[Spambayes] Exceptionally well-done identity-theft spam
Tony Meyer
tameyer at ihug.co.nz
Mon Dec 29 19:17:36 EST 2003
[Skip]
> The real kicker here is this URL:
>
http://www.paypal.com%65%6B%6A%68%61%73%6B%6A%71%70%77%6F%70%77%6F@%32%31%31
.%36%33.%31%36%32.%39%33:%37%33%30%31/%70%61%79%70%61%6C.%68%74%6D
> which unmangles to:
> http://www.paypal.comekjhaskjqpwopwo@211.63.162.93:7301/paypal.htm
> I'm not about to visit that URL, but I'm almost certain
> it will look just like a PayPal page and that 211.63.162.93
> is not in PayPal's universe.
I was curious, so had a look. It certainly does look nice and PayPal-like
(although there's one little bit of broken html at the bottom). (I removed
the comekjhaskjqpwopwo in case that sent some sort of "Tim Peters is an
idiot" message <wink>).
Still curious, I tokenized the paypal.htm file, which scored .98 for me, but
then I haven't trained on any PayPal mail either, so that's probably
meaningless :) OTOH, urllib2 couldn't demangle the URL (the username bit, I
think) so it would have actually generated a "bad url" token with the
experimental URL 'slurper' option. Still, one token wouldn't make much
difference.
=Tony Meyer
More information about the Spambayes
mailing list