Google phishing notification links to broken 'interstitial warning'

Bennett Haselton

Aug 20, 2010, 4:26:11 AM
to google-safe-...@googlegroups.com
Note that in the "Phishing notification regarding liverparty.com"
message that I received (below) is the line:

>>>
Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//www.liverparty.com/ejcllywj.php%3F5Nf5YYdvxXCVe2xEEzcpug%3DW7ebdgOmL39bhdDqaIqbIGeneEe2XaBioG9fXoc48evkxBiwjior3qZCt5k5pK0n8AsI%252BIZFCZbx1JRE4sLENZaB%252FE70bjCBvtFDYu%252BDqJJwQrHWdqQx6jInDKHuR6QOyIcysosChNg1R8fSTAX%252FCwQiIqTZgq2uNIdmWIgo2rKMHnNWCRa0iEpj9z36G%252FhQ2l4gFRcaKYMIF%252FjNJIiyCg%253D%253D%26axRn7C22c0TB1PS9bnXRg%3DNtCNyd%252BlPFteoyi5%252BCN2Vg%253D%253D
>>>

But if you try to go to that page on Google, you get:

>>>
Forbidden
Your client does not have permission to get URL
/interstitial?url=http%3A//www.liverparty.com/ejcllywj.php%3F5Nf5YYdvxXCVe2xEEzcpug%3DW7ebdgOmL39bhdDqaIqbIGeneEe2XaBioG9fXoc48evkxBiwjior3qZCt5k5pK0n8AsI%252BIZFCZbx1JRE4sLENZaB%252FE70bjCBvtFDYu%252BDqJJwQrHWdqQx6jInDKHuR6QOyIcysosChNg1R8fSTAX%252FCwQiIqTZgq2uNIdmWIgo2rKMHnNWCRa0iEpj9z36G%252FhQ2l4gFRcaKYMIF%252FjNJIiyCg%253D%253D%26axRn7C22c0TB1PS9bnXRg%3DNtCNyd%252BlPFteoyi5%252BCN2Vg%253D%253D
from this server. (Client IP address: [my ip here])
>>>

Perhaps someone working on the Safe Browsing API at Google could pass
the word on up that the automated "phishing notification" messages
are sending out a link to a broken script / page?

(Not that I don't appreciate the email in the first place, since
apparently most phishing blacklisting services don't even attempt to
notify you that your site is blocked.)

*********

X-Virus-Scanned: Debian amavisd-new at mxperim5.sea5.speakeasy.net
Received: from mxperim5.sea5.speakeasy.net ([127.0.0.1])
by localhost (mxperim5.sea5.speakeasy.net [127.0.0.1]) (amavisd-new,
port 10024)
with ESMTP id 1EI16jCBJtdG for <bh...@speakeasy.net>;
Tue, 10 Aug 2010 05:05:06 -0700 (PDT)
Received: from peacefire.org (www.peacefire.org [69.72.177.140])
by mxperim5.sea5.speakeasy.net (Postfix) with ESMTP
for <bh...@speakeasy.net>; Tue, 10 Aug 2010 05:05:06 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195])
by peacefire.org (8.13.8/8.13.8) with ESMTP id o7AC55Ym009893
for <ben...@peacefire.org>; Tue, 10 Aug 2010 08:05:05 -0400
Received-SPF: pass (mxus2: domain of phishing.bounces.google.com
designates 209.85.210.70 as permitted sender)
client-ip=209.85.210.70;
envelope-from=3bkBhTAcKBVwHIL8JFSAIIAF...@phishing.bounces.google.com;
helo=mail-pz0-f70.google.com;
Received: from mail-pz0-f70.google.com (mail-pz0-f70.google.com
[209.85.210.70])
by mx.perfora.net (node=mxus2) with ESMTP (Nemesis)
id 0MHIMt-1OejEa25LP-00DnSc for ad...@liverparty.com; Tue, 10 Aug
2010 08:05:04 -0400
Received: by pzk9 with SMTP id 9so2923048pzk.9
for <ad...@liverparty.com>; Tue, 10 Aug 2010 05:05:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=beta;
h=domainkey-signature:mime-version:received:auto-submitted:message-id
:date:subject:from:to:content-type;
bh=Xn2Zwr8iUYh/ZhpDFIDBc3vPN2+6CP27W/cmwMNzYV0=;
b=FlM6dzAyi+s5fs76nOQWPLGtZUGJiLc/pCYWyWE1sQ/6r5n9gQrHubRjWsdhtxgXah
5ga8nX5d5mJEu29xN7Vw==
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=google.com; s=beta;
h=mime-version:auto-submitted:message-id:date:subject:from:to
:content-type;
b=MVtT6NU/cjCtIVSsJ6ctmjHxbZlN+ioabzJXBc+to+qMY2jC0QXnuN6/pU+eEiYvVq
hvhB3owljqqoJvXMpcgA==
MIME-Version: 1.0
Received: by 10.142.172.1 with SMTP id
u1mr4021024wfe.19.1281441902669; Tue,
10 Aug 2010 05:05:02 -0700 (PDT)
Auto-Submitted: auto-generated
Message-ID: <000e0cd2de5068...@google.com>
Date: Tue, 10 Aug 2010 12:05:02 +0000
Subject: Phishing notification regarding liverparty.com
From: nor...@google.com
To: ab...@liverparty.com, ad...@liverparty.com,
admini...@liverparty.com,
con...@liverparty.com, in...@liverparty.com,
postm...@liverparty.com,
sup...@liverparty.com, webm...@liverparty.com
Content-Type: multipart/alternative; boundary=000e0cd2de5068b35e048d76f1b3
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on mail16.sea5
X-Spam-Level: ***
X-Spam-Status: No, score=3.9 required=7.0 tests=BAYES_50,HTML_00_10,
HTML_MESSAGE,MIME_BASE64_TEXT,NO_REAL_NAME,RCVD_BY_IP,SORTED_RECIPS,
URI_REDIRECTOR autolearn=disabled version=3.0.4


