The Phish, scaled and gutted

December 20th, 2005

You can sit around pointing fingers at someone else when you get phished, or you can do your homework and quit worrying about getting scammed. I would have posted the following “phishing lure” in the Spamples database, but I was too lazy to modify the code so I could get the GIF attachment stuffed in. Make sure you view this on a decent-sized monitor, as the GIF is pretty large and was subject to scaling problems. Here you go:

What it looks like (a GIF attachment in the email)…

And the source (identifying information for the recipient, along with some “<>” tags altered of course)…

Return-Path:
Received: from XXX.com (root@localhost)
by XXX.com (8.12.10/8.12.10) with ESMTP id jBK648SB004302
for ; Tue, 20 Dec 2005 00:04:08 -0600
NOTE: THE REAL SENDER HERE
X-ClientAddr: 83.199.116.66
Received: from APuteaux-154-1-45-66.w83-199.abo.wanadoo.fr (APuteaux-154-1-45-66.w83-199.abo.wanadoo.fr [83.199.116.66])
by XXX.com (8.12.10/8.12.10) with SMTP id jBK63vbf004285
for ; Tue, 20 Dec 2005 00:04:00 -0600
Message-Id: <200512200604.jBK63vbf004285@XXX.com>
FCC: mailbox://identdep_op8979355@ebay.com/Sent
X-Identity-Key: id1
Date: Tue, 20 Dec 2005 00:56:56 -0500
From: eBay
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: XXX@XXX.com
Subject: EBAY INC ALERT - UNAUTHORIZED LOGIN ATTEMPTS
Content-Type: multipart/related;
boundary="------------000006030501050905030001"
X-XXX.com-MailScanner-Information: Please contact the ISP for more information
X-XXX.com-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
X-MailScanner-From: identdep_op8979355@ebay.com
Status:

This is a multi-part message in MIME format.
--------------000006030501050905030001
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

"<"html>

"<"A HREF="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerId=2&siteid=0"> "<"map name="dpyzhl">"<"area coords="0, 0, 646, 569" shape="rect" NOTE: THE URL REDIRECT HERE "<"href="http://ebtptay.ms2u.net/rock/e/">

"<"img SRC="cid:part1.02010502.08000800@support_ref_112108111@ebay.com" border="0" usemap="#dpyzhl">

NOTE: THE SPAM FILTER FOOLING GIBBERISH HERE "<"font color="#FFFFF9">in 1961 Robert Blake XFL good days to leave a message "<"/font>

"<"/html>

--------------000006030501050905030001
NOTE: THE LINKED GIF IMAGE HERE
Content-Type: image/gif;
name="maintain.GIF"
Content-Transfer-Encoding: base64
Content-ID:
Content-Disposition: inline;
filename="maintain.GIF"
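
The four NOTE annotations above, turned into checks a mail filter could run. This is an added example, not part of the original post. The sample message is constructed (example.test hosts, 192.0.2.66), and the function names and the 0xF0 colour cut-off are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modeled on the lure above: real "<" restored, example.test hosts.
SAMPLE_HEADERS = (
    "Received: from dialup-66.isp.example.test (dialup-66.isp.example.test [192.0.2.66])\n"
    "X-MailScanner-From: billing@shop.example.test\n"
)
SAMPLE_HTML = (
    '<html><a href="https://signin.shop.example.test/login"><map name="m1">'
    '<area coords="0, 0, 646, 569" shape="rect" href="http://lure.example.test/rock/e/">'
    '</map><img src="cid:part1@shop.example.test" border="0" usemap="#m1"></a>'
    '<font color="#FFFFF9">in 1961 good days to leave a message</font></html>'
)

class LureParser(HTMLParser):
    """Collects link hosts per tag, cid image maps and near-white font colours."""
    def __init__(self):
        super().__init__()
        self.hosts = {"a": set(), "area": set()}
        self.cid_map_image = False
        self.pale_fonts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.hosts and a.get("href"):
            self.hosts[tag].add(urlparse(a["href"]).hostname)
        elif tag == "img":
            self.cid_map_image |= (a.get("src") or "").startswith("cid:") and "usemap" in a
        elif tag == "font" and re.fullmatch(r"#[0-9a-fA-F]{6}", a.get("color") or ""):
            if min(bytes.fromhex(a["color"][1:])) >= 0xF0:  # assumed "unreadable on white" cut-off
                self.pale_fonts.append(a["color"])

def analyze(headers, html):
    """Return the lure indicators found in one message (hypothetical helper)."""
    p = LureParser()
    p.feed(html)
    # Assumes the first Received line in `headers` is the external hop.
    relay = re.search(r"^Received: from (\S+)", headers, re.M)
    claimed = re.search(r"^X-MailScanner-From: \S+@(\S+)", headers, re.M)
    spoofed = relay and claimed and not ("." + relay[1]).endswith("." + claimed[1])
    checks = [
        (p.hosts["area"] - p.hosts["a"], "image-map target differs from anchor target"),
        (p.cid_map_image, "body is an inline image with a click map"),
        (p.pale_fonts, "near-invisible filler text"),
        (spoofed, "relay host outside claimed sender domain"),
    ]
    return [msg for hit, msg in checks if hit]
```
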
