Phishing (Was Re: WashingtonPost computer security stories)

Eric Kuhnke eric at fnordsystems.com
Tue Aug 17 12:58:35 UTC 2004


>>The mail originated from 68.77.56.130 (an ameritech.net DSL connection,
>>right now not pingable) and loads some images from www.citibank.com.
>>It links to http://61.128.198.51/Confirm/ - an IP address hosted by
>>Chinanet (transit to there supplied by Savvis from my point of view).

It's a 1-line rule with mod_rewrite and Apache to block 
nonexistent or off-site http referers attempting to display 
GIF/JPG/PNG images...  Sometimes I wonder why Citibank, 
Paypal and others don't do this.  It would cut down on the 
displayed authenticity level of many basic phishes.
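
A rule of the kind described above, written out as an added example (not part of the original post, and not any bank's actual configuration). The hostname example.com is a placeholder for the site's own name, and the choice of a 403 response is an assumption.

```apache
# Added example. example.com is a placeholder hostname (assumption).
# Works in server/vhost context or in .htaccess; requires mod_rewrite.
RewriteEngine On

# True when the Referer does NOT start with our own origin.
# An empty or missing Referer also fails the match, so the single
# negated condition covers both "nonexistent" and "off-site".
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(:[0-9]+)?(/|$) [NC]

# Refuse GIF/JPG/PNG requests that met the condition with 403 Forbidden.
# "-" means no substitution; F = forbidden, NC = case-insensitive.
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
```

Because requests with no Referer are refused as well, the same rule also denies images to legitimate visitors whose browser or proxy strips the header.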