Dear site owner or webmaster of liverparty.com,

We recently discovered that some pages on your site look like a
possible phishing attack, in which users are encouraged to give up
sensitive information such as login credentials or banking
information. We have removed the suspicious URLs from Google.com
search results and have begun showing a warning page to users who
visit these URLs in certain browsers that receive anti-phishing data
from Google.

Below are one or more example URLs on your site which may be part of
a phishing attack:

http://www.liverparty
.com/ejcllywj.php?5Nf5YYdvxXCVe2xEEzcpug=W7ebdgOmL39bhdDqaIqbIGeneEe2XaBioG9fXoc48evkxBiwjior3qZCt5k5pK0n8AsI%2BIZFCZbx1JRE4sLENZaB%2FE70bjCBvtFDYu%2BDqJJwQrHWdqQx6jInDKHuR6QOyIcysosChNg1R8fSTAX%2FCwQiIqTZgq2uNIdmWIgo2rKMHnNWCRa0iEpj9z36G%2FhQ2l4gFRcaKYMIF%2FjNJIiyCg%3D%3D&axRn7C22c0TB1PS9bnXRg=NtCNyd%2BlPFteoyi5%2BCN2Vg%3D%3D
http://www.liverparty
.com/ejcllywj.php?5Nf5YYdvxXCVe2xEEzcpug=W7ebdgOmL39bhdDqaIqbIGeneEe2XaBioG9fXoc48evkxBiwjior3qZCt5k5pK0n8AsI+IZFCZbx1JRE4sLENZaB/E70bjCBvtFDYu+DqJJwQrHWdqQx6jInDKHuR6QOyIcysosChNg1R8fSTAX/CwQiIqTZgq2uNIdmWIgo2rKMHnNWCRa0iEpj9z36G/hQ2l4gFRcaKYMIF/jNJIiyCg==

Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//www.liverparty.com/ejcllywj.php%3F5Nf5YYdvxXCVe2xEEzcpug%3DW7ebdgOmL39bhdDqaIqbIGeneEe2XaBioG9fXoc48evkxBiwjior3qZCt5k5pK0n8AsI%252BIZFCZbx1JRE4sLENZaB%252FE70bjCBvtFDYu%252BDqJJwQrHWdqQx6jInDKHuR6QOyIcysosChNg1R8fSTAX%252FCwQiIqTZgq2uNIdmWIgo2rKMHnNWCRa0iEpj9z36G%252FhQ2l4gFRcaKYMIF%252FjNJIiyCg%253D%253D%26axRn7C22c0TB1PS9bnXRg%3DNtCNyd%252BlPFteoyi5%252BCN2Vg%253D%253D

We strongly encourage you to investigate this immediately to protect
users who are being directed to a suspected phishing attack being
hosted on your web site. Although some sites intentionally host such
attacks, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content

If your site was compromised, it's important to not only remove the
content involved in the phishing attack, but to also identify and fix
the vulnerability that enabled such content to be placed on your
site. We suggest contacting your hosting provider if you are unsure
of how to proceed.

Once you've secured your site, and removed the content involved in
the suspected phishing attack, or if you believe we have made an
error and this is not actually a phishing attack, you can request
that the warning be removed by visiting
http://www.google.com/safebrowsing/report_error/?tpl=emailer
and reporting an "incorrect forgery alert." We will review this
request and take the appropriate actions.

Sincerely,
Google Search Quality Team

Note: if you have an account in Google's Webmaster Tools, you can
verify the authenticity of this message by logging into
https://www.google.com/webmasters/tools/siteoverview and going to the
Message Center, where a warning will appear shortly.
