Spam Filter ISP Support Forum


Feature Request

Fred Dickey (Guest Group)
Posted: 07 July 2004 at 10:43am

I just had this idea after dealing with a bunch of PayPal scam emails trying to steal people's cc's and PayPal account info.  How about a filter where you can feed it a domain name and it checks the hostname that it gets when doing a reverse DNS lookup with the domain name of the email From address?

For example, obviously legitimate email from whoever@paypal.com is going to come from an IP address that reverse DNSes back to paypal.com.  If it reverses back to chartertn.net, comcast.com, bellsouth.net, etc., then it's obviously a scam, since PayPal has their own domain.  Doing a search for paypal.com in all the spam filter logfiles made it very apparent to me which were legit and which were fake. Some of the fake ones are using legitimate return addresses from paypal.com, such as payment@paypal.com, and are using IP addresses at random, so I have no way of blocking these without this sort of feature.
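Added example (not part of the original post or of the spam filter product): a sketch of the check Fred describes, in Python. The protected-domain list, the injectable `ptr`/`a` lookup functions and the sample hostnames and IPs are assumptions constructed for illustration; it also confirms that the PTR name resolves forward to the connecting IP, since PTR records are set by whoever controls the address block.

```python
import socket
from email.utils import parseaddr

def sender_domain(from_header):
    """Domain part of the From: address, lowercased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def in_domain(hostname, domain):
    """True if hostname is the domain or a subdomain of it (label-boundary match)."""
    hostname = hostname.rstrip(".").lower()
    return hostname == domain or hostname.endswith("." + domain)

def system_ptr(ip):
    """Reverse lookup via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_a(hostname):
    """Forward lookup via the system resolver; empty set on failure."""
    try:
        return set(socket.gethostbyname_ex(hostname)[2])
    except OSError:
        return set()

def check_sender(from_header, client_ip, protected, ptr=system_ptr, a=system_a):
    """Return 'skip', 'pass' or 'reject' for one message."""
    domain = sender_domain(from_header)
    if domain not in protected:
        return "skip"      # the rule only applies to the listed domains
    host = ptr(client_ip)
    if host is None or not in_domain(host, domain):
        return "reject"    # no PTR, or the PTR is in someone else's domain
    if client_ip not in a(host):
        return "reject"    # PTR claims the domain but does not resolve back
    return "pass"

# Constructed sample data: documentation IP ranges, made-up hostnames
PTR = {"192.0.2.10": "mx1.paypal.com",
       "198.51.100.7": "dsl-7.chartertn.net",
       "203.0.113.5": "mail.paypal.com"}
A = {"mx1.paypal.com": {"192.0.2.10"}, "mail.paypal.com": {"192.0.2.99"}}

def demo(from_header, ip):
    """Run the check for paypal.com against the constructed tables above."""
    return check_sender(from_header, ip, {"paypal.com"},
                        PTR.get, lambda h: A.get(h, set()))
```

Mail sent on a protected domain's behalf by a third-party relay would be rejected by this rule, so it suits only domains that send from their own hosts.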

Desperado (Senior Member)
Posted: 07 July 2004 at 2:09pm

Nice idea on the surface but .... once PayPal supports SPF, the issue should reduce.  Also, my strategy, which is working so far, is as follows:

In my Blocked From list:

*@paypal.com

In my KeywordWhiteList:

https://www.paypal.com

If there is an actual link to an SSL page at PayPal, then I accept the message.  I have received no more PayPal scams as a result, and all my customers still get valid PayPal email because ALL seem to have that link somewhere in the message body.

Just my input.

Dan S.

Fred Dickey (Guest Group)
Posted: 07 July 2004 at 3:21pm

Thanks for the idea there!  I never thought about manipulating it that way by whitelisting the SSL URL and blacklisting the email addresses.  I can't believe I never thought of that one before...lol.

Desperado (Senior Member)
Posted: 07 July 2004 at 3:32pm

Fred,

The idea popped into my head while I was in the shower of all places, but I also spent some time on the phone with PayPal and that's where the idea solidified, so don't feel too bad!

Dan S.

 

Alan (Guest Group)
Posted: 07 July 2004 at 4:24pm

FYI, I just received a response to a Buyer Complaint I sent in to PayPal, and their response from service@paypal.com did not have the SSL link you mentioned.  The only link in the email was to their unsecured Security Tips page.

Fred Dickey (Guest Group)
Posted: 07 July 2004 at 4:47pm

Ok...now I just got one for ebay.com along the same lines ROFL.  Think the same method will work for it too?  Perhaps I should check with ebay.com.  This is nuts..lol.  I did a tracert of the IP address in the fake link on both of them and sent abuse notices to the ISPs being used, and in eBay's case, I also sent a copy to ebay.com.  I'm sure even if it does get shut down, though, it'll pop up somewhere else soon.

I have a word for describing these people along with spammers and spyware authors but I'll refrain from saying it on such a public forum. :-)

Fred Dickey (Guest Group)
Posted: 07 July 2004 at 4:52pm

One common denominator in both scam emails I've received (eBay and PayPal) is that the REAL hyperlink points to a numeric IP address/~secure/ebay or /~secure/paypal. Perhaps that is what should be blacklisted?

Desperado (Senior Member)
Posted: 07 July 2004 at 5:24pm

I filter ALL "dotted IP" in an http link in email.  If you have a legit site, put real DNS on it ... that's my attitude.  Also, I have a lot of nice strong trees and some very good rope ... for the Spammers of course.

Dan S.
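Added example (not Dan's regex, which is not shown in this thread, and not the product's own code): one way to flag the dotted-IP links discussed above, in Python. It checks both the real target of each HTML anchor, which Fred notes differs from what the message displays, and bare URLs in the text; the sample body and its documentation-range IPs are constructed.

```python
import re
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def is_dotted_ip_url(url):
    """True if an http(s) URL's host is a dotted-quad IPv4 literal."""
    try:
        parts = urlsplit(url)
        if parts.scheme.lower() not in ("http", "https"):
            return False
        ipaddress.IPv4Address(parts.hostname or "")  # hostname excludes any port
        return True
    except ValueError:
        return False

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for each <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def flag_dotted_ip_links(body):
    """Return [(target URL, visible text)] for each link whose target is a dotted IP."""
    collector = LinkCollector()
    collector.feed(body)
    hits = [(h, t) for h, t in collector.links if is_dotted_ip_url(h)]
    seen = {h for h, _ in hits}
    # Bare URLs in plain-text parts have no anchor, so scan the raw body too
    hits += [(u, "") for u in URL_RE.findall(body)
             if is_dotted_ip_url(u) and u not in seen]
    return hits

# Constructed sample body: the visible text names the brand, the target is an IP
SAMPLE = ('<p>Please confirm: <a href="http://192.0.2.44/~secure/paypal">'
          'https://www.paypal.com/login</a> or <a href="https://www.paypal.com/">home</a></p>'
          '\nplain text copy: http://198.51.100.9/~secure/ebay')
```

Running `flag_dotted_ip_links(SAMPLE)` returns the two IP-hosted targets and leaves the genuine `https://www.paypal.com/` link alone.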

Fred Dickey (Guest Group)
Posted: 07 July 2004 at 7:02pm

What wildcard keyword flags all dotted IPs in a URL in email? Or am I missing something?

Desperado (Senior Member)
Posted: 07 July 2004 at 7:31pm

Fred,

You need to use a RegEx (Regular Expression).

Dan S.

Fred Dickey (Guest Group)
Posted: 07 July 2004 at 7:36pm

Thanks...never taken the time to understand regex yet, but I found one of your posts on how to block them using a regex you posted.  Way cool!  That'll have a major effect on these types of emails.