RE: [Declude.JunkMail] This one eBay fraud.. came right through..

2003-11-21 Thread Kami Razvan
Hi Matt:

:) on /pics/

Actually we have had (surprisingly) good results with that.  I just checked
and our weight on this is 10.

Question.. I did not think that the filter weight is cumulative on a single
hit, meaning if I have 10 of the /pics/ in the body of email I do not think
the final weight will be 100.  I thought once a filter is hit it is only
counted once.

Scott... True? False?

As for Spamdomains.. You are right.  We have PayPal as:

@paypal.com .paypal.com

But not eBay.  eBay is added now..

@ebay.com .ebay.com

Has anyone seen any other variation for eBay?

Regards,
Kami


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Thursday, November 20, 2003 6:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] This one eBay fraud.. came right through..

Kami,

Your Body URL filter caught /pics/ in this message (just once though).
Even though that didn't cause it to fail, a site that includes this in each
of their links could easily go over the delete weight on your system as it
stands right now without a MAXSCORE feature.  Just a heads up as this seems
to be a common directory name.

There seems to be some code in there to help it get some credit.  The
offending URL of course is:

cgi5-update[dot]com

Looked it up and also found he has cgi4-update[dot]com freshly registered
through a different registrar than that, but both are less than 3 days old.
I'd say block the URL's, but how long do these things live?

Suggestion...put Ebay in your SPAMDOMAINS file.  Same goes for PayPal and
every other source that might be the target of such fraud or a virus spoof
such as Norton, McAfee and Microsoft.  I don't have all the REVDNS info, but
I'll bet you can find at least some of their mail servers by searching
SenderBase and doing some MX lookups.  This would be a good thing to share,
and you could put it in a separate file and score it higher since most of us
don't have people sending us greeting cards and the like using addresses
from these corporate domains.  ISP's should be scored lower due to such
problems.

There was also an IP in there with a reverse DNS that points to
www.aquirerealty.com which was registered only a month ago from yet another
registrar.:

Registrant:
aQuire Realty
110 Ayala Court
Los Gatos, CA 95032
US
408-358-9138
Fax:408-358-9138


Domain Name: AQUIREREALTY.COM

Administrative Contact:
Priest, Lonnelle [EMAIL PROTECTED]
110 Ayala Court
Los Gatos, CA 95032
US
408-358-9138
Fax:408-358-9138


Technical Contact:
Priest, Lonnelle [EMAIL PROTECTED]
110 Ayala Court
Los Gatos, CA 95032
US
408-358-9138
Fax:408-358-9138


Record last updated 08-22-2003 01:02:57 PM
Record expires on 06-18-2005
Record created on 06-18-2003

Domain servers in listed order:
NS11A.VERIO-WEB.COM 161.58.148.38
NS11B.VERIO-WEB.COM 161.58.148.98


I'm guessing that this is fake info, although they have an account with
Verio, so there is some financial trail there if anyone wants to try and
jail the punk.

Matt

---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type unsubscribe
Declude.JunkMail.  The archives can be found at
http://www.mail-archive.com.



RE: [Declude.JunkMail] This one eBay fraud.. came right through..

2003-11-21 Thread Kami Razvan
 
so there is some financial trail there if anyone wants to try and jail the
punk.

Funny indeed Matt...

These guys are in the business of stealing credit cards and bank
information... What are the chances they used their own credit card? H

Regards,
Kami



RE: [Declude.JunkMail] This one eBay fraud.. came right through..

2003-11-21 Thread R. Scott Perry

Question.. I did not think that the filter weight is cumulative on a single
hit, meaning if I have 10 of the /pics/ in the body of email I do not think
the final weight will be 100.  I thought once a filter is hit it is only
counted once.
Scott... True? False?

That is correct.

The weight for a filter will be the total of the weight for the filter 
itself (in the test definition line) plus the weights of all lines in the 
filter that are triggered.  But each line in the filter will only be 
counted once.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
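
The counting rule Scott describes, next to the per-occurrence counting Matt was worried about, as an added example (not part of the thread and not Declude code). The rule representation, the /unsubscribe/ line and the max_score cap are hypothetical, and returning 0 when no line triggers is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterLine:
    needle: str   # text searched for in the message body
    weight: int   # weight added when this line is triggered


def filter_weight(body, base_weight, lines, once_per_line=True, max_score=None):
    """Weight that one filter contributes for `body`.

    once_per_line=True  : each triggered line counts once (the behaviour
                          confirmed in the thread).
    once_per_line=False : every occurrence counts (the cumulative case).
    max_score           : hypothetical cap on the filter's contribution.
    """
    text = body.lower()
    total = 0
    triggered = False
    for line in lines:
        hits = text.count(line.needle.lower())
        if hits == 0:
            continue
        triggered = True
        total += line.weight * (1 if once_per_line else hits)
    if not triggered:
        return 0  # assumption: a filter with no triggered line adds nothing
    total += base_weight  # weight from the test definition line
    if max_score is not None:
        total = min(total, max_score)
    return total


# Hypothetical filter: /pics/ at weight 10 as in the thread, plus a
# constructed second line.
BODYURL_LINES = [FilterLine("/pics/", 10), FilterLine("/unsubscribe/", 5)]

# Constructed body: ten links that all contain /pics/.
SAMPLE_BODY = "\n".join(
    f'<img src="http://images.example.test/pics/{i}.gif">' for i in range(10)
)

if __name__ == "__main__":
    print("once per line :", filter_weight(SAMPLE_BODY, 0, BODYURL_LINES))
    print("per occurrence:", filter_weight(SAMPLE_BODY, 0, BODYURL_LINES,
                                           once_per_line=False))
    print("capped at 30  :", filter_weight(SAMPLE_BODY, 0, BODYURL_LINES,
                                           once_per_line=False, max_score=30))
```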



Re: [Declude.JunkMail] This one eBay fraud.. came right through..

2003-11-21 Thread Matthew Bramble
Kami,

I wasn't thinking there for a second :)

Matt





Re: [Declude.JunkMail] This one eBay fraud.. came right through..

2003-11-21 Thread Bill Landry
For ebay, you may want to add to spamdomains:

.ebay.com   .emailebay.com

Bill
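
The sender-domain versus reverse-DNS check that these SPAMDOMAINS entries are used for, as an added example (not part of the thread and not Declude code). It assumes the first field on a line is matched against the end of the sender address and the remaining fields are acceptable reverse-DNS suffixes; the sender address and the mx1/mail host names are constructed, while the bellsouth.net name is the reverse DNS shown in the posted headers.

```python
# The two lines Kami quotes in the thread.
SPAMDOMAINS = """\
@paypal.com .paypal.com
@ebay.com .ebay.com
"""


def parse_rules(text):
    """Return [(sender_suffix, (allowed_rdns_suffix, ...)), ...]."""
    rules = []
    for raw in text.splitlines():
        fields = raw.lower().split()
        if len(fields) >= 2:
            rules.append((fields[0], tuple(fields[1:])))
    return rules


def fails_spamdomains(sender, reverse_dns, rules):
    """True when the sender claims a listed domain but the connecting
    host's reverse DNS does not end in one of the allowed suffixes."""
    sender = sender.strip().lower()
    # Normalise: lower-case, drop a trailing root dot, treat "no PTR" as empty.
    rdns = (reverse_dns or "").strip().lower().rstrip(".")
    for sender_suffix, allowed in rules:
        if sender.endswith(sender_suffix):
            # Prefix a dot so "ebay.com" itself matches ".ebay.com" while
            # "notebay.com" does not.
            return not any(("." + rdns).endswith(sfx) for sfx in allowed)
    return False  # sender domain is not listed, the test does not apply


RULES = parse_rules(SPAMDOMAINS)

if __name__ == "__main__":
    cases = [
        ("aw-confirm@ebay.com", "adsl-068-016-167-035.sip.jan.bellsouth.net"),
        ("aw-confirm@ebay.com", "mx1.ebay.com"),
        ("aw-confirm@ebay.com", "mail.notebay.com"),
        ("aw-confirm@ebay.com", None),
        ("friend@example.org", "host.example.org"),
    ]
    for sender, rdns in cases:
        print(sender, rdns, "->", fails_spamdomains(sender, rdns, RULES))
```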


Re: [Declude.JunkMail] This one eBay fraud.. came right through..

2003-11-20 Thread Matthew Bramble
Kami,

Your Body URL filter caught /pics/ in this message (just once 
though).  Even though that didn't cause it to fail, a site that includes 
this in each of their links could easily go over the delete weight on 
your system as it stands right now without a MAXSCORE feature.  Just a 
heads up as this seems to be a common directory name.

There seems to be some code in there to help it get some credit.  The 
offending URL of course is:

   cgi5-update[dot]com

Looked it up and also found he has cgi4-update[dot]com freshly 
registered through a different registrar than that, but both are less 
than 3 days old.  I'd say block the URL's, but how long do these things 
live?

Suggestion...put Ebay in your SPAMDOMAINS file.  Same goes for PayPal 
and every other source that might be the target of such fraud or a virus 
spoof such as Norton, McAfee and Microsoft.  I don't have all the REVDNS 
info, but I'll bet you can find at least some of their mail servers by 
searching SenderBase and doing some MX lookups.  This would be a good 
thing to share, and you could put it in a separate file and score it 
higher since most of us don't have people sending us greeting cards and 
the like using addresses from these corporate domains.  ISP's should be 
scored lower due to such problems.

There was also an IP in there with a reverse DNS that points to 
www.aquirerealty.com which was registered only a month ago from yet 
another registrar.:

   Registrant:
   aQuire Realty
   110 Ayala Court
   Los Gatos, CA 95032
   US
   408-358-9138
   Fax:408-358-9138
   Domain Name: AQUIREREALTY.COM

   Administrative Contact:
   Priest, Lonnelle [EMAIL PROTECTED]
   110 Ayala Court
   Los Gatos, CA 95032
   US
   408-358-9138
   Fax:408-358-9138
   Technical Contact:
   Priest, Lonnelle [EMAIL PROTECTED]
   110 Ayala Court
   Los Gatos, CA 95032
   US
   408-358-9138
   Fax:408-358-9138
   Record last updated 08-22-2003 01:02:57 PM
   Record expires on 06-18-2005
   Record created on 06-18-2003
   Domain servers in listed order:
   NS11A.VERIO-WEB.COM 161.58.148.38
   NS11B.VERIO-WEB.COM 161.58.148.98
I'm guessing that this is fake info, although they have an account with 
Verio, so there is some financial trail there if anyone wants to try and 
jail the punk.

Matt



Re: [Declude.JunkMail] This one eBay fraud.. came right through..

2003-11-20 Thread Nick Hayer
Kami,

Would you care to share your  FILTER-BODYURL filter?  I'm 
interested in seeing what you filter on  - 

Thanks!

-Nick Hayer 




From:   Kami Razvan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject:[Declude.JunkMail] This one eBay fraud.. came right through..
Date sent:  Thu, 20 Nov 2003 17:52:27 -0500
Organization:   ClickandPledge.com
Send reply to:  [EMAIL PROTECTED]

 Hi..
 This just came in.. definitely NOT eBay  not caught as SPAM.. filters
 are in order.
 
 HEADER
 =
 Received: from rainer.bnt.com [12.4.218.18] by foroosh.com with ESMTP
   (SMTPD32-8.04) id A2D2B700C2; Thu, 20 Nov 2003 17:40:18 -0500
 Received: from adsl-068-016-167-035.sip.jan.bellsouth.net
 (adsl-068-016-167-035.sip.jan.bellsouth.net [68.16.167.35])
  by rainer.bnt.com (8.12.8p2/8.12.8) with SMTP id hAKMiesG012219
  for [EMAIL PROTECTED]; Thu, 20 Nov 2003 17:44:43 -0500 (EST)
  (envelope-from [EMAIL PROTECTED])
 Received: from [134.150.44.174] by
  adsl-068-016-167-035.sip.jan.bellsouth.net id 08pT0M675jj3; Thu, 20 Nov 2003 23:38:43 +0100
 Message-ID: [EMAIL PROTECTED]
 From: [EMAIL PROTECTED] [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED] [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: eBay Fraud Verification Process
 Date: Thu, 20 Nov 2003 23:38:43 +0100
 X-Mailer: Microsoft Outlook, Build 10.0.2616
 MIME-Version: 1.0
 Content-Type: multipart/alternative;
  boundary=E5BEC_9EF7B6C21F_C4D68
 X-Priority: 3
 X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED]
 X-RBL-Warning: IPNOTINMX: 
 X-RBL-Warning: NOLEGITCONTENT: No content unique to legitimate E-mail detected.
 X-RBL-Warning: FILTER-BODYURL: Message failed FILTER-BODYURL test (158)
 X-RBL-Warning: FILTER-BODY-GIBBERISH: Message failed FILTER-BODY-GIBBERISH test (110)
 X-RBL-Warning: FILTER-BODY-ANTIGIBBERISH: Message failed FILTER-BODY-ANTIGIBBERISH test (73)
 X-RBL-Warning: COUNTRY: Message failed COUNTRY test (36)
 X-Declude-Sender: [EMAIL PROTECTED] [68.16.167.35]
 X-Declude-Spoolname: D42d200b700c29886.SMD
 X-Note: This E-mail was scanned  filtered by Declude [1.76i26] for SPAM  virus.
 X-Weight: 10
 X-Note: Sent from Reverse DNS:  adsl-068-016-167-035.sip.jan.bellsouth.net
 X-Hello: adsl-068-016-167-035.sip.jan.bellsouth.net
 X-Spam-Tests-Failed: NOABUSE, IPNOTINMX, NOLEGITCONTENT, FILTER-BODYURL,
  FILTER-BODY-GIBBERISH, FILTER-BODY-ANTIGIBBERISH, COUNTRY
 X-Note: Recipient(s):  [EMAIL PROTECTED]
 X-Country-Chain: CANADA-UNITED STATES-destination
 X-RCPT-TO: [EMAIL PROTECTED]
 Status: U
 X-UIDL: 360625165
 ==
 !DOCTYPE HTML PUBLIC -//W3C//DTD HTML 4.0 Transitional//EN
 
 html
 head
  titleUntitled/title
 /head
 
 bodyBR
 DIV id=message
 TABLE cellSpacing=0 cellPadding=0 width=100% border=0 ?
 
   TR
 TD
   STYLE#message {
  FONT-FAMILY: arial
 }
 /STYLE
   XBODY
   DIV
   DIV/DIV
   TABLE cellSpacing=0 cellPadding=0 width=600 border=0
 
 TR
   TD width=150A href=http://www.ebay.com/;
   target=_blankIMG 
 height=80 alt=eBay logo hspace=0 
 src=http://pics.ebay.com/aw/pics/homepage/v2/logo_171x102
 .gif width=173 border=0/A /TD
   TD vAlign=top align=right width=450MAP 
   name=home_myebay_map_hasJSAREA shape=RECT
   target=_blank
 alt=Home 
   coords=209,0,256,15
   href=http://pages.ebay.com/index.html;
 http://pages.ebay.com/index.html AREA 
   shape=RECT target=_blank alt=My#10;eBay
   coords=257,0,318,15
 
   href=http://cgi1.ebay.com/aw-cgi/eBayISAPI.dll?MyEbayLo
   gin
 http://cgi1.ebay.com/aw-cgi/eBayISAPI.dll?MyEbayLogin AREA 
   shape=RECT target=_blank alt=Site Map
   coords=319,0,383,15
   href=http://pages.ebay.com/sitemap.html;
 http://pages.ebay.com/sitemap.html AREA shape=RECT 
   target=_blank alt=Sign In/Out coords=384,0,447,15
   href=http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn;
 http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn /MAPBR 
 clear=all/TD/TR/TABLE
   P align=leftDear eBay user, BRAs part of our continuing
   commitment
 to 
   protect your account and to reduce the instance of fraud on our
 website, 
   we are undertaking a period review of our member accounts.
   BRYou are
 
   requested to visit our site by following the link given below
   BRA 
 
 href=http://www.cgi5-update.com/ebay-verify-account-57435-5645-3765/d
 irDllS
 Sl856-4756-JkkLEbay-547864/newUseBay485-5754-575Hq35-56-SSL/Verify.htm
  
 
 target=_blankhttp://www.ebay.com/aw-cgi/eBayISAPI.dll?verification/%?
 708808 0019/A/ 
   P 
   A 
   href=http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnte
   rInfo
 http://cgi3.ebay.com:aw-cgieBayISAPI.dllSignInRegisterEnterInfoamp;s
 iteid= [EMAIL PROTECTED]/cgi_39ny5bay/
 amp;[EMAIL 

RE: [Declude.JunkMail] This one eBay fraud.. came right through..

2003-11-20 Thread Colbeck, Andrew
I agree with Matt's analysis, the payload link is the one that points to
cgi5-update[dot]com, and that text could be banned with a JunkMail Pro text
filter.

The IP address embedded in the long verification HREF is a tracking bug.
By viewing the message in HTML, the webserver at that IP is logging that
someone viewed it.  Maybe there is useful data in the URL to him, maybe not.
The server, www.aquirerealty[dot]com may be an insecure host, and not the
phisher himself.

Another interesting link is the one at the bottom with the counter
statistics.  There is a geo.yahoo.com tracking bug, which may be a red
herring, or may really be tracking statistics for the phisher.  The source
of the http://domainpending[dot]com/js_source/geov2.js however is heavily
blacklisted and SPEWS fingers the server as being associated with Richard
Girard / mtlmarketing[dot]com

YMMV... Andrew 8)
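
A detection sketch for the two link traits discussed in this thread: a link whose visible text names one site while its href goes to another, and an href whose host is a bare IP address. This is an added example, not code from the thread or from Declude; the sample HTML is constructed (the .example host and 192.0.2.10 are placeholders), and the two-label domain comparison is a simplifying assumption.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# First thing in the link text that looks like a host name.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def site(host):
    # Naive "last two labels"; a production filter should use the
    # Public Suffix List instead (assumption made for brevity).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return [(reason, href_host, host_shown_in_text_or_None), ...]."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        try:
            host = urlsplit(href).hostname
        except ValueError:
            continue  # unparseable href, nothing to compare
        if not host:
            continue
        match = HOST_IN_TEXT.search(text)
        shown = match.group(1).lower() if match else None
        if is_ip(host):
            findings.append(("ip-literal-host", host, shown))
        elif shown and site(shown) != site(host):
            findings.append(("text-host-mismatch", host, shown))
    return findings


# Constructed sample modelled on the structure of the posted message.
SAMPLE_HTML = """
<a href="http://www.account-update.example/verify/Verify.htm"
   target="_blank">http://www.ebay.com/aw-cgi/eBayISAPI.dll?verification</a>
<a href="http://pages.ebay.com/index.html">http://pages.ebay.com/index.html</a>
<a href="http://192.0.2.10/cgi/track">Sign In</a>
<a href="http://cgi3.ebay.com/aw-cgi/eBayISAPI.dll?SignIn">Sign In</a>
"""
```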
