Luxumborj. ELect Trading <info@Luxumborjelect.com>

[SlapHappy]

* 114.199.125.186 Pt Solusi Aksesindo Pratama Jakarta Indonesia
199.116.112.19 Colo At 55, Llc Atlanta United States
*Probable originating IP address

Return-Path: <ysmcom@server.customerdrivencomputing.net>
Received: from server.customerdrivencomputing.net ([199.116.112.19])
by mx.google.com with ESMTPS id ge8si6973797qab.114.2014.01.09.12.33.56
for
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 09 Jan 2014 12:33:57 -0800 (PST)
Received-SPF: neutral (google.com: 199.116.112.19 is neither permitted nor denied
by best guess record for domain of ysmcom@server.customerdrivencomputing.net)
client-ip=199.116.112.19;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 199.116.112.19 is neither permitted nor denied by best guess record for domain of ysmcom@server.customerdrivencomputing.net) smtp.mail=ysmcom@server.customerdrivencomputing.net
Received: from ysmcom by server.customerdrivencomputing.net with local (Exim 4.82)
(envelope-from <ysmcom@server.customerdrivencomputing.net>)
id 1W1MIc-0007ot-Mj
for ; Thu, 09 Jan 2014 15:33:54 -0500
To:
Subject: Re : Invoice Payment Confirmation‏
X-PHP-Script: www. yousurvme.com/plugins/kunena/uddeim/sain.php for
114.199.125.186
From: Luxumborj. ELect Trading <info@Luxumborjelect.com>
Reply-To:
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id: <E1W1MIc-0007ot-Mj@server.customerdrivencomputing.net>
Date: Thu, 09 Jan 2014 15:33:54 -0500
X-AntiAbuse: This header was added to track abuse, please include it with
any abuse report
X-AntiAbuse: Primary Hostname - server.customerdrivencomputing.net
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [558 555] / [47 12]
X-AntiAbuse: Sender Address Domain - server.customerdrivencomputing.net
X-Get-Message-Sender-Via: server.customerdrivencomputing.net:
authenticated_id: ysmcom/only user confirmed/virtual account not confirmed


Dear Sir,

Thanks for your mail and sorry for our late response to your message.
The payment has been made, please find swift copy of pament

Regards,
Hassan Youzbachi
Luxumborj Elect. Trading
Tel: +971 6 5347536

1 attachments (total 53.9 KB)
"View slide show (1)
Redirects to: "http:/ /www.collegedominicain.ca/new/forms.asp.htm"
==
+97165347536
Number billable as geographic number
Country or destination United Arab Emirates
City or exchange location Ash Shāriqah (Sharjah)
Original network provider* Etisalat

[SlapHappy]

* 66.147.236.32 Hostrocket Web Services Clifton Park United States

Return-Path: <btlalpha@reseller7.hrwebservices.net>
Received: from reseller7.hrwebservices.net ([66.147.236.32])
by mx.google.com with ESMTP id e16si13470321qej.15.2014.01.10.21.45.46
for <>;
Fri, 10 Jan 2014 21:45:47 -0800 (PST)
Received-SPF: neutral (google.com: 66.147.236.32 is neither permitted nor denied
by best guess record for domain of btlalpha@reseller7.hrwebservices.net)
client-ip=66.147.236.32;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 66.147.236.32 is neither permitted nor denied by
best guess record for domain of btlalpha@reseller7.hrwebservices.net) smtp.mail=btlalpha@reseller7.hrwebservices.net
Received: from btlalpha by reseller7.hrwebservices.net with local (Exim 4.82)
(envelope-from <btlalpha@reseller7.hrwebservices.net>)
id 1W1rOE-0003eX-7Y
for Sat, 11 Jan 2014 00:45:46 -0500
To:
Subject: Re : Invoice Payment Confirmation
From: Luxumborj Elect. Trading <info@Luxumborjelect.com>
Message-Id: <130746201.197@Luxumborjelect.com>
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Date: Sat, 11 Jan 2014 00:45:46 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any
abuse report
X-AntiAbuse: Primary Hostname - reseller7.hrwebservices.net
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [2796 32003] / [47 12]
X-AntiAbuse: Sender Address Domain - reseller7.hrwebservices.net
X-Get-Message-Sender-Via: reseller7.hrwebservices.net: authenticated_id:
btlalpha/only user confirmed/virtual account not confirmed
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/btlalpha/public_html/babadee.php
X-Source-Dir: btlalpha.org:/public_html

Dear Sir,

Thanks for your mail and sorry for our late response to your message.
The payment has been made, please find swift copy of pament

Regards,
Hassan Youzbachi
Luxumborj Elect. Trading
Tel: +971 6 5347536

1 attachments (total 53.9 KB)
"View slide show (1)
Download all as zip

Redirects to:

"http:/ /www.collegedominicain.ca/new/forms.asp.htm" << Phishing link. Suspect hacked real website page.
==

+97165347536
Number billable as geographic number
Country or destination United Arab Emirates UAE
City or exchange location Ash Shāriqah (Sharjah)
Original network provider* Etisalat

[SlapHappy]

