[nsp-sec] ATTN Google, another spreadsheet phish

RuthAnne Bevier ruthanne at caltech.edu
Fri Dec 9 13:50:41 EST 2011


I've done "report abuse" from two different IP addresses, but here's the URL:

https://docs.google.com/spreadsheet/viewform?formkey=dFZkV29JdFNrYlFjd0ljdFh6QUlkWkE6MQ

Sample message (bounced into our ticket system by a sysadmin, so it's a bit unsightly):

>From acs-root-bounces at caltech.edu  Fri Dec  9 10:18:45 2011
Return-Path: <acs-root-bounces at caltech.edu>
X-Original-To: security at treqs.caltech.edu
Delivered-To: security at treqs.caltech.edu
Received: from outgoing-mail.its.caltech.edu (outgoing-mail.its.caltech.edu
[131.215.239.19])
	by jonola.caltech.edu (Postfix) with ESMTP id 1D3F716F01
	for <security at treqs.caltech.edu>; Fri,  9 Dec 2011 10:18:45 -0800 (PST)
Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1])
	by fire-doxen-postvirus (Postfix) with ESMTP id DF3743280D6
	for <security at treqs.caltech.edu>; Fri,  9 Dec 2011 10:18:44 -0800 (PST)
X-Mailbox-Line: From mckinnon at caltech.edu  Fri Dec  9 10: 18:44 2011
X-Original-To: security at caltech.edu
Delivered-To: security at caltech.edu
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
	by fire-doxen-postvirus (Postfix) with ESMTP id 092353280EB
	for <security at caltech.edu>; Fri,  9 Dec 2011 10:18:44 -0800 (PST)
X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-10000 required=5
	tests=[CIT_AUTH_SMTP=-1.5, HTML_MESSAGE=0.001, PBJ_RCV_UNKNOWN=0.3,
	RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled
Received: from geyser.gps.caltech.edu (geyser.gps.caltech.edu
[131.215.65.56])
	by fire-doxen-external (Postfix) with ESMTP id EE3B63280D6
	for <security at caltech.edu>; Fri,  9 Dec 2011 10:18:41 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by geyser.gps.caltech.edu (Postfix) with ESMTP id CFA01550E6B
	for <security at caltech.edu>; Fri,  9 Dec 2011 10:18:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at gps.caltech.edu
Received: from geyser.gps.caltech.edu ([127.0.0.1])
	by localhost (geyser.gps.caltech.edu [127.0.0.1]) (amavisd-new, port
10024)
	with ESMTP id OgVm6KfCR8Td for <security at caltech.edu>;
	Fri,  9 Dec 2011 10:18:41 -0800 (PST)
Received: from abazaba.caltech.edu (abazaba.caltech.edu [131.215.234.71])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by geyser.gps.caltech.edu (Postfix) with ESMTP id A73E8550E69
	for <security at caltech.edu>; Fri,  9 Dec 2011 10:18:41 -0800 (PST)
Resent-From: Aaron McKinnon <mckinnon at caltech.edu>
Resent-To: Aaron McKinnon / Information Security Group
<security at caltech.edu>
Resent-Date: Fri, 9 Dec 2011 10:18:32 -0800
Resent-Message-Id: <4EE250F8.3090505 at caltech.edu>
Resent-User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0)
Gecko/20111105 Thunderbird/8.0
X-Original-To: mckinnon at gps.caltech.edu
Received: from localhost (localhost.localdomain [127.0.0.1])
	by geyser.gps.caltech.edu (Postfix) with ESMTP id 809FA550E69
	for <mckinnon at gps.caltech.edu>; Fri,  9 Dec 2011 10:15:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at gps.caltech.edu
Received: from geyser.gps.caltech.edu ([127.0.0.1])
	by localhost (geyser.gps.caltech.edu [127.0.0.1]) (amavisd-new, port
10024)
	with ESMTP id v2G3y-Cxrr1L for <mckinnon at gps.caltech.edu>;
	Fri,  9 Dec 2011 10:15:36 -0800 (PST)
Received: from barracuda.gps.caltech.edu (sawtooth.gps.caltech.edu
[131.215.235.108])
	by geyser.gps.caltech.edu (Postfix) with ESMTP id 23652550E5F
	for <mckinnon at gps.caltech.edu>; Fri,  9 Dec 2011 10:15:36 -0800 (PST)
X-ASG-Debug-ID: 1323454535-4b1801090000-kfHsqW
X-Barracuda-URL: http://barracuda.gps.caltech.edu:8000/cgi-bin/mark.cgi
Received: from outgoing-mail.its.caltech.edu (localhost [127.0.0.1])
	by barracuda.gps.caltech.edu (Spam Firewall) with ESMTP id 8ED19D824
	for <mckinnon at gps.caltech.edu>; Fri,  9 Dec 2011 10:15:35 -0800 (PST)
Received: from outgoing-mail.its.caltech.edu (outgoing-mail.its.caltech.edu
[131.215.239.19]) by barracuda.gps.caltech.edu with ESMTP id
MbNTOEvMndLugvFv for <mckinnon at gps.caltech.edu>; Fri, 09 Dec 2011 10:15:35
-0800 (PST)
Received: by fire-doxen.caltech.edu (Postfix, from userid 60008)
	id 5DE513280F1; Fri,  9 Dec 2011 10:15:35 -0800 (PST)
X-Original-To: mckinnon at caltech.edu
Received: from shift.caltech.edu (shift [192.168.1.23])
	by fire-doxen-postvirus (Postfix) with ESMTP id 7F7763280EB;
	Fri,  9 Dec 2011 10:15:34 -0800 (PST)
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
	by fire-doxen-postvirus (Postfix) with ESMTP id C0BC63280ED
	for <acs-root at caltech.edu>; Fri,  9 Dec 2011 10:15:32 -0800 (PST)
X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
Received: from mail.alumni.caltech.edu (mail.alumni.caltech.edu
	[131.215.239.119])
	by fire-doxen-external (Postfix) with ESMTP id AF1B63280D6
	for <acs-root at caltech.edu>; Fri,  9 Dec 2011 10:15:30 -0800 (PST)
Received: by mail.alumni.caltech.edu (Postfix)
	id 565EA102BC; Fri,  9 Dec 2011 10:15:30 -0800 (PST)
Received: from CHLAMG01.chla.usc.edu (smtpchla.usc.edu [128.125.179.22])
	by mail.alumni.caltech.edu (Postfix) with ESMTPS id C9368102BC
	for <postmaster at alumni.caltech.edu>;
	Fri,  9 Dec 2011 10:15:22 -0800 (PST)
X-DKIM: Sendmail DKIM Filter v2.8.3 mail.alumni.caltech.edu C9368102BC
Authentication-Results: alumni.caltech.edu; dkim=none (no signature)
	header.i=unknown; x-dkim-adsp=none
X-M-MSG: 
X-TMWD-Spam-Summary: TS=20111209181449; ID=1; SEV=2.4.2; DFV=B2011120918;
	IFV=NA; AIF=B2011120918; 
	RPD=NA; ENG=NA; RPDID=NA; CAT=NONE; CON=NONE;
	SIG=AAAAAAAAAAAAAAAACmQL7QAAfQ==
X-WSS-ID: 0LVY80P-02-0N5-03
Received: from CIMTA (unknown [10.100.11.237]) (using TLSv1 with cipher
	ADH-AES256-SHA (256/256
	bits)) (No client certificate requested) by CHLAMG01.chla.usc.edu
	(Postfix) with ESMTP id
	2D403174C7ED; Fri, 9 Dec 2011 10:14:48 -0800 (PST)
Received: from CIMTA (localhost.localdomain [127.0.0.1]) by CIMTA (Postfix)
	with ESMTP id F1D2B85; Fri, 9 Dec 2011 18:14:52 +0000 (GMT)
Received: from CHLAEXVS01.LA.AD.CHLA.ORG (chlaexmb1.la.ad.chla.org
	[10.100.11.30]) by CIMTA (
	Postfix) with ESMTP id BD0D77D; Fri, 9 Dec 2011 18:14:52 +0000 (GMT)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01CCB69E.721E8815"
Date: Fri, 9 Dec 2011 10:14:52 -0800
Message-ID:
<CEF943FB2A593D4EB7F139BCB3257CDA39F720 at CHLAEXVS01.LA.AD.CHLA.ORG>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: From System Administrator
Thread-Index: Acy2nm9QhjCvwHU4R+uUtJG0r7Mj2w==
From: "Estrella, Alex" <AEstrella at chla.usc.edu>
To: inf at mail.com
X-MailScanner-Information-Alumni: 
X-Alumni-MailScanner-ID: C9368102BC.A8709
X-MailScanner-Alumni: No Virii found
X-Spam-Status-Alumni: not spam, SpamAssassin (not cached, score=-3.802,
	required 5, autolearn=not spam, BAYES_00 -1.90,
	RCVD_IN_DNSWL_LOW -0.70, RP_MATCHES_RCVD -1.20, SPF_PASS -0.00)
X-MailScanner-From: prvs=732496da7b=aestrella at chla.usc.edu
X-ASG-Orig-Subj: [ACS root] From System Administrator
Subject: [ACS root] From System Administrator
X-BeenThere: acs-root at caltech.edu
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IMSS-IO-ACS root mail <acs-root.caltech.edu>
List-Unsubscribe:
<https://utils.its.caltech.edu/mailman/listinfo/acs-root>,
	<mailto:acs-root-request at caltech.edu?subject=unsubscribe>
List-Post: <mailto:acs-root at caltech.edu>
List-Help: <mailto:acs-root-request at caltech.edu?subject=help>
List-Subscribe: <https://utils.its.caltech.edu/mailman/listinfo/acs-root>,
	<mailto:acs-root-request at caltech.edu?subject=subscribe>
Sender: acs-root-bounces at caltech.edu
Errors-To: acs-root-bounces at caltech.edu
X-Barracuda-Connect: outgoing-mail.its.caltech.edu[131.215.239.19]
X-Barracuda-Start-Time: 1323454535
X-Barracuda-Virus-Scanned: by Barracuda Spam Firewall at gps.caltech.edu
X-ASG-Whitelist: Sender (Per-User)
X-TBCK-ID: 5c6fe5a3a4934bc6aa2c4f9852f19e8b
X-TBCK-Status: First;AllClear;0

This is a multi-part message in MIME format.

------_=_NextPart_001_01CCB69E.721E8815
Content-Type: text/plain;
 charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

=20
=20
Dear Webmail User,
=20
Your mailbox has exceeded the allocated storage limit as set by the =
administrator, you may not be able to send or receive new mail until you =
upgrade your allocated quota.
=20
To upgrade your quota, Please clickhere =
<https://docs.google.com/spreadsheet/viewform=3Fformkey=3DdFZkV29JdFNrYlFjd=
0ljdFh6QUlkWkE6MQ>=
=20
Thank you for your anticipated cooperation.
=20
System Administrator
=46or Webmail Support Team.


---------------------------------------------------------------------
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,=20
is for the sole use of the intended recipient(s) and may contain =
confidential
or legally privileged information. Any unauthorized review, use, disclosure
or distribution is prohibited. If you are not the intended recipient,
please
contact the sender by reply e-mail and destroy all copies of this original
=
=
message. =20





-- 
RuthAnne Bevier
Director, Information Security
California Institute of Technology
ruthanne at caltech.edu
626-395-2671
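
Added example, not part of the original post: the link in the sample body is quoted-printable encoded ("=3F", "=3D") and broken by a soft line break, so a URL match on the raw body misses its real shape. This Python sketch decodes first, then flags Google Docs form links in mail that uses quota-lure wording; the sample body, placeholder formkey and keyword list are constructed assumptions.

```python
import quopri
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a quoted-printable text/plain part shaped like the one in
# the report (soft line breaks inside the URL, "=3F"/"=3D" for "?"/"=").
# The formkey is a placeholder, not the reported one.
SAMPLE_QP_BODY = (
    b"Dear Webmail User,\r\n"
    b"=20\r\n"
    b"Your mailbox has exceeded the allocated storage limit as set by the =\r\n"
    b"administrator.\r\n"
    b"To upgrade your quota, Please clickhere =\r\n"
    b"<https://docs.google.com/spreadsheet/viewform=3Fformkey=3DPLACEHOLDERKEY=\r\n"
    b"0000EXAMPLE>=\r\n"
    b"=20\r\n"
    b"System Administrator\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_WORDS = ("quota", "mailbox", "storage limit", "webmail")  # assumed keyword list


def extract_urls(qp_body: bytes) -> list[str]:
    """Decode quoted-printable first, so URLs split by soft breaks are rejoined."""
    text = quopri.decodestring(qp_body).decode("iso-8859-1")
    return URL_RE.findall(text)


def is_hosted_form(url: str) -> bool:
    """True for a Google Docs form link of the shape seen in the report."""
    parts = urlsplit(url)
    return (parts.hostname == "docs.google.com"
            and parts.path.endswith("/viewform")
            and "formkey" in parse_qs(parts.query))


def flag_message(qp_body: bytes) -> list[str]:
    """Return hosted-form URLs when the body also uses account-quota lure wording."""
    text = quopri.decodestring(qp_body).decode("iso-8859-1").lower()
    if not any(word in text for word in LURE_WORDS):
        return []
    return [u for u in extract_urls(qp_body) if is_hosted_form(u)]
```

Matching on the undecoded body yields a truncated URL whose path still contains "=3F", which is why the decode step comes before any URL rule.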


