Home
Up


Following are full text of the messages received in reference to the bogus auctions.
All messages have been forward to spoof@ebay.com for action.   Message 2 and Message 3 are
auctioning identical items, linking the messages.  The IP addresses used in the messages for the
attack are:
 

bullet24.196.86.115:5678
bullet24.196.86.115:5678
bulletmonsterman.com (does not "dns lookup" but belongs to monsterman.ukr i.e. Ukrainian)

Since message 2 and 3 are essentially the same, One can surmise that the attack is being led by
Eastern European organized crime, like many of the current phishing attacks.

If you receive any sort of suspicious phishing or spoofing attack, you can report it to reportphishing@antiphishing.org
to help combat this sort of crime.  Remember, phishing attacks are not harmless - they can be used to
enable criminals to steal credit cards, steal bank accounts, or enable identity theft.

Message 3

Return-Path: <sbabsaey-knfd@msn.com>
Delivered-To: knnon.net%bll@knnon.net
Received: (cpmta 26021 invoked from network); 29 Feb 2004 06:23:11 -0800
Received: from 217.216.119.6 (HELO cliente-217216119006.uBRaga01.supercable.es)
by smtp.c011.snv.cp.net (209.228.34.209) with SMTP; 29 Feb 2004 06:23:11 -0800
X-Received: 29 Feb 2004 14:23:11 GMT
Date: Sun, 29 Feb 2004 14:07:24 +0000
From: galvin nathanil <sbabsaey-knfd@msn.com>
To: bll@knnon.net
Subject: RE: Question for seller -- Item #829945136
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Status: RO
X-UIDL: QEH109HkItFl3gE

<html>
<body>
<br>Hi, please add another $2 for shipping to Kentucky.
<br>sbabsaey-knfd@msn.com wrote:
<br>Hello, what is the shipping cost to North Dakota?
<br>
<br>--------------------
<br>
<br>Question from: ypeytuexu
<br>Title of item: HUGE 17" WIDESCREEN LCD & 802.11g WIRELESS G
<br>Seller: qoufreyne
<br>Starts: Jan-29-03 19:51:23 PDT
<br>Ends: Feb-05-03 19:51:23 PDT
<br>Price: Starts at $76.05
<br>To view the item, go to: <a href="http://24.196.86.115:5678/ws/eBayISAPI.dll&ViewItem&item=6054938804&category=93735.html">http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=741627771</a></td>
<br>
<br>
<br>Visit eBay, The World's Online Marketplace TM at
<br>http://www.ebay.com
<br>Do you Yahoo!?
<br>Yahoo! SitefBuilder - Free, easy-to-use web site desoign software
<br>
<br>
<img dynsrc=javascript:window.open('http://24.196.86.115:5678/ws/eBayISAPI.dll/ViewItem&item=3579363262&category=85423.html')>
<br>
</body>
</html>
 

Message 2

Return-Path: <ahlmsjjw-lyoc@msn.com>
Delivered-To: knnon.net%bll@knnon.net
Received: (cpmta 17656 invoked from network); 29 Feb 2004 02:22:38 -0800
Received: from 62.73.39.81 (HELO dsl-XXI-81.kotikaista.weppi.fi)
by smtp.c011.snv.cp.net (209.228.34.209) with SMTP; 29 Feb 2004 02:22:38 -0800
X-Received: 29 Feb 2004 10:22:38 GMT
Date: Sun, 29 Feb 2004 10:07:00 +0000
From: durant hershel <ahlmsjjw-lyoc@msn.com>
To: bll@knnon.net
Subject: RE: Question for seller -- Item #869628444
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Status: RO
X-UIDL: QEG9cNHkItFFEwE

<html>
<body>
<br>Hi, please add another $20 for shipping to NEW JERSEY.
<br>ahlmsjjw-lyoc@msn.com wrote:
<br>Hello, what is the shipping cost to ARIZONA?
<br>
<br>--------------------
<br>
<br>Question from: ueteyrou
<br>Title of item: Motorola T720i GSM mobile
<br>Seller: zeartu
<br>Starts: Jan-29-03 19:51:23 PDT
<br>Ends: Feb-05-03 19:51:23 PDT
<br>Price: Starts at $60.20
<br>To view the item, go to: <a href="http://24.196.86.115:5678/ws/eBayISAPI.dll/ViewItem&item=3931902421&category=74981.html">http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=459120823</a></td>
<br>
<br>
<br>Visit eBay, The World's Online Marketplace TM at
<br>http://www.ebay.com
<br>Do you Yahoo!?
<br>Yahoo! SitehBuilder - Free, easy-to-use web site deswign software
<br>
<br>
<img dynsrc=javascript:window.open('http://24.196.86.115:5678/ws/eBayISAPI.dll/ViewItem&item=3482388241&category=47209.html')>
<br>
</body>
</html>
 

Message 1

Return-Path: <phvnlgsl-hrof@t-online.de>
Delivered-To: knnon.net%bll@knnon.net
Received: (cpmta 16026 invoked from network); 25 Feb 2004 06:57:43 -0800
Received: from 200.140.154.192 (HELO 200-140-154-192.gnace7006.dsl.brasiltelecom.net.br)
by smtp.c011.snv.cp.net (209.228.34.208) with SMTP; 25 Feb 2004 06:57:43 -0800
X-Received: 25 Feb 2004 14:57:43 GMT
Date: Wed, 25 Feb 2004 14:56:22 +0000
From: stanislaw chrissy <phvnlgsl-hrof@t-online.de>
To: bll@knnon.net
Subject: RE: Question for seller -- Item #382796666
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Status: U
X-UIDL: QDy36NHkItA@zgE

<html>
<body>
<br>Hi, please add another $5 for shipping to WASHINGTON.
<br>phvnlgsl-hrof@t-online.de wrote:
<br>Hello, what is the shipping cost to BRITISH COLUMBIA?
<br>
<br>--------------------
<br>
<br>Question from: coufet
<br>Title of item: Motorola T720i GSM mobile
<br>Seller: peyxue
<br>Starts: Jan-29-03 19:51:23 PDT
<br>Ends: Feb-05-03 19:51:23 PDT
<br>Price: Starts at $117.73
<br>To view the item, go to: <a href="http://monsterman2004.com/ws/eBayISAPI.dll/ViewItem&item=3516302881&category=94352.html">http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=356869797</a></td>
<br>
<br>
<br>Visit eBay, The World's Online Marketplace TM at
<br>http://www.ebay.com
<br>Do you Yahoo!?
<br>Yahoo! SiteyBuilder - Free, easy-to-use web site despign software
<br>
<br>
<img dynsrc=javascript:window.open('http://monsterman2004.com/ws/eBayISAPI.dll/ViewItem&item=3866595632&category=80410.html')>
<br>
</body>
</html>