IP Address Inspector

ATTENTION
  • This IP has not seen any suspicious activity within the last 3 months. This IP is most likely clean and trustworthy now. (This record will remain public for historical purposes, however.)

195.121.247.22 | Spam Server | Dictionary Attacker

The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server and dictionary attacker. Below we've reported some other data associated with this IP. This interrelated data helps map spammers' networks and aids in law enforcement efforts. If you know something about this IP, please leave a comment.


Geographic Location: Netherlands (Utrecht)

First Received From: approximately 17 years, 1 month, 2 weeks ago
Last Received From: within 13 years, 5 months, 3 weeks
Number Received: 230 email(s) sent from this IP

Dictionary Attacks: 15 email(s) sent from this IP
First Received From: approximately 15 years, 1 month, 4 weeks ago
Last Received From: within 13 years, 6 months, 5 weeks

Associated Harvesters
IPs In The Neighborhood
Example Messages Sent From 195.121.247.22
Subject: NOTICE
Subject: Brev
Subject: Brev
Example User Names Used By 195.121.247.22
User-name: fdsr
User-name: mlcherrigeister
User-name: ruffled
User-name: heavedow20
User-name: softlyfth23
User-name: hydraulicso3
User-name: houndsuq276
User-name: gastrichx75
User-name: neremohc
User-name: nerenefu
User-name: flossie.d.daguio
User-name: ivey.e.hoysradt
User-name: latashasfarness
User-name: penelope_pocius
User-name: selma.bakker
P.Hauser commented...
Received some Criminal Phishing Fraud from this Dutch IP. The fraudulent link in the SPAM points to a server with hostname

fondolinux.fondolisiados.gob.sv

in El Salvador / San Salvador. San Salvador was chosen because it does not own WHOIS servers. We'll come back to that later.

The following harvesters for this fraudulent spammer can be confirmed from here so far, from within CIDR /24 ranges:

62.194.11.96 - - [06/May/2005:09:21:06 +0200] "GET /[Imprint] HTTP/1.1" 200 48421 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

62.194.11.96 - - [06/May/2005:10:30:03 +0200] "GET / HTTP/1.1" 302 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
62.194.11.96 - - [06/May/2005:10:30:08 +0200] "GET /[URL] HTTP/1.1" 200 66207 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

62.194.11.96 - - [01/Jul/2005:22:35:55 +0200] "GET / HTTP/1.1" 302 214 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
62.194.11.96 - - [01/Jul/2005:22:35:58 +0200] "GET / HTTP/1.1" 200 66075 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"

62.194.11.96 - - [09/Jul/2005:12:40:43 +0200] "GET / HTTP/1.1" 302 214 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
62.194.11.96 - - [09/Jul/2005:12:40:46 +0200] "GET / HTTP/1.1" 200 66069 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"

62.194.11.221 - - [24/Nov/2006:02:10:59 +0100] "GET / HTTP/1.1" 200 66560 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

62.194.11.221 - - [02/Feb/2007:19:52:10 +0100] "GET / HTTP/1.1" 200 66555 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Different frauds from this server were already published at

http://www.phishtank.com/phish_detail.php?phish_id=318302&frame=site
http://www.siteadvisor.com/sites/fondolinux.fondolisiados.gob.sv/postid/?p=470170

Check GOOGLE for that issue.
September 13 2007 09:06 AM

P.Hauser commented...
Here's the fraud in two parts. The header:

Return-Path: (onlinebanking@bankofamerica.com)
Received: from xx (xx)
by xx with LMTP; Thu, 13 Sep 2007 00:31:10 +0200
X-Sieve: CMU Sieve 2.2
Received: from psmtp08.wxs.nl ([195.121.247.22]) by xx
with esmtp id 1IVajZ-10m6Ea0; Thu, 13 Sep 2007 00:30:57 +0200
Received: from server02.Doxa.nl ([194.121.79.169])
by psmtp08.wxs.nl (iPlanet Messaging Server 5.2 HotFix 2.15 (built Nov 14
2006)) with ESMTP id (0JOA005YT17KXH@psmtp08.wxs.nl) for xx@xx;
Thu, 13 Sep 2007 00:30:57 +0200 (MEST)
Received: from User ([216.138.96.71]) by server02.Doxa.nl with Microsoft
SMTPSVC(6.0.3790.1830); Thu, 13 Sep 2007 00:28:36 +0200
Date: Wed, 12 Sep 2007 17:31:07 -0500
From: Bank Of America (onlinebanking@bankofamerica.com)
Subject: Bank Of America Online
Bcc:
Reply-to: onlinebanking@bankofamerica.com
Message-id: (SERVER028zQXKXJs0sB00006075@server02.Doxa.nl)

