[SURBL-Discuss] Additional phish/fraud list

Jay Swackhamer jswack-lists at nebularis.com
Sun Sep 19 02:26:13 CEST 2004

On Saturday, September 18, 2004 3:33 AM, Jeff Chan wrote:
> Most of the data looks pretty regular, but one difference
> is that the mailpolice data has some records like these:
> 1380781-usd10.e-gold.com
> [ ... ]
> Some of these also don't make sense.  e-gold.com is legitimate,
> and www.e-gold.com and 1380781-usd10.e-gold.com resolve to
> the same IP address.  Why would e-gold phish themselves or allow
> a phisher to be hosted on their main web server?

There was a phishing attempt a couple of months ago using a legitimate
e-gold.com account for donations to the Red Cross. E-gold expresses
their accounts as subdomains of the e-gold.com domain. After I contacted
e-gold, they did disable the account, but there were still emails with
that subdomain being circulated AND the page still did resolve.

The same for other domains that allow signups using subdomains, like
"paypal-cgi-bin.tripod.com" etc.

I do lookups on the entire URI, without shortening it. And then I use
wildcards in the DNS zone (which should be shortened as much as possible
down to the second or third subdomain) so they resolve.  That's worked
very well in my experience for the past year. Most of the fraud data is
reviewed and added manually because of the high subdomain abuse.

Jay Swackhamer <jswack at nebularis.com>
Nebularis Inc <http://www.nebularis.com>
MailPolice Spam&Virus Elimination <http://www.mailpolice.com>
Tel: 1-613-843-9358  Fax: 1-613-825-5960
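To illustrate the lookup scheme described in the message (query the full URI host, list the abused subdomain plus a wildcard beneath it, leave the legitimate parent unlisted), here is an added Python sketch; it is not MailPolice's code, and the zone entries, hostnames and function names are constructed assumptions.

```python
"""Full-hostname blocklist lookups against a zone with wildcard records.
Added illustration, not MailPolice code; zone contents are constructed."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed zone. Wildcards are placed as low as possible (at the abused
# subdomain), so e-gold.com and www.e-gold.com themselves are not listed.
ZONE = {
    "1380781-usd10.e-gold.com",
    "*.1380781-usd10.e-gold.com",
    "paypal-cgi-bin.tripod.com",
    "*.paypal-cgi-bin.tripod.com",
}


def uri_host(uri: str) -> str:
    """Extract the complete host from a URI, lower-cased, without shortening."""
    host = urlsplit(uri).hostname or ""
    return host.lower().rstrip(".")


def shortened_host(host: str, levels: int = 2) -> str:
    """What a registered-domain style shortening would query instead."""
    return ".".join(host.split(".")[-levels:])


def zone_lookup(host: str, zone=ZONE) -> Optional[str]:
    """Return the zone record that answers a query for `host`, or None.

    Simplified wildcard semantics: an exact record wins; otherwise the
    closest enclosing '*.<parent>' record matches any name at least one
    label below <parent>, but never <parent> itself.
    """
    if host in zone:
        return host
    labels = host.split(".")
    for i in range(1, len(labels)):  # closest enclosing parent first
        candidate = "*." + ".".join(labels[i:])
        if candidate in zone:
            return candidate
    return None


def is_listed(uri: str) -> bool:
    """Check a URI the way the message describes: full host, no shortening."""
    return zone_lookup(uri_host(uri)) is not None
```

Querying `shortened_host("1380781-usd10.e-gold.com")` returns nothing, which is the miss the full-host lookup avoids without having to list e-gold.com itself.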

