[nsp-sec] ATTN Google, phish using Google docs and email

RuthAnne Bevier ruthanne at caltech.edu
Thu Oct 13 10:47:55 EDT 2011


I'm not sure if either of these addresses might be spoofed (coordinator at gmail.com and webmail.coordinator at gmail.com), but here is a sample with full headers.  I've already clicked "report abuse" on the form itself.

     --RuthAnne


>From coordinator at gmail.com Thu Oct 13 03:19:15 2011
Return-Path: <coordinator at gmail.com>
X-Original-To: thanne at caltech.edu
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
	by fire-doxen-postvirus (Postfix) with ESMTP id 568FB3280B0;
	Thu, 13 Oct 2011 03:19:16 -0700 (PDT)
X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
X-Spam-Flag: NO
X-Spam-Score: -1.001
X-Spam-Level: 
X-Spam-Status: No, score=-1.001 tagged_above=-10000 required=5
	tests=[DKIM_SIGNED=0.001, DKIM_VERIFIED=-0.001, RCVD_IN_DNSWL_LOW=-1,
	SPF_PASS=-0.001] autolearn=unavailable
Received: from jonola.caltech.edu (jonola.caltech.edu [131.215.239.176])
	by fire-doxen-external (Postfix) with ESMTP id 132D532820C;
	Thu, 13 Oct 2011 03:19:12 -0700 (PDT)
Received: by jonola.caltech.edu (Postfix, from userid 60001)
	id EF91A1713F; Thu, 13 Oct 2011 03:19:11 -0700 (PDT)
X-Original-To: ipoffice at treqs.caltech.edu
Delivered-To: ipoffice at treqs.caltech.edu
Received: from outgoing-mail.its.caltech.edu (outgoing-mail.its.caltech.edu [131.215.239.19])	by jonola.caltech.edu (Postfix) with ESMTP id 6C25216EFC	for <ipoffice at treqs.caltech.edu>; Thu, 13 Oct 2011 03:19:10 -0700 (PDT)
Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1])	by fire-doxen-postvirus (Postfix) with ESMTP id 389833280B0	for <ipoffice at treqs.caltech.edu>; Thu, 13 Oct 2011 03:19:10 -0700 (PDT)
X-Mailbox-Line: From webmail.coordinator at gmail.com  Thu Oct 13 03: 19:09 2011
X-Original-To: ipoffice at caltech.edu
Delivered-To: ipoffice at caltech.edu
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])	by fire-doxen-postvirus (Postfix) with ESMTP id E51F0328056	for <ipoffice at caltech.edu>; Thu, 13 Oct 2011 03:19:09 -0700 (PDT)
X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
Received: from mail-ww0-f43.google.com (mail-ww0-f43.google.com [74.125.82.43])	by fire-doxen-external (Postfix) with ESMTP id 7FD603280B0	for <ipoffice at caltech.edu>; Thu, 13 Oct 2011 03:19:07 -0700 (PDT)
Received: by wwf27 with SMTP id 27so1406179wwf.0        for <ipoffice at caltech.edu>; Thu, 13 Oct 2011 03:19:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;        d=gmail.com; s=gamma;        h=mime-version:date:message-id:subject:from:to:content-type;        bh=PwfHyWC+T2PS0IGy2vLexQzI8LnzQWBI4A99TZuyw8w=;        b=h/WM95Sr5NqNjK3zCXQu1C92jde73s0BChLwYL6Syvb8RgMD8VOMjuHBtkZKwUO4db         CqCHpyvHv2GHaTqquEzH0S5tEEXscj4q5gf01rHrfZqfC6M4AGU1KfICaa52PxHP9s1f         CBFxXzNEtmCCfotw62pV1FsgGR9pU2iSz/CJY=
MIME-Version: 1.0
Received: by 10.216.180.132 with SMTP id j4mr2086020wem.75.1318501145822; Thu, 13 Oct 2011 03:19:05 -0700 (PDT)
Received: by 10.216.51.75 with HTTP; Thu, 13 Oct 2011 03:19:05 -0700 (PDT)
Date: Thu, 13 Oct 2011 11:19:05 +0100
Message-ID: <CAEcNzO0a73kwRe1eAKU_fajZfvy4Bzv4KKNXRVVa4LwdTBh8vw at mail.gmail.com>
Subject: [TR #2269843] Webmail Upgrade
From: Webmail Administrator <webmail.coordinator at gmail.com>
To: undisclosed-recipients:;
Content-Type: text/plain; charset=ISO-8859-1
X-TBCK-ID: e6ef9da1c34c453143fe4cd8673a9a2a
X-TBCK-Status: First;AllClear;0
Precedence: bulk
X-Caltech-ITS-T-Reqs-Initiated: yes
X-Caltech-ITS-T-Reqs-URL: https://treqs.caltech.edu/cgi-bin/ars-get-ticket.pl?ticket_id=2269843
X-Caltech-ITS-T-Reqs-Group: IP Office

A Computer Database Maintainance is currently going on our Webmail
Message Center.
Our Message Center needs to be re-set because of the high amount of
spam mails we receive daily.
A Quarantine Maintainance will help us prevent this everyday dilemma.
To protect your account from unauthorized access and revalidate
yourmailbox, Click the link below and confirm your webmail account
information:

(Click Here To Continue)
https://docs.google.com/spreadsheet/viewform?formkey=dFZ3N053S3JtZUFfcWdnT0dvODBQcUE6MQ


Failure to revalidate your mailbox will render your e-mail in-active
from our database.
Thanks
System Administrator



-- 
RuthAnne Bevier
Director, Information Security
California Institute of Technology
ruthanne at caltech.edu
626-395-2671
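
An added example, not part of the original post: one way to triage headers like the ones above when the question is whether the From address is spoofed. It reads the verdicts the receiving filter already recorded (it does not re-verify the DKIM signature), compares the DKIM d= domain with the From domain, and finds the first hop logged from outside the local domain. The function names, the `.caltech.edu` local suffix default and the abridged sample are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: abridged from the headers quoted above, " at " restored to "@".
SAMPLE = """\
X-Spam-Status: No, score=-1.001 tagged_above=-10000 required=5
\ttests=[DKIM_SIGNED=0.001, DKIM_VERIFIED=-0.001, RCVD_IN_DNSWL_LOW=-1,
\tSPF_PASS=-0.001] autolearn=unavailable
Received: from jonola.caltech.edu (jonola.caltech.edu [131.215.239.176])
\tby fire-doxen-external (Postfix) with ESMTP id 132D532820C;
\tThu, 13 Oct 2011 03:19:12 -0700 (PDT)
Received: from mail-ww0-f43.google.com (mail-ww0-f43.google.com [74.125.82.43])
\tby fire-doxen-external (Postfix) with ESMTP id 7FD603280B0;
\tThu, 13 Oct 2011 03:19:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma
Received: by 10.216.51.75 with HTTP; Thu, 13 Oct 2011 03:19:05 -0700 (PDT)
Subject: [TR #2269843] Webmail Upgrade
From: Webmail Administrator <webmail.coordinator@gmail.com>
"""

RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(\S+\s+\[([\d.]+)\]\)")

def first_external_hop(msg, local_suffix):
    # Received lines are prepended, so reading top-down the first peer outside
    # local_suffix is the hop our own MTA logged; lines below it are sender-supplied.
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(value.strip())
        if m and not m.group(1).lower().endswith(local_suffix):
            return m.group(1), m.group(2)
    return None

def triage(raw, local_suffix=".caltech.edu"):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    d = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    dkim_domain = d.group(1).lower() if d else None
    # Assumption: the topmost X-Spam-Status was written by the local filter.
    tests = set(re.findall(r"([A-Z][A-Z0-9_]+)=", msg.get("X-Spam-Status", "")))
    return {
        "from_domain": from_domain,
        "dkim_domain": dkim_domain,
        # A DKIM pass only vouches for From when d= matches the From domain.
        "dkim_aligned": dkim_domain is not None
        and (from_domain == dkim_domain or from_domain.endswith("." + dkim_domain)),
        "filter_verified": {"DKIM_VERIFIED", "SPF_PASS"} <= tests,
        "external_hop": first_external_hop(msg, local_suffix),
    }
```

Calling `triage(SAMPLE)` reports an aligned gmail.com signature and a google.com relay as the first external hop. SPF_PASS refers to the envelope sender rather than the From header, so the DKIM alignment field is the one that speaks to the visible address.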


