"New" e-mail phishing scam

Jeff A. Earickson jaearick at colby.edu
Fri Feb 20 23:09:36 GMT 2009


It is interesting that the owner of the netblock is yahoo.com:

nslookup email-helpdesk.com
Server:		137.146.28.132
Address:	137.146.28.132#53

Non-authoritative answer:
Name:	email-helpdesk.com
Address: 68.180.151.74

whonum 68.180.151.74
[Querying whois.arin.net]
[whois.arin.net]

OrgName:    Yahoo
OrgID:      YHOO
Address:    701 First Ave
City:       Sunnyvale
StateProv:  CA
PostalCode: 94089
Country:    US

NetRange:   68.180.128.0 - 68.180.255.255
CIDR:       68.180.128.0/17
NetName:    A-YAHOO-US6
NetHandle:  NET-68-180-128-0-1
Parent:     NET-68-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.YAHOO.COM
NameServer: NS2.YAHOO.COM
NameServer: NS3.YAHOO.COM
NameServer: NS4.YAHOO.COM
NameServer: NS5.YAHOO.COM
Comment:
RegDate:    2006-09-22
Updated:    2007-05-02

RAbuseHandle: NETWO857-ARIN
RAbuseName:   Network Abuse
RAbusePhone:  +1-408-349-3300
RAbuseEmail:  network-abuse at cc.yahoo-inc.com

RTechHandle: NA258-ARIN
RTechName:   Netblock Admin
RTechPhone:  +1-408-349-3300
RTechEmail:  jluster at yahoo-inc.com

OrgAbuseHandle: NETWO857-ARIN
OrgAbuseName:   Network Abuse
OrgAbusePhone:  +1-408-349-3300
OrgAbuseEmail:  network-abuse at cc.yahoo-inc.com

OrgTechHandle: NA258-ARIN
OrgTechName:   Netblock Admin
OrgTechPhone:  +1-408-349-3300
OrgTechEmail:  jluster at yahoo-inc.com

# ARIN WHOIS database, last updated 2009-02-19 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


On Sat, 21 Feb 2009, James Gray wrote:

> Date: Sat, 21 Feb 2009 09:54:01 +1100
> From: James Gray <james at gray.net.au>
> Reply-To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> To: MailScanner Discussion List <mailscanner at lists.mailscanner.info>
> Subject: "New" e-mail phishing scam
> 
> http://isc.sans.org/diary.html?storyid=5905
>
> Nothing particularly novel about the approach, but instead of sending out 
> messages from a spoofed "known" domain (foo at yahoo.com, foo at gmail.com etc) the 
> phishers registered "email-helpdesk.com".  I've black-holed that domain at 
> the MTA.  Thought it was worth sharing :)
>
> Cheers,
>
> James

