• Welcome to Valhalla Legends Archive.
 

Spammer faking as an "illicit use of your email address is being made" email

Started by Yoni, July 22, 2006, 01:28 PM

Previous topic - Next topic

Yoni

Screen shot:



Full source:
http://yoni.valhallalegends.com/stuff/paypal.txt

The interesting part:
<a target="_parent"
href="http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php">Click
here to cancel your new email address</a>

This appears twice, once for the text/plain part and once for the text/html part.

Note the "adurl" part of the link:
adurl=http://1092229727:9999/https-www.paypal.com/webscrr/index.php

I guess it redirects there or something. To IP address 1092229727, port 9999, directory /https-www.paypal.com/webscrr/index.php.
Yeah, that seems valid.

What's that IP address? Basically, that's a dword comprising of 4 bytes that make up the address.
You can convert it using inet_addr... The quickest way to do that is using a Windows program, such as ping.exe, or even nslookup.exe.

[21:19:36] C:\Misc>nslookup 1092229727
[my dns server details snipped]

Name:    CPE-65-26-26-95.kc.res.rr.com
Address:  65.26.26.95


Some guy's private cable account, I guess. Oh well, poor guy.


EDIT: Almost forgot - the link to click is "Report phishing". Do this.