[nsp-sec] ATTN Google, spreadsheet phish

Peter Moody pmoody at google.com
Wed Sep 28 12:39:04 EDT 2011 

aaand, it's down.  the abuse link looks like it's working.

On Tue, Sep 27, 2011 at 7:45 AM, RuthAnne Bevier <ruthanne at caltech.edu>wrote:

> ----------- nsp-security Confidential --------
>
> Also clicked report abuse for
>
>
> https://docs.google.com/spreadsheet/viewform?formkey=dGoxRTd0YkhEM1l3c3hQRWR0MVZvdVE6MQ
>
> Sample with full headers:
>
> From pagoramu at purdue.edu  Tue Sep 27 07:04:08 2011
> Return-Path: <pagoramu at purdue.edu>
> X-Original-To: help at treqs.caltech.edu
> Delivered-To: help at treqs.caltech.edu
> Received: from outgoing-mail.its.caltech.edu (
> outgoing-mail.its.caltech.edu
> [131.215.239.19])
>        by jonola.caltech.edu (Postfix) with ESMTP id 31AFF1713A
>        for <help at treqs.caltech.edu>; Tue, 27 Sep 2011 07:04:08 -0700 (PDT)
> Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1])
>        by earth-doxen-postvirus (Postfix) with ESMTP id 01EAF66E03EE
>        for <help at treqs.caltech.edu>; Tue, 27 Sep 2011 07:04:07 -0700 (PDT)
> X-Mailbox-Line: From pagoramu at purdue.edu  Tue Sep 27 07: 04:07 2011
> X-Original-To: help at its.caltech.edu
> Delivered-To: help at its.caltech.edu
> Received: from earth-doxen.imss.caltech.edu (localhost [127.0.0.1])
>        by earth-doxen-postvirus (Postfix) with ESMTP id 9E83566E03F5;
>        Tue, 27 Sep 2011 07:04:07 -0700 (PDT)
> X-Spam-Scanned: at Caltech-IMSS on earth-doxen by amavisd-new
> X-Spam-Flag: NO
> X-Spam-Score: 0.807
> X-Spam-Level:
> X-Spam-Status: No, score=0.807 tagged_above=-10000 required=5
>        tests=[HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1,
> SUBJ_ALL_CAPS=1.806]
>        autolearn=disabled
> Received: from mailhub130.itcs.purdue.edu (mailhub130.itcs.purdue.edu
> [128.210.5.130])
>        by earth-doxen-external (Postfix) with ESMTP id 393FD66E03EE;
>        Tue, 27 Sep 2011 07:04:03 -0700 (PDT)
> Received: from WPPEXHUB02F.purdue.lcl (wppexhub02f.itap.purdue.edu
> [172.21.6.91])
>        by mailhub130.itcs.purdue.edu (8.14.4/8.14.4/
> mta-nopmx.smtp.purdue.edu)
> with ESMTP id p8RE2JSZ001556;
>        Tue, 27 Sep 2011 10:02:45 -0400
> Received: from vpexch07.purdue.lcl ([169.254.1.207]) by
> WPPEXHUB02F.purdue.lcl
>  ([::1]) with mapi; Tue, 27 Sep 2011 10:02:28 -0400
> From: "Agoramurthy, Poornima" <pagoramu at purdue.edu>
> To: "Agoramurthy, Poornima" <pagoramu at purdue.edu>
> Date: Tue, 27 Sep 2011 09:58:16 -0400
> Subject: RE: YOU HAVE EXCEED YOUR STORAGE LIMIT
> Thread-Topic: YOU HAVE EXCEED YOUR STORAGE LIMIT
> Thread-Index: AQHMfRyQyWzDnZ43vEm+vRrvM7HV55VhPvbHgAABFZuAAAC/VQ==
> Message-ID:
> <9CB29B76E50D7F4DA541B794F18039C501799271CC27 at VPEXCH07.purdue.lcl>
> References:
> <9CB29B76E50D7F4DA541B794F18039C501799271CC08 at VPEXCH07.purdue.lcl
> >,<9CB29B76E50D7F4DA541B794F18039C501799271CC0E at VPEXCH07.purdue.lcl
> >,<9CB29B76E50D7F4DA541B794F18039C501799271CC20 at VPEXCH07.purdue.lcl>
> In-Reply-To:
> <9CB29B76E50D7F4DA541B794F18039C501799271CC20 at VPEXCH07.purdue.lcl>
> Accept-Language: en-US
> Content-Language: en-US
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> acceptlanguage: en-US
> Content-Type: multipart/alternative;
>
>  boundary="_000_9CB29B76E50D7F4DA541B794F18039C501799271CC27VPEXCH07pur_"
> MIME-Version: 1.0
> X-PMX-Version: 5.5.9.388399
> X-PerlMx-Virus-Scanned: Yes
> X-TBCK-ID: b573cfd69a7c20387895bfc71f65a124
> X-TBCK-Status: First;AllClear;0
>
> --_000_9CB29B76E50D7F4DA541B794F18039C501799271CC27VPEXCH07pur_
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> 20GB 23GB
> Current size Maximum size
> Your Webmail Quota Has Exceeded The Set Quota/Limit Which Is 20GB. You Are
> =
> Currently Running On 23GB Due To Hidden Files And Folder On Your
> Mailbox.Pl=
> ease
> Click<https://docs.google.com/spreadsheet/viewform?formkey=3DdGoxRTd0Y=
> khEM1l3c3hQRWR0MVZvdVE6MQ> the Link Below To Validate Your Mailbox And
> Incr=
> ease Your storage limit
>
> --_000_9CB29B76E50D7F4DA541B794F18039C501799271CC27VPEXCH07pur_
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> <html dir=3D"ltr"><head>
> <meta http-equiv=3D"Content-Type" content=3D"text/html;
> charset=3Diso-8859-=
> 1">
> <style id=3D"owaTempEditStyle"></style><style title=3D"owaParaStyle"><!--P
> =
> {
>        MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
> }
> --></style>
> <meta name=3D"GENERATOR" content=3D"MSHTML 8.00.6001.23216">
> </head>
> <body ocsi=3D"x">
> <div style=3D"FONT-FAMILY: Times New Roman; DIRECTION: ltr; COLOR:
> #000000;=
>  FONT-SIZE: 16px">
> <div style=3D"FONT-FAMILY: Times New Roman; DIRECTION: ltr; COLOR:
> #000000;=
>  FONT-SIZE: 16px">
> 20GB 23GB<br>
> Current size Maximum size<br>
> Your Webmail Quota Has Exceeded The Set Quota/Limit Which Is 20GB. You Are
> =
> Currently Running On 23GB Due To Hidden Files And Folder On Your
> Mailbox.Pl=
> ease
> <u><a
> href=3D"https://docs.google.com/spreadsheet/viewform?formkey=3DdGoxRT=
> d0YkhEM1l3c3hQRWR0MVZvdVE6MQ" target=3D"_blank">Click</a></u> the Link
> Belo=
> w To Validate Your Mailbox And Increase Your storage limit</div>
> </div>
> </body>
> </html>
>
> --_000_9CB29B76E50D7F4DA541B794F18039C501799271CC27VPEXCH07pur_--
> ---------------------------------------------------------------------------
>
>
>
> --
> RuthAnne Bevier
> Director, Information Security
> California Institute of Technology
> ruthanne at caltech.edu
> 626-395-2671
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038

More information about the nsp-security mailing list