amenex

Strange behavior forwarding ebay.resolve.at spoof


Hello SpamCop Mail !

Those eBay spoofs just keep coming like the Energizer Bunny. Today I got one that simply asked me to click on a URL that looked like this: http://ebay.resolve.at ... nothing more.

I did not go to that site. However, when I started to forward the offending spam to spoof[at]eBay.com from my SpamCop webmail page, as soon as I finished entering the eBay email address in the To: field, a small term, "expanding" popped up to the right of that field, and then a small popup window exclaimed, "cannot expand." The window was labelled "javascript application" or something to that effect. So I clicked off the javascript button in my Mozilla preferences. Same thing happened again. So I stopped Mozilla and started it again. Same popups. Then I shut off my PC running W98SE and, guess what ? With the "enable java" box still not checked the same behavior occurred again. I am running Norton AV and FW. No dire warnings ...

Note that I did expand the offending email so as to copy and paste the complete message source into the text above the forwarded email. Was there some nasty javascript in there, I wonder ?

Here's the portion of the message source that was below the headers. It was X-matched to a Verizon IP address. I'm quoting it here 'cuz it's short:

-------------------------------------------------------------------------------

Content-Type: text/plain; charset=iso-8859-1

Content-Transfer-Encoding: quoted-printable

Dear eBay member,

Your account has been Suspended/Locked for some security issues. If you feel =

this is an error or would like to view these issues please review the link =

below.

Your security issues cannot be resovled through E-mail. To resolve this =

matter please go here,

eBay Security Center: http://ebay.resolve.at

Sincerely,

eBay SafeHarbor Security Team

Copyright =A9 1995-2004 eBay Inc. All Rights Reserved.

--1ca0eac5-50ef-46cd-a894-021cb350809b--

-------------------------------------------------------------------------------

The "expanding" message and the "cannot expand" popup never happened to me before. Is this normal ? I have only just started to use Mozilla, as Netscape 4.72 just crashed too often on unfriendly javascript. It's the latest Mozilla. What bothers me most is that I'm seeing a javascript error message when I do not have java enabled. Looks sinister indeed.

I apologize if this turns out simply to be a Mozilla feature.

Best regards,

George Langford (amenex)

amenex[at]amenex.com


Webmail is able to expand spoof[at]ebay.com just fine for me. Please test this with a blank email, trying to expand each address you're adding to Webmail, one at a time. Thanks!

Edited by JeffG


Use of the java buttons on your browser should have no bearing on the simple act of inputting an e-mail address, so I have to suggest that there's something left out of your trouble depiction. (another note: java and javascript are not the same thing.)

That you say you expanded the spam, but then ask if there might have been an included javascript action seems also lacking .. if you'd have scrolled down in the just pasted text, you should have been able to see the scripting code, if it was present.

As JeffG has already indicated, just popping the spoof address into the To: line doesn't seem to trigger anything .. maybe you'd want to try this all over again and see just when / where things happen .. like putting the address in before pasting the spam for instance ...???

And the fact that hitting the offered link tries to take me to members.aol.com and makes a couple of calls to www.has.it means what? To me, it sure as hell isn't e-bay .... snippet from SamSpade's GET;

</HEAD>

<!-- frames -->

<FRAMESET ROWS="100%,*" FRAMEBORDER="no" FRAMESPACING="0">

<FRAME NAME="REDIRECTION_MAIN" SRC="http://members.aol.com/Mavrick26772/ebay.htm" MARGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="auto" FRAMEBORDER="0">

<FRAME NAME="AD_BOTTOM" SRC="/ad.html" MARGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="auto" FRAMEBORDER="0">

</FRAMESET>

<NOFRAMES>

Click <a href="http://members.aol.com/Mavrick26772/ebay.htm">here</a> to enter the eBay Security Center website.

</NOFRAMES>

Trace ebay.resolve.at (64.235.234.138)

Mzima Networks, Inc. NETBLK-MZIMA-01 (NET-64-235-224-0-1)

64.235.224.0 - 64.235.255.255

Lunarpages MZIMA01-CUST-LUNARPAGES (NET-64-235-234-0-1)

64.235.234.0 - 64.235.234.255

OrgName: Lunarpages

OrgID: LUNAR

Address: 14730 Beach Blvd. Suite 102

Address: IP Management Department

City: La Mirada

StateProv: CA

PostalCode: 90638

Country: US

NetRange: 64.235.234.0 - 64.235.234.255

CIDR: 64.235.234.0/24

NetName: MZIMA01-CUST-LUNARPAGES

NetHandle: NET-64-235-234-0-1

Parent: NET-64-235-224-0-1

NetType: Reassigned

NameServer: NS1.LUNARPAGES.COM

NameServer: NS2.LUNARPAGES.COM

Comment:

RegDate: 2002-12-19

Updated: 2002-12-19

AbuseHandle: LUNAR1-ARIN

AbuseName: Lunarpages Abuse

AbusePhone: +1-714-521-8150

AbuseEmail: abuse[at]lunarpages.com

Edited by Wazoo
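
As an added example (not part of the original posts, and not SpamCop or Sam Spade code): a small Python check for the frameset cloaking shown in the snippet above, listing where a page's frames and links really point and whether those hosts belong to the brand the page claims. The sample HTML is abridged from that snippet; the function names and the choice of ebay.com as the claimed brand domain are assumptions of the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: abridged from the frameset snippet quoted in the post above.
SAMPLE = """<FRAMESET ROWS="100%,*" FRAMEBORDER="no" FRAMESPACING="0">
<FRAME NAME="REDIRECTION_MAIN" SRC="http://members.aol.com/Mavrick26772/ebay.htm">
<FRAME NAME="AD_BOTTOM" SRC="/ad.html">
</FRAMESET>
<NOFRAMES>
Click <a href="http://members.aol.com/Mavrick26772/ebay.htm">here</a> to enter.
</NOFRAMES>"""

class EmbedCollector(HTMLParser):
    """Collect URLs a page loads or links to (frame/iframe src, a href)."""
    ATTRS = {"frame": "src", "iframe": "src", "a": "href"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []  # list of (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.targets.append((tag, urljoin(self.base_url, value)))

def host_matches(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def audit(page_url, html, claimed_domain):
    """Report whether the page and its embedded targets sit under claimed_domain."""
    parser = EmbedCollector(page_url)
    parser.feed(html)
    hosts = {urlsplit(url).hostname or "" for _, url in parser.targets}
    return {
        "page_host_is_brand": host_matches(urlsplit(page_url).hostname, claimed_domain),
        "targets": parser.targets,
        "off_brand_hosts": sorted(h for h in hosts if not host_matches(h, claimed_domain)),
    }

if __name__ == "__main__":
    report = audit("http://ebay.resolve.at/", SAMPLE, "ebay.com")
    print(report["page_host_is_brand"], report["off_brand_hosts"])
```

The suffix comparison is the point: "ebay" as the leftmost label of resolve.at does not make the host part of ebay.com, and the frame that fills the window comes from a third host again.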
