[nsp-sec] ATTN Gmail, dropbox used in phish

RuthAnne Bevier ruthanne at caltech.edu
Sun Jul 15 11:22:44 EDT 2012


Hi -- webmaildesk1 at gmail.com is a dropbox used in a return-mail password phish.  Sample with full headers below:

>From webmaildesk1 at gmail.com  Sun Jul 15 06:51:59 2012
Return-Path: <webmaildesk1 at gmail.com>
X-Original-To: help-gps at treqs.caltech.edu
Delivered-To: help-gps at treqs.caltech.edu
Received: from outgoing-mail.its.caltech.edu (outgoing-mail.its.caltech.edu
	[131.215.239.19])
	by jonola.caltech.edu (Postfix) with ESMTP id 68684D47D
	for <help-gps at treqs.caltech.edu>; Sun, 15 Jul 2012 06:51:59 -0700 (PDT)
Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1])
	by fire-doxen-postvirus (Postfix) with ESMTP id 536C62E50CB6
	for <help-gps at treqs.caltech.edu>; Sun, 15 Jul 2012 06:51:59 -0700 (PDT)
X-Mailbox-Line: From webmaildesk1 at gmail.com  Sun Jul 15 06:51:59 2012
X-Original-To: help-gps at caltech.edu
Delivered-To: help-gps at caltech.edu
Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
	by fire-doxen-postvirus (Postfix) with ESMTP id 12A572E50D4E
	for <help-gps at caltech.edu>; Sun, 15 Jul 2012 06:51:59 -0700 (PDT)
X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
X-Spam-Flag: NO
X-Spam-Score: 1.435
X-Spam-Level: *
X-Spam-Status: No, score=1.435 tagged_above=-10000 required=5
	tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
	DKIM_VERIFIED=0, FREEMAIL_ENVFROM_END_DIGIT=2.223,
	FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7,
	T_TO_NO_BRKTS_FREEMAIL=0.01] autolearn=disabled
Received: from geyser.gps.caltech.edu (geyser.gps.caltech.edu
	[131.215.65.56])
	by fire-doxen-external (Postfix) with ESMTP id 3E5362E50CB6
	for <help-gps at caltech.edu>; Sun, 15 Jul 2012 06:51:57 -0700 (PDT)
Received: by geyser.gps.caltech.edu (Postfix)
	id 3004A550FD5; Sun, 15 Jul 2012 06:51:57 -0700 (PDT)
Delivered-To: help at gps.caltech.edu
Received: from localhost (localhost.localdomain [127.0.0.1])
	by geyser.gps.caltech.edu (Postfix) with ESMTP id 2E2F2550FD4
	for <help at gps.caltech.edu>; Sun, 15 Jul 2012 06:51:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at gps.caltech.edu
Received: from geyser.gps.caltech.edu ([127.0.0.1])
	by localhost (geyser.gps.caltech.edu [127.0.0.1]) (amavisd-new, port
	10024)
	with ESMTP id ChSAejaaDVoM for <help at gps.caltech.edu>;
	Sun, 15 Jul 2012 06:51:57 -0700 (PDT)
Received: from barracuda.gps.caltech.edu (sawtooth.gps.caltech.edu
	[131.215.235.108])
	by geyser.gps.caltech.edu (Postfix) with ESMTP id 0B3E8550FD1
	for <help at gps.caltech.edu>; Sun, 15 Jul 2012 06:51:57 -0700 (PDT)
X-ASG-Debug-ID: 1342360310-412000990000-RQx4pD
X-Barracuda-URL: http://barracuda.gps.caltech.edu:8000/cgi-bin/mark.cgi
Received: from mail-vc0-f196.google.com (localhost [127.0.0.1])
	by barracuda.gps.caltech.edu (Spam Firewall) with ESMTP id D1D672EFCD1
	for <help at gps.caltech.edu>; Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
Received: from mail-vc0-f196.google.com (mail-vc0-f196.google.com
	[209.85.220.196]) by barracuda.gps.caltech.edu with ESMTP id
	fqY07KNaD7ouk8Fl for <help at gps.caltech.edu>; Sun, 15 Jul 2012 06:51:50
	-0700 (PDT)
Received: by vcbfw7 with SMTP id fw7so105991vcb.11
        for <help at gps.caltech.edu>; Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=0sDJo+S1lCxHovdd2GUbgXf1e1EvrC0uR1rGU5pKrh4=;
MIME-Version: 1.0
Received: by 10.52.65.51 with SMTP id u19mr3256683vds.17.1342360310127;
        Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
Received: by 10.220.90.202 with HTTP; Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
Date: Sun, 15 Jul 2012 19:21:50 +0530
Message-ID: <CAG9WxEmOLFR-hfO678ew+-R+ecAeJfWqoUU=k9ZBLJVCwMgypQ at mail.gmail.com>
X-ASG-Orig-Subj: Dear User,
Subject: Dear User,
From: Help Desk <webmaildesk1 at gmail.com>
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=20cf3071d0b2721bf004c4de9d0d
X-Barracuda-Connect: mail-vc0-f196.google.com[209.85.220.196]
X-Barracuda-Start-Time: 1342360310
X-Barracuda-Virus-Scanned: by Barracuda Spam Firewall at gps.caltech.edu
X-Barracuda-Spam-Score: 2.00
X-Barracuda-Spam-Status: No, SCORE=2.00 using global scores of
	TAG_LEVEL=3.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=7.0 tests=BSF_SC7_MJ2332,
	HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.102772
	Rule breakdown below
	 pts rule name              description
	---- ---------------------- --------------------------------------------------
	0.00 HTML_MESSAGE           BODY: HTML included in message
	2.00 BSF_SC7_MJ2332         Custom Rule MJ2332
X-TBCK-ID: 0ac3fde60a9464e090051e6080224178
X-TBCK-Status: First;AllClear;0

--20cf3071d0b2721bf004c4de9d0d
Content-Type: text/plain; charset=ISO-8859-1

Dear User,


You have exceeded the storage limit on your mailbox. You will not be able
to send or receive new mail until you upgrade your email quota. Kindly
update your account by filling the details below.

User Name:
Password
Confirm Password

Verifying your email address ensures that you can securely retrieve your
account information if your password is lost or stolen. You must verify
your email address before you can use it on Your Email Service Provider
that require an email address.


Regards,
Technical Team



-- 
RuthAnne Bevier
Director, Information Security
California Institute of Technology
ruthanne at caltech.edu
626-395-2671
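As an added example (not code from the original post), a short Python triage script that pulls the indicators a responder would record from a sample like this one: the dropbox address, the originating relay from the Received chain, and the lure features in the headers and body. The SAMPLE it parses is a constructed, condensed excerpt of the headers quoted above, and the freemail watch-list is an assumption.

```python
# Added example (not from the original post): triage a "return-mail" credential
# phish from its headers.  SAMPLE is a constructed, condensed excerpt of the
# headers and body quoted above, with the MIME wrapper dropped.
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
SAMPLE = """Return-Path: <webmaildesk1@gmail.com>
Received: from mail-vc0-f196.google.com (mail-vc0-f196.google.com [209.85.220.196])
\tby barracuda.gps.caltech.edu with ESMTP id fqY07KNaD7ouk8Fl
\tfor <help@gps.caltech.edu>; Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
Received: by 10.220.90.202 with HTTP; Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
Date: Sun, 15 Jul 2012 19:21:50 +0530
Subject: Dear User,
From: Help Desk <webmaildesk1@gmail.com>
To: undisclosed-recipients:;
Content-Type: text/plain; charset=ISO-8859-1

You have exceeded the storage limit on your mailbox. Kindly
update your account by filling the details below.
User Name:
Password
Confirm Password
"""
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}  # assumed watch-list
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]+)?\s*\[([\d.]+)\]\)")


def triage(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    # Each relay prepends its Received header, so walk them bottom-up for
    # delivery order; the Gmail web hop ("by ... with HTTP") has no "from"
    # clause and is skipped, leaving Google's outbound MTA as the origin.
    hops = []
    for rcvd in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(rcvd))
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2), "ip": m.group(3)})
    display, addr = parseaddr(str(msg["From"]))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    sent = parsedate_to_datetime(str(msg["Date"]))
    return {
        "dropbox": addr,  # the address the victim would reply to
        "origin_hop": hops[0] if hops else None,
        "freemail_from": addr.rpartition("@")[2].lower() in FREEMAIL,
        "support_lure": any(w in display.lower() for w in ("help desk", "support")),
        "undisclosed_recipients": "undisclosed-recipients" in str(msg["To"]).lower(),
        "asks_for_password": bool(re.search(r"\bpassword\b", body, re.I)),
        # Date is stamped by the sender's client (+0530) while relays stamp PDT
        "sender_utc_offset_hours": sent.utcoffset().total_seconds() / 3600,
    }
```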