The Phish, scaled and gutted

You can sit around pointing fingers at someone else when you get phished, or you can do your homework and quit worrying about getting scammed. I would have posted the following “phishing lure” in the Spamples database, but I was too lazy to modify the code so I could get the GIF attachment stuffed in. Make sure you view this on a decent-sized monitor, as the GIF is pretty large and was subject to scaling problems. Here you go:

What it looks like (a GIF attachment in the email)…

And the source (identifying information for the recipient, along with some “<>” tags altered of course)…

Return-Path:
Received: from XXX.com (root@localhost)
by XXX.com (8.12.10/8.12.10) with ESMTP id jBK648SB004302
for ; Tue, 20 Dec 2005 00:04:08 -0600
NOTE: THE REAL SENDER HERE
X-ClientAddr: 83.199.116.66
Received: from APuteaux-154-1-45-66.w83-199.abo.wanadoo.fr (APuteaux-154-1-45-66.w83-199.abo.wanadoo.fr [83.199.116.66])
by XXX.com (8.12.10/8.12.10) with SMTP id jBK63vbf004285
for ; Tue, 20 Dec 2005 00:04:00 -0600
Message-Id: <200512200604.jBK63vbf004285@XXX.com>
FCC: mailbox://identdep_op8979355@ebay.com/Sent
X-Identity-Key: id1
Date: Tue, 20 Dec 2005 00:56:56 -0500
From: eBay
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: XXX@XXX.com
Subject: EBAY INC ALERT – UNAUTHORIZED LOGIN ATTEMPTS
Content-Type: multipart/related;
boundary="------------000006030501050905030001"
X-XXX.com-MailScanner-Information: Please contact the ISP for more information
X-XXX.com-MailScanner: Not scanned: please contact your Internet E-Mail Service Provider for details
X-MailScanner-From: identdep_op8979355@ebay.com
Status:

This is a multi-part message in MIME format.
--------------000006030501050905030001
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

"<"html>

"<"A HREF="https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&sid=verify&co_partnerId=2&siteid=0">
"<"map name="dpyzhl">
"<"area coords="0, 0, 646, 569" shape="rect"
NOTE: THE URL REDIRECT HERE
"<"href="http://ebtptay.ms2u.net/rock/e/">

"<"img SRC="cid:part1.02010502.08000800@support_ref_112108111@ebay.com" border="0" usemap="#dpyzhl">

NOTE: THE SPAM FILTER FOOLING GIBBERISH HERE
"<"font color="#FFFFF9">in 1961 Robert Blake XFL good days to leave a message "<"/font>

"<"/html>

--------------000006030501050905030001
NOTE: THE LINKED GIF IMAGE HERE
Content-Type: image/gif;
name="maintain.GIF"
Content-Transfer-Encoding: base64
Content-ID:
Content-Disposition: inline;
filename="maintain.GIF"
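
The three things the NOTE lines point at (a relay outside the claimed sender's domain, an image map whose click target differs from the visible link, and near-white filler text) can be checked mechanically. The Python below is an added example, not part of the original post; the sample message is constructed on the model of the source above, and its host names, the LureScanner class and the analyze function are illustrative assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message above; all hosts are placeholders.
SAMPLE = """\
Received: from dialup-66.isp.example (dialup-66.isp.example [192.0.2.66])
From: Brand <alerts@brand.example>
Content-Type: text/html; charset=us-ascii

<html><a href="https://signin.brand.example/SignIn">
<map name="m1"><area coords="0, 0, 646, 569" shape="rect"
 href="http://lure.example.net/rock/e/"></map>
<img src="cid:part1@brand.example" border="0" usemap="#m1"></a>
<font color="#FFFFF9">in 1961 good days to leave a message</font></html>
"""

class LureScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = {"a": set(), "area": set()}  # link hosts, per tag
        self.pale_fonts = []                      # nearly white font colours

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in self.hosts and attrs.get("href"):
            self.hosts[tag].add(urlparse(attrs["href"]).hostname or "")
        color = attrs.get("color") or ""
        # Assumption: white page background, so channels >= 0xF0 are unreadable.
        if tag == "font" and re.fullmatch(r"#[0-9a-fA-F]{6}", color):
            if all(int(color[i:i + 2], 16) >= 0xF0 for i in (1, 3, 5)):
                self.pale_fonts.append(color)

def analyze(raw):
    msg = message_from_string(raw)
    findings = []
    claimed = msg["From"].rsplit("@", 1)[-1].strip("> ").lower()
    # Use the host the receiving server resolved "(name [ip])", not the HELO name.
    hops = " ".join(msg.get_all("Received", []))
    relay = re.search(r"\((\S+) \[[\d.]+\]\)", hops)
    if relay and not ("." + relay.group(1).lower()).endswith("." + claimed):
        findings.append(f"relay {relay.group(1)} is outside {claimed}")
    scan = LureScanner()
    scan.feed(msg.get_payload())
    for host in sorted(scan.hosts["area"] - scan.hosts["a"]):
        findings.append(f"image map sends clicks to {host}")
    findings += [f"near-invisible text in {c}" for c in scan.pale_fonts]
    return findings
```

Calling analyze(SAMPLE) returns one finding per trick. These are heuristics: a legitimate sender that mails through a third-party relay will also trip the first check.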
