sm5w2

join:2004-10-13
St Thomas, ON
reply to sm5w2

Re: WARNING -> fake MyBell credit-card-declined spam

A buddy of mine just got one of these today. The fake Bell login portal is:

»polishmarket.home.pl/bell/Login.html

That domain currently has this IP: 79.96.60.221 (located somewhere in Poland)

As for the computer that sent this spam:

=========
Received: from unknown (HELO acer-cde29c9033) ([76.70.32.43])
by toip52-bus.srvr.bell.ca with ESMTP; 09 Aug 2013 12:31:20 -0400
=========

It's our friend - the infected ACER computer. IP geo-location puts that IP at:

QUEBEC, METABETCHOUAN-LAC-A-LA-CROIX

There's no rDNS on that IP

So Bell continues to allow infected machines on its Sympatico network to act as spam zombies.

Does anyone else find it ironic that Bell's own servers are forwarding these credit-card fraud attempts to log into a bogus version of its own MyBell portal?

So here's the list of misbehaving Bell IPs so far:

76.70.29.15
174.94.154.30
174.94.73.194
69.159.211.214
79.96.60.221



Gitane59

@bell.ca

I just got the email today. Has the Canadian Anti-Fraud agency been notified? It is insidious in its attempt to scam info from users. I do use Bell DSL, but do not pay by credit card so I instantly knew it was a phishing scam, but my wife was not certain until I showed her the misdirected weblinks embedded in the header.


donkey

join:2008-04-08
Montreal, QC
reply to sm5w2

The Polish folk seem to have taken down the fake site, good job!
--
WestLink Cable is a SCAM


sm5w2

join:2004-10-13
St Thomas, ON
reply to Gitane59

> I just got the email today.

Post the link!
Post the IP address where the e-mail came from!



Ontario

@bell.ca

Received: from toip32.srvr.bell.ca ([67.69.240.34]) by BAY0-PAMC1-F4.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Fri, 16 Aug 2013 06:21:14 -0700

The credit card we have on file for your MyBell Internet service was declined when we attempted to bill you on 07/10/2013 for your most recent service fees. For this reason, your service could be suspended. Please visit our Account Information pages, located at
»www.ashirochester.com/calendar/t···ndex.php
and update your credit card information as soon as possible.



Ontario

@bell.ca

Bah. Wrong header information.

Authentication-Results: hotmail.com; spf=neutral (sender IP is 207.236.237.40) smtp.mailfrom=mybellaccount@cox.net; dkim=none header.d=cox.net; x-hmca=none header.id=mybellaccount@cox.net



sm5w2

join:2004-10-13
St Thomas, ON


Still wrong. The source IP is not 207.236.237.40. That is an intermediate Bell SMTP server (toroondcbmts06.bellnexxia.net)

Downorjustforme says that www.ashirochester.com is up, but I can't get a connection to it. Archive.org says that it's the "Greater Rochester Chapter of the American Society of Home Inspectors".

I suspect Bell is blocking it. Try doing a tracert to 209.217.235.135. It dies on the 3rd hop.

Yup - Bell is blocking it.

Try accessing it from here: »zendproxy.com/

Enter this URL: www.ashirochester.com/calendar/tools/index.php



Ontario

@bell.ca

x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensydyekesGC2M=
Authentication-Results: hotmail.com; spf=neutral (sender IP is 207.236.237.40) smtp.mailfrom=mybellaccount@cox.net; dkim=none header.d=cox.net; x-hmca=none header.id=mybellaccount@cox.net
X-SID-PRA: mybellaccount@cox.net
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0wO0Q9MDtHRD0wO1NDTD00
X-Message-Info: 9dBmIzkiBYuDHP2v+MoYbLECjmqxdC7CBNRY4QJ6XKnGH45aqfqauiBlUit+sbcti59xyQbfa+3lTb6Bo23CJNpFO+tR7/Fx/AW8NGPPdWhu/5ftjmb8rNFRFBo1g3ExWdzMW487CzEB7C8F9Z4PAIwLMaASLAdvFbpKmhj58gpw0vQM+j8BRQ==
Received: from toip32.srvr.bell.ca ([67.69.240.34]) by BAY0-PAMC1-F4.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Fri, 16 Aug 2013 06:21:14 -0700
Received: from toip17.srvr.bell.ca ([67.69.240.19])
by toip32.srvr.bell.ca with ESMTP; 16 Aug 2013 09:21:08 -0400
Received: from toroondcbmts06.bellnexxia.net (HELO toroondcbmts06-srv.bellnexxia.net) ([207.236.237.40])
by toip17.srvr.bell.ca with ESMTP; 16 Aug 2013 09:21:08 -0400
Received: from toip52-bus.srvr.bell.ca ([67.69.240.55])
by toroondcbmts06-srv.bellnexxia.net
(InterMail vM.8.00.01.00 201-2244-105-20090324) with ESMTP
id
for ; Fri, 16 Aug 2013 09:21:08 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiITADIaDlJMRlVM/2dsb2JhbABBEweCUjQ1jCOifpBKAQEegQcXdIJcQh4HASiJGQwymQiGfIgugXCGYIgvjxMHdjMHFwyDfAO BKI1blQQEhS6DOCCBLAIHFwM
X-IronPort-AV: E=Sophos;i="4.89,895,1367985600";
d="scan'208,217";a="430959729"
Received: from bas1-toronto50-1279677772.dsl.bell.ca (HELO WINSSIL7N84M2Bgateway2wirenet) ([76.70.85.76])
by toip52-bus.srvr.bell.ca with ESMTP; 16 Aug 2013 09:21:01 -0400
Return-Path: mybellaccount@cox.net
MIME-Version: 1.0
From: "MyBell Account"
Reply-To: mybellaccount@cox.net

OK, so which is the correct source IP? That's the full header.


sm5w2

join:2004-10-13
St Thomas, ON

Received: from bas1-toronto50-1279677772.dsl.bell.ca (HELO WINSSIL7N84M2Bgateway2wirenet) ([76.70.85.76])

76.70.85.76 = bas1-toronto50-1279677772.dsl.bell.ca

It's a hacked computer, a Bell customer. Someone from Bell needs to come here and explain why they are incapable of detecting this FORM LETTER that their mail servers accept from infected customers and pass it on to other customers.

These fraud attempt emails have the same format, the same wording and phrases. Why can't their spam filters catch this?

Why can't their servers detect an inordinate amount of SMTP activity coming from these infected systems?
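The header reading done by hand in the posts above (walk the Received: lines from the bottom up, skip the Bell relays, take the IP the first Bell server saw) as a Python script. This is an added example, not code from anyone in this thread. It parses the full header pasted above, tolerates the folding whitespace that was lost when the header was pasted, checks that each Received: line was written by the server named as the sender in the line directly above it, and reports the deepest consistent hop as the originating host. The regex is tailored to the IronPort/InterMail layout seen in these headers (from name (HELO x) ([ip]) by name); it also accepts the Postfix/Sendmail "(rdns [ip])" spelling, but other MTAs order the tokens differently and would need their own pattern. The forged-line check in the usage note uses a made-up host (mail.example.invalid) to show why the walk stops at a break in the chain.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the Received: chain of the "MyBell" phishing message quoted
# earlier in this thread, copied as it was pasted there (the leading whitespace
# of folded continuation lines was lost; the parser tolerates that).
SAMPLE_HEADERS = """\
Received: from toip32.srvr.bell.ca ([67.69.240.34]) by BAY0-PAMC1-F4.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Fri, 16 Aug 2013 06:21:14 -0700
Received: from toip17.srvr.bell.ca ([67.69.240.19])
by toip32.srvr.bell.ca with ESMTP; 16 Aug 2013 09:21:08 -0400
Received: from toroondcbmts06.bellnexxia.net (HELO toroondcbmts06-srv.bellnexxia.net) ([207.236.237.40])
by toip17.srvr.bell.ca with ESMTP; 16 Aug 2013 09:21:08 -0400
Received: from toip52-bus.srvr.bell.ca ([67.69.240.55])
by toroondcbmts06-srv.bellnexxia.net
(InterMail vM.8.00.01.00 201-2244-105-20090324) with ESMTP
id
for ; Fri, 16 Aug 2013 09:21:08 -0400
X-IronPort-Anti-Spam-Filtered: true
Received: from bas1-toronto50-1279677772.dsl.bell.ca (HELO WINSSIL7N84M2Bgateway2wirenet) ([76.70.85.76])
by toip52-bus.srvr.bell.ca with ESMTP; 16 Aug 2013 09:21:01 -0400
Return-Path: mybellaccount@cox.net
"""

# A header line starts with a field name and a colon; anything else is treated
# as a continuation of the previous field (RFC 5322 folding, indented or not).
FIELD_START = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")

# Received: layout written by the Bell IronPort and InterMail hops above:
#   from <rdns-or-unknown> [(HELO <claimed-name>)] ([<ip>]) by <receiving-mta> ...
# The optional host name before the bracketed IP also covers the "(rdns [ip])"
# spelling used by Postfix/Sendmail. Other MTAs order these tokens differently.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<from>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^()\s]+)\))?"
    r"\s+\((?:[^()\s]+\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r".*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)


@dataclass
class Hop:
    from_host: str        # name the receiving MTA recorded for the sender (rDNS or "unknown")
    helo: Optional[str]   # name the sender claimed in HELO/EHLO; trivially forgeable
    ip: str               # address the receiving MTA actually saw on the TCP connection
    by_host: str          # the MTA that wrote this Received: line


def unfold(raw: str) -> List[Tuple[str, str]]:
    """Split pasted header text into (name, value) pairs, re-joining folded lines."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if FIELD_START.match(line):
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
        elif fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
    return fields


def parse_received(raw: str) -> List[Hop]:
    """Return the Received: hops in header order: newest (nearest the recipient) first."""
    hops: List[Hop] = []
    for name, value in unfold(raw):
        if name.lower() != "received":
            continue
        m = RECEIVED_RE.search(value)
        if m:
            hops.append(Hop(m["from"], m["helo"], m["ip"], m["by"].rstrip(";,")))
    return hops


def find_origin(hops: List[Hop]) -> Tuple[Optional[Hop], Optional[int]]:
    """Return (origin hop, index of the first inconsistent hop or None).

    Received: lines are prepended, so the bottom one was written by the first
    server to accept the message and carries the injecting host's IP. It is only
    trustworthy while the chain is continuous: each hop's by_host must be the
    host named (rDNS or HELO) in the hop directly above it. Below a break the
    lines may be forged by the sender, so the walk stops there.
    """
    if not hops:
        return None, None
    for i in range(len(hops) - 1):
        upper, lower = hops[i], hops[i + 1]
        named_above = {upper.from_host.lower(), (upper.helo or "").lower()}
        if lower.by_host.lower() not in named_above:
            return upper, i + 1
    return hops[-1], None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_HEADERS)
    for n, hop in enumerate(hops):
        print(f"hop {n}: {hop.ip:<16} from={hop.from_host} helo={hop.helo} by={hop.by_host}")
    origin, broken = find_origin(hops)
    print("chain consistent" if broken is None else f"chain breaks at hop {broken}")
    print(f"originating host: {origin.ip} ({origin.from_host}, HELO {origin.helo})")
```

Run as-is it lists the five hops and names 76.70.85.76 as the origin; 207.236.237.40 shows up as hop 2, the relay whose HELO name (toroondcbmts06-srv.bellnexxia.net) is what links it to the hop below. Appending a fabricated Received: line under the real chain, e.g. one claiming to be written by a host the Bell server above never named, makes find_origin stop at hop 4 and keep 76.70.85.76 as the answer rather than trusting the tacked-on line.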



Ontario

@bell.ca

The odd thing about that phishing message is the email address that received it. It's a sympatico.ca address that I created specifically to use when registering an account with Sony Online Entertainment over 10 years ago, and haven't used it for anything else. So how did the hacked machine get that address? So far the address gets 0 spam...hope that isn't about to change.



Ontario

@bell.ca

New one targeting BMO customers.

Received: from barion18-1242538297.sdsl.bell.ca (HELO memmento.com) ([74.15.161.57])
by toip36-bus.srvr.bell.ca with ESMTP; 19 Aug 2013 09:28:20 -0400
Return-Path: bmomontreal@cox.net

Dear Customer,
Your account has been SUSPENDED, as an error was detected on your profile
The reason for the error might be:
1. You have changed your billing address.
2. You have Submitted incorrect information during bill payment process.
3. Your credit/debit card has expired.
4. You didn't update your BMO profile.
We need you to update your information here. [links to multiserviciosalfil.com/calendar/tools/index.php]

Thank you for your cooperation