
Thread: Possibly the Ultimate Scam

  1. #11
    Senior Member Raion's Avatar
    Join Date
    Dec 2003
    Location
    New York, New York
    Posts
    1,299
    Maybe they found an exploit in SP2 and they want everyone to download it to infect everyone's computers??? Other than that, I'm just as confused..
    WARNING: THIS SIGNATURE IS SHAREWARE PLEASE REGISTER THIS SIGNATURE BY SENDING ME MONEY TO SEE THE COMPLETE SIGNATURE!

  2. #12
    Yeah, but even if there was an exploit in SP2, I doubt the benefit of it (to the cracker) would outweigh having millions of unprotected computers out there ripe for the picking. SP2 fixes way too many of M$'s security issues.

    Oh yeah... I decided to vote for Jennifer Aniston. Bush and Kerry are just creepy.

  3. #13
    Senior Member
    Join Date
    Jul 2004
    Posts
    131
    Originally posted here by moxnix
    Well, I only have the info provided but check out the spelling and typos for one thing.
    1. "don't forget to get itfor free today"
    2. "Help your friendsand family"
    3. "More ofwhat you love about your computer"
    Just to show a few.... there are more, and I don't think MSN would allow something with those errors to go out.
    I use SuSE and Konqueror. Missing spaces between words. I get a lot of that in the email client from HTML emails.
    More cowbell! We need more cowbell!
    http://www.geocities.com/secure_lockdown/
    - - -
    "Is the firewall there to protect you from the outside world or is it there to protect the outside world from *YOU*?"

  4. #14
    Junior Member
    Join Date
    Sep 2004
    Posts
    27

    Seems like Microsoft's network

    Try doing a traceroute to the servers servera01.cpsmtpout3.msn.com and communications3.msn.com mentioned in the mail..... the last server is pos1-0.iuscixtukc1201.ntwk.msn.net before the request times out....

    Now do a tracert to www.microsoft.com.... the last server again is pos1-0.iuscixtukc1201.ntwk.msn.net before the request times out....

    So basically the email seems to have originated somewhere from Microsoft's network.... now of course that doesn't make the email totally legitimate

    Please correct me if I'm wrong!!!!
    Keep smiling

  5. #15
    Senior Member
    Join Date
    Jun 2004
    Posts
    379
    That's a weird one to crack. I have never seen one like that.

  6. #16
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    Rktak, I did a couple IP Block/WhoIs checks on a couple of the servers as well and found they were both part of registered domains of Microsoft. (communications3 and servera01).
    It appears as though the email originated from here:
    Received: from communications3.msn.com ([207.46.153.61])
    which Sam Spade identifies as registered to Microsoft. That's not saying that someone couldn't have just injected a couple extra Received: fields in order to make the email appear to have come from communications3.msn.com

    The path of the email runs through these server exchanges (from what I can see):
    communications3.msn.com
    servera01.cpsmtpout3.msn.com
    xprdmx9.nwk.excite.com
    0 (qmail-ldap-1.03) (I'm not sure about this one)

    The only actual exchange that seems to be a little odd is this:
    Received: from unknown (HELO xprdmx9.nwk.excite.com) ([10.50.30.30]) (envelope-sender <communications?wincs?fpp@communications3.msn.com> )
    by 0 (qmail-ldap-1.03) with SMTP
    If you look at Moxnix's WhoIs of this envelope sender, something seems somewhat fishy. In addition to that, if you do a WhoIs on xprdmx9.nwk.excite.com you'll see the IPs of the servers are not even remotely close to 10.50.30.30. That IP address actually belongs to IANA. Maybe I'm missing something?

    Anyways, something else bothers me about this being an effective scam.
    Remember,the easiest way to get SP2 is by turning on your AutomaticUpdate
    Why would they even bother putting this in here? Very strange indeed.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  7. #17
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ahem... Girls and Boys.....

    10.50.30.30
    Is indeed an IANA address..... Look at it really, really carefully and you will see that it fits rather nicely into the 10.0.0.0/8 IP address block that is private.

    It would be almost impossible to spoof this address since all communication back to the initiator would be dropped by the internet routers, (MS' included), so this did indeed originate within the MS network.

    I'm about to leave... I'll take another look in a minute....

    [Edit]

    It looks kosher to me....

    Are you an MS Preferred Customer?

    [/Edit]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #18
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    Received: from unknown (HELO xprdmx9.nwk.excite.com) ([10.50.30.30])
    This seems very suspicious to me. The machine [xprdmx9.nwk.excite.com] is not identifying itself correctly. The associated IP address should not be resolving back to IANA but rather, some form of Excite's domains (I did a WhoIs on the server [xprdmx9.nwk.excite.com] and checked out the registered domains). Also, I believe the HELO field can be forged as well (if I remember correctly). This 10.50.30.30 is throwing me for a loop. Again, maybe I'm missing something?
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
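The three posts above are working through the Received: chain by hand. As an added example (not code from the thread or from any of the posters), the script below parses such a chain, records the name the receiving server logged, the HELO name the sender claimed, the source IP and the envelope sender for each hop, and then classifies each source address with Python's ipaddress module, so a 10.0.0.0/8 address is reported as an RFC 1918 internal relay rather than an "IANA" host. The header text is constructed from the fragments quoted in the posts; the "by" clause of the second hop is an assumption, since the thread only quotes its "from" part.

```python
"""Parse an e-mail Received: chain and classify each hop's source address.

Added example for the thread above, not code from any of the posters.
The sample headers are constructed from fragments quoted in the posts;
the "by" clause of the second hop is assumed.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample, newest hop first as in a real header block.
SAMPLE_HEADERS = """\
Received: from unknown (HELO xprdmx9.nwk.excite.com) ([10.50.30.30])
  (envelope-sender <communications?wincs?fpp@communications3.msn.com>)
  by 0 (qmail-ldap-1.03) with SMTP
Received: from communications3.msn.com ([207.46.153.61])
  by servera01.cpsmtpout3.msn.com with SMTP
"""


class Hop(NamedTuple):
    from_host: str            # name the receiving MTA recorded ("unknown" = no rDNS)
    helo: Optional[str]       # name the sending MTA claimed in HELO, if logged
    ip: Optional[str]         # source address as seen by the receiving MTA
    by_host: Optional[str]    # the MTA that wrote this header
    envelope_sender: Optional[str]


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[Hop]:
    """Extract one Hop per Received: header, in the order they appear."""
    hops: List[Hop] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line[len("received:"):].strip()
        m_from = re.search(r"\bfrom\s+(\S+)", body)
        m_helo = re.search(r"\(HELO\s+([^\s)]+)\)", body, re.IGNORECASE)
        m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", body)
        m_by = re.search(r"\bby\s+(\S+)", body)
        m_env = re.search(r"envelope-sender\s+<([^>]+)>", body)
        hops.append(Hop(
            from_host=m_from.group(1) if m_from else "",
            helo=m_helo.group(1) if m_helo else None,
            ip=m_ip.group(1) if m_ip else None,
            by_host=m_by.group(1) if m_by else None,
            envelope_sender=m_env.group(1) if m_env else None,
        ))
    return hops


def is_private(ip: str) -> bool:
    """True for RFC 1918 and other non-routable ranges (10/8, 172.16/12, 192.168/16, ...)."""
    return ipaddress.ip_address(ip).is_private


def assess(hops: List[Hop]) -> List[str]:
    """Explain what each hop's source address and HELO name actually tell a reader."""
    findings = []
    for i, h in enumerate(hops):
        if h.ip and is_private(h.ip):
            findings.append(
                f"hop {i}: source {h.ip} is a private (RFC 1918) address, so this was "
                f"an internal relay inside the network of {h.by_host}; not routable, not 'IANA'")
        if h.helo and h.from_host.lower() == "unknown":
            findings.append(
                f"hop {i}: reverse DNS failed, so the HELO name {h.helo} is the sender's "
                f"own claim and is unverified")
    return findings


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_HEADERS):
        print(hop)
    for finding in assess(parse_received(SAMPLE_HEADERS)):
        print(finding)
```

Reading the output against the thread: the 10.50.30.30 hop is flagged as an internal relay, which is Tiger Shark's point, and the "from unknown" hop is flagged as carrying an unverified HELO name, which is ShagDevil's; both observations are true at once, and neither by itself settles whether the mail is legitimate.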

  9. #19
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Originally posted here by Tiger Shark
    Are you an MS Preferred Customer?
    No Tiger, except for getting a couple of free disks from them, I haven't communicated with MSN in a long time, and I don't think I used my excite account to do that.
    It still strikes me as a fake. If anyone wants to see the original email with the html intact, just pm me an email addy and I will forward it to you, and then maybe you can see what I mean.
    moxnix
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  10. #20
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Mox... ahah.... I was going to ask if there was any html.....

    Right near the top there will be a declaration of an image map. The image map covers a large area of the email itself.... as you run your cursor over the email you should notice that it is a hand rather than a pointer....

    Am I correct?

    If so the address the image map points to is where you will be sent..... That's why everything else looks really kosher.... because it is.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
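The post above describes the mechanism: an image map laid over most of the message so that a click anywhere goes to the map's target, while the visible links and headers all look legitimate. As an added example (not from the thread or any poster), the checker below uses Python's html.parser to pull out every `<img usemap>`, every `<area href>` inside a `<map>`, and every ordinary `<a href>`, measures how large each rectangular area is, and reports any map target whose host is not under the claimed sender's domain. The HTML is constructed for the example and the destination host sp2-download.example.net is a placeholder, not an address from the thread.

```python
"""Find image-map link targets in an HTML e-mail that point off the sender's domain.

Added example for the thread above, not code from any poster. The sample
HTML is constructed; sp2-download.example.net is a placeholder host.
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample: a banner image covered by a single rectangular <area>.
SAMPLE_HTML = """\
<html><body>
<img src="cid:banner" usemap="#whole">
<map name="whole">
  <area shape="rect" coords="0,0,600,800" href="http://sp2-download.example.net/get">
</map>
<p>Windows XP SP2: don't forget to get it for free today.</p>
<a href="http://www.microsoft.com/windowsxp/sp2/">Read more</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect usemap images, <area> targets inside <map>, and plain anchors."""

    def __init__(self) -> None:
        super().__init__()
        self.usemap_images: List[str] = []
        self.areas: List[Tuple[str, str, str]] = []   # (href, shape, coords)
        self.anchor_links: List[str] = []
        self._in_map = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "map":
            self._in_map = True
        elif tag == "area" and self._in_map and a.get("href"):
            self.areas.append((a["href"], a.get("shape") or "rect", a.get("coords") or ""))
        elif tag == "a" and a.get("href"):
            self.anchor_links.append(a["href"])
        elif tag == "img" and a.get("usemap"):
            self.usemap_images.append(a["usemap"])

    def handle_endtag(self, tag):
        if tag == "map":
            self._in_map = False


def rect_area(coords: str) -> int:
    """Pixel area of a rect <area>'s coords "x1,y1,x2,y2"; 0 if unparsable."""
    try:
        x1, y1, x2, y2 = (int(v) for v in coords.split(",")[:4])
    except ValueError:
        return 0
    return abs(x2 - x1) * abs(y2 - y1)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def under_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyse(html: str, sender_domain: str) -> Dict[str, object]:
    """Summarise link targets and flag image-map targets off the sender's domain."""
    p = LinkCollector()
    p.feed(html)
    offdomain = [
        {"href": href, "shape": shape, "pixels": rect_area(coords) if shape == "rect" else None}
        for href, shape, coords in p.areas
        if not under_domain(host_of(href), sender_domain)
    ]
    return {
        "usemap_images": p.usemap_images,
        "area_links": [href for href, _, _ in p.areas],
        "anchor_links": p.anchor_links,
        "offdomain_area_links": offdomain,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HTML, "msn.com").items():
        print(f"{key}: {value}")
```

The point of reporting the pixel size alongside the target is exactly the one made above: a single rectangle covering the whole message means the hand cursor appears everywhere, and the visible anchor text never matters.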
