[Owasp-Malaysia] Email Scam In Malay
Harisfazillah Jamel
(1) This email scam, what we call Nigerian scam now in Malay (bahasa
melayu)... Or its may origin from Malaysia...
http://en.wikipedia.org/wiki/Advance-fee_fraud
(2) Check the header
http://whatismyipaddress.com/trace-email
(3) Hmm its from Malaysia maybe yes or maybe not ...
% APNIC found the following authoritative answer from: whois.apnic.net
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 120.140.0.0 - 120.141.255.255
netname: P1NETWORKS-MY
descr: Packet One Networks (M) Sdn
descr: Internet Service Provider
descr: Kuala Lumpur, Malaysia
country: MY
admin-c: SL2018-AP
tech-c: CL1719-AP
status: ALLOCATED PORTABLE
(4) The origin may be being spoof or server or PC is hijack by trojan
and installed with bot ...
Security in ICT is all about you ... Use common sense and alway in doubt....
Thank you
Harisfazillah Jamel
http://blog.harisfazillah.info/
------------- Content after the email header. This header will be use
for investigation ...
>From Nur Rina binti mohamed Thu Oct 7 07:50:06 2010
X-Apparently-To: linuxm...@yahoo.com via 98.138.83.126; Thu, 07
Oct 2010 00:51:19 -0700
Return-Path: <nur-ri...@msn.com>
Received-SPF: pass (mta1017.mail.mud.yahoo.com: domain of
nur-ri...@msn.com designates 65.55.90.146 as permitted sender)
X-YMailISG: THP15E4cZAoq7z_pqScDn6lbJCaSYaMwgA_gfVyuTJ4b67dP
ExVUJ.kjAaFbjFm03XVW4sylN7hTS.pEHQIL1qOPhrAgyfpXFLXJSpgwSU4J
HcNADO7NwNqnMfanQKiiQEppZ1pZ4MojGE2grI8RTzNt_zACKPLj0ykBGtKL
xIwZtFwKVuo5Vf_eFqldDxJg.tx8tXUkWT9vL5O_1jUqK76h5IfpX3NOnLcR
McKsMEUdGXopiITq3XRP6_z7l74GKLl9eS_p0UBEMo_lcTdmlxnVPcIQGiYC
zC_BSMAp1tZhoKE1.EW0VvTceOWdIc.j4gFG8wsNXyfUn6e_RT7d6j8hyvPf
iME2b3OaLgNFjabCJpjB9V46_nRRtg7fxJSLU07XzHc5kiO2JYhgYu2uD.RR
ljEUSmNqsxM3n5ZmQ1iv0NTJ7ThLT3QcSU.DhP6YgIOQC24COyoZZ8jagSdV
9g.s3CbuiUW2CWvSDnjSmxDJjK1CjIrpVDxegMOvYhDHmPSCqML78PYASy2j
sKogGbPgX5ymM99da7gBK9h1.jUCEjlXc26lA.l51Wl6kZKk4COJ8S77yy0P
6txOiedxbzDjcNvVVKbQCUJR.GyLI32Fy_xP8Qd8cK1hBbClCYfliJ99Y.AH
q4h7e7FcJMimmMVo6inPMgEexjmSt0_I2ROZpTzsTx0r5fpPXMh9yGOeDgKn
QGdCUIUCrBD_ZJjXO9upHFVzraqwR6jffZS8vO6g646MssfQcaA5V46jEaH2
jmqSCTmA8RSWX7.h.3KTvk5nv8qSTfyz2bftegvgzVmMt709sqYpFeuwuHM.
