From jeffc@surbl.org Wed Mar 8 23:24:49 2006
From: Jeff Chan
To: discuss@lists.surbl.org
Subject: Re: [SURBL-Discuss] Fw: Interesting Phishing Trick
Date: Wed, 08 Mar 2006 14:24:39 -0800
Message-ID: <10010471189.20060308142439@surbl.org>
In-Reply-To: <022a01c642d3$d558ff30$cc0a0a0a@thoughtworthy.internal>

On Wednesday, March 8, 2006, 9:14:57 AM, Kevin McGrail wrote:
> A co-worker of mine just pointed this out to me today. He tested it in
> Thunderbird and I tested it in OE6. It warrants serious attention.
> Ignoring the munged part, this would trick a very savvy internet user that
> allows HTML email, clicks on a link and doesn't check the browser address
> line.

> Any input on rules or techniques to block this nasty fellow?

> Sincerely,
> KAM

>> I just received a phishing e-mail claiming to be from eBay. All of the
>> links LOOKED legit, including what displayed in the status bar when you
>> moused over a link. I knew this was not legit, so I looked in the
>> source code and found this:
>>
>> href="https://signin.ebay-MUNGED.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerId=2&siteid=0">
>> href="http://211.254.130.108-MUNGED/...../">>eBay Update Center
>>
>> Note the double use of an a href tag, one inside a caption tag, one
>> outside. The outside a href displays, while the a href within the caption
>> tag is what would actually be triggered.

>> Interesting way of masking the true URL.

It's an interesting use, but I don't believe it would confuse
SpamAssassin, etc. The second URI should be visible enough to
be checked, and I added the IP to ph.surbl.org.

Please report phishing spams to:

  spam at mailpolice. com

Jeff C.
--
Don't harm innocent bystanders.
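
The check described in this message, as an added example that is not part of the original thread and is not SpamAssassin or SURBL code: a standard-library Python scanner that collects every `href` in an HTML body, so the inner URI is still available for a blocklist lookup, and flags an anchor opened inside another open anchor when the two point at different hosts. The function names and the sample markup (hosts under `.example`, a documentation-range IP) are constructed for illustration.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

def _host(uri):
    """Lower-cased host of a URI, or '' if it cannot be parsed."""
    try:
        return (urlsplit(uri).hostname or "").lower()
    except ValueError:
        return ""

def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

class NestedAnchorScanner(HTMLParser):
    """Record every href; flag an <a> that opens while another <a> is open."""
    def __init__(self):
        super().__init__()
        self.open_hrefs = []  # stack of hrefs for anchors not yet closed
        self.all_uris = []    # every URI seen, for per-URI blocklist lookups
        self.findings = []    # (outer_host, inner_host, inner_is_ip_literal)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        self.all_uris.append(href)
        if self.open_hrefs:
            outer, inner = _host(self.open_hrefs[-1]), _host(href)
            if inner and inner != outer:
                self.findings.append((outer, inner, _is_ip(inner)))
        self.open_hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "a" and self.open_hrefs:
            self.open_hrefs.pop()

def scan(html):
    scanner = NestedAnchorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.all_uris, scanner.findings

# Constructed sample: outer anchor shows a plausible sign-in URL, the anchor
# inside the caption points at a bare IP address.
SAMPLE = ('<a href="https://signin.shop.example/ws/SignIn?sid=verify">'
          '<table><caption><a href="http://192.0.2.10/update/">Shop Update '
          'Center</a></caption></table></a>')
```

Each entry in `all_uris` can be handed to whatever URI blocklist lookup the filter already performs, while `findings` gives a structural signal that does not depend on the inner host being listed yet.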