[LINK] eBay Security Advice
kim at holburn.net
Thu Sep 27 23:09:25 EST 2007
On 2007/Sep/27, at 10:48 AM, Craig Sanders wrote:
> On Thu, Sep 27, 2007 at 09:08:51AM +0200, Kim Holburn wrote:
>> Just today I got an interesting ebay phish.
>> Looking carefully in the received headers (Surely there is some
>> way this
>> could be made easy for unsophisticated users)
> dunno if it's suitable for "unsophisticated users", but i have
> email addresses for my ebay and my paypal accounts, that aren't
> used for
> *ANYTHING* else (one of the advantages of running my own mail server).
> if an ebay or paypal phish comes in, the first thing i look at is the
> address it was sent to. if it's not to the correct address, then i
> automatically that it's a phish - no further investigation required.
> so far (since the accounts were created in 2002), not one phish (or
> other spam) has been sent to my dedicated email or paypal
> addresses, but
> i still closely examine the headers of any messages
> almost all (99.99+%) ebay/paypal/bank phishes get caught by my
> spamassassin and other anti-spam rules, anyway. very few ever get
> delivered to a mailbox...i can't remember the last time that happened.
Most of mine do too.
> in fact, the only spam that was ever sent to my ebay address was from
> an ebay trader that i bought something from once - and he thought that
> entitled him to subscribe me to his mailing list. he was wrong.
> me gets him on my boycott list. he was also stupid enough not to set
> up his list so that only he could post to it, so when my complaint was
> CC-ed to his list, it started a mini-flamewar on his list about why
> spamming is evil.
> BTW, one other advantage of using dedicated addresses for particular
> sites is so you know if the site has sold your personal
> if they have, the email address can easily be deleted.
> sometimes i use "plussed" addresses, e.g. cas+SITENAME at taz.net.au, but
> some cretinous web site developers mistakenly think that "+" isn't a
> valid character in email addresses and refuse to accept it. in that
> case, i just edit /etc/aliases and create a new alias. an alias is
> slightly more work, but it's better than a plussed address anyway -
> anyone can strip off the plussed portion of the address to get my
> i use plussed addresses when i'm pretty sure the site isn't going to
> spam me, and aliases when i'm not so sure.
> sites that i'm pretty sure ARE going to spam me, i just ignore.
>> I found it was from a domain called emailebay.com.
> are you sure it was a phish? according to whois, this domain
> appears to
> be owned by ebay, and has been registered since 2001. the NS records
> for the domain point to the same name-servers as ebay.com (i.e. ebay's
Yeah I didn't notice that. It may be a genuine ebay email. I wish
they wouldn't send out crap like this that looks like phishing emails.
>> The links to click look like this:
>>> Your registered name is included to show this message originated
>>> eBay. Learn more.
> both hostnames (rover and click3) in that url are valid ebay
>> The page is real but my noscript says there are scripts from a
>> site called:
> was that a typo? i.e. ebaTstatic or ebaYstatic? ebay uses
> to server static page elements (i.e. non-dynamically generated -
typo, it was ebaystatic.com
>> It looks so legit. Have ebay servers been compromised? I can't
>> see how
>> they could add anything that wasn't from ebay, yet clearly they did
> dunno. it's theoretically possible that their entire DNS *AND* the
> server for .com domains has been hijacked but it's unlikely - it would
> require more effort, skill, co-ordination and timing than is usual for
> net scammers (it doesn't take much skill to screw things up, but it
> takes a lot to do it without leaving any trace).
> but, as ever, *NEVER* under any circumstances click on a link in email
> no matter how legitimate it looks, even if you're 100% certain that it
> is legit.
I only do that with a locked down version of firefox on a machine I
don't use for normal work, just to see what happens if I can't figure
it out by examining the URL.
> especially if it is to a banking or trading site.
> instead, type in the URL in the location bar of your browser.
> oh, and set your ebay preferences to send you plain text only, not
> HTML-mail. that's another good way of auto-detecting ebay phishes -
> *always* come as HTML mail. HTML in email is wrong, anyway.
I so rarely use ebay that I didn't notice this option. Good catch.
> craig sanders <cas at taz.net.au>
> Link mailing list
> Link at mailman.anu.edu.au
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
More information about the Link