62jmBN36miwBtDPQoFe0UC4GrvVhAkcHqkN7ZTzN40MXC1yox8W68EvrJE97
IGOb9xF_4w8.dZNmXpzd0wB1FNkcQwJ_IhbgRlzKvQbnHpGpMmCY4ZeVRfqK
IiA3EvuulwqwmoDq4VI8VqpPgJgKQIi3qgxNFNq.oRUiy.SIDs5cDG_u5RqV
0Jy1B0YzFMc7DxyG.qlh8LW5qRNHXD6RUxaMGzm7WgEnhAdzp2EJXbMks2NH
fmAzMQzAcG2ujQabzjyGGAWIgAo_pPaaU4RtZ6tVtux_DmAXhdP_2FBbKupN
t34IWI5vpnA3GuPZ2Qxo5WIyCMhGIOCmQ2e94ZO78hMXTq3Y3QudAU6O9VJf
UdLZrH_xDpAPqlZDbnnbW4jH45XoxelfjELa9UnPgUD.6Sa773JM1MfN35JY
XurJiFcKPklqYFaSkbEEo6dz2QBRuIN14mMWG4cVIipT9j7Ag7XRbsedjcqn
5bk-
X-Originating-IP: [65.55.90.146]
Authentication-Results: mta1017.mail.mud.yahoo.com from=msn.com;
domainkeys=neutral (no sig); from=msn.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO snt0-omc3-s7.snt0.hotmail.com) (65.55.90.146)
by mta1017.mail.mud.yahoo.com with SMTP; Thu, 07 Oct 2010 00:51:17 -0700
Received: from SNT143-W14 ([65.55.90.137]) by
snt0-omc3-s7.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 7 Oct 2010 00:50:06 -0700
Message-ID: <SNT143-w14C013610...@phx.gbl>
Return-Path: nur-ri...@msn.com
Content-Type: multipart/alternative;
boundary="_dc09a759-a9d3-4b36-86bd-808ac0fde2c7_"
X-Originating-IP: [120.140.22.218]
Reply-To: <nur_rinabi...@yahoo.com>
From: Nur Rina binti mohamed <nur-ri...@msn.com>
Subject: Terima kasih
Date: Thu, 7 Oct 2010 07:50:06 +0000
Importance: Normal
MIME-Version: 1.0
Bcc:
X-OriginalArrivalTime: 07 Oct 2010 07:50:06.0804 (UTC)
FILETIME=[423EF940:01CB65F4]
Content-Length: 7047
------------ end header
----- Forwarded Message ----
From: Nur Rina binti mohamed <nur-ri...@msn.com>
Sent: Thu, October 7, 2010 3:50:06 PM
Subject: Terima kasih
Salam ,
Saya Nur Rina binti Mohamed, saya bekerja sebagai Marketing Officer di
sebuah syarikat pemprosesan batu mulia di UK.di sini Saya ingin
memperkenalkan kepada encik peluang perniagaan yang besar
kenuntungannya,saya memerlukan bantuan encik dan kerjasama encik untuk
memajukan perniagaan ini.saya menghubungi encik kerana saya tidak
ingin kehilangan rakan kongsi saya di dalam perniagaan ini.saya tahu
bahawa saya dan encik akan mendapatkan feadah yang baik daripada
perniagaan ini di masa akan datang. Sekarang saya hanya ingin encik
menjadi pembekal (agent) kepada syarikat saya bekerja dan encik boleh
mendapat keuntungan daripada peluang perniagaan ini . Syarikat saya
memerlukan sebuah produk yang disebut (GLYCOL ROUGH GEMSTONE POLISH).
Para pemurnian belerang liquid adalah cecair kimia saintifik bar
substansi, sejenis pelincir, terutama digunakan di makmal untuk
gemological pemurnian merawat atau menerangkan,memasuki ke dalam
berlian dan mengewap keluar kotoran di dalam berlian dan batu-batu
berharga sepertinya.
Pembekal asal produk ini adalah di (Malaysia) sehingga lah pembekal
produk langsung syarikat kami ini mengalami kemalangan di sini {uk}
,dia adalah pengurus pemasaran dan sejak dia kemalangan monopoli ini
telah tergendala.saya hanya ingin encik menjadi agen di antara penjual
dan pembeli .Ini adalah perniagaan besar untuk saya dan encik dan akan
mendapat keuntungan besar.saya hanya memerlukan kerjasama untuk
menjadikan perniagaan ini berjaya.Saya akan memberi anda maklumat
lebih lanjut tentang hal ini jika anda bersedia untuk menjadi sebagai
agen untuk membekalkan produk ke syarikat kami.
