
[SpamCop-List] Re: Even more elusive phishes ... and SpamCop missed 'em

spamacyde mwnospam at comcast.net
Sun Aug 14 09:30:12 EDT 2005


What would it take to get kornet black holed?

"J G" <anon at coks.net> wrote in message news:ddl0fm$gkv$1 at news.spamcop.net...
> On 8/12/2005 3:25 PM George Langford, Sc.D. scribbled:
>
> > This morning I LART'ed a bunch of folks about this phish:
> > http://www.spamcop.net/sc?id=z795535919zae2ec8dd5c434f95e3cae21de4945dbez
> > and then this afternoon I got another, with the same URL:
> > http://www.spamcop.net/sc?id=z795623485zef6253f4225790672d6703da7e6758e1z
> >
> > Both of these contained a twisted URL if I ever saw one:
> > http://www.google.de/url?sa=U&start=4&q=http://218.158.9.7/webmail/java/index.php
> >
> > Spamcop resolutely refused to notify Google.de about this URL
> > (as did I, as Google has nothing to do with the phishing site).
> >
> > But I did get hysterical about this tagalong URL:
> > http://218.158.9.7/webmail/java/index.php
> > Which is where the real code is (still).
> >
> > When I TraceRT'ed the IP address (218.158.9.7), I got evidence
> > of a redirect to svr135.datacom.co.kr (218.54.195.135) so I sent
> > my LART's to: abuse at svr135.datacom.co.kr, postmaster at svr135.datacom.co.kr,
> > spamcop at kisa.or.kr, spoof at millersmiles.co.uk, and spam at uce.gov.
> > That list was based in part on this result from CompleteWhoIs:
> >
> >>[OTHER (whois.abuse.net) whois information for SVR135.DATACOM.CO.KR ]
> >>[whois.abuse.net]
> >>abuse at svr135.datacom.co.kr (for kr)
> >>postmaster at svr135.datacom.co.kr (for kr)
> >>spamcop at kisa.or.kr (for kr)
> >
> >
> > This afternoon I got another, seemingly identical phish,
> > but now the TraceRT goes this way: traceroute to 218.158.9.7 ...
> > which is a wholly different pathway.  Not even close.
> >
> > However, EasyWhoIs and WhoIs.SC tell me to look here:
> >
> >>remarks:      http://whois.nida.or.kr/english/index.html
> >
> > Where I find for 218.158.9.7:
> >
> >>IPv4 Address       : 218.158.9.0-218.158.9.255
> >>Network Name       : KORNET-EXPRESS2003297921
> >>Connect ISP Name   : KORNET
> >>Connect Date       : 20031204
> >>Registration Date  : 20040115
> >>... snippage ...
> >>[ Admin Contact Information]
> >>Name               : sujin nam
> >>Org Name           : ubangjeongbokisul
> >>State              : TAEGU
> >>Address            : jeonsansil ubangraendeu ho 0011 beonji 0302 duryou2dong dalseoku
> >>Zip Code           : 704-062
> >>Phone              : +82-53-740-9196
> >>E-Mail             : bluerose at kt.co.kr
> >>... snippage ...
> >>If the above contacts are not reachable, please see the following
> >>ISP contacts for further information or network abuse.
> >>[ ISP IPv4 Admin Contact Information ]
> >>Name               : IP Administrator
> >>Phone              : +82-2-3674-5708
> >>Fax                : +82-2-747-8701
> >>E-Mail             : ip at ns.kornet.net
> >
> >
> > amenex
> >
>
> forward that to spoof at ebay.com as well. if you still have it and haven't
> done so already...
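
Added example, not part of the original thread or of SpamCop's own code: a Python sketch that unwraps a redirector link like the google.de/url?...&q=http://... one quoted above, with no network access, so the embedded host is the one looked up for abuse contacts. The function names and the second sample URL are constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qsl, unquote, urlsplit

def embedded_urls(url):
    """Return absolute http(s) URLs carried in the query parameters of url."""
    found = []
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = unquote(value)  # tolerate a double-encoded target
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.hostname:
            found.append(value)
    return found

def unwrap(url, max_depth=5):
    """Peel redirector wrappers offline; return the URL chain, outermost first."""
    chain = [url]
    while len(chain) <= max_depth:
        inner = embedded_urls(chain[-1])
        if not inner:
            break
        chain.append(inner[0])
    return chain

def is_ip_literal(url):
    """True when the URL's host is a bare IP address instead of a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def report_hosts(url):
    """Hosts to look up for abuse contacts: final target first, wrappers after."""
    return [urlsplit(u).hostname for u in reversed(unwrap(url))]

# URL quoted in the post above.
PHISH = ("http://www.google.de/url?sa=U&start=4&q="
         "http://218.158.9.7/webmail/java/index.php")
# Constructed sample: double-encoded target on a documentation address.
ENCODED = "http://redirect.example/out?u=http%253A%252F%252F192.0.2.10%252Flogin"

if __name__ == "__main__":
    for sample in (PHISH, ENCODED):
        target = unwrap(sample)[-1]
        print(report_hosts(sample), "IP-literal target:", is_ip_literal(target))
```

An unencoded "&" inside the embedded URL ends the parameter early, so a target that carries its own query string may come back truncated; the host is still recovered.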



