I'm seeing a new spam variant that is clearly designed to get
past SURBL. It is an HTML message that contains many (50~100)
'invisible' links; links that have no target text, just:
<A href="http://garbage.sitename.tld"></A>
The intention is clear, they want to fill up the 20 'slots' of
the spamcop_uri_limit with their junk links so the real "payload"
URL can slip past unchecked. That's playing a statistical game,
there's a 1 in 20 chance of the "payload" getting picked by the
randomizer but that means that 95% slip by.
To add insult to injury, they're tossing in random "\r" (ASCII-CR)
characters into the "payload" hostname to try to break SpamAssassin's
URI parsing.
Is it time to create rules to penalize large numbers of 'invisible'
links?
The one thing that has me worried is that people may just start
cranking up the spamcop_uri_limit value to do a brute-force response
to this trash (or have a simple-minded client that doesn't have
that kind of limit). This will add an ever-increasing load on the
SURBL dns servers. I'm already seeing a steady-state average of
130 queries/second against my two servers (with spikes in the 150~175)
range. The trend has been a steady increase (passed the 100 Q/S mark
last fall).
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
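A defender-side check for the two tricks described above (empty anchors padding the URI slots and CR characters inside the payload hostname), added here as an example and not code from the original post. The sample HTML is constructed, and the slot_limit of 20 mirrors the 20 spamcop_uri_limit slots mentioned.

```python
import re
from html.parser import HTMLParser

# Constructed sample body (not from the original post): 30 empty anchors to
# pad the URI slots, then the real link whose hostname hides two CRs.
SAMPLE_HTML = (
    "".join(f'<A href="http://junk{i}.example.test"></A>' for i in range(30))
    + '<p>Click <a href="http://pay\rload.exam\rple.test/offer">here</a></p>'
)

class AnchorCollector(HTMLParser):
    """Collects every <a href=...> together with its visible anchor text."""
    def __init__(self):
        super().__init__()
        self.links = []        # [href, text] pairs in document order
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href is not None:
                self._current = [href, ""]
                self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None

def analyze(html, slot_limit=20):
    """Count invisible anchors and recover hosts with CR/LF stripped."""
    p = AnchorCollector()
    p.feed(html)
    p.close()
    invisible = sum(1 for _, text in p.links if not text.strip())
    cr_hidden, hosts = [], []
    for href, _ in p.links:
        clean = re.sub(r"[\r\n]", "", href)   # undo the CR-splitting trick
        if clean != href:
            cr_hidden.append(clean)
        m = re.match(r"https?://([^/?#]+)", clean, re.I)
        if m:
            hosts.append(m.group(1).lower())
    return {
        "total": len(p.links),
        "invisible": invisible,
        "padding_attack": invisible >= slot_limit,   # enough to crowd out slots
        "cr_hidden": cr_hidden,
        "hosts": hosts,
    }
```

Because the hosts are collected after CR/LF stripping, the padding anchors and the real destination all reach the same lookup, instead of the random sample of 20 that the padding is designed to game.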
Dear eBay:
Wow, your form letter has changed my mind. Your security is perfect. Your
commitment to security is stellar. Running an open redirector is a great
idea. Sorry I didn't see the light earlier.
However, on a new topic, I was shocked and dismayed that eBay is allowing
and assumingly SUPPORTING pornography to be distributed through your
website. Does this include child pornography or is that only in Europe and
places where the age of consent for pornography is under 18?
Please advise based on the following link from eBay --WARNING: The following
page contains naked photos:
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&Doma…
What is the meaning of this? eBay is facilitating porn now?
OK, now that I have your attention maybe this extreme last resort will
ACTUALLY get you to forward this to someone at your company with an
understanding of phishing and security that is slightly higher than the
Trust and Safety department?
If not, I give up and wish you well in your support of the child pornography
industry that your company is facilitating by turning a blind eye to glaring
security issues.
Sincerely,
Kevin A. McGrail
----- Original Message -----
From: "eBay Customer Support" <rswebhelp(a)ebay.com>
To: "Kevin A. McGrail" <kmcgrail(a)pccc.com>
Sent: Saturday, February 26, 2005 12:06 PM
Subject: RE: SP91011 your recent report to eBay's Trust and Safety
Department (KMM157050156V37604L0KM)
> Hello,
>
> Thank you for writing back.
>
> I truly apologize if you felt we were not concerned about the email you
> received. We are aware of the potential for fraud that these emails
> pose.
>
> Let me assure you that we do work actively and aggressively in
> partnership with many agencies, ISP's, and law enforcement groups to
> investigate these fraudulent entities. Please keep in mind that eBay is
> a public company and not associated with any legislative or police
> entity. We rely on the same agencies you do to pursue these fraudulent
> activities. We are very much concerned about our members' safety, but we
> cannot control the actions of those intent on committing fraud.
>
> If you have already received a spoofed email once, your email address
> has already been harvested. Sadly, you may continue to receive spoofed
> emails for some time as these groups migrate from ISP to ISP setting up
> fraudulent sites or sending fraudulent emails.
>
> We advise you to be very cautious of all email messages that ask you to
> submit information such as your credit card number or your email
> password. eBay (and most other Internet companies) will never ask you
> for sensitive personal information such as passwords, bank account or
> credit card numbers, Personal Identification Numbers (PINs), or Social
> Security numbers in an email. If you ever need to provide information to
> eBay please open a new Web browser, type www.ebay.com, and click on the
> "site map" link located at the top of the page to access the eBay page you
> need.
>
> To keep your eBay experience safe, we have set up a new tutorial about
> Spoof Emails to educate our members on spotting a fake email. To check it
> out, please click on the help link located at the top of all eBay pages.
> Once the help window appears, click on the link to eBay's Security
> Center. From the Security Center you will find a variety of safety
> related links. On the right hand side you will see a link to "Protect
> yourself from spoof emails".
>
> Help > Security Center > Protect yourself from spoof emails
>
> Once again, thank you for alerting us to the spoof email you received.
> Your vigilance helps us ensure that eBay remains a safe and vibrant
> online marketplace.
>
>
> Regards,
>
> Marcel
> eBay SafeHarbor
> Investigations Team
> ______________________________
> eBay Inc.
> The World's Online Marketplace®
> *******************************************
>
> Important: eBay will not ask you for sensitive personal information
> (such as your password, credit card and bank account numbers, Social
> Security numbers, etc.) in an email. Learn more account protection tips
> at:
>
> http://pages.ebay.com/help/confidence/isgw-account-theft-reporting.html
>
> _____________________________________________
>
> For our latest announcements, please check:
>
> http://www2.ebay.com/aw/announce.shtml
> _____________________________________________
>
> In order to better serve you, we'd occasionally like to
> request feedback on our service. If you would rather
> not participate, please click on the link below and send
> us an email with the word "REMOVE" in the subject line.
> If that does not work, please send an email to the
> email address below. Your request will be processed
> within 5 days.
>
> mailto:cssremove@ebay.com
>
> *******************************************
>
Let me know and we could forward Kevin's post to the SPAM-L list. That would
create some pressure ;)
--Chris (Top posting because of my stupid MUA!!!)
> Thanks Kevin,
> I'm asking around if anyone has contacts at eBay.
I've heard back from some folks at eBay that they're now working
on this issue.
Jeff C.
Hello SURBL Team,
Please review linkshield(dot)com. It's a URL cloaking service but has no
abuse policy, etc. It may have legit uses but their service may actually
benefit spammers.
Just wanted to get everyone's opinion :-)
-RD
I'm asking here because I know some of you probably can figure this one out.
My wife owns raogk.org (Random Acts Of Genealogical Kindness) and has a
person who is having e-mail issues.
A bit of background. I designed the full backend of this site which once
you figure out the country,state,county of where you're wanting
information you click on the volunteers name and a form pops up which
allows you to enter your name/e-mail and what you want this person to
lookup. And once it is sent it sends you a BCC of what you asked.
Anyway, this one person is using MSN and is not getting his BCCs. We've
had him do a complete search through his Outlook Express for the subject
of these. Nada.
And we've had no complaints from anyone else using MSN, so doubt it is
the issue.
Could this person be running something like an e-mail filter which is
eating his BCCs? Any of you heard of this? We're not sure what is
running on this person's computer, so unknown if or what could be causing
this.
I'm out of ideas.
We have the headers from some test messages we had this person do.
Funny thing is they're getting all the other @raogk.org e-mail.
Please include the raogk-admin(a)raogk.org address if you reply.
Thanks,
-Doc
This is a follow-up to my initial discovery that eBay has its own redirector and this redirector was now showing up in Phishing scams.
Despite my adamant, fervent & rabid inquiries, eBay has done nothing. With the rise of the use of the redirector on eBay and this more obscure url now being used, I believe even more phish-aware users would be caught:
http://cgi4-munged.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDoma…
Anyone who knows anyone at eBay that understands security should email them and tell them to turn this redirector OFF.
In the meantime, here's an SA Rule to help catch it which I would appreciate feedback about:
# This rule is to mark emails using the exploit of the eBay redirector.
# Dots are escaped so they only match a literal '.', and the leading .* is
# dropped since an unanchored uri pattern already matches anywhere.
uri KAM_EBAYREDIR /\.ebay\.com.*RedirectToDomain/i
describe KAM_EBAYREDIR Attempted use of eBay redirector - high probability of fraud
score KAM_EBAYREDIR 7.0
More posted at: http://www.peregrinehw.com/downloads/SpamAssassin/contrib/KAM.cf
Regards,
KAM
>
>Jeff Chan wrote:
>
>> I'm not getting matches either. Let's ask Dallas to please look
>> into it for us.
>
>Alright! I noticed spam got hits from SURBL-lists anyway (as
>you pointed
>out in your other message).
>
>I'll wait to report my spam-mails until the problems are solved.
>
I sent the Ninja in charge an email. We recently did an update that may have
messed up the public one.
--Chris
Rob McEwen wrote:
>> http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&Doma
>> inUrl=http://mymt.co.kr/.cgi-bin/eBaySuspension/signin.ebay.com/aw->cgi/sec
> ure/eBayISAPI.dllSignIn-ssPageName->hhsin.php?MfcISAPICommand=SignInFPP&Usin
> gSSL=1&email=
>
>> Erm, it's called a redirector. Did you try the
>> URL? ebay's site redirects
>> to the URL in the DomainURL parameter.
>
> Whatever you call it, it's bad news for any parser which might not
> grab and extract the referenced URL for SURBL checking.
>
> Also, this leads to additional questions:
>
> (1) Are there legitimate "business purposes" for ebay to have such a
> redirector in the first place?
To a certain limited extent, yes
> (2) If so, are there legitimate reasons for such a redirector to EVER
> show up in legitimate e-mails?
To that extent, yes
> (3) If not, does anyone know of a "clearinghouse" page where ALL such
> types of redirectors are listed so that rules could be built to block
> e-mails containing these (using rules-based blocking)? Also, are
> there already SA rules for such?
>
> Rob McEwen
eBay should certainly realize that they are imparting a degree of authority to URLs that are redirected in this manner. They may even be liable for damages. Best practices probably dictate that they keep a list of URLs that are legitimate redirection destinations, and limit redirection to those URLs - on attempts to feed the redirector any other URL, they should pop up big ugly error messages saying "someone's trying to phish you (or maybe we forgot to update our list)"
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
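A Python sketch added here (not KAM's rule file and not anything from eBay) that does two things from this thread: applies the KAM_EBAYREDIR idea as a regex, with the dots escaped, to flag redirector URLs in mail, and shows the allowlist check Matthew proposes, where a redirector only forwards to destinations on a known-good list. The allowed hosts and the sample URLs are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Mail-side detection: same pattern as the KAM_EBAYREDIR uri rule.
KAM_EBAYREDIR = re.compile(r"\.ebay\.com.*RedirectToDomain", re.I)

def kam_rule_matches(url):
    """True if the URL would hit the KAM_EBAYREDIR rule."""
    return KAM_EBAYREDIR.search(url) is not None

# Server-side mitigation: hypothetical allowlist of legitimate destinations.
ALLOWED_REDIRECT_HOSTS = {"www.ebay.com", "pages.ebay.com"}

def is_redirector(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    cmd = parse_qs(parts.query).get("MfcISAPICommand", [""])[0]
    return (host == "ebay.com" or host.endswith(".ebay.com")) and \
        cmd.lower() == "redirecttodomain"

def redirect_target(url):
    """Return the DomainUrl parameter (name matched case-insensitively)."""
    # Note: an unencoded nested query in DomainUrl is cut at its first '&',
    # but the host part, which is what the allowlist checks, survives intact.
    for key, values in parse_qs(urlsplit(url).query).items():
        if key.lower() == "domainurl":
            return values[0]
    return None

def classify(url):
    """What a hardened redirector should do with this request."""
    if not is_redirector(url):
        return "not-a-redirector"
    target = redirect_target(url)
    if target is None:
        return "redirector-without-target"
    thost = (urlsplit(target).hostname or "").lower()
    return "allowed" if thost in ALLOWED_REDIRECT_HOSTS else "blocked"
```

Anything classified "blocked" is where Matthew's "someone's trying to phish you" error page belongs, rather than a silent forward.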
Hi,
Is there something wrong with the SURBL-checker at
http://www.rulesemporium.com/cgi-bin/uribl.cgi ?
I get no matches for any of the domains I'm testing. Even spam domains that
hit the multi list aren't listed as blocked.
Is this problem related to the "FP-rate" thread?
/ Martin