
Thread: Neither phish nor spam... so...

  1. #11
    MrLinus (Just a Virtualized Geek)
    Join Date: Sep 2001
    Location: Redondo Beach, CA
    Posts: 7,323
    Tiger: the IP info in question is all there. The website we're talking about is direct from the IPs listed there...

  2. #12
    AO Ancient: Team Leader
    Join Date: Oct 2002
    Posts: 5,197
    Silly me..... The first one wasn't a link.... the second was..... neither of the originating IPs have a 1.php available - only one is reachable by HTTP.....

    Note to self: Detail, Detail, Detail....

    Great, so the "contact" link is a link to Google and there is no redirection in the whole transaction - per Ethereal too..... I'd suggest that this behaviour goes further to imply that it isn't a screwed up spam..... But it still fits my theory.... S/he doesn't want to be traceable....

    I guess the question is "are they going to play silly games sending insulting emails or are they going to try to have more 'fun'?"..... I guess that's a wait and see..... I think I'll give them a quick scan while we wait....

    [Edit]

    One common port open..... 139..... Today.... The two scans do not look right... Look...

    ********************************************************************
    C:\NMap-3-75>nmap -sS -P0 -O -vv -T 3 4.26.133.216

    Starting nmap 3.75 ( http://www.insecure.org/nmap ) at 2005-01-30 17:34 Eastern Standard Time
    Initiating SYN Stealth Scan against wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net (4.26.133.216) [1663 ports] at 17:34
    Discovered open port 80/tcp on 4.26.133.216
    Discovered open port 443/tcp on 4.26.133.216
    Discovered open port 5000/tcp on 4.26.133.216
    Discovered open port 139/tcp on 4.26.133.216
    SYN Stealth Scan Timing: About 47.79% done; ETC: 17:36 (0:00:32 remaining)
    The SYN Stealth Scan took 129.42s to scan 1663 total ports.
    For OSScan assuming port 80 is open, 1 is closed, and neither are firewalled
    Host wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net (4.26.133.216) appears to be up ... good.
    Interesting ports on wbar3.sjo1-4.26.133.216.sjo1.dsl-verizon.net (4.26.133.216):
    (The 1659 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    80/tcp open http
    139/tcp open netbios-ssn
    443/tcp open https
    5000/tcp open UPnP
    Device type: general purpose
    Running: Microsoft Windows 95/98/ME|NT/2K/XP
    OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Pro or Advanced Server, or Windows XP
    OS Fingerprint:
    TSeq(Class=RI%gcd=1%SI=14EC8%TS=0)
    T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
    T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
    T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
    T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
    T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RIPCK=F%UCK=F%ULEN=134%DAT=E)

    TCP Sequence Prediction: Class=random positive increments
    Difficulty=85704 (Worthy challenge)
    TCP ISN Seq. Numbers: 7FED1752 7FEEC3E1 7FEF56AE 7FF367A4 7FF4B94C
    IPID Sequence Generation: Busy server or unknown class

    Nmap run completed -- 1 IP address (1 host up) scanned in 139.100 seconds
    **********************************************************************

    The other one...

    **********************************************************************
    C:\NMap-3-75>nmap -sS -P0 -O -vv -T 3 141.150.161.74

    Starting nmap 3.75 ( http://www.insecure.org/nmap ) at 2005-01-30 17:37 Eastern Standard Time
    Initiating SYN Stealth Scan against pool-141-150-161-74.atc.east.verizon.net (141.150.161.74) [1663 ports] at 17:37
    Increasing send delay for 141.150.161.74 from 0 to 5 due to 11 out of 22 dropped probes since last increase.
    SYN Stealth Scan Timing: About 2.96% done; ETC: 17:54 (0:16:44 remaining)
    SYN Stealth Scan Timing: About 8.48% done; ETC: 17:49 (0:11:08 remaining)
    Discovered open port 81/tcp on 141.150.161.74
    SYN Stealth Scan Timing: About 53.36% done; ETC: 17:46 (0:03:59 remaining)
    Discovered open port 139/tcp on 141.150.161.74
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    The SYN Stealth Scan took 566.50s to scan 1663 total ports.
    For OSScan assuming port 81 is open, 1 is closed, and neither are firewalled
    For OSScan assuming port 81 is open, 1 is closed, and neither are firewalled
    For OSScan assuming port 81 is open, 1 is closed, and neither are firewalled
    Host pool-141-150-161-74.atc.east.verizon.net (141.150.161.74) appears to be up ... good.
    Interesting ports on pool-141-150-161-74.atc.east.verizon.net (141.150.161.74):
    (The 1660 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE
    80/tcp filtered http
    81/tcp open hosts2-ns
    139/tcp open netbios-ssn
    No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
    TCP/IP fingerprint:
    SInfo(V=3.75%P=i686-pc-windows-windows%D=1/30%Tm=41FD6410%O=81%C=1)
    TSeq(Class=TD%gcd=1%SI=26%IPID=RPI%TS=U)
    TSeq(Class=TD%gcd=1%SI=19%IPID=RPI%TS=U)
    TSeq(Class=TD%gcd=3%SI=47%IPID=RPI%TS=U)
    T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
    T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
    T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
    T4(Resp=Y%DF=N%W=0%ACK=S%Flags=R%Ops=)
    T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
    T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
    T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RIPCK=F%UCK=F%ULEN=134%DAT=E)


    TCP Sequence Prediction: Class=trivial time dependency
    Difficulty=71 (Easy)
    TCP ISN Seq. Numbers: FD401B5 FD4039B FD403A4 FD403E9
    IPID Sequence Generation: Random positive increments

    Nmap run completed -- 1 IP address (1 host up) scanned in 603.027 seconds
    *********************************************

    It's "odd".... I need to think more about what's going on.... But it doesn't seem right.... run Ethereal while you try to connect to 141.150.161.74:81.... It's open but it RSTs me.... I dunno..... It isn't right... Need to think about it some more.....

    [/Edit]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
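An added example, not code from the thread: it parses nmap 3.x fingerprint lines of the kind shown in the second scan above and flags the probe tests whose repeated replies disagree (the T4 ACK field flips between S++ and S, and the three TSeq samples give different gcd/SI values), then computes the ISN increments behind the "Difficulty=71 (Easy)" verdict. The SCAN2 excerpt is copied from the post; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the second scan in the post (141.150.161.74)
SCAN2 = """
TSeq(Class=TD%gcd=1%SI=26%IPID=RPI%TS=U)
TSeq(Class=TD%gcd=1%SI=19%IPID=RPI%TS=U)
TSeq(Class=TD%gcd=3%SI=47%IPID=RPI%TS=U)
T1(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=S%Flags=R%Ops=)
T4(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=S++%Flags=R%Ops=)
TCP ISN Seq. Numbers: FD401B5 FD4039B FD403A4 FD403E9
"""

TEST_RE = re.compile(r"^(\w+)\((.*)\)$")
ISN_RE = re.compile(r"^TCP ISN Seq\. Numbers:\s*(.+)$")

def parse_scan(text):
    """Split nmap 3.x fingerprint lines into {test: [fields, ...]} plus the ISN list.
    Tests nmap repeats (it re-sends some probes) are kept as separate entries."""
    tests, isns = defaultdict(list), []
    for line in text.strip().splitlines():
        line = line.strip()
        m = TEST_RE.match(line)
        if m:
            name, body = m.groups()
            tests[name].append(dict(kv.split("=", 1) for kv in body.split("%")))
            continue
        m = ISN_RE.match(line)
        if m:
            isns = [int(h, 16) for h in m.group(1).split()]
    return dict(tests), isns

def unstable_tests(tests):
    """Return {test: [field, ...]} for repeated probes whose replies disagree."""
    out = {}
    for name, runs in tests.items():
        keys = set().union(*runs)
        diff = sorted(k for k in keys if len({r.get(k) for r in runs}) > 1)
        if len(runs) > 1 and diff:
            out[name] = diff
    return out

def isn_deltas(isns):
    """Successive ISN increments mod 2**32; tiny, clock-like steps mean easy prediction."""
    return [(b - a) % 2**32 for a, b in zip(isns, isns[1:])]

if __name__ == "__main__":
    tests, isns = parse_scan(SCAN2)
    print("inconsistent probe replies:", unstable_tests(tests))
    print("ISN increments:", isn_deltas(isns))
```

Run against the first scan's lines the same way and every test is consistent and the ISN steps are five-digit, which is why nmap rated that host "Worthy challenge" and this one "Easy".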
