[nsp-sec] ATTN Google, another spreadsheet phish
Peter Moody
pmoody at google.com
Fri Dec 9 16:39:12 EST 2011
ack.
On Fri, Dec 9, 2011 at 10:50 AM, RuthAnne Bevier <ruthanne at caltech.edu> wrote:
> ----------- nsp-security Confidential --------
>
> I've done "report abuse" from two different IP addresses, but here's the
> URL:
>
>
> https://docs.google.com/spreadsheet/viewform?formkey=dFZkV29JdFNrYlFjd0ljdFh6QUlkWkE6MQ
>
> Sample message (bounced into our ticket system by a sysadmin, so it's a
> bit unsightly):
>
> From acs-root-bounces at caltech.edu Fri Dec 9 10:18:45 2011
> Return-Path: <acs-root-bounces at caltech.edu>
> X-Original-To: security at treqs.caltech.edu
> Delivered-To: security at treqs.caltech.edu
> Received: from outgoing-mail.its.caltech.edu (
> outgoing-mail.its.caltech.edu
> [131.215.239.19])
> by jonola.caltech.edu (Postfix) with ESMTP id 1D3F716F01
> for <security at treqs.caltech.edu>; Fri, 9 Dec 2011 10:18:45 -0800
> (PST)
> Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1])
> by fire-doxen-postvirus (Postfix) with ESMTP id DF3743280D6
> for <security at treqs.caltech.edu>; Fri, 9 Dec 2011 10:18:44 -0800
> (PST)
> X-Mailbox-Line: From mckinnon at caltech.edu Fri Dec 9 10: 18:44 2011
> X-Original-To: security at caltech.edu
> Delivered-To: security at caltech.edu
> Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
> by fire-doxen-postvirus (Postfix) with ESMTP id 092353280EB
> for <security at caltech.edu>; Fri, 9 Dec 2011 10:18:44 -0800 (PST)
> X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
> X-Spam-Flag: NO
> X-Spam-Score: -1.899
> X-Spam-Level:
> X-Spam-Status: No, score=-1.899 tagged_above=-10000 required=5
> tests=[CIT_AUTH_SMTP=-1.5, HTML_MESSAGE=0.001, PBJ_RCV_UNKNOWN=0.3,
> RCVD_IN_DNSWL_LOW=-0.7] autolearn=disabled
> Received: from geyser.gps.caltech.edu (geyser.gps.caltech.edu
> [131.215.65.56])
> by fire-doxen-external (Postfix) with ESMTP id EE3B63280D6
> for <security at caltech.edu>; Fri, 9 Dec 2011 10:18:41 -0800 (PST)
> Received: from localhost (localhost.localdomain [127.0.0.1])
> by geyser.gps.caltech.edu (Postfix) with ESMTP id CFA01550E6B
> for <security at caltech.edu>; Fri, 9 Dec 2011 10:18:41 -0800 (PST)
> X-Virus-Scanned: amavisd-new at gps.caltech.edu
> Received: from geyser.gps.caltech.edu ([127.0.0.1])
> by localhost (geyser.gps.caltech.edu [127.0.0.1]) (amavisd-new,
> port
> 10024)
> with ESMTP id OgVm6KfCR8Td for <security at caltech.edu>;
> Fri, 9 Dec 2011 10:18:41 -0800 (PST)
> Received: from abazaba.caltech.edu (abazaba.caltech.edu [131.215.234.71])
> (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
> (No client certificate requested)
> by geyser.gps.caltech.edu (Postfix) with ESMTP id A73E8550E69
> for <security at caltech.edu>; Fri, 9 Dec 2011 10:18:41 -0800 (PST)
> Resent-From: Aaron McKinnon <mckinnon at caltech.edu>
> Resent-To: Aaron McKinnon / Information Security Group
> <security at caltech.edu>
> Resent-Date: Fri, 9 Dec 2011 10:18:32 -0800
> Resent-Message-Id: <4EE250F8.3090505 at caltech.edu>
> Resent-User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0)
> Gecko/20111105 Thunderbird/8.0
> X-Original-To: mckinnon at gps.caltech.edu
> Received: from localhost (localhost.localdomain [127.0.0.1])
> by geyser.gps.caltech.edu (Postfix) with ESMTP id 809FA550E69
