Guest Deleted_Account Posted August 9, 2010

Just wanted to give a heads up to the community as I just got a second scam/spam email from "darren@hak5.org" except some minor flaws. But here's a snapshot and the headers (although Gmail strips the info, but just in case):

Delivered-To: shadowdavidson@gmail.com
Received: by 10.216.202.79 with SMTP id c57cs205302weo;
        Mon, 9 Aug 2010 10:46:00 -0700 (PDT)
Received: by 10.213.14.208 with SMTP id h16mr3237862eba.7.1281375958987;
        Mon, 09 Aug 2010 10:45:58 -0700 (PDT)
Return-Path: <darren@hak5.org>
Received: from WEB23.corp.parking.ru ([195.128.121.26])
        by mx.google.com with ESMTP id q1si13631506eeh.99.2010.08.09.10.45.58;
        Mon, 09 Aug 2010 10:45:58 -0700 (PDT)
Received-SPF: neutral (google.com: 195.128.121.26 is neither permitted nor denied by best guess record for domain of darren@hak5.org) client-ip=195.128.121.26;
Authentication-Results: mx.google.com; spf=neutral (google.com: 195.128.121.26 is neither permitted nor denied by best guess record for domain of darren@hak5.org) smtp.mail=darren@hak5.org
Received: from WEB23 ([127.0.0.1]) by WEB23.corp.parking.ru with Microsoft SMTPSVC(7.0.6002.18222);
        Mon, 9 Aug 2010 21:45:58 +0400
thread-index: Acs36rl6DeYSfJsMRxa5Zzjhy9g0vA==
Thread-Topic: DOWNLOADS!
From: "Darren#@!" <darren@hak5.org>
To: <shadowdavidson@gmail.com>
Cc:
Subject: DOWNLOADS!
Date: Mon, 9 Aug 2010 21:45:58 +0400
Message-ID: <A2FC987D909149AFA1FFE4659F9CACCE@corp.parking.ru>
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_058D_01CB380C.408C7160"
X-Mailer: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6002.18197
Return-Path: darren@hak5.org
X-OriginalArrivalTime: 09 Aug 2010 17:45:58.0390 (UTC) FILETIME=[B97AD160:01CB37EA]

This is a multi-part message in MIME format.

------=_NextPart_000_058D_01CB380C.408C7160
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 7bit

Anyone else get such emails? Also checked the site I was sent in a VM: lots of "hacking" tools, almost everything is trojans or viruses. There are even a few rootkits in there.

Sparda Posted August 9, 2010

There isn't much anyone can do as the headers are spoofed. The headers indicate that the hak5 email server is not even slightly involved in this (the email originates from a Russian domain).

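The header reading described in the post above, as an added example that is not part of the original thread: it takes the sender claimed in `From:` and compares it with the one hop recorded by the recipient's own mail server and with that server's SPF verdict. The header excerpt is copied from the message quoted in the first post; `analyze` and `TRUSTED_MX` are hypothetical names chosen for this sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header excerpt copied from the message quoted in the first post of this thread.
RAW = """\
Return-Path: <darren@hak5.org>
Received: from WEB23.corp.parking.ru ([195.128.121.26])
        by mx.google.com with ESMTP id q1si13631506eeh.99.2010.08.09.10.45.58;
        Mon, 09 Aug 2010 10:45:58 -0700 (PDT)
Authentication-Results: mx.google.com; spf=neutral (google.com: 195.128.121.26 is neither permitted nor denied by best guess record for domain of darren@hak5.org) smtp.mail=darren@hak5.org
Received: from WEB23 ([127.0.0.1]) by WEB23.corp.parking.ru with Microsoft SMTPSVC(7.0.6002.18222);
        Mon, 9 Aug 2010 21:45:58 +0400
From: "Darren#@!" <darren@hak5.org>
Subject: DOWNLOADS!

"""
TRUSTED_MX = "mx.google.com"  # assumption: the recipient's own inbound server

def analyze(raw, trusted_mx=TRUSTED_MX):
    """Hypothetical helper: compare the claimed sender with the real handoff."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Only the Received line written by our own MX is trustworthy; every line
    # below it was supplied by the sending side and can be forged.
    handoff = None
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)\s+\(\[([\d.]+)\]\)\s+by\s+(\S+)", rcvd)
        if m and m.group(3).lower() == trusted_mx:
            handoff = {"host": m.group(1).lower(), "ip": m.group(2)}
            break
    # Accept an SPF verdict only from an Authentication-Results header whose
    # authserv-id is our MX; a sender can inject look-alike headers.
    spf = "none"
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        m = re.search(r"\bspf=(\w+)", results)
        if authserv.strip().lower() == trusted_mx and m:
            spf = m.group(1).lower()
            break
    # The host name is what the sender announced; the IP is what the MX saw.
    host = handoff["host"] if handoff else ""
    in_domain = host == from_domain or host.endswith("." + from_domain)
    return {"from_domain": from_domain, "handoff": handoff, "spf": spf,
            "host_in_from_domain": in_domain, "unauthenticated": spf != "pass"}

if __name__ == "__main__":
    print(analyze(RAW))
```
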
Guest Deleted_Account Posted August 9, 2010

> There isn't much any one can do as the headers are spoofed. The headers indicate that the hak5 email server is not even slightly involved in this (the email originates from a Russian domain).

Yeah sorry, just realized that after reading your post. I was just surprised about it and thought others should know. But yeah, should have thought about that one :P doh!

Sparda Posted August 9, 2010

> Yeah sorry just realized that after reading your post. I was just surprised about it and thought others should know. But yeah should have thought about that one :P doh!

One thing that can be done, for everyone on Gmail who receives it: if they report it as spam, eventually it will just go straight into the spam folder for everyone who uses Gmail. Unfortunately, this would mean Darren would never be able to email people on Gmail ever again lol.

digip Posted August 9, 2010

This is most likely the real person who emailed you: glj12@flanga.net

Since they are using PayPal, they have to provide a real email address for processing, and with the link on their site, you can see who they are from clicking the links. It clearly shows glj12@flanga.net as the address. I hate spammers, so it only serves them right to add them to one, but that's up to you...

okiwan Posted August 9, 2010

There's a special place in hell for spammers.

btw: you blocked out your email in your image but not in the header you pasted.

Sparda Posted August 9, 2010

This was a useful post, but not any more.

Guest Deleted_Account Posted August 9, 2010

> theres a special place in hell for spammers. btw: you blocked out your email in your image but not in the header you pasted.

Ha, I forgot about that! Ah well, it's in my forum profile anyways, just did it out of habit lol :P

digip Posted August 9, 2010

Might I also add that those are some interesting headers. It would seem, if not 100% spoofed, that the person sending the email was using Windows 2000 as well as koi8-r, which is definitely Russian, as Sparda pointed out.

The website itself is on a Germany-based provider; might be able to contact them for abuse and get the site taken down altogether: http://whois.domaintools.com/85.25.149.220

Tell them it came from their customer located at 195.128.121.26 = glj12@flanga.net

Also contact GoDaddy, as they host the flanga.net domain and could revoke the user's account for abuse.

edit: found out some other interesting things. For one, that user name, glj12, also exists on its SMF forums (not as the full email address, just the name). There is also a vulnerability in its RSS feed, or bad feature, not sure, that exposes other users on the forums, as it shows the email address for the authors of the post in the XML data. You have to enter the URL in such a way that it processes older feeds, as recent ones don't show the author, but I put in 9999 to go back as far as that would show, and as far back as 2007 it shows me email addresses for some of its forum authors. Just sayin...

Edited August 9, 2010 by digip

okiwan Posted August 9, 2010

lol you should do it. He deserves it.