I’ve decided to start taking a more aggressive stance with regard to fraud and spam messages I get in my inbox. Still within the law, mind you… I’m just not being a passive recipient of things that make me think, “Thank God I didn’t fall for that one.” This is because I know somewhere someone is going to fall for them. Last week I received this really, really believable piece of spam that is sure to trap a number of people. The following text is the complaint I sent to the FBI’s IFCC (modified slightly for formatting and privacy reasons): 

Just received this spam today to my home address.  Wanted to pass it on
to everyone else in case you also have an account on ebay.  The short
version is that the spam looks like an official ebay mailing.  When you
click on the link, you will be directed to a site that looks like the
ebay login page.  It is not.  Don't submit this information, because it
will compromise your account.

I've passed the email onto the uce@ftc.gov address and filed a complaint
with the FBI's Internet Fraud group.  Below you will find a copy of the
complaint and the original email.  

Moral of the story: check those URL's closely.  : )

Sujal

------------- forwarded complaint ------------

There is an email purporting to be from recognition@ebay.com which
informs the recipient that they have qualified for a "thank you" gift
from ebay.  It then presents them with a URL that purports to direct the
user to http://pages.ebay.com/...  Instead, it is redirecting them to
the following URL:

http://pages.ebay.com@202.184.170.181:12123/community/recognition/Sign%20In.htm

This URL is really pointing at the IP address 202.184.170.181, which is
registered with APNIC and seems to be owned by people with a Malaysia
address.  I have already sent an email to the contacts listed in the IP
address record, as well as to uce@ftc.gov and fraud@ebay.  I wanted to
file a complaint here to hopefully raise a little more awareness of this
problem.  Judging from the forums at ebay.com, quite a few people have
been bitten by this particular scam.

I have a copy of the email saved including full headers.  The headers
indicate the email came from server.isv.net, IP address 213.137.49.4.
Both the IP address and domain name are registered to someone in
Bulgaria, specifically:

person:       Vesselin Pavlinov Denkov
address:      Ekoplast Ltd
address:      Ovtca Kupel 1 bl.403 entr.D ap.52
address:      Sofia 1832
address:      Bulgaria
phone:        +352 2 9560191
fax-no:       +359 2 9560191
e-mail:       v.denkov@isv.net
nic-hdl:      VPD1-RIPE
notify:       scc@internet-bg.net
changed:      scc@internet-bg.net 20011213
source:       RIPE

I have not contacted him.  

If you need any more information, please let me know.  I have included
the full source of the email below.

Thanks,

Sujal Shah

------------------------

Return-Path: <recognition@ebay.com>
Delivered-To: sujal@-----------------
Received: (qmail 18772 invoked from network); 28 Feb 2003 11:57:25 -0000
Received: from unknown (HELO wawrra.pair.com) ([209.68.1.227])
        (envelope-sender <recognition@ebay.com> ) by mail13.speakeasy.net
        (qmail-ldap-1.03) with SMTP for <sujal@---------->; 28 Feb
2003 11:57:25
        -0000
Received: (qmail 93196 invoked by uid 3118 ); 28 Feb 2003 11:57:05 -0000
Delivered-To: scenic-sujal:net-ebay@----------
Received: (qmail 93192 invoked from network); 28 Feb 2003 11:57:04 -0000
Received: from unknown (HELO server.isv.net) (213.137.49.4) by
        wawrra.pair.com with SMTP; 28 Feb 2003 11:57:04 -0000
Received: from server.isv.net (localhost [127.0.0.1]) by server.isv.net
        (8.11.4/8.11.4) with ESMTP id h1SBtKh31106 for <ebay@---------->;
Fri, 28
        Feb 2003 13:55:21 +0200
Date: Fri, 28 Feb 2003 13:55:21 +0200
Message-Id: <200302281155.h1SBtKh31106@server.isv.net>
To: ebay@----------
From: recognition@ebay.com
Subject: You deserve a special thank you from eBay
Content-type: text/html
X-Evolution-Source: -----------------------------------
Mime-Version: 1.0

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>CONGRATULATIONS</title>
<xmeta content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<xmeta content="MSHTML 5.00.2314.1000" name=GENERATOR>
</head>

<body>
<table align="center">
   <p><br><br> <TD align=middle bgColor=#ffffff height=11><center><IMG
height=119 width=454
src="http://pages.ebay.com@202.184.170.181:12123/community/recognition/orangeStarLogo.jpg"
></center></TD></TR></p>
    <p> </p>
    <TR>
    <TD bgColor=#ffffff height=22>
      <P align=center><FONT color=#333399 size=2><B>CONGRATULATIONS
      ON EARNING YOUR ORANGE
      STAR!</B></FONT></P></TD></TR>
  <TR>
    <TD bgColor=#ffffff vAlign=top><p><IMG align=left height=202
hspace=9
      vspace=9 width=202
src="http://pages.ebay.com@202.184.170.181:12123/community/recognition/orangeStar.jpg" >
We at eBay would like to congratulate you on obtaining feedback
points and
      reaching the
      Fidelity Star level. <BR>
      <BR>
      In order to thank you for your active support of
      the eBay marketplace and your dedication in obtaining feedback
points,
      something that's integral to the success of the marketplace, eBay
would
      like to offer a token of our esteem for all of your hard work and
      dedication. <BR>
      <BR>
      eBay is sending out this thank you and invitation to
      receive free gifts we are offering to our community members who
attained the Fidelity Star level. Below