Same email text and phishing link. Different header info/

* 114.199.125.186 Pt Solusi Aksesindo Pratama Jakarta Indonesia

Return-Path: <admin@alexaryacorp.com>
Received: from rightmx.dnsracks.net (h20.e2enetworks.net.in. [182.18.164.20])
by mx.google.com with ESMTP id qx4si10512816pbc.135.2014.01.11.07.40.15
for <multiple recipients>;
Sat, 11 Jan 2014 07:40:37 -0800 (PST)
Received-SPF: pass (google.com: domain of admin@alexaryacorp.com designates
182.18.164.20 as permitted sender) client-ip=182.18.164.20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of admin@alexaryacorp.com designates 182.18.164.20
as permitted sender) smtp.mail=admin@alexaryacorp.com;
dkim=pass header.i=@alexaryacorp.com
Message-Id: <52d165f5.e4df440a.6df2.0233SMTPIN_ADDED_MISSING@mx.google.com>
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns;
d=alexaryacorp.com; s=alexaryacorp.com;
h=received:from:subject:date:mime-version:content-type
:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer
-mimeole;
b=e1HPCzknKyoezcHApdM/i7/Am7Uctz9oKZox5kAjqdfS9vZ8wUCflqyEe8+NoN1ZD
8zCyMpy6QD7OYbKaSCsN9oSrMG2BRdj0Ny2v1epUh1ZG7Nb2WMK/QYPofxB916gg/
37iLoeIfqikzZ8ynmPisBnZCVdSCW3Uf0M4eSp6Uo=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=alexaryacorp.com; s=alexaryacorp.com;
h=x-mimeole:x-mailer:x-msmail-priority:x-priority
:content-transfer-encoding:content-type:mime-version:date:subject
:from;
bh=7R9+bXJGJDhUTRow0CbFzwfutE1zbRgpsna91jT4DSM=;
b=AQTXzPgxTRpeQLTje5cMA+XNAZvymfyqpAn2sbMsAGdXMLiwpb04wPG9uD2iT7bud
MIIhWsALQxQHEg4CZJUEjTG5bp+GJ7OWyuhxjlT3Zg9HZzxO8k+vhh+5xiklNSjpI
Al8zLgu9ZymajCBohlo7AMIjDthzFr8HIDv3f19Is=
Received: from User (UnknownHost [114.199.125.186]) by rightmx.dnsracks.net with SMTP;
Sat, 11 Jan 2014 21:06:20 +0530
From: "Luxumborj Elect. Trading"<admin@alexaryacorp.com>
Subject: Re : Invoice Payment Confirmation
Date: Sat, 11 Jan 2014 22:36:18 +0700

[SlapHappy]

* 114.199.125.186 Pt Solusi Aksesindo Pratama Jakarta Indonesia

Return-Path: <admin@alexaryacorp.com>
Received: from rightmx.dnsracks.net (h20.e2enetworks.net.in. [182.18.164.20])
by mx.google.com with ESMTP id n8si10597176pax.218.2014.01.11.08.30.06
for <multiple recipients>;
Sat, 11 Jan 2014 08:30:17 -0800 (PST)
Received-SPF: pass (google.com: domain of admin@alexaryacorp.com designates
182.18.164.20 as permitted sender) client-ip=182.18.164.20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of admin@alexaryacorp.com designates 182.18.164.20
as permitted sender) smtp.mail=admin@alexaryacorp.com;
dkim=pass header.i=@alexaryacorp.com
Message-Id: <52d17199.0850420a.39da.2255SMTPIN_ADDED_MISSING@mx.google.com>
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns;
d=alexaryacorp.com; s=alexaryacorp.com;
h=received:from:subject:date:mime-version:content-type
:content-transfer-encoding:x-priority:x-msmail-priority:x-mailer
-mimeole;
b=Qa0o9l9ytfFBBqrqmHD6NPYkT8RlpcIc/PeiPg2TPbPUhZWNNcebcMt0rLOm9n3F3
Enn3FmAkNKGtPYy+SgKFPJpLf6DbDUp0vhGh7w75nAVFZYvrNrozBfW7bbef43e8r
y5rO4frLuh2OhFUqMwN08nQ+aZs/jPQOMO7VDV47k=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=alexaryacorp.com; s=alexaryacorp.com;
h=x-mimeole:x-mailer:x-msmail-priority:x-priority
:content-transfer-encoding:content-type:mime-version:date:subject
:from;
bh=/jRSorSZr6qhVLlpjq91Y7ImNnCb8a4EstGHvYffDWE=;
b=ZB7RVtMJyV38pE4M755vWscVPjNt3/G1HLIaUxkHJsFA+Mwde7zTBbEZTWBKZeqMv
S5XDiXVBUs+VyjJsNNN64Bmc6XoJizOFxCyjHLFBJO0pEqdiXkb3UUzw/sSHWbpvO
zJDFbt2R88sJxjL6t9LwqaxlzM734rLMBbEBWoMtg=
Received: from User (UnknownHost [114.199.125.186]) by rightmx.dnsracks.net with SMTP;
Sat, 11 Jan 2014 21:55:45 +0530
From: "Luxumborj Elect. Trading"<admin@alexaryacorp.com>
Subject: Re : Invoice Payment Confirmation
Date: Sat, 11 Jan 2014 23:25:44 +0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

"http:/ /www.junweivt.com.tw/swf/OnlineTTcopy.htm" << phishing document link.

Dear Sir,

Thanks for your mail and sorry for our late response to your message.
The payment has been made, please find swift copy of pament

Regards,
Hassan Youzbachi
Luxumborj Elect. Trading
Tel: +971 6 5347536

1 attachments (total 53.9 KB)
"View slide show (1)
Download all as zip
redirects to:
"http:/ /www.junweivt.com.tw/swf/OnlineTTcopy.htm" << phishing document link.