[nsp-sec] attn Google, gmail dropbox used in phish

Peter Moody pmoody at google.com
Thu Feb 10 18:26:22 EST 2011


ack.

On Thu, Feb 10, 2011 at 3:22 PM, RuthAnne Bevier <ruthanne at caltech.edu> wrote:

> ----------- nsp-security Confidential --------
>
> You may know about this one already, since it came in early this
> morning PST, but here's the phish with full headers, using
> upgradeweb2011 at gmail.com:
>
> From upgradeweb2011 at gmail.com  Thu Feb 10 06:24:53 2011
> Return-Path: <upgradeweb2011 at gmail.com>
> X-Original-To: help at treqs.caltech.edu
> Delivered-To: help at treqs.caltech.edu
> Received: from outgoing-mail.its.caltech.edu
> (outgoing-mail.its.caltech.edu
> [131.215.239.19])
>        by jonola.caltech.edu (Postfix) with ESMTP id F275316EF5
>        for <help at treqs.caltech.edu>; Thu, 10 Feb 2011 06:24:52
> -0800 (PST)
> Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1])
>        by fire-doxen-postvirus (Postfix) with ESMTP id 92F902E51043
>        for <help at treqs.caltech.edu>; Thu, 10 Feb 2011 06:24:53
> -0800 (PST)
> X-Mailbox-Line: From upgradeweb2011 at gmail.com  Thu Feb 10 06:24:53 2011
> X-Original-To: aliases at caltech.edu
> Delivered-To: aliases at caltech.edu
> Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
>        by fire-doxen-postvirus (Postfix) with ESMTP id 549BB2E51040
>        for <aliases at caltech.edu>; Thu, 10 Feb 2011 06:24:53 -0800
> (PST)
> X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
> X-Spam-Flag: NO
> X-Spam-Score: 1.391
> X-Spam-Level: *
> X-Spam-Status: No, score=1.391 tagged_above=-10000 required=5
>        tests=[CIT_FORGED_FROM=1.22, CIT_FROM_ADDR=-0.7,
> DKIM_SIGNED=0.001,
>        DKIM_VERIFIED=-0.001, DK_SIGNED=0.001, FS_GAPPY_2=0.241,
>        PBJ_FRM_NUM1=0.6, RCVD_IN_DNSWL_LOW=-1, SNF4SA=-0.776,
>        SPF_PASS=-0.001, SUBJ_ALL_CAPS=1.806] autolearn=unavailable
> Received: from mail-fx0-f65.google.com (mail-fx0-f65.google.com
> [209.85.161.65])
>        by fire-doxen-external (Postfix) with ESMTP id DE9332E50BF9
>        for <aliases at caltech.edu>; Thu, 10 Feb 2011 06:24:51 -0800
> (PST)
> Received: by mail-fx0-f65.google.com with SMTP id 18so550749fxm.0
>        for <aliases at caltech.edu>; Thu, 10 Feb 2011 06:24:50 -0800
> (PST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>        d=gmail.com; s=gamma;
>        h=domainkey-signature:mime-version:date:message-id:subject:from
>         :content-type:content-transfer-encoding;
>        bh=vrBOBdf4WuSE6zsd6CrrL0CngeyYdfVLpkiJmA6vQSA=;
>        b=VKFfADMVjHyECrDgl9oQUoThqG6dc9JyPJ45VNGbR59/VsP3FTXRDFcAMWLbOQTstA
>         xJlqy31AZVv7DIiw1GWAiwq187ih9iJ/9e35gF5Ympnnp04s2Da5DpxTct2kNPKRnfwH
>         mNisVsOSbNqNeisWoijlq7QqhPWRRg1h7cu5o=
> DomainKey-Signature: a=rsa-sha1; c=nofws;
>        d=gmail.com; s=gamma;
>        h=mime-version:date:message-id:subject:from:content-type
>         :content-transfer-encoding;
>        b=kRas0+g7WedprN6QlLuBvCv+AvLAreO0VCAQZFsjAv+IY4wrdl2I7YNX2qcECRbnYB
>         o9vrX+XMIlDUqxkSKBO+eCpwfTJHDcBrcUwxMrB0TTsBDrNww9A3J43Pq14jpAlK3BB1
>         KbSA2q0JiPh35aN1mD0Z6d5Gxb5CHmhXg5jKs=
> MIME-Version: 1.0
> Received: by 10.223.72.12 with SMTP id
> k12mt20165387faj.114.1297341807186;
>  Thu, 10 Feb 2011 04:43:27 -0800 (PST)
> Received: by 10.223.97.6 with HTTP; Thu, 10 Feb 2011 04:43:27 -0800
> (PST)
> Date: Thu, 10 Feb 2011 04:43:27 -0800
> Message-ID: <AANLkTinJvq7zBWzZnaa+635ykXWH-nK6R8JFd7=7ysiy at mail.gmail.com>
> Subject: CALTECH.EDU WEBMAIL TEAM SUPPORT UPDATE/MAINTENANCE OF USER ACCOUNT
> From: "CALTECH.EDU WebMail Upgrade Team" <upgradeweb2011 at gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
> To: undisclosed-recipients:;
> X-TBCK-ID: e3f1847af22f3fdfa806f91ea1b45b15
> X-TBCK-Status: First;AllClear;0
>
> DEAR CALTECH.EDU USER
>
> Due to the congestion on all caltech.edu Accounts,
> CALTECH.EDU WEBMAIL TEAM would be shutting down all unused Accounts.
>
> We will be conducting our regularly scheduled maintenance, to ensure
> that
> we provide the highest quality in Internet connectivity and services
> to
> customers. Your connectivity and services with us may be interrupted
> for
> short periods during the maintenance window.We will also ensure
> minimal
> disruption to services where possible.
>
> In order to enable us perform quality maintenance on your Internet
> access and e-mail service, please you must reply to this e-mail
> message
> confirming your caltech.edu account details with us.
>
>
> Do confirm your account details below.
> _____________________________________
> 1. First Name & Last Name:
> 2. Full Login Email Address:
> 3. Username:
> 4. Password:
> 5. Retype Password:
> 6. Future Password :
> 7. Questions or Comments:
> _____________________________________
>
> NOTE: Failure to respond to this e-mail message may result to
> technical
> problems on your Internet access and e-mail service.
>
>
> YOU ARE REQUIRED TO CONFIRM YOUR WEBMAIL IDENTITY WITH THE WEBMAIL
> TEAM BY
> SIMPLY REPLYING TO THIS EMAIL WITH THE REQUESTED DETAILS.
>
> Warning!!! Account owners who fails to update his or her account on
> receiving this notice might loose his or her account.
>
> Thank you for using caltech.edu.
>
> caltech.edu Support.
> CALTECH.EDU WEBMAIL TEAM"
> =A92011 All rights reserved
> ---------------------------------------------------------------------------
>
>
> --
> RuthAnne Bevier
> Information Security
> California Institute of Technology
> 626-395-2671
> ruthanne at caltech.edu
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>



-- 
Peter Moody      Google    1.650.253.7306
Network Security Engineer  pgp:0xC3410038
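Added example, not part of the original post and not anything Caltech or Google ran: a small Python triage of a message of this class, built on the headers and body quoted above. The SAMPLE inside it is constructed from that post (refolded with tabs, DKIM/DomainKeys headers left out); LOCAL_DOMAIN, the freemail list and the regexes are assumptions of this example. It walks the Received chain for the first public hop, pulls the amavisd/SpamAssassin test scores out of X-Spam-Status, decodes the quoted-printable body, and lists the indicators the headers already carried but that scored under the 5-point threshold.

```python
"""Header and body triage for the reply-to-harvest phish quoted above.

Added example; not code from the original post, from Caltech or from Google.
SAMPLE is constructed from the headers and body in the post (refolded with
tabs, signature headers omitted). LOCAL_DOMAIN, FREEMAIL and the regexes
are this example's own assumptions."""
import email
import email.utils
import ipaddress
import re

LOCAL_DOMAIN = "caltech.edu"                          # assumption: impersonated domain
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}  # assumption: short list

SAMPLE = """\
Return-Path: <upgradeweb2011@gmail.com>
X-Spam-Status: No, score=1.391 tagged_above=-10000 required=5
\ttests=[CIT_FORGED_FROM=1.22, CIT_FROM_ADDR=-0.7, DKIM_SIGNED=0.001,
\tDKIM_VERIFIED=-0.001, DK_SIGNED=0.001, FS_GAPPY_2=0.241,
\tPBJ_FRM_NUM1=0.6, RCVD_IN_DNSWL_LOW=-1, SNF4SA=-0.776,
\tSPF_PASS=-0.001, SUBJ_ALL_CAPS=1.806] autolearn=unavailable
Received: from mail-fx0-f65.google.com (mail-fx0-f65.google.com [209.85.161.65])
\tby fire-doxen-external (Postfix) with ESMTP id DE9332E50BF9
\tfor <aliases@caltech.edu>; Thu, 10 Feb 2011 06:24:51 -0800 (PST)
Received: by mail-fx0-f65.google.com with SMTP id 18so550749fxm.0
\tfor <aliases@caltech.edu>; Thu, 10 Feb 2011 06:24:50 -0800 (PST)
Received: by 10.223.72.12 with SMTP id k12mt20165387faj.114.1297341807186;
\tThu, 10 Feb 2011 04:43:27 -0800 (PST)
Received: by 10.223.97.6 with HTTP; Thu, 10 Feb 2011 04:43:27 -0800 (PST)
Subject: CALTECH.EDU WEBMAIL TEAM SUPPORT UPDATE/MAINTENANCE OF USER ACCOUNT
From: "CALTECH.EDU WebMail Upgrade Team" <upgradeweb2011@gmail.com>
To: undisclosed-recipients:;
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

DEAR CALTECH.EDU USER
3. Username:
4. Password:
5. Retype Password:
6. Future Password :
=A92011 All rights reserved
"""


def parse(text):
    return email.message_from_string(text)


def _unfold(value):
    """Collapse RFC 5322 header folding into single spaces."""
    return re.sub(r"\s+", " ", value).strip()


def _grab(pat, text):
    m = re.search(pat, text)
    return m.group(1) if m else None


def received_chain(msg):
    """Received hops oldest-first as (from-host, first IPv4 literal, by-host)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        h = _unfold(raw)
        hops.append((_grab(r"\bfrom (\S+)", h),
                     _grab(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", h),
                     _grab(r"\bby (\S+)", h)))
    return hops


def originating_ip(msg):
    """First globally routable IP in the chain. For Gmail that is Google's
    outbound MTA: the submission hop ('with HTTP') shows only a 10.x address,
    so the phisher's client IP is not recoverable from these headers."""
    for _, ip, _ in received_chain(msg):
        if ip and ipaddress.ip_address(ip).is_global:
            return ip
    return None


def spam_status(msg):
    """(score, required, {test: score}) from the amavisd/SpamAssassin header."""
    s = _unfold(msg.get("X-Spam-Status", ""))
    score = float(_grab(r"score=(-?[\d.]+)", s) or 0)
    required = float(_grab(r"required=(-?[\d.]+)", s) or 0)
    blob = _grab(r"tests=\[(.*?)\]", s) or ""
    tests = {n: float(v) for n, v in re.findall(r"([A-Z0-9_]+)=(-?[\d.]+)", blob)}
    return score, required, tests


def body_text(msg):
    """Undo the transfer encoding (quoted-printable here) and the charset."""
    raw = msg.get_payload(decode=True)
    return raw.decode(msg.get_content_charset() or "ascii", "replace")


def triage(msg):
    """Indicators a responder wants for a reply-to-harvest phish."""
    f = []
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    dom = addr.rpartition("@")[2].lower()
    if LOCAL_DOMAIN in name.lower() and dom != LOCAL_DOMAIN:
        f.append(f"display name claims {LOCAL_DOMAIN} but sender domain is {dom}")
    if dom in FREEMAIL:
        f.append(f"support persona sent from freemail domain {dom}")
    if msg.get("Subject", "").isupper():
        f.append("all-caps subject")
    body = body_text(msg)
    asks = [a.strip() for a in
            re.findall(r"(?im)^\s*\d+\.\s*(.*?password.*?)\s*:", body)]
    if asks:
        f.append("asks for credentials by reply: " + ", ".join(asks))
    if not re.search(r"https?://", body):
        f.append("no URL in body: link filtering has nothing to act on")
    score, required, tests = spam_status(msg)
    if tests.get("CIT_FORGED_FROM", 0) > 0 and "SPF_PASS" in tests:
        f.append("SPF/DKIM pass only proves gmail.com sent it; forged-from rule still fired")
    if score < required:
        f.append(f"delivered: spam score {score} below threshold {required}")
    return f


if __name__ == "__main__":
    m = parse(SAMPLE)
    print("origin:", originating_ip(m))
    for line in triage(m):
        print("-", line)
```

Two caveats the output makes visible: SPF_PASS and DKIM_VERIFIED are genuine, because gmail.com really did send the message, so authentication results say nothing about who wrote it; and the first public hop is Google's outbound MTA (209.85.161.65), not the phisher's client, whose only trace is a 10.x "with HTTP" hop. Both are why attribution has to come from Google rather than from the receiving side.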


