My Dumb. There is a Reply-To:
web.info@y7mail.com
Wonder if I'll starve...
Received the following email to: webmaster@wtfu.edu
This is a WebNews Email Account Update
Please see the bottom of this mailing on this information.
-------------------------------------------------------------------------------------------------
THE WTFU.EDU WEBSITE WISH TO INFORM YOU THAT WE HAVE SOME PROBLEMS ABOUT EACH CUSTOMER ACCOUNT EMAIL. DUE TO ERROR CODE 334409. WE DISCOVER THAT IN SOME FEW HOURS FROM NOW EACH CUSTOMER WILL NOT BE ABLE TO ACCESS HIS OR HER EMAIL ACCOUNT SO YOU ARE REQUIRE TO SEND YOUR FULL EMAIL ADDRESS AND PASSWORD FOR A NEW ACCOUNT UPDATE.SO YOU HAVE TO SEND THIS INFORMATION IMMEDIATELY SO THAT WE WILL UPDATE YOUR ACCOUNT AND YOU WILL STOP RECEIVING SPAM EMAILS YOU ARE TO SEND US THE INFORMATION TO ENABLE US TO UPDATE YOUR ACCOUNT
BELOW THE INFORMATION RQRUIRE FOR ACCOUT UPDATE
1)Full Email Address:
2)password:
3)age/country
4)date
5)First name/Last name.
©2008 Citrix online. All Rights Reserved. Under License by wtfu.edu
Standard bad grammar phishing, right?
Except that the 'From:' was an obviously spoofed 'webmaster@wtfstate.edu' so even if I were dumb as a stump, there's no place for me to send my password to.
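A triage check for the pattern in this message, added here as an example and not part of the original posts: the Reply-To points at a different domain than the From, the sender is not the domain the text claims to speak for, and the body asks for a password. The function names are hypothetical, and the sample message is constructed from the addresses and wording quoted above.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample, assembled from the addresses and phrases quoted in the posts.
SAMPLE = """\
From: webmaster@wtfstate.edu
Reply-To: web.info@y7mail.com
To: webmaster@wtfu.edu
Subject: WebNews Email Account Update

THE WTFU.EDU WEBSITE WISH TO INFORM YOU THAT WE HAVE SOME PROBLEMS.
YOU ARE REQUIRE TO SEND YOUR FULL EMAIL ADDRESS AND PASSWORD.
"""


def domains(msg, header):
    """Lower-cased domains of every address found in the given header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}


def body_text(msg):
    """Concatenate the decoded text/plain parts of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode("utf-8", "replace"))
    return " ".join(parts)


def phishing_signals(raw, own_domain):
    """Return the findings for one raw message; own_domain is matched exactly
    (assumption: subdomains of the organisation are not considered)."""
    msg = message_from_string(raw)
    from_d, reply_d = domains(msg, "From"), domains(msg, "Reply-To")
    body = body_text(msg).lower()
    findings = []
    # Replies would go to a domain the visible sender does not use.
    if reply_d and not reply_d <= from_d:
        findings.append("reply-to-differs-from-sender")
    # Text speaks for our domain, but the From address is not ours.
    if own_domain in body and own_domain not in from_d:
        findings.append("sender-domain-not-ours")
    # Body asks the recipient to send a password.
    if re.search(r"\b(password|passwd)\b", body):
        findings.append("asks-for-credentials")
    return findings
```
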
Fidelity uses the term "PIN" to mean "Authentication code which can contain letters and numbers". On the phone I asked them WTF the 'N' in PIN stood for. I got a regurgitated description of what the "PIN" could contain.
Kind of like the laser printer which prints out a description of various error conditions. Like: "Out of paper" (which is always the first page printed when you load new paper...)
Can't remember which printer that was, but it was in the late 80s.
Did you try disabling javascript? I find that places that are dumb enough to do that kind of validation are also dumb enough to not do it on the server, so disabling javascript allows me to go ahead and post the data I want to.
Or someone has listed the DoD as a file sharer, and more than one person is running the same software that is updating the same list of servers, and going out to the DoD to get files.
As I said, the 2nd case is a bit stranger in that it's a single connection that is spewing UDP packets out to a bunch of random ports and various universities. Or PG2 has the source/dest mixed up, and someone has listed GeneWitch's IP and port 20742 as a file server, and a bunch of students are all trying to connect.
It would take one heck of a conspiracy for a bunch of universities to coordinate an 'attack' like that.
I disagree. I think his machine is repeatedly opening connections from sequential high numbered ports to 6.18.0.176 port 411 which is 'normal' behavior. Normal in that the ports are consistent with an outbound connection.
The 2nd case is a bit stranger, since the source connections are all from a single port to what seem to be random high numbered ports. Since they are UDP packets, there's no reply involved.
I'd strongly suggest that genewitch take a closer look at his own system. And use some better tools, like Wireshark, to see what's really going on. And if you think people are really trying to get to your port 20742, open a DOS prompt and enter 'netstat -a' to see all the current connections and listening ports on your machine.
Um, if THEY are scanning YOU, then why is the source a private 192.168, and the destination a public address? Looks to me like you are scanning them.
Early in 2000 I tried to do an office lookup by zip code on a Sunday night. The SSA web site at the time reported that this feature was only available during working hours.
And check out this problem waiting for a CSS solution:
http://www.ssa.gov/textsize.htm