Re: Phishies (was Re: Virus)
David Lesher said:

> The Phish wars are way past that...

Past what?

> I see gif's with the URL embedded in the GIF similar.

Your point being? In a text-only email message Gifs are largely irrelevant, reside on the hard disk or in my case, because of scripting, in my trash can. If one allows messages to automatically fetch materials from the net, then that is a serious security risk.

I still maintain that you can't redirect a URL pointing to server A and make it go to server B, unless you hack server A or intercept the browser call and pretend to be server A while you're not. But of course you can make it seem, to an unknowing user, like it points to server A even in a text-only message by calling the URL something like: servera.serverb.com, but if the user knows that it is the first domain string to the immediate left of the .com top domain that determines the server, that won't fool him/her.

Hmmm, I suppose you could also hack the DNS server. How would anyone determine that and protect themselves?

This all said, it's also still good advice to skip the URL inside the email message and go to your browser and log in where you usually log in

--
G-Books is sponsored by http://lowendmac.com/ and...
Small Dog Electronics http://www.smalldog.com | Refurbished Drives |
-- Check our web site for refurbished PowerBooks | CDRWs on Sale! |
Support Low End Mac http://lowendmac.com/lists/support.html
G-Books list info: http://lowendmac.com/lists/g-books.html
-- AOL users, remove mailto:;
Send list messages to: mailto:[EMAIL PROTECTED]
To unsubscribe, email: mailto:[EMAIL PROTECTED]
For digest mode, email: mailto:[EMAIL PROTECTED]
Subscription questions: mailto:[EMAIL PROTECTED]
Archive: http://www.mail-archive.com/g-books%40mail.maclaunch.com/
---
The Think Different Store http://www.ThinkDifferentStore.com
---
Re: Phishies (was Re: Virus)
At 10:56 +0100 2004:11:16, Mikael Byström wrote:

> David Lesher said:
>> The Phish wars are way past that...
>
> Past what?

His mentioned phish bait...

>> I see gif's with the URL embedded in the GIF similar.
>
> Your point being? In a text-only email message Gifs are largely irrelevant, reside on the hard disk or in my case, because of scripting, in my trash can. If one allows messages to automatically fetch materials from the net, then that is a serious security risk.

I agree; and that's why I use elm on my Linux box. But there are an ever increasing number of phish hooks out there to get less wary victims..
Re: Phishies (was Re: Virus)
Bruce Johnson said:

> Most often you're shown an HTML mail, which will display the correct link, or an obfuscated link which shows the correct link but actually takes you to the wrong place.

It's not possible to show the correct link and end up anywhere else if you use only text, but it's equally true of course that an HTML link may point to something else. Which is why a status preview is vital in HTML email clients.
Re: Phishies (was Re: Virus)
> It's not possible to show the correct link and end up anywhere else if you use only text, but it's equally true of course that an HTML link may point to something else. Which is why a status preview is vital in HTML email clients.

What would be even better? A warning when you are about to follow an obfuscated link. I think we'll see some of this soon, I vaguely remember mentions of this kind of solution already being implemented in some email clients/browsers. I also presume junk filters are pretty sensitive to this kind of stuff.

Marcin Wichary
e:\ [EMAIL PROTECTED]
w:\ www.aci.com.pl/mwichary Attached
w:\ www.aci.com.pl/mwichary/gui Graphical User Interface gallery
w:\ www.10yearsofbeingboring.com 10 years of Being Boring
w:\ www.usability.pl Usability.pl
Re: Phishies (was Re: Virus)
The Phish wars are way past that... I see gif's with the URL embedded in the GIF similar. I report them to that anti-phish clearinghouse...
Re: Phishies (was Re: Virus)
Original Message ...

On Mon, 15 Nov 2004 18:45:05 +0100 Mikael Byström [EMAIL PROTECTED] wrote:

> Which is why a status preview is vital in HTML email clients.

Opera solves by letting you prefer plain text over HTML and by alerting you to malformed URLs. And of course not using IE and Windows helps.
Re: Phishies (was Re: Virus)
Bruce Johnson said:

> always go and enter the direct web site address in your browser, log in and check from there. Don't click on the link.

Good advice.

> Odds are the link will look very real, too, taking you to a realistic copy of the target's web site.

But, if the URL really does revolve around ebay.com, how could there be any real risk clicking? To hijack the click the email sender would have to intercept and take over the domain itself, no?

I'm a bit annoyed that ccsurvey.com sends me messages with ebay.com URLs. But these are non login URLs, but nevertheless I'd, for some reason, prefer the message would come from ebay themselves.
Re: Phishies (was Re: Virus)
On Saturday, November 13, 2004, at 04:26 AM, Mikael Byström wrote:

> Bruce Johnson said:
>> always go and enter the direct web site address in your browser, log in and check from there. Don't click on the link.
>
> Good advice.
>
>> Odds are the link will look very real, too, taking you to a realistic copy of the target's web site.
>
> But, if the URL really does revolve around ebay.com, how could there be any real risk clicking? To hijack the click the email sender would have to intercept and take over the domain itself, no?

No. Most often you're shown an HTML mail, which will display the correct link, or an obfuscated link which shows the correct link but actually takes you to the wrong place.

A clue: look for a link with lots and lots of %'s in it, as % is the escape character for URLs.

--
Wherever you go, there you are. - B. Banzai, Ph.D.

Bruce Johnson
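The mismatch discussed in this part of the thread (link text that shows one site while the `href` goes to another, the `servera.serverb.com` naming trick, and links full of `%` escapes) can be checked mechanically, which is the kind of warning asked for earlier. This is an added example, not code from any list member or mail client; `site`, `shown_host`, `LinkAudit`, `audit` and `PCT_LIMIT` are hypothetical names, the two-label domain rule is a simplification, and the sample body is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

PCT_LIMIT = 5  # assumed threshold for "lots and lots of %'s"

def site(host):
    """Naive registrable domain: last two labels (the '.com' rule from the thread).
    Assumption: production code needs the Public Suffix List (e.g. for .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def shown_host(text):
    """Hostname visible in the link text, or None if the text is not URL-like."""
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
    return m.group(1) if m else None

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, "", []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""

    def handle_data(self, data):
        if self.href is not None:  # inside an <a> element: collect visible text
            self.text += data

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        real, shown = urlsplit(self.href).hostname or "", shown_host(self.text)
        reasons = []
        if shown and site(shown) != site(real):
            reasons.append(f"shows {site(shown)} but goes to {site(real)}")
        if self.href.count("%") >= PCT_LIMIT:
            reasons.append("heavily percent-escaped")
        if reasons:
            self.findings.append((self.href, reasons))
        self.href = None

def audit(html):
    """Return [(href, [reason, ...])] for every suspicious link in an HTML body."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed mail body; the example.* hosts are placeholders.
SAMPLE = """
<a href="http://www.example.com/help">http://www.example.com/help</a>
<a href="http://www.example.com.login.example.net/">www.example.com</a>
<a href="http://example.org/%73%69%67%6e%69%6e">Sign in</a>
"""
```

`audit(SAMPLE)` passes the first link and flags the other two; a link whose text is not URL-like can only be caught by the escape count, so this complements a status-bar preview rather than replacing it.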
Phishies (was Re: Virus)
At 12:53 PM -0700 11/11/2004, Bruce Johnson wrote:

> On Thursday, November 11, 2004, at 05:51 AM, PETE wrote:
>> The list (server?) sent me an attachment with a virus. How is this possible?
>
> All viruses for the last few years have forged the 'From:' header

Speaking of forged from headers...

There are a lot of phishies from eBay, Half, and PayPal flying around these days. They're getting awfully good -- the From header and message body are exact dups of real notices from those sites! BUT...

eBay (who owns both Half and PayPal) has done their mail servers RIGHT. If you look at the full Received headers of recent notices from those sites, you'll notice that eBay's notices actually come from ebay.com. Half's from half.com. And PayPal's from paypal.com... Checking those Received headers is an easy way to verify the phishy stink, or lack thereof!

Here's an example from the latest eBay sales blert:

    Received: from smf-camp13.smf.ebay.com (smfcamppool13.emailebay.com [66.135.215.242])
        by mx1.punkass.com (Postfix) with ESMTP id 92B5015031E
        for [EMAIL PROTECTED]; Thu, 11 Nov 2004 16:31:53 + (UTC)
    From: eBay [EMAIL PROTECTED]

You can do a WHOIS at ARIN on that server's IP address too. It's registered to eBay! Phishies can't show that...

FWIW,
- Dan.
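The Received-header check described in the message above, as an added example that is not part of the original post. It reads only the hop written by the recipient's own mail server, because Received lines below that one arrive with the message; `boundary_hop` and `from_known_sender` are hypothetical names, `KNOWN` holds just the one address from the quoted header as a stand-in for the result of the WHOIS lookup, and `PHISH` is a constructed message.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Postfix-style hop: from <HELO name> (<reverse DNS> [<IP>]) by <receiver>
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")

def boundary_hop(raw, my_mx):
    """Return the hop recorded by our own MX (topmost match), or None.
    The HELO name is whatever the sender claimed; the IP is what our MX saw."""
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m and m.group(4).lower() == my_mx:
            helo, rdns, ip, _ = m.groups()
            return {"helo": helo, "rdns": rdns, "ip": ip}
    return None

def from_known_sender(raw, my_mx, networks):
    """True only if the IP our MX saw is inside a network the caller verified."""
    hop = boundary_hop(raw, my_mx)
    if hop is None:
        return False
    return any(ip_address(hop["ip"]) in ip_network(n) for n in networks)

MY_MX = "mx1.punkass.com"       # receiving server named in the quoted header
KNOWN = ["66.135.215.242/32"]   # stand-in for the WHOIS result, not a real allocation

# Header taken from the message above (recipient and date omitted).
GENUINE = (
    "Received: from smf-camp13.smf.ebay.com"
    " (smfcamppool13.emailebay.com [66.135.215.242])\n"
    "\tby mx1.punkass.com (Postfix) with ESMTP id 92B5015031E\n"
    "From: eBay\n\nbody\n"
)

# Constructed phish: same HELO claim, different connecting IP (TEST-NET-1),
# plus a sender-supplied lower Received line that must be ignored.
PHISH = (
    "Received: from smf-camp13.smf.ebay.com (unknown [192.0.2.77])\n"
    "\tby mx1.punkass.com (Postfix) with ESMTP id 0000000000\n"
    "Received: from ebay.com (ebay.com [66.135.215.242]) by relay.invalid\n"
    "From: eBay\n\nbody\n"
)
```

Both samples present the same HELO name, so the decision rests on the bracketed IP, and in the genuine header the reverse-DNS name is under `emailebay.com` rather than `ebay.com`.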
Re: Phishies (was Re: Virus)
On Thursday, November 11, 2004, at 02:18 PM, [EMAIL PROTECTED] wrote:

> At 12:53 PM -0700 11/11/2004, Bruce Johnson wrote:
>> On Thursday, November 11, 2004, at 05:51 AM, PETE wrote:
>>> The list (server?) sent me an attachment with a virus. How is this possible?
>>
>> All viruses for the last few years have forged the 'From:' header
>
> Speaking of forged from headers...
>
> There are a lot of phishies from eBay, Half, and PayPal flying around these days. They're getting awfully good -- the From header and message body are exact dups of real notices from those sites! BUT...

Yeah...a good rule of thumb is to pretty much never believe who an e-mail says it's from anymore...

(Hmmm...I wonder...is that the *real* Dan ? :-]

If you get a notice from your bank, credit card or someplace like Paypal, and want to check it out, always go and enter the direct web site address in your browser, log in and check from there. Don't click on the link. Odds are the link will look very real, too, taking you to a realistic copy of the target's web site.

If you really DO have something up with your Paypal account, for example, they'll tell you about it when you log in...

The latest virus cruising the net is one just like this, except rather than the link taking you to a phishing site to extract your credit card info, it will cheerfully infect your computer with the latest MyDoom virus. Or, at least it would if you're dumb enough to use a PC running Internet Explorer that's not patched to within an inch of its life...

Us Mac users, we laugh at the feeble attempts! Ha!

--
Wherever you go, there you are. - B. Banzai, Ph.D.

Bruce Johnson
Re: Phishies (was Re: Virus)
> At 12:53 PM -0700 11/11/2004, Bruce Johnson wrote:
>> On Thursday, November 11, 2004, at 05:51 AM, PETE wrote:
>>> The list (server?) sent me an attachment with a virus. How is this possible?
>>
>> All viruses for the last few years have forged the 'From:' header
>
> Speaking of forged from headers...
>
> There are a lot of phishies from eBay, Half, and PayPal flying around these days. They're getting awfully good -- the From header and message body are exact dups of real notices from those sites! BUT...

I had 5 today from PP and Ebay. But as usual none had my registered name in them - it was all dear ebay customer and the like. Not a guaranteed filter but a good starting point.

Malcolm
Re: Phishies (was Re: Virus)
At 2:05 AM + 11/12/04, Malcolm Cornelius wrote:

>> At 12:53 PM -0700 11/11/2004, Bruce Johnson wrote:
>>> On Thursday, November 11, 2004, at 05:51 AM, PETE wrote:
>>>> The list (server?) sent me an attachment with a virus. How is this possible?
>>>
>>> All viruses for the last few years have forged the 'From:' header
>>
>> Speaking of forged from headers...
>>
>> There are a lot of phishies from eBay, Half, and PayPal flying around these days. They're getting awfully good -- the From header and message body are exact dups of real notices from those sites! BUT...
>
> I had 5 today from PP and Ebay. But as usual none had my registered name in them - it was all dear ebay customer and the like. Not a guaranteed filter but a good starting point.

When I started with my current ISP I set up several e-mail addresses. In addition to addresses for personal communications I set up one for Usenet, a few for mailing lists and one for e-bay. Most of the scam e-mail I get is sent to the Usenet address. I don't think any of it comes in on my e-bay address. Fortunately my ISP filters most of this stuff.

--
Clark Martin
Redwood City, CA, USA
Macintosh / Internet Consulting

I'm a designated driver on the Information Super Highway