Deadbeats' Hall of Lame
2009 Phish Scam Edition

WARNING!

This page created on January 1, 2009 for 2009 Deadbeats

Subject: New notification from Barclays - Update immediately!
Date:        2/3/2009 02:08
Received:    2/3/2009 11:12
From:        Barclays, service@barclays.co.uk
Reply-To:    no.reply@barclays.co.uk
To:          undisclosed-recipients:;

See the spam

First phish scam of the year involving a blind server forwarding to another server.
Raping an Italian broadband idiot for the scammer site.

See the lookups

This is followed up by a pair of denials from the Italian ISP, who list unknown or
non-existant addresses in their whois, and from the netblock where the spam made
it's way onto the internet from.

See the denial
See the denial

Subject: Payment Information ATM Card
Date:        2/17/2009 09:51
Received:    2/17/2009 09:59
From:        Mr Samson Egobiah, sampsonegobiah11@gmail.com
Reply-To:    deskofficiall@albawaba.com
To:          undisclosed-recipients:;

See the spam

Based on new information, apparently this is the new phish scam trend.
Uses a Gmail drop for sending, but sends via Dutch rape from Benin.
Afrinic-listed ISP boasts a Yahoo drop. Spammer uses two other spam-friendly drops to try to
complete the scam.

See the lookups

Subject: mailbox has exceeded the storage limit
Date:        3/13/2009 07:47
Received:    3/13/2009 09:21
From:        d.banks@rgu.ac.uk

See the spam

This retard uses some UK abuse in order to spew lies about my account being over limit.
Odd, last I checked, I have NO LIMIT on this account of mine ON MY OWN SERVER.
Uses a Hotmail drop for trying to phish for data.

See the lookups
UPDATE: April 12, 2009

Took Hotmail almost a month to shut down this idiot.

See the lookups

Subject: Confermare i dati del Suo conto Online Banking 
Date:        3/15/2009 14:43
Received:    3/15/2009 14:39
From:        CartaSi S.p.A, cartasi_informa@cartasi.it

See the spam

Wow. UK involvement for an Italian phish scam based in the US. How the heck is this
gonna work? I only use accounts on my own server, AND are in English only? Stupid.
They just aren't trying anymore like they used to.

See the lookups

Subject: Confermare i dati del Suo conto Online Banking 
Date:        3/15/2009 15:07
Received:    3/15/2009 16:13
From:        CartaSi S.p.A, cartasi_informa@cartasi.it

See the spam

Repeat with the same UK rape, but different hijacking. Same scam, same site.
Sent to webmaster. Right, total idiots. And still in A HREF="italy.shtml">Italian.

See the lookups

SSubject: Hotmail Alert!!!
Date:        5/5/2009 13:52
Received:    5/5/2009 13:49
From:        Windows Live Team, arshad151@hotmail.com
Reply-To:    upgradeservive@live.com
To:          MUHAMMAD HUSSAIN, arshad151@hotmail.com

See the spam

Being sent to all Hotmail users? Really? I'm not a Hotmail user. Why do I get this?
Sent via Hotmail from a Nigerian. Really explains it well, doesn't it?
Just a lame phish plot.

See the lookups

Subject: Your Mailbox has been de-activated
Date:        5/12/2009 00:12
Received:    5/12/2009 10:26
From:        Square, James, James.Square@fwisd.org
To:          undisclosed-recipients:;

See the spam

Really? The administrator, who is me, according to this scam, shut down its own email
address and is being threatened that it may be removed and I have to email some other
idiot to bring it back. No, sorry. I'm just gonna move over to the mail server and go
directly do administrative stuff to it on my schedule, not some spammer's schedule.
School rape, Spanish drop.

See the lookups

The ARIN drop listed for the abused school is invalid, hence earning this denial

See the denial

Subject: Bank of America Alert: Confirm Your Online Banking Access
Date:        5/21/2009 17:45
Received:    5/22/2009 11:17
From:        Bank of America Alert, Service@orange.fr
To:          Chris Pickett, chris@studio42.com

See the spam

Bank of American phish scam. French ISP abuse via Orange, and Czech Republic for
scammer site. Not een remotely convincing since I don't have an account with this
bank.

See the lookups

Subject: Paypal Member Alert
Date:        5/28/2009 08:21
Received:    5/28/2009 08:38
From:        paypal.notify@50677.com, paypal.notify@50677.com
To:          Chris Pickett, chris@indiciumtechnologies.com

See the spam

Taiwan hosting of a fresh domain apparently created to enable phishing. Non-profit
abuse via Indian rape.

See the lookups

The Taiwan whois SWIP contact is not reachable. I guess complaints are easier to deal with
when they can't be received.

See the denial

Subject: YOU HAVE A PACKAGE
Date:        5/30/2009 07:00
Received:    5/30/2009 13:46
From:        fedexdeliveryoffice@btinternet.com, litehouseseafood@bellnet.ca
To:          ...@bellnet.ca

See the spam

Fake package scam that leads to ID theft. Nigerian origination, BellNexia enabled.

