General Discussion | Spammer faking as an "illicit use of your email address is being made" email

Author	Message	Time
Yoni	Screen shot: [img]http://yoni.valhallalegends.com/stuff/paypal.png[/img] Full source: http://yoni.valhallalegends.com/stuff/paypal.txt The interesting part: [code]<a target="_parent" href="http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php">Click here to cancel your new email address</a>[/code] This appears twice, once for the text/plain part and once for the text/html part. Note the "adurl" part of the link: [code]adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php[/code] I guess it redirects there or something. To IP address 1092229727, port 9999, directory /https-www.paypal.com/webscrr/index.php. Yeah, that seems valid. What's that IP address? Basically, that's a dword comprising of 4 bytes that make up the address. You can convert it using inet_addr... The quickest way to do that is using a Windows program, such as ping.exe, or even nslookup.exe. [code][21:19:36] C:\Misc>nslookup 1092229727 [my dns server details snipped] Name: CPE-65-26-26-95.kc.res.rr.com Address: 65.26.26.95 [/code] Some guy's private cable account, I guess. Oh well, poor guy. EDIT: Almost forgot - the link to click is "Report phishing". Do this.	July 22, 2006, 6:28 PM
Yoni	Great. [img]http://yoni.valhallalegends.com/stuff/ebay.png[/img]	July 24, 2006, 4:27 PM

Screen shot:

[img]http://yoni.valhallalegends.com/stuff/paypal.png[/img]

Full source:
http://yoni.valhallalegends.com/stuff/paypal.txt

The interesting part:
[code]<a target="_parent"
href="http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php">Click
here to cancel your new email address</a>[/code]
This appears twice, once for the text/plain part and once for the text/html part.

Note the "adurl" part of the link:
[code]adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php[/code]

I guess it redirects there or something. To IP address 1092229727, port 9999, directory /https-www.paypal.com/webscrr/index.php.
Yeah, that seems valid.

What's that IP address? Basically, that's a dword comprising of 4 bytes that make up the address.
You can convert it using inet_addr... The quickest way to do that is using a Windows program, such as ping.exe, or even nslookup.exe.

[code][21:19:36] C:\Misc>nslookup 1092229727
[my dns server details snipped]

Name: CPE-65-26-26-95.kc.res.rr.com
Address: 65.26.26.95
[/code]

Some guy's private cable account, I guess. Oh well, poor guy.

EDIT: Almost forgot - the link to click is "Report phishing". Do this.

Valhalla Legends Forums Archive | General Discussion | Spammer faking as an "illicit use of your email address is being made" email