[anti-abuse-wg] Fw: Spam-phishing

ohh dear was meant to do reply to all...

You know we are when we get a chance making a Public Honeypot called
Xortify.com we have a couple of sleeping drones already for XOOPS and
Wordpress in trial... for all kinds of cross selectable filters like all
ranged of age and creedence type bans..

Tanty
http://twitter.com/Cipherhouse
http://cipher.labs.coop



On Thu, 2015-08-20 at 19:48 -0300, Marilson wrote:
> The same phishing using Banco Itaú by the same criminal with the
> knowing of the same provider.
>  
> The Provider (ISP) is Aruba S.p.A. Network
> The Host is aruba.it
> And the spammer is dyodue.com but this spammer doesn’t exist, so...
> Shame on you Aruba!
>  
> ID BY DBIP
> IP address 62.149.158.86
> Address type
> IPv4   
> Hostname
> smartcmd0186.aruba.it
> ISP
> Aruba S.p.A. Network
> Timezone
> Europe/Rome (UTC+2)
> Local time
> 00:40:13
> Country
> Italy   
> State / Region
> Tuscany
> HEADER
> Delivered-To: marilson.mapa at gmail.com
> Received: by 10.202.183.198 with SMTP id h189csp26168oif;
>         Tue, 18 Aug 2015 18:37:03 -0700 (PDT)
> X-Received: by 10.194.248.201 with SMTP id
> yo9mr18050902wjc.31.1439948222853;
>         Tue, 18 Aug 2015 18:37:02 -0700 (PDT)
> Return-Path: <anonymous at webxc44s04.ad.aruba.it>
> Received: from smtpdb86.aruba.it (smartcmd0186.aruba.it.
> [62.149.158.86])
>         by mx.google.com with ESMTP id
> jg6si30851679wid.4.2015.08.18.18.37.01
>         for <marilson.mapa at gmail.com>;
>         Tue, 18 Aug 2015 18:37:02 -0700 (PDT)
> Received-SPF: pass (google.com: domain of
> anonymous at webxc44s04.ad.aruba.it designates 62.149.158.86 as permitted
> sender) client-ip=62.149.158.86;
> Authentication-Results: mx.google.com;
>        spf=pass (google.com: domain of
> anonymous at webxc44s04.ad.aruba.it designates 62.149.158.86 as permitted
> sender) smtp.mailfrom=anonymous at webxc44s04.ad.aruba.it
> Received: from webxc44s04.ad.aruba.it ([62.149.145.38])
>     by smartcmd01.ad.aruba.it with bizsmtp
>     id 6Rd11r00W0pvj5a01Rd1wX; Wed, 19 Aug 2015 03:37:01 +0200
> Received: (qmail 16220 invoked by uid 19176666); 19 Aug 2015 01:37:01
> -0000
> Date: 19 Aug 2015 01:37:01 -0000
> Message-ID: <20150819013701.16218.qmail at webxc44s04.ad.aruba.it>
> To: marilson.mapa at gmail.com
> Subject: ULTIMA TENTATIVA DE CONTATO - 19/08/2015 03:37:00
> X-PHP-Originating-Script: 19176666:index.php
> MIME-Version: 1.0
> Content-type: text/html; charset=iso-8859-1
> From: Atendimento viak at dyodue.com
>  
> TEXT
> From: Atendimento 
> Sent: Tuesday, August 18, 2015 10:37 PM
> To: marilson.mapa at gmail.com 
> Subject: ULTIMA TENTATIVA DE CONTATO - 19/08/2015 03:37:00
>  
> 
>  
>  
>  
>  
> From: Marilson 
> Sent: Tuesday, August 11, 2015 3:49 PM
> To: crime.internet at dpf.gov.br 
> Cc: abuse at staff.aruba.it ; ethics-hotline at arubanetworks.com ;
> gmail-abuse at google.com 
> Subject: Fw: Spam-phishing
>  
> Four phishing in last 24 hours sent by the same sociopath.
>  
> Someone will do something? Someone will give some information about
> this FK p*rr*?
>  
> ID BY AbuseIPDB.com
> 62.149.158.70 was found in our database!
> This IP was reported 1 time. Click here for details.
> 
> 
> ISP:
> Aruba S.p.A.