> for <mckinnon at gps.caltech.edu>; Fri, 9 Dec 2011 10:15:36 -0800
> (PST)
> X-Virus-Scanned: amavisd-new at gps.caltech.edu
> Received: from geyser.gps.caltech.edu ([127.0.0.1])
> by localhost (geyser.gps.caltech.edu [127.0.0.1]) (amavisd-new,
> port
> 10024)
> with ESMTP id v2G3y-Cxrr1L for <mckinnon at gps.caltech.edu>;
> Fri, 9 Dec 2011 10:15:36 -0800 (PST)
> Received: from barracuda.gps.caltech.edu (sawtooth.gps.caltech.edu
> [131.215.235.108])
> by geyser.gps.caltech.edu (Postfix) with ESMTP id 23652550E5F
> for <mckinnon at gps.caltech.edu>; Fri, 9 Dec 2011 10:15:36 -0800
> (PST)
> X-ASG-Debug-ID: 1323454535-4b1801090000-kfHsqW
> X-Barracuda-URL: http://barracuda.gps.caltech.edu:8000/cgi-bin/mark.cgi
> Received: from outgoing-mail.its.caltech.edu (localhost [127.0.0.1])
> by barracuda.gps.caltech.edu (Spam Firewall) with ESMTP id
> 8ED19D824
> for <mckinnon at gps.caltech.edu>; Fri, 9 Dec 2011 10:15:35 -0800
> (PST)
> Received: from outgoing-mail.its.caltech.edu (
> outgoing-mail.its.caltech.edu
> [131.215.239.19]) by barracuda.gps.caltech.edu with ESMTP id
> MbNTOEvMndLugvFv for <mckinnon at gps.caltech.edu>; Fri, 09 Dec 2011 10:15:35
> -0800 (PST)
> Received: by fire-doxen.caltech.edu (Postfix, from userid 60008)
> id 5DE513280F1; Fri, 9 Dec 2011 10:15:35 -0800 (PST)
> X-Original-To: mckinnon at caltech.edu
> Received: from shift.caltech.edu (shift [192.168.1.23])
> by fire-doxen-postvirus (Postfix) with ESMTP id 7F7763280EB;
> Fri, 9 Dec 2011 10:15:34 -0800 (PST)
> Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
> by fire-doxen-postvirus (Postfix) with ESMTP id C0BC63280ED
> for <acs-root at caltech.edu>; Fri, 9 Dec 2011 10:15:32 -0800 (PST)
> X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
> Received: from mail.alumni.caltech.edu (mail.alumni.caltech.edu
> [131.215.239.119])
> by fire-doxen-external (Postfix) with ESMTP id AF1B63280D6
> for <acs-root at caltech.edu>; Fri, 9 Dec 2011 10:15:30 -0800 (PST)
> Received: by mail.alumni.caltech.edu (Postfix)
> id 565EA102BC; Fri, 9 Dec 2011 10:15:30 -0800 (PST)
> Received: from CHLAMG01.chla.usc.edu (smtpchla.usc.edu [128.125.179.22])
> by mail.alumni.caltech.edu (Postfix) with ESMTPS id C9368102BC
> for <postmaster at alumni.caltech.edu>;
> Fri, 9 Dec 2011 10:15:22 -0800 (PST)
> X-DKIM: Sendmail DKIM Filter v2.8.3 mail.alumni.caltech.edu C9368102BC
> Authentication-Results: alumni.caltech.edu; dkim=none (no signature)
> header.i=unknown; x-dkim-adsp=none
> X-M-MSG:
> X-TMWD-Spam-Summary: TS=20111209181449; ID=1; SEV=2.4.2; DFV=B2011120918;
> IFV=NA; AIF=B2011120918;
> RPD=NA; ENG=NA; RPDID=NA; CAT=NONE; CON=NONE;
> SIG=AAAAAAAAAAAAAAAACmQL7QAAfQ==
> X-WSS-ID: 0LVY80P-02-0N5-03
> Received: from CIMTA (unknown [10.100.11.237]) (using TLSv1 with cipher
> ADH-AES256-SHA (256/256
> bits)) (No client certificate requested) by CHLAMG01.chla.usc.edu
> (Postfix) with ESMTP id
> 2D403174C7ED; Fri, 9 Dec 2011 10:14:48 -0800 (PST)
> Received: from CIMTA (localhost.localdomain [127.0.0.1]) by CIMTA (Postfix)
> with ESMTP id F1D2B85; Fri, 9 Dec 2011 18:14:52 +0000 (GMT)
> Received: from CHLAEXVS01.LA.AD.CHLA.ORG (chlaexmb1.la.ad.chla.org
> [10.100.11.30]) by CIMTA (
> Postfix) with ESMTP id BD0D77D; Fri, 9 Dec 2011 18:14:52 +0000 (GMT)