X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: text/html; charset=iso-8859-1
Content-transfer-encoding: 7BIT
X-Priority: 3
X-MSMail-priority: Normal
X-OriginalArrivalTime: 12 Sep 2007 22:28:36.0125 (UTC)
FILETIME=[426154D0:01C7F58C]
X-TOI-SPAM: u;0;2007-09-12T22:31:10Z
X-TOI-VIRUSSCAN: unchecked
X-TOI-MSGID: 7e10b3c6-8f1e-4825-85e2-cba546877d00
X-Seen: false
X-ENVELOPE-TO: (xx@xx)
[...]
September 13 2007 06:05 AM

P.Hauser commented...
Here's the body with the fraud:

(body)
(table HTML)
(tr)
(td HTML) (HTML)(HTML)Bank Of America Online® Department Notice(HTML) (HTML) (p)(br)
(HTML)You have received this email because you or someone had used your account from different locations. (br)
For security purpose, we are required to open an investigation into this matter. (br)
(br)
In order to safeguard your account, we require that you confirm your banking details. (br)
To help speed up this process, please access the following link so we can complete the verification of (br)
your Bank Of America Online® Banking Account registration information :(/span) (/p)
(p)(HTML)(HTML)(a href="http://fondolinux.fondolisiados.gob.sv/logs/online/update/update.html" target="_blank")http://www.bankofamerica.com/state.cgi?section=signin&update(/a)(/span)(/strong)(br)
(br)
(/p)
(table HTML)
(tr)
(td HTML)Please Note: (br)
If we do no receive the appropriate account verification within 48 hours, then we will assume this Bank Of America account is fraudulent and will be suspended. The purpose of this verification is to ensure that your bank account has not been fraudulently used and to combat the fraud from our community. (HTML)(/td)
(/tr)
(/table)
(p HTML)We appreciate your support and understanding and thank you for your prompt attention to this matter. (br)
(br)
Regards,(br)Bank Of America - Bank Of America Online® Banking Department (/p)
(table HTML)
(tr)
(td)(HTML)(HTML)Please do not reply to this email as this is only a notification. Mail sent to this address cannot be answered. (HTML)(HTML)(/td)
(/tr)
(/table)
(HTML)Bank of America, N.A. Member FDIC. Equal Housing Lender (br)
© 2007 Bank of America Corporation. All rights reserved. (/p) (/td)
(/tr)
(/table)
(/body)
(/html)
September 13 2007 06:04 AM

P.Hauser commented...
Hostname fondolisiados.gob.sv and fraudulent subdomain fondolinux.fondolisiados.gob.sv point to IP 168.243.199.98. If you check whois.lacnic.net you receive this range and owner:

168.243.0.0 - 168.243.255.0

SVNet
Bulevar Los Próceres, 1,
0 - San Salvador - SS
El Salvador
+503 2106636 []

Rafael Ibarra
ribarra@DI.UCA.EDU.SV
Bulevar Los Próceres, 0,
0 - San Salvador - SS
El Salvador
phone: +503 2106636 []

SV-SVNE1-LACNIC
Erstellt: 20-Sep-1994
Aktualisiert: 08-Jul-1996
Quelle: whois.lacnic.net

This points to http://di.uca.edu.sv/ in San Salvador. El Salvador has no WHOIS servers. Its root-zone information can be read at http://www.iana.org/root-whois/sv.htm . From there you go to the registration services at http://www.svnet.org.sv/ . There choose "Consulta de Dominios (Whois)" and "Consulta de datos generales". You reach a form to enter the subdomain fondolisiados.gob.sv at http://www.svnet.org.sv/registro/consultas/whois.php and receive the following:

Subdominio http://www.fondolisiados.gob.sv/
Contacto Administrativo Lic. Nora Idalia Rodriguez Polanco de Ayala
Correo Electrónico administracion@fondolisiados.gob.sv
Teléfono 2280-8401
Fecha Vigencia 15-12-2007
Fecha Baja 14-01-2008

168.243.199.98 AKA fondolisiados.gob.sv is currently listed in APEWS :
Entry matching your Query: E-280497
168.243.199.0/24
CASE: C-925
AS12127 SV, ISP permits abuse and/or ignores criminal activity
Special Reason:
ISP permits abuse and/or ignores criminal activity
History:
Entry created 2007-07-31
September 13 2007 06:03 AM

Page generated on: April 24 2024 12:09:06 PM
Copyright © 2004–24, Unspam Technologies, Inc. All rights reserved.