usernamenumber wrote 2009-07-08 09:36 am
Excuse me while I vent...
Update: Mea culpa. It turns out I was the one who had it wrong after all. The email said to "reply to this message with.." all the phish'd information. I'd seen the url (which is still a suspicious-looking url) and thought it was directing people there. *sigh*. Well, that was embarrassing. Maybe that'll teach me to skim things and assume I understand. =:\
===============================================================================================================================
Going to have a little mini-rant here, so I can hopefully then move on and stop thinking about it (nothing heavy, just annoying, and the annoyance is taking up cycles I don't have to spare right now). Heck, maybe I'm missing something, too. If so I'd appreciate having it pointed out.
See, I received a phishing email that said "blah blah blah your account may have been compromised blah blah, go to https: //mail.sover.net/l and enter your username, old password, new password and DOB or we will de-activate your account" (the mis-formatting in the url was added by me to keep it from linking, even though the phishing site has since disappeared).
For those not familiar with phishing scams, a url like "https: //mail.sover.net/l" basically says "Hello, I am a server that someone broke into and set up a hostile site on in a subdir they hope no one will notice until they've hooked some victims".
I looked up the domain's support and abuse addresses and forwarded them the message. Their response was:
> Thanks...but, this is not from us:
> Received: from unknown (HELO User) (helpdesk@80.146.214.107 with login)
> It comes from elsewhere:
> morgan:~ $ whois -h whois.arin.net 80.146.214.107
> OrgName: RIPE Network Coordination Centre
> OrgID: RIPE
> Address: P.O. Box 10096
> City: Amsterdam
> StateProv:
> PostalCode: 1001EB
> Country: NL
> ReferralServer: whois://whois.ripe.net:43
> NetRange: 80.0.0.0 - 80.255.255.255
Ummmm... yes. And? I wasn't accusing you of sending the phishing attempt.
I responded:
> I realize that the email came from elsewhere, but the url it directs
> people to is https: //mail.sover.net/l. So though an external entity is
> sending the email, the site they point victims to is still hosted on
> mail.sover.net.
> That said, mail.sover.net doesn't seem to be responding to http
> responses at all at the moment, so the problem has either gotten better
> or worse depending on whether it ever hosted a legitimate site.
Their response:
> The issue is where the mail came from...and, as said, it did not come
> from us.
> Of lesser note, there is no such site on our end named
> https:// mail.sover.net/l.
> mail.sover.net is a mail (not web) server.
Ok, so, am I nuts or is this person actually being phenomenally stupid on multiple levels? I need either a reality-check or some validation here, 'cause I am seriously annoyed.
I should calm down in any case, I guess, since as I said the phishing site is now down. But the idea that someone whose email sig says he's part of the "Abuse Investigations/Webmaster Response Team" doesn't grok that when someone sends out a scam email pointing people to a site in your domain, they probably weren't just making up a random url that doesn't go somewhere, not to mention that having the hostname "mail" does not magically prevent people from running web servers on a machine, is friggin scary. =:(