phishing

John Coutts

Our email filtering service now detects phishing attempts as viruses. They are
not really viruses, they are just spam, but I guess the anti-virus people
succumbed to pressure from the banks. How anyone could be naive enough to fall
for one of these is beyond me.

Anyway, I noticed that practically all of them come directly to our server from a
freestanding IP address (i.e. they are not routed through a mail server). I
also notice that the same IP is never used more than once, which leads me to
the conclusion that they are being sent from hijacked machines. Interestingly
enough, with the increase in phishing attempts there has been a corresponding
drop in the regular spam mail, which doesn't bother me because phishing
attempts are so easy to recognize (all the HTML).

Has anyone else recognized these patterns?

J.A. Coutts
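A small check for the pattern described in the post above, as an added example that is not code from the thread or from any of its posters: it walks a batch of Received headers (constructed for the example, using documentation IP ranges), flags messages that arrived in a single hop from a host whose reverse DNS looks like a consumer broadband line or resolves to nothing, and counts how often each connecting IP appears across the batch. The hostname patterns treated as "dynamic" are an assumption made here, not any standard list.

```python
import re
from collections import Counter

# Constructed sample data, not real mail. For each message, its Received
# headers in header order: index 0 is the line our own MX wrote when the
# remote host connected; later entries are earlier hops added by other mail
# servers. A single Received header therefore means the originating host
# delivered straight to us, with no relaying mail server in between.
SAMPLES = {
    "phish-1": [
        "from 203-0-113-45.dsl.example-isp.net ([203.0.113.45]) "
        "by mx.example.org with SMTP id 1A; Tue, 2 Nov 2004 09:12:01 +0000",
    ],
    "phish-2": [
        "from unknown (HELO citibank.com) ([198.51.100.7]) "
        "by mx.example.org with SMTP id 1B; Tue, 2 Nov 2004 09:40:17 +0000",
    ],
    "phish-3": [
        "from cpe-198-51-100-7.cable.example-isp.net ([198.51.100.7]) "
        "by mx.example.org with SMTP id 1C; Tue, 2 Nov 2004 11:03:55 +0000",
    ],
    "legit-1": [
        "from smtp-out.example.com ([192.0.2.10]) "
        "by mx.example.org with ESMTP id 1D; Tue, 2 Nov 2004 10:00:00 +0000",
        "from desktop.corp.example.com ([10.1.2.3]) "
        "by smtp-out.example.com with ESMTP id 77; Tue, 2 Nov 2004 09:59:58 +0000",
    ],
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Hostname shapes typical of consumer broadband reverse DNS. These tokens are
# an assumption for the example, not an authoritative list.
DYNAMIC_RE = re.compile(
    r"(?:^|[.\-])(?:dsl|cable|dyn|dynamic|pool|ppp|dial|cpe|dhcp)(?:[.\-]|$)"
    r"|^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}[.\-]",
    re.IGNORECASE,
)


def connecting_host(received_line):
    """Return (hostname, ip) of the host that handed the message to the
    server named after 'by' in this Received header."""
    m = re.match(r"from\s+(\S+)", received_line)
    host = m.group(1) if m else ""
    ip = IP_RE.search(received_line)
    return host, (ip.group(1) if ip else None)


def analyse(messages):
    """Score each message on the two traits from the thread: delivered in a
    single hop from the originating host, and from a host whose reverse DNS
    looks like a broadband customer line (or has no reverse DNS at all)."""
    findings = {}
    for msg_id, received in messages.items():
        host, ip = connecting_host(received[0])
        findings[msg_id] = {
            "ip": ip,
            "direct": len(received) == 1,
            "dynamic_host": bool(DYNAMIC_RE.search(host)),
            "no_rdns": host.lower() == "unknown",
        }
    return findings


def ip_reuse(findings):
    """Count how often each connecting IP appears in the batch. Mail from a
    zombie population tends to show each IP once; a count above one for a
    direct sender is worth a second look."""
    return Counter(f["ip"] for f in findings.values() if f["ip"])


def suspicious(findings):
    """Message IDs that were delivered directly from a host that looks like
    an end-user machine rather than a mail server."""
    return sorted(
        m for m, f in findings.items()
        if f["direct"] and (f["dynamic_host"] or f["no_rdns"])
    )


if __name__ == "__main__":
    found = analyse(SAMPLES)
    for msg_id in suspicious(found):
        print(msg_id, found[msg_id])
    print("IP reuse:", dict(ip_reuse(found)))
```

Only the outermost Received header is trusted here, because that is the one our own server wrote; anything deeper in the chain can be forged by the sender.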
 
David H. Lipman

I haven't looked closely at the phishing email, but McAfee has been flagging them for a
couple of months. They get past our Trend Border Gateway and SAV/NAV on our Exchange
servers. McAfee flags them in the Outlook XP Inbox.

Dave

Beauregard T. Shagnasty

Quoth the raven John Coutts:
Anyway, I noticed that practically all of them come direct to our
server from a freestanding IP address (i.e. they are not routed
through a mail server). And I also notice that the same IP is never
used more than once. Which leads me to the conclusion that they
are being sent from hijacked machines.

I got four Citibank phishes yesterday. Three came from (three)
different US broadband users, and the fourth was from a Chinese IP
address. Clueless hijacked users are relaying just about everything
these days.
 
Gnome de Plume

John said:
Has anyone else recognized these patterns?

J.A. Coutts

That's probably how they work. It's easier just to use the SMTP protocol
directly to send out mass mail than to muck with Sendmail or something as a
front-end. The different addresses may indeed be zombies, perhaps
acting as rotating proxies.

Back in the first days of the DCOM exploit, botnets of 10,000 machines were
not uncommon.

michael
 