      you have the promotion code needed to become eligible for this
promotion.</p>
      <p><strong>Promotion Code</strong>: 3830924      </p>
      <P>To activate the gift, just go to <A target="_blank"  

href="http://pages.ebay.com@202.184.170.181:12123/community/recognition/Sign In.htm"
>http://pages.ebay.com/community/recognition/index.htm</A>  and
        insert the verification code when prompted.</P>
      <P align=left>Again, congratulations. </P>
      <P align=left><FONT
size=1>_________________________________________________________________________________</FONT>
          </P>
      <P align=center> </P>
      <P align=center>Bay sent this e-mail to you because your
      Notification Preferences indicate that you want to receive
information
         about Special Promotion, Offers and Events. You are subscribed
as. To change your communication preferences simply reply
        to this e-mail with UNSUBSCRIBE in the subject line. Please note
that
        it
        may take up to
      14 days to process your request. Visit our <A target="_blank"
href="http://pages.ebay.com/help/community/png-priv.html" >Privacy
Policy</A>
          and <A target="_blank"
href="http://pages.ebay.com/help/community/png-user.html" >User
Agreement</A> if you have any questions.</P>
      <P align=left>---------------------------------------<br>
      TRADING GUIDELINES<br>

-----------------------------------------------------------------<br>
      eBay will not request personal data (password, credit card/bank
numbers, <br>
      and so on) in an email. Learn how to protect your account at <br>
      http://pages.ebay.com/help/account_protection.html<br>
      Thank you for using eBay!<br>
      <a href="http://www.ebay.com">http://www.ebay.com/</a></P>
      <p align="left"> Copyright © 2001 eBay Inc. All Rights
Reserved. Designated
        trademarks and brands are the property of their respective
owner. eBay
          and the eBay logo are trademarks of eBay Inc.<BR>
      </p></table>
    </body>
</html>

-----Forwarded Message-----
From: recognition@ebay.com
To: ebay@----------
Subject: You deserve a special thank you from eBay
Date: 28 Feb 2003 13:55:21 +0200

                                [image]
              CONGRATULATIONS ON EARNING YOUR ORANGE STAR!

[image] We at eBay would like to congratulate you on obtaining feedback
points and reaching the Fidelity Star level. 

In order to thank you for your active support of the eBay marketplace
and your dedication in obtaining feedback points, something that's
integral to the success of the marketplace, eBay would like to offer a
token of our esteem for all of your hard work and dedication. 

eBay is sending out this thank you and invitation to receive free gifts
we are offering to our community members who attained the Fidelity Star
level. Below you have the promotion code needed to become eligible for
this promotion.

Promotion Code: 3830924 

To activate the gift, just go to
http://pages.ebay.com/community/recognition/index.htm and insert the
verification code when prompted.

Again, congratulations. 

_________________________________________________________________________________

Bay sent this e-mail to you because your Notification Preferences
indicate that you want to receive information about Special Promotion,
Offers and Events. You are subscribed as. To change your communication
preferences simply reply to this e-mail with UNSUBSCRIBE in the subject
line. Please note that it may take up to 14 days to process your
request. Visit our Privacy Policy and User Agreement if you have any
questions.

---------------------------------------
TRADING GUIDELINES
-----------------------------------------------------------------
eBay will not request personal data (password, credit card/bank numbers,
and so on) in an email. Learn how to protect your account at
http://pages.ebay.com/help/account_protection.html
Thank you for using eBay!
http://www.ebay.com/

Copyright © 2001 eBay Inc. All Rights Reserved. Designated trademarks
and brands are the property of their respective owner. eBay and the eBay
logo are trademarks of eBay Inc.

If you didn’t look closely, you could probably miss the trick. HTML is nasty like that, which is why I usually HATE it. Anyway, in addition to complaining to the FTC and FBI, I sent an email to the contacts listed for the domain and IP addresses of the machine that was running this “fake” eBay login page. I was surprised to receive the following email a few days ago: 

Date: Wed, 5 Mar 2003 10:09:16 +0800 (MYT)
From: JARING Abuse Administrator <abuse@jaring.my>
To: Sujal Shah <sujalnet@---------->
cc: JARING Abuse Administrator <abuse @jaring.my>
Subject: Re: [ABUSE-20030303.000036] Re: Fraud occuring at an IP address
	managed by you (fwd)

Dear Sir/Madam,

This IP belongs to an organisation network. We will inform the
administrator of the organization regarding this case and ask them to take
the necessary action to stop such activities. Please notify
abuse@jaring.my if the activity continues.

We apologize for any inconvenience which may have been caused by this
incident.  We hope that we will be able to better serve your needs in
the future.

Thank you.

Regards,
abuse/..ninie

JARING Abuse Team (URL: http://www.jaring.my)
MIMOS Berhad, Taman Teknologi Malaysia, 57000 Kuala Lumpur
Tel: +60-3-8996 5000  Fax: +60-3-8996 1898

NONE

I feel so useful. :)