[Spambayes] Exceptionally well-done identity-theft spam

Skip Montanaro skip at pobox.com
Mon Dec 29 16:08:18 EST 2003

    Tim> If you get something like the attached, don't go to the website and
    Tim> "update" your PayPal account information.  I just got this, and my
    Tim> classifier scored it at 1% (0.01).  It looks a lot like real email
    Tim> from PayPal -- both to me, and to my classifier.

Yeah, this is a stinker.  I get them all the time.  Interestingly enough,
your message scored 0.69 for me.  It probably would have scored as spam
except it came from you. ;-)

The real kicker here is this URL:


which unmangles to:


I'm not about to visit that URL, but I'm almost certain it will look just
like a PayPal page and that is not in PayPal's universe.

This suggests some more possible things to try:

    * URLs which have usernames in them

    * URLs which refer to non-standard ports

    * URLs with IP addresses instead of hostnames (in addition to specific
      hosts or networks)

I haven't looked to see if any of these are already recognized, but all
three techniques seem to be prevalent or required by such scams.
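
The three URL clues listed in the message above, as an added Python example; this is not Spambayes code and not part of the original post. The token names and the sample body are constructed for illustration, and the check goes slightly beyond the list by also treating a bare 32-bit decimal host as an IP address.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DEFAULT_PORTS = {"http": 80, "https": 443}


def is_ip_host(host):
    """True for IPv4/IPv6 literals and for a bare 32-bit decimal host."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    # e.g. "3232235777" is how some clients accept 192.168.1.1
    return host.isascii() and host.isdigit() and int(host) < 2**32


def url_tokens(url):
    """Return the clue tokens (hypothetical names) for one URL."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname or "", parts.port
    except ValueError:  # bad IPv6 brackets, non-numeric or out-of-range port
        return {"url:malformed"}
    tokens = set()
    if parts.username is not None or parts.password is not None:
        tokens.add("url:has-userinfo")
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme.lower()):
        tokens.add("url:nonstandard-port")
    if is_ip_host(host):
        tokens.add("url:ip-host")
    return tokens


def message_tokens(text):
    """Union of clue tokens over every http(s) URL found in a message body."""
    found = set()
    for match in URL_RE.finditer(text):
        found |= url_tokens(match.group().rstrip(".,;)"))
    return found


# Constructed sample body; 192.0.2.10 is a documentation-only address.
SAMPLE = """Please update your account information:
http://www.example.com@192.0.2.10:8080/cgi-bin/update
Help is available at https://www.example.com/help.
"""

if __name__ == "__main__":
    print(sorted(message_tokens(SAMPLE)))
```

Each token would be fed to the classifier alongside the ordinary word tokens, so the training data decides how much weight the clue carries.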


