Sunday, September 20, 2009

Mining Tax Shelter

This was sent to one of our customers - probably illegal or some kind of scam.

Hello,
My name is George Deden and I am President of Glacier Valley Mining and Metals. We have an opportunity for your company while assisting us in our company goals. We are seeking a company that is proactive and responsive to their client's needs and one that has a database of potential investors in our IRS registered tax shelter. We are seeking a company to place these investment units. The IRS provides for a fee for placement of these units. This is an active involvement and not a passive investment. Please visit our web site at www.gvmtaxshelter.com for further information.
This mining tax shelter is for those who receive no benefit from the current economic stimulus package, and for those who will see their tax rates go higher in the future. This also provides the investor with a three to one write off with a potential three to one return.
Simply put, this is not a gamble. It is an opportunity. We value gold at $400.00 per ounce. We are the source. For example, if you bought a head of lettuce at the market and paid two dollars for it, that is what it cost. If you go to the wholesaler you can get it for a dollar fifty, but if you go to the source (farmer) you can get it for a dollar a head. We are the source.
Best Regards, George Deden
President, GVMM
562-400-0411
gjdeden@gvmtaxshelter.com
___

Came from this IP: 66.91.83.205

OrgName: Road Runner HoldCo LLC
OrgID: RRWE
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US

ReferralServer: rwhois://ipmt.rr.com:4321

NetRange: 66.91.0.0 - 66.91.255.255

Saturday, September 19, 2009

Strange referrer - stream://1/ - speakeasy network

We're getting some strange traffic from this URL: stream://1/

The traffic is coming from the Speakeasy network: 216.231.44.147

Speakeasy, Inc. SPEAKEASY-1 (NET-216-231-32-0-1)
216.231.32.0 - 216.231.63.255
Speakeasy Network -- DSL SPEK-DSL-BR1-1 (NET-216-231-42-0-1)
216.231.42.0 - 216.231.50.255

Bad Traffic - Hurricane Electric (again)

Seems like we often get mysterious traffic from Hurricane Electric. In this case, traffic from the network below is attempting to access non-existent shopping carts on our system:

Hurricane Electric, Inc. HURRICANE-4 (NET-65-19-128-0-1)
65.19.128.0 - 65.19.191.255
EGIHosting HURRICANE-CE1290-5430 (NET-65-19-129-16-1)
65.19.129.16 - 65.19.129.31
BSNEWLINE BSNEWLINE-1 (NET-65-19-129-16-2)
65.19.129.16 - 65.19.129.31

Thursday, September 03, 2009

Weird Job Proposals from Mary Kay

Getting proposals to work for a job and wondering if this is legit.

The email is supposedly from Mary Kay, but I always get responses in the middle of the night at like 3 a.m.

They don't respond to the emails correctly and when I said I'm still not interested they keep trying to get reference contact information and personal details.

Maybe it's legit, I'm not sure. Just kind of weird.

Delivered-To:
Received: by 10.142.193.11 with SMTP id q11cs69747wff;
Thu, 3 Sep 2009 03:17:50 -0700 (PDT)
Received: by 10.90.22.18 with SMTP id 18mr7054118agv.20.1251973069978;
Thu, 03 Sep 2009 03:17:49 -0700 (PDT)
Return-Path:
Received: from psmtp.com (exprod7mx164.postini.com [64.18.2.69])
by mx.google.com with SMTP id 21si1589296agb.25.2009.09.03.03.17.47
(version=TLSv1/SSLv3 cipher=RC4-MD5);
Thu, 03 Sep 2009 03:17:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of marykayincorporated@gmail.com designates 64.18.2.69 as permitted sender) client-ip=64.18.2.69;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of marykayincorporated@gmail.com designates 64.18.2.69 as permitted sender) smtp.mail=marykayincorporated@gmail.com; dkim=pass (test mode) header.i=@gmail.com
Received: from source ([209.85.220.166]) by exprod7mx164.postini.com ([64.18.6.14]) with SMTP;
Thu, 03 Sep 2009 06:17:48 EDT
Received: by fxm10 with SMTP id 10so442739fxm.1
for <>; Thu, 03 Sep 2009 03:17:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:sender:received:in-reply-to
:references:date:x-google-sender-auth:message-id:subject:from:to
:content-type:content-transfer-encoding;
bh=CwZNcLXFIGZyzEfPyjZIHI56PCgsgs0XqS2STBQhGb8=;
b=Y+UooH+6VyEsb8BcIupC0QT1z9oaKkZei4wShf7jXTM9jH8uMCayulyoh7Mgt0JFqg
BpQ8Qtw2XYIrSHvS6XglNbBIMIiJCxGRU/WZFq21wdBxNYQ9Qx3Ihe8UQ6lgF+s4Zqjk
fOlAFlynC3JtUGqFc18PJ03wInW39Bjm/O/KA=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:sender:in-reply-to:references:date
:x-google-sender-auth:message-id:subject:from:to:content-type
:content-transfer-encoding;
b=LTSsjxvD9obo6MC4hhzER9fu0fGotOZSBMgNoiDdD2wgGlCovm+pdGMuP8zF1KrnaB
zoPsUI/ZH+LNl5n7xCab/58IbFo2iHhBPNM4J2cWvEuJ/rH8fh8RtWh5n4i6UWUhE9gB
48P3UidlIUOt+pO+k2xPa4UWrb1588N5GYa9o=
MIME-Version: 1.0
Sender: marykayincorporated@gmail.com
Received: by 10.204.8.21 with SMTP id f21mr7791449bkf.129.1251973066018; Thu,
03 Sep 2009 03:17:46 -0700 (PDT)
In-Reply-To: <7259BF6AEF584DF99A9C756D39D02220@>
References: <62166.64.12.112.193.1251693960.squirrel@gator985.hostgator.com>
<7259BF6AEF584DF99A9C756D39D02220@>
Date: Thu, 3 Sep 2009 11:17:44 +0100
X-Google-Sender-Auth: ec55662c1fd1dfa6
Message-ID: <9a93579d0909030317q7bee570ft5a5befd8ced8b03b@mail.gmail.com>
Subject: Re: Notice of Shortlistment for Vacant Position at Mary Kay Inc
From: Human Resources Department
To:
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S:19.46979/99.90000 CV:99.9000 FC:95.5390 LC:93.6803 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from [447/28]
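As an added example (not part of the original post), here is a small Python triage script run over a condensed copy of the headers above: it pulls the SPF and DKIM results and the domain they vouch for, walks the Received chain to the relay nearest the sender, and flags that a "pass" for gmail.com says nothing about the company named in the subject line. The claimed company domain marykay.example is a placeholder and the free-webmail list is an assumption.

```python
import email
import re

# Constructed sample, condensed from the headers quoted in the post above.
RAW_HEADERS = """\
Received: from psmtp.com (exprod7mx164.postini.com [64.18.2.69])
        by mx.google.com with SMTP id 21si1589296agb.25.2009.09.03.03.17.47;
        Thu, 03 Sep 2009 03:17:48 -0700 (PDT)
Received-SPF: pass (google.com: domain of marykayincorporated@gmail.com designates 64.18.2.69 as permitted sender) client-ip=64.18.2.69;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of marykayincorporated@gmail.com designates 64.18.2.69 as permitted sender) smtp.mail=marykayincorporated@gmail.com; dkim=pass (test mode) header.i=@gmail.com
Received: from source ([209.85.220.166]) by exprod7mx164.postini.com ([64.18.6.14]) with SMTP;
        Thu, 03 Sep 2009 06:17:48 EDT
Sender: marykayincorporated@gmail.com
Subject: Re: Notice of Shortlistment for Vacant Position at Mary Kay Inc
From: Human Resources Department

"""
# Assumption: free-mail domains at which anyone can register an address.
WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _unfold(value):
    """Collapse RFC 5322 header folding into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()

def triage(raw_headers):
    """Which domain the receiver authenticated, and which hosts relayed the mail."""
    msg = email.message_from_string(raw_headers)
    auth = _unfold(msg.get("Authentication-Results"))
    spf = re.search(r"spf=(\w+).*?smtp\.mail=\S+@([\w.-]+)", auth)
    dkim = re.search(r"dkim=(\w+).*?header\.i=@([\w.-]+)", auth)
    # Each hop prepends its own Received header, so the last bracketed
    # "from" IP is the relay closest to the real sender.
    hops = [IP_RE.search(_unfold(r)) for r in msg.get_all("Received", [])]
    ips = [m.group(1) for m in hops if m]
    return {"spf": spf.groups() if spf else None,
            "dkim": dkim.groups() if dkim else None,
            "relay_ips": ips, "origin_ip": ips[-1] if ips else None,
            "from": _unfold(msg.get("From"))}

def red_flags(report, claimed_domain):
    """SPF/DKIM 'pass' only vouches for the authenticated domain, not for the
    company named in the subject or display name; report that gap."""
    flags, auth = [], report["dkim"] or report["spf"]
    if auth and auth[1] in WEBMAIL:
        flags.append(f"authenticated sender is a free webmail domain: {auth[1]}")
    if auth and auth[1] != claimed_domain:
        flags.append(f"claims {claimed_domain} but authenticated as {auth[1]}")
    return flags
```

For the headers in the post this yields gmail.com as the only authenticated domain and 209.85.220.166 as the last relay, which is why a passing SPF and DKIM result is not evidence that the company named in the subject sent the mail.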

Tuesday, September 01, 2009

GoDaddy Hacking - Same as my last post

Same as the last post: a server with an old browser apparently has a record of all the pages in a particular site and is scanning it, even though the software scanning the site cannot actually see the pages - they are blocked.

Nefarious.

IP Address: 72.167.94.65

OrgName: GoDaddy.com, Inc.
OrgID: GODAD
Address: 14455 N Hayden Road
Address: Suite 226
City: Scottsdale
StateProv: AZ
PostalCode: 85260
Country: US

NetRange: 72.167.0.0 - 72.167.255.255

Dow Jones-Telerate: Bad Traffic

Getting some suspicious traffic from this network. Even after blocking them they are somehow able to scan every page in our site which tells us that basically they took a copy of the site and all the URLs in it. They cannot currently link from page to page because they are blocked, so possibly storing a copy of the whole site somewhere.

We have contacted this network but the suspicious traffic continues. One of the email addresses in the whois information bounced.

Additionally the traffic is coming from an IE6 browser which generally (not always) indicates the work of bad code.

205.203.134.197

OrgName: Dow Jones-Telerate
OrgID: DOWJON
Address: 4300 North Route 1
Address: Bldg. 1
City: South Brunswick
StateProv: NJ
PostalCode: 08852
Country: US

NetRange: 205.203.96.0 - 205.203.159.255