WTF? eBay says I can’t charge more than $3 to ship an item in the DVD category. I’m selling a 2-pound boxed set. The cheapest USPS rate is $3.16 for media mail. I appreciate the effort to prevent sellers from overcharging for shipping, and $3 leaves plenty of room for most DVDs…but apparently it hasn’t occurred to them that people might be selling larger boxed sets.

Anyway, I’m selling some Farscape DVDs on eBay. The auctions end Sunday, November 29.

Someone I know encountered a really sneaky eBay phish this weekend. It arrived through eBay’s official “Ask seller a question” system, and consisted of a simple request: Was his auction the same as the auction at the following About Me page?

The URL was a normal eBay URL of the form Pasting the link into another browser brought up the user’s About Me page… which consisted of a spoofed eBay login form that would submit the username and password to a page hosted at Yahoo.

So it not only came through eBay’s official messaging system, but the form appeared on eBay’s own website, meaning it bypasses many of the usual cues. It’s not a secured page, but use of SSL for login pages is still spotty enough that a user could easily miss that. And how many people have noticed that eBay only puts login forms on You have a slightly better chance if you have a browser like Opera, which shows you the target* of a form when you hover over a button. If you think to look at it. Continue reading

OK, I appreciate that eBay has a dedicated email address for reporting phishing attempts. I appreciate that their abuse department is a lot busier than I am, and therefore has to rely heavily on form letters. And I appreciate that they’re making an effort to educate the public on how to spot phishing and avoid getting caught.

But when I forward them a message with the comment, “Here’s a sample of a blatant phish,” is it really necessary to reply with the full two-page notice explaining, “This is a spoof, we didn’t send it, here’s how to avoid it, blah blah blah” and the entire body of the original message, complete with the links to the phishing site?

I’d think in this case a simple, “Thanks for the report, we’ve notified the authorities” note would be sufficient, especially since the “how to spot a phish” stuff is already in the auto-response. All it takes is giving their abuse staff an extra choice for the form letter.

And under no circumstances should they be including the full, original text of the phish. At best, it’s asking for the response to get lost in a spam box or blocked outright. At worst, it’s a security risk waiting to happen (since this copy really did come from eBay). Somewhere in the middle is the risk of mucking up adaptive filters as they try to reconcile the original message, which was spam, with the new message, which isn’t.

eBay must have some sort of blanket advertising deal with Google, because the “sponsored links” you get for some searches really don’t make any sense.

Case in point: I did a Google search for the phrase, “nigerian scam,” and saw the following ad:

Looking for Nigerian Scam? Find exactly what you want today

Wow, when they say, “Whatever it is, you can get it here.”—they really mean it! 😉

Interestingly, if you search for “419 scam,” you get the same type of ad, but not if you search for “advance fee fraud.”

I tried a few random search terms, and from what I can tell, eBay’s ad shows up on many—but not all—two-word searches. I’m not sure what the pattern is, but I can’t imagine someone at eBay deliberately asked to buy ad space for some of these phrases.

But in a show of accuracy, if you search for “random stuff,” you’ll find it!

Anyone whose email address is posted on a web site probably doesn’t bother to identify who sent them viruses anymore. With faked return addresses and the high probability that your only connection to the sender is the fact that they visited your web page sometime in the last month, there really isn’t much point.

Every once in a while, you’ll see something weird.

Today I received what looked like a classic credit-card theft scam: a notice supposedly from PayPal claiming that my account would be canceled unless I re-entered all my credit card information into the linked web page. Right. Normally I just report it to PayPal and delete it, but this one had an attachment instead of a link, and that attachment had been defanged. With a name like, it was pretty obviously a virus. Continue reading