I had one a couple months back from Cisco Systems asking for some updated
information regarding my Cisco Certifications. It looked totally bogus, going
to a non-Cisco.com domain hosted in a foreign country; the links listed in the
email went to a different spot than they said they were for.  I put in a TAC
case to let them know someone was phishing, asking for Cisco certification
info and CCO logins. I got the response back from Cisco to just click the
links and all would be fine; this time they sent legitimate links, though.
After I asked them to escalate, as they seemed to have no clue, 2 weeks later
I got a response back from someone who actually knew what they were doing,
saying they made the mistake of outsourcing that email to a legitimate
foreign company who was tracking responses through their overseas servers
and then redirecting back to Cisco.com.  It's really bad when the big guys
don't even know what they are doing.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 


-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
Of John T (Lists)
Sent: Wednesday, May 24, 2006 9:59 AM
To: Message Sniffer Community
Subject: Re: [sniffer]Possible Paypal Phishing

That is what has me worried.

John T
eServices For You

"Seek, and ye shall find!"


> -----Original Message-----
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf
> Of Jay Sudowski - Handy Networks LLC
> Sent: Wednesday, May 24, 2006 9:51 AM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> The owner of a domain need not authorize a reverse DNS PTR record in any
> way, shape or form.  If the netblock was owned, or the netblock owner
> had delegated rDNS to a malicious customer, they could easily set rDNS
> to whatever they wanted.  Aol.com, paypal.com, ebay.com, chase.com ...
> 
> -Jay
> -----Original Message-----
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On
> Behalf Of Colbeck, Andrew
> Sent: Wednesday, May 24, 2006 12:38 PM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Possible Paypal Phishing
> 
> It's really from PostDirect.com aka YesMail.com ...
> 
> You can tell that it's authorized because the reverse DNS which ends in
> PayPal.com (ok, that does set off alarm bells when it's someone else's
> netblock) matches the forward lookup of the resulting address at PayPal.
> 
> Therefore, PayPal is deliberately allowing that reverse IP in someone
> else's netblock.
> 
> That, or both the netblock and PayPal's DNS have been p0wned.
> 
> Andrew 8)
> 
> 
> 
> > -----Original Message-----
> > From: Message Sniffer Community
> > [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> > Sent: Wednesday, May 24, 2006 9:31 AM
> > To: Message Sniffer Community
> > Subject: [sniffer]Possible Paypal Phishing
> >
> > Attached are the headers to an e-mail I am suspecting as a
> > clever phishing that has me worried.
> >
> > It looks like a legit message sent on behalf of Paypal,
> > however, it is sent from an IP address not owned by Paypal
> > BUT which has a REVDNS that ends in paypal.com.
> >
> > The message is full of links to images.postdirect.com but
> > does have legit links to paypal.com.
> >
> > John T
> > eServices For You
> >
> > "Seek, and ye shall find!"
> >
> >
> 
> 
> #############################################################
> This message is sent to you because you are subscribed to
>   the mailing list <sniffer@sortmonster.com>.
> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
> Send administrative queries to  <[EMAIL PROTECTED]>
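
The distinction Jay and Andrew discuss above (a PTR record on its own versus a PTR that the domain's own forward lookup confirms), as an added example that is not part of the original thread. The addresses and .example names are constructed sample data, and classify() with its result labels is hypothetical.

```python
import socket

def ptr_names(ip):
    """Live PTR lookup. Whoever controls rDNS for the netblock sets this."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def a_records(name):
    """Live forward lookup. Only the domain's own DNS sets this."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def classify(ip, claimed_domain, ptr=ptr_names, fwd=a_records):
    """Return 'no-ptr', 'ptr-other', 'ptr-only' or 'confirmed' (IPv4 text form)."""
    domain = claimed_domain.rstrip(".").lower()
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not names:
        return "no-ptr"
    # Match on a label boundary so notbank.example does not pass for bank.example.
    in_domain = [n for n in names if n == domain or n.endswith("." + domain)]
    if not in_domain:
        return "ptr-other"
    # The PTR names the domain; that alone proves nothing about the domain
    # owner. Only a forward record pointing back at the same IP does.
    if any(ip in fwd(n) for n in in_domain):
        return "confirmed"
    return "ptr-only"

# Constructed sample data: documentation address ranges and .example names.
PTR = {"192.0.2.10": ["mail.bank.example."],    # rDNS set by the netblock owner
       "198.51.100.7": ["MX1.Bank.Example."],   # third-party sender, confirmed
       "203.0.113.5": ["out.esp.example"]}
A = {"mail.bank.example": ["198.51.100.99"],    # forward record points elsewhere
     "mx1.bank.example": ["198.51.100.7"]}

def demo():
    ips = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.200"]
    return {ip: classify(ip, "bank.example",
                         ptr=lambda i: PTR.get(i, []),
                         fwd=lambda n: A.get(n, [])) for ip in ips}

if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```

A "confirmed" result only shows that the claimed domain's DNS publishes that address; it says nothing about the content of the message.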