ail@declude.com
> Subject: RE: [Declude.JunkMail] Phishing
>
> Without my so much as glancing at the potential false positives, this
> is
> a treasure trove or actual phishing URLs:
>
> http://www.phishtank.com/phish_archive.php
>
> A glance at which tells me that another usef
Without my so much as glancing at the potential false positives, this is
a treasure trove or actual phishing URLs:
http://www.phishtank.com/phish_archive.php
A glance at which tells me that another useful PCRE would be to (pseudo
code follows):
IPADDRESS then (/ character) then stuff including D
D] On Behalf Of
Darrell ([EMAIL PROTECTED])
Sent: Tuesday, June 06, 2006 8:54 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] phishing
SANE - too quick on the type..
http://www.sanesecurity.com/clamav/
---
Check out http://www.i
, June 06, 2006 9:32 AM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] phishing
Roger,
Are you using the SANS phish signatures? Since we started using we
have
seen virtually zero get through.
Darrell
---
fpReview - The quick way
9:32 AM
> To: declude.junkmail@declude.com
> Subject: Re: [Declude.JunkMail] phishing
>
> Roger,
>
> Are you using the SANS phish signatures? Since we started using we
have
> seen virtually zero get through.
>
> Darrell
>
> ---
Roger,
Are you using the SANS phish signatures? Since we started using we have
seen virtually zero get through.
Darrell
---
fpReview - The quick way to reviewing false positives.
http://www.invariantsystems.com
Schmeits, Roger writes:
What are p
PROTECTED]
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Matt
> Sent: Thursday, May 12, 2005 4:33 PM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] Phishing Question
>
> One slight corr
One slight correction here. The domain haukelid.com doesn't belong to
the phisher. This is an active site that was likely just simply hacked
and then the PHP code was placed on it...it's a pretty ingenious way to
get a clean address.
Matt
Goran Jovanovic wrote:
Hi,
I do not understand how th
Whoops, slip of the finger, there. That second email address should
have been:
[EMAIL PROTECTED]
Andrew 8)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
Sent: Thursday, May 12, 2005 1:17 PM
To: Declude.JunkMail@declude.com
Su
Goran,
It's probably DHTML being used to fake an address bar in a window that
doesn't have one, or it is placing a fake address bar on top of the real
one. It might look real, but it isn't. It is safe to blacklist
haukelid.com, and that's all that you need to do about it.
Matt
Goran Jovanov
You're seeing a full-size browser window, with a graphic that is the
fake bar, and a form that is designed to look like the address bar.
In other words, they're using fake graphic elements to make you think
you're at the right site.
Yes, block the site.
Also, send a copy of the original spam to:
I use two things to 2 things use to combat phish.
1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656
in January. It's a beast on your CPU utilization as almost every mail will
need to be virus scanned.
2. A MINWEIGHTTOFAIL filter that means the filter must match 4 or mor
dead now
- Original Message -
From:
Kami Razvan
To: [EMAIL PROTECTED]
Sent: Monday, October 04, 2004 6:05
AM
Subject: [Declude.JunkMail] phishing-
live
Hi;
Phishing.. still
alive
http://221.139.2.111/citifi/
Regards,
Kami
email:
: [EMAIL PROTECTED]
WWW: http://www.twu.ca/technology
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, June 08, 2004 2:23 PM
To: Kami Razvan
Subject: Re: [Declude.JunkMail] Phishing attempt- site is live
We've had this o
: [Declude.JunkMail] Phishing attempt- site is live
When I went to http://200.97.91.210/citi/ I get a page not found??
Goran Jovanovic
The LAN Shoppe
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail
To: Kami Razvan
> Subject: Re: [Declude.JunkMail] Phishing attempt- site is live
>
> We've had this one in Sniffer for a while.
> They were originally going after Sun Trust:
>
> Rule ID - 99546
> Created - 2004-03-22
> From Source - http://200.97.91.
> Rule Type
We've had this one in Sniffer for a while.
They were originally going after Sun Trust:
Rule ID - 99546
Created - 2004-03-22
From Source - http://200.97.91.
Rule Type - Numbered Link
Origin - Spam Trap
Original Rule Name - suntrust phishing
Current Strength - 2.68760205
_M
On Tuesday, June 8, 200
TECTED] [mailto:Declude.JunkMail-
> [EMAIL PROTECTED] On Behalf Of Goran Jovanovic
> Sent: Saturday, April 24, 2004 9:13 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank
>
> John,
>
> Do you have a filter that searches for URLs in the BODY
s)
> Sent: Saturday, April 24, 2004 12:11 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank
>
> Thanks.
>
> I also added ".citibankonline.com:" without the quotes to the filter.
> (Note
> the colon.)
>
> John Tolmac
Thanks.
I also added ".citibankonline.com:" without the quotes to the filter. (Note
the colon.)
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan
Sent: Saturday, April 24, 2004 8:43 A
Not knowing enough about the way WHOIS works, could a test be set up that
would heavily weight any e-mails that come from a "New" domain? This
would really help the pill/porn pushers
It's something that we would like to do, but automated WHOIS lookups are a
Bad Thing. Domain registrars wo
D] [mailto:[EMAIL PROTECTED]
On Behalf Of Colbeck, AndrewSent: Saturday, April 03, 2004
7:17 PMTo: '[EMAIL PROTECTED]'Subject: RE:
[Declude.JunkMail] Phishing?
The DNS and web
server for this domain were on dynamic-range hosts and have already been shut
down. The WHOIS regi
Title: Message
The DNS and web
server for this domain were on dynamic-range hosts and have already been shut
down. The WHOIS registration is a little more than a week old.
Googling the net-abuse groups turns up:
http://groups.google.ca/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=30cd601n6r
We got a copy of this in our system also. Norton detects a virus when
you visit the page.
Matt
Kami Razvan wrote:
Hi;
I
just received the following in our info account. I believe it is a
phishing attempt.
Attached
is the actual email.
The
source:
==
Hi Rami-
I think you can safely conclude that when the link
shows a well-formed URL to the viewer and has a different address in the
link that there's something phishy going on.
I wonder if anybody's written something to detect
this?
-Dave
- Original Message -
From:
Gerald,
There is a great little COM addin available at
http://www.xintercept.com/pkpeek.htm, I use it to open mail/examine headers
all the time.
Fritz
Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net
() ascii ribbon campai
On Sun, 22 Feb 2004 22:51:34 -0800
John Tolmachoff \(Lists\) said something about RE: [Declude.JunkMail] phishing scam:
> > I hate Outlook. I've never figured out how to get a real 'exact' copy
> > of what was delivered back out of it the way you can when using any M
ists) [mailto:[EMAIL PROTECTED]
Sent: Sunday, February 22, 2004 10:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] phishing scam
> Below is what I could figure out how to retrieve from Outlook -- I hate
> Outlook. I've never figured out how to get a real 'exact'
> Below is what I could figure out how to retrieve from Outlook -- I hate
> Outlook. I've never figured out how to get a real 'exact' copy of what was
> delivered back out of it the way you can when using any MUA that stores in
> mbox or maildir format.
Ever try searching the MS KB for view header
29 matches
Mail list logo