[nsp-sec] google docs phish site
Peter Moody
pmoody at google.com
Mon Aug 29 15:05:04 EDT 2011
this looks to be already kilt.
Cheers,
peter
On Sun, Aug 28, 2011 at 2:28 PM, RuthAnne Bevier <ruthanne at caltech.edu> wrote:
> ----------- nsp-security Confidential --------
>
> Another google docs phish site is at:
> https://docs.google.com/spreadsheet/viewform?formkey=dG1rbmlnYnJCYXpLYmEtSV9MenZpQnc6MQ
>
> A sample message with full headers is below:
>
> From bruskey at susqu.edu Sun Aug 28 14:13:05 2011
> Return-Path: <bruskey at susqu.edu>
> X-Original-To: thanne at caltech.edu
> Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
> by fire-doxen-postvirus (Postfix) with ESMTP id 313F232809F;
> Sun, 28 Aug 2011 14:13:06 -0700 (PDT)
> X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
> X-Spam-Flag: NO
> X-Spam-Score: -3.189
> X-Spam-Level:
> X-Spam-Status: No, score=-3.189 tagged_above=-10000 required=5
>  tests=[HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, SNF4SA=-2.189,
>  SPF_PASS=-0.001] autolearn=unavailable
> Received: from jonola.caltech.edu (jonola.caltech.edu [131.215.239.176])
> by fire-doxen-external (Postfix) with ESMTP id EAED5328056;
> Sun, 28 Aug 2011 14:13:01 -0700 (PDT)
> Received: by jonola.caltech.edu (Postfix, from userid 60001)
> id CF64C17171; Sun, 28 Aug 2011 14:13:01 -0700 (PDT)
> X-Original-To: ipoffice at treqs.caltech.edu
> Delivered-To: ipoffice at treqs.caltech.edu
> Received: from outgoing-mail.its.caltech.edu (outgoing-mail.its.caltech.edu [131.215.239.19])
>  by jonola.caltech.edu (Postfix) with ESMTP id 5DAE917135
>  for <ipoffice at treqs.caltech.edu>; Sun, 28 Aug 2011 14:13:00 -0700 (PDT)
> Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1]) by
> earth-doxen-postvirus (Postfix) with ESMTP id 3388566E025F for <
> ipoffice at treqs.caltech.edu>; Sun, 28 Aug 2011 14:13:00 -0700 (PDT)
> X-Mailbox-Line: From bruskey at susqu.edu Sun Aug 28 14:12:59 2011
> X-Original-To: ipoffice at caltech.edu
> Delivered-To: ipoffice at caltech.edu
> Received: from earth-doxen.imss.caltech.edu (localhost [127.0.0.1]) by
> earth-doxen-postvirus (Postfix) with ESMTP id E5C7B66E026C for <
> ipoffice at caltech.edu>; Sun, 28 Aug 2011 14:12:59 -0700 (PDT)
> X-Spam-Scanned: at Caltech-IMSS on earth-doxen by amavisd-new
> Received: from mail-vw0-f45.google.com (mail-vw0-f45.google.com
> [209.85.212.45]) by earth-doxen-external (Postfix) with ESMTP id
> 763D666E025F for <ipoffice at caltech.edu>; Sun, 28 Aug 2011 14:12:57
> -0700 (PDT)
> Received: by vws17 with SMTP id 17so5635255vws.18 for <
> ipoffice at caltech.edu>; Sun, 28 Aug 2011 14:12:56 -0700 (PDT)
> MIME-Version: 1.0
> Received: by 10.220.7.82 with SMTP id c18mr1274368vcc.225.1314565976446;
> Sun, 28 Aug 2011 14:12:56 -0700 (PDT)
> Received: by 10.220.108.20 with HTTP; Sun, 28 Aug 2011 14:12:56 -0700 (PDT)
> Date: Sun, 28 Aug 2011 22:12:56 +0100
> Message-ID: <CAF6DyxN62pwJSAane15Z-ToV0rkjtqu9RvKT8WwJYn8qQDW8dQ at mail.gmail.com>
> Subject: [TR #2212049] Important: Database Maintenance Update !!!
> From: "Bruskey, Frank" <bruskey at susqu.edu>
> To: undisclosed-recipients:;
> Content-Type: multipart/alternative; boundary=000325573fc60f5c1004ab973e56
> X-TBCK-ID: acc1980ae0e481d8aebe46c97b6e9cd0
> X-TBCK-Status: First;AllClear;0
> Precedence: bulk
> X-Caltech-ITS-T-Reqs-Initiated: yes
> X-Caltech-ITS-T-Reqs-URL: https://treqs.caltech.edu/cgi-bin/ars-get-ticket.pl?ticket_id=2212049
> X-Caltech-ITS-T-Reqs-Group: IP Office
>
> --000325573fc60f5c1004ab973e56
> Content-Type: text/plain; charset=ISO-8859-1
>
> A Computer Database Maintenance is currently going on our Webmail
> Message Center. Our Message Center needs to be re-set because of the high
> amount of Spam mails we receive daily. A Quarantine Maintenance will help us
> prevent this everyday dilemma.To re-validate your mailbox Please
> CLICKHERE<https://docs.google.com/spreadsheet/viewform?formkey=dG1rbmlnYnJCYXpLYmEtSV9MenZpQnc6MQ>
>
> Failure to re-validate your mailbox will render your e-mail in-active
> from our database.
> Thanks.
>
> --000325573fc60f5c1004ab973e56
> Content-Type: text/html; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
>
> <div id=3D"yiv1141694339">A Computer Database Maintenance is currently goin=
> g on our Webmail<br>Message Center. Our Message Center needs to be re-set b=
> ecause of the high<br>amount of Spam mails we receive daily. A Quarantine M=
> aintenance will help us<br>
> prevent this everyday dilemma.To re-validate your mailbox Please <a href=3D=
> "https://docs.google.com/spreadsheet/viewform?formkey=3DdG1rbmlnYnJCYXpLYmE=
> tSV9MenZpQnc6MQ">CLICKHERE</a><font color=3D"#234786"><br></font><br>Failur=
> e to re-validate your mailbox will render your e-mail in-active<br>
> from our database.<br>Thanks.<br></div>
>
> --000325573fc60f5c1004ab973e56--
> --
> RuthAnne Bevier
> Director, Information Security
> California Institute of Technology
> ruthanne at caltech.edu
> 626-395-2671
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038