
Coca-cola Payed Survey


All times are UTC - 5 hours [ DST ]


Posted: Sat Aug 28, 2010 7:53 pm
Spam Reporter
Joined: Sat Jun 13, 2009 11:34 pm
Posts: 140
The top level of the site is open and there is a log dir with log info.
Fill out the survey and you go to a page wanting to steal your CC info.


http://cbl.abuseat.org/lookup.cgi?ip=81 ... mit=Lookup = SendSafe bot net

Which has been spewing spam for a few weeks now.
The mail box was created & harvested recently and has only one spammer in it.


Return-Path: <[email protected]>
Received: from console.nzart.org.nz (red.nzart.org.nz [202.191.43.86])
by bencom.co.nz (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o7SNU2KG000705
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
for <[email protected]>; Sun, 29 Aug 2010 11:30:05 +1200
Received: from mail.wptb.com (mail.wptb.com [216.7.131.2])
by console.nzart.org.nz (Postfix) with ESMTP id 539A25FF1F
for <[email protected]>; Sun, 29 Aug 2010 11:30:01 +1200 (NZST)
Received: from host81-149-137-229.in-addr.btopenworld.com [81.149.137.229] by mail.grogans.com with SMTP;
Sat, 28 Aug 2010 19:27:35 -0400
From: "Coca-Cola"<[email protected]>
Subject: Coca-cola Payed Survey
Date: Sun, 29 Aug 2010 00:28:11 +0100
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <[email protected]>
To: undisclosed-recipients:;
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.4 with clamscan / ClamAV 0.96.1/11728/Sun Aug 29 02:29:20 2010

<HTML>
<HEAD>
<TITLE>Coca-Cola Survey</TITLE>
</HEAD>
<BODY style="font-family: Arial; font-size: 12px;">
<TABLE border=0 width="590px">
<TR>
<TD><b>Dear Coca-Cola's client,<BR><BR>
Drive Thru for a chance to <font color="#CC0000">WIN</font> one of <font color="#CC0000">6</font> stylish Honda CR-V's (one a week for 6 weeks).<BR><font color="#CC0000">PLUS</font> one of 24 Caltex StarCash $100 petrol cards every day.<BR>It's simple! Click the image bellow and complete the steps. And by doing this you are officially the winner of $50 - <font color="#CC0000">GUARANTEED</font>.<p><center><a href="http://www.datachecksite.com/coca-cola.survey/"><img src="http://img844.imageshack.us/img844/8307/100x45mycokepromothumbe.jpg" border="0"></a></center></p><BR>Individuals <font color="#CC0000">must</font> be 18 years old or over to enter competition.<BR>Terms and Conditions Applied By Coca-Cola's®.<p>Your opinion matters to us,<BR>Coca-Cola's Team.</p>

</TD>
</TR>
</TABLE>
</BODY>
</HTML>


Posted: Sun Aug 29, 2010 12:32 pm
Spammer Killing Machine
Joined: Sun Jun 13, 2010 5:22 pm
Posts: 528
I've asked the people at phishtank.com what they think of that "survey" at datachecksite.com, which is running on the Yahoo network.

http://www.phishtank.com/phish_detail.php?phish_id=1040888

_________________
Home is where the heart is / No matter how the heart lives.


Posted: Sun Aug 29, 2010 1:21 pm
You are kiillllling-a my bizinisss!
Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
NotBuyingIt wrote:
I've asked the people at phishtank.com what they think of that "survey" at datachecksite.com, which is running on the Yahoo network.

http://www.phishtank.com/phish_detail.php?phish_id=1040888


Actually "the people at phishtank.com" is us, anyone who has registered to submit votes on whether a site is phish or legit.

This one was registered two days ago and only for one year, so it's not a tough call:
Quote:
Domain Name: datachecksite.com

Expiration Date: 2011-08-27
Creation Date: 2010-08-27
Last Update Date: 2010-08-27


You can register to submit and vote on sites at phishtank here:
http://www.phishtank.com/register.php
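
The registration-age check described in the post above, as an added example that is not part of the original thread: it compares the WHOIS dates quoted in the post with the Date header of the reported message and flags a linked domain that was registered days before the mailing for a one-year term. The function names, the 30-day threshold and the WHOIS text layout are assumptions; the WHOIS record and the trimmed message are constructed from values shown on this page.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample: WHOIS fields as quoted in the thread.
WHOIS_TEXT = """Domain Name: datachecksite.com
Expiration Date: 2011-08-27
Creation Date: 2010-08-27
Last Update Date: 2010-08-27
"""

# Constructed sample: trimmed copy of the reported message (headers + HTML body).
RAW_MESSAGE = """Subject: Coca-cola Payed Survey
Date: Sun, 29 Aug 2010 00:28:11 +0100
MIME-Version: 1.0
Content-Type: text/html; charset="Windows-1251"

<HTML><BODY><a href="http://www.datachecksite.com/coca-cola.survey/">
<img src="http://img844.imageshack.us/img844/8307/100x45mycokepromothumbe.jpg"></a>
</BODY></HTML>
"""

def parse_whois_dates(text):
    """Map 'creation'/'expiration' to dates from 'X Date: YYYY-MM-DD' lines."""
    pairs = re.findall(r"^(Creation|Expiration) Date:\s*(\d{4}-\d{2}-\d{2})", text, re.M)
    return {key.lower(): date.fromisoformat(value) for key, value in pairs}

def link_hosts(raw):
    """Return the parsed message and the hosts of its clickable (href) links."""
    msg = message_from_string(raw)
    hrefs = re.findall(r'href\s*=\s*["\']?([^"\'\s>]+)', msg.get_payload(), re.I)
    hosts = {urlparse(h).hostname for h in hrefs}
    return msg, sorted(h for h in hosts if h)

def assess(raw, whois_text, domain, max_age_days=30):
    """Flag a linked domain that is very young and registered for one year or less."""
    msg, hosts = link_hosts(raw)
    sent = parsedate_to_datetime(msg["Date"]).date()
    w = parse_whois_dates(whois_text)
    age = (sent - w["creation"]).days          # days between registration and mailing
    term = (w["expiration"] - w["creation"]).days
    linked = any(h == domain or h.endswith("." + domain) for h in hosts)
    return {"linked": linked, "age_days": age, "term_days": term,
            "suspicious": linked and 0 <= age <= max_age_days and term <= 366}
```
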


Posted: Sun Aug 29, 2010 1:58 pm
Spam Reporter
Joined: Fri Aug 25, 2006 7:48 pm
Posts: 121
I went to the website and it's no longer active. 404 error for http://www.datachecksite.com/coca-cola.survey

_________________
You yet did not try SPICE? Not the SPAM!!!


Posted: Sun Aug 29, 2010 4:24 pm
Spam Reporter
Joined: Sat Jun 13, 2009 11:34 pm
Posts: 140
I have left the email address unmunged as it is now closed.
It was harvested from nanae along with this one...

Aug 30 01:52:37 bencom sm-mta[17541]: o7TDqZw1017541: ruleset=check_rcpt, arg1=<[email protected], relay=host86-139-209-41.range86-139.btcentralplus.com [86.139.209.41], reject=553 5.1.8 <[email protected]>... Domain of sender address [email protected] does not exist

So we have the same scammer harvesting addresses from nanae and infoline, an amateur radio E newsletter.

The spam has already been identified as coming from the send safe bot net.

I have no doubt who this is. Can I ask the board admin to check accesses to this thread.
For your private investigation just in case that shows anything. As I have said before about joe jobs against anti's there is something very familiar about this...

From - Mon Aug 23 02:29:27 2010
X-Account-Key: account3
X-UIDL: jO,!!(kc"!5F*#!YU,"!
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <[email protected]>
X-Spam-CN: Bencom Ltd
X-Spam-ASN: AS6983 97.67.164.0/23
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on bencom.co.nz
X-Spam-Level:
X-Spam-Status: No, score=0.1 required=5.0 tests=RDNS_NONE shortcircuit=no
autolearn=no version=3.2.5
Received: from itmtoner.com ([97.67.164.157])
by bencom.co.nz (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o7MEQKmn006019
for <[email protected]>; Mon, 23 Aug 2010 02:26:22 +1200
Received: from [192.168.0.6] ([94.0.127.122] RDNS failed) by itmtoner.com with Microsoft SMTPSVC(6.0.3790.4675);
Sun, 22 Aug 2010 10:26:10 -0400
Date: Sun, 22 Aug 2010 15:26:10 +0100
Mime-version: 1.0
Subject: REF:ZI0010-GB0NSW
From: "=?ISO-8859-1?Q?=A92010.Coca-Cola_Great_Britain?=" <[email protected]>
To: spamtrap <[email protected]>
Message-Id: <[email protected]>
Reply-To: [email protected]
Original-recipient: rfc822;[email protected]
Content-type: text/plain; charset="ISO-8859-1"; format=flowed
Content-transfer-encoding: quoted-printable
X-OriginalArrivalTime: 22 Aug 2010 14:26:17.0005 (UTC) FILETIME=[FB634DD0:01CB4205]
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.4 with clamscan / ClamAV 0.96.1/11609/Sun Aug 22 10:51:15 2010
X-UIDL: jO,!!(kc"!5F*#!YU,"!

=A92010.Coca-Cola Great Britain
1 Queen Caroline Street
Hammersmith
London
W6 9HQ
United Kingdom.

REF:ZI0010-GB0NSW


You have won the sum of =A3950,000.00 (Great British Pounds) from The Coca-=
Cola Company UK=A9.I wish to announce you as one of the 2nd lucky winners i=
n our INTERNATIONAL ONLINE sweepstakes Lotto draw held on the 22th of Augus=
t 2010.
Your email address emerged along side 3 others as a 2nd category winner in =
this year's Annual Online Promotion Draw.

Requirements:
1. Name:
2. Address:
3. Age:
4. Sex:
5. Occupation:
6. Telephone Number:
7. Country of Residence:

Kindly Contact:
Mr. Paul Figures
TEL: +44 758 675 6960
FAX: +85 230 176 776
EMAIL:HYPERLINK "mailto:[email protected]"[email protected].=
uk



Be further advised to maintain the strictest level of confidentiality until=

the end of proceedings to circumvent problems associated with fraudulent
claims.This is a part of our precautionary measure to avoid double claiming=

and unwarranted abuse of this program

CONGRATULATIONS!!!
Yours faithfully,
Dir. Alexandre Baker
Online Sweepstakes Coordinator
=A9Copyright 2010


Posted: Mon Aug 30, 2010 12:23 am
You are kiillllling-a my bizinisss!
Joined: Thu Mar 01, 2007 3:01 am
Posts: 5915
I don't have access to the logs, but I can tell you that despite a rather long list of blocked IP addresses, there are bots crawling the public pages multiple times a day, trying to register as members. I doubt the logs would narrow your search down much.

