by ampman
Mon May 05, 2014 6:34 am
I need to know more about sender of the following email. I suspect he's phishing for my password.
Delivered-To: [email protected]
Received: by 10.96.131.198 with SMTP id oo6csp119678qdb;
Mon, 5 May 2014 01:50:03 -0700 (PDT)
X-Received: by 10.42.201.212 with SMTP id fb20mr1559396icb.56.1399279802890;
Mon, 05 May 2014 01:50:02 -0700 (PDT)
Return-Path: <[email protected]>
Received: from nm2-vm1.bullet.mail.ne1.yahoo.com (nm2-vm1.bullet.mail.ne1.yahoo.com. [98.138.91.33])
by mx.google.com with ESMTPS id b4si5089095icf.12.2014.05.05.01.50.02
for <[email protected]>
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Mon, 05 May 2014 01:50:02 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 98.138.91.33 as permitted sender) client-ip=98.138.91.33;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of [email protected] designates 98.138.91.33 as permitted sender) [email protected];
dkim=pass [email protected];
dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com
Received: from [98.138.100.111] by nm2.bullet.mail.ne1.yahoo.com with NNFMP; 05 May 2014 08:50:02 -0000
Received: from [98.138.89.163] by tm100.bullet.mail.ne1.yahoo.com with NNFMP; 05 May 2014 08:50:02 -0000
Received: from [127.0.0.1] by omp1019.mail.ne1.yahoo.com with NNFMP; 05 May 2014 08:50:02 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: [email protected]
Received: (qmail 40284 invoked by uid 60001); 5 May 2014 08:50:02 -0000
Received: from [41.138.178.108] by web124705.mail.ne1.yahoo.com via HTTP; Mon, 05 May 2014 01:50:01 PDT
X-Rocket-MIMEInfo:
X-Mailer: YahooMailWebService/0.8.188.663
References: <CAH-ugKa6Ru+E-ZDt-p2+4qz-8dgg0HL+7EWHs0FMnNDONB_1qw@mail.gmail.com> <[email protected]> <CAH-ugKaUGy0ddtntGOTicP3SFTyJ2NJU65SHKwPGjVFttF-1Jw@mail.gmail.com> <[email protected]> <CAH-ugKY_ZUr+r=V1J=jdqkgjYVwbsh6uFTH+QjpBGGmC8tMPiA@mail.gmail.com> <CAH-ugKbVAgjzG5f7vBasM5Dn0sPiiEBFBK8nTCQLmHxstTpAMw@mail.gmail.com> <[email protected]> <CAH-ugKapvA8UN792nVBD417N9-XkjZySD-c6U+BeF=EBwTd29A@mail.gmail.com>
Message-ID: <[email protected]>
Date: Mon, 5 May 2014 01:50:01 -0700 (PDT)
From: Samuel Gibson <[email protected]>
Reply-To: Samuel Gibson <[email protected]>
Subject: GOOD NEWS- TRANSFER DOCUMENTS
To: ZZZZZZ <[email protected]>
In-Reply-To: <CAH-ugKapvA8UN792nVBD417N9-XkjZySD-c6U+BeF=EBwTd29A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="578871877-204992688-1399279801=:84224"
He asked me to click on a link whose domain name is prroduct.weis.pw
Whois.com provides this domain name info:
Domain ID:CNIC-DO2158715
Domain Name:WEIS.PW
Created On:2014-03-11T01:35:00.0Z
Last Updated On:2014-03-16T01:42:10.0Z
Expiration Date:2015-03-11T23:59:59.0Z
Status:clientTransferProhibited
Status:serverTransferProhibited
Registrant ID:H280468
Registrant Name:Domain Admin
Registrant Organization:PrivacyProtect.org
Registrant Street1:ID#10760, PO Box 16
Registrant Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant City:Nobby Beach
Registrant Postal Code:QLD 4218
Registrant Country:AU
Registrant Phone:+45.36946676
Registrant Email:[email protected]
Admin ID:H280468
Admin Name:Domain Admin
Admin Organization:PrivacyProtect.org
Admin Street1:ID#10760, PO Box 16
Admin Street2:Note - All Postal Mails Rejected, visit Privacyprotect.org
Admin City:Nobby Beach
Admin Postal Code:QLD 4218
Admin Country:AU
Admin Phone:+45.36946676
etc....
=============================================
The domain was only recently established! Supposedly to steal people's passwords via a phishing website:
http:// prroduct .weis.pw /viewer .php?l=_JeHFU q_VJOXK0QWHtoGYDw_Product-UserID& userid=scammer @gmail.com
That website decidedly needs to be reported as malicious. It claimed to be a Google Docs website with very real logos of known companies using its cloud service.
Scammers don't stop at anything and are becoming good website designers!
Last edited by Bryon Williams on Mon May 05, 2014 2:48 pm, edited 1 time in total.
Reason: Disable possible malicious link.
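The header block in the post is the evidence that actually answers the question. The following script is an added example written for this page (not code from the forum, from Google or from Yahoo): it unfolds the headers, walks the Received: chain bottom-up to the first globally routable source address, and reads the spf/dkim/dmarc verdicts out of Authentication-Results. The embedded header block is the one quoted above with RFC 5322 folding restored and the redacted addresses replaced by constructed placeholders; the property names smtp.mail and header.i are assumed, since the extraction stripped them.

```python
"""Walk the Received: chain and Authentication-Results: of a raw header block.

Added example for the post above; not code from the forum or any mail provider.
"""
import ipaddress
import re

# Constructed sample: the post's headers, re-folded; addresses are placeholders.
SAMPLE_HEADERS = """\
Delivered-To: redacted-victim@gmail.com
Received: by 10.96.131.198 with SMTP id oo6csp119678qdb;
        Mon, 5 May 2014 01:50:03 -0700 (PDT)
Return-Path: <redacted-sender@yahoo.com>
Received: from nm2-vm1.bullet.mail.ne1.yahoo.com (nm2-vm1.bullet.mail.ne1.yahoo.com. [98.138.91.33])
        by mx.google.com with ESMTPS id b4si5089095icf.12.2014.05.05.01.50.02
        for <redacted-victim@gmail.com>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Mon, 05 May 2014 01:50:02 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of redacted-sender@yahoo.com designates 98.138.91.33 as permitted sender) smtp.mail=redacted-sender@yahoo.com;
       dkim=pass header.i=@yahoo.com;
       dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com
Received: from [98.138.100.111] by nm2.bullet.mail.ne1.yahoo.com with NNFMP; 05 May 2014 08:50:02 -0000
Received: from [98.138.89.163] by tm100.bullet.mail.ne1.yahoo.com with NNFMP; 05 May 2014 08:50:02 -0000
Received: from [127.0.0.1] by omp1019.mail.ne1.yahoo.com with NNFMP; 05 May 2014 08:50:02 -0000
Received: (qmail 40284 invoked by uid 60001); 5 May 2014 08:50:02 -0000
Received: from [41.138.178.108] by web124705.mail.ne1.yahoo.com via HTTP; Mon, 05 May 2014 01:50:01 PDT
X-Mailer: YahooMailWebService/0.8.188.663
From: Samuel Gibson <redacted-sender@yahoo.com>
Reply-To: Samuel Gibson <redacted-sender@yahoo.com>
Subject: GOOD NEWS- TRANSFER DOCUMENTS
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw):
    """Unfold RFC 5322 headers into an ordered list of (name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header section
        if line[0] in " \t" and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def received_hops(headers):
    """Pull from/by/with and the bracketed source IP out of each Received: line."""
    hops = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        frm = re.search(r"\bfrom\s+(\S+)", value)
        ip = IP_RE.search(value)
        by = re.search(r"\bby\s+(\S+)", value)
        via = re.search(r"\b(?:with|via)\s+(\S+)", value)
        hops.append({
            "from": frm.group(1) if frm else None,
            "from_ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "with": via.group(1).rstrip(";") if via else None,
        })
    return hops


def originating_ip(hops):
    """Received: lines are prepended, so the last one is the earliest hop.
    Walk upward from it and return the first globally routable source IP."""
    for hop in reversed(hops):
        ip = hop["from_ip"]
        if ip and ipaddress.ip_address(ip).is_global:
            return ip
    return None


def auth_results(headers):
    """Map each method in Authentication-Results: to its result, e.g. spf -> pass."""
    results = {}
    for name, value in headers:
        if name.lower() != "authentication-results":
            continue
        # clause 0 is the authserv-id (mx.google.com); the rest are method=result ...
        for clause in value.split(";")[1:]:
            m = re.match(r"\s*(\w+)=(\w+)", clause)
            if m:
                results[m.group(1).lower()] = m.group(2).lower()
    return results


def assess(raw):
    """Summarise where the message entered the mail system and how it authenticated."""
    headers = parse_headers(raw)
    hops = received_hops(headers)
    auth = auth_results(headers)
    first = hops[-1] if hops else None
    return {
        "originating_ip": originating_ip(hops),
        "submitted_via_webmail": bool(first and first["with"] == "HTTP"),
        "hop_count": len(hops),
        "auth": auth,
        "all_auth_pass": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
    }


if __name__ == "__main__":
    for key, val in assess(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

Read the result the way an incident responder would. The bottom hop, "from [41.138.178.108] ... via HTTP", is the client that was logged into Yahoo's webmail when the message was composed; every hop above it was stamped by Yahoo's own relays and then by mx.google.com. Hops are only as trustworthy as the server that added them, so anchor on the first one written by infrastructure you trust (Google's MX here) and work downward; a sender running their own MTA can stamp arbitrary lines beneath it. The three passes mean the message genuinely left Yahoo's servers for a yahoo.com From address, which rules out a forged sender domain but says nothing about the content: a phish sent from a real (or compromised) account passes SPF, DKIM and DMARC just as cleanly, and the References: chain shows this one arrived as a reply inside an existing thread.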