On Saturday, September 18, 2004, 5:26:13 PM, Jay Swackhamer wrote:
On Saturday, September 18, 2004 3:33 AM, Jeff Chan wrote:
Most of the data looks pretty regular, but one difference is that the mailpolice data has some records like these: 1380781-usd10.e-gold.com [ ... ] Some of these also don't make sense. e-gold.com is legitimate, and www.e-gold.com and 1380781-usd10.e-gold.com resolve to the same IP address. Why would e-gold phish themselves or allow a phisher to be hosted on their main web server?
There was a phishing attempt a couple months ago using a legitimate e-gold.com account for donations to the Red Cross. E-gold expresses their accounts as subdomains to the e-gold.com domain. After contacting e-gold, they did disable the account, but there still were emails with that subdomain being circulated AND the page still did resolve.
The same for other domains that allow signups using subdomains, like "paypal-cgi-bin.tripod.com" etc.
I do lookups on the entire URI, without shortening it. And then I use wildcards in the DNS zone (which should be shortened as much as possible down to the second or third subdomain) so they resolve. That's worked very well in my experience for the past year. Most of the fraud data is reviewed and added manually because of the high subdomain abuse.
Thanks for clarifying that point. I guessed from the data that yours was working with the whole URI instead of trying to reduce to a base domain like we do. It's a different design decision.
The two strategies can be compatible in a somewhat kludgey way if we choose to not reduce the whole URI data, causing them to not match the domains extracted by SURBL code from messages found in the wild.
I'd still be interested to hear if you may be able to provide a version of the fraud data without sender domains or sender IPs. (On the other hand, the fraud list is probably too short to be including those, so is it already the case that senders are not in fraud?)
Jeff C.
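The two lookup strategies discussed in this exchange (Jay's whole-hostname queries against a zone with wildcard records, and SURBL's reduction of the hostname to a base domain before querying) can be put side by side in a few lines. The following is an added example, not code from the SURBL project or from either poster; the zone contents are constructed for illustration, the zone data is held in a dict rather than a real DNS zone, and the two-level TLD table is a small hand-picked subset (the real SURBL code uses a much longer list).

```python
"""Added example (not from the thread): compare base-domain reduction with
whole-hostname lookup against a constructed URI blocklist zone.

Wildcard matching below approximates DNS semantics: an exact owner name
wins, otherwise the nearest enclosing '*.parent' record is used.  Real
wildcard processing has more corner cases (RFC 4592); this is enough to
show why the two strategies disagree on subdomain abuse."""
from urllib.parse import urlsplit

# Constructed zone. In a real DNSBL these are A records under the zone
# name; here: owner name -> listing reason. Names taken from the thread.
ZONE = {
    "1380781-usd10.e-gold.com": "fraud",       # abused e-gold account subdomain
    "paypal-cgi-bin.tripod.com": "fraud",      # abused free-hosting signup
    "*.paypal-cgi-bin.tripod.com": "fraud",    # wildcard: anything beneath it
    "spam-sender.example": "spam",             # constructed, for contrast
}

# Constructed subset of public-suffix-style two-level TLDs (assumption:
# a real implementation would carry a complete, maintained list).
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def host_of(uri):
    """Extract the hostname from a URI, lower-cased, without trailing dot."""
    host = urlsplit(uri).hostname or ""
    return host.lower().rstrip(".")


def base_domain(host):
    """SURBL-style reduction: keep the registrable part only.
    '1380781-usd10.e-gold.com' -> 'e-gold.com'; 'a.b.co.uk' -> 'b.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def zone_lookup(name, zone=ZONE):
    """Emulate a DNS query against the zone: exact owner first, then walk
    up the tree looking for the closest wildcard record."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None


def lookup_reduced(host, zone=ZONE):
    """Strategy A (SURBL): reduce to base domain, then query."""
    return zone_lookup(base_domain(host), zone)


def lookup_whole(host, zone=ZONE):
    """Strategy B (whole-hostname zone with wildcards): query as-is."""
    return zone_lookup(host, zone)


def compare(uri, zone=ZONE):
    """Show what each strategy returns for one URI found in a message."""
    host = host_of(uri)
    return {
        "host": host,
        "base_domain": base_domain(host),
        "reduced_lookup": lookup_reduced(host, zone),
        "whole_lookup": lookup_whole(host, zone),
    }


if __name__ == "__main__":
    for uri in (
        "http://1380781-usd10.e-gold.com/login",   # phishing subdomain
        "http://www.e-gold.com/",                  # legitimate site
        "http://deep.paypal-cgi-bin.tripod.com/x", # matched via wildcard
        "http://spam-sender.example/offer",
    ):
        print(compare(uri))
```

Running the block prints one line per URI. The e-gold case is the point of the exchange: reduction collapses the abused subdomain to `e-gold.com`, which is not (and should not be) listed, so the reduced lookup returns nothing, while the whole-hostname lookup hits the specific record; listing `e-gold.com` itself under the reduced strategy would block the legitimate site as well. Conversely, a zone built for whole-hostname queries only helps a reducing client if the entries it publishes are already base domains, which is the compatibility issue Jeff raises.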