[nsp-sec] AOL mail to the WCP - Possible breach of TOS
Steve Peters
steven.peters at corp.aol.com
Fri Jun 25 10:46:48 EDT 2010
ack and forwarded over to our mail assassins.
Steve Peters
AOL - Network Security
On Jun 25, 2010, at 10:01 AM, Daniel Robert Adinolfi wrote:
> ----------- nsp-security Confidential --------
>
> AOLfolk,
>
> Please destroy the mailbox <bendasbdb at aol.com>. It is a phishing dropbox.
>
> Thanks.
>
> -Dan
>
> Begin forwarded message:
>
>> From: Glenn Forbes Fleming Larratt <gl89 at cornell.edu>
>> Date: June 25, 2010 06:53:22 EDT
>> To: "abuse at aol.com" <abuse at aol.com>
>> Subject: Possible breach of TOS
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> AOL account invoked as recipient for this phish for credentials. Please
>> take appropriate action.
>>
>> Please note - the original message was base-64-encoded, so it was simpler
>> to isolate the full headers and append them below the message body.
>>
>> Thank You,
>> - --
>> Glenn Forbes Fleming Larratt
>> Cornell University IT Security Office
>>
>> - ---------- Forwarded message ----------
>> Date: Thu, 24 Jun 2010 23:54:56 -0400
>> From: System Administrator <online597465 at telkomsa.net>
>> Reply-To: "bendasbdb at aol.com" <bendasbdb at aol.com>
>>
>>
>>
>> A DGTFX virus has been detected in your folders. Your email account has to be upgraded to our new Secured DGTFX anti-virus 2010 version to prevent damages to our webmail log and your important files. Click your reply tab,Fill the columns below and send back to us or your email account will be terminated to avoid spread of the virus.
>> Username: ....
>> Password: ....
>>
>> Note that your password will be encrypted with 1024-bit RSA keys for your password safety.
>> Director of Technical Team.
>> - ---------- Forwarded headers ----------
>> MIME-Version: 1.0
>> Received: from orchid.mail.cornell.edu (132.236.56.61) by
>> cashub08.exchange.cornell.edu (10.16.197.27) with Microsoft SMTP Server id
>> 8.1.393.1; Thu, 24 Jun 2010 23:55:15 -0400
>> Received: (from daemon at localhost) by orchid.mail.cornell.edu (8.13.6/8.13.6)
>> id o5P3tGBX007010; Thu, 24 Jun 2010 23:55:16 -0400 (EDT)
>> Received: from nmc.cit.cornell.edu (yucca.cit.cornell.edu [128.253.180.83]) by
>> orchid.mail.cornell.edu (8.13.6/8.13.6) with ESMTP id o5P3tFno006993; Thu, 24
>> Jun 2010 23:55:15 -0400 (EDT)
>> Received: from hermes1.mail.cornell.edu (hermes1.mail.cornell.edu
>> [132.236.56.12]) by nmc.cit.cornell.edu (8.13.8/8.13.4) with ESMTP id
>> o5P3tACT011549 for <security-backline at yucca.cit.cornell.edu>; Thu, 24 Jun
>> 2010 23:55:10 -0400 (EDT)
>> Received: from soapstone1.mail.cornell.edu (soapstone1.mail.cornell.edu
>> [128.253.83.143]) by hermes1.mail.cornell.edu (8.13.6/8.12.6) with ESMTP id
>> o5P3t9o4028995 for <security-backline at nmc.cit.cornell.edu>; Thu, 24 Jun 2010
>> 23:55:09 -0400 (EDT)
>> Received: (from daemon at localhost) by soapstone1.mail.cornell.edu
>> (8.13.6/8.13.6) id o5P3tAOF024178; Thu, 24 Jun 2010 23:55:10 -0400 (EDT)
>> Received: from walnut.mail.cornell.edu (walnut.mail.cornell.edu
>> [128.253.83.153]) by soapstone1.mail.cornell.edu (8.13.6/8.13.6) with ESMTP
>> id o5P3t84Q024154; Thu, 24 Jun 2010 23:55:08 -0400 (EDT)
>> Received: from sargas.telkomsa.net (sargas.telkomsa.net [196.25.211.69]) by
>> walnut.mail.cornell.edu (8.13.1/8.14.2) with ESMTP id o5P3svr5030701; Thu, 24
>> Jun 2010 23:55:02 -0400
>> Received: from mail3.telkomsa.net (zimbra3-vm1.lb2.telkomsa.net
>> [192.168.16.224]) by sargas.telkomsa.net (Postfix) with ESMTP id DE48A2A0241;
>> Fri, 25 Jun 2010 05:54:21 +0200 (SAST)
>> From: System Administrator <online597465 at telkomsa.net>
>> Date: Thu, 24 Jun 2010 23:54:56 -0400
>> Subject:
>> Thread-Index: AcsUGjiKocWObzawSb6YP/31bMa53w==
>> Message-ID:
>> <1011154786.253961277438096812.JavaMail.root at zimbra3-vm1.telkomsa.net>
>> Reply-To: "bendasbdb at aol.com" <bendasbdb at aol.com>
>> Accept-Language: en-US
>> Content-Language: en-US
>> X-MS-Exchange-Organization-AuthAs: Anonymous
>> X-MS-Exchange-Organization-AuthSource: cashub08.exchange.cornell.edu
>> X-MS-Has-Attach:
>> X-MS-TNEF-Correlator:
>> x-ph: V4.1 at orchid
>> x-pmx-version: 5.5.9.395186, Antispam-Engine: 2.7.2.376379, Antispam-Data:
>> 2010.6.25.34514
>> x-pmx-cornell-spam-checked: poppy
>> x-originating-ip: [192.168.16.51]
>> x-additional-recipients-added: 6
>> Content-Type: text/plain; charset="utf-8"
>> Content-Transfer-Encoding: base64
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (Darwin)
>>
>> iEYEARECAAYFAkwkiqIACgkQLyw7nZwiKgTFVACfZNJ2c/hVnW4H7LiUseVXj2lG
>> JmIAnj9RGmJ4oaJ6zHAQ2RkAm8qvU3+R
>> =kE8z
>> -----END PGP SIGNATURE-----
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
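The reporter notes that the original message was base64-encoded, so the full headers were isolated and appended after the body. The script below is an added example, not code from this thread or from AOL or Cornell: it reconstructs the message from the headers quoted above (trimmed to the hops that matter, RFC 5322 folding restored, the archive's "at" obfuscation undone, and the phish text re-encoded to base64 here so the parser has to undo the same encoding the reporter mentions), decodes the body, walks the Received chain from the origin outward to find the first hop with a public address, flags the Reply-To pointing at a different domain than From (the dropbox the thread asks AOL to close), and checks the body for fill-in credential fields. Only the Received lines written by your own relays can be trusted; anything below the first of those (here, the telkomsa.net hops) was supplied by the sending side and could be forged.

```python
import base64
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Sample message built from the headers quoted in the forwarded report above
# (intermediate Cornell hops dropped, folding restored, addresses de-obfuscated).
# The body is the phish text, re-encoded to base64 so the script must decode it.
PHISH_BODY = (
    "A DGTFX virus has been detected in your folders. Click your reply tab, "
    "fill the columns below and send back to us.\n"
    "Username: ....\n"
    "Password: ....\n"
)
RAW_MESSAGE = (
    "MIME-Version: 1.0\n"
    "Received: from orchid.mail.cornell.edu (132.236.56.61) by\n"
    " cashub08.exchange.cornell.edu (10.16.197.27) with Microsoft SMTP Server id\n"
    " 8.1.393.1; Thu, 24 Jun 2010 23:55:15 -0400\n"
    "Received: (from daemon@localhost) by orchid.mail.cornell.edu (8.13.6/8.13.6)\n"
    " id o5P3tGBX007010; Thu, 24 Jun 2010 23:55:16 -0400 (EDT)\n"
    "Received: from sargas.telkomsa.net (sargas.telkomsa.net [196.25.211.69]) by\n"
    " walnut.mail.cornell.edu (8.13.1/8.14.2) with ESMTP id o5P3svr5030701; Thu, 24\n"
    " Jun 2010 23:55:02 -0400\n"
    "Received: from mail3.telkomsa.net (zimbra3-vm1.lb2.telkomsa.net\n"
    " [192.168.16.224]) by sargas.telkomsa.net (Postfix) with ESMTP id DE48A2A0241;\n"
    " Fri, 25 Jun 2010 05:54:21 +0200 (SAST)\n"
    "From: System Administrator <online597465@telkomsa.net>\n"
    "Date: Thu, 24 Jun 2010 23:54:56 -0400\n"
    "Subject:\n"
    'Reply-To: "bendasbdb@aol.com" <bendasbdb@aol.com>\n'
    "x-originating-ip: [192.168.16.51]\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(PHISH_BODY.encode("utf-8")).decode("ascii") + "\n"
)

# "from <helo> (<rdns> [<ip>]) ... by <host>"; the parenthesised part is optional
# because local submissions look like "(from daemon@localhost) by <host>".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[^\s()]+)\s*(?:\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>[^\s()]+)",
    re.S,
)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_received(msg):
    """Relay hops in delivery order (origin first), one dict per Received header."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", str(raw))  # collapse any remaining folding
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip_match = IPV4_RE.search(m.group("info") or "")
        hops.append({
            "helo": m.group("helo"),
            "ip": ip_match.group(0) if ip_match else None,
            "by": m.group("by"),
        })
    hops.reverse()  # each relay prepends its header, so the last written is hop one
    return hops


def find_origin_relay(hops):
    """First hop (origin side) whose connecting address is public: private and
    loopback addresses in earlier hops belong to the sender's own network."""
    for hop in hops:
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop["helo"], hop["ip"]
    return None


def reply_to_redirect(msg):
    """(from_addr, reply_to_addr) when a reply would go to a different domain
    than the one the message claims to come from; None otherwise."""
    _, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if sender and reply_to:
        if sender.rsplit("@", 1)[-1].lower() != reply_to.rsplit("@", 1)[-1].lower():
            return sender, reply_to
    return None


def credential_fields(body):
    """Names of fill-in lines that ask for login details, e.g. 'Password: ....'."""
    pattern = r"(?im)^\s*(username|user ?name|password|passcode)\s*:"
    return [m.group(1).lower() for m in re.finditer(pattern, body)]


def analyze(raw_message):
    """Decode the message and collect the indicators an abuse desk would act on."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_content()  # undoes the base64 transfer encoding and charset
    hops = parse_received(msg)
    redirect = reply_to_redirect(msg)
    return {
        "hops": hops,
        "origin_relay": find_origin_relay(hops),
        "redirect": redirect,
        "dropbox": redirect[1] if redirect else None,
        "credential_fields": credential_fields(body),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

On this sample the dropbox comes out as bendasbdb@aol.com, the origin relay as sargas.telkomsa.net (196.25.211.69), and the body is flagged for asking for a username and password; the 192.168.x hops and the x-originating-ip line are private space inside the sender's network and are not useful for attribution on their own.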