Pertama, saya akan perkenalkan anda pembekal (agent)kepada syarikat
saya nanti. Mengikut peratusan, awalnya harga beli yang sebenarnya
produk tersebut oleh syarikat per Carton adalah 4,250.00 USD,
sedangkan di (Malaysia) harga jual tempatan adalah 2,100.00 USD dan
syarikat saya memerlukan tidak kurang daripada 200 Cartons.
saya ingin encik menjadi agen link kami yang menghubungkan penjual
tempatan di Malaysia secaralangsung kepada syarikat membeli maka
margin keuntungan akan digunakan bersama berdua 50% untuk encik,
sementara 50% kepada saya.sekiranya encik dapat membantu saya
mengurus perniagaan jual beli produk ini saya amat
berterimakasih.kemudian saya akan membincangkan pekara ini bersama
pengurus syarikat saya. saya yakin dan percaya encik boleh menyediakan
produk ini kepada syarikat.di sini juga saya memfailkan butiran dari
segi harga dan cara bayaran maka kita boleh mengambil daripada
permulaan perniagaan ini. encik saya mengharap agar encik dapat
membalas email saya ini secepat mungkin, agar saya dapat mengemailkan
number telephone penjual di malaysia gar encik dapat menghubungi
penjual untuk bertanya sama ada penjual tersebut masih mempunyai stock
untuk di bekalkan kepada encik.sebelum syarikat kami akan menghantar
pengurus pembelian pergi ke Malaysia untuk membeli produk dari encik
secara tunai.Terima kasih atas kerjasama encik,saya mengharap dan
menunggu balasan email daripada encik.
Wassalam...
Nur .
_______________________________________________
Owasp-Malaysia mailing list
Owasp-M...@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-malaysia
OWASP Malaysia Wiki
http://www.owasp.org/index.php/Malaysia
OWASP Malaysia Wiki Facebook
http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
Mohamad Imran
berbahasa Melayu. Kalau guna alatan terjemah pun mesti dah diedit.
--
Aku Tetap Aku™
http://maklan.blogspot.com/
https://launchpad.net/~maklanx
http://www.facebook.com/mohamadimranishak
Ir. Tejinder Singh
X-Originating-IP: [65.55.90.146] and X-Originating-IP: [120.140.22.218]
ran the tool , got this
Source:
The source IP address is 120.140.22.218.
is this correct?
/t
Mohd Harpizi Anuar
Saya ni budak baru belajar...ada tak sesiapa yang boleh bagi info pasal TCP
Hijack false positive alert...dan apa puncanya
Thanks
The information in this e-mail and any attachment(s) here to is only for the use of the intended recipient and may be confidential or privileged. If you are not the intended recipient, any use of, reliance on, reference to, disclosure of, alteration to or copying of the information for any purpose is prohibited. Any information not related to BNM's official business is solely the author's and does not necessarily represent BNM's view and is not necessarily endorsed by BNM. BNM shall not be liable for loss or damage caused by viruses transmitted by this e-mail or its attachments. BNM is not responsible for any unauthorised changes made to the information or for the effect of such changes.
Hasanuddin Abu Bakar
Hi...Salam perkenalan.....
Saya ni budak baru belajar...ada tak sesiapa yang boleh bagi info pasal TCP
Hijack false positive alert...dan apa puncanya
Thanks
The information in this e-mail and any attachment(s) here to is only for the use of the intended recipient and may be confidential or privileged. If you are not the intended recipient, any use of, reliance on, reference to, disclosure of, alteration to or copying of the information for any purpose is prohibited. Any information not related to BNM's official business is solely the author's and does not necessarily represent BNM's view and is not necessarily endorsed by BNM. BNM shall not be liable for loss or damage caused by viruses transmitted by this e-mail or its attachments. BNM is not responsible for any unauthorised changes made to the information or for the effect of such changes.
_______________________________________________
Owasp-Malaysia mailing list
Owasp-M...@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-malaysia
OWASP Malaysia Wiki
http://www.owasp.org/index.php/Malaysia
OWASP Malaysia Wiki Facebook
http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
+6017 913 1983
Sigma Rectrix Systems (M) Sdn Bhd
No.15 & 15-1, Jalan Equine 9A,
Equine Park, Bandar Putra Permai
43300 Seri Kembangan Selangor
URL : www.sigmarectrix.com
Phone : 03-89486696
Fax : 03-89487796
Helpdesk : 03-89486596
Faizul
Mohd Harpizi Anuar
to know is it because this server or application on this server have mis
configuration such as programming or server setting that can be possibility
cause this alert.
