[nsp-sec] server-vonage.com

Michael Sinatra michael at rancid.berkeley.edu
Mon Aug 17 16:15:55 EDT 2009


Yes.  Forwarding is fine, and I haven't yet pinged the vonage folks
directly--I am trying to get the site taken down at this point.  Looks
like the original got stripped, so I have appended it as text with full
headers after this message.

On 08/17/09 12:27, Chris Morrow wrote:
> someone's poked vonage directly for this? there's at least 1 vonage
> person on another security list I can send this along to if not. (and if
> the email's forwardable sanitized)
> 
> -chris
> 
> On Mon, 17 Aug 2009, Michael Sinatra wrote:
> 
>> ----------- nsp-security Confidential --------



Received: from malcolm.berkeley.edu (localhost [127.0.0.1])
	by malcolm.berkeley.edu (8.14.3/8.13.8m1) with ESMTP id n7G1RAr8070572
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Sat, 15 Aug 2009 18:27:10 -0700 (PDT)
	(envelope-from mailnull at malcolm.berkeley.edu)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.95.2 at malcolm.berkeley.edu
Received: (from mailnull at localhost)
	by malcolm.berkeley.edu (8.14.3/8.13.3/Submit) id n7G1RAmN070571;
	Sat, 15 Aug 2009 18:27:10 -0700 (PDT)
	(envelope-from mailnull)
Received: from smtp-out1.berkeley.edu (smtp-out1.Berkeley.EDU
 [128.32.61.106])	by malcolm.berkeley.edu (8.14.3/8.13.8m1) with ESMTP id
 n7G1R90G070567	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256
 verify=NO)	for <noc at ack.berkeley.edu>; Sat, 15 Aug 2009 18:27:10 -0700
 (PDT)	(envelope-from notice at vonage.com)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.95.2 at malcolm.berkeley.edu
Received: from cpe-144-131-132-233.static.nsw.bigpond.net.au
 ([144.131.132.233] helo=prestigepartyhire.com.au)	by fe2.calmail with
 esmtp (Exim 4.69)	(envelope-from <notice at vonage.com>)	id 1McUWQ-0005mF-8L
 for noc at berkeley.edu; Sat, 15 Aug 2009 18:27:04 -0700
Received: from vonage.com ([66.237.145.76]) by prestigepartyhire.com.au
 with Microsoft SMTPSVC(6.0.3790.3959);	 Sun, 16 Aug 2009 11:14:33 +1000
From: Vonage Customer Care <notice at vonage.com>
To: noc at berkeley.edu
Subject: [ Unauthorized Access ] - You have 1 new alert message!
Date: 15 Aug 2009 20:14:25 -0500
Message-ID: <20090815201424.341AEFE5EF6CAF06 at vonage.com>
MIME-Version: 1.0
Content-Type: text/html;	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Originalarrivaltime: 16 Aug 2009 01:14:33.0466 (UTC)
FILETIME=[E9D13DA0:01CA1E0E]
X-Ucb-Scan-Signature: 6a9fa750d141f3aa3d3ab1f076214a88b904e99a
X-Ucb-Spam: Gauge=XXXXXXXXI, Probability=81%,	Report='HTML_IMAGE_ONLY_24
 2.207, HTML_MESSAGE 0.001, MIME_HTML_ONLY 1.672,	MIME_QP_LONG_LINE 1.819,
 RAZOR2_CF_RANGE_51_100 0.5,	RAZOR2_CF_RANGE_E8_51_100 1.5, RAZOR2_CHECK
 0.5, TVD_PH_SUBJ_META 0'
X-Ucb-Notice: This message has been processed by a spam tagging system.
	See http://mailinfo.berkeley.edu/ for more information.
X-List: noc

<html>
<img border=3D"0" src=3D"http://i29.tinypic.com/a0fbqo.gif"
width=3D"161" he=
ight=3D"37"><p>
<font color=3D"#FF0000" size=3D2 face=3D"Arial"><br></font>
<font color=3D"#F99424" size=3D2 face=3D"Arial">Dear Vonage
Member,</font><f=
ont face=3DArial size=3D2><font color=3D"FF9933" size=3D4><br></font>

<br>
 We have reason to believe that your Vonage account has been
fraudulent=
ly accessed by a third party using other ISP (Internet=20
Service Provider)<br>
<br>
 This might have happened due to the following reasons:<br><br>
- You accessed your account from a different computer or you have
changed yo=
ur Operating System.<br>
- You have dynamic IP address and due to that our system might have
interpre=
tated=20
it as an unauthorized attempt.<br>
- You entered a wrong password 3 times when you tried to connect to your
Von=
age=20
account.<br>
<br>
 Please understand that your account is safe but is currently=20
<font color=3D"#F99424"><b>Suspended</b></font><br><br>

 This suspension can be easily removed by logging in, by <strong>
<a href=3D"http://server-vonage.com/"><font color=3D"#F99424">Clicking=20
Here</font></a></strong><font color=3D"#F99424"> </font>or the link
below:<b=
r>
<br><strong><a href=3D"http://server-vonage.com/"><font color=3D"#F99424">
https://secure.vonage.com/vonage-web/public/login.htm</font></a></strong><br=
>

<br>
* We will check your IP Address, Time Zone, and if all matches, your
account=
 was never fraudulently accessed.<br>
<br>
 <u>We are very sorry if this affects you in any way but our
clients se=
curity is a top priority for=20
Vonage.</u><br>
<br>
<br>

Regards,<br>
Vonage Customer Care<font size=3D1 color=3DCCCCCC><br><br></font></font>
<font face=3D"Arial"><span class=3D"opDefaultContent" id=3D"opmodule_body">

<font size=3D"2" color=3D"#CCCCCC">Vonage 911 service operates
differently t=
han=20
traditional 911. See </font><font size=3D"2"><a
href=3D"http://www.vonage.co=
m/911/">
<font color=3D"#CCCCCC">www.vonage.com/911</font></a></font><font
color=3D"#=
CCCCCC"><font size=3D"2">=20
for details. =A9 2009 Vonage Marketing LLC. All Rights Reserved.</font>
</fo=
nt>
</span></font>

</p>


