[SC-Help]
Re: [webforum][bank phish]My brand new domain is blacklisted
Mike Easter
MikeE at ster.invalid
Wed Dec 21 16:27:44 EST 2005
John E. Malmberg wrote:
> On the webforum, on the topic "My brand new domain is blacklisted",
> the evidence posted looks like a phishing scam is being run through
> the server.
The thread is here^1, with a few interesting remarks beside the topic.
^1
http://forum.spamcop.net/forums/index.php?s=960be7584b771724d0387f3d53d6aaee&showtopic=5646
or http://snipurl.com/kva7
// your forum registration was delivered to my gmail spam folder, hehe
the irony of it //
I have never had a false positive gmailspam tag; it's hard to imagine
how a SC reg would trip a gmail spamtag.
62.214.98.16 rDNS ftp.servage.net is the target in question, currently
no longer listed, and the poster's domain is bookwarez.org whose MX and
output servers are servage which has 8 output servers in senderbase, 1
in CBL, and 1 in SCbl, not the OP IP.
Website frontpage http://www.bookwarez.org/
> From what I have seen on other forums, there is a high probability
> that the criminal running the scam may have found a security hole
> that grants them administrative control of it and possibly other
> servers at the same site.
62.214.98.32 is the IP for 232 domains in the webhosting source I
looked at, which doesn't even have bookwarez listed there yet.
Servage the provider has a /24 at
inetnum: 62.214.98.0 - 62.214.98.255
netname: VTC-SERVAGEFL
routed by Versatel
route: 62.214.0.0/16
descr: Versatel Deutschland
origin: AS8881
> Apparently this phishing scam was started 4 days ago according to the
> posted spamcop report history.
Sightings has some of the Barclay's phish if you want to see them
http://snipurl.com/kzag
The messages show that they were received from IPs foreign to the
servage server and smtp stamped, like an open smtp relay or an insecure
webserver. Running the regular abuse.net script on the server doesn't
demonstrate an open smtp relay on the Postfix server, so it is probably
some insecure webserving function.
> The original poster should ask their hosting company why they have
> allowed a criminal to be using their server for sending bank account
> phishes for well over 72 hours.
Servage's website is here http://www.servage.net/ which shows how many
webservice functions they offer. Maybe one of their clients is abusing
servage's system.
--
Mike Easter
kibitzer, not SC admin
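
Added example, not part of the original post: one way to check a reported message for the pattern described above, where a host inside the provider's /24 stamps a Received line for a peer outside it. The sample headers, host names and the 198.51.100.77 peer are constructed; only the /24 and 62.214.98.16 come from the post.

```python
import ipaddress
import re
from email import message_from_string

# The provider /24 quoted in the post (inetnum 62.214.98.0 - 62.214.98.255).
PROVIDER_NET = ipaddress.ip_network("62.214.98.0/24")

# Constructed sample headers, newest hop first. Host names and the
# 198.51.100.77 documentation address are made up for illustration.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [62.214.98.16])
\tby mx.recipient.example with ESMTP id AAA111; Wed, 21 Dec 2005 10:00:05 -0500
Received: from unknown (unknown [198.51.100.77])
\tby mail.example.net (Postfix) with SMTP id BBB222; Wed, 21 Dec 2005 10:00:01 -0500
Subject: constructed sample
From: sender@example.org

body
"""

# "from <helo> (<rdns> [<ip>]) by <host>" as Postfix-style MTAs write it.
HOP = re.compile(
    r"from\s+\S+\s+\([^\[]*\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)", re.S)

def hops(raw):
    """Return (peer_ip, stamping_host) for each Received header, newest first."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m:
            out.append((ipaddress.ip_address(m.group("ip")), m.group("by")))
    return out

def foreign_handoffs(raw, net=PROVIDER_NET):
    """Hops where a host inside `net` accepted mail from a peer outside it."""
    chain = hops(raw)
    found = []
    # The host that stamped the older hop shows up as the peer of the newer hop.
    for newer, older in zip(chain, chain[1:]):
        stamper_ip, peer_ip = newer[0], older[0]
        if stamper_ip in net and peer_ip not in net:
            found.append((str(peer_ip), older[1], str(stamper_ip)))
    return found

if __name__ == "__main__":
    for peer, host, ip in foreign_handoffs(SAMPLE):
        print(f"{host} [{ip}] accepted mail from outside peer {peer}")
```

Only the Received line written by the receiving server itself is trustworthy; older lines can be forged by the sender, so a hit here is a lead to confirm against the server's own mail logs.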