RE: [Declude.JunkMail] Phishing Question
I thought that it would be pretty stupid for a phishing person to use their own site (but you never know) and so the probability was that the site has been hacked. I have already blocked the whole site. I will report to the two addresses and if the guy has an e-mail address on his site I will send him a link to his own site :) He will probably be surprised when he clicks on it.

Thanx for the answers

Goran Jovanovic
The LAN Shoppe
2345 Yonge Street, Suite 302
Toronto, Ontario M4P 2E5
Phone: (416) 440-1167 x-2113
Cell: (416) 931-0688
E-Mail: [EMAIL PROTECTED]

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Matt
> Sent: Thursday, May 12, 2005 4:33 PM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] Phishing Question

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Phishing Question
One slight correction here. The domain haukelid.com doesn't belong to the phisher. This is an active site that was likely just simply hacked and then the PHP code was placed on it...it's a pretty ingenious way to get a clean address.

Matt

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
RE: [Declude.JunkMail] Phishing Question
Whoops, slip of the finger, there. That second email address should have been: [EMAIL PROTECTED]

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, May 12, 2005 1:17 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Phishing Question
Re: [Declude.JunkMail] Phishing Question
Goran,

It's probably DHTML being used to fake an address bar in a window that doesn't have one, or it is placing a fake address bar on top of the real one. It might look real, but it isn't. It is safe to blacklist haukelid.com, and that's all that you need to do about it.

Matt
RE: [Declude.JunkMail] Phishing Question
You're seeing a full-size browser window, with a graphic that is the fake bar, and a form that is designed to look like the address bar. In other words, they're using fake graphic elements to make you think you're at the right site.

Yes, block the site. Also, send a copy of the original spam to: [EMAIL PROTECTED] and [EMAIL PROTECTED]

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, May 12, 2005 1:17 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Phishing Question
[Declude.JunkMail] Phishing Question
Hi,

I do not understand how this is being displayed in IE.

I got a phishing e-mail reported to me and I went to check it out.

This is the HTML text:

To log into your account and verify your account activity, click here: <a onmouseover="window.status='https://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;" href="http://haukelid.com/hfl/.rbc/index.php" target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH</a>

Now I understand that this shows up in the e-mail as www1.royalbank.com/

So what I did was to go to the haukelid.com/... page directly in IE. When I get there the address in the address bar is http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH

How is this possible to display some other address when I went to the haukelid.com address?

What would people do to prevent this mail from getting through in the future?

In the past I would have put into my phishing.txt filter http://haukelid.com but when I go there it is a "real" site and the first level down is also a real site. I am tempted to ban it at the top level as this person is either using his own site to do phishing from or his site is compromised and the next URL could be somewhere else on his site.

Can I get some thoughts on this.

Thanx

Goran Jovanovic
The LAN Shoppe
Re: [Declude.JunkMail] Custom Filter Diagnosis Help
Are you using anything like "SKIPIFWEIGHT" options in the filter or "ENDS" clauses.

Darrell

Check out http://www.invariantsystems.com for utilities for Declude And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG Integration, and Log Parsers.
Re: [Declude.JunkMail] Custom Filter Diagnosis Help
>Also, one thing that can affect the filter files that I have seen in the
>past is spammers will put fake html tags in the middle of the URI to get it
>past filters
>
>Example: americaspharm.com - the email client will normally
>interpret this correctly and display americaspharm.com (i.e. not rendering
>the fake tag).

My original post that contained the offending message was in plain-text format showing no embedded HTML tags in the domain name. I did save the 'D*.SMD' file...here is how the URL shows in plain-text:

http://americaspharma.com/

I suspect that the test is not being run at all, and that something (another test, perhaps?) is preventing this...but, I have no idea what to look for.

--
Kim W. Premuda
FastWave Internet Services
San Diego, CA

---
[This E-mail scanned for viruses by Declude Virus]
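An added example, not code from the list or from Declude, showing from the filter side the two tricks discussed in these threads: the Royal Bank message's anchor, whose link text and window.status name www1.royalbank.com while the href goes to haukelid.com, and the fake-tag-in-the-URI trick quoted above. The opening `<a` of the quoted anchor is a reconstruction (the archive dropped it), and the `americas<b></b>pharm.com` sample is constructed, since the original tag did not survive in the archive.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Bare-URL matcher; stops at quotes so it also works inside window.status='...'.
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
TAG_RE = re.compile(r"<[^>]+>")  # undoes tag-stuffing such as americas<b></b>pharm.com

def host_of(url):
    return (urlparse(url).hostname or "").lower()

class AnchorCollector(HTMLParser):
    """Records each <a>'s href, onmouseover handler and visible link text."""
    def __init__(self):
        super().__init__()
        self.anchors, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._cur = {"href": a.get("href") or "",
                         "onmouseover": a.get("onmouseover") or "", "text": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.anchors.append(self._cur)
            self._cur = None

def parse_anchors(html):
    p = AnchorCollector(); p.feed(html); p.close()
    return p.anchors

def find_deceptive_links(html):
    """Flag anchors whose link text or status-bar script shows a host other than the href's."""
    findings = []
    for a in parse_anchors(html):
        real = host_of(a["href"])
        shown = {host_of(u) for u in URL_RE.findall(a["text"] + " " + a["onmouseover"])}
        shown -= {real, ""}
        if real and shown:
            findings.append({"href": a["href"], "real_host": real,
                             "shown_hosts": sorted(shown)})
    return findings

def extract_hosts(html):
    """Hosts to check against a domain blocklist (e.g. a phishing.txt entry):
    anchor hrefs plus URLs found after stripping tags from the body."""
    hosts = {host_of(a["href"]) for a in parse_anchors(html)}
    hosts |= {host_of(u) for u in URL_RE.findall(TAG_RE.sub("", html))}
    return hosts - {""}

# Constructed sample: the anchor quoted in the thread, with the opening <a>
# (dropped by the archive) assumed.
PHISH_HTML = (
    "click here: <a onmouseover=\"window.status='https://www1.royalbank.com/cgi-bin/rbaccess/"
    "rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH'; return true;\" href=\"http://haukelid.com/hfl/.rbc/index.php\" "
    "target=_blank>http://www1.royalbank.com/cgi-bin/rbaccess/rbunxcgi?REQUEST=ClientSignin&LANGUAGE=ENGLISH</a>")
# Constructed sample of the tag-stuffing trick described in this thread.
STUFFED_HTML = "Order now at http://americas<b></b>pharm.com/ today"
```

Matching a raw regex against STUFFED_HTML yields only "http://americas", which is exactly why a domain filter misses the stuffed URI; extract_hosts strips the tags first.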
RE: [Declude.JunkMail] Little bit OT - HELO/EHLO with Smarthost?
If you use "Relay for Addresses" and put the IP(s) of the company in question, Imail will relay the messages (after scanning by Declude). If you are set to "No Mail Relay", then the company would have to authenticate to send, but since there isn't a host on the server for the company they won't be able to. (side note: If you are using ANY other relay method, you are an open relay and should change to one of the two methods listed above.)

The outgoing HELO will be the OHN of your Imail server, since it doesn't know about your customer's domain. If you can't use "Relay for Addresses" for some reason (customer has dynamic IP's), or you need the HELO to change, you need to add the domain (and users) to your Imail config. I am not positive about this last point, but I believe that for the HELO to change, the domain cannot be a "virtual" but must have an IP address.

Dan Horne

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hirthe, Alexander
Sent: Thursday, May 12, 2005 7:57 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Little bit OT - HELO/EHLO with Smarthost?
[Declude.JunkMail] Little bit OT - HELO/EHLO with Smarthost?
Hello,

what happens to a mail that a customer sends to us to be checked and then should be delivered to the world (see other mail, a customer with his own server, we checked their mail and forward it to them, this time vice versa)

Them: [EMAIL PROTECTED]
We: relay.siller.de

Relayserver for company.domain is relay.siller.de

The Domain "company.domain" does not exist on our server, what will happen to this mail? Imail will take the mail to look what's inside and pass it to declude. (I hope :)

If it will be delivered, will the ehlo/helo name change to the customer's domain?

Alex