Heh, so THAT is why my filter wasn't forwarding me any trade-me scam
188.8.131.52 [00000B90] Fri, 26 Aug 2005 13:58:52 +1200 >>> 501 5.7.1 <mailer(a)trademe.co.nz>... Sender refused by the DNSBL sbl-xbl.spamhaus.org
From: Bojan Zdrnja [mailto:firstname.lastname@example.org]
Sent: Friday, 26 August 2005 1:54 p.m.
Subject: [Spam] RE: [nznog] Trademe phishing
From: Joshua Brady [mailto:email@example.com]
Sent: Friday, 26 August 2005 1:34 p.m.
To: Craig Whitmore
Subject: Re: [nznog] Trademe phishing
On 8/25/05, Craig Whitmore <lennon(a)orcon.net.nz> wrote:
Another new IP address: 184.108.40.206 it's coming from...
Craig, provide the full link and I'll contact TW Telecom and get them
to shut it down tonight, and contact the customer in the morning.
Btw, it seems like this spam is easily detectable by the Message-ID they put in.
The Message-ID field in the spam looks like:
while the legitimate Trademe e-mails' Message-ID looks like:
This means that the following rule should catch it.
<WARNING: I just briefly tested this. Use at your own risk. You'll have to
change the score. I'm not responsible if you lose legitimate e-mail.>
# SpamAssassin rule (local.cf syntax). The archive shows "(a)" where the
# pattern has a literal "\@"; SpamAssassin keywords such as "score" are lowercase.
header   TRADEMEPHISH  MESSAGEID =~ /^<!~!.*\@trademe\.co\.nz>/
describe TRADEMEPHISH  Phishing e-mail directed to trademe users
score    TRADEMEPHISH  0 0 0 0
Also, 220.127.116.11/19 is listed in SBL (Spamhaus).
Bojan Zdrnja, CISSP, RHCE
Security Implementation Specialist
Information Technology Systems and Services (ITSS)
The University of Auckland, New Zealand
NZNOG mailing list
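The Message-ID rule from Bojan's post, expressed in Python and run over constructed messages, as an added example that is not part of the thread. The sample Message-IDs are made up for illustration (the thread's own samples are not on the page); the only assumption carried over from the rule is that the archive's "(a)" stands for a literal "@". The header set is an approximation of what SpamAssassin's MESSAGEID pseudo-header covers, and the third sample shows the caveat that the rule keys on the trademe.co.nz domain itself, so a phish using a lookalike domain in its Message-ID does not fire it.

```python
import re
from email import message_from_string

# Python form of the SpamAssassin rule from the post. Assumption: the
# "(a)" in the archived rule is the list archive's obfuscation of "@".
TRADEMEPHISH_RE = re.compile(r"^<!~!.*@trademe\.co\.nz>")

# Headers that SpamAssassin's MESSAGEID pseudo-header checks (approximation).
MESSAGEID_HEADERS = ("Message-ID", "Resent-Message-ID", "X-Message-ID")


def matches_trademe_phish(message_id):
    """True if a single Message-ID value matches the TRADEMEPHISH pattern."""
    return TRADEMEPHISH_RE.search(message_id.strip()) is not None


def scan_message(raw):
    """Apply the rule to one raw RFC 822 message.

    Returns the message-id values seen, the ones that matched, and an
    overall verdict, so the caller can attach whatever score it wants
    (the post deliberately leaves the score at 0).
    """
    msg = message_from_string(raw)
    ids = []
    for name in MESSAGEID_HEADERS:
        ids.extend(v.strip() for v in msg.get_all(name, []))
    hits = [i for i in ids if matches_trademe_phish(i)]
    return {"message_ids": ids, "hits": hits, "hit": bool(hits)}


# Constructed samples (not the IDs from the thread): one with the "<!~!"
# prefix the rule keys on, one with a conventional timestamp-style ID.
PHISH_SAMPLE = (
    "From: Trade Me <mailer@trademe.co.nz>\n"
    "To: victim@example.net\n"
    "Subject: Your Trade Me account\n"
    "Message-ID: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAA@trademe.co.nz>\n"
    "\n"
    "Please confirm your account at the link below.\n"
)

LEGIT_SAMPLE = (
    "From: Trade Me <mailer@trademe.co.nz>\n"
    "To: member@example.net\n"
    "Subject: Your listing has sold\n"
    "Message-ID: <20050826015201.12345.mailer@trademe.co.nz>\n"
    "\n"
    "Your item sold.\n"
)

# Caveat case: same "<!~!" prefix but a lookalike domain in the ID. The
# rule does not fire, because it matches the real domain being spoofed.
LOOKALIKE_SAMPLE = (
    "From: Trade Me <mailer@trade-me.example>\n"
    "To: victim@example.net\n"
    "Subject: Your Trade Me account\n"
    "Message-ID: <!~!AAAA@trade-me.example>\n"
    "\n"
    "Please confirm your account.\n"
)


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE),
                       ("lookalike", LOOKALIKE_SAMPLE)):
        print(label, scan_message(raw))
```

Run it directly to see the verdict for each sample; to use it on real mail, feed `scan_message` the raw message text (headers plus body) and treat `hit` as the equivalent of the rule firing, then apply a score of your own choosing.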