[nsp-sec] ATTN Google, gmail dropbox at accountverifier14 at gmail.com

RuthAnne Bevier ruthanne at caltech.edu
Thu Aug 25 12:22:04 EDT 2011


Caltech users are being phished with a reply-to phish using accountverifier14 at gmail.com as the dropbox.  

Sample with full headers:


  
Return-path: <upgrading.accountlmu at googlemail.com>
Received: from psmtp.com ([::ffff:64.18.3.178])
  by cefcu-groupwise.cefcu.org with SMTP; Thu, 25 Aug 2011 07:38:33 -0700
Received: from outgoing-mail.its.caltech.edu ([131.215.239.19]) by exprod8mx199.postini.com ([64.18.7.10]) with SMTP;
  Thu, 25 Aug 2011 09:38:33 CDT
Received: by fire-doxen.caltech.edu (Postfix, from userid 60008)
  id D43FF32826A; Thu, 25 Aug 2011 07:38:32 -0700 (PDT)
X-Original-To: jbarn at caltech.edu
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
  by fire-doxen-postvirus (Postfix) with ESMTP id 7FBAC3282A0
  for <jbarn at caltech.edu>; Thu, 25 Aug 2011 07:38:32 -0700 (PDT)
X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
X-Spam-Flag: NO
X-Spam-Score: -2.492
X-Spam-Level: 
X-Spam-Status: No, score=-2.492 tagged_above=-10000 required=5
  tests=[DKIM_SIGNED=0.001, DKIM_VERIFIED=-0.001, RCVD_IN_DNSWL_LOW=-1,
  SNF4SA=-1.491, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail-vw0-f65.google.com (mail-vw0-f65.google.com [209.85.212.65])
  by fire-doxen-external (Postfix) with ESMTP id 41658328297
  for <jbarn at caltech.edu>; Thu, 25 Aug 2011 07:38:30 -0700 (PDT)
Received: by vws18 with SMTP id 18so407468vws.0
         for <jbarn at caltech.edu>; Thu, 25 Aug 2011 07:38:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
         d=googlemail.com; s=gamma;
         h=mime-version:reply-to:date:message-id:subject:from:to:content-type;
         bh=P7210FHDt+gP+OsyLbuy3FNRAMlXBGEGjAQSj4BfXM0=;
         b=RH0MwAqIFVpEXcrOhPE0g6gYXgSeHL8WNIgAnyZ9sZNe0JTNTiJjOZ+ya9sxvZ2aUQ
          vfdERtFDKC8D2ouzYKGvVQGCpzi3BsQZIt/EJsmevNrt/6pYCG2h2PO0EVJ+SjjsAXvb
          0WnGrbOGLBk8MKG+iXBHBVkuLta7nZ3+ULPmk=
MIME-Version: 1.0
Received: by 10.220.151.135 with SMTP id c7mr1895038vcw.266.1314283110241;
  Thu, 25 Aug 2011 07:38:30 -0700 (PDT)
Received: by 10.220.192.10 with HTTP; Thu, 25 Aug 2011 07:38:30 -0700 (PDT)
Reply-To: accountverifier14 at gmail.com
Date: Thu, 25 Aug 2011 15:38:30 +0100
Message-ID: <CAJ=_UWpja88CBX5LS8U-xtU+ZVGZGXDoPjmZh_NMQPFH_GnO8Q at mail.gmail.com>
Subject: Dear Caltech WebMail Subscriber
From: SYSTEM ADMINSTARTOR <upgrading.accountlmu at googlemail.com>
To: undisclosed-recipients:;
Content-Type: text/plain; charset=ISO-8859-1
X-pstn-levels:     (S: 5.73574/99.90000 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 4 (1.5000:1.5000) s cv gt3 gt2 gt1 r p m c 
X-pstn-addresses: from <upgrading.accountlmu at googlemail.com> [3010/124] 
  
Dear Caltech WebMail Subscriber,
  
We would like to inform you that we are currently carrying out
scheduled maintenance and upgrade of our webmail service and as a
result our email client has been changed and your original password
will be reset. We are sorry for any inconvenience caused.
  
To complete your webmail account, you must reply to this email
immediately and enter your
  
Username here (************)
password here (************)
  
Failure to do this will immediately render your email address deactivated from
our database.
  
Thank you for using our webmail !
Sincerely,
WebMail Support





-- 
RuthAnne Bevier
Director, Information Security
California Institute of Technology
ruthanne at caltech.edu
626-395-2671
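
The sample above passed SPF and DKIM and received a spam score of -2.492, so sender authentication alone does not catch it. The following is an added example, not part of the original post: a sketch of content-based detection for this kind of reply-to phish. The function names, signal labels, keyword lists and the placeholder addresses in the constructed sample are assumptions.

```python
import email
import re
from email.utils import getaddresses

# Constructed sample shaped like the archived message; all addresses are
# placeholders, masked "user at domain" the way the list archive shows them.
SAMPLE = """\
Reply-To: verifier at freemail.example
From: SYSTEM ADMIN <upgrade.notice at othermail.example>
To: undisclosed-recipients:;
Subject: Dear WebMail Subscriber
Content-Type: text/plain; charset=ISO-8859-1

To complete your webmail account, you must reply to this email
immediately and enter your

Username here (************)
password here (************)
"""

MASKED_ADDR = re.compile(r"([\w.+=-]+) at ([\w-]+(?:\.[\w-]+)+)")
CREDENTIAL_WORDS = re.compile(r"\b(password|passwd|username|user\s*id)\b", re.I)
REPLY_REQUEST = re.compile(r"\breply\b", re.I)

def unmask_headers(raw):
    """Restore user@domain in the header block only; the body is left alone."""
    head, sep, body = raw.partition("\n\n")
    return MASKED_ADDR.sub(r"\1@\2", head) + sep + body

def header_addrs(msg, name):
    """Lower-cased addresses found in every occurrence of one header."""
    return {a.lower() for _, a in getaddresses(msg.get_all(name, [])) if "@" in a}

def body_text(msg):
    """Decoded text parts of a single-part or multipart message."""
    parts = (p for p in msg.walk() if p.get_content_maintype() == "text")
    return "\n".join((p.get_payload(decode=True) or b"").decode(
        p.get_content_charset() or "utf-8", "replace") for p in parts)

def reply_to_phish_signals(raw):
    """Return the content signals present; sender authentication is not consulted."""
    msg = email.message_from_string(unmask_headers(raw))
    reply_to, sender = header_addrs(msg, "Reply-To"), header_addrs(msg, "From")
    text, signals = body_text(msg), []
    if reply_to and not (reply_to & sender):
        signals.append("reply_to_differs_from_from")
    if CREDENTIAL_WORDS.search(text) and REPLY_REQUEST.search(text):
        signals.append("credentials_requested_by_reply")
    return signals
```

Treat a message as suspect only when both signals are present, since ordinary list mail often carries a Reply-To that differs from From.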
