Thread: Identity Thefts via fake Ebay (and Paypal, Banks and others)

Identity Thefts via fake Ebay (and Paypal, Banks and others)
2007-01-28 18:43:03

It is very likely that all participants here on this list are subject to this hack, and we are inadvertently displaying Identity Theft emails to our customers.

On the one hand, Surgemail provides the tools (mfilter.rul and friends.rul) to block/challenge these; however, Admins need to be educated enough to know what to block and what to challenge.

There are 4 recommended improvements listed below. Feedback please.

Side Note: On the Account page for an account, on the SPF page, almost all customers should choose to set SPF Features to True.

Experience has shown here at our domains that if a customer changes this setting to False (to not activate the SPF for their account), even the most savvy user will someday get hogwashed by a professional thief.

The main problem is that the users see an email in their Held list, which is the Friends Pending list. Since they are an active Ebayer and receive emails like this all the time, there is nothing unusual so far...
Notice that the line from Ebay says the normal things... from Ebay Inc, From-Address is aw-confirm, even the "Question about Item" in the subject line is the standard. However there are two indications here that this is not legit.

#1 is the SpamGrade, #2 is the "Respond Now" in the subject.

*If* your customer knows how to read headers (but few do...) they will click on the message's View button... and the Show Headers link.

They will then get confused... and go back and answer the email.... and voila... which (apparently) links to a fake ebay site.

It's possible that this is a bad example... but the threat is real just the same.

It is very obvious to us Admins that the below headers are not from Ebay. It is not as obvious to our customers, who rely on us as their advisors.

The only thing changed in this example is the recipient's account name.

The headers of this particular email are:
Received-SPF: soft (Last token {~all} (res=SOFT)) client-ip=64.40.106.171; envelope-from=<aw-confirm@ebay.com>; x-ip-name=realtycms_com;
X-Default-Received-SPF: fail (Last token (res=FAIL)) client-ip=64.40.106.171; envelope-from=<aw-confirm@ebay.com>; x-ip-name=realtycms_com;
Received: from mail.realtycms.com (realtycms.com [64.40.106.171])
    by ezstart.net (SurgeMail 3.8f2) with ESMTP id 25551-1851399
    for <user@marshaegan.com>; Thu, 25 Jan 2007 20:52:06 -0500
Return-Path: <aw-confirm@ebay.com>
Received: from webmaster ([203.229.154.204])
    by mail.realtycms.com (Merak 7.5.2) with ASMTP id JEA74780;
    Thu, 25 Jan 2007 17:51:58 -0800
From: "eBay Inc."<aw-confirm@ebay.com>
Subject: [SPAM 30] Question about Item -- Respond Now
Date: Fri, 26 Jan 2007 10:52:01 +0900
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <1169776326_152@babble>
X-Rcpt-To: <user@marshaegan.com>
X-SpamDetect: ******************************: 84.500000 bad received for ebay=40.0,spf_fail_notinmx=2.0,spf_forgery_both=22.0,Possible url forgery/scam=2.0,SpamUrl=4.1,SPF Soft=3.0,ImageSize=3.0,SPF Default Fail=1.0,High tags-to-text ratio=1.8,tenplus images=0.2,Gifs in urls=0.8,X-Verify-MX present=1.6,Aspam=3.0
X-Aspam: Words 0.0 -principles -practical -conduct -cat -western -holds -proud -areas -fro
X-Aspam: URLS scored 3.0 ebay.com
X-Aspam: Best match was sample d:bad1384929598.tmp
X-Aspam: Total 3.0
X-UrlForgery: (http://0x51c0303e) (http://cgi.ebay.com)
X-SpamUrl: ebay.compp
X-Avast: Message is clean
X-Verify-MX: <aw-confirm@ebay.com> senders ip (ch=64.40.106.171 msg=64.40.106.171, net=64.40.) not in mx data dom=ebay.com ipname=realtycms.com (66.135.195.180 66.135.195.181)
X-IP-stats: No info recorded yet ip=64.40.106.171
X-Originating-IP: 64.40.106.171

X-SpamDetect-Info: ------------- Start ASpam results ---------------
X-SpamDetect-Info: 1USA SpamDetect Info: More info at http://www.1usa.com/email/spamdetectinfo.html
X-SpamDetect: ******************************: 84.500000 bad received for ebay=40.0,spf_fail_notinmx=2.0,spf_forgery_both=22.0,Possible url forgery/scam=2.0,SpamUrl=4.1,SPF Soft=3.0,ImageSize=3.0,SPF Default Fail=1.0,High tags-to-text ratio=1.8,tenplus images=0.2,Gifs in urls=0.8,X-Verify-MX present=1.6,Aspam=3.0
X-SpamDetect-Info: ------------- End ASpam results -----------------
==============
While the header clearly shows a X-UrlForgery line, it's not displayed to the customer in a way that they understand.

I recommend that Surgemail make the following changes:

1. In Webmail and in the Pending list, add the From-Address along with the From-Name. This will display the many mis-labeled From's.

2. Add a new column for Received-From and display the Received-From line: in this case Received: from mail.realtycms.com (realtycms.com [64.40.106.171])

3. If possible, also add the SpamDetect lines beneath the Subject, and then display the g_spam_body that normally goes on the top of the body. (Here, both g_aspam_headers and g_spam_body are turned On.)

4. Add Checkboxes in the Account Options section to turn these on or off.

The offending URL in this particular body is:

This eBay notice was sent to <A href="http://0x51c0303e/~s.naoui/.ws/eBayISAPI.dll/SignIn/co_partnerId=2/pUserId/site > from eBay.

I am not familiar with URLs formatted like: 0x51c0303e
So I don't know if this is legit or not. I do know that the URL is not live as of today. Someone please enlighten me on this type of URL formatting.

If the rest of you guys & gals don't agree with making these changes, please speak up.
====

Yes, we Admins can write a mfilter.rul to REJECT these emails - but we Admins need to find them first!

Yes, we Admins can write a mfilter.rul to REJECT these emails, but most Admins are hesitant to reject "what could be" a good email from Ebay that can affect our customers' income. Customers will quit & go somewhere else if filtering is done incorrectly.

It's important to do the correct filtering in the correct place.

Feedback please.

BarryZ
1USA
__________________________________________________
Tired of Spam?
Check out what 1USA.Com has.
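The first two changes proposed in the post above (show the From-Address beside the From-Name, and show the first Received: line) describe the triage an admin does by eye on headers like these. As an added example, not code from the post or from SurgeMail, the Python below does that triage over the posted header block: it pulls the From: address, the envelope sender, the relay that handed the message to our server and the earliest hop the relay recorded, then lists the reasons the message does not look like it came from the domain it claims. SAMPLE_HEADERS is constructed from the headers quoted above with the stripped "@" restored and the spam-scoring headers left out; the relay-mismatch rule is a heuristic, because legitimate senders also relay through third parties.

```python
import email
import email.utils
import re

# Constructed sample: the header block from the post above, reduced to the
# fields this triage reads. Addresses are reconstructed with "@" restored
# (the list archive strips it); everything else is as it appears in the post.
SAMPLE_HEADERS = """\
Received-SPF: soft (Last token {~all} (res=SOFT)) client-ip=64.40.106.171; envelope-from=<aw-confirm@ebay.com>; x-ip-name=realtycms_com;
Received: from mail.realtycms.com (realtycms.com [64.40.106.171])
\tby ezstart.net (SurgeMail 3.8f2) with ESMTP id 25551-1851399
\tfor <user@marshaegan.com>; Thu, 25 Jan 2007 20:52:06 -0500
Return-Path: <aw-confirm@ebay.com>
Received: from webmaster ([203.229.154.204])
\tby mail.realtycms.com (Merak 7.5.2) with ASMTP id JEA74780;
\tThu, 25 Jan 2007 17:51:58 -0800
From: "eBay Inc."<aw-confirm@ebay.com>
Subject: [SPAM 30] Question about Item -- Respond Now
X-UrlForgery: (http://0x51c0303e) (http://cgi.ebay.com)
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _relay(received):
    """Host name and bracketed IP from one Received: header value."""
    m = re.search(r"\bfrom\s+(\S+)", received)
    ip = IPV4.search(received)
    return (m.group(1).lower() if m else ""), (ip.group(1) if ip else "")


def triage(raw_headers):
    """Extract the fields an admin reads first and list why the message does
    not look like it came from the From: domain. Heuristic only: legitimate
    bulk mail is often relayed by a third party, so a relay mismatch is a
    reason to look closer, not a verdict on its own."""
    msg = email.message_from_string(raw_headers)
    from_name, from_addr = email.utils.parseaddr(msg.get("From", ""))
    _, env_from = email.utils.parseaddr(msg.get("Return-Path", ""))
    hops = msg.get_all("Received") or []
    # hops[0] is the hop into our own server, the only one we can vouch for;
    # hops[-1] is the earliest hop, i.e. whatever the sender's relay recorded.
    relay_host, relay_ip = _relay(hops[0]) if hops else ("", "")
    origin_host, origin_ip = _relay(hops[-1]) if hops else ("", "")
    spf_hdr = msg.get("Received-SPF", "")
    spf = spf_hdr.split(None, 1)[0].lower() if spf_hdr.strip() else ""

    from_domain = _domain(from_addr)
    flags = []
    if from_domain and relay_host and relay_host != from_domain \
            and not relay_host.endswith("." + from_domain):
        flags.append("From: claims %s but the message was handed to us by %s [%s]"
                     % (from_domain, relay_host, relay_ip))
    if spf and spf != "pass":
        flags.append("SPF result for %s from %s: %s" % (env_from, relay_ip, spf))
    if msg.get("X-UrlForgery"):
        flags.append("link text and link target disagree: %s" % msg["X-UrlForgery"])
    return {
        "from_name": from_name, "from_addr": from_addr, "envelope_from": env_from,
        "relay_host": relay_host, "relay_ip": relay_ip,
        "origin_host": origin_host, "origin_ip": origin_ip,
        "spf": spf, "flags": flags,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print("%-14s %s" % (key + ":", value))
```

On the posted headers this reports the relay as mail.realtycms.com [64.40.106.171] against a From: of ebay.com, an SPF result of "soft", and the X-UrlForgery mismatch. SurgeMail's own X-Verify-MX header is the DNS-backed version of the relay check (whether the handing-off IP appears in the claimed domain's MX data); the offline version here only compares names.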

Re: Identity Thefts via fake Ebay (and Paypal, Banks and others)
2007-01-28 19:07:33

On Jan 28, 2007, at 7:43 PM, <webmaster@1usa.com> wrote:
> Feedback please.
>
I am using ClamAV to trap a lot of Phishing email. Surgemail gives a lot of them a 1.1 added score but, by getting trapped by the virus filter, the whole message is dropped. I am not getting very many leaks although some people must get some before the virus signatures are updated. At least the known ones are being stopped. For me I would guess that it is roughly 99% effective compared to what is leaking.

Yes I use a tough SPF as well that is very helpful. I have seen a few end up in the Friends challenge mode that obviously had not been caught by ClamAV. My users are all happy with me chucking mail that is bad as opposed to tagging it though.
Steve Hume

Re: Identity Thefts via fake Ebay (and Paypal, Banks and others)
2007-01-28 19:11:12

I'm mostly corporate so I educate my users to delete anything from any bank/paypal/ebay/Amazon, etc. And if they have a doubt then log into the account via a url they have bookmarked (or type on their own) to see if there are any messages. Almost any respectable establishment has messaging on their domain by now; if they don't then I tell the user to forward emails to me, or better yet - switch to an establishment that takes their security more seriously.

I've never had a user of mine get duped by such tactics, and few use webmail. And I will not bounce emails due to a SPF failure out of hand. We cannot afford to discriminate against our customers who have bad admins, so as a result we get more of these.

I'm not rejecting your theory out of hand, just not seeing any advantage outside what is already provided. Maybe have a link on the webmail to a "how-to-spot" x, y and z would be nice, but that's the only suggestion I can see. IMO - it'd just be something else to confuse the user and would probably make up more support calls for me.

just my 2 cents.
webmaster@1usa.com wrote:
> It is very likely that all participants here on this list are subject to this hack, and we are inadvertently displaying Identity Theft emails to our customers.
> On the one hand, Surgemail provides the tools (mfilter.rul and friends.rul) to block/challenge these; however, Admins need to be educated enough to know what to block and what to challenge.
> There are 4 recommended improvements listed below. Feedback please.
>
> Side Note: On the Account page for an account, on the SPF page, almost all customers should choose to set SPF Features to True.
> Experience has shown here at our domains that if a customer changes this setting to False (to not activate the SPF for their account), even the most savvy user will someday get hogwashed by a professional thief.
>
> The main problem is that the users see an email in their Held list, which is the Friends Pending list. Since they are an active Ebayer and receive emails like this all the time, there is nothing unusual so far...
>
>
> Notice that the line from Ebay says the normal things... from Ebay Inc, From-Address is aw-confirm, even the "Question about Item" in the subject line is the standard. However there are two indications here that this is not legit.
> #1 is the SpamGrade, #2 is the "Respond Now" in the subject.
> *If* your customer knows how to read headers (but few do...) they will click on the message's View button... and the Show Headers link.
> They will then get confused... and go back and answer the email.... and voila... which (apparently) links to a fake ebay site.
> It's possible that this is a bad example... but the threat is real just the same.
>
> It is very obvious to us Admins that the below headers are not from Ebay. It is not as obvious to our customers, who rely on us as their advisors.
> The only thing changed in this example is the recipient's account name.
> The headers of this particular email are:
>
> Received-SPF: soft (Last token {~all} (res=SOFT))
> client-ip=64.40.106.171; envelope-from=<aw-confirm@ebay.com>;
> x-ip-name=realtycms_com;
> X-Default-Received-SPF: fail (Last token (res=FAIL))
> client-ip=64.40.106.171; envelope-from=<aw-confirm@ebay.com>;
> x-ip-name=realtycms_com;
> Received: from mail.realtycms.com (realtycms.com [64.40.106.171])
> by ezstart.net (SurgeMail 3.8f2) with ESMTP id 25551-1851399
> for <user@marshaegan.com>; Thu, 25 Jan 2007 20:52:06 -0500
> Return-Path: <aw-confirm@ebay.com>
> Received: from webmaster ([203.229.154.204])
> by mail.realtycms.com (Merak 7.5.2) with ASMTP id JEA74780;
> Thu, 25 Jan 2007 17:51:58 -0800
> From: "eBay Inc."<aw-confirm@ebay.com>
> Subject: [SPAM 30] Question about Item -- Respond Now
> Date: Fri, 26 Jan 2007 10:52:01 +0900
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> Message-ID: <1169776326_152@babble>
> X-Rcpt-To: <user@marshaegan.com>
> X-SpamDetect: ******************************: 84.500000 bad received for ebay=40.0,spf_fail_notinmx=2.0,spf_forgery_both=22.0,Possible url forgery/scam=2.0,SpamUrl=4.1,SPF Soft=3.0,ImageSize=3.0,SPF Default Fail=1.0,High tags-to-text ratio=1.8,tenplus images=0.2,Gifs in urls=0.8,X-Verify-MX present=1.6,Aspam=3.0
> X-Aspam: Words 0.0 -principles -practical -conduct -cat -western -holds -proud -areas -fro
> X-Aspam: URLS scored 3.0 ebay.com
> X-Aspam: Best match was sample d:bad1384929598.tmp
> X-Aspam: Total 3.0
> X-UrlForgery: (http://0x51c0303e) (http://cgi.ebay.com)
> X-SpamUrl: ebay.compp
> X-Avast: Message is clean
> X-Verify-MX: <aw-confirm@ebay.com> senders ip (ch=64.40.106.171 msg=64.40.106.171, net=64.40.) not in mx data dom=ebay.com ipname=realtycms.com (66.135.195.180 66.135.195.181)
> X-IP-stats: No info recorded yet ip=64.40.106.171
> X-Originating-IP: 64.40.106.171
>
> X-SpamDetect-Info: ------------- Start ASpam results ---------------
> X-SpamDetect-Info: 1USA SpamDetect Info: More info at http://www.1usa.com/email/spamdetectinfo.html
> X-SpamDetect: ******************************: 84.500000 bad received for ebay=40.0,spf_fail_notinmx=2.0,spf_forgery_both=22.0,Possible url forgery/scam=2.0,SpamUrl=4.1,SPF Soft=3.0,ImageSize=3.0,SPF Default Fail=1.0,High tags-to-text ratio=1.8,tenplus images=0.2,Gifs in urls=0.8,X-Verify-MX present=1.6,Aspam=3.0
> X-SpamDetect-Info: ------------- End ASpam results -----------------
> ==============
> While the header clearly shows a X-UrlForgery line, it's not displayed to the customer in a way that they understand.
> I recommend that Surgemail make the following changes:
>
> 1. In Webmail and in the Pending list, *add* the From-Address along with the From-Name. This will display the many mis-labeled From's.
>
> 2. Add a new column for Received-From and display the Received-From line: in this case Received: from mail.realtycms.com (realtycms.com [64.40.106.171])
>
> 3. If possible, also add the SpamDetect lines beneath the Subject, and then display the g_spam_body that normally goes on the top of the body. (Here, both g_aspam_headers and g_spam_body are turned On.)
>
> 4. Add Checkboxes in the Account Options section to turn these on or off.
>
> The offending URL in this particular body is:
> This eBay notice was sent to <A href="http://0x51c0303e/~s.naoui/.ws/eBayISAPI.dll/SignIn/co_partnerId=2/pUserId/site > from eBay.
> I am not familiar with URLs formatted like: _0x51c0303e_
> So I don't know if this is legit or not. I do know that the URL is not live as of today. Someone please enlighten me on this type of URL formatting.
>
> If the rest of you guys & gals don't agree with making these changes, please speak up.
>
> ====
> Yes, we Admins can write a mfilter.rul to REJECT these emails - but we Admins need to find them first!
> Yes, we Admins can write a mfilter.rul to REJECT these emails, but most Admins are hesitant to reject "what could be" a good email from Ebay that can affect our customers' income. Customers will quit & go somewhere else if filtering is done incorrectly.
> It's important to do the correct filtering in the correct place.
>
> Feedback please.
>
> BarryZ
> 1USA
>
> __________________________________________________
> Tired of Spam?
> Check out what 1USA.Com <http://www.1usa.com> has.
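The `0x51c0303e` host in the href quoted above is an ordinary IPv4 address written as a single 32-bit hexadecimal number, a form that both `inet_aton()` and the URL parser in browsers accept: 0x51c0303e is 81.192.48.62. Decimal (1371549758) and octal (0121.0300.060.076) spellings work the same way, and so do two- or three-part forms where the last component fills the remaining bytes. Phishers use these spellings because the link looks nothing like an address and because naive filters that look for a dotted quad miss it. As an added example, not code from the thread or from SurgeMail, the Python below decodes any host written in those forms back to a dotted quad and runs the same link-text-versus-target comparison that the X-UrlForgery header records. SAMPLE_BODY is constructed: the href is the one quoted above, the visible link text is an assumption (the header only shows that it named cgi.ebay.com), and the second link is a benign control.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body. The href is the one quoted in the thread; the
# visible link text is an assumption (the X-UrlForgery header only records
# that it named cgi.ebay.com), and the second link is a benign control.
SAMPLE_BODY = (
    '<p>This eBay notice was sent to '
    '<a href="http://0x51c0303e/~s.naoui/.ws/eBayISAPI.dll/SignIn/co_partnerId=2/pUserId/site">'
    'http://cgi.ebay.com/ws/eBayISAPI.dll?SignIn</a> from eBay.</p>'
    '<p>Visit <a href="http://www.ebay.com/">www.ebay.com</a> for help.</p>'
)

# Anchor text that a reader would take for an address (scheme optional).
_LOOKS_LIKE_URL = re.compile(r"(?i)^(https?://)?[\w.-]+\.[a-z]{2,}([/?:]|$)")


def _part(p):
    """One dotted component in the radixes inet_aton() accepts, or None."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
        return int(p, 16)
    if re.fullmatch(r"0[0-7]+", p):
        return int(p, 8)
    if re.fullmatch(r"[0-9]+", p):
        return int(p, 10)
    return None


def decode_ip_host(host):
    """Canonical dotted quad for a host written the way inet_aton() reads it:
    one 32-bit number (hex such as 0x51c0303e, decimal, or octal), or two to
    four components where the last one fills the remaining bytes. Returns
    None for an ordinary host name, so any non-None result means the address
    was written in a form chosen to not look like one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *head, tail = nums
    tail_bytes = 4 - len(head)
    if any(n > 255 for n in head) or tail >= 256 ** tail_bytes:
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | tail
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in a body."""

    def __init__(self):
        super().__init__()
        self.found = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(s):
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    try:
        return (urlsplit(s).hostname or "").lower()
    except ValueError:
        return ""


def find_forged_links(html):
    """Anchors whose visible text names one host while the href leads to
    another, or whose href host is an obfuscated IP address. The reader sees
    the text; the browser follows the href."""
    parser = _Anchors()
    parser.feed(html)
    hits = []
    for href, text in parser.found:
        href_host = _host(href)
        shown_host = _host(text) if _LOOKS_LIKE_URL.match(text) else ""
        ip = decode_ip_host(href_host)
        if ip or (shown_host and shown_host != href_host):
            hits.append({"href": href, "href_host": href_host,
                         "resolved_ip": ip, "shown_host": shown_host})
    return hits


if __name__ == "__main__":
    for hit in find_forged_links(SAMPLE_BODY):
        print(hit)
```

On the sample body only the first anchor is reported: its href host decodes to 81.192.48.62 while the text the reader sees names cgi.ebay.com. Decoding the host before any further comparison matters because a plain string match against an IP blocklist or an MX list would never see 0x51c0303e and 81.192.48.62 as the same thing.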

Re: Identity Thefts via fake Ebay (and Paypal, Banks and others)
2007-01-28 19:22:42

>>Almost any respectable establishment has messaging on their domain by now<<

Help me out. I run a little online store and I wonder what you mean by this.

Re: Identity Thefts via fake Ebay (and Paypal, Banks and others)
2007-01-28 19:26:08

I was referring to banks like Chase, Wells Fargo, Ebay, etc.

But mostly like Ebay does and Chase, etc. you sign in via their secured site. And they have a section for messages to/from them.

Eric Vey wrote:
> >>Almost any respectable establishment has messaging on their domain by now<<
>
> Help me out. I run a little online store and I wonder what you mean by this.
>
>

Re: Identity Thefts via fake Ebay (and Paypal, Banks and others)
2007-01-28 19:38:05

Okay. I see what you mean, now.

Washington Mutual, the 6th largest bank in the US, founded upon the wreckage of the Savings and Loans, doesn't do that. They have (I think) an excellent on-line presence, one can make a deposit or withdrawal in one of their branches, and see the increased or decreased balance on their website in less than 10 minutes, but they don't send people messages.

Navy Federal Credit Union is the largest credit union in the world and it constantly sends out messages, to the point that people stop reading them.

Stuart Chase wrote:
> I was referring to banks like Chase, Wells Fargo, Ebay, etc.
>
> But mostly like Ebay does and Chase, etc. you sign in via their secured site. And they have a section for messages to/from them.
>
> Eric Vey wrote:
>> >>Almost any respectable establishment has messaging on their domain by now<<
>>
>> Help me out. I run a little online store and I wonder what you mean by this.
>>
>>
>
>

Re: Identity Thefts via fake Ebay (and Paypal, Banks and others)
2007-01-28 19:48:55

WAMU does, or at least, when they took over Providian Online they retained that capability on that particular website. That would be interesting if the rest of WAMU doesn't.

Going the far extreme side is BCBS, you send them a message on their website (cannot recall if it's secure or not) and they respond that they will respond via regular mail as they will not (basically) trust any electronic form to send customer's information across.

At any rate, my instructions to my users are - log into the respective site via bookmark or typed URL, pick up the phone or walk into a branch. For my store it's worked, nobody has been duped, I had maybe a handful of people ask me to check out an email.

But I'm corporate vs an ISP, we've got differing needs and far, far, far different levels of what we can get away with.

Eric Vey wrote:
> Okay. I see what you mean, now.
>
> Washington Mutual, the 6th largest bank in the US, founded upon the wreckage of the Savings and Loans, doesn't do that. They have (I think) an excellent on-line presence, one can make a deposit or withdrawal in one of their branches, and see the increased or decreased balance on their website in less than 10 minutes, but they don't send people messages.
>
> Navy Federal Credit Union is the largest credit union in the world and it constantly sends out messages, to the point that people stop reading them.
>
> Stuart Chase wrote:
>> I was referring to banks like Chase, Wells Fargo, Ebay, etc.
>>
>> But mostly like Ebay does and Chase, etc. you sign in via their secured site. And they have a section for messages to/from them.
>>
>> Eric Vey wrote:
>>> >>Almost any respectable establishment has messaging on their domain by now<<
>>>
>>> Help me out. I run a little online store and I wonder what you mean by this.
>>>
>>>
>>
>>
>
>