22
descr: HOSTNET-NOC2
origin: AS34895
mnt-by: KSD-MNT
source: RIPE # Filtered
% Information related to '83.138.64.0/21AS34895'
route: 83.138.64.0/21
descr: HOSTNET-NOC2
origin: AS34895
mnt-by: KSD-MNT
source: RIPE # Filtered
Abused ISP spotted.
User is:
[studio42@flatus counter]$ host 217.10.144.118
Host 118.144.10.217.in-addr.arpa not found: 3(NXDOMAIN)
[studio42@flatus counter]$ whois 217.10.144.118@whois.ripe.net
[whois.ripe.net]
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '217.10.144.0 - 217.10.145.255'
inetnum: 217.10.144.0 - 217.10.145.255
netname: UKSHELLS
descr: UKShells www.ukshells.com
country: GB
admin-c: US5708-RIPE
tech-c: US5708-RIPE
status: ASSIGNED PA
mnt-by: UKS-MNT
source: RIPE # Filtered
role: UKSolutions Support
address: UKSolutions Network Operations Centre
address: UKS Limited
address: Birmingham Road
address: Studley
address: Warwickshire
address: B80 7BG
address: UNITED KINGDOM
remarks: ------------------------------------------------
remarks: Please do NOT e-mail abuse to the contacts given
remarks: here, e-mail them to abuse@uksolutions.co.uk
remarks: ------------------------------------------------
remarks: Information: http://www.uksolutions.co.uk/
remarks: ------------------------------------------------
remarks: ** Please contact by E-Mail ONLY ***
remarks: ------------------------------------------------
admin-c: DWL1-RIPE
tech-c: DWL1-RIPE
tech-c: TA975-RIPE
tech-c: PS7995-RIPE
nic-hdl: US5708-RIPE
mnt-by: UKS-MNT
source: RIPE # Filtered
abuse-mailbox: abuse@uksolutions.co.uk
% Information related to '217.10.128.0/19AS20547'
route: 217.10.128.0/19
descr: UKSOLUTIONS-217.10.128/19
origin: AS20547
mnt-by: UKS-MNT
source: RIPE # Filtered
Right here.
Scammer site:
[studio42@flatus counter]$ host static-ip-86-239-104-152.anlai.com
static-ip-86-239-104-152.anlai.com has address 152.104.239.86
[studio42@flatus counter]$ whois 152.104.239.86@whois.apnic.net
[whois.apnic.net]
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 152.104.0.0 - 152.104.255.255
netname: HONGKONG-NET
descr: imported inetnum object for HKI
country: HK
admin-c: NC30-AP
tech-c: NC30-AP
status: ALLOCATED PORTABLE
remarks: ----------
remarks: imported from ARIN object:
remarks:
remarks: inetnum: 152.104.0.0 - 152.104.255.255
remarks: netname: HONGKONG-NET
remarks: org-id: HKI
remarks: status: assignment
remarks: rev-srv: NS1.DIYIXIAN.COM
NS2.DIYIXIAN.COM
remarks: tech-c: NC260-ARIN
remarks: reg-date: 1991-07-30
remarks: changed: hostmaster@arin.net 20010925
remarks: source: ARIN
remarks:
remarks: ----------
notify: nathan.chow@dyxnet.com
mnt-by: APNIC-HM
changed: hostmaster@arin.net 20010925
changed: hm-changed@apnic.net 20040926
changed: hm-changed@apnic.net 20040224
changed: hm-changed@apnic.net 20041214
source: APNIC
person: Nathan Chow
address: Diyixian.com Ltd.
2705-2710 Prosperity Ctr., 25 Chong
Yip St.
country: HK
phone: +852-21877600
e-mail: nathan.chow@dyxnet.com
nic-hdl: NC30-AP
remarks: ----------
remarks: imported from ARIN object:
remarks:
remarks: poc-handle: NC260-ARIN
remarks: is-role: N
remarks: last-name: Chow
remarks: first-name: Nathan
remarks: street: Diyixian.com Ltd.
2705-2710 Prosperity Ctr., 25 Chong
Yip St.
remarks: country: HK
remarks: mailbox: nathan.chow@dyxnet.com
remarks: bus-phone: +852-21877600
remarks: reg-date: 2001-08-30
remarks: changed: hostmaster@arin.poc 20010925
remarks: source: ARIN
remarks:
remarks: ----------
notify: nathan.chow@dyxnet.com
mnt-by: MNT-ERX-HKINTERNET-NON-HK
changed: hostmaster@arin.poc 20010925
changed: hm-changed@apnic.net 20040224
source: APNIC