[SURBL-Discuss] Why you should check Phish IPs first :/

List Mail User track at Plectere.com
Sat Aug 6 06:14:54 CEST 2005


>...
>In today's spamtrap take, I got a phish targeting eBay that 
>contained a link to the following IP:
>
>66.135.192.124
>
>The link was inside a JavaScript and looked, at first and second
>glance, like a link to a phish site.  As a habit, I do an rDNS
>on all IPs, however, before listing them.  That's fortunate, in
>this case -- that IP resolves as hp-core.ebay.com.  Yes, a genuine
>eBay IP pointing to a genuine eBay server, one that has nothing
>to do with the phish, of course.
>
>The actual phish link in this spam was:
>
>http://www.doje.de/bbs/eBayISAPI.dllhdsh6ds65bcgadhgd43as676bsda6gwcv7zfcageName=BayISAPI.dll/
>
>It appeared well down the spam, after not one, but two, decoy
>links to the eBay IP above. 
>
>By the way, I'm not listing doje.de as a Phish Domain either.  
>It's a Chinese language web site (yes, at a German national
>domain, probably something for expatriates), and the format 
>of the URL suggests that the phisher exploited an insecure
>web BBS package.  This is one where blocking on the URL is
>the appropriate approach.  <sigh>
>
>Posted because I'm seeing quite a few phishes with this sort
>of decoy information/links lately. :/  Phishers are clearly
>trying to poison the blocklisting process.  We have to be
>careful.
>
>
>-- 
>Catherine Hampton <ariel at spambouncer.org>
>The SpamBouncer         *     <http://www.spambouncer.org/>
>Personal Home Page      *         <http://www.devsite.org/>

	I think it is Korean, not Chinese.

	Paul Shupak
	track at plectere.com
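
The reverse-DNS habit described in the quoted message, written out as an added example (not code from either poster or from SURBL). It goes one step further than the message by forward-confirming the PTR name, because a PTR record is set by whoever controls the IP space. The `triage` helper, the 203.0.113.7 and 198.51.100.23 entries and all forward (A) records in the sample tables are constructed assumptions; only 66.135.192.124 and hp-core.ebay.com come from the message.

```python
import re
import socket

URL_HOST = re.compile(r'https?://([^/\s:<>"\']+)', re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")  # dotted-quad link hosts only

def system_ptr(ip):
    try:  # live PTR lookup; None when no record exists
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_a(name):
    try:  # live forward lookup; set of IPv4 addresses
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def triage(body, protected, ptr=system_ptr, fwd=system_a):
    """Classify every IP-literal link host found in a message body."""
    # decoy:     PTR is under a protected domain and that name resolves
    #            back to the same IP, so the IP must not be listed
    # review:    PTR claims a protected domain but is not forward-confirmed
    # candidate: nothing ties the IP to a protected domain
    verdicts = {}
    for host in URL_HOST.findall(body):
        if not IPV4.match(host) or host in verdicts:
            continue
        name = (ptr(host) or "").rstrip(".").lower()
        claimed = any(name == d or name.endswith("." + d) for d in protected)
        if not claimed:
            verdicts[host] = "candidate"
        elif host in fwd(name):
            verdicts[host] = "decoy"
        else:
            verdicts[host] = "review"
    return verdicts

# Constructed sample: two decoy links ahead of the real link, as in the message
SAMPLE_BODY = (
    '<a href="http://66.135.192.124/">eBay</a> http://66.135.192.124/help '
    "http://203.0.113.7/signin http://198.51.100.23/x "
    "http://www.doje.de/bbs/"
)
SAMPLE_PTR = {"66.135.192.124": "hp-core.ebay.com", "203.0.113.7": "signin.ebay.com"}
SAMPLE_A = {"hp-core.ebay.com": {"66.135.192.124"}, "signin.ebay.com": {"192.0.2.10"}}

def demo():  # offline run against the constructed tables above
    return triage(SAMPLE_BODY, ["ebay.com"], SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set()))
```

Hostname links such as the one on doje.de are skipped on purpose: the message treats that case as a URL-level decision, not an IP or domain listing.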

