Trouble reporting two phishing attempts


Guest art101

If this is covered elsewhere, please excuse the duplication and point me to an appropriate thread. Couldn't find anything directly related to this issue when searching the forums.

Nestled among about 50 held mails this morning, I received two obvious phishing attempts pretending to come from Sun Trust. I reported the rest of the spew with Quick reporting, but singled these phishing attempts out for special attention. Since I'm not even a Sun Trust customer, that was my first clue that something was fishy, so to speak. Anyway, they were in my SpamCop "held mail" folder and I reported them using the "Queue for reporting (and move to trash)" popup.

The first one was parsed just fine and I reported it. The second one ran into a slight bog. The body was identical to the first and included a link to a fake Sun Trust website. But the report said "no links found." Since the first report parsed the link, I was a bit confused. Instead of reporting it, I backtracked to the beginning and refreshed the report. This time, the parsing was fine and the link was properly listed.

Does anyone know why this may have happened? The only obvious difference I see between the two is that the email appears to have originated on a different server.

The tracking URLs are listed below. The second link is the one that originally didn't parse correctly. Thanks.

http://www.spamcop.net/sc?id=z700540786zce...6d6ad5b23dedf1z

http://www.spamcop.net/sc?id=z700540788z59...77301814a0bb24z

Note to others who receive similar "Sun Trust" phishing attempts: I called the toll free fraud alert number on the Sun Trust website. The rep I spoke with said they wanted copies of any similar reports sent to abuse (at) suntrust.com - so consider adding that address to any reports you file. Obviously, you'll want to use the "[at]" symbol in the address... I wrote it out this way to help keep it from being harvested by spider bots.

Actually, your scenario has been touched a number of times, but I'm not sure what search term to offer that'd pull them up. Would have to guess that your second parse triggered the refresh of a cache, which then led to the infamous "DNS timeout" ... such that the results weren't brought back in time for that specific processor thread to react ... but the lookup continued in the background and thus did refresh the cache so that your re-parse found what it needed.

The usual "complaint" is based on "why didn't SpamCop resolve this when I have no problem" .. and the typical suggestion is to do just what you did .. re-parse ...

A recent posting by Mike Easter over in the spamcop newsgroup ...

R. Asby Dragon wrote:

> So far today:
> 4 out of 8 submissions have come back as "Cannot Resolve" the
> spamvertised URL; but I can open them here. All of them are CN
> hosted sites. They *are* "slow to open"; looks like things aren't
> well on the routing.
>
> Is it possible that the spammers (or possibly the hosts) are blocking
> requests from known Spamcop IP addresses ?  Or has somebody at SC set
> the "resolve" time too short to see these?

In the past, the most common condition of those which the poster can resolve and SC can't is that the nameservice is a bit of a mess; or rather, quite a bit of a mess.

'We' can only see how bad the nameservice is according to our own resolvers, other resolvers we might access elsewhere, and the resolving 'analysis' tools somewhere like dnsstuff.

Weird and pokey nameservice /might/ also choose to block the nameservice to spamcop.

The only way to talk about a specific site resolution condition is by posting it.

--
Mike Easter
kibitzer, not SC admin

Thanks, Wazoo, I'll remember this. Maybe this thread will help other users, too... especially the part about Ccing reports to Sun Trust's abuse team.

Back to work I go. Got more spam to report and maybe even do some "real" work for my company <g>.

Note dropped to Marjolein for inclusion on her Ban-spam page at http://banspam.javawoman.com/index.html (in the FAQ here) .. though noting that the background justification/authorization isn't really what she wants for a listing there, but ... data is data

And noting also another link in the FAQ here for the Anti-Phishing Working Group website at http://www.antiphishing.org/

Archived

This topic is now archived and is closed to further replies.
