4.35.9: phishers of phools pheature questions

Tue Nov 2 21:27:02 GMT 2004

Dear Julian Phield,

I've turned on the phishing phraud pheature in 4.3.59, and I've noticed
a couple of strange things in some emails.  One had empty quotes in
the warning:

I invite you to visit the Citizen Advocate=s for=20
Private Philanthropy website&nbsp;<A href=3D""><font color=3D"red"><b>MailS=
canner has detected a possible fraud attempt from "" claiming to be</b></fo=
nt> http://www.capp.info</A>

and another had a quoted URL that agreed with the real URL:

   Do you Yahoo!?<BR>Check out the new Yahoo! Front Page. <A=20
   href=3D"http://www.yahoo.com"><font color=3D"red"><b>MailScanner has dete=
cted a possible fraud attempt from "www.yahoo.com" claiming to be</b></font=
> www.yahoo.com&lt;/a</A></BLOCKQUOTE><FONT SIZE=3D3><BR>

Whats going on here?  Does DNS play a role in this, whereby a dig for
www.yahoo.com produces:

www.yahoo.com.          298     IN      CNAME   www.yahoo.akadns.net.
www.yahoo.akadns.net.   6       IN      A       68.142.226.32
(etc)

ie, yahoo.com does not match akadns.net, so the phishing pheature barks?
Some advice please, before the phone starts ringing...

Jephph (Jeff) Earickson
Colby College

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).