[SURBL-Discuss] Additional phish/fraud list

Jeff Chan jeffc at surbl.org
Sun Sep 19 03:06:28 CEST 2004

On Saturday, September 18, 2004, 5:26:13 PM, Jay Swackhamer wrote:
> On Saturday, September 18, 2004 3:33 AM, Jeff Chan wrote:
>> Most of the data looks pretty regular, but one difference
>> is that the mailpolice data has some records like these:
>> 1380781-usd10.e-gold.com
>> [ ... ]
>> Some of these also don't make sense.  e-gold.com is legitimate,
>> and www.e-gold.com and 1380781-usd10.e-gold.com resolve to
>> the same IP address.  Why would e-gold phish themselves or allow
>> a phisher to be hosted on their main web server?

> There was a phishing attempt a couple months ago using a legitimate
> e-gold.com account for donations to the Red Cross. E-gold expresses
> their accounts as subdomains to the e-gold.com domain. After contacting
> e-gold, they did disable the account, but there still were emails with
> that subdomain being circulated AND the page still did resolve.

> The same for other domains that allow signups using subdomains, like
> "paypal-cgi-bin.tripod.com" etc.

> I do lookups on the entire URI, without shortening it. And then I use
> wildcards in the DNS zone (which should be shortened as much as possible
> down to the second or third subdomain) so they resolve.  That's worked
> very well in my experience for the past year. Most of the fraud data is
> reviewed and added manually because of the high subdomain abuse.

Thanks for clarifying that point.  I guessed from the data that
yours was working with the whole URI instead of trying to reduce
to a base domain like we do.  It's a different design decision.

The two strategies can be compatible in a somewhat kludgey way if
we choose not to reduce the whole-URI data, causing them to not
match the domains extracted by SURBL code from messages found in
the wild.

I'd still be interested to hear if you may be able to provide
a version of the fraud data without sender domains or sender IPs.
(On the other hand, the fraud list is probably too short to be
including those, so is it already the case that senders are
not in fraud?)

Jeff C.
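The two lookup strategies discussed in this thread, as an added worked example that is not code from SURBL, mailpolice, or either poster: a URI is either reduced to its base domain before the DNS query (the SURBL approach) or queried as the full hostname against a zone that carries wildcard records (the approach Jay describes). The zone names (`surbl.example`, `fraud.example`), the zone records, the phishing domain `login-egold.example`, and the two-level suffix table are all constructed for illustration; the e-gold and tripod hostnames are the ones quoted above.

```python
"""Base-domain lookup versus full-hostname lookup with DNS wildcards.

Added example; zone names, records and the suffix table below are
constructed stand-ins, not real blocklist data.
"""
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the multi-level public suffixes that a
# real base-domain reducer would take from a maintained suffix list.
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Constructed zones. The full-host zone lists the abused subdomain and a
# wildcard beneath it, so hosts under the listing also resolve; the
# base-domain zone lists only registrable domains.
FRAUD_ZONE = "fraud.example"
FRAUD_RECORDS = {
    "1380781-usd10.e-gold.com.fraud.example": "127.0.0.2",
    "*.1380781-usd10.e-gold.com.fraud.example": "127.0.0.2",
    "paypal-cgi-bin.tripod.com.fraud.example": "127.0.0.2",
    "*.paypal-cgi-bin.tripod.com.fraud.example": "127.0.0.2",
}
SURBL_ZONE = "surbl.example"
SURBL_RECORDS = {
    "login-egold.example.surbl.example": "127.0.0.2",
}


def hostname_of(uri):
    """Extract the lower-cased hostname from a URI (scheme optional)."""
    if "://" not in uri:
        uri = "http://" + uri
    host = urlsplit(uri).hostname
    return host.rstrip(".") if host else None


def base_domain(host):
    """Reduce a hostname to its registrable (base) domain."""
    labels = host.split(".")
    if len(labels) <= 2:
        return host
    if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def base_domain_query(uri, zone):
    """Query name a base-domain list would be asked for this URI."""
    return f"{base_domain(hostname_of(uri))}.{zone}"


def full_host_query(uri, zone):
    """Query name a full-hostname list would be asked for this URI."""
    return f"{hostname_of(uri)}.{zone}"


def lookup(zone_records, qname):
    """Resolve qname against an in-memory zone with DNS wildcard semantics.

    Exact owner name first; otherwise find the closest encloser (the nearest
    ancestor that exists in the zone tree) and answer only from a '*.' record
    directly beneath it, as RFC 4592 does. Returns the record or None.
    """
    if qname in zone_records:
        return zone_records[qname]
    existing = set()  # every owner name and all of its ancestors
    for owner in zone_records:
        labels = owner.split(".")
        for i in range(len(labels)):
            existing.add(".".join(labels[i:]))
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in existing:
            return zone_records.get("*." + encloser)
    return None


def classify(uri):
    """Return (base_domain_hit, full_host_hit) for a URI under each strategy."""
    base_hit = lookup(SURBL_RECORDS, base_domain_query(uri, SURBL_ZONE)) is not None
    full_hit = lookup(FRAUD_RECORDS, full_host_query(uri, FRAUD_ZONE)) is not None
    return base_hit, full_hit


if __name__ == "__main__":
    for u in ("http://1380781-usd10.e-gold.com/login",
              "http://www.e-gold.com/",
              "http://deep.1380781-usd10.e-gold.com/x",
              "http://secure.login-egold.example/"):
        print(u, classify(u))
```

The last case in the thread is visible in the code as well: feeding the full-host records into a base-domain lookup does not work, because `base_domain_query` turns `1380781-usd10.e-gold.com` into `e-gold.com`, and `e-gold.com.fraud.example` has no record, so the phish is missed unless the whole of e-gold.com is listed.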
