Posted to users@spamassassin.apache.org by Chris Santerre <cs...@MerchantsOverseas.com> on 2006/10/12 17:42:46 UTC

New ebay phish

New phish looks like a LEGIT ebay message from another user

"I'm still waiting payment for my item for about 1 week. What happened?
Please mail me ASAP or I will report you to ebay."
Only one link doesn't point back to ebay site, of course it's the "Respond
Now" button. 
Be on the lookout!

Thanks,

Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com




Re: New ebay phish

Posted by "John D. Hardin" <jh...@impsec.org>.
On Tue, 17 Oct 2006, Peter H. Lemieux wrote:

> Date: Tue, 17 Oct 2006 16:33:49 -0400
> From: Peter H. Lemieux <ph...@cyways.com>
> To: John D. Hardin <jh...@impsec.org>
> Cc: "users@spamassassin.apache.org" <us...@spamassassin.apache.org>
> Subject: Re: New ebay phish
> 
> John D. Hardin wrote:
> >> The Obtuse daemon also has a function that can reject mail
> >> according to the domain of the sending server's DNS host.  That
> >> works well with some spamming operations that have dozens of bogus
> >> domains all pointing at a common DNS host.
> > 
> > Any stats for that?
> 
> I'm not sure I know what kind of stats you're looking for, John.

Primarily % hit rate, but...
 
> Uncovering situations like this requires a bit of detective work. 
> Sometimes when I get messages from obviously spammy domains like 
> randomword-anotherrandomword.com, I'll do some checking into their IP and 
> domain whois records.  I might also use nmap to ping-scan their class-C 
> subnet to see what other hostnames are nearby.  Following those domains 
> back can often uncover a common DNS server.  If the DNS server doesn't 
> have reverse-DNS configured (e.g., dns[12].superduperspecials.com), it's 
> *really* suspicious.
> 
> My list isn't all that long because this takes a bit of work.  I usually 
> resort to such measures when I get really annoyed by a particular set of 
> spams.  Most of my rules depend on the IP/hostname of the sending server, 
> not this indirect approach based on DNS servers, but the latter can come 
> in handy sometimes.

...this is useful, too.

I was thinking of perhaps extending my spamfriendly-registrar plugin
to do domain DNS checks like this and was wondering if it looked to be
worth it.

You'd still have to have somebody do the work to identify the
spamfriendly DNS domains...

It's probably not worth it.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
 14 days until Halloween


Re: New ebay phish

Posted by "Peter H. Lemieux" <ph...@cyways.com>.
John D. Hardin wrote:
>> The Obtuse daemon also has a function that can reject mail
>> according to the domain of the sending server's DNS host.  That
>> works well with some spamming operations that have dozens of bogus
>> domains all pointing at a common DNS host.
> 
> Any stats for that?

I'm not sure I know what kind of stats you're looking for, John.

Uncovering situations like this requires a bit of detective work. 
Sometimes when I get messages from obviously spammy domains like 
randomword-anotherrandomword.com, I'll do some checking into their IP and 
domain whois records.  I might also use nmap to ping-scan their class-C 
subnet to see what other hostnames are nearby.  Following those domains 
back can often uncover a common DNS server.  If the DNS server doesn't 
have reverse-DNS configured (e.g., dns[12].superduperspecials.com), it's 
*really* suspicious.

My list isn't all that long because this takes a bit of work.  I usually 
resort to such measures when I get really annoyed by a particular set of 
spams.  Most of my rules depend on the IP/hostname of the sending server, 
not this indirect approach based on DNS servers, but the latter can come 
in handy sometimes.

Peter


Re: New ebay phish

Posted by "John D. Hardin" <jh...@impsec.org>.
On Tue, 17 Oct 2006, Peter H. Lemieux wrote:

> The Obtuse daemon also has a function that can reject mail
> according to the domain of the sending server's DNS host.  That
> works well with some spamming operations that have dozens of bogus
> domains all pointing at a common DNS host.

Any stats for that?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
 14 days until Halloween


Re: New ebay phish

Posted by "Peter H. Lemieux" <ph...@cyways.com>.
> New phish looks like a LEGIT ebay message from another user

I handle all problems like this at the SMTP level using the old, but 
extremely powerful Obtuse smtpd daemon (http://sd.inodes.org/).  All 
inbound mail is collected by the smtpd daemon on my MX server, then 
passed to another machine for SA scanning and delivery.

The Obtuse daemon lets you write rules based on the sending server's 
identity (both IP and domain name) and the data contained in the MAIL 
FROM and RCPT TO fields in the SMTP exchange.

In the case of eBay, we only accept messages with an @ebay.com From 
address if they come from a server in *.ebay.com.  I've found this to be 
a very effective deterrent to phishing scams and use it with a number of 
banking and financial domains.  I also apply similar rules to messages 
from commonly-forged domains like AOL, Yahoo, hotmail, etc.

This approach occasionally runs afoul of people, usually on residential 
connections, who erroneously use their AOL or Yahoo address in the From, 
but mail out through another ISP's server.  When this happens I politely 
explain why there is a Reply-To header.  We process about 100K messages a 
week; these problems arise at most once a month.

The Obtuse daemon also has a function that can reject mail according to 
the domain of the sending server's DNS host.  That works well with some 
spamming operations that have dozens of bogus domains all pointing at a 
common DNS host.


Peter
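
Added example (not Obtuse smtpd's code, nor anything from this thread): an SMTP-time policy check in the spirit of the two rules Peter describes, accepting an @ebay.com (or AOL/Yahoo) envelope sender only from a server whose reverse-DNS name is under that domain, and rejecting senders whose domain is served by a known spam-friendly DNS host. The PTR and NS tables stand in for live DNS and are constructed, as is the blocked nameserver domain taken from Peter's illustrative name.

```python
# Added example, not Obtuse smtpd code. Policy check run at MAIL FROM time.
# Rule 1: a commonly-phished sender domain must arrive from its own servers.
# Rule 2: reject when the sending host's domain uses a blocked DNS host.
# All lookup tables below are constructed stand-ins for real DNS answers.

PROTECTED = {            # envelope-sender domain -> allowed sending-host suffixes
    "ebay.com": ("ebay.com",),
    "aol.com": ("aol.com",),
    "yahoo.com": ("yahoo.com",),
}
BAD_NS_DOMAINS = {"superduperspecials.com"}   # hypothetical, from Peter's example

PTR = {                  # constructed reverse-DNS answers (client IP -> hostname)
    "192.0.2.10": "mx1.ebay.com",
    "203.0.113.5": "mail.example-isp.net",
    "198.51.100.7": "smtp.randomword-anotherrandomword.com",
}
NS = {                   # constructed NS records for the sending hosts' domains
    "ebay.com": ["ns1.ebay.com"],
    "example-isp.net": ["ns.example-isp.net"],
    "randomword-anotherrandomword.com": ["dns1.superduperspecials.com"],
}

def in_domain(host, suffix):
    """True if host equals suffix or is a subdomain of it."""
    host, suffix = host.lower().rstrip("."), suffix.lower()
    return host == suffix or host.endswith("." + suffix)

def registered_domain(host):
    """Naive registered domain: last two labels (fine for the data here)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def check_sender(client_ip, mail_from):
    """Return (accepted, reason) for one MAIL FROM from the given client IP."""
    sending_host = PTR.get(client_ip)
    if sending_host is None:
        return False, f"no reverse DNS for {client_ip}"
    sender_domain = mail_from.rsplit("@", 1)[-1].lower()
    # rule 1: protected From domains must come from their own mail servers
    if sender_domain in PROTECTED:
        if not any(in_domain(sending_host, s) for s in PROTECTED[sender_domain]):
            return False, f"{sender_domain} claimed by {sending_host}"
    # rule 2: sending host whose domain is served by a spam-friendly DNS host
    for ns in NS.get(registered_domain(sending_host), []):
        if any(in_domain(ns, bad) for bad in BAD_NS_DOMAINS):
            return False, f"nameserver {ns} under blocked DNS host"
    return True, "ok"
```

The second call in the test reproduces the false positive Peter mentions: a user mailing from a residential ISP with an AOL From address is rejected by rule 1.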


Re: New ebay phish

Posted by Evan Platt <ev...@espphotography.com>.
At 08:42 AM 10/12/2006, you wrote:

>New phish looks like a LEGIT ebay message from another user
>
>"I'm still waiting payment for my item for about 1 week. What 
>happened? Please mail me ASAP or I will report you to ebay."
>
>Only one link doesn't point back to ebay site, of course it's the 
>"Respond Now" button.
>Be on the lookout!

Not really new unfortunately. I've seen those for a good 3 months.

The rule of thumb for eBay is eBay messages will address you by full 
name and your eBay id, i.e. Dear Joe Smith (widgetseller123).

They will not contain a link to click on, but say "Open a web 
browser, go to ebay.com, log in, go to my messages."

As to why (ref: your followup), it has two different seller IDs?

Spammer stupidity?

I saw a bank phish from "Bank A Customer Service <su...@banka.com>.

Dear Bank A Customer:

Here at Bank B, we take your business seriously...."

Yeahhhhhhh
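
Added example, not from anyone in this thread: a content-side check for the pattern Chris and Evan describe. It flags a message that claims to be from eBay when any link in it points outside ebay.com (the "Respond Now" button in Chris's sample) or when the greeting is not the "Full Name (ebayid)" form Evan says real eBay mail uses. The HTML message below is constructed for the example.

```python
# Added example. Flags off-domain links and generic greetings in a message
# that presents itself as eBay mail. The SAMPLE message is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def host_under(url, domain):
    """True if the URL's host is domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

# "Dear Joe Smith (widgetseller123)": two or more capitalised name words,
# then the eBay id in parentheses; "Dear eBay member" does not match.
GREETING = re.compile(r"Dear\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)+\s*\([\w.-]+\)")

def suspicious_links(html, claimed_domain="ebay.com"):
    """Links whose host is not under the domain the message claims."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text.strip()) for href, text in parser.links
            if not host_under(href, claimed_domain)]

def has_personal_greeting(text):
    return GREETING.search(text) is not None

SAMPLE = """<p>Dear eBay member,</p>
<p>I'm still waiting payment for my item for about 1 week. What happened?</p>
<p><a href="http://my.ebay.com/messages">View in My Messages</a>
<a href="http://203.0.113.9/ebay/respond.php">Respond Now</a></p>"""
```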