[nsp-sec] Attn Gmail: "nkprm345 at gmail.com" dropbox used in phish

RuthAnne Bevier ruthanne at caltech.edu
Fri Aug 19 13:52:12 EDT 2011


Sample with full headers is below.


 From nkprm345 at gmail.com Fri Aug 19 06:03:57 2011
Return-Path: <nkprm345 at gmail.com>
X-Original-To: ruthanne at caltech.edu
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
	by fire-doxen-postvirus (Postfix) with ESMTP id 19363328188
	for <ruthanne at caltech.edu>; Fri, 19 Aug 2011 06:03:57 -0700 (PDT)
X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
X-Spam-Flag: NO
X-Spam-Score: -3.091
X-Spam-Level: 
X-Spam-Status: No, score=-3.091 tagged_above=-10000 required=5
	tests=[DKIM_SIGNED=0.001, DKIM_VERIFIED=-0.001, RCVD_IN_DNSWL_LOW=-1,
	SNF4SA=-2.090, SPF_PASS=-0.001] autolearn=disabled
Received: from mail-ww0-f43.google.com (mail-ww0-f43.google.com [74.125.82.43])
	by fire-doxen-external (Postfix) with ESMTP id B80CC328412
	for <ruthanne at caltech.edu>; Fri, 19 Aug 2011 06:03:54 -0700 (PDT)
Received: by wwe32 with SMTP id 32so2979121wwe.0
         for <ruthanne at caltech.edu>; Fri, 19 Aug 2011 06:03:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
         d=gmail.com; s=gamma;
         h=mime-version:date:message-id:subject:from:to:content-type;
         bh=ZKipkqBVrOVwdKQyrLL9erKvr/Hc0B9Gb7VAeLqRaQI=;
         b=f7AT6zW4wWn8M9vfin8DGoyXe++TpsEeNhRVbEBiD2d7BijJ0SBRFFhIkG1y7wq7kG
          nCllrf1j/83lj+hh+ZxvRWToKg/0S5d6zpo96TlqfJHm5H6NEA5CSoPzaGYGWAWwhqw3
          KLBAzdTC+Mf8hG/Z97/Deolt44eZ6BiadJM/k=
MIME-Version: 1.0
Received: by 10.216.185.20 with SMTP id t20mr1689343wem.8.1313759032797; Fri,
  19 Aug 2011 06:03:52 -0700 (PDT)
Received: by 10.216.158.81 with HTTP; Fri, 19 Aug 2011 06:03:51 -0700 (PDT)
Date: Fri, 19 Aug 2011 06:03:51 -0700
Message-ID: <CAGx5WZcav4CwTL3UDvg+d=UErrMNqajyeiiAho+Y0OS6wCg_2g at mail.gmail.com>
Subject: Dear WebMail Subscriber
From: WEBMAIL ADMINSTRATOR <nkprm345 at gmail.com>
To: undisclosed-recipients:;
Content-Type: text/plain; charset=ISO-8859-1

Dear WebMail Subscriber,

We would like to inform you that we are currently carrying out
scheduled maintenance and upgrade of our webmail service and as a
result our email client has been changed and your original password
will be reset. We are sorry for any inconvenience caused.

To complete your webmail account, you must reply to this email
immediately and enter your

Username here (         )
password here (         )

Failure to do this will immediately render your email address deactivated from
our database.

Thank you for using our webmail !
Sincerely,
WebMail Support






-- 
RuthAnne Bevier
Director, Information Security
California Institute of Technology
ruthanne at caltech.edu
626-395-2671


