
Spammers Using Hak5 Email Addresses?

Guest Deleted_Account

Just wanted to give a heads up to the community, as I just got a second scam/spam email from "darren@hak5.org", except with some minor flaws. But here's a snapshot and the headers (although Gmail strips the info, but just in case):

Delivered-To: shadowdavidson@gmail.com
Received: by 10.216.202.79 with SMTP id c57cs205302weo;
        Mon, 9 Aug 2010 10:46:00 -0700 (PDT)
Received: by 10.213.14.208 with SMTP id h16mr3237862eba.7.1281375958987;
        Mon, 09 Aug 2010 10:45:58 -0700 (PDT)
Return-Path: <darren@hak5.org>
Received: from WEB23.corp.parking.ru ([195.128.121.26])
        by mx.google.com with ESMTP id q1si13631506eeh.99.2010.08.09.10.45.58;
        Mon, 09 Aug 2010 10:45:58 -0700 (PDT)
Received-SPF: neutral (google.com: 195.128.121.26 is neither permitted nor denied by best guess record for domain of darren@hak5.org) client-ip=195.128.121.26;
Authentication-Results: mx.google.com; spf=neutral (google.com: 195.128.121.26 is neither permitted nor denied by best guess record for domain of darren@hak5.org) smtp.mail=darren@hak5.org
Received: from WEB23 ([127.0.0.1]) by WEB23.corp.parking.ru with Microsoft SMTPSVC(7.0.6002.18222);
     Mon, 9 Aug 2010 21:45:58 +0400
thread-index: Acs36rl6DeYSfJsMRxa5Zzjhy9g0vA==
Thread-Topic: DOWNLOADS!
From: "Darren#@!" <darren@hak5.org>
To: <shadowdavidson@gmail.com>
Cc: 
Subject: DOWNLOADS!
Date: Mon, 9 Aug 2010 21:45:58 +0400
Message-ID: <A2FC987D909149AFA1FFE4659F9CACCE@corp.parking.ru>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_058D_01CB380C.408C7160"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6002.18197
Return-Path: darren@hak5.org
X-OriginalArrivalTime: 09 Aug 2010 17:45:58.0390 (UTC) FILETIME=[B97AD160:01CB37EA]

This is a multi-part message in MIME format.

------=_NextPart_000_058D_01CB380C.408C7160
Content-Type: text/plain;
    charset="koi8-r"
Content-Transfer-Encoding: 7bit

[attached screenshot: post-15260-1281376797_thumb.png]

Anyone else get such emails? I also checked the site I was sent to in a VM: lots of "hacking" tools, and almost everything is trojans or viruses. There are even a few rootkits in there.


Guest Deleted_Account
There isn't much anyone can do, as the headers are spoofed. The headers indicate that the Hak5 email server is not even slightly involved in this (the email originates from a Russian domain).

Yeah, sorry, just realized that after reading your post. I was just surprised about it and thought others should know. But yeah, should have thought about that one :P doh!


Yeah, sorry, just realized that after reading your post. I was just surprised about it and thought others should know. But yeah, should have thought about that one :P doh!

One thing that can be done: for everyone on Gmail who receives it, if they report it as spam, eventually it will just go straight into the spam folder for everyone who uses Gmail. Unfortunately, this would mean Darren would never be able to email people on Gmail ever again lol.


This is most likely the real person who emailed you: glj12@flanga.net

Since they are using PayPal, they have to provide a real email address for processing, and with the link on their site, you can see who they are by clicking the links. It clearly shows glj12@flanga.net as the address. I hate spammers, so it only serves them right to add them to one, but that's up to you...


Guest Deleted_Account
There's a special place in hell for spammers.

btw: you blocked out your email in your image but not in the header you pasted.

Ha, I forgot about that! Ah well, it's in my forum profile anyway; just did it out of habit lol :P


Might I also add that those are some interesting headers. It would seem, if not 100% spoofed, that the person sending the email was using Windows 2000 as well as koi8-r, which is definitely Russian, as Sparda pointed out.

The website itself is a Germany-based provider; you might be able to contact them for abuse and get the site taken down altogether:

http://whois.domaintools.com/85.25.149.220

Tell them it came from their customer located at 195.128.121.26 = glj12@flanga.net

Also contact GoDaddy, as they host the flanga.net domain and could revoke the user's account for abuse.

edit: found out some other interesting things. For one, that user name, glj12, also exists on its SMF forums (not as the full email address, just the name). There is also a vulnerability in its RSS feed, or a bad feature, not sure, that exposes other users on the forums, as it shows the email address of the authors of the posts in the XML data. You have to enter the URL in such a way that it processes older feeds, as recent ones don't show the author, but I put in 9999 to go back as far as that would show, and as far back as 2007 it shows me email addresses for some of its forum authors. Just sayin'...

Edited by digip
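The reading Sparda and digip give of the pasted headers (the hak5.org address appears only in From and Return-Path, the first hop outside loopback is a parking.ru host at 195.128.121.26, Google's SPF check came back neutral, the Message-ID was generated at corp.parking.ru, and the text part is koi8-r) can be turned into a repeatable check. The script below is an added example written for this thread, not code from the forum, from Hak5 or from Gmail. It embeds the header block from the first post as its sample input (body omitted, the duplicate Return-Path dropped, and the multipart Content-Type collapsed to the text part's charset) and uses only the Python standard library. Its one heuristic is an assumption: it treats the oldest Received hop with a public "from" IP as the origin, which a relay that forges its own Received lines can defeat, so the SPF verdict from the receiving MX is the more trustworthy signal.

```python
import re
import email
import ipaddress
from email.utils import parseaddr

# Header block as pasted in the first post of this thread (sample input from the page,
# trimmed as described in the lead-in). Not a constructed message.
RAW_HEADERS = """\
Delivered-To: shadowdavidson@gmail.com
Received: by 10.216.202.79 with SMTP id c57cs205302weo;
        Mon, 9 Aug 2010 10:46:00 -0700 (PDT)
Received: by 10.213.14.208 with SMTP id h16mr3237862eba.7.1281375958987;
        Mon, 09 Aug 2010 10:45:58 -0700 (PDT)
Return-Path: <darren@hak5.org>
Received: from WEB23.corp.parking.ru ([195.128.121.26])
        by mx.google.com with ESMTP id q1si13631506eeh.99.2010.08.09.10.45.58;
        Mon, 09 Aug 2010 10:45:58 -0700 (PDT)
Authentication-Results: mx.google.com; spf=neutral (google.com: 195.128.121.26 is neither permitted nor denied by best guess record for domain of darren@hak5.org) smtp.mail=darren@hak5.org
Received: from WEB23 ([127.0.0.1]) by WEB23.corp.parking.ru with Microsoft SMTPSVC(7.0.6002.18222);
     Mon, 9 Aug 2010 21:45:58 +0400
From: "Darren#@!" <darren@hak5.org>
To: <shadowdavidson@gmail.com>
Subject: DOWNLOADS!
Message-ID: <A2FC987D909149AFA1FFE4659F9CACCE@corp.parking.ru>
X-Mailer: Microsoft CDO for Windows 2000
Content-Type: text/plain; charset="koi8-r"

"""

# "from <host> ([<ip>])" and "by <host>" clauses of a Received header.
RECEIVED_FROM = re.compile(r"\bfrom\s+(\S+)\s+\(\[?([0-9.]+)\]?\)", re.I)
RECEIVED_BY = re.compile(r"\bby\s+(\S+)", re.I)


def received_hops(msg):
    """Return (from_host, from_ip, by_host) for each Received header, newest first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())          # unfold continuation lines
        m_from = RECEIVED_FROM.search(text)
        m_by = RECEIVED_BY.search(text)
        hops.append((m_from.group(1) if m_from else None,
                     m_from.group(2) if m_from else None,
                     m_by.group(1).rstrip(";") if m_by else None))
    return hops


def originating_hop(hops):
    """Oldest hop whose 'from' IP is public (assumption: the last trustworthy hop is
    the machine that handed the message to the receiving side, here mx.google.com)."""
    origin = None
    for from_host, from_ip, by_host in hops:     # newest -> oldest, keep the last public one
        if from_ip is None:
            continue
        try:
            if ipaddress.ip_address(from_ip).is_global:
                origin = (from_host, from_ip, by_host)
        except ValueError:
            continue
    return origin


def sender_domain(msg):
    """Domain the message claims to come from: envelope Return-Path first, then From."""
    for name in ("Return-Path", "From"):
        _, addr = parseaddr(msg.get(name, ""))
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return None


def spf_result(msg):
    m = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else None


def message_id_domain(msg):
    m = re.search(r"@([^>\s]+)>?", msg.get("Message-ID", ""))
    return m.group(1).lower() if m else None


def in_domain(host, domain):
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def assess(raw):
    """Compare what the message claims with what the transit path shows."""
    msg = email.message_from_string(raw)
    origin = originating_hop(received_hops(msg))
    claimed = sender_domain(msg)
    spf = spf_result(msg)
    mid_domain = message_id_domain(msg)
    findings = []
    if origin and claimed and not in_domain(origin[0], claimed):
        findings.append(("origin-domain-mismatch",
                         f"claims {claimed} but reached the MX from {origin[0]} [{origin[1]}]"))
    if spf and spf != "pass":
        findings.append(("spf-not-pass",
                         f"receiving MX reported spf={spf} for {origin[1] if origin else '?'}"))
    if mid_domain and claimed and not in_domain(mid_domain, claimed):
        findings.append(("message-id-domain-mismatch",
                         f"Message-ID was generated at {mid_domain}"))
    return {"origin": origin, "claimed_domain": claimed, "spf": spf,
            "message_id_domain": mid_domain, "charset": msg.get_content_charset(),
            "x_mailer": msg.get("X-Mailer"), "findings": findings}


if __name__ == "__main__":
    report = assess(RAW_HEADERS)
    print("claimed:", report["claimed_domain"], "| origin:", report["origin"],
          "| spf:", report["spf"], "| charset:", report["charset"])
    for code, detail in report["findings"]:
        print(f"  {code}: {detail}")
```

Run it as-is and it reports the three mismatches discussed above. Applied to mail from a domain that publishes a real SPF record, the same script shows `spf=fail` or `spf=softfail` instead of `neutral`; the "best guess record" wording in the pasted header means Gmail had no published policy for hak5.org to check against, which is why it could neither accept nor reject the sending host.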
