
Heh, so THAT is why my filter wasn't forwarding me any trade-me scam emails....

66.206.6.31 [00000B90] Fri, 26 Aug 2005 13:58:52 +1200 >>> 501 5.7.1 <mailer(a)trademe.co.nz>... Sender refused by the DNSBL sbl-xbl.spamhaus.org

:D

Mark.

-----Original Message-----
From: Bojan Zdrnja [mailto:b.zdrnja(a)auckland.ac.nz]
Sent: Friday, 26 August 2005 1:54 p.m.
To: 'nznog'
Subject: [Spam] RE: [nznog] Trademe phishing

-----Original Message-----
From: Joshua Brady [mailto:somitho(a)gmail.com]
Sent: Friday, 26 August 2005 1:34 p.m.
To: Craig Whitmore
Cc: nznog
Subject: Re: [nznog] Trademe phishing

On 8/25/05, Craig Whitmore <lennon(a)orcon.net.nz> wrote:
> Another New IP Address: 66.206.6.31 it's coming from...

Craig, provide the full link and I'll contact TW Telecom and get them to shut it down tonight, and contact the customer in the morning.

Btw, it seems like this spam is easily detectable by message ID they put.

Message ID field in the spam looks like:

message-id=<!~!84374D1c3858$508b8$430E1CD9(a)trademe.co.nz>

While the legitimate trademe e-mails message ID looks like:

message-id=<ed7b8401c5a9d4$3cd39fb0$0a0a0a0a(a)trademe.local>

This means that the following rule should catch it.

!!!!! <WARNING: I just briefly tested this. Use at your own risk. You'll have to change the score. I'm not responsible if you lose legitimate e-mail.> !!!!!

header TRADEMEPHISH MESSAGEID =~ /^<!~!.*\@trademe\.co\.nz>/
describe TRADEMEPHISH Phishing e-mail directed to trademe users
score TRADEMEPHISH 0 0 0 0

Also, 66.206.0.0/19 is listed in SBL (Spamhaus).

Cheers,

Bojan

--
Bojan Zdrnja, CISSP, RHCE
Security Implementation Specialist
Information Technology Systems and Services (ITSS)
The University of Auckland, New Zealand
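
Added example, not part of the original posts: a way to dry-run the Message-ID pattern from the rule above against saved messages before giving it a score. The function names and sample messages are constructed for illustration; the samples use "@" where the list archive shows "(a)", and the extra Resent-/X- header names are an assumption about where list software may preserve the original ID.

```python
import re
from email import message_from_string

# Same pattern as the TRADEMEPHISH rule: an ID that starts with "<!~!"
# and claims the public trademe.co.nz domain.
PHISH_MSGID = re.compile(r"^<!~!.*@trademe\.co\.nz>")

# Headers that can carry a message ID (assumption: list software may
# move the original ID into the Resent- or X- variant).
ID_HEADERS = ("Message-ID", "Resent-Message-ID", "X-Message-ID")

def message_ids(raw):
    """Return every message ID value, with folded lines unfolded."""
    msg = message_from_string(raw)
    found = []
    for name in ID_HEADERS:
        # Header lookup is case-insensitive; get_all returns duplicates too.
        for value in msg.get_all(name) or []:
            found.append(" ".join(value.split()))
    return found

def classify(raw):
    """'phish-pattern', 'no-match', or 'no-message-id' for one message."""
    ids = message_ids(raw)
    if not ids:
        return "no-message-id"
    if any(PHISH_MSGID.search(i) for i in ids):
        return "phish-pattern"
    return "no-match"

# Constructed samples (IDs for the first two are the ones quoted above).
PHISH = ("From: mailer@trademe.co.nz\n"
         "Message-ID: <!~!84374D1c3858$508b8$430E1CD9@trademe.co.nz>\n"
         "\nbody\n")
LEGIT = ("From: mailer@trademe.co.nz\n"
         "message-id: <ed7b8401c5a9d4$3cd39fb0$0a0a0a0a@trademe.local>\n"
         "\nbody\n")
FOLDED = ("From: mailer@trademe.co.nz\n"
          "Message-ID:\n <!~!AAAA$BBBB$CCCC@trademe.co.nz>\n"
          "\nbody\n")
MISSING = "From: mailer@trademe.co.nz\n\nbody\n"

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT),
                       ("folded", FOLDED), ("missing", MISSING)):
        print(label, classify(raw), message_ids(raw))
```

Running it over a mailbox of known-good mail first shows whether the pattern ever hits legitimate messages, which is the risk the warning above is about.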