« Are Dictionary Attackers Getting Desperate? | Main | More To: Field Inanity »

November 05, 2007

Another day, another batch of phishing sites to report.

It's not always easy to reach the owner of a hijacked web site being used by a phisher. Many abused sites are dormant, meaning that contact info on the site is useless. Domain registration data is also less than reliable, especially if the domain was registered for a now-failed enterprise.

As is my practice, I try to locate the domain owner before ratting him or her out to the hosting firm because it may take only a quick fix to get rid of the phishing stuff while the rest of the site continues to operate normally. A lot of hosting firms, however, take a more heavy-handed approach, cutting off access to the entire site now and asking questions later.

One of today's phishing messages linked to a beauty products site, where a redirector page had been inserted. The main site didn't look quite finished, meaning that it was still under construction or had been abandoned mid-development. Checking the domain registration, I found that it had been created in August of this year.

The domain registration record had a contact email address of support@[theDomainName]. I gave it a 50-50 chance of still being good, and fired off my usual phishing notification, which included a copy of the message showing the hijacked URL (which I also highlight in my brief intro so the recipient doesn't have to dig through all kinds of HTML code to find the offending location).

In short order, I received a "Mail delivery failed" backscatter message from the recipient ISP's email server. The ISP uses the MessageLabs spam/malware filtering service for incoming email. MessageLabs reported that my message was filtered. No specific reason was provided, but it could be because my message included the spammy evidence needed to support my assertion or even because I initiate my message from a Comcast access point. It's not the first time my good intentions have been so blocked.

To my surprise, however, the delivery failure notice revealed some information that the recipient probably doesn't want spread around. You see, the ISP's backscatter message showed me the actual email address to which the support@[theDomainName] address relayed the message. In other words, in its effort to shield the user from my "spam," the ISP also reported back to me the real address of my intended recipient. D'oh!

Worse still, the recipient appears to be using a government email address as a contact point for this beauty products site. A little side business on taxpayer time?

I sent my notice again (sans evidence to satisfy MessageLabs) through a completely different email system directly to the newly revealed email address. This person may be surprised that I now know the secret identity. Lucky for this person that I am not a blackmailer (or blackemailer).

In the end, this is a case of unintended consequences. Holding onto the privacy of an email address is next to impossible—even more so when your ISP helps disseminate it.

And to the beauty products sideliner potentially abusing government resources, I have one simple message: Take down the damned phishing redirector page and secure the site!