Heh, so THAT is why my filter wasn't forwarding me any trade-me scam
emails....
66.206.6.31 [00000B90] Fri, 26 Aug 2005 13:58:52 +1200 >>> 501 5.7.1
... Sender refused by the DNSBL sbl-xbl.spamhaus.org
:D
Mark.
-----Original Message-----
From: Bojan Zdrnja [mailto:b.zdrnja(a)auckland.ac.nz]
Sent: Friday, 26 August 2005 1:54 p.m.
To: 'nznog'
Subject: [Spam] RE: [nznog] Trademe phishing
-----Original Message-----
From: Joshua Brady [mailto:somitho(a)gmail.com]
Sent: Friday, 26 August 2005 1:34 p.m.
To: Craig Whitmore
Cc: nznog
Subject: Re: [nznog] Trademe phishing
On 8/25/05, Craig Whitmore wrote:
Another New IP Address: 66.206.6.31 it's coming from...
Craig, provide the full link and I'll contact TW Telecom and get them
to shut it down tonight, and contact the customer in the morning.
Btw, it seems like this spam is easily detectable by the message ID they put.
The Message ID field in the spam looks like:
message-id=
While the legitimate trademe e-mails' message ID looks like:
message-id=
This means that the following rule should catch it.
!!!!!
!!!!!
header TRADEMEPHISH MESSAGEID =~ /^/
describe TRADEMEPHISH Phishing e-mail directed to trademe users
Score TRADEMEPHISH 0 0 0 0
Also, 66.206.0.0/19 is listed in SBL (Spamhaus).
Cheers,
Bojan
--
Bojan Zdrnja, CISSP, RHCE
Security Implementation Specialist
Information Technology Systems and Services (ITSS)
The University of Auckland, New Zealand
_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog