[Spambayes] Exceptionally well-done identity-theft spam
Tim Peters
tim.one at comcast.net
Mon Dec 29 20:05:19 EST 2003
[Skip]
>> The real kicker here is this URL:
>>
>> http://www.paypal.com%65%6B%6A%68%61%73%6B%6A%71%70%77%6F%70%77%6F@%32%31%31.%36%33.%31%36%32.%39%33:%37%33%30%31/%70%61%79%70%61%6C.%68%74%6D
>> which unmangles to:
>> http://www.paypal.comekjhaskjqpwopwo@211.63.162.93:7301/paypal.htm
>> I'm not about to visit that URL, but I'm almost certain
>> it will look just like a PayPal page and that 211.63.162.93
>> is not in PayPal's universe.
[Tony Meyer]
> I was curious, so had a look. It certainly does look nice and
> PayPal-like (although there's one little bit of broken html at the
> bottom).
Most of the links on the page point to graphics on the PayPal site, so they
couldn't look more genuine.
> (I removed the comekjhaskjqpwopwo in case that sent some
> sort of "Tim Peters is an idiot" message <wink>).
That's peculiar -- I *added* tony_meyer to it <wink>.
> Still curious, I tokenized the paypal.htm file, which scored .98 for
> me, but then I haven't trained on any PayPal mail either, so that's
> probably meaningless :) OTOH, urllib2 couldn't demangle the URL (the
> username bit, I think) so it would have actually generated a "bad
> url" token with the experimental URL 'slurper' option. Still, one
> token wouldn't make much difference.
Nope, it sure wouldn't. I tracked the IP address to this tiny block:
IP Address : 211.63.162.64-211.63.162.95
Network Name : KORNET-HOTLINE2003239528
Connect ISP Name : KORNET
Connect Date : 20031202
Registration Date : 20031224
This required going from an Anglocentric "whois" database, to an
Asian-Pacific one, and then to Korea. That seems darned hard to automate
too. If you want to complain, here's the contact info <heh>:
Name : inseob bak
Org Name : bakinseob
State : KYONGGI
Address : sehwajeongmil(ju) ho 0001 beonji 0707 namsabuk yonginsi
Zip Code : 111-222
Phone : +82-31-334-1511
E-Mail : ktmen1 at kt.co.kr
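
The URL trick discussed in this thread (percent-encoded authority, a brand-like string before the `@`, and an IP literal as the real host) can be flagged mechanically. The following is an added example, not part of the original post and not Spambayes code; `analyze_url` and its finding strings are hypothetical names, and it uses Python 3's `urllib.parse` rather than the `urllib2` mentioned above.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# The URL quoted in the thread, used here as sample input.
SAMPLE = ("http://www.paypal.com%65%6B%6A%68%61%73%6B%6A%71%70%77%6F%70%77%6F"
          "@%32%31%31.%36%33.%31%36%32.%39%33:%37%33%30%31"
          "/%70%61%79%70%61%6C.%68%74%6D")


def analyze_url(url):
    """Return (decoded_url, real_host, findings) for one URL string."""
    parts = urlsplit(url)
    raw_netloc = parts.netloc
    # Decode only the authority first: escapes here hide where the
    # browser will really connect.
    netloc = unquote(raw_netloc)
    # Everything before the last '@' is userinfo, not the host.
    userinfo, at, hostport = netloc.rpartition("@")
    m = re.match(r"^(.*?)(?::(\d*))?$", hostport)
    host, port = m.group(1).strip("[]"), m.group(2)

    findings = []
    if "%" in raw_netloc:
        findings.append("percent-encoded authority")
    if at:
        findings.append("userinfo present")
        user = userinfo.split(":")[0]
        # Userinfo that reads like a hostname exists to fool the eye.
        if re.match(r"^(www\.)?[\w-]+\.[a-z]{2,}", user, re.I):
            findings.append("userinfo resembles a hostname")
    try:
        ipaddress.ip_address(host)
        findings.append("host is an IP literal")
    except ValueError:
        pass
    if port and port not in ("80", "443"):
        findings.append("non-standard port")

    decoded = f"{parts.scheme}://{netloc}{unquote(parts.path)}"
    return decoded, host, findings


if __name__ == "__main__":
    decoded, host, findings = analyze_url(SAMPLE)
    print(decoded)
    print("connects to:", host)
    print("findings:", ", ".join(findings))
```

Each finding could be emitted as a separate tokenizer token, so a classifier can weigh them individually instead of relying on a single "bad url" token.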