[SURBL-Discuss] Re: Why you should check Phish IPs first :/

Jeff Chan jeffc at surbl.org
Sat Aug 6 07:51:52 CEST 2005

On Friday, August 5, 2005, 12:25:25 PM, Catherine Hampton wrote:
> In today's spamtrap take, I got a phish targeting eBay that 
> contained a link to the following IP:


> The link was inside a JavaScript and looked, at first and second
> glance, like a link to a phish site.  As a habit, I do an rDNS
> on all IPs, however, before listing them.  That's fortunate, in
> this case -- that IP resolves as hp-core.ebay.com.  Yes, a genuine
> eBay IP pointing to a genuine eBay server, one that has nothing
> to do with the phish, of course.

> The actual phish link in this spam was:

> http://www.doje.de/bbs/eBayISAPI.dllhdsh6ds65bcgadhgd43as676bsda6gwcv7zfcageName=BayISAPI.dll/

> It appeared well down the spam, after not one, but two, decoy
> links to the eBay IP above. 

> By the way, I'm not listing doje.de as a Phish Domain either.  
> It's a Chinese language web site (yes, at a German national
> domain, probably something for expatriates), and the format 
> of the URL suggests that the phisher exploited an insecure
> web BBS package.  This is one where blocking on the URL is
> the appropriate approach.  <sigh>

> Posted because I'm seeing quite a few phishes with this sort
> of decoy information/links lately. :/  Phishers are clearly
> trying to poison the blocklisting process.  We have to be
> careful.

A good cautionary tale to be careful about analyzing these.

Pretty sneaky of the phishers to have plausible-looking decoys
like that.  Or maybe the legitimate eBay message they copied had
phishy-looking links originally.

Jeff C.
Don't harm innocent bystanders.
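
The pre-listing check described in this thread, as an added example (not code from the list or from SURBL): reverse-resolve every IP found in a phish before listing it. It goes one step beyond the post by also forward-confirming the PTR, since a PTR record is set by whoever controls the reverse zone. The DNS tables, addresses, `PROTECTED` list, verdict names and sample message are constructed assumptions; `hp-core.ebay.com` is the hostname from the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed DNS data (documentation address ranges) so the example runs offline.
PTR = {"192.0.2.10": "hp-core.ebay.com", "198.51.100.7": "fake-ptr.ebay.com"}
A = {"hp-core.ebay.com": {"192.0.2.10"}, "fake-ptr.ebay.com": {"192.0.2.99"}}
PROTECTED = ("ebay.com",)  # assumed: domains of the brands being phished


def vet_ip(ip, ptr_lookup=PTR.get, a_lookup=lambda h: A.get(h, set())):
    """Return (verdict, ptr_name) for an IP found in a phish link.

    skip   - PTR names a protected domain and the forward lookup confirms it
    review - PTR names a protected domain but is not forward-confirmed
    list   - nothing ties the IP to a protected domain
    """
    host = ptr_lookup(ip)
    if host is None:
        return "list", None
    host = host.rstrip(".").lower()
    if not any(host == d or host.endswith("." + d) for d in PROTECTED):
        return "list", host
    return ("skip" if ip in a_lookup(host) else "review"), host


def ip_hosts(body):
    """Yield each distinct IP-literal host from http(s) URLs in a message body."""
    seen = set()
    for url in re.findall(r"https?://[^\s\"'<>)]+", body):
        try:
            ip = str(ipaddress.ip_address(urlsplit(url).hostname))
        except ValueError:
            continue  # a hostname (or malformed URL), not an IP literal
        if ip not in seen:
            seen.add(ip)
            yield ip


def vet_message(body):
    """Map every IP linked in the message to its verdict."""
    return {ip: vet_ip(ip) for ip in ip_hosts(body)}


# Constructed message body: two decoy links to one IP, then two other IPs.
SAMPLE = """<script>window.open('http://192.0.2.10/ws/eBayISAPI.dll')</script>
<a href="http://192.0.2.10/">Sign in</a> <a href="http://198.51.100.7/x">a</a>
<a href="http://203.0.113.5/bbs/login">Verify</a> http://www.example.org/"""
```

In production the two lookup arguments would be backed by a real resolver; a `review` verdict goes to a human rather than straight onto the list.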
