IP Address Inspector
195.121.247.22
The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server and dictionary attacker. Below we've reported some other data associated with this IP. This interrelated data helps map spammers' networks and aids in law enforcement efforts. If you know something about this IP, please leave a comment.
| Field | Value |
| --- | --- |
| Geographic Location | Netherlands (Utrecht) |
| First Received From | approximately 17 years, 1 month, 2 weeks ago |
| Last Received From | within 13 years, 5 months, 3 weeks |
| Number Received | 230 email(s) sent from this IP |
| Dictionary Attacks | 15 email(s) sent from this IP |
| First Received From | approximately 15 years, 1 month, 4 weeks ago |
| Last Received From | within 13 years, 6 months, 5 weeks |
4 comment(s)
P.Hauser commented...
Received some Criminal Phishing Fraud from this Dutch IP. The fraudulent link in the SPAM points to a server with hostname fondolinux.fondolisiados.gob.sv in El Salvador / San Salvador. San Salvador was chosen because it does not own WHOIS-Servers. We'll come back to that later. The following harvesters for this fraudulent spammer can be confirmed from here so far from within CIDR-24-ranges:

62.194.11.96 - - [06/May/2005:09:21:06 +0200] "GET /[Imprint] HTTP/1.1" 200 48421 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
62.194.11.96 - - [06/May/2005:10:30:03 +0200] "GET / HTTP/1.1" 302 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
62.194.11.96 - - [06/May/2005:10:30:08 +0200] "GET /[URL] HTTP/1.1" 200 66207 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
62.194.11.96 - - [01/Jul/2005:22:35:55 +0200] "GET / HTTP/1.1" 302 214 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
62.194.11.96 - - [01/Jul/2005:22:35:58 +0200] "GET / HTTP/1.1" 200 66075 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
62.194.11.96 - - [09/Jul/2005:12:40:43 +0200] "GET / HTTP/1.1" 302 214 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
62.194.11.96 - - [09/Jul/2005:12:40:46 +0200] "GET / HTTP/1.1" 200 66069 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
62.194.11.221 - - [24/Nov/2006:02:10:59 +0100] "GET / HTTP/1.1" 200 66560 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
62.194.11.221 - - [02/Feb/2007:19:52:10 +0100] "GET / HTTP/1.1" 200 66555 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Different frauds from this server were already published at http://www.phishtank.com/phish_detail.php?phish_id=318302&frame=site and http://www.siteadvisor.com/sites/fondolinux.fondolisiados.gob.sv/postid/?p=470170. Check GOOGLE for that issue.

September 13 2007 09:06 AM
P.Hauser commented...
Here's the fraud in two parts. The header:
Return-Path: (onlinebanking@bankofamerica.com)
Received: from xx (xx) by xx with LMTP; Thu, 13 Sep 2007 00:31:10 +0200
X-Sieve: CMU Sieve 2.2
Received: from psmtp08.wxs.nl ([195.121.247.22]) by xx with esmtp id 1IVajZ-10m6Ea0; Thu, 13 Sep 2007 00:30:57 +0200
Received: from server02.Doxa.nl ([194.121.79.169]) by psmtp08.wxs.nl (iPlanet Messaging Server 5.2 HotFix 2.15 (built Nov 14 2006)) with ESMTP id (0JOA005YT17KXH@psmtp08.wxs.nl) for xx@xx; Thu, 13 Sep 2007 00:30:57 +0200 (MEST)
Received: from User ([216.138.96.71]) by server02.Doxa.nl with Microsoft SMTPSVC(6.0.3790.1830); Thu, 13 Sep 2007 00:28:36 +0200
Date: Wed, 12 Sep 2007 17:31:07 -0500
From: Bank Of America (onlinebanking@bankofamerica.com)
Subject: Bank Of America Online
Bcc:
Reply-to: onlinebanking@bankofamerica.com
Message-id: (SERVER028zQXKXJs0sB00006075@server02.Doxa.nl)
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: text/html; charset=iso-8859-1
Content-transfer-encoding: 7BIT
X-Priority: 3
X-MSMail-priority: Normal
X-OriginalArrivalTime: 12 Sep 2007 22:28:36.0125 (UTC) FILETIME=[426154D0:01C7F58C]
X-TOI-SPAM: u;0;2007-09-12T22:31:10Z
X-TOI-VIRUSSCAN: unchecked
X-TOI-MSGID: 7e10b3c6-8f1e-4825-85e2-cba546877d00
X-Seen: false
X-ENVELOPE-TO: (xx@xx)
[...]

September 13 2007 06:05 AM
P.Hauser commented...
Here's the body with the fraud:
Bank Of America Online® Department Notice

You have received this email because you or someone had used your account from different locations.
For security purpose, we are required to open an investigation into this matter.

In order to safeguard your account, we require that you confirm your banking details.
To help speed up this process, please access the following link so we can complete the verification of
your Bank Of America Online® Banking Account registration information :

(a href="http://fondolinux.fondolisiados.gob.sv/logs/online/update/update.html" target="_blank")http://www.bankofamerica.com/state.cgi?section=signin&update(/a)

Please Note:
If we do no receive the appropriate account verification within 48 hours, then we will assume this Bank Of America account is fraudulent and will be suspended. The purpose of this verification is to ensure that your bank account has not been fraudulently used and to combat the fraud from our community.

We appreciate your support and understanding and thank you for your prompt attention to this matter.

Regards,
Bank Of America - Bank Of America Online® Banking Department

Please do not reply to this email as this is only a notification. Mail sent to this address cannot be answered.

Bank of America, N.A. Member FDIC. Equal Housing Lender
© 2007 Bank of America Corporation. All rights reserved.

September 13 2007 06:04 AM
P.Hauser commented...
Hostname fondolisiados.gob.sv and fraudulent subdomain fondolinux.fondolisiados.gob.sv point to IP 168.243.199.98. If you check whois.lacnic.net you receive this range and owner:
168.243.0.0 - 168.243.255.0
SVNet
Bulevar Los Próceres, 1, 0 - San Salvador - SS
El Salvador
+503 2106636 []
Rafael Ibarra
ribarra@DI.UCA.EDU.SV
Bulevar Los Próceres, 0, 0 - San Salvador - SS
El Salvador
phone: +503 2106636 []
SV-SVNE1-LACNIC
Erstellt: 20-Sep-1994
Aktualisiert: 08-Jul-1996
Quelle: whois.lacnic.net

This points to http://di.uca.edu.sv/ in San Salvador. El Salvador has no WHOIS-servers. Its Root-Zone Information can be read at http://www.iana.org/root-whois/sv.htm . From there you go to the registration services at http://www.svnet.org.sv/ . There choose "Consulta de Dominios (Whois)" and "Consulta de datos generales". You reach a form to enter the subdomain fondolisiados.gob.sv at http://www.svnet.org.sv/registro/consultas/whois.php and receive the following:

Subdominio: http://www.fondolisiados.gob.sv/
Contacto Administrativo: Lic. Nora Idalia Rodriguez Polanco de Ayala
Correo Electrónico: administracion@fondolisiados.gob.sv
Teléfono: 2280-8401
Fecha Vigencia: 15-12-2007
Fecha Baja: 14-01-2008

168.243.199.98 AKA fondolisiados.gob.sv is currently listed in APEWS:

Entry matching your Query: E-280497 168.243.199.0/24
CASE: C-925 AS12127 SV, ISP permits abuse and/or ignores criminal activity
Special Reason: ISP permits abuse and/or ignores criminal activity
History: Entry created 2007-07-31

September 13 2007 06:03 AM
Page generated on: April 24 2024 12:09:06 PM