Our Forums Have Moved!

Visit our new forums at http://community.opendns.com/forums/ to post on topics and read the latest content. These forums are now read-only archives.


This discussion has been inactive for longer than 30 days, and is thus closed.
lt.kije, Aug 22nd 2010 (edited):
    Hi everyone.

    I am new to OpenDNS, and have a question about phishing domains that are pointed to by spoof email.

    Today I received a very convincing amazon.com spoof that points to bestcomputerized.com which, according to whois.org, is registered in the Ukraine.

    This domain turns up no results in OpenDNS's "check a domain" search.

    PhishTank reports "Voting disabled" ("This suspected phishing site is unavailable, probably because its host removed it", which seems unlikely for a spoof I received today.)

    The domain is not blocked by OpenDNS.

    OpenDNS does not seem to support tagging domains as "phishing" sites.

    Can anyone offer any insight?

    Thanks
Reply 1:
    In the interest of clarity:

    Spoofing: Faking the "From" email address.
    Spam: Unsolicited advertising.
    Phish: An attempt to get personal information, frequently banking or credit card information, for illegal use.

    I don't see a phish on the page as shown at PhishTank, nor when loading the site itself. This is likely why voting is blocked for now. You may have received spam, even with an obfuscated link, but it is not phishing unless an attempt to get personal information for illegal use is made. If the phishing attempt is not made by bestcomputerized.com, then it would not be appropriate for bestcomputerized.com to be tagged as phishing.


    "OpenDNS does not seem to support tagging domains ad “phishing” sites."

    This is done at PhishTank, which is entirely devoted to tagging phishing sites.


    If you are positively convinced that the email is a phishing attempt made by bestcomputerized.com, you may open a support ticket noting your concern. Keep the email so you may attach it to further correspondence if needed.
    Thankful People: zelus
rotblitz, Aug 22nd 2010 (edited):
    The "problem" is that spam mails with phishvertizing links often are sent out of botnets, even if the phish was removed already, or has not been taken online now, but is/was planned for future use. Under this perspective the phishvertizing spam mails are pretty unrelated and independent from the phishing site itself. Only if a site actually contains an active phish, it should/can be tagged accordingly.
    Thankful People: zelus, maintenance
lt.kije, Aug 22nd 2010:
    Thanks for the response.

    I had presumed it was phishing, and therefore did not visit the site so as to avoid exposure to anything.

    The email explicitly posed as an order confirmation email from amazon.com itself with no reference to any other Amazon partner enterprise or similar. It showed an order number, price and delivery date. According to my mail host, it did come via Amazon:
    "Received: from mm-notify-out-209-10.amazon.com (mm-notify-out-209-10.amazon.com [72.21.209.10])"


    All of the hyperlinks pointed to bestcomputerized.com, (and no deeper), including a link to the order itself, to the amazon "Cart", "wish-list", "account", and an invitation to apply for an amazon credit card.

    Given your response, I clicked the link and was taken to a page offering a variety of big-name software packages (including Kaspersky!!) for PCs and Macs at too-good-to-be-true prices.

    The site did not attempt to represent itself as Amazon, or try to get any account or password information from me, though I presume it would if I went ahead and ordered something.

    The site shows a phone number that is unlisted, and an address in Manhattan that is either fictitious, or contains a typo in the zip code.

    So, given your clarification, the email is Spoofed, is Spam but doesn't meet the criteria for a Phish attempt.

    My question is now:

    - Is this a candidate for tagging in OpenDNS?
    - How should I suggest it be tagged?
    * It is at least "Advertising"
    * The email clearly seeks to mislead
    * It is evidently selling pirated software
    * I would not be surprised to learn that it is malicious.

    I can forward the email if you wish.

    Guidance appreciated.
Reply 2:
    "I had presumed it was phishing, and therefore did not visit the site so as to avoid exposure to anything."

    If you don't enter any information, e.g., a credit card number, you have nothing to worry about from phishing sites.

    While certainly a misleading spam email, it does not sound like it is necessarily a phish. There is no reason so far to tag the referenced website for phishing. There is no particular evidence that the email came from bestcomputerized.com owners.

    However, the site does have a poor reputation at WOT.
    http://www.mywot.com/en/scorecard/bestcomputerized.com

    If you believe it is selling pirated software, notify or ask the companies who produce and own rights to the software, e.g., Microsoft.

    Advertising: Well, the email certainly is spam advertising; however, the site would be classified at OpenDNS under categories like e-commerce/shopping and software/technology. But in all of this, the email you received is not equivalent to the domain referenced. (Personally, I see email and forum spam all the time, sometimes referring to perfectly legitimate sites. What the spammers do is not necessarily related to the site they want to send you to.)

    Perhaps one may submit a new Category to the Idea Bank for suspicious, untrustworthy sites.
rotblitz, Aug 22nd 2010 (edited):
lt.kije, Aug 23rd 2010:
    @rotblitz & Maintenance.

    Thanks for your input.

    My mail host runs Barracuda, so I am "amused" by their rating of bestcomputerized. The spam continues to arrive, exact same message, all pointing to bestcomputerized, so I will continue to take it up with my mail host.

    I will flag bestcomputerized, and contribute to the Idea Bank.

    Thanks again. Hope I will be able to reciprocate in time.
    Thankful People: maintenance
Reply 3:
    Make sure you provide the mail headers to Barracuda - they will need the originating IPs and such. You can also, as I have done, report abuse to the abuse@ address for the originating mailserver/ISP. If the mail isn't coming from an MX address associated with bestcomputerized.com, blocking addresses related to bestcomputerized will have no effect.

    Good luck - I know spam can be overwhelming, especially in an enterprise network.
tabacco (Administrator), Aug 23rd 2010:
    Not having seen the phish email in question, I just want to point out that whoever submitted it to PhishTank last time submitted only the base of the site: http://bestcomputerized.com

    If the phish is really hosted somewhere deeper on that site, you should resubmit the whole URL to PhishTank so that it can be tagged properly. You can register at the site and submit it directly by forwarding the email to phish [at] phishtank.com from the address you registered with.
    Thankful People: maintenance, OpenDNS User
lt.kije, Aug 24th 2010:
    @tabacco

    I did not, in the end, submit bestcomputerized.com as a phish, since it fit the description of "spam" better than "phish". FWIW, the spam referred only to the base URL bestcomputerized.com. I can forward them to anyone who has interest.

    In the end I received four identical spam emails, all pointing to bestcomputerized.com, but all originating from different IPs. According to whois.net they are:
    117.207.164.242 - New Delhi
    83.187.173.35 - Vienna
    114.38.16.128 - Chunghwa Telecom Data Communication Business Group
    82.178.198.144 - Oman

    Cunning buggers, aren't they.

    All have been forwarded to Barracuda as POP attachments, which give all the headers.
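Reply 3 advises handing the full headers to the mail filter because the originating IPs matter, and the last post shows the same spam arriving from four unrelated relays while every link pointed at one domain. The script below, an added example that is not part of this thread and not OpenDNS, PhishTank or Barracuda code, shows how a mail administrator can pull those two signals out of a message automatically: it walks the Received chain to list relay IPs oldest hop first, extracts the hostnames of every link in the body, and flags links whose domain does not match the domain the From header claims. The message, the domain storefront.example and the RFC 5737 relay addresses are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a message from the thread): a spoofed "order
# confirmation" whose From claims amazon.com while the links go elsewhere.
# Relay IPs are RFC 5737 documentation addresses, not the IPs quoted above.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org with ESMTP; Sun, 22 Aug 2010 10:15:03 +0000
Received: from unknown (HELO notify.amazon.com) ([203.0.113.45])
\tby mx.example.net with SMTP; Sun, 22 Aug 2010 10:14:58 +0000
From: "Amazon.com" <order-update@amazon.com>
To: victim@example.org
Subject: Your Amazon.com order 123-4567890-1234567
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Your order has shipped.</p>
<a href="http://storefront.example/order">View order</a>
<a href="http://storefront.example/cart">Cart</a>
<a href="http://www.amazon.com/help">Help</a>
</body></html>
"""

IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def relay_chain(msg):
    """Relay IPs from the Received headers, oldest hop first.

    Each server prepends its own Received header, so the last one in the
    message is the earliest hop. Only the headers added by servers you
    operate can be trusted; anything below them may have been forged by
    the sender, which is why the first hop is still worth recording but
    not worth believing on its own."""
    hops = []
    for received in msg.get_all("Received", []):
        match = IPV4_RE.search(str(received))
        hops.append(match.group(1) if match else None)
    return list(reversed(hops))


def sender_domain(msg):
    """Domain of the address in the From header (the claimed sender)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_hosts(msg):
    """Sorted, de-duplicated hostnames of every href in the body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hosts = set()
    for url in HREF_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def analyse(raw_message):
    """Summarise where a message came from and where its links lead."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    claimed = sender_domain(msg)
    hosts = link_hosts(msg)
    # A link is "foreign" when its host is neither the claimed domain nor
    # a subdomain of it; a message whose links all leave the claimed
    # sender's domain is the pattern described in the thread.
    foreign = [h for h in hosts
               if claimed and h != claimed and not h.endswith("." + claimed)]
    return {
        "claimed_sender_domain": claimed,
        "relay_chain": relay_chain(msg),
        "link_hosts": hosts,
        "foreign_link_hosts": foreign,
        "suspicious": bool(foreign),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_MESSAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feeding it a real message saved with full headers (the "POP attachment" form mentioned above) gives the relay list an abuse report needs and a quick answer to whether the links leave the sender's claimed domain; the first hop, 203.0.113.45 in the sample, is what the mail host or the originating ISP's abuse desk would act on, not the domain in the links.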
