This morning I got a notice from Chase Bank that my account had been accessed from a different location. Could I please go to their website and verify my identity? Considering that I haven't banked at Chase in at least 5 years, it seemed a wee bit suspicious. My gut told me it was spam, but what did the message itself tell me?
The source code concealed as much as it revealed, but my inquiry showed me how these newfangled criminals cover their tracks.
I told my trusty "Mail" program to reveal the original source of the message so I could see where it actually came from. It certainly wasn't from Chase. Examining the source told me a few things:
* Columbia University rates incoming messages with a spam score--not sure how Apple Mail uses it, but this got a spam score of 7.4/10 and was tagged "CU_PHISHY"
* To make the mail look authentic they rely upon images from the Chase website itself.
* The site they want you to click on resides in China--http://www.langoit.com.cn. The attached image of the site provides a serious hint that they're phishing--it doesn't use the actual Chase URL, rather a number.
* I tried to find out who owned those domain names by doing a simple "Whois" search--both the mailer and the site in China--but I wasn't able to learn anything other than that these folks own a bunch of domains. No physical addresses there.
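The checks the post walks through by hand (where the links really point, whether the link host is a bare number rather than the bank's domain, whether the page merely borrows the bank's own images) can be scripted against the raw message source. The following is an added Python example, not code from the post; the two raw messages, the sender and recipient addresses and the 203.0.113.5 address (documentation range) are constructed, and chase.com is used only as the brand domain the message claims to come from.

```python
from email import message_from_string
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the shape the post describes: the logo is hotlinked
# from the real bank site, while the "verify" link goes to a bare IP address.
# Sender, recipient and the 203.0.113.5 address are made up.
PHISH_RAW = """\
From: "Chase Online" <alerts@mailer.example.net>
To: someone@example.edu
Subject: Unusual sign-in - please verify your identity
X-Spam-Score: 7.4/10
Content-Type: text/html; charset=us-ascii

<html><body>
<img src="https://www.chase.com/images/logo.gif">
<p>We noticed a sign-in from a new location.</p>
<a href="http://203.0.113.5/chase/verify.php">Verify your identity</a>
</body></html>
"""

# Constructed control message whose links stay on the brand domain.
LEGIT_RAW = """\
From: "Chase Online" <alerts@chase.com>
To: someone@example.edu
Subject: Your monthly statement is ready
Content-Type: text/html; charset=us-ascii

<html><body>
<img src="https://www.chase.com/images/logo.gif">
<a href="https://secure.chase.com/statements">View statement</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Gather anchor hrefs and image srcs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host):
    """True when the host part of a URL is a numeric IP rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def under_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def collect(raw):
    """Parse the raw message and pull links/images out of every HTML part."""
    msg = message_from_string(raw)
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    return collector


def phishing_indicators(raw, brand_domain="chase.com"):
    """Return human-readable indicators; an empty list means nothing stood out."""
    found = collect(raw)
    indicators = []
    for url in found.links:
        host = host_of(url)
        if is_ip_literal(host):
            indicators.append(f"link host is a bare IP address: {url}")
        elif not under_domain(host, brand_domain):
            indicators.append(f"link host {host} is not under {brand_domain}")
    borrowed_logo = any(under_domain(host_of(u), brand_domain) for u in found.images)
    off_brand_links = found.links and not any(
        under_domain(host_of(u), brand_domain) for u in found.links)
    if borrowed_logo and off_brand_links:
        indicators.append("images come from the brand site but no link goes there")
    return indicators


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_RAW), ("legit", LEGIT_RAW)):
        print(name, phishing_indicators(raw) or "no indicators")
```

Run it on a message saved with "show original source" and the indicator list is the same short checklist the post applies by eye; the brand domain is a parameter because the same pattern (borrowed logo, off-brand or numeric link host) turns up for any impersonated bank.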
I reported the Spam to Chase but how do you fight this new form of crime? It must require strong coordination of different law enforcement agencies in different countries and cost a good deal of money. It preys on the ignorance of users and their trust--and makes us all worse off. The Internet--so many new possibilities, so many yet to be imagined--some wonderful, some not so good. As my soon to be 95 year old grandmother often counsels, "be good, and if you can't be good, be careful." Good advice, regardless of context.
If you put this:
    :0:
    * ^X-Spam-Score:.*\*\*\*\*\*
    mail/spam
into your .procmailrc on cunix, it will automatically move any incoming messages with a spam score of 6 or higher (that's about the best cutoff I've found: higher and too much spam comes through, lower and there are too many false positives) to a spam folder.
Posted by: anders | October 10, 2005 at 04:34 PM
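To see what the recipe's condition line actually matches, here is an added Python example (not code from the thread): it applies the same egrep-style regex to constructed message headers, reads the score in either the star form the recipe keys on or the numeric form quoted in the post, and reports the folder a message would land in. The cutoff, the sample headers and the folder name are assumptions for illustration.

```python
import re
from email import message_from_string

# The condition from the comment above, as the egrep-style regex procmail uses:
# five consecutive asterisks anywhere in the X-Spam-Score header line.
PROCMAIL_CONDITION = re.compile(r"^X-Spam-Score:.*\*\*\*\*\*", re.MULTILINE)


def spam_score(raw):
    """Return the spam score as a float, accepting the star form (one '*' per
    point, e.g. '******') and the numeric form seen in the post ('7.4' or
    '7.4/10'). Returns None when the header is absent or unreadable."""
    value = message_from_string(raw).get("X-Spam-Score")
    if value is None:
        return None
    value = value.strip()
    stars = value.count("*")
    if stars:
        return float(stars)
    m = re.match(r"[-+]?\d+(\.\d+)?", value)
    return float(m.group(0)) if m else None


def recipe_matches(raw):
    """Mimic the recipe's condition: procmail greps the header block only."""
    headers = raw.split("\n\n", 1)[0]
    return bool(PROCMAIL_CONDITION.search(headers))


def deliver(raw, cutoff=5.0):
    """Folder a score-based filter would pick (assumed names): 'mail/spam'
    once the score reaches the cutoff, otherwise the default inbox."""
    score = spam_score(raw)
    if score is not None and score >= cutoff:
        return "mail/spam"
    return "inbox"


# Constructed headers, not captured mail.
SAMPLES = {
    "high": "X-Spam-Score: *******\nSubject: verify your account\n\nbody\n",
    "low": "X-Spam-Score: ***\nSubject: lunch?\n\nbody\n",
    "numeric": "X-Spam-Score: 7.4/10\nSubject: unusual sign-in\n\nbody\n",
    "none": "Subject: no scanner ran\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:8} regex={recipe_matches(raw)!s:5} score={spam_score(raw)} -> {deliver(raw)}")
```

Note that the regex form only fires on the star notation; a scanner that emits a numeric score (as the header quoted in the post does) needs the numeric branch of `spam_score`, which is why the function handles both.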
Thanks Anders--great tip! I'll update my .procmail file.
Posted by: Ted Bongiovanni | October 10, 2005 at 04:48 PM