Hi there,

At about 1300 GMT today one of my mailservers rejected a message as
being an obvious scam.  As it happened I took a look at it.  It's a
typical bank phishing attempt.

Here's a part of the mail which includes a part of the link which the
reader is invited to visit.  Obviously I've removed the protocol name
and the trailing colon from the URI, and replaced them by "xxxxx".
Hopefully now the text won't trigger too many scanners. :)

----------------------------------------------------------------------
[snip, snip] place a new [snip, snip] cookie on your computer.
To securely <B><A href="xxxxx//95.11064393/www1.firstdirec[snip]
----------------------------------------------------------------------

The string "11064393" concatenated after the string "95." is converted
without fuss by browsers to the IP address of the criminal server.

I use most of the third party databases available for ClamAV.  Using
clamscan I scanned the text in its original form and it wasn't flagged
as suspect.

Is this one for Mr. Basford, or does it have wider implications?
Despite an hour or so of trying I haven't thought of a legitimate
reason for obfuscating an IP address in this way.

--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
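
The conversion described in the message above, as an added example that is not part of the original post or of ClamAV: a normaliser for the `inet_aton`-style numeric host forms that browsers accept, so a mail filter can compare or flag the real address. It goes beyond the two-part decimal form in the message to cover hex, octal and single-integer hosts; the function names are hypothetical, and every sample host except the one quoted in the message is constructed.

```python
import re

def _parse_part(part):
    # inet_aton-style radix rules: 0x.. is hex, a leading 0 is octal, else decimal.
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"0|[1-9][0-9]*", part):
        return int(part, 10)
    return None

def normalize_ipv4_host(host):
    """Return the dotted quad a numeric host resolves to, or None if not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_parse_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *leading, last = nums
    # Leading parts are single bytes; the last part fills all remaining bytes.
    if any(n > 0xFF for n in leading) or last >= 256 ** (4 - len(leading)):
        return None
    value = last
    for i, n in enumerate(leading):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

# Accepts real schemes and the "xxxxx" placeholder used in the message above.
URL_HOST = re.compile(r"(?:https?:|xxxxx)//([^/\s\"'<>:]+)", re.I)

def find_obfuscated_hosts(text):
    """List (raw_host, dotted_quad) for numeric hosts not written as a plain dotted quad."""
    hits = []
    for raw in URL_HOST.findall(text):
        quad = normalize_ipv4_host(raw)
        if quad is not None and quad != raw:
            hits.append((raw, quad))
    return hits

# First line is the fragment quoted in the message; the rest are constructed
# samples using the 192.0.2.0/24 documentation range.
SAMPLE = """To securely <B><A href="xxxxx//95.11064393/www1.firstdirec
<a href="http://192.0.2.7/login">plain dotted quad, not flagged</a>
<a href="http://0xC0.0.2.7/">hex first octet</a>
<a href="http://3221225991/">single 32-bit integer</a>
<a href="http://www.example.com/">ordinary hostname</a>"""

if __name__ == "__main__":
    for raw, quad in find_obfuscated_hosts(SAMPLE):
        print(f"{raw} -> {quad}")
```

Any host that normalises to a dotted quad different from the string as written is a numeric address in a non-canonical form, which is the property the message asks about detecting.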