Faizul
<faizul@mysecurit
y.my> To
Sent by: "Open Web Application Security
owasp-malaysia-bo Project (OWASP) Malaysia Local
un...@lists.owasp Chapter"
.org <owasp-m...@lists.owasp.org>
cc
08/10/2010 10:54 Subject
Re: [Owasp-Malaysia] Email Scam In
Malay
Please respond to
"Open Web
Application
Security Project
\(OWASP\)
Malaysia Local
Chapter"
<owasp-malaysia@l
ists.owasp.org>
Hasanuddin Abu Bakar
IDS detect this alert but nothing wrong with related server....I just want
to know is it because this server or application on this server have mis
configuration such as programming or server setting that can be possibility
cause this alert.
Muhammad Najmi Ahmad Zabidi
bukan takleh bukak topik baru
On Fri, Oct 8, 2010 at 11:14 AM, Hasanuddin Abu Bakar
Hasanuddin Abu Bakar
Sori bro,orang menanya saya menjawap
Sent from Cyanogenmod Desire
Muhammad Najmi Ahmad Zabidi
(gurau je nih hahah)
On Fri, Oct 8, 2010 at 11:47 AM, Hasanuddin Abu Bakar
Faizul
Muhammad Najmi Ahmad Zabidi
Muhammad Najmi Ahmad Zabidi
mcm ni kot;
http://www.419legal.org/blog/2008/06/26/edna-fiedler-sentenced-email-scam/
orang lokal berhubungan global = glokal
On Fri, Oct 8, 2010 at 12:34 PM, Muhammad Najmi Ahmad Zabidi
Faizul
Rahezar Rahmat
Sent by AT&T from my BlackBerry® Smartphone
Harisfazillah Jamel
do this. From the header I do found it valid.
98.138.83.126 -> Address for Yahoo.. Yes Its to my Yahoo account.
65.55.90.146 -> Coming from Micorosft Network
http://www.ip-adress.com/ip_tracer/65.55.90.146
This email may origin from email client from IP 120.140.22.218 -> SMTP
send through MSN network.
Any comment?
On Fri, Oct 8, 2010 at 9:56 AM, Ir. Tejinder Singh <teji...@gmail.com> wrote:
> saw the email header, found two X-Originating IP
>
> X-Originating-IP: [65.55.90.146] and X-Originating-IP: [120.140.22.218]
>
> ran the tool , got this
>
> Source:
> The source IP address is 120.140.22.218.
>
> is this correct?
>
> /t
>
Ang Chin Han
<linuxm...@gmail.com> wrote:
> Anyone any idea. If the email address also been spoof? Any tools can
> do this. From the header I do found it valid.
>
> 98.138.83.126 -> Address for Yahoo.. Yes Its to my Yahoo account.
>
> 65.55.90.146 -> Coming from Micorosft Network
>
> http://www.ip-adress.com/ip_tracer/65.55.90.146
>
> This email may origin from email client from IP 120.140.22.218 -> SMTP
> send through MSN network.
>
> Any comment?
:(
Email admins should have known about Sender Policy Framework:
http://en.wikipedia.org/wiki/Sender_Policy_Framework
yahoo.com doesn't use it, though.
Say, f...@hotmail.com
$ dig txt hotmail.com
hotmail.com. 3600 IN TXT "v=spf1 include:spf-a.hotmail.com
include:spf-b.hotmail.com include:spf-c.hotmail.com
include:spf-d.hotmail.com ~all"
$ dig spf-a.hotmail.com spf-b.hotmail.com spf-c.hotmail.com | grep spf1
spf-a.hotmail.com. 3544 IN TXT "v=spf1 ip4:209.240.192.0/19
ip4:65.52.0.0/14 ip4:131.107.0.0/16 ip4:157.54.0.0/15
ip4:157.56.0.0/14 ip4:157.60.0.0/16 ip4:167.220.0.0/16
ip4:204.79.135.0/24 ip4:204.79.188.0/24 ip4:204.79.252.0/24
ip4:207.46.0.0/16 ip4:199.2.137.0/24 ~all"
spf-b.hotmail.com. 3565 IN TXT "v=spf1 ip4:199.103.90.0/23
ip4:204.182.144.0/24 ip4:204.255.244.0/23 ip4:206.138.168.0/21
ip4:64.4.0.0/18 ip4:65.54.128.0/17 ip4:207.68.128.0/18
ip4:207.68.192.0/20 ip4:207.82.250.0/23 ip4:207.82.252.0/23
ip4:209.1.112.0/23 ~all"
spf-c.hotmail.com. 3593 IN TXT "v=spf1 ip4:209.185.128.0/23
ip4:209.185.130.0/23 ip4:209.185.240.0/22 ip4:216.32.180.0/22
ip4:216.32.240.0/22 ip4:216.33.148.0/22 ip4:216.33.151.0/24
ip4:216.33.236.0/22 ip4:216.33.240.0/22 ip4:216.200.206.0/24
ip4:204.95.96.0/20 ~all"
And those should be the IP block ranges where f...@hotmail.com should
be coming in from.
