Leo Kuvayev / BadCow ANZ Bank Phish

Discussion in 'NZ Computing' started by Anony Mouse, Oct 15, 2006.

  1. Anony Mouse

    Anony Mouse Guest

    Here we go...
    The usual group of criminals involved in these bank phishes.

    Criminal registrar Melbourne IT through their New Zealand branch
    Domainz. Need I say that this type of behaviour is typical of Melbourne
    IT. They most certainly need to have criminal charges laid against them
    for allowing such a domain name to be registered. It clearly shows that
    they do not do any due diligence at all.

    Criminal hosting service EV1 hosts the web site.
    Note this is the service that has hosted the illegal meds sites
    listed on spam.co.nz and has such clients as Bill Stanley amongst
    others. Also note that the source IP address that the spam was sent from
    is also an EV1 address. Most certainly due to the nature of their
    business their servers are very secure. They are regularly attacked due
    to their involvement in illegal spam.

    It is my considered opinion that EV1 needs to have charges laid against
    them for aiding and abetting criminal spam gangs.

    Possibly the DNS host does not know who is using their service.
    A hat check on layeredtech.com added to this post would be much
    appreciated. I can't say I know much about them.

    Note the email address the spam was sent to is an address that Leo has
    been using for a while.


    From - Sun Oct 15 11:27:29 2006
    X-UIDL: 1160864867.9458.mail6
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 10000000
    Return-Path: <>
    Delivered-To:
    Received: (qmail 9293 invoked from network); 14 Oct 2006 22:27:45 -0000
    Received: from ironport4.ihug.co.nz (203.109.254.24)
    by mail6.ihug.co.nz with SMTP; 14 Oct 2006 22:27:45 -0000
    Received: from grunt15.ihug.co.nz ([203.109.254.62])
    by ironport4.ihug.co.nz with ESMTP; 15 Oct 2006 11:27:45 +1300
    X-Testing-Not: Yes
    X-Ironport-Seen: Yes
    X-BrightmailFiltered: true
    X-Brightmail-Tracker: AAAAAQAAA+k=
    X-IronPort-AV: i="4.09,311,1157284800";
    d="gif'147?scan'147,208,217,147"; a="253036700:sNHT48628140"
    X-Spam-Status: No
    X-IHUG-iSpy: Doesn't appear to be Spam
    Received: from ironport4.ihug.co.nz [203.109.254.24]
    by grunt15.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian))
    id 1GYryk-0002aH-00; Sun, 15 Oct 2006 11:27:38 +1300
    Received: from mars.linuxsystems.net.nz ([202.27.219.162])
    by ironport4.ihug.co.nz with ESMTP; 15 Oct 2006 11:27:38 +1300
    X-Ironport-MID: 253036548
    X-Reputation: 3.5
    Received: from serv4.slavhost.ru (serv4.slavhost.ru [67.15.70.4])
    by mars.linuxsystems.net.nz (Postfix) with SMTP id AC078A9ECA
    for <>; Sun, 15 Oct 2006 11:22:05 +1300 (NZDT)
    Received: from yaumk (180.234.157.221)
    by serv4.slavhost.ru; Sun, 15 Oct 2006 02:27:35 +0400
    Message-ID: <001a01c42018$ee67b4ca$ea7fca3e@yaumk>
    Reply-To: Dontreply <>
    From: "ANZ.com surveys" <>
    To: 3f5927a4.8030604 <>
    Subject: review: Random surveys asking for valuable feedback on how we
    are doing and how we can improve
    Date: Sun, 15 Oct 2006 02:27:35 +0400
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_001D_01C4CA3E.EA7FB4CA"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1158
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

    ------=_NextPart_000_001D_01C4CA3E.EA7FB4CA

    URL from spam http://www.anzfeedback.co.nz/inetbank/bankmain.php

    whois anzfeedback.co.nz
    % New Zealand Domain Name Registry Limited
    % Users confirm on submission their agreement to all published Terms
    %
    version: 1.23.0
    query_datetime: 2006-10-15T11:32:11+13:00
    domain_name: anzfeedback.co.nz
    query_status: 200 Active
    domain_dateregistered: 2006-10-01T18:05:04+13:00
    domain_datebilleduntil: 2007-10-01T18:05:04+12:00
    domain_datelastmodified: 2006-10-02T07:15:23+13:00
    domain_delegaterequested: yes
    %
    registrar_name: Domainz Limited
    registrar_address1: Private Bag 1810
    registrar_city: Wellington
    registrar_country: NZ (NEW ZEALAND)
    registrar_phone: +64 4 473 4567
    registrar_fax: +64 4 473 4569
    registrar_email:
    %
    registrant_contact_name: cindy cole
    registrant_contact_address1: Meadow Glen Pkwy
    registrant_contact_city: Fairburn
    registrant_contact_country: US (UNITED STATES)
    registrant_contact_phone: +16 78 4325443
    registrant_contact_email:
    %
    admin_contact_name: cindy cole
    admin_contact_address1: Meadow Glen Pkwy
    admin_contact_city: Fairburn
    admin_contact_country: US (UNITED STATES)
    admin_contact_phone: +16 78 4325443
    admin_contact_email:
    %
    technical_contact_name: cindy cole
    technical_contact_address1: Meadow Glen Pkwy
    technical_contact_city: Fairburn
    technical_contact_country: US (UNITED STATES)
    technical_contact_phone: +16 78 4325443
    technical_contact_email:
    %
    ns_name_01: ns1.cc-dns.net
    ns_name_02: ns2.cc-dns.net

    dig anzfeedback.co.nz

    ; <<>> DiG 9.2.4 <<>> anzfeedback.co.nz
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19996
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;anzfeedback.co.nz. IN A

    ;; ANSWER SECTION:
    anzfeedback.co.nz. 78 IN A 67.15.70.4

    ;; AUTHORITY SECTION:
    anzfeedback.co.nz. 78 IN NS ns1.cc-dns.net.

    ;; ADDITIONAL SECTION:
    ns1.cc-dns.net. 170174 IN A 72.232.49.98

    ;; Query time: 1014 msec
    ;; SERVER: 203.109.252.42#53(203.109.252.42)
    ;; WHEN: Sun Oct 15 11:36:35 2006
    ;; MSG SIZE rcvd: 95

    whois 67.15.70.4

    OrgName: Everyones Internet
    OrgID: EVRY
    Address: 390 Benmar
    Address: Suite 200
    City: Houston
    StateProv: TX
    PostalCode: 77060
    Country: US

    NetRange: 67.15.0.0 - 67.15.255.255
    CIDR: 67.15.0.0/16
    NetName: EVRY-BLK-15
    NetHandle: NET-67-15-0-0-1
    Parent: NET-67-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.EV1.NET
    NameServer: NS2.EV1.NET
    Comment:
    RegDate: 2004-02-06
    Updated: 2005-12-16

    RTechHandle: RW172-ARIN
    RTechName: Williams, Randy
    RTechPhone: +1-713-579-2850
    RTechEmail:

    OrgAbuseHandle: ABUSE477-ARIN
    OrgAbuseName: Abuse Department
    OrgAbusePhone: +1-713-579-2850
    OrgAbuseEmail:

    OrgNOCHandle: NOC1445-ARIN
    OrgNOCName: NOC
    OrgNOCPhone: +1-713-579-2850
    OrgNOCEmail:

    OrgTechHandle: RW172-ARIN
    OrgTechName: Williams, Randy
    OrgTechPhone: +1-713-579-2850
    OrgTechEmail:

    OrgTechHandle: VST3-ARIN
    OrgTechName: Stinson, Valarie
    OrgTechPhone: +1-713-579-2850
    OrgTechEmail:

    # ARIN WHOIS database, last updated 2006-10-13 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    whois 72.232.49.98

    OrgName: Layered Technologies, Inc.
    OrgID: LAYER-3
    Address:
    Address: 1647 Witt Road Suite#201
    City: Frisco
    StateProv: TX
    PostalCode: 75034
    Country: US

    ReferralServer: rwhois://rwhois.layeredtech.com:4321

    NetRange: 72.232.0.0 - 72.232.255.255
    CIDR: 72.232.0.0/16
    NetName: LAYERED-TECH-
    NetHandle: NET-72-232-0-0-1
    Parent: NET-72-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.LAYEREDTECH.COM
    NameServer: NS2.LAYEREDTECH.COM
    Comment: Please send all abuse complaints to
    Comment:
    RegDate: 2005-09-07
    Updated: 2006-03-07

    RTechHandle: JPS66-ARIN
    RTechName: Suo-Anttila, Jeremy Paul
    RTechPhone: +1-972-398-7998
    RTechEmail:

    OrgAbuseHandle: LAT-ARIN
    OrgAbuseName: LT Abuse Team
    OrgAbusePhone: +1-972-398-7998
    OrgAbuseEmail:

    OrgNOCHandle: LIT-ARIN
    OrgNOCName: LT IP-Network Team
    OrgNOCPhone: +1-972-398-7998
    OrgNOCEmail:

    OrgTechHandle: LNT3-ARIN
    OrgTechName: LT NOC Team
    OrgTechPhone: +1-972-398-7998
    OrgTechEmail:

    # ARIN WHOIS database, last updated 2006-10-13 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.


    Found a referral to rwhois.layeredtech.com:4321.

    %rwhois V-1.5:003eff:00 rwhois.layeredtech.com (by Network Solutions,
    Inc. V-1.5.7.3)
    network:Class-Name:network
    network:ID:ORG-LAYER-3.72.232.0.0/18
    network:Auth-Area:72.232.0.0/18
    network:Network-Name:ORG-LAYER-3-72.232.49.97
    network:IP-Network:72.232.49.97/29
    network:Organization;I:Qc1 Internet
    network:Org-Name:radiokoha.qc1.net
    network:Street-Address:2 Jacobs Green
    network:City:Saffron Walden
    network:State:England
    network:postal-Code:CB10 1DH
    network:Country-Code:GB
    network:phone:972-398-7998
    network:Tech-Contact;I:
    network:Admin-Contact;I:
    network:Abuse-Contact;I:
    network:Created:20060361
    network:Updated:20060361
    network:Updated-By:

    Source of the spam

    whois 67.15.70.4

    OrgName: Everyones Internet
    OrgID: EVRY
    Address: 390 Benmar
    Address: Suite 200
    City: Houston
    StateProv: TX
    PostalCode: 77060
    Country: US

    NetRange: 67.15.0.0 - 67.15.255.255
    CIDR: 67.15.0.0/16
    NetName: EVRY-BLK-15
    NetHandle: NET-67-15-0-0-1
    Parent: NET-67-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.EV1.NET
    NameServer: NS2.EV1.NET
    Comment:
    RegDate: 2004-02-06
    Updated: 2005-12-16

    RTechHandle: RW172-ARIN
    RTechName: Williams, Randy
    RTechPhone: +1-713-579-2850
    RTechEmail:

    OrgAbuseHandle: ABUSE477-ARIN
    OrgAbuseName: Abuse Department
    OrgAbusePhone: +1-713-579-2850
    OrgAbuseEmail:

    OrgNOCHandle: NOC1445-ARIN
    OrgNOCName: NOC
    OrgNOCPhone: +1-713-579-2850
    OrgNOCEmail:

    OrgTechHandle: RW172-ARIN
    OrgTechName: Williams, Randy
    OrgTechPhone: +1-713-579-2850
    OrgTechEmail:

    OrgTechHandle: VST3-ARIN
    OrgTechName: Stinson, Valarie
    OrgTechPhone: +1-713-579-2850
    OrgTechEmail:

    The web site is up and operational.

    http://www.anzfeedback.co.nz/inetbank/bankmain.php

    The top level of the domain http://www.anzfeedback.co.nz/ has the
    standard EV1 CPanel interface.

    http://www.anzfeedback.co.nz/inetbank/anz.txt
    Contains the login and password information gathered.

    The first entry shows a Road Runner IP address.
    It is thought that this is the IP of the phisher and is most likely a
    trojaned machine. The second entry was the same, phishy testing, as at
    first the password I entered was rejected.

    whois 66.108.255.162

    OrgName: Road Runner HoldCo LLC
    OrgID: RRNY
    Address: 13241 Woodland Park Road
    City: Herndon
    StateProv: VA
    PostalCode: 20171
    Country: US

    ReferralServer: rwhois://ipmt.rr.com:4321

    NetRange: 66.108.0.0 - 66.108.255.255
    CIDR: 66.108.0.0/16
    NetName: ROADRUNNER-NYC-1
    NetHandle: NET-66-108-0-0-1
    Parent: NET-66-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS1.RR.COM
    NameServer: DNS2.RR.COM
    NameServer: DNS3.RR.COM
    NameServer: DNS4.RR.COM
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2001-04-13
    Updated: 2001-07-13

    RTechHandle: ZS30-ARIN
    RTechName: ServiceCo LLC
    RTechPhone: +1-703-345-3416
    RTechEmail:

    OrgAbuseHandle: ABUSE10-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-703-345-3416
    OrgAbuseEmail:

    OrgTechHandle: IPTEC-ARIN
    OrgTechName: IP Tech
    OrgTechPhone: +1-703-345-3416
    OrgTechEmail:

    # ARIN WHOIS database, last updated 2006-10-13 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.


    Found a referral to ipmt.rr.com:4321.

    %rwhois V-1.5:003fff:00 ipmt-01.rr.com (by Network Solutions, Inc.
    V-1.5.7.3)
    network:Class-Name:network
    network:ID:NETBLK-isrr-66.108.248.0-21
    network:Auth-Area:66.108.248.0/21
    network:Network-Name:isrr-66.108.248.0
    network:IP-Network:66.108.248.0/21
    network:IP-Network-Block:66.108.248.0 - 66.108.255.255
    network:Organization;I:Road Runner
    network:Tech-Contact;I:
    network:Admin-Contact;I:IPADD-ARIN
    network:Created:20061014
    network:Updated:20061014
    network:Updated-By:

    network:Class-Name:network
    network:ID:NETBLK-ISRR-66.108.128.0/17
    network:Auth-Area:66.108.128.0/17
    network:Network-Name:ISRR-66.108.128.0
    network:IP-Network:66.108.128.0/17
    network:IP-Network-Block:66.108.128.0 - 66.108.255.255
    network:Organization;I:Road Runner
    network:Tech-Contact;I:
    network:Admin-Contact;I:IPADD-ARIN
    network:Created:20061014
    network:Updated:20061014
    network:Updated-By:

    The web server is configured with a host name of
    www.thequicksoftware.com which has been registered to Go Daddy and is
    currently parked.

    While looking at the web site the top level directory was reconfigured
    and access to the directory was closed and then access to the file
    anz.txt was closed off.

    In other words as soon as the phishers saw that things were not secure he
    moved quickly to close off access.

    Finally the EV1 admin watches the news group Nanae and is most certainly
    aware of the activities of his clients. He knows who they are and is
    profiting from their illegal activities.

    Law enforcement most certainly needs to action a search and seizure
    warrant against EV1.

    Anony Mouse
     
    Anony Mouse, Oct 15, 2006
    #1
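    As an added illustration of the header walk the post performs (example code, not from the original post), the Python below parses the Received chain of the quoted spam, copied from the headers above, and treats only hops recorded by the recipient's own relays as trustworthy. The trusted-relay suffixes (ihug.co.nz, linuxsystems.net.nz) are an assumption based on the headers; the site IP is the A record from the dig output.

```python
import re
from email import message_from_string

# Headers copied from the phishing message quoted in the post above
# (recipient addresses were already blanked there); body elided.
RAW_HEADERS = """\
Received: (qmail 9293 invoked from network); 14 Oct 2006 22:27:45 -0000
Received: from ironport4.ihug.co.nz (203.109.254.24)
  by mail6.ihug.co.nz with SMTP; 14 Oct 2006 22:27:45 -0000
Received: from grunt15.ihug.co.nz ([203.109.254.62])
  by ironport4.ihug.co.nz with ESMTP; 15 Oct 2006 11:27:45 +1300
Received: from ironport4.ihug.co.nz [203.109.254.24]
  by grunt15.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian))
  id 1GYryk-0002aH-00; Sun, 15 Oct 2006 11:27:38 +1300
Received: from mars.linuxsystems.net.nz ([202.27.219.162])
  by ironport4.ihug.co.nz with ESMTP; 15 Oct 2006 11:27:38 +1300
Received: from serv4.slavhost.ru (serv4.slavhost.ru [67.15.70.4])
  by mars.linuxsystems.net.nz (Postfix) with SMTP id AC078A9ECA
  for <>; Sun, 15 Oct 2006 11:22:05 +1300 (NZDT)
Received: from yaumk (180.234.157.221)
  by serv4.slavhost.ru; Sun, 15 Oct 2006 02:27:35 +0400
From: "ANZ.com surveys" <>

"""

# Assumption: these are the recipient's own relays, whose Received lines
# can be believed. Anything below the first hop from an outside host was
# written by that outside host and may be forged.
TRUSTED_SUFFIXES = ("ihug.co.nz", "linuxsystems.net.nz")

# A record of anzfeedback.co.nz from the dig output in the post.
SITE_IP = "67.15.70.4"

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def parse_hops(raw):
    """Return Received hops, latest first, as dicts of from_host/from_ip/by_host."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = re.match(r"from\s+(\S+)", value)
        if not m:
            continue                             # local hop, e.g. qmail's "(qmail ... invoked from network)"
        from_part, _, rest = value.partition(" by ")
        ip = IPV4.search(from_part)
        by = re.match(r"(\S+)", rest)
        hops.append({
            "from_host": m.group(1),
            "from_ip": ip.group(1) if ip else None,
            "by_host": by.group(1) if by else None,
        })
    return hops


def origin_hop(hops):
    """First hop whose receiving MTA is ours but whose sender is not:
    the last relay we can actually vouch for having talked to."""
    for hop in hops:
        if is_trusted(hop["by_host"]) and not is_trusted(hop["from_host"]):
            return hop
    return None


def untrusted_claims(hops):
    """Hops below the origin hop: Received lines added by outside hosts."""
    origin = origin_hop(hops)
    if origin is None:
        return []
    return hops[hops.index(origin) + 1:]


def analyse(raw, site_ip=SITE_IP):
    hops = parse_hops(raw)
    origin = origin_hop(hops)
    return {
        "origin_ip": origin["from_ip"] if origin else None,
        "origin_matches_site": bool(origin) and origin["from_ip"] == site_ip,
        "claimed_but_unverified": [h["from_ip"] for h in untrusted_claims(hops)],
    }


if __name__ == "__main__":
    print(analyse(RAW_HEADERS))
```

    The result shows the verifiable origin is 67.15.70.4, the same host that serves the phishing page, while the innermost "from yaumk (180.234.157.221)" line was added by the spammer's own relay and is not evidence of anything on its own.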

  2. Anony Mouse

    Anony Mouse Guest

    Within minutes of investigating this phish site and posting here and
    nz.comp dns no longer resolves.

    I guess phishy got very nervous.

    Chalk one up to the anti-spammers...

    **** you Leo and the EV1 scum that supports you.
    You were not quick enough covering your tracks.

    Just like I said. The scum bags are watching this news group and
    probably nz.comp where I also post from time to time.

    dig anzfeedback.co.nz @ns1.cc-dns.net

    ; <<>> DiG 9.2.4 <<>> anzfeedback.co.nz @ns1.cc-dns.net
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43362
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;anzfeedback.co.nz. IN A

    ;; Query time: 402 msec
    ;; SERVER: 72.232.49.98#53(ns1.cc-dns.net)
    ;; WHEN: Sun Oct 15 13:07:59 2006
    ;; MSG SIZE rcvd: 35


    Anony Mouse
    Spam NZ IP space and I will find you.
    Ruslan, Leo and Alex your days are numbered.
     
    Anony Mouse, Oct 15, 2006
    #2

  3. Anony Mouse

    Donchano Guest

    On Sun, 15 Oct 2006 13:16:08 +1300, Anony Mouse <>
    magnanimously proffered:

    >Within minutes of investigating this phish site and posting here and
    >nz.comp dns no longer resolves.
    >
    >I guess phishy got very nervous.
    >
    >Chalk one up to the anti-spammers...
    >
    >**** you Leo and the EV1 scum that supports you.
    >You were not quick enough covering your tracks.
    >
    >Just like I said. The scum bags are watching this news group and
    >probably nz.comp where I also post from time to time.
    >
    >dig anzfeedback.co.nz @ns1.cc-dns.net
    >
    >; <<>> DiG 9.2.4 <<>> anzfeedback.co.nz @ns1.cc-dns.net
    >;; global options: printcmd
    >;; Got answer:
    >;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43362
    >;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    >
    >;; QUESTION SECTION:
    >;anzfeedback.co.nz. IN A
    >
    >;; Query time: 402 msec
    >;; SERVER: 72.232.49.98#53(ns1.cc-dns.net)
    >;; WHEN: Sun Oct 15 13:07:59 2006
    >;; MSG SIZE rcvd: 35
    >
    >
    >Anony Mouse
    >Spam NZ IP space and I will find you.
    >Ruslan, Leo and Alex your days are numbered.


    I would very much like to know who or what is responsible for all of
    the html stock report spams that are regularly getting past Xtra's
    spam filters and into my inbox because they can't be filtered by
    Thunderbird. Nor does reporting them to SpamCop do any good.

    Whoever is sending them should have their fingers broken one at a
    time.
     
    Donchano, Oct 15, 2006
    #3
  4. Anony Mouse

    Anony Mouse Guest

    Looks like an MS machine on RR to me.

    nmap -sS -P0 66.108.255.162

    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-10-15 12:45
    NZDT
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    Interesting ports on cpe-66-108-255-162.nyc.res.rr.com (66.108.255.162):
    (The 1656 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    135/tcp filtered msrpc
    136/tcp filtered profile
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    593/tcp filtered http-rpc-epmap
     
    Anony Mouse, Oct 15, 2006
    #4
  5. Anony Mouse

    Anony Mouse Guest


    >>Anony Mouse
    >>Spam NZ IP space and I will find you.
    >>Ruslan, Leo and Alex your days are numbered.

    >
    >
    > I would very much like to know who or what is responsible for all of
    > the html stock report spams that are regularly getting past Xtra's
    > spam filters and into my inbox because they can't be filtered by
    > Thunderbird. Nor does reporting them to SpamCop do any good.
    >
    > Whoever is sending them should have their fingers broken one at a
    > time.
    >

    Firstly I don't want to post this to nanae so I have not cross posted it.

    That's easy to answer...

    Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov

    http://www.spamhaus.org/rokso/listi...d / Alexander Mosh / AlekseyB / Alex Polyakov

    Leo Kuvayev / BadCow

    http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Leo Kuvayev / BadCow

    Supported by this man who writes the software that exploits the
    virus/trojan infected machines.

    Ruslan Ibragimov / send-safe.com

    http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Ruslan Ibragimov / send-safe.com

    There are several others that live on Undernet IRC who write the code to
    infect machines and the html/php that is used on the phishing web sites.

    And more people who do the pump & dump buying and selling.

    It is a huge gang and at this point I can't tell you who else is
    involved although I have several names in my files from my investigations.

    Think work from home and tax fraud which are both subjects linked to
    this gang. Unfortunately I am not a professional investigator and it is
    way too big for me to get my head around.

    As for reporting them it is just a waste of time. If you do not analyse
    the spam before reporting you will find that they use spam reports to
    confirm that the email address is active.

    If they find that you are attacking them they will attack your domain
    name just like they do with my multi-drop mail box at my domain. 3,500 +
    spam per week.

    Why do they get past Xtra's spam filters... Because they use a different
    bot net to send the spam almost every day. As fast as the bot net ip
    addresses are listed they move on to another bot net.

    These people are the most notorious criminal spam gang on the net with
    links to at least one New Zealander that I know of. Well one that I am
    prepared to disclose.

    The New Zealander's name who I suspect is involved is ****** ******* of
    Christchurch. He runs an internet type business and is thought to be
    involved in Credit Card fraud, Pay Pal fraud and money laundering.

    Sorry I just can't bring myself to post his name as it may land me in
    court if I publish it again. Let's say it has been published before.

    He has also been tracked to web sites hosted on EV1.

    As with these things it is very difficult to pin him down and despite
    evidence being sent to several Ministers he has not been arrested.

    How come I am so sure of myself... I have been tracking and watching
    these scum for many years and been an anti-spam activist for nearly ten
    years now.

    I was one of the people who helped track down Shane Atkinson of
    Christchurch. You can find info on his activities here.

    http://www.nzherald.co.nz/storydisp...8&thesection=technology&thesubsection=general
    http://www.nzherald.co.nz/storydisp...gy&thesubsection=general&thesecondsubsection=
    http://www.nzherald.co.nz/storydisplay.cfm?thesection=technology&thesubsection=&storyID=3518744

    This link needs windows media player which you should have on your PC.
    mms://media.tvnz.co.nz/holmes/spam_300104_128k.wmv

    As further evidence here is the source of a message that was bounced from
    the Kiwi Bank servers. Note the virus name is my company name and the
    phish was the first one the gang did targeting New Zealand and is the
    result of my anti-spam activities.

    In other words I am to blame for the ongoing targeting of New Zealand
    citizens most likely however it could be said that they would have
    targeted this country anyway as part of their ongoing expansion.

    Note that on the same day one year later the first phish involving Kiwi
    Bank customers was reported. The first one was covered up and at that
    time the banks were not required to disclose such incidents.

    Anony Mouse


    From - Sat Dec 25 11:03:24 2004
    X-UIDL: ;^'#!Zl@!!@Um!!U0<!!
    X-Mozilla-Status: 0001
    X-Mozilla-Status2: 10000000
    Return-Path: <>
    Received: from localhost (fetchmail@localhost [127.0.0.1])
    by gate.nomax (8.12.3/8.12.3/Debian-6.6) with ESMTP id iBOM1uKZ017239
    for <pb@localhost>; Sat, 25 Dec 2004 11:01:59 í½
    Delivered-To:
    Received: from pop.ihug.co.nz [203.109.252.42]
    by localhost with POP3 (fetchmail-5.9.11)
    for pb@localhost (single-drop); Sat, 25 Dec 2004 11:01:59 í½ (NZDT)
    Received: (qmail 2067 invoked from network); 24 Dec 2004 21:59:43 -0000
    Received: from grunt2.ihug.co.nz (203.109.254.42)
    by mail3.ihug.co.nz with SMTP; 24 Dec 2004 21:59:43 -0000
    Received: from ironport2.ihug.co.nz [203.109.254.20]
    by grunt2.ihug.co.nz with esmtp (Exim 3.35 #1 (Debian))
    id 1ChxTL-0001ZB-00; Sat, 25 Dec 2004 10:59:43 í½
    Received: from mars.linuxsystems.net.nz (202.27.219.162)
    by ironport2.ihug.co.nz with ESMTP; 25 Dec 2004 10:59:39 í½
    X-Ironport-Seen: Yes
    X-BrightmailFiltered: true
    X-Brightmail-Tracker: AAAAAQAAA=
    X-IHUG-iSpy: Doesn't appear to be Spam
    Received: from wn-nzp-mgw-1.nzpost.co.nz (mail1.nzpost.co.nz
    [210.48.48.100])
    by mars.linuxsystems.net.nz (Postfix) with ESMTP id 1262EA9B5A
    for <>; Sat, 25 Dec 2004 10:59:36 í½ (NZDT)
    Received: from mail1.nzpost.co.nz (localhost.localdomain [127.0.0.1])
    by wn-nzp-mgw-1.nzpost.co.nz (8.11.6/8.11.6) with ESMTP id iBOLxdC24281
    for <>; Sat, 25 Dec 2004 10:59:39 í½
    Received: from fswndntexs01.corp.bank.nzpfs.co.nz
    (wn-nzp-fgw-1.nzpost.co.nz [210.48.48.103])
    by mail1.nzpost.co.nz (8.11.6/8.11.6) with ESMTP id iBOLxd124275
    for <>; Sat, 25 Dec 2004 10:59:39 í½
    From:
    To:
    Date: Sat, 25 Dec 2004 10:59:37 í½
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    boundary="9B095B5ADSN=_01C4E3F5B98F61010000B837fswndntexs01.cor"
    X-DSNContext: 335a7efd - 4460 - 00000001 - 80040546
    Message-ID: <>
    Subject: Delivery Status Notification (Failure)
    X-MailScanner: Clean
    X-MailScanner-Information: Mail Scanner Version 4.12-2
    X-MailScanner-SpamCheck: not spam, SpamAssassin (score=0.1, required 6,
    FAILURE_NOTICE_1, FAILURE_NOTICE_2, NO_REAL_NAME)
    X-UIDL: ;^'#!Zl@!!@Um!!U0<!!

    This is a MIME-formatted message.
    Portions of this message may be unreadable without a MIME-capable mail
    program.

    --9B095B5ADSN=_01C4E3F5B98F61010000B837fswndntexs01.cor
    Content-Type: text/plain; charset=unicode-1-1-utf-7

    This is an automatically generated Delivery Status Notification.

    Delivery to the following recipients failed.


    --
    This message has been scanned for viruses and
    dangerous content by MailScanner, and is
    believed to be clean.



    --9B095B5ADSN=_01C4E3F5B98F61010000B837fswndntexs01.cor
    Content-Type: message/delivery-status

    Reporting-MTA: dns;fswndntexs01.corp.bank.nzpfs.co.nz
    Received-From-MTA: dns;wn-nzp-mgw-1.nzpost.co.nz
    Arrival-Date: Sat, 25 Dec 2004 10:59:37 í½

    Final-Recipient: rfc822;
    Action: failed
    Status: 5.1.1

    --9B095B5ADSN=_01C4E3F5B98F61010000B837fswndntexs01.cor
    Content-Type: message/rfc822

    Received: from wn-nzp-mgw-1.nzpost.co.nz ([210.48.48.100]) by
    fswndntexs01.corp.bank.nzpfs.co.nz with Microsoft SMTPSVC(5.0.2195.6713);
    Sat, 25 Dec 2004 10:59:37 í½
    Received: from mail1.nzpost.co.nz (localhost.localdomain [127.0.0.1])
    by wn-nzp-mgw-1.nzpost.co.nz (8.11.6/8.11.6) with ESMTP id iBOLxcC24271;
    Sat, 25 Dec 2004 10:59:38 í½
    Received: from witgigmov.nz (222-152-241-66.jetstream.xtra.co.nz
    [222.152.241.66])
    by mail1.nzpost.co.nz (8.11.6/8.11.6) with SMTP id iBOLxO124265;
    Sat, 25 Dec 2004 10:59:25 í½
    From:
    To:
    Date: Fri, 24 Dec 2004 21:52:11 GMT
    Subject: invalid mail <error_:7648>
    Importance: Normal
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    Message-ID: <>
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="======bc0a6d24b975eaff198d"
    Content-Transfer-Encoding: 7bit
    Return-Path:
    X-OriginalArrivalTime: 24 Dec 2004 21:59:37.0241 (UTC)
    FILETIME=[DC24B090:01C4EA03]

    This is a multi-part message in MIME format.

    --======bc0a6d24b975eaff198d

    This mail was generated automatically.
    More info about --xxxx-- under: http://www.xxxx.co.nz

    -------
    Occured_Errors:

    93.127.16.38_failed_after_I_sent_the_message.
    # 244: mailbox_unavailable
    # 198: This_account_has_been_discontinued_[#301].

    End
    -------

    The original mail is attached.

    Auto_Mail.System: [xxxx]


    *-*-* Attachment: No Virus found
    *-*-* KIWIBANK.CO- Anti_Virus Service
    *-*-* http://www.kiwibank.co.nz
    --======bc0a6d24b975eaff198d
    Content-Type: text/plain
    Content-Transfer-Encoding: 7bit

    [Filename: xxxx.4759.bat, Content-Type: application/octet-stream]
    New Zealand Post has blocked the attachment to this email. This file
    that was attached is of a type frequently used to transmit viruses. The
    attachment was blocked to limit the possibility of a virus entering or
    leaving New Zealand Post

    --======bc0a6d24b975eaff198d--



    --9B095B5ADSN=_01C4E3F5B98F61010000B837fswndntexs01.cor--
     
    Anony Mouse, Oct 15, 2006
    #5
  6. Anony Mouse

    Donchano Guest

    On Sun, 15 Oct 2006 15:32:49 +1300, Anony Mouse <>
    magnanimously proffered:

    >
    >>>Anony Mouse
    >>>Spam NZ IP space and I will find you.
    >>>Ruslan, Leo and Alex your days are numbered.

    >>
    >>
    >> I would very much like to know who or what is responsible for all of
    >> the html stock report spams that are regularly getting past Xtra's
    >> spam filters and into my inbox because they can't be filtered by
    >> Thunderbird. Nor does reporting them to SpamCop do any good.
    >>
    >> Whoever is sending them should have their fingers broken one at a
    >> time.
    >>

    >Firstly I don't want to post this to nanae so I have not close posted it.
    >
    >Thats easy to answer...


    I've read through your post twice and find the whole thing both
    fascinating and daunting. These guys don't sound very nice.

    Another thing I'm very curious about is how they got my Xtra email
    address. Since before I even changed my Xtra address (due to spam
    because some well-meaning friend published my original Xtra address on
    his website) I've only been using a couple of made-up email addresses
    set up using my domain name.

    I've organised it so any email is either forwarded to either my
    private (but unpublished) Xtra address or a Yahoo webmail address. Yet
    90% of the html/stock spam I receive is sent using the real Xtra
    address that nobody, except me (and Xtra and my webhost), is supposed
    to have ever seen.

    How the hell do these parasites get a hold of an unpublished Xtra
    address that, for all intents and purposes, hasn't been used except to
    forward email from my domain? Is there someone inside Xtra who is
    selling addresses to the spammers? Or do the spammers have some way to
    get inside Xtra's records to harvest the addresses?
     
    Donchano, Oct 15, 2006
    #6
  7. Anony Mouse

    Anony Mouse Guest

    Donchano wrote:
    > On Sun, 15 Oct 2006 15:32:49 +1300, Anony Mouse <>
    > magnanimously proffered:
    >
    >
    >>>>Anony Mouse
    >>>>Spam NZ IP space and I will find you.
    >>>>Ruslan, Leo and Alex your days are numbered.
    >>>
    >>>
    >>>I would very much like to know who or what is responsible for all of
    >>>the html stock report spams that are regularly getting past Xtra's
    >>>spam filters and into my inbox because they can't be filtered by
    >>>Thunderbird. Nor does reporting them to SpamCop do any good.
    >>>
    >>>Whoever is sending them should have their fingers broken one at a
    >>>time.
    >>>

    >>
    >>Firstly I don't want to post this to nanae so I have not cross-posted it.
    >>
    >>That's easy to answer...

    >
    >
    > I've read through your post twice and find the whole thing both
    > fascinating and daunting.

    Yep, it takes a lot to understand it all, and I only gave you less than
    half of what I know, leaving out most of the stuff I have gathered regarding
    the New Zealand side and the links to the spam gang. There are so many
    deviant people that use the spam gang it is not funny.

    For instance, there were nearly 1,000 arrests recently for advanced fee
    fraud in a half dozen countries.

    > These guys don't sound very nice.

    No, not at all nice. Leo (wanted in the US where he used to live but fled
    to Russia after a court ruling in the millions) is the criminal mind
    behind the gang and Alex the knuckle-dragging thug. Ruslan is the software
    writer and botnet co-ordinator. Ruslan gets lists of botnets from a
    gang (Romanians and others) and then sells them to Leo, who then gives the
    list to Alex. They are so predictable. You can analyze how they work
    together.

    They are linked to the Russian mafia and are suspected of being linked to the
    death of a Russian banker who had been trying to freeze and seize
    assets from crime.

    Shane Atkinson and Mike Van Essen were linked to the gang and after Van
    Essen seeded my email address for me I tracked down Ruslan. I talked to
    Mike after he was outed by Eyefive, who I gave a hard time for a long
    time until they decided that I had too much on them, so they gave up Van
    Essen.

    I was then vigorously attacked by Dean Westbury, an Aussie who now lives
    in the Philippines. I have information that links the Christchurch man
    I know of to Westbury.
    >
    > Another thing I'm very curious about is how they got my Xtra email
    > address. Since before I even changed my Xtra address (due to spam
    > because some well-meaning friend published my original Xtra address on
    > his website) I've only been using a couple of made-up email addresses
    > set up using my domain name.
    >
    > I've organised it so any email is either forwarded to either my
    > private (but unpublished) Xtra address or a Yahoo webmail address. Yet
    > 90% of the html/stock spam I receive is sent using the real Xtra
    > address that nobody, except me (and Xtra and my webhost), is supposed
    > to have ever seen.
    >
    > How the hell do these parasites get a hold of an unpublished Xtra
    > address that, for all intents and purposes, hasn't been used except to
    > forward email from my domain? Is there someone inside Xtra who is
    > selling addresses to the spammers? Or do the spammers have some way to
    > get inside Xtra's records to harvest the addresses?
    >
    >

    Have you registered a domain name with a certain Christchurch registrar?
    There are actually two of them that are crooks in Christchurch.

    See http://www.spam.co.nz/linkspamming.html

    The other thing is that Ruslan writes software that guesses email addresses.

    They run this software in conjunction with web sites that log hits from
    the unique url in the spam. All you need to do is open the spam and they
    have got you.

    I doubt that Xtra staff have sold your address although it has been
    known to happen.

    Peter
     
    Anony Mouse, Oct 15, 2006
    #7
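    The "unique url in the spam" trick Peter describes above (open the message, the remote image or link loads, and the sender's web server logs that your address is live) can be spotted before a client fetches anything. The following is an added example, not code from this thread or from anyone in it: it scans an HTML mail body for remote references that carry a per-recipient-looking token or are sized as a 1x1 beacon. The HTML sample and the hostnames in it are constructed for the demo, and the entropy threshold is an assumed heuristic, not a standard.

    ```python
    import re
    from collections import Counter
    from html.parser import HTMLParser
    from math import log2

    # Constructed sample mail body (not from the thread): one ordinary link,
    # one 1x1 image whose path carries an opaque id, one link with an id in the query.
    SAMPLE_HTML = """
    <html><body>
    <p>Hot stock pick!</p>
    <a href="http://example.test/news">Read the report</a>
    <img src="http://track.example.test/open/9f3a1c77b2e84d0a5e6f1b2c3d4e5f60.gif" width="1" height="1">
    <a href="http://click.example.test/r?u=7Gq2xZpL9mQ4aT8wN1vKc">Click here</a>
    </body></html>
    """

    class _RefCollector(HTMLParser):
        """Collect every remote reference (img src, a href) with its attributes."""
        def __init__(self):
            super().__init__()
            self.refs = []

        def handle_starttag(self, tag, attrs):
            a = dict(attrs)
            if tag == "img" and a.get("src"):
                self.refs.append(("img", a["src"], a))
            elif tag == "a" and a.get("href"):
                self.refs.append(("a", a["href"], a))

    def shannon_entropy(s):
        """Bits of entropy per character of s (0.0 for the empty string)."""
        if not s:
            return 0.0
        n = len(s)
        return -sum(c / n * log2(c / n) for c in Counter(s).values())

    TOKEN_RE = re.compile(r"[A-Za-z0-9]{16,}")

    def is_unique_token(s):
        """Assumed heuristic: a long, high-entropy alphanumeric run looks like a per-recipient id."""
        return len(s) >= 16 and shannon_entropy(s) > 3.0

    def find_tracking_refs(html):
        """Return [(url, [reasons...])] for references that look like open/click tracking."""
        p = _RefCollector()
        p.feed(html)
        flagged = []
        for kind, url, attrs in p.refs:
            reasons = []
            if any(is_unique_token(tok) for tok in TOKEN_RE.findall(url)):
                reasons.append("unique-token")
            # A 1x1 (or 0x0) remote image is the classic web beacon.
            if kind == "img" and attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1"):
                reasons.append("beacon-size")
            if reasons:
                flagged.append((url, reasons))
        return flagged

    if __name__ == "__main__":
        for url, why in find_tracking_refs(SAMPLE_HTML):
            print(url, why)
    ```

    The practical mitigation is the one most mail clients already offer: do not load remote content for unknown senders, so the beacon never fires whether or not a scanner flags it. A scanner like this is still useful on the gateway to tag messages for review.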
  8. steve

    steve Guest

    Donchano wrote:

    > I would very much like to know who or what is responsible for all of
    > the html stock report spams that are regularly getting past Xtra's
    > spam filters and into my inbox because they can't be filtered by
    > Thunderbird. Nor does reporting them to SpamCop do any good.
    >
    > Whoever is sending them should have their fingers broken one at a
    > time.


    Agreed. On any given day those messages constitute roughly 60% of the spam I
    get.....and they are all the same message.
     
    steve, Oct 15, 2006
    #8
  9. In article <>,
    lid says...
    >
    > I've organised it so any email is either forwarded to either my
    > private (but unpublished) Xtra address or a Yahoo webmail address. Yet
    > 90% of the html/stock spam I receive is sent using the real Xtra
    > address that nobody, except me (and Xtra and my webhost), is supposed
    > to have ever seen.
    >
    > How the hell do these parasites get a hold of an unpublished Xtra
    > address that, for all intents and purposes, hasn't been used except to
    > forward email from my domain? Is there someone inside Xtra who is
    > selling addresses to the spammers? Or do the spammers have some way to
    > get inside Xtra's records to harvest the addresses?
    >


    Most likely they use a dictionary/10000monkey approach - in other words they
    send to briana@domain, brianb@, brianc@ ...brianz@, brianaa@, .... asmith@,
    bsmith@, et cetera et cetera ad nauseam.

    I often get spam like that forwarded from ihug where I used to have an account
    as peterwh (rip, but it still gets forwarded to me) and they are addressed to
    some peterxxxxnnn instead of peterwh. Which is very much indicative of the
    method I described above.

    cheers, -Peter

    --
    =========================================
    firstname dot lastname at gmail fullstop com
     
    Peter Huebner, Oct 16, 2006
    #9
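    The dictionary approach Peter describes (briana@, brianb@, ... fired at one domain from one source, most of them to addresses that do not exist) leaves a recognisable shape in the receiving server's log, which is what a defender should be counting. The following is an added example, not code from this thread or from any of the posters: it parses a small constructed log in an assumed one-line-per-RCPT format (modelled loosely on what an MTA records, not any real MTA's syntax), then flags a source IP when it hits many recipients, most are rejected as unknown users, and the local parts cluster on a shared prefix. The thresholds are assumptions to tune.

    ```python
    import re
    from collections import defaultdict

    # Assumed log format (constructed for this example, not a real MTA's):
    #   <timestamp> src=<ip> rcpt=<local@domain> status=<accept|reject_...>
    LINE_RE = re.compile(
        r"^(?P<ts>\S+ \d+ [\d:]+) src=(?P<ip>[\d.]+) "
        r"rcpt=<(?P<local>[^@>]+)@(?P<domain>[^>]+)> status=(?P<status>\w+)$"
    )

    # Constructed sample: one probing source walking a dictionary, one normal sender
    # that got a single typo'd address wrong.
    SAMPLE_LOG = """\
    Oct 16 03:12:01 src=192.0.2.10 rcpt=<briana@example.test> status=reject_unknown_user
    Oct 16 03:12:01 src=192.0.2.10 rcpt=<brianb@example.test> status=reject_unknown_user
    Oct 16 03:12:02 src=192.0.2.10 rcpt=<brianc@example.test> status=reject_unknown_user
    Oct 16 03:12:02 src=192.0.2.10 rcpt=<briand@example.test> status=reject_unknown_user
    Oct 16 03:12:03 src=192.0.2.10 rcpt=<brianaa@example.test> status=reject_unknown_user
    Oct 16 03:12:03 src=192.0.2.10 rcpt=<asmith@example.test> status=reject_unknown_user
    Oct 16 03:12:04 src=192.0.2.10 rcpt=<bsmith@example.test> status=accept
    Oct 16 03:15:00 src=198.51.100.7 rcpt=<peterwh@example.test> status=accept
    Oct 16 03:15:30 src=198.51.100.7 rcpt=<peterhw@example.test> status=reject_unknown_user
    """

    def parse_log(text):
        """Parse matching lines into dicts; lines in any other format are skipped."""
        events = []
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if m:
                events.append(m.groupdict())
        return events

    def analyse(events, min_rcpts=5, min_reject_ratio=0.7, prefix_len=4, min_cluster=3):
        """Per source IP: recipient count, reject ratio, largest shared-prefix cluster, verdict."""
        per_ip = defaultdict(lambda: {"rcpts": 0, "rejected": 0, "locals": set()})
        for e in events:
            s = per_ip[e["ip"]]
            s["rcpts"] += 1
            s["locals"].add(e["local"])
            if e["status"].startswith("reject"):
                s["rejected"] += 1

        report = {}
        for ip, s in per_ip.items():
            # Dictionary walks produce many local parts that share a short prefix
            # (briana, brianb, brianc...). Group on the first prefix_len characters.
            prefixes = defaultdict(set)
            for lp in s["locals"]:
                prefixes[lp[:prefix_len].lower()].add(lp)
            biggest = max((len(v) for v in prefixes.values()), default=0)
            ratio = s["rejected"] / s["rcpts"] if s["rcpts"] else 0.0
            report[ip] = {
                "rcpts": s["rcpts"],
                "reject_ratio": round(ratio, 2),
                "largest_prefix_cluster": biggest,
                "dictionary_probe": (
                    s["rcpts"] >= min_rcpts
                    and ratio >= min_reject_ratio
                    and biggest >= min_cluster
                ),
            }
        return report

    if __name__ == "__main__":
        for ip, r in analyse(parse_log(SAMPLE_LOG)).items():
            print(ip, r)
    ```

    The reject ratio on its own would also flag a legitimate sender with a stale address book, which is why the prefix-cluster condition is there; a source that trips all three is a candidate for rate limiting or a temporary block at the MTA.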
  10. In article <>, says...
    > Donchano wrote:
    >
    > > I would very much like to know who or what is responsible for all of
    > > the html stock report spams that are regularly getting past Xtra's
    > > spam filters and into my inbox because they can't be filtered by
    > > Thunderbird. Nor does reporting them to SpamCop do any good.
    > >
    > > Whoever is sending them should have their fingers broken one at a
    > > time.

    >
    > Agreed. On any given day those messages constitute roughly 60% of the spam I
    > get.....and they are all the same message.
    >
    >
    >

    What's even worse is that some spammer has (mis)appropriated the domain
    name I host to generate hundreds of false return addresses so as well as
    spam I'm getting inundated with bounced emails.
     
    Peter McCallum, Oct 16, 2006
    #10
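    The flood of bounces Peter McCallum describes is backscatter: a spammer forges his domain as the sender, remote servers reject or cannot deliver, and their bounces land on him. A bounce for mail you never sent can be told apart from a real one, because a proper delivery status notification carries the original message (or at least its headers), and its Message-ID either appears in your own outbound log or it does not. The following is an added example, not code from this thread or any poster: the bounce text, the domains and the set of "sent" Message-IDs are all constructed for the demo.

    ```python
    import email
    import re

    # Constructed: Message-IDs our own server actually sent (would come from its log).
    SENT_MESSAGE_IDS = {"<20061015112729.abc123@example.test>"}

    # Constructed DSN for a message we never sent: someone forged an example.test
    # sender, remote.test could not deliver it and bounced it back to us.
    BACKSCATTER_BOUNCE = """\
    Return-Path: <>
    From: Mail Delivery System <MAILER-DAEMON@remote.test>
    To: someuser@example.test
    Subject: Undelivered Mail Returned to Sender
    Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

    --b1
    Content-Type: text/plain

    This is the mail system at host remote.test. Your message could not be delivered.

    --b1
    Content-Type: message/delivery-status

    Reporting-MTA: dns; remote.test
    Final-Recipient: rfc822; victim@remote.test
    Action: failed
    Status: 5.1.1

    --b1
    Content-Type: message/rfc822

    From: someuser@example.test
    To: victim@remote.test
    Message-ID: <zzz999@forged.invalid>
    Subject: Hot stock tip

    Buy now!

    --b1--
    """

    def is_bounce(msg):
        """Null reverse path or a multipart/report body marks a delivery status notification."""
        return (msg.get("Return-Path") or "").strip() == "<>" or msg.get_content_type() == "multipart/report"

    def original_message_id(msg):
        """Pull the Message-ID of the message the DSN is reporting on, if it was included."""
        for part in msg.walk():
            ctype = part.get_content_type()
            if ctype == "message/rfc822":
                inner = part.get_payload(0)           # the embedded original message
                return (inner.get("Message-ID") or "").strip() or None
            if ctype == "text/rfc822-headers":        # headers-only variant of the same thing
                m = re.search(r"^Message-ID:\s*(<[^>]+>)", part.get_payload(), re.M | re.I)
                if m:
                    return m.group(1)
        return None

    def classify_bounce(raw, sent_ids):
        """'not-a-bounce', 'bounce-unverifiable', 'legitimate-bounce' or 'backscatter'."""
        msg = email.message_from_string(raw)
        if not is_bounce(msg):
            return "not-a-bounce"
        mid = original_message_id(msg)
        if mid is None:
            return "bounce-unverifiable"
        return "legitimate-bounce" if mid in sent_ids else "backscatter"

    if __name__ == "__main__":
        print(classify_bounce(BACKSCATTER_BOUNCE, SENT_MESSAGE_IDS))
    ```

    Filtering the bounces treats the symptom; the domain owner's actual lever is to publish an SPF record for the domain so that receiving servers can reject the forged sender at SMTP time instead of accepting the message and bouncing it later.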