I think it might just be coincidence. I've gotten about 10 of them and
haven't been to ebay or amazon in months.
Most of them have been for >60 dollar books.

Nick Olsen
Network Operations (855) FLSPEED x106

I think it's a troll, trying to shock you into clicking on something.

Examination of the raw messages confirms phishing messages. Visible URLs do not match effective URLs.

Yup. They hope that the message contents are a coincidence and scare
you into seeing (i.e. clicking on...) what it's about.

This happened to me a few years ago where I changed my ebay password,
and about 30 minutes later got a phishing email that my password
change failed. So I clicked the link and re-did it. As soon as I
clicked on the submit button I noticed that the URL I was forwarded to
was to some server in Russia. /facepalm.

I went and sheepishly changed my ebay password AGAIN that very moment,
with a bit of awe towards the clever con I had fallen into. Luckily I
noticed. But how many others didn't?


I have gotten them from "amazon" stating "order number X was cancelled and please click on the below file for more information". Because I order so much on amazon, I almost thought it was real and clicked on it but then went to the amazon site and looked at "my open orders". It always pays to go to the site, not believe email.

Sometimes I wonder how many nanog'ers would fall for a phishing email sent to this DL. I suspect the number is more than 0.


I have a spam pit email address which I monitor for trends to have a little bit of jump on the possible things users might touch at work. I started seeing the amazon, ebay and paypal ones a few weeks back. The other one I have started to see a lot of is the "Free or cheaper home phone service through magic jack" ones. Again as expected they link to some .ru domain and look just like the normal sign up page. Also my handy dandy virtual machine was instantly owned with malware just by loading the page. The VM runs Windows 7 as a non administrative user, UAC cranked up and IE9. Something like 10 installed apps showed up including "Adobe Flash Player Latest."

The other cool one I have been seeing is along the lines of "How to better utilize your office phone system" or "New Business Phone systems" with supposed links to "popular new phone system trends". This one is rather crafty as it has an embedded image which is a nice weblink to an infected jpg. So you click show picture in outlook, or in your browser and you get another installed piece of nastyware.

These are exploit kit teasers.

Black hole exploit kit specifically. I wouldn't click on any of the links in there.

Anyone who would like to send me copies of these, I'll take.

Security Settings in the Trust Center:
  "Read as Plain Text"
  "Even Signed Messages as Plain Text"
  "Never Download Images"
  "Require Confirmation when Forwarding or Replying will Download Anything at all"

Disable the AutoInfect options:
  "Turn off the Preview"
  "Turn off the Reading Pain"

You will never fall for a phishing scam or other malicious e-mail message ever again. I could never quite understand how anyone could get "phished" by e-mail since I have never ever seen a "phishing" or other malicious message that was not obviously so, even when I don't have me spectacles on!

And for everyone who sends you a web-page-by-email, tear them a new a**hole. If they do not mend their ways, get rid of em. Banish them to bh0 where they belong. If routing them to bh0 doesn't work, then at least send their drivel to /dev/nul.

1. This is why (particularly when dealing with older and/or non-technical
people who are incredibly easy to scam) I recommend (a) bookmarking
their critical sites, such as banks, and (b) training them to never,
ever, EVER use anything but those bookmarks to get to those sites.

2. Of course, many of those same critical sites have been ardently
training their customers to be phish victims by their appallingly
stupid insistence on HTML markup in email, which is why (1) is necessary.


Not too long ago I received 3 phone calls, with a strong Indian
accent and broken English, claiming to be a computer support
firm that has noticed virus activities on my Windows computer.

First time I told them I don't have any Windows machines. They
then hung up.

The second time, I asked them what IP they saw this from. They
didn't know. Then they hung up.

The third time, I told them I had 15 machines, and asked which
one. They hung up again.

The calls came from different Los Angeles area codes, but had
to be VoIP.