See the lookups

Subject: Account Alert
Date:        6/15/2009 03:03
Received:    6/15/2009 09:13
From:        paypal@70144.com, paypal@70144.com
To:          remved@studio42.com

See the spam

Sent to 3 innapropriate accounts via being sent to an invalid account.
Abused server is on Comcast, rape is via Saudi Arabia, scammer site is in Russia

See the lookups

Subject: Regarding Your Account
Date:        6/15/2009 02:52
Received:    6/15/2009 09:34
From:        paypal@53056.com, paypal@53056.com
To:          removed@studio42.com

See the spam

Russian Relay, Comcast zombie rape and Polish dynamic hosting rape.

See the lookups

Subject: Dear EDU.TR Account User
Date:        6/23/2009 10:02
Received:    6/23/2009 10:02
From:        Upgrade Team, dee@aristotle.net
Reply-To:    update.team1@9.cn
To:          info@upgrade.net

See the spam

Some idiot trying to tell me a non-existant account that I don't have is in some sort
of violation. Whatever. Coming via a network sitting on the dirty Qwest network.

See the lookups

Subject: Warning Storage quota full
Date:        7/13/2009 08:19
Received:    7/13/2009 08:51
From:        Pilar.LOPEZ@ec.europa.eu

See the spam

Idiot out of Luxembourg telling me my email account is full. Odd, I'm my own admin.
Israeli domain registered to a Hotmail drop box.

See the lookups

In a not totally convincing display, Hotmail wants to inform me that the Hotmail
drop I reported in the contact of a domain does not exist. That is a terms of
service violation for that domain registrar. Since Hotail doesn't mention deletion,
removal, shutting down or words to indicate an account having administrative actions
taken against it to remove it or shut it down, this counts as an action.

See the lookups

Subject: Warning Storage quota full
Date:        7/13/2009 21:49
Received:    7/13/2009 22:13
From:        Forster Fink Ruth, ruth.forster@bfh.ch
To:          Undisclosedrecipients:;

See the spam

Idiots raping Switzerland to direct me to domestically hosted forms to tell me lies
about my mail server. GoDaddy and Romanian registered domains and a slime trail. Web site hosted by ServInt.
Domain registered through Enom.com

See the lookups

Subject: Update Information
Date:        7/22/2009 20:28
Received:    7/22/2009 20:26
From:        mailbot@bankofamerica.com, Service@studio42.com

See the spam

Still don't have  Bank Of America account. Raped server for botted hosting.

See the lookups

Subject: Notification
Date:        7/24/2009 06:43
Received:    7/24/2009 09:44
From:        no-reply@fmb.com, do-not-reply@fmb-online.com
Reply-To:    do-not-reply@fmb.com
To:          undisclosed-recipients:;

See the spam

Bank account phish scam involving a freshly registered domain on Yahoo's network.
Privacy protected, for maximum criminal benefit. Triple rape(zombie sends to
misconfigured server that in turn forwards to another server for relay).

See the lookups

Subject: ATTENTION
Date:        7/28/2009 11:44
Received:    7/28/2009 13:00
From:        Schwantje, Helen  ENV:EX, Helen.Schwantje@gov.bc.ca
To:          admin@helpdesk.org

See the spam

Phish site hosted by ServInt, and registered to a Romanian. Clearly, ServInt has taken
no actual action against their abusive clients. Go figure. Repeat of this one.
Domain registered through Enom.com

See the lookups

Subject: Nell'ambito di un progetto di verifica dei data anagrafici 
Date:        8/9/2009 10:35
Received:    8/9/2009 12:48
From:        Banca Popolare Di Vicenza, servizi@popolarevicenza.it

See the spam

Lottery scam in Italian, bouncing off a blind British Server to send to an address
that clearly has no interest in this.

See the lookups

Subject: Scarica il documento per attivare!
Date:        8/10/2009 04:04
Received:    8/10/2009 11:02
From:        Banca Fideuram, servizi@fideuramonline.it

See the spam

British scam operations raping Australia. Spam in Italian and using an Italian
web site, despite the fact that it is hosted in Germany.

See the lookups

Subject: Scarica il documento per attivare!
Date:        8/10/2009 03:00
Received:    8/10/2009 11:45
From:        Banca Fideuram, servizi@fideuramonline.it

See the spam

British scam operations raping different server on the same ISP inAustralia. Spam in Italian and using an Italian
web site, despite the fact that it is hosted in Germany.

See the lookups

Subject:  Account Upgrade/Maintenance.
Date:        8/18/2009 07:09
Received:    8/28/2009 22:55
From:        Account Upgrade/Maintenance., helpdesk@webmail.com
Reply-To:    chungliproject5@yahoo.com.hk

See the spam

Retard bouncing of a Russian zombie to rape an Italian server with their
Yahoo Kong Kong account for retarded webmail phishing.
Owning my own server, I would think I would know when I'm doing maintenance.

