[Dshield] CNN?

Tony Earnshaw tonni at hetnet.nl
Tue Oct 16 04:27:19 GMT 2007

M Cook skrev, on 15-10-2007 20:04:

> Anyone see the mail from CNN about a desktop alerter? It offers a link 
> to download it:
> Download it now! 
> http://downloadpl.cnn.com/cnn/services/alerter/CNNAlerter.exe
> But if you hover over it, the link is actually
> http://www.access.cnn.com/xyyabbxx_xzenozx.html
> Now I realize this is probably innocent, probably just to implement some 
> sort of tracking; but don't these folks realize it is the same strategy 
> used by phishers (list one URL, hide the real one)? Why don't they just 
> say "click here", or make the text match the linked URL. Wouldn't it be 
> better if legitimate businesses were straightforward, so only the shady 
> ones were sneaky? Plus if they want to be really helpful, they'd put it 
> on an HTTPS page, so the certificate could be validated...

I've read the whole thread up to 01:33 16th October and would just 
remark the following.

I run my own Postfix MTA on my home FC6 workstation/server. I chose 
Clamav running from amavisd-new as one of 2 AV scanners; Clamav has 
specialized in recognizing phishing mails, signals these to amavisd-new, 
which quarantines them.

For the hell I sometimes release these messages and inspect them, follow 
the links. I've found cracked, otherwise innocent, Apache and IIS 
servers redirecting to phishing sites. I'd always be vary wary of 
following links to services on "foreign" servers, notwithstanding that 
the Norwegian web "papers" that I regularly read often redirect to 
advertising or video sites in Denmark or other countries, without warning.


Tony Earnshaw
Email: tonni at hetnet dot nl

More information about the list mailing list