Wednesday, September 21st, 2005 08:45 am

There's a new eBay phishing spoof in the wild.  It's not too badly done, and quite convincing at first glance; I'm guessing they're relying on you thinking "This is bullshit!  This idiot hasn't bought anything from me!" and clicking the "Respond" link before you think to actually examine it and see if it's legit.  Social engineering.  If you do stop to examine it, there are several flaws.

  • "Your registered name is included to show this message originated from eBay."  Well, actually, now that you mention it ... no, it isn't.  Not anywhere in the message.  "Oops."
  • That "Respond" button doesn't go to an eBay URL.  As a matter of fact, it goes to 62.193.212.56, which is vds-381430.amen-pro.com, registered in Paris, France.
  • Oh, and all the links in the right-side sidebars, and the "learn more" link?  They aren't.  Links, that is.  They're faked and don't connect to anything.  There's no anchor tag.  Mouse over them and see.
  • And did you notice that the "Thank you for using eBay" URL is to ebay.com, but all the other eBay links on the page are ebay.co.uk links?  A little bit inconsistent there, neh?
  • And of course, there's the minor problem that it doesn't come from an eBay address, and isn't even convincingly spoofed.  Mine came from "eBay <qezzobvasze@pisem.net>".  The X-mailer header is oddly curious, too:  "pig pen 3095 guardian angels"
  • And then there's the actual, non-HTML message body:  "When over marzipan takes a coffee break, cough syrup related to parking lot starts reminiscing about lost glory.When behind ski lodge procrastinates, from movie theater gets stinking drunk.toothaches remain nearest.pocket living with graduated cylinder reads a magazine, but bubble bath from short order cook learn a hard lesson from about pine cone."  Whoa!  Lay off the glue, dude.

Here it is, in all its phishy stench:


eBay sent this message to you.
Your registered name is included to show this message originated from eBay. Learn more.
Question from eBay Member -- Respond Now eBay
eBay sent this message on behalf of an eBay member via My Messages. Responses sent using email will go to the eBay member directly and will include your email address. Click the Respond Now button below to send your response via My Messages (your email address will not be included).
 Question from jell

    I have not received any item from you, what happend, I've sent you the money, now were is my item ? If you don't Respond Now I will contact ebay and I will report you, I will also go to the police !Lett me know, I am not a fool ! 

Thank you !

Respond to this question in My Messages.
Respond Now
Thank you for using eBay
http://www.ebay.com/
Marketplace Safety Tip Marketplace Safety Tip
If this message is an offer to sell an item without winning it on the eBay Web site (including Second Chance Offers sent through My Messages) please do not respond to the sender. These external transactions are unsafe and not covered by eBay purchase protection programmes.

Never pay for your eBay item through instant wire transfer services such as Western Union or MoneyGram. These payment methods are unsafe when paying someone you do not know.
Is this email inappropriate? Does it breach eBay policy? Help protect the community by reporting it.
Learn how you can protect yourself from spoof (fake) emails at:
http://pages.ebay.co.uk/education/spooftutorial
This eBay notice was sent to you on behalf of another eBay member through the eBay platform and in accordance with our Privacy Policy. If you would like to receive this email in text format, change your notification preferences.
See our Privacy Policy and User Agreement if you have questions about eBay's communication policies.
Privacy Policy: http://pages.ebay.co.uk/help/policies/privacy-policy.html
User Agreement: http://pages.ebay.co.uk/help/policies/user-agreement.html
Copyright © 2005 eBay, Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
eBay and the eBay logo are registered trademarks or trademarks of eBay, Inc.
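
The checks from the list above that can be automated (the sender's domain, where each link really goes, and whether the eBay links mix domains), as an added example that is not part of the original post. It uses only the Python standard library; `BRAND_DOMAINS`, `audit` and the `/placeholder` path are assumptions made for illustration, and the sample input is constructed from details quoted in the post.

```python
import ipaddress
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
BRAND_DOMAINS = ("ebay.com", "ebay.co.uk")  # assumption: the brand's real domains

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # href of every <a> tag seen
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.hrefs.append(dict(attrs)["href"])

def brand_of(host):
    """Return the brand domain that host falls under, or None."""
    host = (host or "").lower().rstrip(".")
    return next((d for d in BRAND_DOMAINS if host == d or host.endswith("." + d)), None)

def is_ip_literal(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def audit(from_header, html_body):
    """Check the sender domain, every link host, and brand-domain consistency."""
    findings = []
    sender = parseaddr(from_header)[1].rpartition("@")[2]
    if brand_of(sender) is None:
        findings.append(f"sender domain is not the brand's: {sender}")
    collector = LinkCollector()
    collector.feed(html_body)
    brands = set()
    for href in collector.hrefs:
        host = urlsplit(href).hostname or ""
        if brand_of(host):
            brands.add(brand_of(host))
            continue
        kind = "a bare IP address" if is_ip_literal(host) else "a non-brand host"
        findings.append(f"link goes to {kind}: {host}")
    if len(brands) > 1:
        findings.append("links mix brand domains: " + ", ".join(sorted(brands)))
    return findings

# Constructed sample modelled on the quoted message; the /placeholder path is made up.
SAMPLE_FROM = "eBay <qezzobvasze@pisem.net>"
SAMPLE_HTML = ('<a href="http://62.193.212.56/placeholder">Respond Now</a>'
               '<a href="http://www.ebay.com/">Thank you for using eBay</a>'
               '<a href="http://pages.ebay.co.uk/education/spooftutorial">Tutorial</a>')
```

Calling `audit(SAMPLE_FROM, SAMPLE_HTML)` returns one finding per flaw. The suffix match in `brand_of` requires a leading dot, so a lookalike such as `ebay.com.evil.example` is not accepted as a brand host.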
Wednesday, September 21st, 2005 06:19 am (UTC)
I especially like this part:

Learn how you can protect yourself from spoof (fake) emails at:
http://pages.ebay.co.uk/education/spooftutorial
Wednesday, September 21st, 2005 06:55 am (UTC)
amen-pro is one of the biggest harbingers of spam in all of Europe. It's sort of like Comcast used to be - big thumping uncaring DSL provider. Their dynamic IP addresses go right to my bit-bucket in Postfix...

One of the many nice things about NOT being an eBay member is that *anything* I get that looks like it's from eBay goes right out the window. The fact that eBay is RFC-ignorant (abuse@ebay.com does NOT work) tells me just how much of a damn they really give.
Wednesday, September 21st, 2005 07:43 am (UTC)
Yeah, I'm afraid eBay has never been a particularly good net.citizen. Nor do they adhere to the Google mantra of "Don't be evil." They used to be better, but then I think profit and expediency took over.

I seldom use eBay myself, and normally only for low-demand items that I can BIN.
Wednesday, September 21st, 2005 07:45 am (UTC)
Oh, I meant to add: what syntax are you using to block their dynamic range?
Wednesday, September 21st, 2005 07:50 am (UTC)
In main.cf, amongst the smtpd_recipient_restrictions:

check_client_access pcre:/etc/postfix/clientchecks

Then in clientchecks:

/^vds-.*\.amen-pro\.com$/ REJECT Use your ISP's Mail Server

Basically this lets DNS do it for you. They do actually bother to resolve PTR records, which makes it easy.
Wednesday, September 21st, 2005 07:57 am (UTC)
Huh. That's easier than trying to sort out all the netblocks. :)

Of course, this came in through Speakeasy, which lets a LOT more spam through than I do ..... I don't know if it would have made it through, had it come in to caerllewys.net.
Wednesday, September 21st, 2005 09:26 am (UTC)
It's always tricky getting backup MX's who are as draconian as you are. (Although I could hook you up with one who's probably *more* draconian if you wanted. *EG*)

One wonders if Speakeasy lets you get in to the shell account and play with .procmailrc...
Wednesday, September 21st, 2005 12:45 pm (UTC)
I don't actually even have an active Speakeasy account right now. They just let me continue to access the email account because we wanted -- and tried -- to re-establish service with Speakeasy, but we couldn't because of the whole Verizon-or-nothing thing. Mail to that account comes direct from Speakeasy's servers via POP3.
Wednesday, September 21st, 2005 07:13 am (UTC)
They always send it to my yahoo address, which I no longer use for ebay! When they first sent it, I was using it for ebay, but I didn't recognize bozo's name. I just popped over to ebay and checked to see if I had anything unconfirmed from recipients and concluded it was just phishing again. They didn't catch me!
Thursday, September 22nd, 2005 07:30 pm (UTC)
didja forward it to spoof@ebay.com ?
Thursday, September 22nd, 2005 07:38 pm (UTC)
Nope; didn't know that address. lemme see if I still have it in my trash ....





............nope.
Thursday, September 22nd, 2005 08:57 pm (UTC)
now ya does!