RE: [Declude.JunkMail] Phishing

2007-05-15 Thread Kevin Bilbee
ail@declude.com > Subject: RE: [Declude.JunkMail] Phishing > > Without my so much as glancing at the potential false positives, this > is > a treasure trove of actual phishing URLs: > > http://www.phishtank.com/phish_archive.php > > A glance at which tells me that another usef

RE: [Declude.JunkMail] Phishing

2007-05-15 Thread Colbeck, Andrew
Without my so much as glancing at the potential false positives, this is a treasure trove of actual phishing URLs: http://www.phishtank.com/phish_archive.php A glance at which tells me that another useful PCRE would be to (pseudo code follows): IPADDRESS then (/ character) then stuff including D

RE: [Declude.JunkMail] phishing

2006-06-06 Thread Schmeits, Roger
D] On Behalf Of Darrell ([EMAIL PROTECTED]) Sent: Tuesday, June 06, 2006 8:54 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] phishing SANE - too quick on the type.. http://www.sanesecurity.com/clamav/ --- Check out http://www.i

Re: [Declude.JunkMail] phishing

2006-06-06 Thread Darrell ([EMAIL PROTECTED])
, June 06, 2006 9:32 AM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] phishing Roger, Are you using the SANS phish signatures? Since we started using we have seen virtually zero get through. Darrell --- fpReview - The quick way

RE: [Declude.JunkMail] phishing

2006-06-06 Thread Goran Jovanovic
9:32 AM > To: declude.junkmail@declude.com > Subject: Re: [Declude.JunkMail] phishing > > Roger, > > Are you using the SANS phish signatures? Since we started using we have > seen virtually zero get through. > > Darrell > > ---

Re: [Declude.JunkMail] phishing

2006-06-06 Thread Darrell ([EMAIL PROTECTED])
Roger, Are you using the SANS phish signatures? Since we started using we have seen virtually zero get through. Darrell --- fpReview - The quick way to reviewing false positives. http://www.invariantsystems.com Schmeits, Roger writes: What are p

RE: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Goran Jovanovic
PROTECTED] > -Original Message- > From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of Matt > Sent: Thursday, May 12, 2005 4:33 PM > To: Declude.JunkMail@declude.com > Subject: Re: [Declude.JunkMail] Phishing Question > > One slight corr

Re: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Matt
One slight correction here. The domain haukelid.com doesn't belong to the phisher. This is an active site that was likely just simply hacked and then the PHP code was placed on it...it's a pretty ingenious way to get a clean address. Matt Goran Jovanovic wrote: Hi, I do not understand how th

RE: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Colbeck, Andrew
Whoops, slip of the finger, there. That second email address should have been: [EMAIL PROTECTED] Andrew 8) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic Sent: Thursday, May 12, 2005 1:17 PM To: Declude.JunkMail@declude.com Su

Re: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Matt
Goran, It's probably DHTML being used to fake an address bar in a window that doesn't have one, or it is placing a fake address bar on top of the real one. It might look real, but it isn't. It is safe to blacklist haukelid.com, and that's all that you need to do about it. Matt Goran Jovanov

RE: [Declude.JunkMail] Phishing Question

2005-05-12 Thread Colbeck, Andrew
You're seeing a full-size browser window, with a graphic that is the fake bar, and a form that is designed to look like the address bar. In other words, they're using fake graphic elements to make you think you're at the right site. Yes, block the site. Also, send a copy of the original spam to:

Re: [Declude.JunkMail] Phishing

2005-02-16 Thread Scott Fisher
I use two things to combat phish. 1. Prescan off in Declude Virus and use clamav as a scanner. This caught 656 in January. It's a beast on your CPU utilization as almost every mail will need to be virus scanned. 2. A MINWEIGHTTOFAIL filter that means the filter must match 4 or mor

Re: [Declude.JunkMail] phishing- live

2004-10-04 Thread Dave Doherty
dead now - Original Message - From: Kami Razvan To: [EMAIL PROTECTED] Sent: Monday, October 04, 2004 6:05 AM Subject: [Declude.JunkMail] phishing- live Hi;   Phishing.. still alive   http://221.139.2.111/citifi/   Regards, Kami   email:

RE: [Declude.JunkMail] Phishing attempt- site is live

2004-06-12 Thread Richard Edge
: [EMAIL PROTECTED] WWW: http://www.twu.ca/technology -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil Sent: Tuesday, June 08, 2004 2:23 PM To: Kami Razvan Subject: Re: [Declude.JunkMail] Phishing attempt- site is live We've had this o

RE: [Declude.JunkMail] Phishing attempt- site is live

2004-06-08 Thread Kami Razvan
: [Declude.JunkMail] Phishing attempt- site is live When I went to http://200.97.91.210/citi/ I get a page not found?? Goran Jovanovic The LAN Shoppe --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail

RE: [Declude.JunkMail] Phishing attempt- site is live

2004-06-08 Thread Goran Jovanovic
To: Kami Razvan > Subject: Re: [Declude.JunkMail] Phishing attempt- site is live > > We've had this one in Sniffer for a while. > They were originally going after Sun Trust: > > Rule ID - 99546 > Created - 2004-03-22 > From Source - http://200.97.91. > Rule Type

