[nsp-sec] ATTN Google, gmail phish dropbox

RuthAnne Bevier ruthanne at caltech.edu
Sun Mar 6 21:02:24 EST 2011


Looks like webalert2020 at gmail.com is a phish dropbox.  Here is a
sample message with full headers:


>From nobody at jonola.caltech.edu Sat Mar  5 22:06:13 2011
Return-Path: <nobody at jonola.caltech.edu>
X-Original-To: thanne at caltech.edu
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
	by fire-doxen-postvirus (Postfix) with ESMTP id 6978E2E5125F;
	Sat,  5 Mar 2011 22:05:50 -0800 (PST)
X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
X-Spam-Flag: NO
X-Spam-Score: -1.142
X-Spam-Level: 
X-Spam-Status: No, score=-1.142 tagged_above=-10000 required=5
	tests=[PBJ_RCV_UNKNOWN=0.3, RDNS_NONE=0.1, SNF4SA=-1.542]
	autolearn=unavailable
Received: from jonola.caltech.edu (jonola.caltech.edu [131.215.239.176])
	by fire-doxen-external (Postfix) with ESMTP id 25B8C2E5125D;
	Sat,  5 Mar 2011 22:05:32 -0800 (PST)
Received: from jonola.caltech.edu (localhost [127.0.0.1])
	by jonola.caltech.edu (Postfix) with ESMTP id BC5861713C;
	Sat,  5 Mar 2011 22:05:55 -0800 (PST)
Received: (from nobody at localhost)
	by jonola.caltech.edu (8.13.7+Sun/8.13.7/Submit) id p2665thr003812;
	Sat, 5 Mar 2011 22:05:55 -0800 (PST)
X-Original-To: network-d at treqs.caltech.edu
Delivered-To: network-d at treqs.caltech.edu
Received: from outgoing-mail.its.caltech.edu (outgoing-mail.its.caltech.edu [131.215.239.19])
	by jonola.caltech.edu (Postfix) with ESMTP id 3B18F16EF5
	for <network-d at treqs.caltech.edu>; Sat,  5 Mar 2011 22:05:53 -0800 (PST)
Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1])
	by earth-doxen-postvirus (Postfix) with ESMTP id 6934B66E0172
	for <network-d at treqs.caltech.edu>; Sat,  5 Mar 2011 22:05:53 -0800 (PST)
X-Mailbox-Line: From info at systemadmin.com  Sat Mar  5 22: 05:53 2011
X-Original-To: noc at caltech.edu
Delivered-To: noc at caltech.edu
Received: from earth-doxen.imss.caltech.edu (localhost [127.0.0.1])
	by earth-doxen-postvirus (Postfix) with ESMTP id 16CE066E01AD
	for <noc at caltech.edu>; Sat,  5 Mar 2011 22:05:53 -0800 (PST)
X-Spam-Scanned: at Caltech-IMSS on earth-doxen by amavisd-new
Received: from asg.pagasa.dost.gov.ph (unknown [202.90.128.204])
	by earth-doxen-external (Postfix) with ESMTP id A884566E019A
	for <noc at caltech.edu>; Sat,  5 Mar 2011 22:05:48 -0800 (PST)
Received: from [192.168.255.2] (port=57522 helo=ulan.pagasa.dost.gov.ph)
	by asg.pagasa.dost.gov.ph with esmtps (TLSv1:AES256-SHA:256)
	(Exim 4.69)
	(envelope-from <info at systemadmin.com>)
	id 1Pw4zC-0006Ox-14
	for noc at caltech.edu; Sun, 06 Mar 2011 04:50:36 +0100
Received: (qmail 12068 invoked by uid 89); 6 Mar 2011 03:24:04 -0000
Received: from unknown (HELO webmail.pagasa.dost.gov.ph) (127.0.0.1)
  by 0 with SMTP; 6 Mar 2011 03:24:04 -0000
Received: from 41.138.184.219
        (SquirrelMail authenticated user danny.cambay)
        by webmail.pagasa.dost.gov.ph with HTTP;
        Sun, 6 Mar 2011 11:24:04 +0800 (PHT)
Message-ID: <1155.41.138.184.219.1299381844.squirrel at webmail.pagasa.dost.gov.ph>
Date: Sun, 6 Mar 2011 11:24:04 +0800 (PHT)
Subject: ATTN PLS
From: "System Administrator" <info at systemadmin.com>
Reply-To: webalert2020 at gmail.com
User-Agent: SquirrelMail/1.4.6
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
Importance: Normal
To: undisclosed-recipients:;
X-TBCK-ID: 0513247075334a9fa72e921bd53c9b71
X-TBCK-Status: First;AllClear;0
Precedence: bulk

Dear Webmail Account User,

This message is from webmail messaging center to all webmail account
owners. We are currently upgrading our data base and e-mail account
center. We are deleting all unused webmail account to create more space
for new accounts.

We are currently performing maintenance for our Digital Webmail Customers.
We intend upgrading our Digital Webmail Security Server for better online
services.

Confirm Your WebMail Details.
1. First Name & Last Name:
2. Full Login Email Address:
3. Username:
4  Password:
5. Retype Password:
6. Date of Birth:

Warning!!! Any account owner that refuses to update his or her account
within Three days of this update notification will loose his or her
account permanently.

Thank you for using our webmail!
Webmail Support Team
Warning Code : ID71388991


--=20
http://www.pagasa.dost.gov.ph=0D
=0D
This email was Anti Virus checked by Astaro Security Gateway.

CONFIDENTIALITY NOTICE AND DISCLAIMER:=0D
The information contained in this e-mail message is intended only for the u=
se of the individual or entity named above. If the reader of this message i=
s not the intended recipient, or is not the employee responsible for delive=
ring it to the intended recipient, you are hereby notified that any dissemi=
nation, distribution or copying of this communication is STRICTLY PROHIBITE=
D.  If you have received this message in error, PLEASE NOTIFY US IMMEDIATEL=
Y BY TELEPHONE OR REPLY BY E-MAIL AND THEN PROMPTLY DELETE THE MESSAGE. Tha=
nk you.



-- 
RuthAnne Bevier
Information Security
California Institute of Technology   
626-395-2671
ruthanne at caltech.edu
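Added example, not part of the original post: a Python sketch of header checks that flag the pattern visible in the sample above (a Reply-To on a free-webmail domain that differs from the From domain, an undisclosed recipient list, and a body that asks for a password). The input is an excerpt of the sample kept in the archive's "user at domain" form; the function names, the indicator labels and the `FREE_WEBMAIL` list are assumptions made for this illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Excerpt of the sample message above, in the archive's "user at domain" form.
SAMPLE = '''\
Subject: ATTN PLS
From: "System Administrator" <info at systemadmin.com>
Reply-To: webalert2020 at gmail.com
To: undisclosed-recipients:;

Confirm Your WebMail Details.
3. Username:
4  Password:
5. Retype Password:
'''

FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}  # assumption: illustrative list
# A line that is only a numbered "Username:" / "Password:" form field.
CRED_FIELD = re.compile(
    r"^\s*\d*[.)]?\s*(?:retype\s+)?(password|username)\s*:\s*$", re.I | re.M)

def deobfuscate(text):
    """Undo the archive's 'user at domain' rewriting in the header block only."""
    head, sep, body = text.partition("\n\n")
    return re.sub(r"(\S+) at (\S+\.\S+)", r"\1@\2", head) + sep + body

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phish_indicators(raw):
    """Return the indicator labels that fire for one raw message."""
    msg = message_from_string(deobfuscate(raw))
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    hits = []
    if reply_dom and reply_dom != from_dom:
        hits.append("reply-to-mismatch")        # replies leave the sender's domain
        if reply_dom in FREE_WEBMAIL:
            hits.append("reply-to-free-webmail")
    if "undisclosed-recipients" in (msg["To"] or "").lower():
        hits.append("undisclosed-recipients")
    if CRED_FIELD.search(msg.get_payload()):
        hits.append("asks-for-credentials")
    return hits

if __name__ == "__main__":
    print(phish_indicators(SAMPLE))
```

Each indicator is weak on its own; the Reply-To mismatch in particular also fires on legitimate mailing-list and helpdesk mail, so score the combination rather than any single hit.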


