[Spambayes] Exceptionally well-done identity-theft spam
skip at pobox.com
Mon Dec 29 16:08:18 EST 2003
Tim> If you get something like the attached, don't go to the website and
Tim> "update" your PayPal account information. I just got this, and my
Tim> classifier scored it at 1% (0.01). It looks a lot like real email
Tim> from PayPal -- both to me, and to my classifier.

Yeah, this is a stinker. I get them all the time. Interestingly enough,
your message scored 0.69 for me. It probably would have scored as spam
except it came from you. ;-)

The real kicker here is this URL:

which unmangles to:

I'm not about to visit that URL, but I'm almost certain it will look just
like a PayPal page and that 184.108.40.206 is not in PayPal's universe.

This suggests some more possible things to try:

* URLs which have usernames in them
* URLs which refer to non-standard ports
* URLs with IP addresses instead of hostnames (in addition to specific
  hosts or networks)

I haven't looked to see if any of these are already recognized, but all
three techniques seem to be prevalent or required by such scams.
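
The three URL checks listed in the message above, as an added example that is not part of the original post and is not SpamBayes code: a small Python extractor that turns each check into a classifier token. The token names, function names and the sample message (which uses a documentation-range IP address) are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical names throughout; not the SpamBayes tokenizer's own.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.I)

# Constructed sample text; 192.0.2.10 is in a range reserved for documentation.
SAMPLE = ("Dear member, confirm your details at "
          "http://www.paypal.com@192.0.2.10:8080/update.htm or your account "
          "will be limited. Help: https://www.example.com/help.")


def url_tokens(url):
    """Return the suspicious-URL tokens that apply to one URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["url:unparseable"]
    tokens = []
    # 1. Userinfo before the host: the real host is whatever follows the "@".
    if "@" in parts.netloc:
        tokens.append("url:has-userinfo")
    # 2. An explicit port that is not the scheme's default.
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        tokens.append("url:nonstandard-port")
    # 3. The host is an IP literal (IPv4 or IPv6) rather than a hostname.
    try:
        ipaddress.ip_address(host)
        tokens.append("url:ip-host")
    except ValueError:
        pass
    return tokens


def message_tokens(text):
    """Collect URL tokens for every URL found in a message body."""
    tokens = []
    for match in URL_RE.finditer(text):
        # Drop sentence punctuation that the regex swept up with the URL.
        tokens.extend(url_tokens(match.group().rstrip(".,;)")))
    return tokens


if __name__ == "__main__":
    print(message_tokens(SAMPLE))
```

Fed to a Bayesian classifier alongside the ordinary word tokens, these give it evidence that does not depend on the message's wording, which is the part such mail copies from legitimate senders.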