Tracking down a PayPal scammer (02 May 2004)

I was bored last night (you know, revision, makes you do strange things...). So I actually opened one of those scam PayPal emails:

It has come to our attention that your PayPal account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service.

The link text is at, but the destination is That's a Solaris box running every service under the sun. I've no doubt that it's a hacked box, so I've emailed the netblock owner (no answer). I also emailed the netblock owner for the host where the email came from - pretty prompt answer from them (they are looking into it). But let's have a look at the HTML from the scam page (which looks identical to a real PayPal page):

<FORM action= method=post><INPUT type=hidden name=.email_target> <INPUT type=hidden value=username-password name=.mail_subject> <INPUT type=hidden value= name=.thanks_url>

Basically, it's emailing him via (I've emailed linuxmail and told them this). But that's about as far as I can go. I can't find out who is reading that email account. Or can I?

Subject: New remote root exploit for OpenSSH 3.7.x

I hear that you're an elite hacker. I'd like to share exploits with you, so as
a gesture of good faith (to get the ball rolling) this exploit is doing the
blackhat rounds but hasn't hit the mainstream yet. Many juicy boxes are running
vulnerable sshds:

Hope to hear from you...

And the contents of

Well, that'll be your IP in the weblogs.

And indeed:

 - - [02/May/2004:11:54:26 +0100] "GET /~guest01/openssh-xploit.c HTTP/1.1" 200 51 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"

inetnum: -
netname:      MTnet-ADSL_subnet
descr:        ADSL subnet
descr:        Skopje, Macedonia
country:      MK

Very little chance of getting him in Macedonia. Oh well, at the very least he probably wet himself :)
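The weblog check above is the same thing a canary file or honeytoken does: a path nobody legitimate should request, watched in the access log. As an added example (my code, not part of the original post), this scans Apache combined-style log lines for completed fetches of a bait path and reports the client address, time and user agent. The log lines and IP addresses are constructed; the regex treats the referer field as optional, an assumption made because the post's own log line shows none.

```python
import re
from datetime import datetime

# Apache combined-style line; the referer field is optional (assumption, see lead-in).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)")? "(?P<ua>[^"]*)"\s*$'
)


def canary_hits(lines, canary_path):
    """Return one record per successful (2xx) fetch of the bait path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("path") != canary_path:
            continue  # not a request for the bait file
        if not m.group("status").startswith("2"):
            continue  # failed or refused fetch, no evidence the file was read
        size = m.group("size")
        hits.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "ua": m.group("ua"),
            "size": int(size) if size.isdigit() else 0,
        })
    return hits


# Constructed sample log using documentation address ranges; the second line
# mirrors the shape of the post's log entry (no referer field).
SAMPLE_LOG = """\
192.0.2.10 - - [02/May/2004:11:53:02 +0100] "GET /~guest01/ HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2004:11:54:26 +0100] "GET /~guest01/openssh-xploit.c HTTP/1.1" 200 51 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
203.0.113.5 - - [02/May/2004:12:10:41 +0100] "GET /~guest01/openssh-xploit.c HTTP/1.1" 404 209 "-" "curl/7.10"
"""

if __name__ == "__main__":
    for hit in canary_hits(SAMPLE_LOG.splitlines(), "/~guest01/openssh-xploit.c"):
        print(f'{hit["time"].isoformat()} {hit["ip"]} fetched bait ({hit["size"]} bytes) UA={hit["ua"]}')
```

The 404 line is deliberately excluded so that a failed probe of the path is not mistaken for someone actually reading the bait.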