52 States in 8 Months

UDel scam

Posted in University stuff by Ulf on April 10, 2009

Today I received an e-mail telling me to read an “urgent message”. They wanted me to go to…

http://mail.udel-edu.net/wm/?mail/login.html

Well… dear attacker, here is the real login page for comparison:

https://mail.udel.edu/wm/mail/login.html

Some lessons for your next attempt:

  • Why did you put the “?” into the URL? Everything after it (“mail/login.html”) becomes a query string instead of a path.
  • Why don’t you use HTTPS? Can’t you get a certificate for your fake host?
  • And why is your server not reachable now? I mean, the e-mail is less than half an hour old. Did the UDel admins already block the routing to your server? (Yes, they did. I can reach your server from Stuttgart.)

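Those three observations can be turned into a mechanical check. The script below is an added example and not part of the original post; it compares a URL against the real login host (here mail.udel.edu) and flags a non-HTTPS scheme, a host that contains the organisation's name without being under its domain, and a query string that looks like a mistyped path. The registrable-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
# Added example (not from the original post): sanity-check a login URL
# against the legitimate host. The "registrable domain" helper is a
# deliberate simplification (last two labels); a production check would
# consult the Public Suffix List instead.
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels of the host name.
    Correct for udel.edu and udel-edu.net, wrong for e.g. *.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_login_url(url: str, legit_host: str) -> list:
    """Return human-readable findings; an empty list means the URL looks
    like the legitimate login page."""
    findings = []
    p = urlparse(url)
    host = p.hostname or ""
    legit_domain = registrable_domain(legit_host)   # "udel.edu"
    legit_label = legit_domain.split(".")[0]         # "udel"

    # 1. A login page should be served over HTTPS.
    if p.scheme != "https":
        findings.append(f"scheme is {p.scheme or 'missing'}, not https")

    # 2. The host must be the real domain or a subdomain of it. A host
    #    that merely contains the organisation's name (udel-edu.net) is
    #    the classic lookalike.
    if not is_under(host, legit_domain):
        if legit_label in host:
            findings.append(f"lookalike host {host}: contains '{legit_label}' "
                            f"but is not under {legit_domain}")
        else:
            findings.append(f"host {host} is unrelated to {legit_domain}")

    # 3. A '?' followed by something path-shaped (slashes, no '=') means
    #    path components ended up in the query string, as in
    #    '/wm/?mail/login.html'.
    if p.query and "/" in p.query and "=" not in p.query:
        findings.append(f"query string '{p.query}' looks like a mistyped path segment")

    return findings


if __name__ == "__main__":
    for u in ("http://mail.udel-edu.net/wm/?mail/login.html",
              "https://mail.udel.edu/wm/mail/login.html"):
        print(u, "->", check_login_url(u, "mail.udel.edu") or "looks legitimate")
```

Run on the two URLs from the post, the fake one yields three findings and the real one none. The lookalike test is deliberately loose (substring match on the organisation label) because attackers vary the separator; the subdomain test is the strict one.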
Some more info:

  • mail.udel-edu.net resolves to 210.188.206.230. The traceroute ends somewhere in Japan.
  • The domain has been registered… well, tomorrow! I’m writing this on 03/17/09, and the whois entry says that the domain was created and registered on 2009-03-18.
  • Other information in the whois entry: jack williams, 25th avenue, new york city 65334, jaga.123enough@gmail.com, +1.8473993021. Too bad the zip code belongs to some place in Missouri instead of New York… Maybe one should automatically check the consistency of the whois registration data before letting a user visit a website?
  • The route the e-mail took to reach me (oldest hop first, reconstructed from the Received: headers):
    bird-x.com [72.47.201.120]
    md2.nss.udel.edu [128.175.1.12]
    md3.nss.udel.edu [128.175.1.13]
    mx0.gmx.net

    Yes, the mail was sent through the real UDel infrastructure!
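Two of the points above, the registration date in the future and the relay chain, can be checked from the data alone. The script below is an added example, not code from the original post: registration_flags compares a whois creation date with the date the mail was seen, and parse_received rebuilds the hop list from the Received: headers and reports which outside host handed the mail to the first relay under udel.edu. The raw message is constructed for this example; the host names and IP addresses are the ones quoted above, while the dates and everything else in the headers are made up.

```python
# Added example (not from the original post). Hosts and IPs in RAW are the
# ones quoted in the post; dates and header details are invented.
import re
from datetime import datetime
from email import message_from_string


def registration_flags(created: str, seen_on: str, max_age_days: int = 30) -> list:
    """created / seen_on as YYYY-MM-DD (whois 'Creation Date' and the day the
    mail was seen). Returns a list of findings."""
    created_on = datetime.strptime(created, "%Y-%m-%d").date()
    seen = datetime.strptime(seen_on, "%Y-%m-%d").date()
    age = (seen - created_on).days
    flags = []
    if age < 0:
        # Whois timestamps are normally UTC, so "tomorrow" usually just
        # means "registered a few hours ago" for a reader behind UTC.
        flags.append(f"creation date {created_on} is {-age} day(s) in the future")
    elif age <= max_age_days:
        flags.append(f"domain is only {age} day(s) old")
    return flags


FROM_RE = re.compile(r"\bfrom\s+([\w.\-]+)(?:\s+\(([^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+([\w.\-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message: str) -> list:
    """Return hops oldest-first as (from_host, from_ip, by_host).
    Every MTA prepends its own Received: header, so the top one is newest."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received") or []):
        hdr = " ".join(hdr.split())                    # unfold continuation lines
        m_from, m_by = FROM_RE.search(hdr), BY_RE.search(hdr)
        if not (m_from and m_by):
            continue
        ip_m = IP_RE.search(m_from.group(2) or "")
        hops.append((m_from.group(1), ip_m.group(1) if ip_m else None, m_by.group(1)))
    return hops


def route(hops: list) -> list:
    """Flatten the hop list into the ordered hosts the mail passed through."""
    if not hops:
        return []
    return [hops[0][0]] + [by for _, _, by in hops]


def entry_point(hops: list, trusted_suffix: str):
    """First hop received *by* a relay under trusted_suffix: the outside host
    (and its IP) that injected the mail into that infrastructure."""
    for from_host, ip, by_host in hops:
        if by_host.lower().endswith(trusted_suffix.lower()):
            return from_host, ip, by_host
    return None


# Constructed sample message (not the original mail); newest header on top.
RAW = """\
Received: from md3.nss.udel.edu ([128.175.1.13]) by mx0.gmx.net
 with SMTP; Tue, 17 Mar 2009 18:02:11 +0100
Received: from md2.nss.udel.edu ([128.175.1.12]) by md3.nss.udel.edu
 with ESMTP; Tue, 17 Mar 2009 13:02:05 -0400
Received: from bird-x.com ([72.47.201.120]) by md2.nss.udel.edu
 with SMTP; Tue, 17 Mar 2009 13:01:58 -0400
Subject: urgent message

Please read the urgent message at http://mail.udel-edu.net/wm/?mail/login.html
"""

if __name__ == "__main__":
    print(registration_flags("2009-03-18", "2009-03-17"))
    hops = parse_received(RAW)
    print(" -> ".join(route(hops)))
    print("entered udel.edu via:", entry_point(hops, "udel.edu"))
```

Two caveats a practitioner would want: whois creation dates are normally given in UTC, so a date one day ahead of the local calendar is consistent with a registration a few hours earlier, not with a forgery; and Received: headers below the first relay you trust can be forged by the sender, so the (from_host, ip) pair returned by entry_point for your own infrastructure is the last hop you can rely on.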

2 Responses

  1. Martin said, on April 10, 2009 at 12:37 pm

    Hm, Ulf, are you indirectly telling me you let your mail client render HTML for you???
    Plaintext FTW!!!!

  2. Ulf said, on April 12, 2009 at 6:08 pm

    No, of course not!
    At least not rendering … my Claws Mail just filters out all the HTML markup tags and displays some “unrendered” version of it.
    But I must admit that it at least “interprets” the HTML somehow, so there might be security holes in there… dunno.
