LOL, Orcon phishing email?

Discussion in 'NZ Computing' started by ~misfit~, Nov 11, 2005.

  1. ~misfit~

    ~misfit~ Guest

    Got this email today, addressed to my Orcon account, entitled "orcon.net.nz
    ID: " (My xxx's)

    Headers follow:

    Return-Path: <>
    Received: from 84.46.160.61 (p2p-84-46-160-61-ird.vln0 [84.46.160.61] (may
    be forged)) by dbmail-mx2.orcon.net.nz (8.13.2/8.13.2/Debian-1) with SMTP id
    jAA7CFCY025395 for <>; Thu, 10 Nov 2005 20:12:22 +1300
    Message-ID: <bdf501c5e5cc$81b14241$>
    From: Verification <>
    To:
    Subject: **SPAM**
    =?iso-8859-1?B?b3Jjb24ubmV0Lm56IElEOiBtaXNmaXRAb3Jjb24ubmV0Lm56?=
    Date: Thu, 10 Nov 2005 08:00:54 +0000
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express V6.00.2900.2180
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
    X-Virus-Scanned: ClamAV version 0.87, clamav-milter version 0.87 on
    dbmail-mx2.orcon.net.nz
    X-Virus-Status: Clean
    X-Spam-Score: 6
    X-DSPAM-Confidence: 0.5636
    X-DSPAM-Probability: 1.0000
    X-Antivirus: AVG for E-mail 7.1.362 [267.12.8/166]
    Mime-Version: 1.0
    Content-Type: multipart/mixed; boundary="=======AVGMAIL-43740DFD2839======="
    X-RegEx-Score: 740.6
    X-RegEx-Warning: spam (740.6 > 499.9)
    X-RegEx: [110.9] FROM_NUMERIC_HELO sender helo'd with an IP address
    X-RegEx: [59.6] FROM_AND_RECEIVED_DO_NOT_MATCH FQDN in From and Received
    header do not match
    X-RegEx: [150.0] PRONOUNCE_BODY This can nobody pronounce
    X-RegEx: [150.0] INVALID_HTML_NOTHING_TAGS <HTML>Tag ohne </HTML>Tag
    X-RegEx: [50.0] INVALID_HTML_NOT_CORRECT_BODY_LINK HTML Link ohne korrekten
    HTML Body
    X-RegEx: [110.0] HTTP_ESCAPED_HOST Uses %-escapes inside a URL's hostname
    X-RegEx: [110.1] HTTP_EXCESSIVE_ESCAPES Completely unnecessary %-escapes
    inside a URL
    X-Bayesian-Result: Spam (100)
    X-Bayesian-Words: 2005 99 7.1.362 99 7bit 99 avg 99 certification 99 checked
    99 clamav 99 clamav-milter 99 clean 99 database 99 dbmail-mx2 99 e-mail 99
    edition 99 express 99 found 99
    X-SpamPal: SPAM REGEX ID#315162029-08

    The plain-text email was blank, with an HTML attachment. AVG7 gave it a
    clean bill of health so, contents of the HTML attachment follow:

    "De?ra? orcon.net.nz M?rebme?,

    We must ch?kce? t?ah?t y?ruo? orcon.net.nz ID was r?eretsige?d by re?la?
    p?oe?ple. So, to he?pl? orcon.net.nz pre?tnev? a?detamotu?
    regist?itar?ons, pl?ae?se cli?kc? on th?si? li?kn? and com?lp?ete co?ed?
    verifi?noitac? pr?seco?s:

    http://orcon.net.nz/eE9f9OryBEEdW6zXMyyMh3wgRmCKsXBtpshop2lx2H6SvU0QteDPemawk4kk0

    Th?kna? you"

    ++++++++++++++++++++++++++++

    Wow!! Weirdness! When I clicked the HTML link and it opened in Firefox it
    was all garbled. When I highlighted it and cut'n'pasted here it came out
    perfectly. Here it is cut'n'pasted into notepad, where it looked a mess,
    then here:

    ++++++++++++++++++++++++++++

    De?ra? orcon.net.nz M?rebme?,

    We must ch?kce? t?ah?t y?ruo? orcon.net.nz ID was r?eretsige?d by re?la?
    p?oe?ple. So, to he?pl? orcon.net.nz pre?tnev? a?detamotu?
    regist?itar?ons, pl?ae?se cli?kc? on th?si? li?kn? and com?lp?ete co?ed?
    verifi?noitac? pr?seco?s:

    http://orcon.net.nz/eE9f9OryBEEdW6zXMyyMh3wgRmCKsXBtpshop2lx2H6SvU0QteDPemawk4kk0

    Th?kna? you

    ++++++++++++++++++++++++++++

    Ok, weirdness again. It was a mess in notepad, but fine here. Maybe I should
    type it as I see it in Firefox?

    ++++++++++++++++++++++++++++

    "Dera orcon.net.nz Mrebme,

    We must chkce taht yruo orcon.net.nz ID was reretsiged by rela poeple. So,
    to hepl orcon.net.nz pretnev adetamotu registitarons, plaese clikc on thsi
    likn and comlpete coed verifinoitac prsecos

    <URL>

    Thkna you.

    +++++++++++++++++++++++++++++

    How come OE rearranges it all and makes it readable?

    So, is this a phishing expedition, an Orcon/firefox incompatibility issue or
    an attempt at spreading a virus? Running Windows I'm not about to click that
    link.

    I've had that Orcon free email for several years now, from the first month
    they were made available.

    Cheers,
    --
    ~misfit~
     
    ~misfit~, Nov 11, 2005
    #1
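
Added example, not part of the original posts: the three views quoted in post #1 are consistent with each "?" standing for a Unicode bidirectional control (RLO U+202E opening a run, PDF U+202C closing it), which a bidi-aware viewer shows reversed and other viewers ignore. That mapping is an assumption, since the thread never identifies the characters; the sketch below handles only flat, non-nested runs and compares what a filter stores with what a reader sees.

```python
import re

# Explicit directional formatting characters (Unicode bidi controls).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
_CONTROL_RE = re.compile("[" + "".join(BIDI_CONTROLS) + "]")
# A flat RLO ... PDF run; nested embeddings are deliberately not modelled.
_RLO_RUN_RE = re.compile("\u202e([^\u202a-\u202e]*)\u202c")


def find_bidi_controls(text):
    """Return (offset, name) for every bidi control character in text."""
    return [(m.start(), BIDI_CONTROLS[m.group()]) for m in _CONTROL_RE.finditer(text)]


def as_stored(text):
    """What a keyword filter or non-bidi-aware viewer sees: controls dropped."""
    return _CONTROL_RE.sub("", text)


def as_displayed(text):
    """Approximate a bidi-aware renderer: each flat RLO run is shown reversed."""
    shown = _RLO_RUN_RE.sub(lambda m: m.group(1)[::-1], text)
    return _CONTROL_RE.sub("", shown)


def looks_obfuscated(text):
    """Flag text whose stored and displayed forms differ because of overrides."""
    return bool(find_bidi_controls(text)) and as_stored(text) != as_displayed(text)


# Constructed sample: the greeting from the post, with "?" assumed to be RLO/PDF.
SAMPLE = "De\u202era\u202c orcon.net.nz M\u202erebme\u202c,"

if __name__ == "__main__":
    print(find_bidi_controls(SAMPLE))
    print("stored:   ", as_stored(SAMPLE))
    print("displayed:", as_displayed(SAMPLE))
    print("flagged:  ", looks_obfuscated(SAMPLE))
```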


  2. >
    > http://orcon.net.nz/eE9f9OryBEEdW6zXMyyMh3wgRmCKsXBtpshop2lx2H6SvU0QteDPemawk4kk0
    >
    >
    >


    http://orcon.net.nz/OlsQD2UwvbRdoAnNYptGPio67KxwpCbPO9dzL9yu22QBbqF1A3jHZ2J5e106y4

    actually is a link to

    http://www.google.lv/url?q=http://sTaNdARtzA.cOm/c gi-bin /poch/redir .c gi?s=orcon.net.nz

    redirects to:

    http://sTaNdARtzA.cOm/c gi-bin /poch/redir .c gi?s=orcon.net.nz

    redirects to Orcon's Server..

    Strange.. doesn't seem to actually do anything ... (or I may be wrong)

    They seemed to stop at 11am this morning.

    Thanks
    Craig
     
    Craig Whitmore, Nov 11, 2005
    #2
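
Added example, not part of the original posts: a static check for the pattern described in post #2, where the link text shows one host while the href points at a search-engine redirector that wraps a further URL. The hosts in the sample are constructed placeholders (`search.example`, `ReDiRecTor.Example`, `isp.example`), and nothing is fetched over the network.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    return (urlsplit(url).hostname or "").lower()

def unwrap(url, max_depth=5):
    """List the URL plus any URLs nested in its query string (no network I/O)."""
    chain = [url]
    while len(chain) <= max_depth:
        nested = [v for _, v in parse_qsl(urlsplit(chain[-1]).query)
                  if v.lower().startswith(("http://", "https://"))]
        if not nested:
            break
        chain.append(nested[0])
    return chain

def audit_links(html):
    """Flag anchors whose visible URL names a host other than the href's."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        hosts = [host(u) for u in unwrap(href)]
        if text.lower().startswith("http") and host(text) != hosts[0]:
            findings.append({"shown": host(text), "chain": hosts})
    return findings

# Constructed sample: placeholder hosts, same shape as the chain in the post.
SAMPLE_HTML = ('<a href="http://search.example/url?q=http://ReDiRecTor.Example/r?s=isp.example">'
               'http://isp.example/AbC123</a>')

if __name__ == "__main__":
    print(audit_links(SAMPLE_HTML))
```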

  3. ~misfit~

    ~misfit~ Guest

    ~misfit~ wrote:

    <snip>

    > The plain-text email was blank, with an HTML attachment. AVG7 gave it
    > a clean bill of health so, contents of the HTML attachment follow:
    >
    > "De?ra? orcon.net.nz M?rebme?,
    >
    > We must ch?kce? t?ah?t y?ruo? orcon.net.nz ID was r?eretsige?d by
    > re?la? p?oe?ple. So, to he?pl? orcon.net.nz pre?tnev? a?detamotu?
    > regist?itar?ons, pl?ae?se cli?kc? on th?si? li?kn? and com?lp?ete
    > co?ed? verifi?noitac? pr?seco?s:
    >
    > http://orcon.net.nz/eE9f9OryBEEdW6zXMyyMh3wgRmCKsXBtpshop2lx2H6SvU0QteDPemawk4kk0
    >
    > Th?kna? you"
    >
    > ++++++++++++++++++++++++++++
    >
    > Wow!! Weirdness! When I clicked the HTML link and it opened in
    > Firefox it was all garbled. When I highlighted it and cut'n'pasted
    > here it came out perfectly. Here it is cut'n'pasted into notepad,
    > where it looked a mess, then here:


    Even more weirdness. Now I read my post the text *is* all garbled. In the
    post I sent it wasn't. WTF is going on?

    Colour me confused.
    --
    ~misfit~
     
    ~misfit~, Nov 11, 2005
    #3
