Hoax DomainState/Netsol emails

[safesys]

further to our original warning about the appraisal scammer here:

http://www.domainstate.com/showthrea...threadid=15635

---


Seems our friendly russian appraisal scammer has resorted to seding out emails pretending to be from some special domainstate/netsol/verisign registration service thing. The headers on the email shows it is originating in russia and using a free yahoo email account.

heres the email in all its amateur glory:

From domainstate_register@yahoo.com Fri Jan 23 11:42:08 2004
Return-path: <domainstate_register@yahoo.com>
Envelope-to: whoever@whoever.com
Delivery-date: Fri, 23 Jan 2004 11:42:08 -0800
Received: from [195.34.32.123] (helo=hueymiccailhuitl.mtu.ru)
by -------- with esmtp (Exim 4.24)
id 1Ak7Bv-0007dK-PR
for whoever@whoever.com; Fri, 23 Jan 2004 11:42:07 -0800
Received: from greatalfa (ppp129-39.dialup.mtu-net.ru [62.118.129.39])
by hueymiccailhuitl.mtu.ru (Postfix) with SMTP id EFFF11305D7
for <whoever@whoever.com>; Fri, 23 Jan 2004 22:41:59 +0300 (MSK)
(envelope-from domainstate_register@yahoo.com)
From: Domain State <domainstate_register@yahoo.com>
To: whoever@whoever.com
Subject: Last warning from DomainState.com
X-Mailer: NetMasters SMTP Demo
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20040123194159.EFFF11305D7@hueymiccailhuitl.mtu.ru>
Date: Fri, 23 Jan 2004 22:41:59 +0300 (MSK)
Status: R Simple headers

TO WHOM IT MAY CONCERN

Dear NetSol.com / http://www.DomainState.com Customer,

We must inform you that someone is trying to register .net and .org version of your .com name.

As the owner you should act right now and regiter .net and .org domains yourself at
http://www.DomainState.com (NetSol.com authorized us to send this letter)

If you want to process your order faster please fax us a picture of your credit card (both sides) and your signature.

Our fax number: +44.1974 261364

If you don't respond within 24 hours we'll charge your credit card ourselves in order to protect your network idedtity.

We also invite you to join our domain forum at
http://www.DomainState.com

Kindest Regards,

www.DomainState.com registration service (special division of Network Solutions Inc.)

http://www.DomainState.com

DomainState.com is a registered trade mark of Veri Sign Inc.

Thanks to everyone who notified us about this latest stunt by our friends at scamcentral

[m@tt]

Is this from the same people? Not knowing who domainstate.com it came as a bit of a suprise! Especially as it came to an unpublished, internal email address.

--------------------------------------------------------


TO WHOM IT MAY CONCERN

Dear Friend,

We must inform you that someone is trying to steal your name.

As the owner you should act right now and join us at http://www.DomainState.com

If you want to process your order faster please fax us a picture of your credit card (both sides) and your signature.

Our fax number: +44.1974 261364

If you don't send us a fax we'll send this letter every 5 hours.

We also invite you to join our domain forum at http://www.DomainState.com

Kindest Regards,

http://www.DomainState.com

[m@tt]

oh and here is the header :

Microsoft Mail Internet Headers Version 2.0
Received: from xxxxxxx) by xxxxxx with Microsoft SMTPSVC(5.0.2195.6713);
Fri, 23 Jan 2004 22:25:22 +0000
Received: from hueymiccailhuitl.mtu.ru [195.34.32.123] by 111-mail-domain.com
(SMTPD32-8.01) id AF1E1D200B6; Fri, 23 Jan 2004 16:24:30 -0600
Received: from greatalfa (ppp133-203.dialup.mtu-net.ru [62.118.133.203])
by hueymiccailhuitl.mtu.ru (Postfix) with SMTP id CCACD1321C2
for <xxxxxxx>; Sat, 24 Jan 2004 01:24:22 +0300 (MSK)
(envelope-from domainstate1982@yahoo.co.uk)
From: Domain State <domainstate1982@yahoo.co.uk>
To: xxxxxxxx
Subject: [domain-hosting] Your domain was highjacked.
X-Mailer: NetMasters SMTP Demo
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20040123222422.CCACD1321C2@hueymiccailhuitl.mtu.ru>
Date: Sat, 24 Jan 2004 01:24:22 +0300 (MSK)
Precedence: bulk
Sender: xxxxxxxxx
Status: U
X-UIDL: 349141582
Return-Path: domainstate1982@yahoo.co.uk
X-OriginalArrivalTime: 23 Jan 2004 22:25:22.0623 (UTC) FILETIME=[CA7744F0:01C3E1FF]

[safesys]

yes its the same people.

As for your email address, I would imagine they're using their existing domain mailing list, so if you've ever used their free mailout service under one of their various guises or been contacted by them in the past as part of their appraisal scam then thats how they can get your details.

[devolution]

01974 is the STD Code for Llanon in Wales.

[safesys]

a quick check of the whois will show that the fax number is that of domainstate.com - this is purely a nuisance mail in retaliation for our warning members about their appraisal scam - not an attempt to defraud from the mail itself.

[ILikeInfo]

Took me a while to refind this link, but this is the best explanation I've ever read about this form of attack,

http://boxedart.com/services/spamattack.php

The is basically what is being done to DomainState and could easily be done to *ANY* of us.

[safesys]

at least it shows the scammers have been affected enough by our carrying warnings about them that they have resorted to desperate measures.

[ILikeInfo]

Originally posted by safesys
at least it shows the scammers have been affected enough by our carrying warnings about them that they have resorted to desperate measures.

As well as the fact that DomainState has the balls to stand up to such people.

[Sharpy]

Trust me they are sending other types of emails to other names. The mails will reference Domainstate and cause some kind of concern for the recipient. They are trying to get spam complaints against DS so your host will shut you down. Be proactive and let your host/dedicted server provider know, if you havn't already.

[Karen]

Originally posted by ILikeInfo
As well as the fact that DomainState has the balls to stand up to such people.

Agreed!


Karen

[mole]

hey ruskie! take me down noballs@spamex.com

[Matt]

Originally posted by mole
hey ruskie! take me down noballs@spamex.com

[Chad]

Some jealous guy who cant make money in domains...heck what else is he to do? Hes a nobody. He probably cant hold a job at McDonalds. Give him a break guys.

[Matt]

Originally posted by Chad
He probably cant hold a job at McDonalds. .

McDonalds in Russia? I thought it was McIgor or McBoris.