Re: [Declude.JunkMail] Phishing attempt- site is live

2004-06-08 Thread Pete McNeil
We've had this one in Sniffer for a while. They were originally going after Sun Trust: Rule ID - 99546 Created - 2004-03-22 From Source - http://200.97.91. Rule Type - Numbered Link Origin - Spam Trap Original Rule Name - suntrust phishing Current Strength - 2.68760205 _M On Tuesday, June 8, 200

RE: [Declude.JunkMail] Phishing attempt- CitiBank

2004-04-24 Thread John Tolmachoff (Lists)
TECTED] [mailto:Declude.JunkMail- > [EMAIL PROTECTED] On Behalf Of Goran Jovanovic > Sent: Saturday, April 24, 2004 9:13 AM > To: [EMAIL PROTECTED] > Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank > > John, > > Do you have a filter that searches for URLs in the BODY

RE: [Declude.JunkMail] Phishing attempt- CitiBank

2004-04-24 Thread Goran Jovanovic
s) > Sent: Saturday, April 24, 2004 12:11 PM > To: [EMAIL PROTECTED] > Subject: RE: [Declude.JunkMail] Phishing attempt- CitiBank > > Thanks. > > I also added ".citibankonline.com:" without the quotes to the filter. > (Note > the colon.) > > John Tolmac

RE: [Declude.JunkMail] Phishing attempt- CitiBank

2004-04-24 Thread John Tolmachoff (Lists)
Thanks. I also added ".citibankonline.com:" without the quotes to the filter. (Note the colon.) John Tolmachoff Engineer/Consultant/Owner eServices For You -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kami Razvan Sent: Saturday, April 24, 2004 8:43 A

RE: [Declude.JunkMail] Phishing? (Possible test?)

2004-04-05 Thread R. Scott Perry
Not knowing enough about the way WHOIS works, could a test be set up that would heavily weight any e-mails that come from a "New" domain? This would really help the pill/porn pushers It's something that we would like to do, but automated WHOIS lookups are a Bad Thing. Domain registrars wo

RE: [Declude.JunkMail] Phishing? (Possible test?)

2004-04-04 Thread Jason
D] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew Sent: Saturday, April 03, 2004 7:17 PM To: '[EMAIL PROTECTED]' Subject: RE: [Declude.JunkMail] Phishing? The DNS and web server for this domain were on dynamic-range hosts and have already been shut down. The WHOIS regi

RE: [Declude.JunkMail] Phishing?

2004-04-03 Thread Colbeck, Andrew
The DNS and web server for this domain were on dynamic-range hosts and have already been shut down. The WHOIS registration is a little more than a week old. Googling the net-abuse groups turns up: http://groups.google.ca/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=30cd601n6r

Re: [Declude.JunkMail] Phishing?

2004-04-03 Thread Matt
We got a copy of this in our system also.  Norton detects a virus when you visit the page. Matt Kami Razvan wrote: Hi;   I just received the following in our info account.  I believe it is a phishing attempt.   Attached is the actual email.   The source:   ==

Re: [Declude.JunkMail] Phishing?

2004-04-03 Thread Dave Doherty
Hi Rami-   I think you can safely conclude that when the link shows a well-formed URL to the viewer and has a different address in the link that there's something phishy going on.   I wonder if anybody's written something to detect this?   -Dave     - Original Message - From:

RE: [Declude.JunkMail] phishing scam

2004-02-23 Thread Fritz Squib
Gerald, There is a great little COM addin available at http://www.xintercept.com/pkpeek.htm, I use it to open mail/examine headers all the time. Fritz Frederick P. Squib, Jr. Network Operations/Mail Administrator Citizens Telephone Company of Kecksburg http://www.wpa.net () ascii ribbon campai

Re: [Declude.JunkMail] phishing scam

2004-02-23 Thread Gerald V. Livingston II
On Sun, 22 Feb 2004 22:51:34 -0800 John Tolmachoff (Lists) said something about RE: [Declude.JunkMail] phishing scam: > > I hate Outlook. I've never figured out how to get a real 'exact' copy > > of what was delivered back out of it the way you can when using any M

RE: [Declude.JunkMail] phishing scam

2004-02-23 Thread Colbeck, Andrew
ists) [mailto:[EMAIL PROTECTED] Sent: Sunday, February 22, 2004 10:52 PM To: [EMAIL PROTECTED] Subject: RE: [Declude.JunkMail] phishing scam > Below is what I could figure out how to retrieve from Outlook -- I hate > Outlook. I've never figured out how to get a real 'exact'

RE: [Declude.JunkMail] phishing scam

2004-02-22 Thread John Tolmachoff (Lists)
> Below is what I could figure out how to retrieve from Outlook -- I hate > Outlook. I've never figured out how to get a real 'exact' copy of what was > delivered back out of it the way you can when using any MUA that stores in > mbox or maildir format. Ever try searching the MS KB for view header