[nsp-sec] ATTN Google, gmail phish dropbox

Chris Morrow morrowc at ops-netman.net
Sun Mar 6 22:17:47 EST 2011


sent along. thnx!

On 03/06/11 21:02, RuthAnne Bevier wrote:
> Looks like webalert2020 at gmail.com is a phish dropbox.  Here is a
> sample message with full headers:
> 
> 
>>From nobody at jonola.caltech.edu Sat Mar  5 22:06:13 2011
> Return-Path: <nobody at jonola.caltech.edu>
> X-Original-To: thanne at caltech.edu
> Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
> 	by fire-doxen-postvirus (Postfix) with ESMTP id 6978E2E5125F;
> 	Sat,  5 Mar 2011 22:05:50 -0800 (PST)
> X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
> X-Spam-Flag: NO
> X-Spam-Score: -1.142
> X-Spam-Level: 
> X-Spam-Status: No, score=-1.142 tagged_above=-10000 required=5
> 	tests=[PBJ_RCV_UNKNOWN=0.3, RDNS_NONE=0.1, SNF4SA=-1.542]
> 	autolearn=unavailable
> Received: from jonola.caltech.edu (jonola.caltech.edu [131.215.239.176])
> 	by fire-doxen-external (Postfix) with ESMTP id 25B8C2E5125D;
> 	Sat,  5 Mar 2011 22:05:32 -0800 (PST)
> Received: from jonola.caltech.edu (localhost [127.0.0.1])
> 	by jonola.caltech.edu (Postfix) with ESMTP id BC5861713C;
> 	Sat,  5 Mar 2011 22:05:55 -0800 (PST)
> Received: (from nobody at localhost)
> 	by jonola.caltech.edu (8.13.7+Sun/8.13.7/Submit) id p2665thr003812;
> 	Sat, 5 Mar 2011 22:05:55 -0800 (PST)
> X-Original-To: network-d at treqs.caltech.edu
> Delivered-To: network-d at treqs.caltech.edu
> Received: from outgoing-mail.its.caltech.edu (outgoing-mail.its.caltech.edu [131.215.239.19])
> 	by jonola.caltech.edu (Postfix) with ESMTP id 3B18F16EF5
> 	for <network-d at treqs.caltech.edu>; Sat,  5 Mar 2011 22:05:53 -0800 (PST)
> Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1])
> 	by earth-doxen-postvirus (Postfix) with ESMTP id 6934B66E0172
> 	for <network-d at treqs.caltech.edu>; Sat,  5 Mar 2011 22:05:53 -0800 (PST)
> X-Mailbox-Line: From info at systemadmin.com  Sat Mar  5 22: 05:53 2011
> X-Original-To: noc at caltech.edu
> Delivered-To: noc at caltech.edu
> Received: from earth-doxen.imss.caltech.edu (localhost [127.0.0.1])
> 	by earth-doxen-postvirus (Postfix) with ESMTP id 16CE066E01AD
> 	for <noc at caltech.edu>; Sat,  5 Mar 2011 22:05:53 -0800 (PST)
> X-Spam-Scanned: at Caltech-IMSS on earth-doxen by amavisd-new
> Received: from asg.pagasa.dost.gov.ph (unknown [202.90.128.204])
> 	by earth-doxen-external (Postfix) with ESMTP id A884566E019A
> 	for <noc at caltech.edu>; Sat,  5 Mar 2011 22:05:48 -0800 (PST)
> Received: from [192.168.255.2] (port=57522 helo=ulan.pagasa.dost.gov.ph)
> 	by asg.pagasa.dost.gov.ph with esmtps (TLSv1:AES256-SHA:256)
> 	(Exim 4.69)
> 	(envelope-from <info at systemadmin.com>)
> 	id 1Pw4zC-0006Ox-14
> 	for noc at caltech.edu; Sun, 06 Mar 2011 04:50:36 +0100
> Received: (qmail 12068 invoked by uid 89); 6 Mar 2011 03:24:04 -0000
> Received: from unknown (HELO webmail.pagasa.dost.gov.ph) (127.0.0.1)
>   by 0 with SMTP; 6 Mar 2011 03:24:04 -0000
> Received: from 41.138.184.219
>         (SquirrelMail authenticated user danny.cambay)
>         by webmail.pagasa.dost.gov.ph with HTTP;
>         Sun, 6 Mar 2011 11:24:04 +0800 (PHT)
> Message-ID: <1155.41.138.184.219.1299381844.squirrel at webmail.pagasa.dost.gov.ph>
> Date: Sun, 6 Mar 2011 11:24:04 +0800 (PHT)
> Subject: ATTN PLS
> From: "System Administrator" <info at systemadmin.com>
> Reply-To: webalert2020 at gmail.com
> User-Agent: SquirrelMail/1.4.6
> MIME-Version: 1.0
> Content-Type: text/plain; charset="utf-8"
> Content-Transfer-Encoding: quoted-printable
> X-Priority: 3 (Normal)
> Importance: Normal
> To: undisclosed-recipients:;
> X-TBCK-ID: 0513247075334a9fa72e921bd53c9b71
> X-TBCK-Status: First;AllClear;0
> Precedence: bulk
> 
> Dear Webmail Account User,
> 
> This message is from webmail messaging center to all webmail account
> owners. We are currently upgrading our data base and e-mail account
> center. We are deleting all unused webmail account to create more space
> for new accounts.
> 
> We are currently performing maintenance for our Digital Webmail Customers.
> We intend upgrading our Digital Webmail Security Server for better online
> services.
> 
> Confirm Your WebMail Details.
> 1. First Name & Last Name:
> 2. Full Login Email Address:
> 3. Username:
> 4  Password:
> 5. Retype Password:
> 6. Date of Birth:
> 
> Warning!!! Any account owner that refuses to update his or her account
> within Three days of this update notification will loose his or her
> account permanently.
> 
> Thank you for using our webmail!
> Webmail Support Team
> Warning Code : ID71388991
> 
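
Added example, not part of the list post or its author's work: a small Python triage script that parses the kind of header block quoted above, walks the Received hops oldest-first, treats the SquirrelMail "authenticated user" hop as the real submission point, and flags the From/Reply-To domain mismatch that marks a reply-to dropbox. The header text is reconstructed from the quoted sample (three of its Received hops, with the archive's " at " obfuscation undone); the function names are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers reconstructed from the quoted sample: three of its Received hops, " at " undone.
SAMPLE = """\
Received: from asg.pagasa.dost.gov.ph (unknown [202.90.128.204])
    by earth-doxen-external (Postfix) with ESMTP id A884566E019A
    for <noc@caltech.edu>; Sat,  5 Mar 2011 22:05:48 -0800 (PST)
Received: from unknown (HELO webmail.pagasa.dost.gov.ph) (127.0.0.1)
    by 0 with SMTP; 6 Mar 2011 03:24:04 -0000
Received: from 41.138.184.219
    (SquirrelMail authenticated user danny.cambay)
    by webmail.pagasa.dost.gov.ph with HTTP;
    Sun, 6 Mar 2011 11:24:04 +0800 (PHT)
From: "System Administrator" <info@systemadmin.com>
Reply-To: webalert2020@gmail.com
Subject: ATTN PLS
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_chain(msg):
    """Received hops oldest-first (the header block lists the newest hop first)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())  # unfold continuation lines
        m = re.match(r"from (\S+)", text)
        ips = [ip for ip in IP_RE.findall(text) if not ip.startswith("127.")]
        hops.append({"from": m.group(1) if m else None,
                     "ip": ips[0] if ips else None,
                     "webmail_auth": "authenticated user" in text})
    return hops

def origin(msg):
    """Hop where a user submitted via authenticated webmail, else the oldest hop with a public IP."""
    chain = received_chain(msg)
    return next((h for h in chain if h["webmail_auth"]), next((h for h in chain if h["ip"]), None))

def dropbox_pattern(msg):
    """True when Reply-To's domain differs from From's: replies are diverted to a collection box."""
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    return bool(reply_dom) and reply_dom != from_dom

def analyse(raw):
    msg = message_from_string(raw)
    return {"chain": received_chain(msg), "origin": origin(msg),
            "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
            "dropbox_pattern": dropbox_pattern(msg)}
```

Hops below the first one written by your own relays were added by someone else's servers and could be forged, so treat the SquirrelMail line as a strong lead for the abuse contact rather than proof.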


