[SURBL-Discuss] Why you should check Phish IPs first :/

List Mail User track at Plectere.com
Sat Aug 6 06:14:54 CEST 2005

>In today's spamtrap take, I got a phish targeting eBay that 
>contained a link to the following IP:
>The link was inside a JavaScript and looked, at first and second
>glance, like a link to a phish site.  As a habit, I do an rDNS
>on all IPs, however, before listing them.  That's fortunate, in
>this case -- that IP resolves as hp-core.ebay.com.  Yes, a genuine
>eBay IP pointing to a genuine eBay server, one that has nothing
>to do with the phish, of course.
>The actual phish link in this spam was:
>It appeared well down the spam, after not one, but two, decoy
>links to the eBay IP above. 
>By the way, I'm not listing doje.de as a Phish Domain either.  
>It's a Chinese language web site (yes, at a German national
>domain, probably something for expatriates), and the format 
>of the URL suggests that the phisher exploited an insecure
>web BBS package.  This is one where blocking on the URL is
>the appropriate approach.  <sigh>
>Posted because I'm seeing quite a few phishes with this sort
>of decoy information/links lately. :/  Phishers are clearly
>trying to poison the blocklisting process.  We have to be
>Catherine Hampton
>The SpamBouncer         *     <http://www.spambouncer.org/>
>Personal Home Page      *         <http://www.devsite.org/>
	I think it is Korean, not Chinese.

	Paul Shupak
	track at plectere.com
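
The rDNS check described in the quoted message, as an added example that is not part of the original thread: it goes one step further and forward-confirms the PTR name, since a PTR record is set by whoever controls the IP block and can claim any hostname. The function names, verdict strings and `PROTECTED_DOMAINS` list are hypothetical, and the sample addresses are constructed from documentation ranges, not real eBay IPs.

```python
import socket

# Assumption: domains of brands the phish impersonates; extend as needed.
PROTECTED_DOMAINS = ("ebay.com",)

# Constructed sample data (documentation-range IPs, not real addresses).
FAKE_PTR = {"192.0.2.10": "hp-core.ebay.com",    # genuine-looking decoy
            "198.51.100.7": "hp-core.ebay.com",  # PTR claims eBay, A record disagrees
            "203.0.113.5": "host5.example.net"}  # unrelated host
FAKE_A = {"hp-core.ebay.com": {"192.0.2.10"}}

def system_ptr(ip):
    """PTR lookup via the system resolver; hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    """A-record lookup via the system resolver; set of IPv4 strings."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def under(host, domain):
    """True if host is domain or a subdomain of it (not a lookalike suffix)."""
    host = host.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def triage(ip, ptr=system_ptr, forward=system_forward):
    """Classify an IP pulled from a phish before it goes on a blocklist."""
    host = ptr(ip)
    if host is None or not any(under(host, d) for d in PROTECTED_DOMAINS):
        return ("candidate", host)           # continue normal listing review
    if ip in forward(host):                  # forward-confirmed reverse DNS
        return ("decoy-do-not-list", host)   # the brand's own server
    return ("spoofed-ptr-review", host)      # PTR names the brand, A does not

def demo():
    """Run triage over the constructed sample with an offline resolver."""
    fwd = lambda h: FAKE_A.get(h, set())
    return {ip: triage(ip, FAKE_PTR.get, fwd) for ip in FAKE_PTR}

if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, *verdict)
```

Calling `triage(ip)` with no resolver arguments uses the system resolver instead of the constructed tables.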

