[73249] in North American Network Operators' Group
Re: Phishing (Was Re: WashingtonPost computer security stories)
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Tue Aug 17 11:38:07 2004
Date: Tue, 17 Aug 2004 15:36:58 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@mci.com>
In-reply-to: <412200FB.1020209@fnordsystems.com>
To: Eric Kuhnke <eric@fnordsystems.com>
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 17 Aug 2004, Eric Kuhnke wrote:
>
> >>The mail originated from 68.77.56.130 (an ameritech.net DSL connection,
> >>right now not pingable) and loads some images from www.citibank.com.
> >>It links to http://61.128.198.51/Confirm/ - an IP address hosted by
> >>Chinanet (transit to there supplied by Savvis from my point of view).
>
> It's a 1 line rule with mod_rewrite and apache to block
> nonexistent or off-site http referers attempting to display
> GIF/JPG/PNG images... Sometimes I wonder why Citibank,
> Paypal and others don't do this. It would cut down on the
> displayed authenticity level of many basic phishes.
<cookie-foo>: 31-Dec-2014 00:00:00 GMT; path=/; domain=.usbank.com
Server: Microsoft-IIS/5.0
Date: Tue, 17 Aug 2004 15:34:02 GMT
Citibank.com returns: Server: ""
Perhaps the 1-line mod_rewrite isn't available to them because they don't
have mod_rewrite?
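
The referer check discussed in the quoted text, written out as server-independent logic. This is an added example, not part of the original message or anyone's production configuration; the allowed-host list, the image paths and the lookalike hostname are constructed assumptions.

```python
from urllib.parse import urlsplit

IMAGE_EXTS = (".gif", ".jpg", ".jpeg", ".png")
# Assumption: the hosts that are allowed to embed the site's own images.
ALLOWED_HOSTS = {"www.citibank.com", "citibank.com"}


def image_request_allowed(path, referer, allowed_hosts=ALLOWED_HOSTS):
    """Return True to serve the request, False to answer 403."""
    # Only image requests are checked: pages must stay reachable from
    # bookmarks and typed URLs, which carry no Referer header at all.
    if not urlsplit(path).path.lower().endswith(IMAGE_EXTS):
        return True
    # "Nonexistent" referer: HTML mail rendered in a mail client usually
    # sends none, so this branch is what covers images loaded by the mail.
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    # Compare the parsed hostname exactly. A substring test for
    # "citibank.com" would accept a lookalike such as the one below.
    return (parts.hostname or "").lower() in allowed_hosts


# Constructed sample requests: (requested path, Referer header or None).
SAMPLE_REQUESTS = [
    ("/images/logo.gif", "https://www.citibank.com/index.html"),  # on-site page
    ("/images/logo.gif", "http://61.128.198.51/Confirm/"),        # off-site page
    ("/images/logo.gif", None),                                   # no Referer sent
    ("/images/LOGO.PNG", "http://www.citibank.com.example.net/"), # lookalike host
    ("/index.html", None),                                        # not an image
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Apply the policy to each sample request."""
    return [(p, r, image_request_allowed(p, r)) for p, r in requests]


if __name__ == "__main__":
    for path, referer, ok in evaluate():
        print(f"{'200' if ok else '403'}  {path}  referer={referer!r}")
```

The Referer header is supplied by the client, and legitimate clients behind header-stripping proxies will also lose the images under this policy.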