... In today's spamtrap take, I got a phish targeting eBay that contained a link to the following IP:

66.135.192.124

The link was inside a JavaScript and looked, at first and second glance, like a link to a phish site. As a habit, I do an rDNS on all IPs, however, before listing them. That's fortunate, in this case -- that IP resolves as hp-core.ebay.com. Yes, a genuine eBay IP pointing to a genuine eBay server, one that has nothing to do with the phish, of course.

The actual phish link in this spam was:

http://www.doje.de/bbs/eBayISAPI.dllhdsh6ds65bcgadhgd43as676bsda6gwcv7zfcage...

It appeared well down the spam, after not one, but two, decoy links to the eBay IP above.

By the way, I'm not listing doje.de as a Phish Domain either. It's a Chinese language web site (yes, at a German national domain, probably something for expatriates), and the format of the URL suggests that the phisher exploited an insecure web BBS package. This is one where blocking on the URL is the appropriate approach. <sigh>

Posted because I'm seeing quite a few phishes with this sort of decoy information/links lately. :/ Phishers are clearly trying to poison the blocklisting process. We have to be careful.

-- Catherine Hampton ariel@spambouncer.org The SpamBouncer * http://www.spambouncer.org/ Personal Home Page * http://www.devsite.org/ _______________________________________________ Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss

I think it is Korean, not Chinese.

Paul Shupak track@plectere.com