The report for this spam can be found at: 2008 PHish Scam Edition.
Return-Path: <aviso@quiubi.it>
Received: from sefin.it (212.31.235.39) by studio42.com with SMTP (Eudora
Internet Mail Server 3.2.10) for <webmaster@studio42.com>;
Thu, 25 Dec 2008 09:12:11 -0800
Received: from [81.137.224.43] (account ftp HELO user) by sefin.it
(CommuniGate Pro SMTP 4.2.9) with ESMTP id 20976572; Thu, 25 Dec 2008 15:19:05 +0100
From: "Banca QUIUBI"<aviso@quiubi.it>
Subject: Caro cliente
Date: Thu, 25 Dec 2008 14:18:57 -0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0119_01C2A9A6.4C3FDFD6"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <auto-000020976572@sefin.it>
To: undisclosed-recipients:;
<html>
<style type="text/css">
<!--
.style1 {color: #D74600}
-->
</style>
<table cellpadding="4" cellspacing="0" border="0" width="100%">
<tr>
<td class="alt2" style="border:1px inset">
<div align="left"><img src="http://www.ubibanca.it/img/header/logo.gif"><br />
<br />
<font face="verdana"><font size="2">Caro cliente di <span class="style1">Banca QUIUBI</span>,</font></font><br />
</div>
<table> <tr> <td width="470"><font face="verdana"><font size="2">Per i motivi di sicurezza abbiamo sospeso il Vostro conto corrente, una misura di sicurezza progettata per contribuire a proteggere Voi ed il Vostro conto. Dovete riconfermare i Vs. dati riguardanti il conto corrente per ristabilire le funzionalità del vostro conto, e confermare quindi che non siete stati vittime di furto informatico.<br />
<br />
Dovete reinserire i Vs. dati alla seguente pagina per realizzare il processo di verifica.<br />
<br />
<a rel="nofollow" href="http://newconcept.co.il/content.asp?ContentId=598" target="_blank">https://www.quiubi.it/hb/login.do</a><br />
<br />
La ringraziamo per la Vostra cortese collaborazione. <br />
<span class="style1"><br />
</span>©Gruppo UBI Banca 2007<br>
P. I. 03053920165 <br />
<font face="verdana"><font size="2"><br /></font></font>
</font></font></td>
</tr></table>
</html>
[studio42@flatus studio42]$ host 212.31.235.39
39.235.31.212.in-addr.arpa domain name pointer mail.sefin.it.
[studio42@flatus studio42]$ whois 212.31.235.39@whois.ripe.net
[whois.ripe.net]
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '212.31.235.0 - 212.31.235.255'
inetnum: 212.31.235.0 - 212.31.235.255
netname: SEFIN-NET-1
descr: Sefin S.p.A.
descr: Milano , Italy
country: IT
admin-c: MA1509-RIPE
tech-c: SG1258-RIPE
tech-c: EZ101-RIPE
rev-srv: ns.it.col.net
rev-srv: ns2.it.colt.net
status: assigned PA
mnt-by: COLT-IT-MNT
source: RIPE # Filtered
person: Marco Alemanni
address: Colt Telecom SPA
address: Viale Jenner, 56
address: 20159 Milano
address: IT
phone: +39 02 303331
fax-no: +39 02 30333569
e-mail: marco.alemanni@colt-telecom.it
nic-hdl: MA1509-RIPE
source: RIPE # Filtered
person: Emiliano Zibbra
address: Colt Telecom S.p.A
address: Viale Jenner, 56
address: 20159 Milano
address: IT
phone: +39 02 303331
fax-no: +39 02 30333654
e-mail: emiliano.zibbra@colt-telecom.it
nic-hdl: EZ101-RIPE
source: RIPE # Filtered
person: Simone Grippa
address: V.le Zara, 10
address: 20159 Milano
address: IT
phone: +39 02 693651
nic-hdl: SG1258-RIPE
source: RIPE # Filtered
% Information related to '212.31.224.0/19AS8220'
route: 212.31.224.0/19
descr: COLT Internet IT
origin: AS8220
mnt-by: COLT-IT-MNT
source: RIPE # Filtered
Outgoing mail server located.
On to what may be the scammer:
[studio42@flatus studio42]$ host 81.137.224.43
43.224.137.81.in-addr.arpa domain name pointer host81-137-224-43.in-addr.btopenworld.com.
[studio42@flatus studio42]$ whois 81.137.224.43@whois.ripe.net
[whois.ripe.net]
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag
% Information related to '81.137.216.0 - 81.137.239.255'
inetnum: 81.137.216.0 - 81.137.239.255
remarks: *******************************************************
remarks: * Please send abuse reports to abuse@btopenworld.com *
remarks: *******************************************************
remarks: * USED FOR CUSTOMERS WITH SINGLE STATIC IP ADDRESSES *
remarks: *******************************************************
netname: BT-ADSL
descr: Single Static IP Addresses
country: GB
admin-c: BTOW1-RIPE
tech-c: BTOW1-RIPE
status: ASSIGNED PA
mnt-by: BTNET-MNT
mnt-lower: BTNET-MNT
mnt-routes: BTNET-MNT
source: RIPE # Filtered
role: BT OPENWORLD OPERATIONAL SUPPORT
address: BT
address: Openworld
address: UK
abuse-mailbox: abuse@btopenworld.com
admin-c: NPT14-RIPE
tech-c: DY128-RIPE
nic-hdl: BTOW1-RIPE
mnt-by: BTNET-MNT
source: RIPE # Filtered
% Information related to '81.128.0.0/11AS2856'
route: 81.128.0.0/11
descr: BT Public Internet Service
origin: AS2856
mnt-by: BTNET-MNT
source: RIPE # Filtered
% Information related to '81.128.0.0/12AS2856'
route: 81.128.0.0/12
descr: BT Public Internet Service
origin: AS2856
mnt-by: BTNET-MNT
source: RIPE # Filtered
If not the spammer, then the spam enabler. BTOpenworld has a proven history of not
responding to complaints.
On to the scammer site:
[studio42@flatus studio42]$ host newconcept.co.il
newconcept.co.il has address 74.53.118.115
[studio42@flatus studio42]$ whois 74.53.118.115@whois.arin.net
[whois.arin.net]
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 315 Capitol
Address: Suite 205
City: Houston
StateProv: TX
PostalCode: 77002
Country: US
ReferralServer: rwhois://rwhois.theplanet.com:4321
NetRange: 74.52.0.0 - 74.55.255.255
CIDR: 74.52.0.0/14
NetName: NETBLK-THEPLANET-BLK-14
NetHandle: NET-74-52-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate: 2006-02-17
Updated: 2008-02-28
RTechHandle: PP46-ARIN
RTechName: Pathos, Peter
RTechPhone: +1-214-782-7800
RTechEmail: admins@theplanet.com
OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: The Planet Abuse
OrgAbusePhone: +1-281-714-3560
OrgAbuseEmail: abuse@theplanet.com
OrgNOCHandle: THEPL-ARIN
OrgNOCName: The Planet NOC
OrgNOCPhone: +1-281-714-3555
OrgNOCEmail: noc@theplanet.com
OrgTechHandle: TECHN33-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-214-782-7800
OrgTechEmail: admins@theplanet.com
# ARIN WHOIS database, last updated 2008-12-24 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
On a spam-friendly provider. How convenient.
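The two checks this report performs by hand, reading the Received chain from the oldest hop up and comparing the link's visible text with its real href, as an added example that is not part of the original report. The sample is abridged from the message quoted above, and the function names are hypothetical.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, abridged from the message quoted on this page.
SAMPLE = '''Received: from sefin.it (212.31.235.39) by studio42.com with SMTP;
 Thu, 25 Dec 2008 09:12:11 -0800
Received: from [81.137.224.43] (account ftp HELO user) by sefin.it
 (CommuniGate Pro SMTP 4.2.9) with ESMTP id 20976572; Thu, 25 Dec 2008 15:19:05 +0100
From: "Banca QUIUBI"<aviso@quiubi.it>
Content-Type: text/html

<a rel="nofollow" href="http://newconcept.co.il/content.asp?ContentId=598" target="_blank">https://www.quiubi.it/hb/login.do</a>
'''

def relay_path(raw):
    """Hops as (claimed_name, ip, receiving_host), oldest first. Only the hop
    stamped by your own server is trustworthy; older ones can be forged."""
    hops = []
    for hdr in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(hdr.split())  # unfold continuation lines
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", text)
        ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", text)
        if m:
            hops.append((m.group(1).strip("[]"), ip.group(0) if ip else None, m.group(2)))
    return hops

class _Links(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.href, self.buf, self.links = None, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.buf = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self.href is not None:
            self.buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.buf).strip()))
            self.href = None

def deceptive_links(raw):
    """(shown_host, real_host) where the link text names a host other than href's."""
    parser = _Links()
    parser.feed(message_from_string(raw).get_payload())
    pairs = [(urlparse(t).hostname, urlparse(h).hostname) for h, t in parser.links if "://" in t]
    return [(s, r) for s, r in pairs if s and r and s != r]
```

On the sample, `relay_path` returns the 81.137.224.43 hop first and the sefin.it relay second, and `deceptive_links` reports the link that displays www.quiubi.it while pointing at newconcept.co.il.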