
Your Webmail Provider phish on a zombie domain

All times are UTC - 5 hours [ DST ]

 [ 2 posts ] 
Posted: Sat Sep 12, 2009 11:15 am
Spammer Exterminator

Joined: Mon Feb 26, 2007 11:13 pm
Posts: 1132
Found the following email:
Return-Path: <[email protected]>
Received: from ( [])
        by x (8.13.6/8.13.6) with ESMTP id n8CCPDZR029294
        for <[email protected]>; Sat, 12 Sep 2009 08:25:16 -0400
Received: (qmail 27364 invoked by uid 33); 12 Sep 2009 12:46:26 -0000
Date: 12 Sep 2009 12:46:26 -0000
Message-ID: <[email protected]>
To: spurious
From: "[email protected]" <[email protected]>
Reply-To: [email protected]
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
X-SpamBouncer: 2.2 (04/16/06)
X-SBNote: From Admin
X-SBRule: Received IP: is in no-more-funn (spam sources)
X-SBNote: Spamcop Standard Report submitted.
X-SBClass: Spam
X-Folder: Spam


A new email server with secure E-mail has been implemented and configuration to replace old CS email server. As a result, we are shutting down your account.

To confirm your active/inactive account you, are required to send us your E-mail account details listed below for verification. These information would be needed to verify your account and to avoid being shut down;

Click on reply and fill the information below correctly.

* Email:
* User name:
* Password:
* Password Again:
* Date of Birth:

Warning!!! All account owner are advised to follow this instruction immediately to avoid loosing your email account permanently.

Thanks for your understanding!

                 .:: WEBMAIL ADMINISTRATOR::.

The sending network is bogus and blocklisted, but the Reply-to network is particularly interesting:
$ dig mx         

; <<>> DiG 9.2.3rc4 <<>> mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22711
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;            IN      MX

;; ANSWER SECTION:     86400   IN      MX      10     86400   IN      MX      5

;; AUTHORITY SECTION:     172724  IN      NS     172724  IN      NS

;; Query time: 121 msec
;; WHEN: Sat Sep 12 10:52:21 2009
;; MSG SIZE  rcvd: 137

These four hosts are on four entirely different networks:

$ host has address
$ host has address
$ host has address
$ host has address (

mail2world, Inc SAVV-S265634-1 (NET-209-67-128-0-1)

Reported to SAVVIS, though I don't expect much to come of that.

Only on our site you will find a SPICE under the comprehensible prices!

Posted: Sat Sep 12, 2009 2:01 pm
Site Admin

Joined: Tue May 09, 2006 9:18 am
Posts: 5022
 is another freemail provider. Numerous 419 spammers use mail2world addresses as an alternative to both GMail and Hotmail, both of whom have become far more efficient at shutting down accounts used in 419 scams. is not a malicious domain.

ADD: you can report this message by emailing: [email protected]
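
Added example, not written by either poster: a Python check for the traits discussed in this thread, namely a Reply-To domain that differs from the From domain, a Reply-To on a freemail provider, and a blank credential form in the body. The sample message is constructed with reserved example domains (the real addresses are redacted above), and the function names and the caller-supplied freemail list are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted in the first post; all
# addresses use reserved example domains because the originals are redacted.
SAMPLE = """\
Return-Path: <www-data@sender.example.net>
From: "admin@webmail.example.org" <admin@webmail.example.org>
Reply-To: verify.desk@freemail.example.com
Content-Type: text/plain

Click on reply and fill the information below correctly.

* Email:
* User name:
* Password:
* Password Again:
"""

# A line that is only a label asking for a credential, with nothing after the colon.
CRED_FIELD = re.compile(r"^\W*(user ?name|password|passwd|pin)\b[^:\n]*:\s*$", re.I | re.M)

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def reply_phish_findings(raw, freemail_domains=frozenset()):
    """List the reply-based credential phish traits found in one raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")   # replies leave the claimed sender's domain
    if reply_dom in freemail_domains:
        findings.append("reply-to-freemail")          # list is supplied by the caller
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""  # multipart bodies are skipped here
    if len(CRED_FIELD.findall(body)) >= 2:
        findings.append("credential-form-in-body")
    return findings
```

A mismatch alone is common in legitimate mailing-list and helpdesk mail, so the findings are meant to be scored together rather than acted on individually.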

