New kind of spam (of course not, but...)

I get a lot of email, and a lot of that is spam of course. Several hundred (if not a thousand) spam messages a day. But today I got a new thing. A request from a registry (GoDaddy) that I should update my info with them. Of course one should never do whatever someone “just” requests via email, but the bad thing is that registries normally do send out email similar to this.

If one looks at the HTML rendering of the email, we see what you see here:

As you can see, it looks as if the link goes to www.godaddy.com. If we look at the link one is supposed to click on (by viewing the source of the message) we see the following:

```html
<a href="http://godaddyupdate.com/login.aspx.htm">www.godaddy.com/?isc=ICANN07a</a>
```

Note that the domain name in the URI is godaddyupdate.com. Pretty interesting that they have chosen a domain name that includes godaddy. That is pretty smart, but not enough for me. The domain is hosted at Yahoo! (both DNS and web hosting). But if we go to whois and check who owns the domain godaddyupdate.com, we find the following:

```
Domain Name.......... godaddyupdate.com
Creation Date........ 2007-11-06
Registration Date.... 2007-11-06
Expiry Date.......... 2008-11-06
Organisation Name.... jhefdj jkoiefj
Organisation Address. 86B N. El Cerro Loop
Organisation Address.
Organisation Address. Los Lunas
Organisation Address. 25487
Organisation Address. NM
Organisation Address. UNITED STATES
```

You can also see that the domain was registered on Nov 6th. I would like to have a well-defined protocol where I could ask a registry how long a registrant has owned a domain. If the domain is very new, the risk that the domain name is being used for fraud is pretty high. Something for SpamAssassin to include in their calculations (remember where you saw this idea the first time).

Curious as I was, I fired up my browsers to see what was on that page. First of course a wget to see what I get back.

Of course someone has already detected this web page. I was a bit slow this time… When I try this URL in Firefox, I also see that the page is added to their list of potential phishing sites. A good thing, and a feature that other browsers should also have.

It is good that the registry in Sweden, .SE, is signing email with PGP.