On Saturday, September 18, 2004 3:33 AM, Jeff Chan wrote:
> Most of the data looks pretty regular, but one difference is that the mailpolice data has some records like these: 1380781-usd10.e-gold.com [ ... ] Some of these also don't make sense. e-gold.com is legitimate, and www.e-gold.com and 1380781-usd10.e-gold.com resolve to the same IP address. Why would e-gold phish themselves or allow a phisher to be hosted on their main web server?
There was a phishing attempt a couple months ago using a legitimate e-gold.com account for donations to the Red Cross. E-gold expresses their accounts as subdomains to the e-gold.com domain. After contacting e-gold, they did disable the account, but there still were emails with that subdomain being circulated AND the page still did resolve.
The same for other domains that allow signups using subdomains, like "paypal-cgi-bin.tripod.com" etc.
I do lookups on the entire URI, without shortening it. And then I use wildcards in the DNS zone (which should be shortened as much as possible down to the second or third subdomain) so they resolve. That's worked very well in my experience for the past year. Most of the fraud data is reviewed and added manually because of the high subdomain abuse.
--
Jay Swackhamer  jswack@nebularis.com
Nebularis Inc  http://www.nebularis.com
MailPolice Spam&Virus Elimination  http://www.mailpolice.com
Tel: 1-613-843-9358  Fax: 1-613-825-5960
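The difference between the two listing strategies discussed in this thread (look up the full hostname against a zone that lists the abused subdomain plus a wildcard beneath it, versus shortening to the base domain first) can be simulated without a resolver. The following is an added example, not code from the thread participants or from MailPolice/SURBL; the zone contents are constructed from the hostnames quoted above, and the wildcard handling models ordinary DNS wildcard semantics (`*.x` matches names below `x`, never `x` itself). The `registrable_domain` helper is a deliberately naive two-label shortening, standing in for whatever shortening a client might apply before querying.

```python
"""Simulate full-hostname vs. shortened lookups against a URI blocklist zone.

Added example (not the thread's or any project's code). Zone entries are
constructed from hostnames quoted in the thread.
"""

# Constructed: hostnames the list publisher decided to block because only
# that subdomain (an account name, a free-hosting user) was abused, not the
# parent domain.
LISTED_HOSTS = [
    "1380781-usd10.e-gold.com",
    "paypal-cgi-bin.tripod.com",
]


def build_zone(hosts):
    """Return the set of zone owner names: each listed host plus '*.host'.

    The wildcard is what makes deeper names such as
    'cgi.1380781-usd10.e-gold.com' resolve without a separate record.
    """
    zone = set()
    for h in hosts:
        h = h.lower().rstrip(".")
        zone.add(h)
        zone.add("*." + h)
    return zone


def lookup_full(hostname, zone):
    """Full-hostname lookup with DNS wildcard semantics.

    An exact owner name wins; otherwise '*.parent' matches any name that has
    at least one label below 'parent'. 'e-gold.com' and 'www.e-gold.com'
    therefore stay clean while the listed account subdomain is caught.
    """
    name = hostname.lower().rstrip(".")
    if name in zone:
        return True
    labels = name.split(".")
    for i in range(1, len(labels)):
        if "*." + ".".join(labels[i:]) in zone:
            return True
    return False


def registrable_domain(hostname):
    """Naive shortening to the last two labels (hypothetical client behaviour)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup_shortened(hostname, zone):
    """Shorten both the query and the listed names to the base domain first.

    This is the alternative the thread argues against: it collapses
    '1380781-usd10.e-gold.com' onto 'e-gold.com', so the legitimate parent
    site and every other account subdomain become false positives.
    """
    short_zone = {registrable_domain(h) for h in zone if not h.startswith("*.")}
    return registrable_domain(hostname) in short_zone


if __name__ == "__main__":
    zone = build_zone(LISTED_HOSTS)
    for host in ["e-gold.com", "www.e-gold.com", "1380781-usd10.e-gold.com",
                 "cgi.1380781-usd10.e-gold.com", "tripod.com",
                 "paypal-cgi-bin.tripod.com"]:
        print(f"{host:32} full={lookup_full(host, zone)!s:5} "
              f"shortened={lookup_shortened(host, zone)}")
```

Running it prints one row per host: the full-hostname lookup flags only the two listed subdomains and names beneath them, while the shortened lookup also flags `e-gold.com`, `www.e-gold.com` and `tripod.com`. The wildcard records are what keep the zone small: a publisher lists the abused subdomain once and every deeper name resolves, which is the "shortened as much as possible down to the second or third subdomain" behaviour described in the reply.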