The form action is this URL: http://www.tectite.com/hosted/001204/brentbook.com/formmail.php There's also a reference to tectiteformid bd11a1e3463f77ee364149936a2a84d3. Just saying in case someone finds this info useful. Do you think brentbook.com is connected to the phisher?