Posted to users@spamassassin.apache.org by fchan <fc...@molsci.org> on 2009/06/18 23:53:00 UTC
Interesting phished domain name.
I was reading some spam mail to feed sa-learn and found
this message with this interesting phished domain name. At least they
told me who they were:
http://pastebin.ca/1465411
Re: Interesting phished domain name.
Posted by Yet Another Ninja <sa...@alexb.ch>.
On 6/18/2009 11:53 PM, fchan wrote:
> I was reading some spam mail to feed sa-learn and found this
> message with this interesting phished domain name. At least they told me
> who they were:
>
> http://pastebin.ca/1465411
URI pointed to malware
site has been suspended
a toast to W3-Servers :-)
Re: Interesting phished domain name.
Posted by Yet Another Ninja <sa...@alexb.ch>.
On 6/19/2009 12:28 AM, Benny Pedersen wrote:
> On Fri, June 19, 2009 00:22, Yet Another Ninja wrote:
>
>> w-crook.com.ar.multi.uribl.com has address 127.0.0.2
>> w-crook.com.ar.multi.surbl.org has address 127.0.0.46
>
> it now makes sense with ttl in 300 sec :)
I've been told it was detected on 2009-06-17 15:34:06 GMT
Re: Interesting phished domain name.
Posted by Chris <cp...@embarqmail.com>.
On Fri, 2009-06-19 at 00:28 +0200, Benny Pedersen wrote:
> On Fri, June 19, 2009 00:22, Yet Another Ninja wrote:
>
> > w-crook.com.ar.multi.uribl.com has address 127.0.0.2
> > w-crook.com.ar.multi.surbl.org has address 127.0.0.46
>
> it now makes sense with ttl in 300 sec :)
>
> but if i get time, i would make meta rules to spot the phish sometime
>
> is the exe even detected in clamav now ?
>
My setup detects it as:
X-Spam-Virus: Yes (Sanesecurity.Malware.9368.UNOFFICIAL)
--
KeyID 0xE372A7DA98E6705C
Re: Interesting phished domain name.
Posted by Benny Pedersen <me...@junc.org>.
On Fri, June 19, 2009 00:22, Yet Another Ninja wrote:
> w-crook.com.ar.multi.uribl.com has address 127.0.0.2
> w-crook.com.ar.multi.surbl.org has address 127.0.0.46
it now makes sense with ttl in 300 sec :)
but if i get time, i would make meta rules to spot the phish sometime
is the exe even detected in clamav now ?
--
xpoint
Re: Interesting phished domain name.
Posted by Yet Another Ninja <sa...@alexb.ch>.
On 6/19/2009 12:10 AM, Benny Pedersen wrote:
> On Thu, June 18, 2009 23:53, fchan wrote:
>
>> http://pastebin.ca/1465411
>
> make a meta rule for line 24 25 35
>
> solved
>
> i would like to hold your credit card for a moment, and you would like to
> download phishing report in an exe file ? :)
>
???
w-crook.com.ar.multi.uribl.com has address 127.0.0.2
w-crook.com.ar.multi.surbl.org has address 127.0.0.46
Re: Interesting phished domain name.
Posted by Benny Pedersen <me...@junc.org>.
On Thu, June 18, 2009 23:53, fchan wrote:
> http://pastebin.ca/1465411
make a meta rule for line 24 25 35
solved
i would like to hold your credit card for a moment, and you would like to
download phishing report in an exe file ? :)
--
xpoint