Is ebay running an open relay now????
See this phish below and look at this url!
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&D...
Regards, KAM
----- Original Message ----- From: eBay@reply3.ebay.com To: kmcgrail@peregrinehw.com Sent: Wednesday, February 16, 2005 8:44 PM Subject: TKO Notice: Urgent Fraud Investigation
Place or Update Credit Card on File
Dear Kmcgrail@peregrinehw.com ,
This is your final warning about the safety of your eBay account. If you do not update your billing informations your access on eBay will be restricted and the user deleted. This might be due to either following reasons:
- A recent change in your personal information (i.e. change of address) - Submiting invalid information during the initial sign up process. - An inability to accurately verify your selected option of payment due an internal error within our processors.
Your credit card on file with eBay
Card number: XXXX-XXXX-XXXX-4322 (Not shown for security purposes) Expiration date: 11/05
Please sign in to your eBay account and update your billing information:
https://signin.ebay.com/saw-cgi/eBayISAPI.dll?SignIn&UsingSSL=1
If your account information is not updated, your ability to sell or bid on eBay will become restricted.
Thank you, eBay Billing Department
--------------------------------------------------------------------
eBay treats your personal information with the utmost care, and our Privacy Policy is designed to protect you and your information. eBay will never ask their users for personal information, such as bank account numbers, credit card numbers, pin numbers, passwords, or Social Security numbers in an email. For more information on how to protect your eBay password and your account, please visit User Account Protection.
This eBay notice was sent to you based on your eBay account preferences and in accordance with our Privacy Policy. To change your notification preferences, click here. If you would like to receive this email in text format, click here.
Copyright © 2005 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are trademarks of eBay Inc.
on Thu, Feb 17, 2005 at 09:38:32AM -0500, Kevin A. McGrail wrote:
Is ebay running an open relay now????
Erm, it's called a redirector. Did you try the URL? ebay's site redirects to the URL in the DomainURL parameter.
See this phish below and look at this url!
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&D...
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&D... inUrl=http://mymt.co.kr/.cgi-bin/eBaySuspension/signin.ebay.com/aw-%3Ecgi/sec
ure/eBayISAPI.dllSignIn-ssPageName->hhsin.php?MfcISAPICommand=SignInFPP&Usin gSSL=1&email=
Erm, it's called a redirector. Did you try the URL? ebay's site redirects to the URL in the DomainURL parameter.
Whatever you call it, it's bad news for any parser which might not grab and extract the referenced URL for SURBL checking.
Also, this leads to additional questions:
(1) Are there legitimate "business purposes" for ebay to have such a redirector in the first place?
(2) If so, are there legitimate reasons for such a redirector to EVER show up in legitimate e-mails?
(3) If not, does anyone know of a "clearinghouse" page where ALL such types of redirectors are listed so that rules could be built to block e-mails containing these (using rules-based blocking)? Also, are there already SA rules for such?
Rob McEwen
On Thursday, February 17, 2005, 1:52:24 PM, Rob McEwen wrote:
(1) Are there legitimate "business purposes" for ebay to have such a redirector in the first place?
(2) If so, are there legitimate reasons for such a redirector to EVER show up in legitimate e-mails?
(3) If not, does anyone know of a "clearinghouse" page where ALL such types of redirectors are listed so that rules could be built to block e-mails containing these (using rules-based blocking)? Also, are there already SA rules for such?
IMO The correct answer is for eBay not to have an open redirector or for them to protect it better, for example as Matthew suggests.
We could ask them follow the lead of other redirection sites and use SURBLs to check the URIs:
http://www.surbl.org/redirect.html
Jeff C. -- "If it appears in hams, then don't list it."
On Thursday, February 17, 2005, 4:46:28 PM, Jeff Chan wrote:
IMO The correct answer is for eBay not to have an open redirector or for them to protect it better, for example as Matthew suggests.
We could ask them follow the lead of other redirection sites and use SURBLs to check the URIs:
Jeff C.
Kevin McGrail reports that eBay has closed their open redirector.
Jeff C. -- "If it appears in hams, then don't list it."
On Thu, 17 Feb 2005, Kevin A. McGrail wrote:
Is ebay running an open relay now????
See this phish below and look at this url!
http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&D...
That's a redirector service at eBay. Report that phish to ebay's security address, maybe they'll actually rethink that redirector thing now.
-
David B Funk -
Jeff Chan -
Kevin A. McGrail -
Rob McEwen -
Steven Champeon