[SURBL-Discuss] Why you should check Phish IPs first :/

Catherine Hampton ariel at spambouncer.org
Fri Aug 5 21:25:25 CEST 2005


In today's spamtrap take, I got a phish targeting eBay that 
contained a link to the following IP:

66.135.192.124

The link was inside a JavaScript and looked, at first and second
glance, like a link to a phish site.  As a habit, I do an rDNS
on all IPs, however, before listing them.  That's fortunate, in
this case -- that IP resolves as hp-core.ebay.com.  Yes, a genuine
eBay IP pointing to a genuine eBay server, one that has nothing
to do with the phish, of course.

The actual phish link in this spam was:

http://www.doje.de/bbs/eBayISAPI.dllhdsh6ds65bcgadhgd43as676bsda6gwcv7zfcageName=BayISAPI.dll/

It appeared well down the spam, after not one, but two, decoy
links to the eBay IP above. 

By the way, I'm not listing doje.de as a Phish Domain either.  
It's a Chinese language web site (yes, at a German national
domain, probably something for expatriates), and the format 
of the URL suggests that the phisher exploited an insecure
web BBS package.  This is one where blocking on the URL is
the appropriate approach.  <sigh>

Posted because I'm seeing quite a few phishes with this sort
of decoy information/links lately. :/  Phishers are clearly
trying to poison the blocklisting process.  We have to be
careful.


-- 
Catherine Hampton <ariel at spambouncer.org>
The SpamBouncer         *     <http://www.spambouncer.org/>
Personal Home Page      *         <http://www.devsite.org/>
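The rDNS-before-listing check the post describes, as an added example that is not from the post or from SURBL: it pulls IP-literal URLs out of a message, reverse-resolves each, and marks hosts whose PTR falls under the impersonated brand's domain as decoys rather than listing candidates. It goes one step beyond the post by forward-confirming the PTR, because a PTR record is set by whoever controls the netblock and on its own proves nothing. The sample message, the 198.51.100.7 and 203.0.113.9 hosts and the FAKE_* DNS tables are constructed so it runs offline; the eBay IP and its PTR are the ones the post reports.

```python
import re
import socket

# Constructed sample in the shape the post describes: a decoy link to the
# genuine eBay IP placed ahead of the real phish URL (the URL the post quotes).
SAMPLE_PHISH = """<a href="http://66.135.192.124/ws/eBayISAPI.dll">Sign in</a>
http://www.doje.de/bbs/eBayISAPI.dllhdsh6ds65bcgadhgd43as676bsda6gwcv7zfcageName=BayISAPI.dll/"""

IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
BRAND_DOMAINS = ("ebay.com",)   # brands the phish impersonates; never list their hosts

def ptr_lookup(ip):
    """PTR name for ip (lowercased), or '' when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except OSError:
        return ""

def forward_lookup(name):
    """IPv4 addresses name resolves to, or [] on failure."""
    try:
        return [r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)]
    except OSError:
        return []

def triage_ips(body, ptr=ptr_lookup, fwd=forward_lookup):
    """Map each IP-literal URL host in body to (ptr_name, verdict). brand-owned = PTR
    under a brand domain AND resolves back to the IP (a decoy); ptr-unconfirmed = PTR
    claims the brand but does not resolve back (PTRs are set by the netblock owner,
    so a PTR alone proves nothing); no-ptr / candidate = human look before listing."""
    result = {}
    for ip in dict.fromkeys(IP_URL.findall(body)):      # dedupe, keep order
        name = ptr(ip)
        if not name:
            verdict = "no-ptr"
        elif any(name == d or name.endswith("." + d) for d in BRAND_DOMAINS):
            verdict = "brand-owned" if ip in fwd(name) else "ptr-unconfirmed"
        else:
            verdict = "candidate"
        result[ip] = (name, verdict)
    return result

# Constructed offline DNS data so the example runs without network (the eBay PTR is
# the one the post reports; 198.51.100.7 is a made-up host with a spoofed ebay.com PTR).
FAKE_PTR = {"66.135.192.124": "hp-core.ebay.com", "198.51.100.7": "login.ebay.com"}
FAKE_FWD = {"hp-core.ebay.com": ["66.135.192.124"]}

def demo(body=SAMPLE_PHISH):
    return triage_ips(body, lambda ip: FAKE_PTR.get(ip, ""), lambda n: FAKE_FWD.get(n, []))
```

Only "candidate" and "no-ptr" hosts go on to manual review; a "brand-owned" host is exactly the kind of decoy the post warns about and is dropped, and a "ptr-unconfirmed" host is treated as a normal candidate, not as the brand.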
