[nsp-sec] ATTN Google, phish using Google docs and email

Peter Moody pmoody at google.com
Thu Oct 13 14:49:59 EDT 2011


ack.  while we wait for the spreadsheet abuse process to putter along, I'll
get the gmail account shuttered.

On Thu, Oct 13, 2011 at 7:47 AM, RuthAnne Bevier <ruthanne at caltech.edu> wrote:

> ----------- nsp-security Confidential --------
>
> I'm not sure if either of these addresses might be spoofed (
> coordinator at gmail.com and webmail.coordinator at gmail.com), but here is a
> sample with full headers.  I've already clicked "report abuse" on the form
> itself.
>
>     --RuthAnne
>
>
> From coordinator at gmail.com Thu Oct 13 03:19:15 2011
> Return-Path: <coordinator at gmail.com>
> X-Original-To: thanne at caltech.edu
> Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
>        by fire-doxen-postvirus (Postfix) with ESMTP id 568FB3280B0;
>        Thu, 13 Oct 2011 03:19:16 -0700 (PDT)
> X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
> X-Spam-Flag: NO
> X-Spam-Score: -1.001
> X-Spam-Level:
> X-Spam-Status: No, score=-1.001 tagged_above=-10000 required=5
>        tests=[DKIM_SIGNED=0.001, DKIM_VERIFIED=-0.001, RCVD_IN_DNSWL_LOW=-1,
>        SPF_PASS=-0.001] autolearn=unavailable
> Received: from jonola.caltech.edu (jonola.caltech.edu [131.215.239.176])
>        by fire-doxen-external (Postfix) with ESMTP id 132D532820C;
>        Thu, 13 Oct 2011 03:19:12 -0700 (PDT)
> Received: by jonola.caltech.edu (Postfix, from userid 60001)
>        id EF91A1713F; Thu, 13 Oct 2011 03:19:11 -0700 (PDT)
> X-Original-To: ipoffice at treqs.caltech.edu
> Delivered-To: ipoffice at treqs.caltech.edu
> Received: from outgoing-mail.its.caltech.edu (outgoing-mail.its.caltech.edu [131.215.239.19])
>        by jonola.caltech.edu (Postfix) with ESMTP id 6C25216EFC
>        for <ipoffice at treqs.caltech.edu>; Thu, 13 Oct 2011 03:19:10 -0700 (PDT)
> Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1])
>        by fire-doxen-postvirus (Postfix) with ESMTP id 389833280B0
>        for <ipoffice at treqs.caltech.edu>; Thu, 13 Oct 2011 03:19:10 -0700 (PDT)
> X-Mailbox-Line: From webmail.coordinator at gmail.com  Thu Oct 13 03: 19:09
> 2011
> X-Original-To: ipoffice at caltech.edu
> Delivered-To: ipoffice at caltech.edu
> Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
>        by fire-doxen-postvirus (Postfix) with ESMTP id E51F0328056
>        for <ipoffice at caltech.edu>; Thu, 13 Oct 2011 03:19:09 -0700 (PDT)
> X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
> Received: from mail-ww0-f43.google.com (mail-ww0-f43.google.com [74.125.82.43])
>        by fire-doxen-external (Postfix) with ESMTP id 7FD603280B0
>        for <ipoffice at caltech.edu>; Thu, 13 Oct 2011 03:19:07 -0700 (PDT)
> Received: by wwf27 with SMTP id 27so1406179wwf.0
>        for <ipoffice at caltech.edu>; Thu, 13 Oct 2011 03:19:05 -0700 (PDT)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>        d=gmail.com; s=gamma;
>        h=mime-version:date:message-id:subject:from:to:content-type;
>        bh=PwfHyWC+T2PS0IGy2vLexQzI8LnzQWBI4A99TZuyw8w=;
>  b=h/WM95Sr5NqNjK3zCXQu1C92jde73s0BChLwYL6Syvb8RgMD8VOMjuHBtkZKwUO4db
>   CqCHpyvHv2GHaTqquEzH0S5tEEXscj4q5gf01rHrfZqfC6M4AGU1KfICaa52PxHP9s1f
>   CBFxXzNEtmCCfotw62pV1FsgGR9pU2iSz/CJY=
> MIME-Version: 1.0
> Received: by 10.216.180.132 with SMTP id j4mr2086020wem.75.1318501145822;
>        Thu, 13 Oct 2011 03:19:05 -0700 (PDT)
> Received: by 10.216.51.75 with HTTP; Thu, 13 Oct 2011 03:19:05 -0700 (PDT)
> Date: Thu, 13 Oct 2011 11:19:05 +0100
> Message-ID: <CAEcNzO0a73kwRe1eAKU_fajZfvy4Bzv4KKNXRVVa4LwdTBh8vw at mail.gmail.com>
> Subject: [TR #2269843] Webmail Upgrade
> From: Webmail Administrator <webmail.coordinator at gmail.com>
> To: undisclosed-recipients:;
> Content-Type: text/plain; charset=ISO-8859-1
> X-TBCK-ID: e6ef9da1c34c453143fe4cd8673a9a2a
> X-TBCK-Status: First;AllClear;0
> Precedence: bulk
> X-Caltech-ITS-T-Reqs-Initiated: yes
> X-Caltech-ITS-T-Reqs-URL: https://treqs.caltech.edu/cgi-bin/ars-get-ticket.pl?ticket_id=2269843
> X-Caltech-ITS-T-Reqs-Group: IP Office
>
> A Computer Database Maintainance is currently going on our Webmail
> Message Center.
> Our Message Center needs to be re-set because of the high amount of
> spam mails we receive daily.
> A Quarantine Maintainance will help us prevent this everyday dilemma.
> To protect your account from unauthorized access and revalidate
> yourmailbox, Click the link below and confirm your webmail account
> information:
>
> (Click Here To Continue)
>
> https://docs.google.com/spreadsheet/viewform?formkey=dFZ3N053S3JtZUFfcWdnT0dvODBQcUE6MQ
>
>
> Failure to revalidate your mailbox will render your e-mail in-active
> from our database.
> Thanks
> System Administrator
>
>
>
> --
> RuthAnne Bevier
> Director, Information Security
> California Institute of Technology
> ruthanne at caltech.edu
> 626-395-2671
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
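
Added example, not part of the original thread and not either poster's code: a Python triage of the quoted header sample for the spoofing question raised in the report. It checks whether the DKIM d= domain matches the From domain, which verdicts the receiving filter recorded, and which outside host handed the mail to the recipient's relays. SAMPLE is a trimmed, constructed subset of the quoted headers, and OWN_NETS is an assumption built from the relay IPs that appear in them.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a subset of the headers quoted in the thread (DKIM bh=/b=
# omitted), with the archive's " at " address obfuscation left in place.
SAMPLE = """\
X-Spam-Status: No, score=-1.001 tagged_above=-10000 required=5
 tests=[DKIM_SIGNED=0.001, DKIM_VERIFIED=-0.001, RCVD_IN_DNSWL_LOW=-1,
 SPF_PASS=-0.001] autolearn=unavailable
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
 by fire-doxen-postvirus (Postfix) with ESMTP id E51F0328056
Received: from mail-ww0-f43.google.com (mail-ww0-f43.google.com [74.125.82.43])
 by fire-doxen-external (Postfix) with ESMTP id 7FD603280B0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
 h=mime-version:date:message-id:subject:from:to:content-type
Received: by 10.216.51.75 with HTTP; Thu, 13 Oct 2011 03:19:05 -0700 (PDT)
From: Webmail Administrator <webmail.coordinator at gmail.com>
Subject: [TR #2269843] Webmail Upgrade

"""
# Assumption: the recipient's own relays, taken from the IPs in the quoted headers.
OWN_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "131.215.239.0/24")]

def triage(raw, own_nets=OWN_NETS):
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", "").replace(" at ", "@"))[1]
    from_dom = addr.rpartition("@")[2].lower()
    # d= names the domain that signed the message; compare it (exact match)
    # with the domain shown in From.
    dkim = set()
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
        dkim.add(tags.get("d", "").lower())
    # Verdicts the receiving filter recorded; this script does not re-verify them.
    status = " ".join(msg.get_all("X-Spam-Status", []))
    verdicts = set(re.findall(r"\b(DKIM_VERIFIED|SPF_PASS)=", status))
    # Newest hop first: find where the mail entered from outside. Postfix writes
    # "from HELO (rDNS [IP])"; HELO is sender-supplied, so keep rDNS and IP only.
    hop = None
    for rcvd in msg.get_all("Received", []):
        m = re.match(r"from\s+\S+\s+\((\S+?)\s*\[([\d.]+)\]\)", rcvd)
        if m and not any(ipaddress.ip_address(m.group(2)) in n for n in own_nets):
            hop = (m.group(1), m.group(2))
            break
    return {"from_domain": from_dom, "dkim_aligned": bool(from_dom) and from_dom in dkim,
            "filter_verdicts": verdicts, "entry_hop": hop}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A From domain that matches a verified DKIM d= and an entry hop inside the provider's own network point to a real account at that provider rather than a forged From line.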


