
Megahack?


Andy

Apr 21, 2013, 8:27:46 AM
I've just received an email purporting to be from NatWestBank; headers
follow. The text is a list of 999 email addys, including a surprising
number of Demonites. I haven't checked any but I recognise a few of
them! All the names begin with 'an' - I hadn't realised there were so
many Andys around :)

Any thoughts on what/whence/why?

ps: I have no accounts with NatWest.

==============

Received: from mail.demon.co.uk by kitzbuhel.demon.co.uk with POP3
id <7251."admini...@kitzbuhel.demon.co.uk"@mail.demon.co.uk>
for <"admini...@kitzbuhel.demon.co.uk"@mail.demon.co.uk>;
Sun, 21 Apr 2013 12:08:38 +0100
Received: from smtp.demon.co.uk (91.221.168.53) by HVUT04.thus.corp
(192.168.70.44) with Microsoft SMTP Server (TLS) id 14.1.355.2; Sun, 21 Apr 2013 11:56:49 +0100
Received: from mdfmta012.tbr.inty.net (unknown [91.221.168.53]) by
mdfmta012.tbr.inty.net (Postfix) with ESMTP id 3565F8C005B for
<admini...@kitzbuhel.demon.co.uk>; Sun, 21 Apr 2013 11:56:49 +0100
(BST)
Received: from mdfmta012.tbr.inty.net (unknown [91.221.168.53]) by
mdfmta012.tbr.inty.net (Postfix) with ESMTP id 0C0128C0061 for
<admini...@kitzbuhel.demon.co.uk>; Sun, 21 Apr 2013 11:56:49 +0100
(BST)
Received: from mdfmta012.tbr.inty.net (unknown [127.0.0.1]) by
mdfmta012.tbr.inty.net (Postfix) with ESMTP id D90CA8C005B for
<an...@kitzbuhel.demon.co.uk>; Sun, 21 Apr 2013 11:56:48 +0100 (BST)
Received: from server18.cretaforce.gr (unknown [95.154.254.24]) (using TLSv1
with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested)
by mdfmta012.tbr.inty.net (Postfix) with ESMTP for
<an...@kitzbuhel.demon.co.uk>; Sun, 21 Apr 2013 11:56:48 +0100 (BST)
Received: by server18.cretaforce.gr (Postfix, from userid 1011) id
A42AB279F68; Sun, 21 Apr 2013 13:55:50 +0300 (EEST)
To: <an...@kitzbuhel.demon.co.uk>
Subject: Important E-mail Notification.
X-PHP-Script: www.ypertash.gr/tmp/creative.php for 213.123.168.14
X-PHP-Originating-Script: 1011:creative.php
From: National Westminster Bank <internet...@natwest.com>
Reply-To:
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-ID: <2013042110571...@server18.cretaforce.gr>
Date: Sun, 21 Apr 2013 13:55:50 +0300
X-MDF-HostID: 25
X-MDF-HostID: 25
Return-Path: tsio...@server18.cretaforce.gr
X-MS-Exchange-Organization-AuthSource: HVUT04.thus.corp
X-MS-Exchange-Organization-AuthAs: Anonymous
MIME-Version: 1.0
--
Andy Taylor [Editor, Austrian Philatelic Society].
Visit <URL:http://www.austrianphilately.com>

John Hall

Apr 21, 2013, 5:10:55 PM
In article <jaUstwFC...@kitzbuhel.demon.co.uk>,
Andy <an...@kitzbuhel.demon.co.uk> writes:
>I've just received an email purporting to be from NatWestBank;
>headers follow. The text is a list of 999 email addys, including a
>surprising number of Demonites. I haven't checked any but I
>recognise a few of them! All the names begin with 'an' - I hadn't
>realised there were so many Andys around :)
>
>Any thoughts on what/whence/why?

As to why, I'd guess that the 999 addresses were meant to be in the
headers as multiple To addresses in addition to yours (or CC or BCC),
but that the spammer cocked it up.
--
John Hall
"Sir, I have found you an argument;
but I am not obliged to find you an understanding."
Dr Samuel Johnson (1709-1784)

pe...@nospam.demon.co.uk

Apr 21, 2013, 2:01:24 PM
On 21st Apr 2013 at 13:27 "Andy" <an...@kitzbuhel.demon.co.uk> wrote:

> I've just received an email purporting to be from NatWestBank; headers
> follow. The text is a list of 999 email addys, including a surprising
> number of Demonites. I haven't checked any but I recognise a few of
> them! All the names begin with 'an' - I hadn't realised there were so
> many Andys around :)
>
> Any thoughts on what/whence/why?

Not really, other than it is obviously not from NatWest, and probably
from an apparently clueless script kiddie abusing a weakness at
server18.cretaforce.gr (clueless in making no attempt to hide this
info in the headers).
Perhaps this is an open relay?

> by mdfmta012.tbr.inty.net (Postfix) with ESMTP for
> <an...@kitzbuhel.demon.co.uk>; Sun, 21 Apr 2013 11:56:48 +0100 (BST)
> Received: by server18.cretaforce.gr (Postfix, from userid 1011) id
> A42AB279F68; Sun, 21 Apr 2013 13:55:50 +0300 (EEST)
> To: <an...@kitzbuhel.demon.co.uk>
> Subject: Important E-mail Notification.
> X-PHP-Script: www.ypertash.gr/tmp/creative.php for 213.123.168.14
> X-PHP-Originating-Script: 1011:creative.php

Not very "creative" really :-)

> From: National Westminster Bank <internet...@natwest.com>
> Reply-To:
> Content-Type: text/html
> Content-Transfer-Encoding: 8bit
> Message-ID: <2013042110571...@server18.cretaforce.gr>
> Date: Sun, 21 Apr 2013 13:55:50 +0300
> X-MDF-HostID: 25
> X-MDF-HostID: 25
> Return-Path: tsio...@server18.cretaforce.gr

And even a return-path (though this might well be forged or the
unfortunate user's PC has been compromised).

> X-MS-Exchange-Organization-AuthSource: HVUT04.thus.corp
> X-MS-Exchange-Organization-AuthAs: Anonymous
> MIME-Version: 1.0

Interesting to note that ms-exchange has no qualms about receiving it
though.

Pete
--
Believe those who are seeking the truth.
Doubt those who find it. - André Gide
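Added example, not part of the thread: a small Python script that does mechanically what Pete does by eye with Andy's headers. It unfolds the posted header block, walks the Received: chain from the oldest hop upwards, and reports the facts that matter for triage: the host that first accepted the message and the local userid it was submitted under, the oldest hop whose connecting IP was actually recorded by a receiving MTA (rather than claimed by the sender), the X-PHP-Script field, and whether the From: domain matches the Return-Path domain. The header text is the page's own; the "entry hop" heuristic (oldest hop with a non-loopback bracketed IP) and all function names are this example's assumptions.

```python
import re

# Constructed from the headers Andy posted in this thread. The posted copy lost
# the leading whitespace RFC 5322 uses to fold long fields, so unfold() treats
# any line that does not start with "Name:" as a continuation of the previous one.
RAW_HEADERS = """\
Received: from mail.demon.co.uk by kitzbuhel.demon.co.uk with POP3
id <7251."admini...@kitzbuhel.demon.co.uk"@mail.demon.co.uk>
for <"admini...@kitzbuhel.demon.co.uk"@mail.demon.co.uk>;
Sun, 21 Apr 2013 12:08:38 +0100
Received: from smtp.demon.co.uk (91.221.168.53) by HVUT04.thus.corp
(192.168.70.44) with Microsoft SMTP Server (TLS) id 14.1.355.2; Sun, 21
Apr
2013 11:56:49 +0100
Received: from mdfmta012.tbr.inty.net (unknown [91.221.168.53]) by
mdfmta012.tbr.inty.net (Postfix) with ESMTP id 3565F8C005B for
<admini...@kitzbuhel.demon.co.uk>; Sun, 21 Apr 2013 11:56:49 +0100
(BST)
Received: from mdfmta012.tbr.inty.net (unknown [91.221.168.53]) by
mdfmta012.tbr.inty.net (Postfix) with ESMTP id 0C0128C0061 for
<admini...@kitzbuhel.demon.co.uk>; Sun, 21 Apr 2013 11:56:49 +0100
(BST)
Received: from mdfmta012.tbr.inty.net (unknown [127.0.0.1]) by
mdfmta012.tbr.inty.net (Postfix) with ESMTP id D90CA8C005B for
<an...@kitzbuhel.demon.co.uk>; Sun, 21 Apr 2013 11:56:48 +0100 (BST)
Received: from server18.cretaforce.gr (unknown [95.154.254.24]) (using
TLSv1
with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate
requested)
by mdfmta012.tbr.inty.net (Postfix) with ESMTP for
<an...@kitzbuhel.demon.co.uk>; Sun, 21 Apr 2013 11:56:48 +0100 (BST)
Received: by server18.cretaforce.gr (Postfix, from userid 1011) id
A42AB279F68; Sun, 21 Apr 2013 13:55:50 +0300 (EEST)
Subject: Important E-mail Notification.
X-PHP-Script: www.ypertash.gr/tmp/creative.php for 213.123.168.14
From: National Westminster Bank <internet...@natwest.com>
Return-Path: tsio...@server18.cretaforce.gr
X-MS-Exchange-Organization-AuthAs: Anonymous
"""

HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")

def unfold(raw):
    """Return [(name, value)] in the order the headers appear."""
    fields = []
    for line in raw.splitlines():
        m = HEADER_LINE.match(line)
        if m:
            fields.append([m.group(1), m.group(2)])
        elif fields:  # continuation of the previous field
            fields[-1][1] = (fields[-1][1] + " " + line.strip()).strip()
    return [(n, v) for n, v in fields]

def parse_received(value):
    """Extract the hop facts a trace needs from one Received: value."""
    m_from = re.match(r"from\s+(\S+)", value)       # host name the sender claimed
    m_by = re.search(r"\bby\s+(\S+)", value)        # MTA that wrote this line
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)  # IP that MTA saw
    m_uid = re.search(r"from userid (\d+)", value)  # local submission (Postfix)
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "ip": m_ip.group(1) if m_ip else None,
        "rdns_unknown": "(unknown [" in value,      # no reverse DNS for that IP
        "userid": int(m_uid.group(1)) if m_uid else None,
    }

def domain_of(addr):
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else None

def analyse(raw):
    fields = unfold(raw)
    hops = [parse_received(v) for n, v in fields if n.lower() == "received"]
    hdr = {n.lower(): v for n, v in fields}
    origin = hops[-1]  # Received: lines are prepended, so the last is the oldest
    # Heuristic (this example's assumption): the oldest hop whose connecting IP
    # was recorded by a receiving MTA is the first address observed, not claimed.
    entry = next((h for h in reversed(hops)
                  if h["ip"] and not h["ip"].startswith("127.")), None)
    from_dom = domain_of(hdr.get("from"))
    rp_dom = domain_of(hdr.get("return-path"))
    return {
        "hop_count": len(hops),
        "origin_host": origin["by"],
        "origin_userid": origin["userid"],
        "entry_hop": entry,
        "php_script": hdr.get("x-php-script"),
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "sender_mismatch": from_dom != rp_dom,
        "auth_as": hdr.get("x-ms-exchange-organization-authas"),
    }

if __name__ == "__main__":
    for key, val in analyse(RAW_HEADERS).items():
        print(f"{key:20} {val}")
```

Run as-is it reports seven hops, an origin of server18.cretaforce.gr with a local submission by userid 1011, an entry hop from 95.154.254.24 with no reverse DNS, a From: domain of natwest.com against a Return-Path on server18.cretaforce.gr, and AuthAs: Anonymous. A "by host (Postfix, from userid N)" line is Postfix's record of a message handed in locally, and X-PHP-Script is what PHP's mail() adds when mail.add_x_header is enabled, so the chain is consistent with a web script running on that host rather than with mail relayed through it. Only the hops written by MTAs you trust are reliable; anything below the first one your own infrastructure recorded can be fabricated by the sender.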