28-05-2008, 20:21   #7405
AlexanderHanff
Permanently Banned
 
Join Date: Mar 2008
Posts: 1,028
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by R Jones
Over on BT Beta forums we were assured recently by our forum moderator that webwise.bt.com was not a phishing site.

I have been trying to submit an enquiry via the webwise.bt.com/contact.php page, which appeared to be broken - but it seems although the confirmation page never showed up an email did get through. I got a reply today - the body text was the usual BT Webwise spin, and the headers are here (edited to protect the innocent)

X-Apparently-To: ******-webwise@yahoo.co.uk via 87.***.***.61; **, ** May 2008 **:30:45 +0000
X-Originating-IP: [217.32.164.151]
Authentication-Results: mta163.mail.ukl.yahoo.com from=bt.com; domainkeys=neutral (no sig)
Received: from 217.32.164.151 (EHLO smtp4.smtp.bt.com) (217.32.164.151)
by mta163.mail.ukl.yahoo.com with SMTP; **, ** May 2008 **:30:43 +0000
Received: from E03MVA2-UKBR.domain1.systemhost.net ([193.113.197.106]) by smtp4.smtp.bt.com with Microsoft SMTPSVC(6.0.3790.1830);
**, ** May 2008 **:30:43 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: FW: BT.webwise.com Contact Request
Date: **, ** May 2008 15:30:43 +0100
Message-ID: <***********@**********2-UKBR.domain1.systemhost.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: BT.webwise.com Contact Request
Thread-Index: ********3L4La2sQ69Q0WaQ3lWM+7bAgAia1zL
References: <********.************@ww3.phorm.com>
From: <bt.webwise.help.desk@bt.com>
To: <******@*******>
X-OriginalArrivalTime: ******** (UTC) FILETIME=[*************]


I'm a bit puzzled by the References: line

References: <*********.*******@ww3.phorm.com>

and wondering what that was doing in a reply to a contact form email made via what we were assured by an official BT forum moderator, was a genuine non-phishing site. In fact we were roundly told off for reporting the site as a phishing site and told to stop it.

I did a lookup on www3.phorm.com and got this:
Registrant:
Phorm, Inc.
264 W. 40th St., 16th Floor
New York, New York 10018
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: PHORM.COM
Created on: 29-Apr-00
Expires on: 29-Apr-09
Last Updated on:

Administrative Contact:
Cote, Chris chris.cote@phorm.com
Phorm, Inc.
264 W. 40th St., 16th Floor
New York, New York 10018
United States
2123592030 Fax --

Technical Contact:
Clark, Allan allan.clark@phorm.com
Phorm, Inc
264 W40 Street
16th Floor
New York, New York 10018
United States
2123592030 Fax --

Domain servers in listed order:
NS1.PHORM.COM
NS2.PHORM.COM

I'm not up on the technicalities of headers so I would appreciate some advice before I take this further.
Here is some more info:

Quote:
$ dig ww3.phorm.com

; <<>> DiG 9.4.1-P1 <<>> ww3.phorm.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43499
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ww3.phorm.com. IN A

;; ANSWER SECTION:
ww3.phorm.com. 900 IN A 88.208.250.85

;; AUTHORITY SECTION:
phorm.com. 900 IN NS ns2.phorm.com.
phorm.com. 900 IN NS ns1.phorm.com.

;; ADDITIONAL SECTION:
ns2.phorm.com. 142158 IN A 38.105.138.54
ns1.phorm.com. 142158 IN A 38.105.138.53

;; Query time: 123 msec
;; SERVER: 87.127.87.185#53(87.127.87.185)
;; WHEN: Wed May 28 20:14:44 2008
;; MSG SIZE rcvd: 128
The IP is registered to:

Quote:
$ whois 88.208.250.85
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '88.208.250.0 - 88.208.250.255'

inetnum: 88.208.250.0 - 88.208.250.255
netname: FASTHOSTS-UK-NETWORK
descr: UK's largest web hosting company based in Gloucester
descr: England
country: GB
admin-c: MW8691-RIPE
tech-c: GD8691-RIPE
status: ASSIGNED PA
mnt-by: AS15418-MNT
remarks: report abuse to abuse@fasthosts.co.uk
remarks: All reports via other channels will be ignored.
remarks: INFRA-AW
source: RIPE # Filtered

person: Mark Wood
address: Fasthosts Internet Limited
address: Suite 7, Discovery Court
address: 154 Southgate Street
address: Gloucester, GL1 2EX
phone: +44 1452 541251
fax-no: +44 1452 541633
nic-hdl: MW8691-RIPE
mnt-by: AS15418-MNT
source: RIPE # Filtered

person: George Daly
address: Fasthosts Internet Limited
address: Discovery House
address: 154 Southgate Street
address: Gloucester, GL1 2EX
phone: +44 1452 541251
fax-no: +44 1452 541633
nic-hdl: GD8691-RIPE
mnt-by: AS15418-MNT
source: RIPE # Filtered

% Information related to '88.208.192.0/18AS15418'

route: 88.208.192.0/18
descr: FasthostInternet Ltd
origin: AS15418
mnt-by: AS15418-MNT
source: RIPE # Filtered
Clearly, that contact form seems to be touching Phorm's equipment somewhere along the line. This needs addressing.

A lookup on what the "References" header is reveals this:

Quote:
References: Message-ID of the message that this is a reply to, and the message-id of this message, etc.
This pretty much paints the whole scene. The email you got from BT is a reply to an email sent by a web site owned by Phorm (ww3.phorm.com) which confirms that the form you submitted was done on a Phorm server.

Angry does not even begin to describe how this makes me feel, especially given that BT have out and out lied in their response to this issue.

Alexander Hanff
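One way to automate the check described in this post, as an added example that is not code from the original thread: parse the threading headers (Message-ID, In-Reply-To, References) and flag any message-id domain that is outside the sender's own domain. The header block is constructed (the redacted identifiers are replaced by placeholders), and treating systemhost.net as BT's internal mail platform is an assumption drawn from the Received line.

```python
"""Flag third-party domains in an e-mail's threading headers (Message-ID,
In-Reply-To, References). Constructed example for this thread, not code
from the original post; the redacted IDs are replaced by placeholders."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed header block modelled on the BT Webwise reply quoted above.
# EXAMPLE-ID-* are placeholders, not the real (redacted) identifiers.
SAMPLE_HEADERS = """\
Received: from E03MVA2-UKBR.domain1.systemhost.net ([193.113.197.106]) by smtp4.smtp.bt.com with Microsoft SMTPSVC(6.0.3790.1830);
Subject: FW: BT.webwise.com Contact Request
Message-ID: <EXAMPLE-ID-1@E03MVA2-UKBR.domain1.systemhost.net>
References: <EXAMPLE-ID-0@ww3.phorm.com>
From: <bt.webwise.help.desk@bt.com>
To: <recipient@example.invalid>

"""

# Captures the part after '@' inside a <...> message-id token.
MSGID_RE = re.compile(r"<[^<>@]*@([^<>]+)>")

def registrable_part(host, labels=2):
    """Crude registrable-domain guess: keep the last `labels` DNS labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-labels:])

def thread_domains(raw_headers):
    """Map each threading header to the domain parts of its message-ids."""
    msg = message_from_string(raw_headers)
    found = {}
    for name in ("Message-ID", "In-Reply-To", "References"):
        for value in msg.get_all(name, []):
            found.setdefault(name, []).extend(
                d.lower() for d in MSGID_RE.findall(value))
    return found

def foreign_thread_domains(raw_headers, trusted_suffixes=()):
    """Return (header, domain) pairs whose domain is neither the sender's
    registrable domain nor under any explicitly trusted suffix."""
    sender = parseaddr(message_from_string(raw_headers)["From"])[1]
    trusted = {registrable_part(sender.rsplit("@", 1)[-1])}
    trusted |= {s.lower().strip(".") for s in trusted_suffixes}
    return [(name, d) for name, ds in thread_domains(raw_headers).items()
            for d in ds
            if not any(d == t or d.endswith("." + t) for t in trusted)]

if __name__ == "__main__":
    # Assumption: systemhost.net is BT's own mail platform (see Received).
    for header, domain in foreign_thread_domains(
            SAMPLE_HEADERS, trusted_suffixes=["systemhost.net"]):
        print(f"{header}: message-id domain {domain} is outside the sender's domain")
```

On the constructed sample this reports only the References entry at ww3.phorm.com, which is exactly the anomaly the post points out.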