From a guy I trust and work on anti-spam algorithms who also works at Network Solutions:
The system running here detected a rash of ebay and paypal phishing earlier today and it is still going on. Hope this info can help find and stop it before someone gets damaged.
Here are the IP addresses of the mail servers sending them and the sites they point to.
There are too many, here are all the IP addresses so far. Except for the paypal one, nearly all of them point to that ebay-loginpage link:
On Thu, 28 Apr 2005, Kevin A. McGrail wrote:
From a guy I trust and work on anti-spam algorithms who also works at Network Solutions:
The system running here detected a rash of ebay and paypal phishing earlier today and it is still going on. Hope this info can help find and stop it before someone gets damaged.
Here are the IP addresses of the mail servers sending them and the sites they point to.
84.0.191.93: http://61.8.248.242/paypal/
Submit a few samples of those to SURBL so the target URL gets listed. Also feed them to the ClamAV people (http://www.clamav.net/).
ClamAV now has anti-phishing rules in its virus scanner and recently I've seen its blocked phishes outnumber the blocked viri.
Can't send them for privacy reasons as they are addressed to users :-(
Submit a few samples of those to SURBL so the target URL gets listed. Also feed them to the ClamAV people (http://www.clamav.net/).
ClamAV now has anti-phishing rules in its virus scanner and recently I've seen its blocked phishes outnumber the blocked viri.
KAM
On Thursday, April 28, 2005, 10:40:25 AM, Kevin McGrail wrote:
From a guy I trust and work on anti-spam algorithms who also works at Network Solutions:
The system running here detected a rash of ebay and paypal phishing earlier today and it is still going on. Hope this info can help find and stop it before someone gets damaged.
Here are the IP addresses of the mail servers sending them and the sites they point to.
84.0.191.93: http://61.8.248.242/paypal/
211.207.71.179: http://ebay-loginpage.com/
[...]
199.222.69.90: http://211.92.164.43/paypal/login.html
66.163.169.223: http://62.14.104.42/popcond/cgi-bin/webscr/cmd_login/submit/login_cmd/login_...
[...]
201.3.200.130: http://200.126.231.52/verify/paypalDLLUPDATE/index.html
[...]
Thanks for those, Kevin! I've added them to SURBLs as:
61.8.248.242 ebay-loginpage.com 211.92.164.43 62.14.104.42 200.126.231.52
Good places to send phishing info to include:
postmaster at corp.mailsecurity.net.au
reportphishing at antiphishing.org
spam at uce.gov
spam at mailpolice.com
admin at fraudwatchinternational.com
Would you please let your friend know about these reporting addresses?
Jeff C.
--
"If it appears in hams, then don't list it."