[unisog] Problems with EDU.COM domain

GREGORY SEIBERT gregs at kent.edu
Fri Mar 24 00:54:26 GMT 2006

I see four totally different pages for  these -


Kent gets the " We don't know you here - go away" treatment.
Yale get the "Come a little closer, fill in the blanks and let us spam you"
ZZ Top U gets the generic ad page as our colleague from Yale mentioned.
Duke gets an entirely different treatment because apparently their lawyers
have already yelled quite loudly - even different from the treatment
that ksu.edu.com receives and we have heard how they also complained.

Hmmm...I just checked the yale example again and they now get the "Duke"
treatment.You guys must have loud-yelling lawyers also!


Gregory A. Seibert, CISM
Director of Security and Compliance
Suite 384 Library
Kent State University
330-672-0383 (Voice)
330-672-9374 (FAX)

             "Haeusser,  Jens"                                             
             <jens.haeusser at ubc.c                                          
             a>                                                         To 
             Sent by:                     UNIversity Security Operations   
             unisog-bounces at lists         Group <unisog at lists.sans.org>    
             .sans.org                                                  cc 
             03/23/2006 06:20 PM          Re: [unisog] Problems with       
                                          EDU.COM domain                   
              Please respond to                                            
             UNIversity Security                                           
               Operations Group                                            
             <unisog at lists.sans.o                                          

I see a generic page no matter what URL I use. Perhaps the site is
presenting content based on the originating IP of the http connection (ie
Morrow sees a yale.edu.com page when looking at www.yale.edu.com since his
reverse lookup points to yale.edu), rather than just the URL.

Jens Haeusser
Chief Information Security Officer
University of British Columbia


From: unisog-bounces at lists.sans.org on behalf of H. Morrow Long
Sent: Thu 23/03/2006 1:15 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Problems with EDU.COM domain

As well as anything at zzz.edu.com such as XXX.ZZZ.EDU.COM

They all resolve to the same IP for me (

Thing is, if you use a name it recognizes (www.yale.edu.com)
it presents a Yale University specific web page.  If you use a
name it doesn't ( http://xxx.zzz.edu.com/ ) you just get a
generic advertising page.

- H. Morrow Long, CISSP, CISM, CEH

  University Information Security Officer

  Director -- Information Security Office

  Yale University, ITS

On Mar 23, 2006, at 3:37 PM, David Lundy wrote:

             It looks like a wild card.  Things like zzz.edu.com resolve.

             David Lundy
             Acting IT Security Officer
             University of the Pacific

                                                 YorkJ at brcc.edu 03/23/06
11:09 AM >>>

             Wow, even lowly community colleges are listed in the phishing
             edu.com.  They must have copied the entire .edu domain.  I
just called
             Educause (.edu registrar) to let them know about it--the lady
I talked
             to hadn't seen it yet, but promised to send the info to their

             John York
             Network Engineer
             Blue Ridge Community College

             unisog mailing list
             unisog at lists.sans.org
             unisog mailing list
             unisog at lists.sans.org

(See attached file: winmail.dat)
unisog mailing list
unisog at lists.sans.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/octet-stream
Size: 7134 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20060323/c05363a7/winmail.obj

More information about the unisog mailing list