Gerco's broken phish
Gerco Wolfswinkel reports a broken Citibank phish (his post is in Dutch, but the raw MIME source of the phish is on that page) and asks for my diagnosis.

The payload is delivered as a single image in a broken multipart MIME wrapper. Why? Well, the following is speculation, but informed by recent observations of phish attempts here:
  • Broken MIME in phish emails is not unusual. The last few we have seen here are also broken, but in a slightly different way, which results in the image bearing the phish being displayed twice: once at the top left of the message and once more below it, centred.

    The reason is probably not ineptitude on the part of the phisher, but an attempt to build MIME that renders with at least partial success in as many different MUAs as possible. The more victims who actually see it, the greater the chance that some will be suckered into filling in the phisher's feedback form.

  • Phish emails are often delivered as inline images because the phisher has total control over how the image looks, and it is therefore easier for him to make something that looks "official".

  • It used to be that phish emails using inline images in this way (the image always includes what appears to be a link, in the form https://..., usually coloured blue and underlined to lend further verisimilitude to the illusion that it is a link) had the whole image wrapped in an href pointing to a URL of the form http://username:password@host_name_or_IP_address:port/path/payload.cgi. The username part of this URL was something like www.somebank.com, so that a casual observer might conclude that the link really does go to an official SomeBank site, when the browser actually connects to whatever follows the @.

    But Microsoft recently patched MSIE so that URLs containing user credentials no longer work, so the phisher now needs some other sleight of hand to confuse the victim into clicking his URL.

  • In the case in hand, it appears likely that the old http://username:password@... link has been taken out of the phish email source and its replacement has (probably accidentally) been omitted. But don't worry. It'll be back.
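
As an added example (not code from the original post or from Gerco's message), here is how a mail filter written in Python could pick out the two features the list above describes: a message whose only visible content is an inline image, and an image link whose URL carries a host-like name in the userinfo part so that the real destination is hidden. The sample message, the somebank names and the 192.0.2.10 address are constructed for the demonstration; the real phish MIME is not reproduced here.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample modelled on the kind of phish described above (not the
# real message): an HTML part wrapping one inline image in a link whose
# "username" looks like a bank host name. somebank.* and 192.0.2.10 are
# placeholders.
SAMPLE_EML = """\
From: "SomeBank Security" <alerts@somebank.example>
To: victim@example.net
Subject: Verify your account
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<a href="http://www.somebank.com:login@192.0.2.10:8080/cgi/payload.cgi"><img src="cid:img1"></a>
</body></html>
--b1
Content-Type: image/gif
Content-ID: <img1>
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b1--
"""

# The "broken" variant from the post: same image, but the link has been left out.
SAMPLE_BROKEN_EML = re.sub(r"<a [^>]*>|</a>", "", SAMPLE_EML)

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
HOSTLIKE_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def classify_link(url):
    """Describe where a link really goes.

    Browsers (and urlsplit) treat everything before the last '@' in the
    authority as credentials and what follows it as the host. If the
    username looks like a host name, the link is impersonating that host.
    """
    parts = urlsplit(url)
    userinfo = parts.username or ""
    return {
        "url": url,
        "real_host": parts.hostname,
        "userinfo": userinfo,
        "deceptive_userinfo": bool(userinfo and HOSTLIKE_RE.match(userinfo)),
    }


def analyse(raw):
    """Summarise the visible content and links of a raw RFC 2822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    visible_text = ""
    image_parts = 0
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            visible_text += part.get_content()
        elif ctype == "text/html":
            html = part.get_content()
            links.extend(classify_link(h) for h in HREF_RE.findall(html))
            # What the reader would see once the tags are gone.
            visible_text += re.sub(r"<[^>]+>", "", html)
        elif part.get_content_maintype() == "image":
            image_parts += 1
    return {
        "image_parts": image_parts,
        "has_visible_text": bool(visible_text.strip()),
        "links": links,
        # The pattern from the post: the whole message is one picture.
        "image_only": image_parts >= 1 and not visible_text.strip(),
        "deceptive_links": [l["url"] for l in links if l["deceptive_userinfo"]],
    }


if __name__ == "__main__":
    for label, sample in (("linked", SAMPLE_EML), ("broken", SAMPLE_BROKEN_EML)):
        print(label, analyse(sample))
```

`analyse` on the linked sample reports `image_only` and one deceptive link whose `real_host` is 192.0.2.10, not www.somebank.com; on the broken sample it reports `image_only` with an empty `links` list, which is exactly the "link forgotten" state the post diagnoses.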

Oh, and Gerco... Look at that Received header. Why on earth do you not have the sending host blocked?

Category: Phish

Comments:

1. Gerco Wolfswinkel, 06/04/2004 12:06:24
Homepage: http://www.wolfswinkel.net

Hi Chris, thanks for the analysis. It confirms what I was thinking - someone forgot to put in the link.

I was testing the server mail rule modifications you wrote about some time ago. But with DNSBL checks enabled, almost no illegit mail makes it past that check. I couldn't verify if these new mail rules were actually doing anything. So I disabled DNSBL to get some more spam and viruses.
And yes, the mail rules are working!

2. Chris Linfoot, 06/04/2004 12:24:39

I have a huge and growing library of samples of spam and viruses. Would be happy to share with you to assist in your testing.

3. Rob Kirkland, 06/04/2004 18:38:04

Chris, what is it about the received header that makes you want to block it? Is it the word "adsl"?

4. Chris Linfoot, 07/04/2004 08:29:34

Yes, but not just that.

OpenRBL shows that host listed in 7 different lists. Some of those lists list hosts that have sent spam. Others list dialup/dynamically assigned addresses. And one (DSBL) lists hosts that are actually abusable (open proxies and relays). The DSBL single hop list shows that the host in question is an abusable HTTP connect proxy - probably trojaned.

All of these conspire to reinforce my firmly held belief that it is best to block known dialup/dynamic addresses on sight. Too many home users have no firewall, no current AV and no understanding that executing a .pif mailed to them by some unknown party may not be such a bright idea.

cwl

5. Rob Kirkland, 07/04/2004 16:12:10

Do you test every message received in your spamtrap against openRBL? If not, what criteria do you use to decide which ones to test? (And where do you find the time to do all this? Or do you have this situation so well in hand that only a few spams a day get through anymore?)

6. Chris Linfoot, 07/04/2004 16:30:40

You can't test directly against OpenRBL. That is just a web aggregator providing a human interface to do multiple DNSBL lookups easily.

We do use a range of DNSBLs here and these change occasionally. But for now they include Spamhaus, Spamcop, SORBS, DSBL, ORDB and one or two others.

Yes, we do have very few spams that arrive here, so are able to manage by exception but this takes patience to set up.

This entire site is intended to inform people in your situation about spam blocking, how to pick DNSBLs, what other techniques work and so on.

Browse around a bit more (and sorry the speed isn't so great -- Blogsphere is a great Notes app but it does make the server work pretty hard for its keep) -- you will find plenty to think about.

7. Gerco Wolfswinkel, 08/04/2004 10:40:36
Homepage: http://www.wolfswinkel.net

Thanks for the offer, Chris! Send me some stuff, we'll see what happens. Just not too nasty viruses, please.

Could be an interesting test!

8. Chris Linfoot, 08/04/2004 10:58:46

OK. How do you want it? This stuff is most useful as raw MIME. I could burn a copy of our spam trap .nsf on a CD - documents in there are all stored with native MIME.

9. Rob Kirkland, 08/04/2004 16:32:38

Chris, I guess my last post was sort of a muddle, because you didn't answer the question I was hoping you would. I've been a regular reader of your blog for a while now and I've read lots and lots of your back posts. (How many? Who knows? There's no way to know what I might have missed. Your blog is such a treasure trove! And such a pleasure to read, but I digress ... .)

I got the impression from your earlier posts in this thread that you habitually block the IP addresses of all hosts from which you receive spam. I also noticed that you used openRBL to learn others' opinions of the IP address from which was received the phish that you received from Gerco. I was curious to know what routine you follow to examine the spams you receive and how you decide 1) what to block and 2) what else to do about a given spam. If you've discussed those things in the past and I missed those posts, I apologize for asking you to repeat yourself yet again!

The reason I was interested is because I don't block the IP addresses of all spam senders myself. It appears to me that most spams that I receive these days come from unique addresses. I've created views that sort my received spams by IP address. The vast majority of the sending IPs are singletons, with a few doubletons and a very few having sent me multiple spams. I've blocked the multiples. I've blocked singles or even whole IP address ranges where it appears that one sender is using hosts in consecutive address blocks to send me spams. But the random ones and twos I haven't bothered to block, because I don't feel it's worth the effort to block addresses that I may never hear from again. (I haven't automated the process, so it's tedious and time consuming. I think about writing an agent to automate the process, but, like you, I rarely "do code", so writing the agent would be a big project for me.)

Anyway, I got the impression that you do block them all, and I was curious to know if that's so and how you manage it. Thanks for reading this. rk

10. Chris Linfoot, 08/04/2004 16:57:15

No time for a detailed answer now, but I may elaborate later.

Briefly. Some hosts that spam I don't block, either because they are the smart hosts of some ISP or because they are (to use your expression) singletons.

Others I do, but rarely singly. Usually we block networks between /24 (256 hosts) and /16 (65,536 hosts). Rarely larger or smaller net blocks than these.

And we do block on certain resolved names like *.sfldmi.ameritech.net in the example above. This will block a lot of hosts without explicitly enumerating them.

And of course the DNSBLs mop up a lot too.

You can see a partial version of our local list at http://chris-linfoot.net/list
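
As an added example, not Chris's actual rule set and not the exact zones of the lists he names, the following Python sketches the decision described across comments 4, 6 and 10: exempt the ISP smart hosts you never want to block, then check a local list of networks and wildcard reverse-name patterns (the *.sfldmi.ameritech.net pattern is the one from the comment; the networks are constructed documentation ranges), then fall back on DNSBL lookups, which are simply a DNS query for the sender's address with its octets reversed under the list's zone. The zone names dnsbl-a.example and dnsbl-b.example and the answers in FAKE_ZONE_DATA are placeholders so the script runs offline; system_resolve shows what the real lookup does.

```python
import ipaddress
import socket
from fnmatch import fnmatch

# Constructed local policy. Smart hosts of an ISP we do not want to block,
# even if they relay the odd spam (comment 10).
EXEMPT_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]
# Blocked net blocks (the thread blocks between /24 and /16) and resolved-name
# wildcards; the name pattern is the one quoted in the comment above.
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
BLOCKED_NAME_PATTERNS = ["*.sfldmi.ameritech.net"]
# Placeholder DNSBL zones; each real list publishes its own zone name.
ZONES = ["dnsbl-a.example", "dnsbl-b.example"]


def dnsbl_query_name(ip, zone):
    """A DNSBL lookup is a DNS query for the reversed octets under the zone:
    192.0.2.10 in dnsbl-a.example becomes 10.2.0.192.dnsbl-a.example."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolve(name):
    """Real lookup: a listed address answers with an A record (by convention
    in 127.0.0.0/8), an unlisted one gives NXDOMAIN, which we map to []."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []


def dnsbl_hits(ip, zones, resolve=system_resolve):
    """Map zone -> answers for every zone that lists the address."""
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if answers:
            hits[zone] = answers
    return hits


def local_block_reason(addr, reverse_name):
    for net in BLOCKED_NETWORKS:
        if addr in net:
            return f"network {net}"
    if reverse_name:
        for pattern in BLOCKED_NAME_PATTERNS:
            if fnmatch(reverse_name.lower(), pattern):
                return f"name pattern {pattern}"
    return None


def decide(ip, reverse_name, zones=ZONES, resolve=system_resolve):
    """Return ("accept"|"reject", reason) for a connecting SMTP client."""
    addr = ipaddress.ip_address(ip)
    for net in EXEMPT_NETWORKS:
        if addr in net:
            return ("accept", f"exempt network {net}")
    reason = local_block_reason(addr, reverse_name)
    if reason:
        return ("reject", reason)
    hits = dnsbl_hits(ip, zones, resolve)
    if hits:
        return ("reject", "listed in " + ", ".join(sorted(hits)))
    return ("accept", None)


# Constructed DNSBL answers so the demonstration runs without network access:
# 192.0.2.10 is "listed" in both placeholder zones, nothing else is.
FAKE_ZONE_DATA = {
    "10.2.0.192.dnsbl-a.example": ["127.0.0.2"],
    "10.2.0.192.dnsbl-b.example": ["127.0.0.4"],
}


def fake_resolve(name):
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    for ip, rdns in (("192.0.2.10", "host.example.org"),
                     ("198.51.100.77", None),
                     ("203.0.113.200", "adsl-1-2-3-4.sfldmi.ameritech.net"),
                     ("203.0.113.5", "smtp-out.isp.example"),
                     ("203.0.113.200", "mail.example.org")):
        print(ip, rdns, decide(ip, rdns, resolve=fake_resolve))
```

Order matters: the exemption runs first so an ISP smart host is never rejected by a net block or a list hit, and the local list runs before the DNSBLs so that a connection from a blocked block or a dialup-style name is refused without any DNS traffic at all.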




11. Robin Grimes, 15/09/2005 20:12:37
Homepage: http://Removed

Have a little fun with the Phishers. If you post the Phisher's URL into [Removed], it will continuously send false data to the Phisher's website.