Caveat lector: it's the first time I'm actually looking these up.
Hasanuddin Abu Bakar
Azharuddin Ahmad Jais
Malaysian who got even a D in BM will know that the sentence structure and
grammar used in the email are either wrong or weak and that indicates that
the writer either (i) used a translator (online or dictionary) or (ii) used
an Indonesian accomplice to write that email or (iii) is an Indonesian.
What gives it away?
Batu mulia = batu permata. The problem is - we don't use the term "batu
mulia" to describe gemstones in Malaysia. It's either straightforward 'batu
permata' for generic descriptions or straightforward accurate descriptors
i.e. berlian, zamrud, delima, akik, dan sebagainya. Even if there are, I'm
pretty certain that it's rare or very uncommon. Go ahead and google the term
& you'll find the websites are either based in Indonesia or operated by one.
*shakes head*
Best Regards,
Azharuddin Ahmad Jais
ARSA
Muhammad Najmi Ahmad Zabidi
http://translate.google.com/#auto|ms|gemstone%0A
batu mulia seems like holystone.
Ang Chin Han
<hasan...@sigmarectrix.com> wrote:
> DNSSEC will come in handy. Standby mister Amir Haris
I'm behind the times. How does that work? All outgoing emails from
authorized domains should and could be digitally signed automatically
by the originating SMTP server with a/the domain key?
Hasanuddin Abu Bakar
On Fri, Oct 8, 2010 at 3:19 PM, Hasanuddin Abu Bakar
<hasan...@sigmarectrix.com> wrote:
> DNSSEC will come in handy. Standby mister Amir Haris
I'm behind the times. How does that work? All outgoing emails from
authorized domains should and could be digitally signed automatically
by the originating SMTP server with a/the domain key?
_______________________________________________
Owasp-Malaysia mailing list
Owasp-M...@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-malaysia
OWASP Malaysia Wiki
http://www.owasp.org/index.php/Malaysia
OWASP Malaysia Wiki Facebook
http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
Raja Iskandar Shah
in this case, the email is
1. 'sent' by an alluringly named female (wanita)
2. 'claims' to someone in authority (takhta)
3. 'promises' the reader 'wealth' (harta)
it works like a charm to those middle aged people (in their late 30s and early 40s) who feels they are 'stuck' married with a fat spouse and screaming kids. working for a 'heartless' boss, with credit card debts creating a noose around their necks (keliling pinggang).
maybe someone on this list can create an algorithm based on these 3 'ta's ;p
Hazrul Hamzah
the content of that particular letter is similar with most of the
phising emails that I received on daily (almost) basis. I'll do some
posting about that later in my (long abandoned)blog since there are few
peculiar items that make me aware on the main purpose of the mail. (Just
for a second I thought I'm going to be a millionaire HAHAHA.. naah just
kidding.
Anyway regarding the false positive thingy. Mr Harpizi may I know how do
you validate/verify that particular alert message? Because first of all
we need to understand/identify why that particular alert triggered. What
are the characteristics of the network packets that matches its rules?
And what kind of IDS that u used? Last and not least sir, you need to
know also the TCP hijack scenario or condition..
Well that's my piece ;)
Abdul Hadi bin Omar
-----Original Message-----
From: Raja Iskandar Shah <rajais...@gmail.com>
To: "Open Web Application Security Project (OWASP) Malaysia Local Chapter" <owasp-m...@lists.owasp.org>
Date: 08-10-2010 16:01
Subject: Re: [Owasp-Malaysia] Email Scam In Malay
Muhammad Najmi Ahmad Zabidi
Hasanuddin Abu Bakar
seriously, mailing list is too geeky.
Amir Haris
Shaiffulnizam Mohamad
saya langgan versi digest, tapi ada kalanya masih masuk banyak2. Saya
ada dua emel yg subscribe ngan owasp, satu dah remove, tinggal yang
nih jer.
Muhammad Najmi Ahmad Zabidi
masuk(unless someone break the thread). or kalo gune mail reader mcm
thunder set view as thread :)