[Spambayes] Exceptionally well-done identity-theft spam

Tim Peters tim.one at comcast.net
Mon Dec 29 20:05:19 EST 2003

>> The real kicker here is this URL:
>> which unmangles to:
>> http://www.paypal.comekjhaskjqpwopwo@
>> I'm not about to visit that URL, but I'm almost certain
>> it will look just like a PayPal page and that
>> is not in PayPal's universe.

[Tony Meyer]
> I was curious, so had a look.  It certainly does look nice and
> PayPal-like (although there's one little bit of broken html at the
> bottom).

Most of the links on the page point to graphics on the PayPal site, so they
couldn't look more genuine.

> (I removed the comekjhaskjqpwopwo in case that sent some
> sort of "Tim Peters is an idiot" message <wink>).

That's peculiar -- I *added* tony_meyer to it <wink>.

> Still curious, I tokenized the paypal.htm file, which scored .98 for
> me, but then I haven't trained on any PayPal mail either, so that's
> probably meaningless :)  OTOH, urllib2 couldn't demangle the URL (the
> username bit, I think) so it would have actually generated a "bad
> url" token with the experimental URL 'slurper' option.  Still, one
> token wouldn't make much difference.

Nope, it sure wouldn't.  I tracked the IP address to this tiny block:

IP Address         :
Network Name       : KORNET-HOTLINE2003239528
Connect ISP Name   : KORNET
Connect Date       : 20031202
Registration Date  : 20031224

This required going from an Anglocentric "whois" database, to an
Asian-Pacific one, and then to Korea.  That seems darned hard to automate
too.  If you want to complain, here's the contact info <heh>:

Name               : inseob bak
Org Name           : bakinseob
State              : KYONGGI
Address            : sehwajeongmil(ju) ho 0001 beonji 0707 namsabuk yonginsi
Zip Code           : 111-222
Phone              : +82-31-334-1511
E-Mail             : ktmen1 at kt.co.kr

More information about the Spambayes mailing list