[Spambayes] Exceptionally well-done identity-theft spam
Skip Montanaro
skip at pobox.com
Mon Dec 29 16:08:18 EST 2003

    Tim> If you get something like the attached, don't go to the website and
    Tim> "update" your PayPal account information. I just got this, and my
    Tim> classifier scored it at 1% (0.01). It looks a lot like real email
    Tim> from PayPal -- both to me, and to my classifier.

Yeah, this is a stinker. I get them all the time. Interestingly enough,
your message scored 0.69 for me. It probably would have scored as spam
except it came from you. ;-)

The real kicker here is this URL:

    http://www.paypal.com%65%6B%6A%68%61%73%6B%6A%71%70%77%6F%70%77%6F@%32%31%31.%36%33.%31%36%32.%39%33:%37%33%30%31/%70%61%79%70%61%6C.%68%74%6D

which unmangles to:

    http://www.paypal.comekjhaskjqpwopwo@211.63.162.93:7301/paypal.htm

I'm not about to visit that URL, but I'm almost certain it will look just
like a PayPal page and that 211.63.162.93 is not in PayPal's universe.

This suggests some more possible things to try:

    * URLs which have usernames in them
    * URLs which refer to non-standard ports
    * URLs with IP addresses instead of hostnames (in addition to specific
      hosts or networks)

I haven't looked to see if any of these are already recognized, but all
three techniques seem to be prevalent or required by such scams.

Skip
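
The three URL checks suggested in the message above, as an added example (not part of the original post and not SpamBayes' own tokenizer code). The function name `url_clues`, the clue strings and the default-port table are assumptions made for illustration; the sample input is the URL quoted in the message.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Assumed table of scheme defaults; any other explicit port counts as unusual.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# The escaped URL quoted in the message, used here only as parser input.
SAMPLE_URL = (
    "http://www.paypal.com%65%6B%6A%68%61%73%6B%6A%71%70%77%6F%70%77%6F"
    "@%32%31%31.%36%33.%31%36%32.%39%33:%37%33%30%31/%70%61%79%70%61%6C.%68%74%6D"
)


def url_clues(url):
    """Return a sorted list of clue tokens (hypothetical names) for one URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()

    # Everything before the last '@' in the authority is userinfo, not the host.
    _userinfo, at, hostport = parts.netloc.rpartition("@")

    # Decode %XX escapes only after splitting, so that the host and port are
    # judged on the characters a mail client would actually connect to.
    hostport = unquote(hostport)
    host, colon, port = hostport.rpartition(":")
    if not colon or not port.isdigit():
        host, port = hostport, ""  # no explicit port (or a bare IPv6 literal)

    clues = set()
    if at:
        clues.add("url:has-userinfo")
    if port and int(port) != DEFAULT_PORTS.get(scheme):
        clues.add("url:nonstandard-port")
    try:
        ipaddress.ip_address(host.strip("[]"))
        clues.add("url:ip-host")
    except ValueError:
        pass  # an ordinary hostname
    return sorted(clues)


if __name__ == "__main__":
    for candidate in (SAMPLE_URL, "https://www.paypal.com/login"):
        print(url_clues(candidate), candidate[:40])
```

The quoted URL produces all three clues, while an ordinary hostname URL on its default port produces none, so the tokens would only show up in messages that use these tricks.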