See the lookups

Subject: Il tuo account e stato sospeso.
Date:        9/18/2009 04:05
Received:    9/18/2009 09:52
From:        Poste Italiene, info@s3-poste.net

See the spam

Australian rape via way of AT&T for a Yahoo protected site for this Italian scam.
Apparently I've gotten my own email account suspended. You'd think as my own
admin, I know of this sort of stuff.
Privacy protected domain registation is always suspicious.

See the lookups


Date:        9/18/2009 05:37
Received:    9/18/2009 09:54
From:        Poste Italiene, info@s3-poste.net

See the spam

Same as above, but relaying via COX through an AT&T zombie rape, for the same Yahoo site.
Privacy protected domain registration. Italian spam.

See the lookups

Subject: Your account information Security upgrade
Date:        9/25/2009 19:15
Received:    9/28/2009 14:33
From:        Alliance & Liecester, security.online@alliance-leicester.co.uk
To:          LIST OMITTED

See the spam

Pan Wei wei, apparently one of this years gang of Chinese Bejing Buttholes, rapes a
blind American server for fake bank account phishing.

See the lookups

The server operator is apparently fine with relaying spam and being a conduit for spam, but
appears personally they don't want to take complaints about the spam since the spam content
is apparently too much to handle. Denial firmly counted.

See the denial

Subject: Please Restore Your Accont Access
Date:        10/2/2009 02:12
Received:    10/2/2009 08:06
From:        PayPal Billing Department, info@hi5.com

See the spam

Italian zombie rape which goes through a server in Portugal to push a scam site listed on
ThePlanet.

See the lookups

Subject: Dear Email Owner
Date:        10/19/2009 21:08
Received:    10/19/2009 21:09
From:        Turner, Susan (ESC), TurnerS@edmonds.wednet.edu
To:          info@helpdesk.org

See the spam

I"m apparently over my email quota again. Sort of lame since I admin my own box and
set no quota for myself.
Phish site on ThePlanet on a domain registered via GoDaddy with a Gmail drop.
School rape.

See the lookups

Subject: Dear Webmail Account User
Date:        10/22/2009 16:39
Received:    10/23/2009 09:00
From:        Woodall, Hannah R, hwoodall@HSD401.org
To:          upgrade@itweb.org

See the spam

Blind rape of a school server to try to tell me my account is almost over quota, which
is clearly impossible here.

See the lookups

Subject: Dear Webmail Account User
Date:        10/31/2009 11:31
Received:    10/31/2009 11:33
From:        Miltner, Jacqueline, jm400405@ohio.edu
To:          upgrade@itweb.org, upgrade@itweb.org

See the spam

Abuse of internal Hotmail resources hides the tracks of this idiot who is telling me
that my non-existant webmail is almost over-quota. Dude, I manage my own server, this
crap ain't ever going to work!

See the lookups

While I'm not pleased at the speed at which action is being taken, it appears right now
that action will be taken by the idiots in charge of the machine since their ISP is putting
pressure on them now. I expected a positive outcome.

See the action

Subject: Webmail helpdesk
Date:        11/9/2009 06:22
Received:    11/9/2009 10:15
From:        McDonald, Stephen, Stephen.McDonald@khnetwork.org
To:          info@notice.com

See the spam

More nuisance from spammers using formmailhosting.com, which lives on ThePlanet and
is registered via GoDaddy with a Gmail drop. Server abuse enabled the sending of this
garbage.

See the lookups

Subject: Webmail helpdesk 
Date: Mon, 9 Nov 2009 22:41:13 +01
Date:        11/9/2009 13:41
Received:    11/9/2009 14:56
From:        Sanz, D. (David), D.Sanz@uu.nl
To:          info@notice.com

See the spam

Another fake "webmail over quota" scam. Dutch rape.

See the lookups

Subject: Dear Email user
Date:        11/9/2009 13:44
Received:    11/9/2009 15:28
From:        Sanz, D. (David), D.Sanz@uu.nl
To:          info@notice.com

See the spam

This repeat of the above gives me filter information that pertains to multiple
spams today. Dutch rape.

See the lookups

Subject: Someone Tried To Access Your Account
Date:        11/27/2009 10:59
Received:    11/27/2009 11:19
From:        PayPal, nekwhv@customerscares.com

See the spam

All compromised machines, from the zombie, to the outgoing server in the Philipines 
and then the web site.

See the lookups

Subject: New Alert Message
Date:        12/7/2009 10:07
Received:    12/7/2009 10:15
From:        Paypal.com, mmmsd@ppla.com
To:          undisclosed-recipients:;

See the spam

Paypal Phish scam. Appears to originate via a network on Qwest.

See the lookups