I agree with Matt's analysis, the payload link is the one that points to cgi5-update[dot]com, and that text could be banned with a JunkMail Pro text filter.
The IP address embedded in the long "verification" HREF is a tracking bug. By viewing the message in HTML, the webserver at that IP is logging that someone viewed it. Maybe there is useful data in the URL to him, maybe not. The server, www.aquirerealty[dot]com, may be an insecure host, and not the phisher himself.

Another interesting link is the one at the bottom with the counter statistics. There is a geo.yahoo.com tracking bug, which may be a red herring, or may really be tracking statistics for the phisher. The source of the http://domainpending[dot]com/js_source/geov2.js however is heavily blacklisted, and SPEWS fingers the server as being associated with "Richard Girard / mtlmarketing[dot]com". YMMV...

Andrew 8)

-----Original Message-----
From: Matthew Bramble [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 3:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] This one eBay fraud.. came right through..

Kami,

Your Body URL filter caught "/pics/" in this message (just once though). Even though that didn't cause it to fail, a site that includes this in each of their links could easily go over the delete weight on your system as it stands right now without a MAXSCORE feature. Just a heads up, as this seems to be a common directory name. There seems to be some code in there to help it get some credit.

The offending URL of course is: cgi5-update[dot]com

Looked it up and also found he has cgi4-update[dot]com freshly registered through a different registrar than that, but both are less than 3 days old. I'd say block the URLs, but how long do these things live?

Suggestion... put eBay in your SPAMDOMAINS file. Same goes for PayPal and every other source that might be the target of such fraud or a virus spoof, such as Norton, McAfee and Microsoft. I don't have all the REVDNS info, but I'll bet you can find at least some of their mail servers by searching SenderBase and doing some MX lookups.

This would be a good thing to share, and you could put it in a separate file and score it higher, since most of us don't have people sending us greeting cards and the like using addresses from these corporate domains. ISPs should be scored lower due to such problems.

There was also an IP in there with a reverse DNS that points to www.aquirerealty.com, which was registered only a month ago from yet another registrar:

Registrant:
  aQuire Realty
  110 Ayala Court
  Los Gatos, CA 95032
  US
  408-358-9138 Fax:408-358-9138

Domain Name: AQUIREREALTY.COM

Administrative Contact:
  Priest, Lonnelle [EMAIL PROTECTED]
  110 Ayala Court
  Los Gatos, CA 95032
  US
  408-358-9138 Fax:408-358-9138

Technical Contact:
  Priest, Lonnelle [EMAIL PROTECTED]
  110 Ayala Court
  Los Gatos, CA 95032
  US
  408-358-9138 Fax:408-358-9138

Record last updated 08-22-2003 01:02:57 PM
Record expires on 06-18-2005
Record created on 06-18-2003

Domain servers in listed order:
  NS11A.VERIO-WEB.COM 161.58.148.38
  NS11B.VERIO-WEB.COM 161.58.148.98

I'm guessing that this is fake info, although they have an account with Verio, so there is some financial trail there if anyone wants to try and jail the punk.

Matt

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
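An added illustration of the Body URL filter and MAXSCORE point raised in the thread (example code written here, not Declude's filter and not from either message): it pulls the links out of an HTML body, scores them per filter, and caps each filter's contribution so a common path like /pics/ cannot reach the delete weight on its own. The filter table, weights, delete weight and both sample bodies are constructed stand-ins; the ".example" hosts stand in for the domains named in the thread.

```python
import re

# Constructed sample bodies (stand-ins, not the message from the thread).
PHISH_HTML = """<html><body>
<a href="http://cgi5-update.example/cgi-bin/verify">Verify your eBay account</a>
<img src="http://192.0.2.10/pics/track.gif?id=abc" width="1" height="1">
<img src="http://example.com/pics/logo.gif">
<img src="http://example.com/pics/banner.gif">
<script src="http://domainpending.example/js_source/geov2.js"></script>
</body></html>"""

# A legitimate greeting-card style mail that uses /pics/ in every image link.
CARD_HTML = "".join(
    f'<img src="http://cards.example/pics/frame{i}.gif">' for i in range(9))

# Assumed filter table: (name, pattern matched against each URL, weight, maxscore).
FILTERS = [
    ("PAYLOAD_HOST", r"://cgi5-update\.", 20, 20),
    ("PICS_DIR", r"/pics/", 3, 6),   # common directory name, so cap it
    ("RAW_IP_HOST", r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", 8, 8),
    ("TRACKING_JS", r"://domainpending\.[^/]+/js_source/", 15, 15),
]
DELETE_WEIGHT = 25  # assumed delete threshold for the whole message

URL_RE = re.compile(r"""(?:href|src)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)


def extract_urls(html):
    """Return every http(s) URL found in an href= or src= attribute."""
    return URL_RE.findall(html)


def score_body(html, use_maxscore=True):
    """Score a body: each filter adds its weight per matching URL.

    With use_maxscore the per-filter total is capped at that filter's maxscore,
    which is the MAXSCORE behaviour the thread asks for.
    Returns (per-filter scores, total, whether total reaches DELETE_WEIGHT).
    """
    urls = extract_urls(html)
    per_filter = {}
    for name, pattern, weight, maxscore in FILTERS:
        rx = re.compile(pattern, re.I)
        raw = weight * sum(1 for u in urls if rx.search(u))
        per_filter[name] = min(raw, maxscore) if use_maxscore else raw
    total = sum(per_filter.values())
    return per_filter, total, total >= DELETE_WEIGHT


if __name__ == "__main__":
    for label, body in (("phish", PHISH_HTML), ("card", CARD_HTML)):
        for cap in (False, True):
            print(label, "maxscore" if cap else "no cap", score_body(body, cap))
```

The phish body is deleted either way, while the nine-image card is deleted only without the cap, which is the false-positive Matt warns about.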
