Valhalla Legends Forums Archive | General Discussion | Spammer faking as an "illicit use of your email address is being made" email

Author | Message | Time
Yoni
Screen shot:

[img]http://yoni.valhallalegends.com/stuff/paypal.png[/img]

Full source:
http://yoni.valhallalegends.com/stuff/paypal.txt

The interesting part:
[code]<a target="_parent"
href="http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php">Click
here to cancel your new email address</a>[/code]
This appears twice, once for the text/plain part and once for the text/html part.

Note the "adurl" part of the link:
[code]adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php[/code]

I guess it redirects there or something. To IP address 1092229727, port 9999, directory /https-www.paypal.com/webscrr/index.php.
Yeah, that seems valid.

What's that IP address? Basically, that's a dword comprising 4 bytes that make up the address.
You can convert it using inet_addr... The quickest way to do that is using a Windows program, such as ping.exe, or even nslookup.exe.

[code][21:19:36] C:\Misc>nslookup 1092229727
[my dns server details snipped]

Name:    CPE-65-26-26-95.kc.res.rr.com
Address:  65.26.26.95
[/code]

Some guy's private cable account, I guess. Oh well, poor guy.


EDIT: Almost forgot - the link to click is "Report phishing". Do this.
July 22, 2006, 6:28 PM
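
The check described in the post above, as an added example that is not part of the original thread: it pulls the redirect target out of a link and rewrites a dword-style host as a dotted quad so a mail filter or analyst can flag it. It goes beyond the post by also accepting the hex, octal and short dotted forms that inet_addr takes; the parameter list and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Assumed list of redirect-style parameter names; "adurl" is the one in the post.
REDIRECT_PARAMS = {"adurl", "url", "redirect", "dest"}

def _part(p):
    """Parse one host component the way inet_addr does: 0x = hex, leading 0 = octal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
        return int(p, 16)
    if re.fullmatch(r"0[0-7]*", p):
        return int(p, 8)
    if re.fullmatch(r"[1-9][0-9]*", p):
        return int(p, 10)
    raise ValueError(p)

def to_ipv4(host):
    """Return the dotted-quad form if host is any inet_addr-style IPv4 literal, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *head, last = [_part(p) for p in parts]
    except ValueError:
        return None
    # Leading parts are single bytes; the last part fills all remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return str(ipaddress.IPv4Address(value))

def inspect_link(url):
    """Report every IP-literal host found in the link itself or in its redirect parameters."""
    query = parse_qs(urlsplit(url).query)
    targets = [url] + [v for k, vs in query.items() if k.lower() in REDIRECT_PARAMS for v in vs]
    findings = []
    for target in targets:
        t = urlsplit(target)
        ip = to_ipv4(t.hostname or "")
        if ip:
            findings.append({"host": t.hostname, "ip": ip, "port": t.port,
                             "obfuscated": t.hostname != ip, "path": t.path})
    return findings

# Link from the post, with the long "ai" token replaced by a constructed placeholder.
SAMPLE = ("http://www.google.com/pagead/iclk?sa=l&ai=PLACEHOLDER&num=5"
          "&adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php")

if __name__ == "__main__":
    for f in inspect_link(SAMPLE):
        print(f)
```
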
Yoni
Great.

[img]http://yoni.valhallalegends.com/stuff/ebay.png[/img]
July 24, 2006, 4:27 PM