> X-MimeOLE: Produced By Microsoft Exchange V6.5
> Content-class: urn:content-classes:message
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----_=_NextPart_001_01CCB69E.721E8815"
> Date: Fri, 9 Dec 2011 10:14:52 -0800
> Message-ID:
> <CEF943FB2A593D4EB7F139BCB3257CDA39F720 at CHLAEXVS01.LA.AD.CHLA.ORG>
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> Thread-Topic: From System Administrator
> Thread-Index: Acy2nm9QhjCvwHU4R+uUtJG0r7Mj2w==
> From: "Estrella, Alex" <AEstrella at chla.usc.edu>
> To: inf at mail.com
> X-MailScanner-Information-Alumni:
> X-Alumni-MailScanner-ID: C9368102BC.A8709
> X-MailScanner-Alumni: No Virii found
> X-Spam-Status-Alumni: not spam, SpamAssassin (not cached, score=-3.802,
> required 5, autolearn=not spam, BAYES_00 -1.90,
> RCVD_IN_DNSWL_LOW -0.70, RP_MATCHES_RCVD -1.20, SPF_PASS -0.00)
> X-MailScanner-From: prvs=732496da7b=aestrella at chla.usc.edu
> X-ASG-Orig-Subj: [ACS root] From System Administrator
> Subject: [ACS root] From System Administrator
> X-BeenThere: acs-root at caltech.edu
> X-Mailman-Version: 2.1.9
> Precedence: list
> List-Id: IMSS-IO-ACS root mail <acs-root.caltech.edu>
> List-Unsubscribe:
> <https://utils.its.caltech.edu/mailman/listinfo/acs-root>,
> <mailto:acs-root-request at caltech.edu?subject=unsubscribe>
> List-Post: <mailto:acs-root at caltech.edu>
> List-Help: <mailto:acs-root-request at caltech.edu?subject=help>
> List-Subscribe: <https://utils.its.caltech.edu/mailman/listinfo/acs-root>,
> <mailto:acs-root-request at caltech.edu?subject=subscribe>
> Sender: acs-root-bounces at caltech.edu
> Errors-To: acs-root-bounces at caltech.edu
> X-Barracuda-Connect: outgoing-mail.its.caltech.edu[131.215.239.19]
> X-Barracuda-Start-Time: 1323454535
> X-Barracuda-Virus-Scanned: by Barracuda Spam Firewall at gps.caltech.edu
> X-ASG-Whitelist: Sender (Per-User)
> X-TBCK-ID: 5c6fe5a3a4934bc6aa2c4f9852f19e8b
> X-TBCK-Status: First;AllClear;0
>
> This is a multi-part message in MIME format.
>
> ------_=_NextPart_001_01CCB69E.721E8815
> Content-Type: text/plain;
> charset=iso-8859-1
> Content-Transfer-Encoding: quoted-printable
>
> =20
> =20
> Dear Webmail User,
> =20
> Your mailbox has exceeded the allocated storage limit as set by the =
> administrator, you may not be able to send or receive new mail until you =
> upgrade your allocated quota.
> =20
> To upgrade your quota, Please clickhere =
> <
> https://docs.google.com/spreadsheet/viewform=3Fformkey=3DdFZkV29JdFNrYlFjd=
> 0ljdFh6QUlkWkE6MQ>=
> =20
> Thank you for your anticipated cooperation.
> =20
> System Administrator
> =46or Webmail Support Team.
>
>
> ---------------------------------------------------------------------
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,=20
> is for the sole use of the intended recipient(s) and may contain =
> confidential
> or legally privileged information. Any unauthorized review, use, disclosure
> or distribution is prohibited. If you are not the intended recipient,
> please
> contact the sender by reply e-mail and destroy all copies of this original
> =
> =
> message. =20
>
>
>
>
>
> --
> RuthAnne Bevier
> Director, Information Security
> California Institute of Technology
> ruthanne at caltech.edu
> 626-395-2671
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038