[nsp-sec] ATTN Google, Gmail dropboxes used in phish
RuthAnne Bevier
ruthanne at caltech.edu
Thu Nov 3 16:11:50 EDT 2011
Here's another one. Do you guys want to be notified via the list about this kind of thing? Reply-to on this one is agt.michael1 at gmail.com, which is also referenced in the attachment.
Full headers. Attachment omitted:
>From chiochi2013 at gmail.com Thu Nov 3 11:18:12 2011
Return-Path: <chiochi2013 at gmail.com>
X-Original-To: thanne at caltech.edu
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
by fire-doxen-postvirus (Postfix) with ESMTP id 291A4328148;
Thu, 3 Nov 2011 11:18:13 -0700 (PDT)
X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
X-Spam-Flag: NO
X-Spam-Score: 2.408
X-Spam-Level: **
X-Spam-Status: No, score=2.408 tagged_above=-10000 required=5
tests=[DKIM_SIGNED=0.001, HTML_MESSAGE=0.001, PBJ_FRM_NUM1=0.6,
SUBJ_ALL_CAPS=1.806] autolearn=disabled
Received: from jonola.caltech.edu (jonola.caltech.edu [131.215.239.176])
by fire-doxen-external (Postfix) with ESMTP id 053892E50BA7;
Thu, 3 Nov 2011 11:18:03 -0700 (PDT)
Received: by jonola.caltech.edu (Postfix, from userid 60001)
id 52BC117142; Thu, 3 Nov 2011 11:18:02 -0700 (PDT)
X-Original-To: security at treqs.caltech.edu
Delivered-To: security at treqs.caltech.edu
Received: from outgoing-mail.its.caltech.edu (outgoing-mail.its.caltech.edu [131.215.239.19]) by jonola.caltech.edu (Postfix) with ESMTP id D348B16D15 for <security at treqs.caltech.edu>; Thu, 3 Nov 2011 11:17:56 -0700 (PDT)
Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1]) by earth-doxen-postvirus (Postfix) with ESMTP id 0FAAD66E00EB for <security at treqs.caltech.edu>; Thu, 3 Nov 2011 11:17:56 -0700 (PDT)
X-Mailbox-Line: From chiochi2013 at gmail.com Thu Nov 3 11: 17:55 2011
X-Original-To: security at caltech.edu
Delivered-To: security at caltech.edu
Received: from earth-doxen.imss.caltech.edu (localhost [127.0.0.1]) by earth-doxen-postvirus (Postfix) with ESMTP id 75FFF66E011F for <security at caltech.edu>; Thu, 3 Nov 2011 11:17:55 -0700 (PDT)
X-Spam-Scanned: at Caltech-IMSS on earth-doxen by amavisd-new
Received: from nm26-vm0.access.bullet.mail.mud.yahoo.com (nm26-vm0.access.bullet.mail.mud.yahoo.com [66.94.236.225]) by earth-doxen-external (Postfix) with SMTP id D19C766E00EB for <security at caltech.edu>; Thu, 3 Nov 2011 11:17:51 -0700 (PDT)
Received: from [66.94.237.200] by nm26.access.bullet.mail.mud.yahoo.com with NNFMP; 03 Nov 2011 18:17:51 -0000
Received: from [66.94.237.96] by tm11.access.bullet.mail.mud.yahoo.com with NNFMP; 03 Nov 2011 18:17:50 -0000
Received: from [127.0.0.1] by omp1001.access.mail.mud.yahoo.com with NNFMP; 03 Nov 2011 18:17:50 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 150004.64686.bm at omp1001.access.mail.mud.yahoo.com
Received: (qmail 43822 invoked by uid 60001); 3 Nov 2011 18:17:47 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1320344267; bh=wXyz8Z1jzr5Dh26m5dWRP3iVy3LUEmo/98DMn7KPY/4=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=vszv7BoFaETVhMwMYw24wA9YNNmWCUca6pyMG3LnnhkoxLldZVXG33yDw9OEEfbdcNoKXaCees//8huRuQHeGCkXL4hBxHMmJTz18dRi9iNEREikPt0MeQGzkyAy1DgMrtZ6hMduIfhHeIecKxpoxbh+v+Pi1GUTZFkhSle8Nv8=
X-YMail-OSG: 4mEKZRUVM1ki6Lkk3yGhaf03YdCHOHpka2UKKCnkH1QKKvc aPHB0AXYaHdBq1oQCvQdEz1yQbj3E15TJdOh3upebeZrM94s6AfjVbYj5xXH _TCHQUj5JyRkRzeA6HK10s4Zi2sSfxaC6sOQ1UWm.KHirriaVHtW2gzUusdN eDeiZLAGY7TY2Sc1PrSLwHwuzJHtmXXY3t8fGm8gfCXgvT_INkB_Gj3Rtesp a4g4GgZ8IGYaqwyvtfNPNw4S.jqZNtk7yT0Vi4hufkifYrSpUVOfseqlW6dz rcDgbWEovbNKGZtytoCYBRfSXgLixoLTAgJ.CgjQKMVH9tv0lV0aluKS82Xy syv4WmMiI2m4_HSCFSrjqCyydglNq64yA2J02UYHfqXD3IsnQUeAe3OyFOZe zKCmAC8fLpAWb5AWaV7179YFx9_tNbTjORmlhKE2Sad8MHBaqh_CldK1jNEO JJdpmSqAHyv7sc9hldgkK
Received: from [41.241.183.241] by web180914.mail.ne1.yahoo.com via HTTP; Thu, 03 Nov 2011 11:17:47 PDT
X-RocketYMMF: webcc1015 at att.net
X-Mailer: YahooMailClassic/14.0.11 YahooMailWebService/0.8.115.325013
Message-ID: <1320344267.17061.YahooMailClassic at web180914.mail.ne1.yahoo.com>
Date: Thu, 3 Nov 2011 11:17:47 -0700 (PDT)
From: BIG BIG UK NATIONAL LOTTO <chiochi2013 at gmail.com>
Reply-To: agt.michael1 at gmail.com
Subject: [TR #2291037] GOOD NEWS
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1552809443-1320344267=:17061"
X-TBCK-ID: 2a199cfd5d3952fbf7dffc0952ec6949
X-TBCK-Status: First;AllClear;0
Precedence: bulk
X-Caltech-ITS-T-Reqs-Initiated: yes
X-Caltech-ITS-T-Reqs-URL: https://treqs.caltech.edu/cgi-bin/ars-get-ticket.pl?ticket_id=2291037
X-Caltech-ITS-T-Reqs-Group: Information Security
--0-1552809443-1320344267=:17061
Content-Type: multipart/alternative; boundary="0-758874132-1320344267=:17061"
--0-758874132-1320344267=:17061
Content-Type: text/plain; charset=us-ascii
OPEN ATTACHMENT YOU HAVE WON
--0-758874132-1320344267=:17061
Content-Type: text/html; charset=us-ascii
<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">OPEN ATTACHMENT YOU HAVE WON</td></tr></table>
--0-758874132-1320344267=:17061--
--0-1552809443-1320344267=:17061
Content-Type: application/rtf; name=WINNING
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="WINNING NOTIFICATION.rtf"
--
RuthAnne Bevier
Director, Information Security
California Institute of Technology
ruthanne at caltech.edu
626-395-2671
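Added example, not part of the original post: a Python check for the two header mismatches visible in the message above, a Reply-To that differs from the From address, and a DKIM signing domain (`d=yahoo.com`) that does not match the From domain (`gmail.com`), which is why the `DKIM_SIGNED` hit says nothing about the claimed sender. The function names, the finding tags, and the simplified domain-alignment rule are assumptions of this example; the sample is an excerpt of the headers above with the archive's " at " obfuscation kept.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header excerpt from the message above (pipermail " at " obfuscation kept,
# DKIM-Signature abbreviated to its leading tags).
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024
From: BIG BIG UK NATIONAL LOTTO <chiochi2013 at gmail.com>
Reply-To: agt.michael1 at gmail.com
Subject: [TR #2291037] GOOD NEWS
To: undisclosed recipients: ;

"""

def addr(value):
    """Return (address, domain) from a header value, undoing ' at ' obfuscation."""
    value = re.sub(r"(\S+) at (\S+)", r"\1@\2", value or "")
    address = parseaddr(value)[1].lower()
    return address, address.rpartition("@")[2]

def findings(raw):
    """Map finding tag -> detail for sender-identity mismatches in raw headers."""
    msg = message_from_string(raw)
    from_addr, from_dom = addr(msg.get("From"))
    reply_addr, _ = addr(msg.get("Reply-To"))
    out = {}
    # Replies would be collected by a mailbox other than the visible sender.
    if reply_addr and reply_addr != from_addr:
        out["reply-to-differs"] = f"replies go to {reply_addr}, not {from_addr}"
    # A DKIM signature only vouches for the domain in d=. Simplified alignment
    # (assumption): d= must equal the From domain or be a parent of it.
    m = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_dom = m.group(1).lower() if m else ""
    if dkim_dom and not (from_dom == dkim_dom or from_dom.endswith("." + dkim_dom)):
        out["dkim-unaligned"] = f"signed by {dkim_dom}, From domain is {from_dom}"
    return out

if __name__ == "__main__":
    for tag, detail in findings(SAMPLE).items():
        print(f"{tag}: {detail}")
```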