> Host Name:
> smtplqs-out30.aruba.it
> Organization:
> Aruba S.p.A. - Shared Hosting and
> Mail services
> Country:
> Italy (IT) 
>  
>  
>  
>  
>  
>  
> HEADER
> Delivered-To: marilson.mapa at gmail.com
> Received: by 10.27.37.212 with SMTP id l203csp1244523wll;
>         Tue, 11 Aug 2015 08:35:35 -0700 (PDT)
> X-Received: by 10.194.118.227 with SMTP id
> kp3mr5322711wjb.97.1439307334978;
>         Tue, 11 Aug 2015 08:35:34 -0700 (PDT)
> Return-Path: <CentraldeAvisos at centralavisos.com.br>
> Received: from smtplqs-out30.aruba.it (smtplqs-out30.aruba.it.
> [62.149.158.70])
>         by mx.google.com with ESMTP id
> q10si5274003wiw.112.2015.08.11.08.35.34
>         for <marilson.mapa at gmail.com>;
>         Tue, 11 Aug 2015 08:35:34 -0700 (PDT)
> Received-SPF: neutral (google.com: 62.149.158.70 is neither permitted
> nor denied by best guess record for domain of
> CentraldeAvisos at centralavisos.com.br) client-ip=62.149.158.70;
> Authentication-Results: mx.google.com;
>        spf=neutral (google.com: 62.149.158.70 is neither permitted nor
> denied by best guess record for domain of
> CentraldeAvisos at centralavisos.com.br)
> smtp.mailfrom=CentraldeAvisos at centralavisos.com.br
> Received: from webxc46s06.ad.aruba.it ([62.149.145.56])
>     by smartcmd03.ad.aruba.it with bizsmtp
>     id 3Tba1r0031DDpAN01Tba0u; Tue, 11 Aug 2015 17:35:34 +0200
> Received: (qmail 4868 invoked by uid 19230025); 11 Aug 2015 15:35:34
> -0000
> Date: 11 Aug 2015 15:35:34 -0000
> Message-ID: <20150811153534.4866.qmail at webxc46s06.ad.aruba.it>
> To: marilson.mapa at gmail.com
> Subject: Ultimo Aviso
> X-PHP-Originating-Script: 19230025:index.php
> MIME-Version: 1.0
> Content-type: text/html; charset=iso-8859-1
> From: <CentraldeAvisos at centralavisos.com.br>
> Reply-To: CentraldeAvisos at centralavisos.com.br
>  
> TEST 
> From: CentraldeAvisos at centralavisos.com.br 
> Sent: Tuesday, August 11, 2015 12:35 PM
> To: marilson.mapa at gmail.com 
> Subject: Ultimo Aviso
>  
> 
> 
>  
>  
> From: Marilson 
> Sent: Tuesday, August 11, 2015 1:13 AM
> To: crime.internet at dpf.gov.br 
> Cc: abuse at staff.aruba.it ; mail-abuse at cert.br ; mail-abuse at nic.br ;
> ethics-hotline at arubanetworks.com ; gmail-abuse at google.com 
> Subject: Spam-phishing
>  
> Another phishing using Banco do Brasil and Itau.
>  
> Sirs of Aruba S.p.A. Network, your client bbcom.com.br (domain) BBCom
> Propaganda Ltda (owner) Enio Marcos Babireski Barcelos (responsible)
>  
> and itaucom.com.br (domain) who has two IP 200.189.40.11 and
> 200.192.232.11, both owned by NIC.BR (????), are practicing phishing.
>  
> Follow criminals: http://www.intodns.com/itaucom.com.br  ==>
> http://whois.domaintools.com/200.192.232.11 
>  
> Enjoy!
> Marilson
>  
> ID BY Public Domain Registry
>  
> domain: bbcom.com.br
> owner: BBCom Propaganda Ltda
> responsible: Enio Marcos Babireski Barcelos
> country: BR
> owner-c: EMB97
> admin-c: EMB97
> tech-c: EMB97
> billing-c: EMB97
> nserver: ns1.locaweb.com.brinetnum:     
>  
> ID BY DOMAINTOOLS
>  
> IP Address
> 200.189.40.11
> Reverse IP
> 1 website uses this address.
> inetnum:     200.189.40/24
> aut-num:     AS10906
> abuse-c:     FAN
> owner:       Núcleo de Inf. e Coord. do Ponto BR - NIC.BR
> ownerid:     005.506.560/0001-36
> responsible: Demi Getschko
> country:     BR
> nic-hdl-br:  FAN
> person:      Frederico Augusto de Carvalho Neves
> e-mail:      
> HEADER 1/2
> Delivered-To: marilson.mapa at gmail.com
> Received: by 10.27.37.212 with SMTP id l203csp829500wll;
>         Mon, 10 Aug 2015 13:42:24 -0700 (PDT)
> X-Received: by 10.195.13.200 with SMTP id
> fa8mr47845321wjd.9.1439239344633;
>         Mon, 10 Aug 2015 13:42:24 -0700 (PDT)
> Return-Path: <atendimento at bb.com.br>
> Received: from smtpdb86.aruba.it (smartcmd0186.aruba.it.
