On Thursday, August 4, 2005, 7:36:11 AM, Bil Cook wrote:
Have yet to hit an FP on SC2, and that is over almost three weeks now.
On Thursday, August 4, 2005, 5:29:00 AM, Rob McEwen wrote:
Last night, I ran SC2 against a corpus of 119,000 messages consisting of about 97-99% ham. This was a corpus of mostly ham mail which had made it past my filter over the past few months. (BTW, my percentages keep getting better, so most of that small percentage of spam in this corpus was from a few months ago).
SC2 caught about 150 messages from this corpus. ALL of these caught messages were spam. It did NOT "block" a single ham.
Thanks much for the feedback Bil, Rob and others earlier and off-list.
If the SA folks don't have time to do a corpus check on SC2, then maybe we should go ahead and put SC2 into production. I'd still feel better with a large ham check from them before doing it though.
Jeff C. -- Don't harm innocent bystanders.
In today's spamtrap take, I got a phish targeting eBay that contained a link to the following IP:
66.135.192.124
The link was inside a JavaScript and looked, at first and second glance, like a link to a phish site. As a habit, I do an rDNS on all IPs, however, before listing them. That's fortunate, in this case -- that IP resolves as hp-core.ebay.com. Yes, a genuine eBay IP pointing to a genuine eBay server, one that has nothing to do with the phish, of course.
The actual phish link in this spam was:
http://www.doje.de/bbs/eBayISAPI.dllhdsh6ds65bcgadhgd43as676bsda6gwcv7zfcage...
It appeared well down the spam, after not one, but two, decoy links to the eBay IP above.
By the way, I'm not listing doje.de as a Phish Domain either. It's a Chinese language web site (yes, at a German national domain, probably something for expatriates), and the format of the URL suggests that the phisher exploited an insecure web BBS package. This is one where blocking on the URL is the appropriate approach. <sigh>
Posted because I'm seeing quite a few phishes with this sort of decoy information/links lately. :/ Phishers are clearly trying to poison the blocklisting process. We have to be careful.
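A defender-side triage script, added here as an illustration and not part of any list member's post: it pulls every link out of a message, reverse-resolves IP literals (the habit the post describes), and refuses to treat anything that resolves into a protected brand domain as a listing candidate. The sample message, the PROTECTED_SUFFIXES tuple and the injectable resolver are constructed for the example; only the eBay IP comes from the post.

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

# Constructed sample: two decoy links to a real eBay IP first, the
# phish URL well down the message, as the post describes. The phish
# path is a placeholder, not the one from the post.
SAMPLE_MESSAGE = """\
<script>window.location='http://66.135.192.124/ws/eBayISAPI.dll'</script>
<a href="http://66.135.192.124/signin">Sign in to eBay</a>
... copied eBay boilerplate ...
<a href="http://www.doje.de/bbs/eBayISAPI.dll/CONSTRUCTED-PATH">Verify</a>
"""

# Hypothetical list of brand domains that must never be listed by accident.
PROTECTED_SUFFIXES = ("ebay.com",)

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)

def extract_hosts(message):
    """Return (url, host) for every http(s) URL in the message, in order."""
    out = []
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname
        if host:
            out.append((url, host.lower()))
    return out

def rdns(host):
    """Reverse-resolve an IP literal; return '' for names or lookup failure."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return ""
    try:
        return socket.gethostbyaddr(host)[0].lower()
    except OSError:
        return ""

def protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)

def triage(message, resolver=rdns):
    """Tag each link 'decoy' when the host or its rDNS name sits inside a
    protected brand domain, else 'candidate' (still needs a human look)."""
    results = []
    for url, host in extract_hosts(message):
        name = resolver(host)
        tag = "decoy" if protected(host) or protected(name) else "candidate"
        results.append((url, host, name, tag))
    return results
```

Run against a live resolver, `triage(SAMPLE_MESSAGE)` would skip the two eBay links and leave only the doje.de URL for manual review, which is the post's conclusion.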
-----Original Message-----
From: discuss-bounces@lists.surbl.org [mailto:discuss-bounces@lists.surbl.org] On Behalf Of Catherine Hampton
Sent: Friday, August 05, 2005 2:25 PM
To: Jeff Chan; SURBL Discussion list
Subject: [SURBL-Discuss] Why you should check Phish IPs first :/
On Friday, August 5, 2005, 7:46:08 PM, Herb Martin wrote:
I have seen a few like this, with many real links and only one very obscure (in both construction AND in location) phish link.
Just this week, I found a Dun & Bradstreet phish, disguised as a D & B SPAM -- they made it look like D&B was spamming customers or potential customers. One's first thought might be "damn spam", and that is a very sneaky psychological trick for those who after a moment's reflection realize that they might actually be interested in the D&B "Product".
For those who follow this mental path (to product interest) the idea of PHISH might well be long gone by this point.
Method: Phish hidden as Spam hiding as "Important business site"
Surely this would cut down on the success ratio IF no one knew about Phish, but as awareness grows this will catch a percentage of people who would NOT normally click on a phish.
Herb Martin, MCT, MCSD, MCSE, MVP HerbM@LearnQuick.Com http://LearnQuick.Com 512 388 7339 -or- 1 800 MCSE PRO Accelerated MCSE in a Week Seminars
Definitely an interesting tactic to imitate D & B.
Jeff C. -- Don't harm innocent bystanders.
Definitely an interesting tactic to imitate D & B.
I agree, which was what stood out about the sneakiness.
Basic pitch (with possible user reactions in parens):
Mail from D&B (Oh, that could be important to my business)
Recent activity on your credit rating (Oh my, is this for real? That's scary) (Wait a minute -- I haven't done any 'credit' stuff -- this could be a PHISH or FRAUD!)
We at D&B want to sell you a service to watch over this... (Oh, it's really D&B and they are trying to SELL me something.)
The phish possibility is likely forgotten. Final reactions:
(Complaint to D&B about spam; delete; or investigate the purchase.)
Only in the latter case does the phish get a shot, but that jiu-jitsu (or close-up magician's trick of misdirection) is very powerful psychologically.
-- Herb Martin
A good cautionary tale to be careful about analyzing these.
Pretty sneaky of the phishers to have plausible-looking decoys like that. Or maybe the legitimate eBay message they copied had phishy-looking links originally.
Jeff C. -- Don't harm innocent bystanders.