Spam Email


#1

Hi, I just received the following email from do.not.reply@dreamhost.com. I've starred out some details.

Subject: Dreamhost Inc. l***y***er.com: Tariff plan changes…
To: ******@gmail.com
Cc:

Dear DreamHost client,

In your account has been created request for changing of a tariff plan.
It is necessary confirmation of this request.
You can do it in the section (Change tariff) Virtual Offices :

Sincerely,

DreamHost hosting Team.

Is this spam or am I over paranoid?


#2

While this is undoubtedly spam, as was confirmed by Andrew F in another recent thread, I do have a question about the link, which starts with ‘https://dreamhost.com/login.aspx’ followed by some arguments involving a long string of alphanumeric payload.

My question is that, although of course such a link should never be clicked on, nevertheless, how can a link which starts with the characters ‘https://dreamhost.com/login.aspx’ be dangerous? One must of course check that the actual link in the original html tag is the same as what textually appears, and one must also consider the possibility that the appearance could be deceptive, it could be Russian characters which only look like the Latin alphabet, so one must do a grep-check that these characters are what they appear to be. The link in the OP passes those checks, but it’s still possible that the link in the original email was dangerous and has become sanitized in the course of being pasted into a post in this forum.

But bearing all that in mind, is there any possibility that an alphanumeric payload could dangerously subvert the real dreamhost login panel? If so, that would be a bug.

Thanks to anyone who can educate us on this point.

Random thought: perhaps the hidden purpose of this spam is to make people needlessly worry about the possibility of a bug in the dreamhost panel.


#3

The text of the link was to the described page (which doesn’t exist), but the target of the link was completely different. Kind of like this:

http://example.com/

And yes, the email you received was a phishing email. Delete it.


#4

Thanks for that, and I had to look up rickrolling in Wikipedia so it was educative.

To clarify, I didn’t receive one of these phishing emails and am basing my comments on what is posted here and in the other thread. In the other thread you removed the link and in this thread you haven’t.

I’m not saying you’re being inconsistent. There could be good reasons for the difference but readers will naturally wonder what’s going on. Possibly the poster in the other thread managed to paste the hidden part of the link so it was dangerous whereas in this thread only the visible part got pasted so it’s safe.

Maybe, in a webhosting support forum, there would be a case for automatically filtering out rickrolling links. If that is possible. For example: if the visible part of the link begins with the characters ‘http://’ or ‘https://’ then it must be identical to the hidden part of the link.


#5

No inconsistency intended, I just hadn’t gotten around to filtering out that link yet. Changed now.

For what it’s worth, that particular link is harmless, but the point is that it shouldn’t be clicked on in the email.


#6

I also got that email. It looked very realistic because the fake URL started with https://dreamhost.com and it included the official DreamHost logo; however, the bad English made me suspicious.

Looking at the email headers shows that it was sent from an open proxy in the Netherlands. If you disable HTML view and go into text view, you will also see an obfuscated URL from a website in Kenya.

Spammers are checking what sites are hosted with DreamHost by looking at the site DNS. I know because the email address where I received this cannot be found in my DreamHost account; they took it from the whois service and targeted their spam against DreamHost customers.

This spam is very realistic, I think that many people will fall for it.