> [62.149.158.86])
>         by mx.google.com with ESMTP id
> gs6si18481102wib.46.2015.08.10.13.42.24
>         for <marilson.mapa at gmail.com>;
>         Mon, 10 Aug 2015 13:42:24 -0700 (PDT)
> Received-SPF: fail (google.com: domain of atendimento at bb.com.br does
> not designate 62.149.158.86 as permitted sender)
> client-ip=62.149.158.86;
> Authentication-Results: mx.google.com;
>        spf=fail (google.com: domain of atendimento at bb.com.br does not
> designate 62.149.158.86 as permitted sender)
> smtp.mail=atendimento at bb.com.br
> Received: from webxc46s02.ad.aruba.it ([62.149.145.52])
>     by smartcmd01.ad.aruba.it with bizsmtp
>     id 38iP1r00e1837pJ018iPjg; Mon, 10 Aug 2015 22:42:23 +0200
> Received: (qmail 46041 invoked by uid 19230025); 10 Aug 2015 20:42:23
> -0000
> Date: 10 Aug 2015 20:42:23 -0000
> Message-ID: <20150810204223.46039.qmail at webxc46s02.ad.aruba.it>
> To: marilson.mapa at gmail.com
> Subject: RES: Aviso
> X-PHP-Originating-Script: 19230025:index.php
> MIME-Version: 1.0
> Content-type: text/html; charset=iso-8859-1
> From: <Atendimento at bbcom.com.br>
> Reply-To: Atendimento at bbcom.com.br
>  
> HEADER 2/2
> Delivered-To: marilson.mapa at gmail.com
> Received: by 10.27.37.212 with SMTP id l203csp777616wll;
>         Mon, 10 Aug 2015 11:34:45 -0700 (PDT)
> X-Received: by 10.194.103.7 with SMTP id
> fs7mr46475107wjb.75.1439231685256;
>         Mon, 10 Aug 2015 11:34:45 -0700 (PDT)
> Return-Path: <atendimento at itau.com.br>
> Received: from smartcmd0187.aruba.it (smartcmd0188.aruba.it.
> [62.149.158.88])
>         by mx.google.com with ESMTP id
> bh6si17651852wib.28.2015.08.10.11.34.44
>         for <marilson.mapa at gmail.com>;
>         Mon, 10 Aug 2015 11:34:45 -0700 (PDT)
> Received-SPF: fail (google.com: domain of atendimento at itau.com.br does
> not designate 62.149.158.88 as permitted sender)
> client-ip=62.149.158.88;
> Authentication-Results: mx.google.com;
>        spf=fail (google.com: domain of atendimento at itau.com.br does
> not designate 62.149.158.88 as permitted sender)
> smtp.mail=atendimento at itau.com.br
> Received: from webxc46s02.ad.aruba.it ([62.149.145.52])
>     by smartcmd01.ad.aruba.it with bizsmtp
>     id 36ak1r00g1837pJ016akXV; Mon, 10 Aug 2015 20:34:44 +0200
> Received: (qmail 26736 invoked by uid 19230025); 10 Aug 2015 18:34:44
> -0000
> Date: 10 Aug 2015 18:34:44 -0000
> Message-ID: <20150810183444.26735.qmail at webxc46s02.ad.aruba.it>
> To: marilson.mapa at gmail.com
> Subject: Aviso:
> X-PHP-Originating-Script: 19230025:index.php
> MIME-Version: 1.0
> Content-type: text/html; charset=iso-8859-1
> From: <Atendimento at itaucom.com.br>
> Reply-To: Atendimento at itaucom.com.br
>  
> TEXT 1/2
> From: Atendimento at bbcom.com.br 
> Sent: Monday, August 10, 2015 5:42 PM
> To: marilson.mapa at gmail.com 
> Subject: RES: Aviso
>  
> Bloqueio de sua Conta - Ultimo Aviso (Comunicado Urgente) 
> 
> Private Bank
> 
> 
> 
> TEXT 2/2
> 
> From: Atendimento at itaucom.com.br 
> Sent: Monday, August 10, 2015 3:34 PM
> To: marilson.mapa at gmail.com 
> Subject: Aviso:
>  
> 
> 
>  
> 
> Bloqueio de sua Conta
>  
>