[nsp-sec] GMail dropbox in use, webmail.supportteam09 at gmail.com
RuthAnne Bevier
ruthanne at caltech.edu
Tue Mar 2 17:09:14 EST 2010
Google, we're getting some phishes with a dropbox reply-to of
webmail.supportteam09 at gmail.com -- a sample with full headers is
below:
>From bredatwohig at eircom.net Tue Mar 2 14:00:08 2010
Return-Path: <bredatwohig at eircom.net>
X-Original-To: thanne at caltech.edu
Received: from earth-doxen.imss.caltech.edu (localhost [127.0.0.1])
by earth-doxen-postvirus (Postfix) with ESMTP id 1757266E48F9;
Tue, 2 Mar 2010 14:00:07 -0800 (PST)
X-Spam-Scanned: at Caltech-IMSS on earth-doxen by amavisd-new
X-Spam-Flag: NO
X-Spam-Score: 3.305
X-Spam-Level: ***
X-Spam-Status: No, score=3.305 tagged_above=-10000 required=5
tests=[RCVD_IN_BL_SPAMCOP_NET=2.188, RCVD_IN_SORBS_WEB=1.117]
autolearn=disabled
Received: from jonola.caltech.edu (jonola.caltech.edu [131.215.239.176])
by earth-doxen-external (Postfix) with ESMTP id 340A730B0BFA;
Tue, 2 Mar 2010 14:00:01 -0800 (PST)
Received: by jonola.caltech.edu (Postfix, from userid 60001)
id D3E8316F01; Tue, 2 Mar 2010 14:00:01 -0800 (PST)
X-Original-To: network at treqs.caltech.edu
Delivered-To: network at treqs.caltech.edu
Received: from outgoing-mail.its.caltech.edu (outgoing-mail.its.caltech.edu [131.215.239.19]) by jonola.caltech.edu (Postfix) with ESMTP id 604B616D09 for <network at treqs.caltech.edu>; Tue, 2 Mar 2010 13:59:59 -0800 (PST)
Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1]) by fire-doxen-postvirus (Postfix) with ESMTP id 19BAF328585 for <network at treqs.caltech.edu>; Tue, 2 Mar 2010 13:59:59 -0800 (PST)
X-Mailbox-Line: From bredatwohig at eircom.net Tue Mar 2 13: 59:58 2010
X-Original-To: network at caltech.edu
Delivered-To: network at caltech.edu
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1]) by fire-doxen-postvirus (Postfix) with ESMTP id BF5F8328674 for <network at caltech.edu>; Tue, 2 Mar 2010 13:59:58 -0800 (PST)
X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
X-Spam-Flag: NO
X-Spam-Score: 3.305
X-Spam-Level: ***
X-Spam-Status: No, score=3.305 tagged_above=-10000 required=5 tests=[RCVD_IN_BL_SPAMCOP_NET=2.188, RCVD_IN_SORBS_WEB=1.117] autolearn=disabled
Received: from mail02.svc.cra.dublin.eircom.net (mail02.svc.cra.dublin.eircom.net [159.134.118.18]) by fire-doxen-external (Postfix) with SMTP id 190DF3285B4 for <network at caltech.edu>; Tue, 2 Mar 2010 13:59:54 -0800 (PST)
Received: (qmail 78665 messnum 13155282 invoked from network[86.43.60.61/webmailbox101.eircom.net]); 2 Mar 2010 21:59:53 -0000
Received: from webmailbox101.eircom.net (86.43.60.61) by mail02.svc.cra.dublin.eircom.net (qp 78665) with SMTP; 2 Mar 2010 21:59:53 -0000
Date: Tue, 2 Mar 2010 21:59:53 +0000 (GMT)
From: Webmail Support Team <bredatwohig at eircom.net>
Reply-To: "webmail.supportteam09 at gmail.com" <webmail.supportteam09 at gmail.com>
Message-ID: <33506852.191831267567193645.JavaMail.root at webmailbox101.eircom.net>
Subject: [TR #1932897] Attention Email Account Holder,Upgrade Your Account Now!!!
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Originating-IP: [221.194.130.20]
To: undisclosed-recipients:;
X-TBCK-ID: 5dcaa593c0811f82479d7dde5374154c
X-TBCK-Status: First;AllClear;0
Precedence: bulk
X-Caltech-ITS-T-Reqs-Initiated: yes
X-Caltech-ITS-T-Reqs-URL: https://treqs.caltech.edu/cgi-bin/ars-get-ticket.pl?ticket_id=1932897
X-Caltech-ITS-T-Reqs-Group: Network
Attn: University Webmail Account Owner
This message is from University web mail admin messaging center to all University web mail account owners. We are currently upgrading our data base and e-mail account center.We are canceling unused web mail email account to create more space for new accounts.To prevent your account from closing you will have to update it below to know it's status as a currently used account.
CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username : ................................
Email Password : .................................
Date of Birth .....................................
Warning!!! Any account owner that refuses to update his/her account within Three days of this update notification will loose his/her account permanently.
Thank you for using our University web mail
Support Team
Warning Code :ID67565434
Contact email:webaccount
--
RuthAnne Bevier
Information Security
California Institute of Technology
626-395-2671
ruthanne at caltech.edu
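
Added example, not part of the original message: a minimal Python check for the header traits visible in the sample above (a Reply-To on a different, free-webmail domain than From, with hidden recipients). The header excerpt is trimmed from that sample; the FREEMAIL list and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Trimmed copy of the headers quoted above, in the archive's "user at host" form.
SAMPLE = """\
Return-Path: <bredatwohig at eircom.net>
From: Webmail Support Team <bredatwohig at eircom.net>
Reply-To: "webmail.supportteam09 at gmail.com" <webmail.supportteam09 at gmail.com>
Subject: [TR #1932897] Attention Email Account Holder,Upgrade Your Account Now!!!
X-Originating-IP: [221.194.130.20]
To: undisclosed-recipients:;

Attn: University Webmail Account Owner
"""

# Assumption: a short illustrative list of free webmail domains; extend locally.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}

def deobfuscate(value):
    """Undo the list archive's 'user at host' address masking."""
    return re.sub(r"(\S+) at (\S+\.\S+)", r"\1@\2", value)

def domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(deobfuscate(header_value or ""))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def dropbox_indicators(raw):
    """List the header traits that mark a reply-to dropbox phish."""
    msg = message_from_string(raw)
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    hits = []
    if reply_dom and reply_dom != from_dom:
        hits.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    if reply_dom in FREEMAIL:
        hits.append(f"replies go to free webmail ({reply_dom})")
    if "undisclosed-recipients" in (msg["To"] or "").lower():
        hits.append("recipients hidden (bulk Bcc)")
    return hits

if __name__ == "__main__":
    for hit in dropbox_indicators(SAMPLE):
        print(hit)
```

Each trait is weak on its own (mailing lists and help desks legitimately set a different Reply-To), so the result is better used as a score contribution than as a block rule.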