[SURBL-Discuss] Why you should check Phish IPs first :/

Herb Martin HerbM at learnquick.com
Sat Aug 6 04:46:08 CEST 2005


> In today's spamtrap take, I got a phish targeting eBay that 
> contained a link to the following IP:
> 
> 66.135.192.124
> 
> The link was inside a JavaScript and looked, at first and 
> second glance, like a link to a phish site.  As a habit, I do 
> an rDNS on all IPs, however, before listing them.  That's 
> fortunate, in this case -- that IP resolves as 
> hp-core.ebay.com.  Yes, a genuine eBay IP pointing to a 
> genuine eBay server, one that has nothing to do with the 
> phish, of course.
> 
> The actual phish link in this spam was:
> 
> http://www.doje.de/bbs/eBayISAPI.dllhdsh6ds65bcgadhgd43as676bs
> da6gwcv7zfcageName=BayISAPI.dll/
> 
> It appeared well down the spam, after not one, but two, decoy 
> links to the eBay IP above. 

I have seen a few like this with many real links and only
one very obscure (in both construction AND in location) 
phish link.

Just this week, I found a Dun & Bradstreet phish, disguised
as a D & B SPAM -- they made it look like D&B was spamming
customers or potential customers.  One's first thought might
be "damn spam", and that is a very sneaky psychological trick
for those who after a moment's reflection realize that they
might actually be interested in the D&B "Product".

For those who follow this mental path (to product interest)
the idea of PHISH might well be long gone by this point.

Method: Phish hidden as Spam hiding as "Important business site"

Surely this would cut down on the success ratio IF no one
knew about Phish, but as awareness grows this will catch a
percentage of people who would NOT normally click on a phish.


Herb Martin, MCT, MCSD, MCSE, MVP
HerbM at LearnQuick.Com http://LearnQuick.Com
512 388 7339   -or-   1 800 MCSE PRO
Accelerated MCSE in a Week Seminars 

> -----Original Message-----
> From: discuss-bounces at lists.surbl.org 
> [mailto:discuss-bounces at lists.surbl.org] On Behalf Of 
> Catherine Hampton
> Sent: Friday, August 05, 2005 2:25 PM
> To: Jeff Chan; SURBL Discussion list
> Subject: [SURBL-Discuss] Why you should check Phish IPs first :/
> 
> In today's spamtrap take, I got a phish targeting eBay that 
> contained a link to the following IP:
> 
> 66.135.192.124
> 
> The link was inside a JavaScript and looked, at first and 
> second glance, like a link to a phish site.  As a habit, I do 
> an rDNS on all IPs, however, before listing them.  That's 
> fortunate, in this case -- that IP resolves as 
> hp-core.ebay.com.  Yes, a genuine eBay IP pointing to a 
> genuine eBay server, one that has nothing to do with the 
> phish, of course.
> 
> The actual phish link in this spam was:
> 
> http://www.doje.de/bbs/eBayISAPI.dllhdsh6ds65bcgadhgd43as676bs
> da6gwcv7zfcageName=BayISAPI.dll/
> 
> It appeared well down the spam, after not one, but two, decoy 
> links to the eBay IP above. 
> 
> By the way, I'm not listing doje.de as a Phish Domain either.  
> It's a Chinese language web site (yes, at a German national 
> domain, probably something for expatriates), and the format 
> of the URL suggests that the phisher exploited an insecure 
> web BBS package.  This is one where blocking on the URL is 
> the appropriate approach.  <sigh>
> 
> Posted because I'm seeing quite a few phishes with this sort 
> of decoy information/links lately. :/  Phishers are clearly 
> trying to poison the blocklisting process.  We have to be careful.
> 
> 
> --
> Catherine Hampton <ariel at spambouncer.org>
> The SpamBouncer         *     <http://www.spambouncer.org/>
> Personal Home Page      *         <http://www.devsite.org/>
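
The pre-listing rDNS check described in the quoted message, written out as an added example (not code from either poster or from SURBL). It goes one step beyond the post by forward-confirming the PTR name before trusting it; the protected-domain list, the DNS tables, the sample body, 192.0.2.10 and bbs.example.de are constructed assumptions, while 66.135.192.124 and hp-core.ebay.com are the values reported in the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

PROTECTED = ("ebay.com",)  # assumption: brand domains that must never be listed
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

# Constructed DNS data so the example runs offline. The first PTR is the one
# reported in the post; 192.0.2.10 is a made-up host whose PTR falsely claims eBay.
PTR = {"66.135.192.124": "hp-core.ebay.com", "192.0.2.10": "signin.ebay.com"}
A = {"hp-core.ebay.com": {"66.135.192.124"}, "signin.ebay.com": {"198.51.100.7"}}

# Constructed phish body: decoy links first, the real lure at the bottom.
SAMPLE = """<script>var a="http://66.135.192.124/ws/";</script>
<a href="http://66.135.192.124/">eBay</a>
<a href="http://192.0.2.10/login">Sign in</a>
<a href="http://bbs.example.de/bbs/eBayISAPI.dll">Update your account</a>"""

def is_protected(name):
    """True if name is a protected domain or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in PROTECTED)

def triage(body, ptr_lookup=PTR.get, a_lookup=lambda n: A.get(n, set())):
    """Map each URL host in body to 'skip-protected' or 'review'.

    In production ptr_lookup/a_lookup would wrap a real resolver, for
    example socket.gethostbyaddr and socket.gethostbyname_ex.
    """
    verdicts = {}
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if not host or host in verdicts:
            continue
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:
            # Hostname, not an IP literal: only the name itself can be checked.
            verdicts[host] = "skip-protected" if is_protected(host) else "review"
            continue
        name = ptr_lookup(ip)
        # A PTR record is set by whoever controls the IP block, so trust it only
        # when the claimed name resolves forward to the same address.
        confirmed = bool(name) and is_protected(name) and ip in a_lookup(name)
        verdicts[host] = "skip-protected" if confirmed else "review"
    return verdicts

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{verdict:15} {host}")
```

A "review" verdict is not a listing decision: as the quoted message notes for the compromised BBS site, a human still chooses between listing the IP, the domain, or only the URL.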