Thread: Odd scam alert
-
05-27-2011, 02:28 PM #1 Web Hosting Master
- Join Date
- Jul 2007
- Location
- Tech Belt
- Posts
- 8,160
Odd scam alert
I've noticed a rather odd "copyright infringement" notice in my inbox today and the headers pretty much gave it away.
Code:
Return-path: <roebben@adv-roebbenvelkeneers.be>
Envelope-to: <<snip>>
Delivery-date: Fri, 27 May 2011 13:07:37 -0400
Received: from s01.gt-networks.be ([94.103.146.92])
        (envelope-from <roebben@adv-roebbenvelkeneers.be>)
        id 1QQ0Vb-0003BG-Bp
        for <<snip>>; Fri, 27 May 2011 13:07:37 -0400
Received: from apache by s01.gt-networks.be with local (Exim 4.76)
        (envelope-from <roebben@adv-roebbenvelkeneers.be>)
        id 1QQ0VZ-0006P0-1z
        for <<snip>>; Fri, 27 May 2011 19:07:33 +0200
To: <<snip>>
Subject: Cease and desist copyright infrigement!
X-PHP-Script: adv-roebbenvelkeneers.be/ad/sendme.php for 82.195.232.218
From: Andrew Webber - Arizonakey.com <andrew.webber@arizonakey.com>
Reply-To:
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
Message-Id: <E1QQ0VZ-0006P0-1z@s01.gt-networks.be>
Date: Fri, 27 May 2011 19:07:33 +0200
Dear Sir,
Attached is a list of the copyrighted material you are infriging on.
We are the proprietors of all copyrighted material that is being fringed upon on your companies webste.
We have reserved all rights regarding these trademarked files.
Permission was neither asked nor granted to reproduce our copyrighted material, therefore what your company is doing constitutes infringement of our rights. In terms of the Copyright Statutes, we are entitled to an injunction against your continued infringement, as well as to recover damages from you for the loss we have suffered as a result of your infringing conduct.
In the circumstances, we demand that you immediately:
1. remove all infringing content and notify us in writing that you have done so;
2. pay a licensing fee in the amount of 160,000 USD;
3. immediately cease the use and distribution of copyrighted material;
We await to hear from you by.
This is written without prejudice to our rights, all of which are hereby expressly reserved.
Yours faithfully,
CEO Andrew Webber
www.arizonakey.com
Nothing here right now.
-
05-27-2011, 02:30 PM #2 Newbie
- Join Date
- May 2011
- Posts
- 14
Thanks for the heads up!
-
05-27-2011, 02:37 PM #3
We received the same email earlier too.
Edit: just received it again, only with an added attachment, as they forgot to add it the first time.
HostXNow - Shared Web Hosting | Semi Dedicated Hosting | Enterprise Reseller Hosting | VPS Hosting
-
05-27-2011, 02:45 PM #4 Web Hosting Master
- Join Date
- Mar 2009
- Location
- NL
- Posts
- 594
Same here. Attachment doesn't work (only pdf image) with openoffice
YISP - High Bandwidth dedicated servers and colocation in YISP-AS(Amsterdam)!
Website: http://www.yisp.nl
Contact: info "(AT)" yisp.nl
-
05-27-2011, 02:45 PM #5 Web Hosting Master
- Join Date
- Jan 2008
- Location
- Jax, FL
- Posts
- 2,707
Yeah, I received it as well... But to my personal email account that is not published anywhere o.O
-
05-27-2011, 02:48 PM #6 Rockin' the beer gut
- Join Date
- May 2006
- Location
- NJ, USA
- Posts
- 6,645
-
05-27-2011, 02:49 PM #7 Web Hosting Master
- Join Date
- Jan 2002
- Location
- UK
- Posts
- 1,040
You guys have DirectAdmin by any chance?
The email list DB was hacked 2 days back.
I also got the email on 2 email accounts. one of them private, the other not private but also not used for things like registrations.
-
05-27-2011, 02:49 PM #8 Web Hosting Guru
- Join Date
- Mar 2006
- Posts
- 283
We got it too - first time without attachment. Second one with an attached 'Document.doc' which has an embedded exe disguised to look like a pdf. Bad spelling, mistakes etc, obviously a scam. I have alerted the arizonakey.com website.
* www.valuevps.co.uk - Quality VPS's at affordable prices in the UK | Telephone: +44 (0)1325 586003
* Full and part cabinets - Dedicated Servers - Colocation - cPanel Hosting - Windows VPS - DirectAdmin Hosting - Reseller Accounts
-
05-27-2011, 02:52 PM #9 Web Hosting Master
- Join Date
- Jan 2002
- Location
- UK
- Posts
- 1,040
Incidentally, both MSE and NOD32 say there is no malware, but I am going to submit the file regardless.
-
05-27-2011, 02:52 PM #10 Web Hosting Master
- Join Date
- Apr 2001
- Location
- Paradise
- Posts
- 12,052
Got the same too, and I do have an account with DA.
█ Shared Web Hosting - Reseller Hosting - Semi-Dedicated Servers - SolusVM/XEN VPS
█ LiteSpeed Powered - R1Soft Continuous Data Protection - 24/7 Chat/Email/Helpdesk Support
█ Cpanel/WHM - Softaculous - R1soft Backup - Litespeed - Cloudlinux -Site Builder- SSH support - Account Migration
█ DowntownHost LLC - In Business since 2001- West/Center/East USA - Netherlands - Singapore
-
05-27-2011, 02:55 PM #11 Rockin' the beer gut
- Join Date
- May 2006
- Location
- NJ, USA
- Posts
- 6,645
-
05-27-2011, 02:55 PM #12
HostXNow - Shared Web Hosting | Semi Dedicated Hosting | Enterprise Reseller Hosting | VPS Hosting
-
05-27-2011, 02:58 PM #13 Web Hosting Master
- Join Date
- Jan 2010
- Location
- San Francisco
- Posts
- 1,800
Yep, I have a DA account. It's most likely the same attacker. These emails were sent to 3 of my addresses and DA is the only place I've used all 3 to communicate with in the past.
Crafty to use a subject that most web hosts would care about -- copyright infringing files on our servers.
-
05-27-2011, 03:00 PM #14 Rockin' the beer gut
- Join Date
- May 2006
- Location
- NJ, USA
- Posts
- 6,645
-
05-27-2011, 03:05 PM #15 Web Hosting Guru
- Join Date
- Mar 2002
- Location
- Mobile, AL USA
- Posts
- 325
I just got it too. Pretty sure this is from DirectAdmin hack from yesterday. This sucks.
Nik Martin
nfina Technologies, Inc.
+1.251.243.0043 x1003
Server Hardware, Storage, and Turnkey systems for Service Providers
-
05-27-2011, 03:06 PM #16 Web Hosting Master
- Join Date
- Jan 2010
- Location
- San Francisco
- Posts
- 1,800
Thanks Dougy for informing DA of this thread. Was just about to do the same.
-
05-27-2011, 03:06 PM #17 Web Hosting Master
- Join Date
- Jan 2002
- Location
- UK
- Posts
- 1,040
Yeah, I think it's DA related since you are all confirming.
Both my email addresses, I guess, are on there; one definitely is, will need to check the other.
-
05-27-2011, 03:08 PM #18 Web Hosting Guru
- Join Date
- Mar 2002
- Location
- Mobile, AL USA
- Posts
- 325
Oh, this may be VERY BAD:
Looking at the mail headers, there is this:
adv-roebbenvelkeneers.be/ad/sendme.php
That site: adv-roebbenvelkeneers.be
is a DirectAdmin site. The hackers may have compromised WAAAAY more than we thought.
Nik Martin
nfina Technologies, Inc.
+1.251.243.0043 x1003
Server Hardware, Storage, and Turnkey systems for Service Providers
-
05-27-2011, 03:12 PM #19 Rockin' the beer gut
- Join Date
- May 2006
- Location
- NJ, USA
- Posts
- 6,645
-
05-27-2011, 03:13 PM #20 Web Hosting Master
- Join Date
- Jan 2010
- Location
- San Francisco
- Posts
- 1,800
I could be wrong, but wouldn't that indicate an insecure php mailer script that was being used to relay? I don't think that domain being hosted on a DA server means that DA itself was compromised.
-
05-27-2011, 03:17 PM #21 Web Hosting Master
- Join Date
- Jan 2010
- Location
- San Francisco
- Posts
- 1,800
Different header on the later email w/ attachment:
Return-Path: <andrew.webber@arizonakey.com>
Delivered-To: <snip>
Received: (qmail 18076 invoked by uid 0); 27 May 2011 18:34:17 -0000
Received: from bbdns1.dnsx1.com.au (69.50.198.190)
by <snip> with (DHE-RSA-AES256-SHA encrypted) SMTP; 27 May 2011 18:34:16 -0000
Received: from localhost ([127.0.0.1]:42045 helo=bbdns1.dnsx1.com.au)
by bbdns1.dnsx1.com.au with esmtp (Exim 4.69)
(envelope-from <andrew.webber@arizonakey.com>)
id 1QQ1rT-0006j3-3y
for <snip>; Sat, 28 May 2011 04:34:15 +1000
Content-Type: multipart/mixed; boundary="===============1632328096=="
MIME-Version: 1.0
Subject: Cease and desist copyright infrigement!
To: Recipients <andrew.webber@arizonakey.com>
From: Andrew Webber - Arizonakey.com<andrew.webber@arizonakey.com>
Date: Sat, 28 May 2011 04:34:13 +1000
X-Mailer: sendmail
-
05-27-2011, 03:24 PM #22 Web Hosting Guru
- Join Date
- Mar 2002
- Location
- Mobile, AL USA
- Posts
- 325
I hope so!
Headers:
Code:
Delivered-To: xxxxxx@servercorps.com
Received: by 10.52.156.169 with SMTP id wf9cs74230vdb;
        Fri, 27 May 2011 10:17:47 -0700 (PDT)
Received: by 10.227.168.132 with SMTP id u4mr2328399wby.50.1306516666461;
        Fri, 27 May 2011 10:17:46 -0700 (PDT)
Return-Path: <roebben@adv-roebbenvelkeneers.be>
Received: from s01.gt-networks.be (s01.gt-networks.be [94.103.146.92])
        by mx.google.com with ESMTPS id fe21si3953255wbb.84.2011.05.27.10.17.45
        (version=TLSv1/SSLv3 cipher=OTHER);
        Fri, 27 May 2011 10:17:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of roebben@adv-roebbenvelkeneers.be designates 94.103.146.92 as permitted sender) client-ip=94.103.146.92;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of roebben@adv-roebbenvelkeneers.be designates 94.103.146.92 as permitted sender) smtp.mail=roebben@adv-roebbenvelkeneers.be
Received: from apache by s01.gt-networks.be with local (Exim 4.76)
        (envelope-from <roebben@adv-roebbenvelkeneers.be>)
        id 1QQ0fS-0002RU-Io
        for xxxxx@servercorps.com; Fri, 27 May 2011 19:17:46 +0200
To: xxxxxx@servercorps.com
Subject: Cease and desist copyright infrigement!
X-PHP-Script: adv-roebbenvelkeneers.be/ad/sendme.php for 82.195.232.218
From: Andrew Webber - Arizonakey.com <andrew.webber@arizonakey.com>
Reply-To:
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
Message-Id: <E1QQ0fS-0002RU-Io@s01.gt-networks.be>
Date: Fri, 27 May 2011 19:17:46 +0200
Last edited by nik martin; 05-27-2011 at 03:27 PM. Reason: added headers
Nik Martin
nfina Technologies, Inc.
+1.251.243.0043 x1003
Server Hardware, Storage, and Turnkey systems for Service Providers
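The header checks made by eye in this thread (visible From versus envelope sender, what the SPF pass actually covers, the X-PHP-Script line, the "from apache ... with local" hop), as an added example that is not part of any post. The sample is abridged from the headers in post #22; the function names, the list of web server account names, and the reading of the address after "for" as the requesting client are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged from the headers in post #22 of this thread.
SAMPLE = """\
Return-Path: <roebben@adv-roebbenvelkeneers.be>
Authentication-Results: mx.google.com; spf=pass
\tsmtp.mail=roebben@adv-roebbenvelkeneers.be
Received: from apache by s01.gt-networks.be with local (Exim 4.76)
\tid 1QQ0fS-0002RU-Io; Fri, 27 May 2011 19:17:46 +0200
Subject: Cease and desist copyright infrigement!
X-PHP-Script: adv-roebbenvelkeneers.be/ad/sendme.php for 82.195.232.218
From: Andrew Webber - Arizonakey.com <andrew.webber@arizonakey.com>
Reply-To:

"""

# Assumption: account names a web server commonly runs as; extend for your hosts.
WEB_USERS = ("apache", "www-data", "httpd", "nobody")

def domain(value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw)
    from_dom, env_dom = domain(msg["From"]), domain(msg["Return-Path"])
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    spf = re.search(r"\bspf=(\w+)", auth)
    spf_id = re.search(r"smtp\.mail=(\S+)", auth)
    # Assumption: the address after "for" is the client that called the script.
    script, _, client = (msg.get("X-PHP-Script") or "").partition(" for ")
    local_web = any(
        re.match(r"from (%s) by \S+ with local" % "|".join(WEB_USERS), hop.strip())
        for hop in msg.get_all("Received", []))
    return {
        "from_domain": from_dom,
        "envelope_domain": env_dom,
        "from_mismatch": bool(from_dom and env_dom and from_dom != env_dom),
        # SPF checks the envelope sender; a pass vouches for From only if they match.
        "spf_vouches_for_from": bool(spf and spf.group(1) == "pass" and spf_id
                                     and domain(spf_id.group(1)) == from_dom),
        "php_script": script or None,
        "script_client": client or None,
        # Injected locally by the web server account rather than by a mail client.
        "injected_by_web_user": local_web,
        "empty_reply_to": "Reply-To" in msg and not msg["Reply-To"].strip(),
    }
```

Calling `triage(SAMPLE)` reports a From/envelope mismatch, an SPF pass that does not cover the visible From domain, and a message injected by the web server account through `sendme.php`.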
-
05-27-2011, 03:29 PM #23 Poooooonnyyy :*
- Join Date
- Jan 2003
- Location
- Canada
- Posts
- 5,073
Got 3 over here on the same email we contacted DA on for licensing.
Francisco
BuyVM - OpenVZ & KVM Based VPS Servers - Chat with us
- All popular VPN methods supported
- Affordable offloaded MySQL & DDoS protection
- 5GB backup space, unmetered private LAN bandwidth & native IPv6 included. All with a strong serving of pony
-
05-27-2011, 03:30 PM #24 Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 3,816
If anyone has the PDF, upload it to virustotal.com and http://wepawet.iseclab.org and link a result page please
-
05-27-2011, 03:31 PM #25 Internet Service Provider
- Join Date
- May 2010
- Location
- The Netherlands
- Posts
- 1,418
Yes, I have received it too! It is a scam. Do not open it. I'll contact DirectAdmin now!
Edit: contacted DirectAdmin.
Last edited by HostSlim-R; 05-27-2011 at 03:35 PM.
★★★★★
HostSlim - Premium Managed Hosting Solutions
Dedicated & Premium Hosting - Premium Network - 1.6Tbps DDoS Protection Available - OWN DATACENTER NETHERLANDS
Resell Whitelabel Dedicated Servers - Twitter: @HostSlim - www.HostSlim.eu - Facebook: @HostSlimBV