52 States in 8 Months

UDel scam

Posted in University stuff by Ulf on April 10, 2009

Today I received an e-mail telling me to read an “urgent message”. They wanted me to go to…


Well… dear attacker, some lessons for your next attempt:


  • Why did you put the “?” into the URL?
  • Why don’t you use HTTPS? Can’t you get some certificate for your fake host?
  • And why is your server not reachable now? I mean, the e-mail is less than half an hour old. Did the UDel admins already block the routing to your server? (Yes, they did. I can reach your server from Stuttgart.)

Some more info:

  • mail.udel-edu.net is resolved to The traceroute goes to somewhere in Japan.
  • The domain has been registered… well, tomorrow! I’m writing this on 03/17/09, and the whois entry says that the domain was created and registered on 2009-03-18.
  • Other information in the whois entry: jack williams, 25th avenue, new york city 65334, jaga.123enough@gmail.com, +1.8473993021. Too bad the zip code belongs to some place in Missouri instead of New York… Maybe one should automatically check the consistency of DNS records before allowing some surfer to visit a website?
  • The route which the email took to come to me:
    bird-x.com []
    md2.nss.udel.edu [] 
    md3.nss.udel.edu []

    Yes, the mail was sent through the real UDel infrastructure!
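
The checks this post walks through by hand (no HTTPS, a look-alike host name, a whois creation date that does not fit the mail date), as an added Python example that is not part of the original post. The URL path, the function names and the 30-day threshold are assumptions, and the whois date is passed in as a value rather than looked up.

```python
from datetime import date
from urllib.parse import urlsplit


def is_lookalike(host: str, trusted: str) -> bool:
    """True if host imitates `trusted` without actually being under it."""
    host = host.lower().rstrip(".")
    trusted = trusted.lower()
    if host == trusted or host.endswith("." + trusted):
        return False  # genuinely the trusted domain or one of its subdomains

    # Drop dots and hyphens so "udel-edu.net" exposes the embedded "udeledu".
    def squash(name: str) -> str:
        return name.replace(".", "").replace("-", "")

    return squash(trusted) in squash(host)


def link_findings(url, trusted, received, whois_created, min_age_days=30):
    """Return the warning flags a mail filter could attach to a link."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme != "https":
        findings.append("no-https")
    if is_lookalike(host, trusted):
        findings.append("lookalike-domain")
    age_days = (received - whois_created).days
    if age_days < 0:
        # Creation date later than the mail itself, as seen in the post
        # (possibly a registrar time-zone effect; either way brand new).
        findings.append("whois-created-after-mail")
    elif age_days < min_age_days:
        findings.append("newly-registered-domain")
    return findings


# Host name and dates are from the post; the path is a constructed placeholder.
SAMPLE_URL = "http://mail.udel-edu.net/placeholder-path"
RECEIVED = date(2009, 3, 17)
WHOIS_CREATED = date(2009, 3, 18)

if __name__ == "__main__":
    for flag in link_findings(SAMPLE_URL, "udel.edu", RECEIVED, WHOIS_CREATED):
        print(flag)
```
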


2 Responses


  1. Martin said, on April 10, 2009 at 12:37 pm

    Hm Ulf are you indirectly telling me you let your mail client render html for you???
    Plaintext FTW!!!!

  2. Ulf said, on April 12, 2009 at 6:08 pm

    No, of course not!
    At least not rendering … my Claws Mail just filters out all the HTML-markup tags and displays some “unrendered” version of it.
    But I must admit that it at least “interprets” the HTML somehow, so there might be security holes in there… dunno.
