Posted by: Mike P. | April 14, 2010

Phishing – Closer to Home Than I Thought

The following message was posted to the Email Administration in Higher Education mailing list. I believe this is a private list for higher-ed email administrators, so I will not give out the address here.

This posting has been edited to include more background information than what I originally wrote on the HEEA list.

For those of us that monitor our users sending messages to known phishing toolboxes, the list of addresses maintained at is an invaluable source of information. In many cases, we can either prevent the message from being sent, or at least disable the account and force the user to change their password if a message is sent.

A few weeks ago, we were subjected to a phishing attack. An email message directed our users to a mock-up of our webmail page which was hosted on a hacked system, and information that users entered was emailed to those backing the scheme. I contacted the site owners and they told me where the userids and passwords were being emailed. The domain name sounded familiar to me, so I looked it up. The MX record was surprising – the site was hosted by a major email provider. Equally surprising was that approximately 80 addresses for this domain have been reported since some time in 2008(1).

This led me to attempt to see who was actually hosting the primary class A addresses in the phishing-replies file. Class A addresses were used as Reply-to: addresses on phishes and generally represent the location a password would be sent to. I looked up the MX records for all the domains, and in some cases, looked up the IP addresses in ARIN and related registrars in an attempt to find something in common. The results are presented below.

Weaknesses in this report are:

  1. It is entirely possible that no one reports these dropboxes to the hosting email provider. I have tried to report a few, but never received a response.
  2. The look-ups for the domains were done within the past few weeks. It is possible that the domains were not hosted by the current email provider at the time the address was reported.
  3. This process was fairly manual, so mistakes are possible.
  4. Postini addressed domains were assigned to Google. Google may not actually be hosting the email, but they did process it.
  5. More work on the unknown email providers would be useful. There may be some groups in there that I have not been able to spot.
  6. Most of the accounts in this list have now been disabled.  The list represents a running view of the problem, not the problem as it currently exists.  I have no way to tell which accounts are disabled.  Even though an account receives mail, it could still be disabled.
  7. The addresses in this list come from a group of email administrators from various universities.  It only contains addresses used to receive userids and passwords for stolen higher-ed email accounts.  Bank fraud, general money phishes (so-called Nigerian phishes) and the like are not covered here.
  8. The addresses were typically listed as Reply-To: on phishing messages.  This does not prove the account has actually been stolen.  However, this is little reason to go to the effort of sending phishing messages only to be unable to recover the “goods”, so to speak.

I would like to suggest we attempt to set up a line of communication with at least the major email providers so these dropboxes can be shut down as soon as possible, and more importantly, a list of responding accounts provided.

The data can be provided as SQL or text files for anyone interested.

Owner              | Domains | Addresses |                 Comment
microsoft          |      87 |      3105 | All Microsoft Domains
google             |      28 |      1644 | All Google Domains
yahoo              |      37 |      1550 | All Yahoo Domains
unknown            |     340 |       554 | The Unknown
commtouch          |      45 |       526 | Commtouch Inc., mail2world, etc
aol                |      45 |       321 | All AOL Domains
internic-au        |       6 |       138 | internic Datenkommunikations GmbH.           |       1 |        81 | ASAHI Net,Inc.
zoner              |       1 |        72 | ZONER software, s.r.o., CZ
nfrance            |       2 |        71 | Nfrance
edu                |      67 |        70 | Higher-ed, no trending schools
lt-hostex          |       1 |        65 | LT-HOSTEX-20071212, UAB HOSTEX, LT          |       1 |        47 | Unresolvable at this time
godaddy            |       1 |        45 |
yesup              |       1 |        19 | Yesup Ecommerce Solutions Inc.
fanmail            |       8 |        17 | Ironic Design, Inc.
zzn                |      14 |        16 | CP Software Group, CA, USA
att                |       2 |        14 |
mediacom           |       1 |        12 | Mediacom Communications Corporation
euronet            |       1 |        11 | Smile Customers FixIp, IL
basefarm           |       1 |        10 | Basefarm AB, SE
webmaster          |       1 |         9 | WebMaster, Incorporated
comcast            |       1 |         6 |
verizon            |       1 |         5 | Verizon
earthlink          |       1 |         5 |
unresolvable       |       4 |         4 |
amadeus            |       1 |         3 | Amadeus IT Group, S.A. (AMADEUSI908)
cogeco             |       1 |         2 | Cogeco Telecom
eircom             |       1 |         2 | Eircom, Dublin, Ireland
global.frontbridge |       2 |         2 |
advertisnet        |       1 |         1 |        |       1 |         1 | Project
Slicehost          |       1 |         1 |
apple              |       1 |         1 |

1), 600 IN MX 20  Edit: well, now I feel a little silly. is a very large Indian ISP.  So, canceling is not going to happen.


Michael Porter
Systems Programmer V
University of Delaware

Mike Porter
PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA 2F D2 37 F3 99 ED D1 C2

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: