[nsp-sec] ATTN Gmail, dropbox used in phish

Peter Moody pmoody at google.com
Sun Jul 15 13:55:25 EDT 2012


Hey Ruth,

These can be reported here:

https://support.google.com/mail/bin/request.py?hl=en&contact_type=abuse

Cheers,
peter

On Sun, Jul 15, 2012 at 8:22 AM, RuthAnne Bevier <ruthanne at caltech.edu> wrote:
> ----------- nsp-security Confidential --------
>
> Hi -- webmaildesk1 at gmail.com is a dropbox used in a return-mail password phish.  Sample with full headers below:
>
> From webmaildesk1 at gmail.com  Sun Jul 15 06:51:59 2012
> Return-Path: <webmaildesk1 at gmail.com>
> X-Original-To: help-gps at treqs.caltech.edu
> Delivered-To: help-gps at treqs.caltech.edu
> Received: from outgoing-mail.its.caltech.edu (outgoing-mail.its.caltech.edu [131.215.239.19])
>         by jonola.caltech.edu (Postfix) with ESMTP id 68684D47D
>         for <help-gps at treqs.caltech.edu>; Sun, 15 Jul 2012 06:51:59 -0700 (PDT)
> Received: from treqs-delivery.caltech.edu (localhost [127.0.0.1])
>         by fire-doxen-postvirus (Postfix) with ESMTP id 536C62E50CB6
>         for <help-gps at treqs.caltech.edu>; Sun, 15 Jul 2012 06:51:59 -0700 (PDT)
> X-Mailbox-Line: From webmaildesk1 at gmail.com  Sun Jul 15 06:51:59 2012
> X-Original-To: help-gps at caltech.edu
> Delivered-To: help-gps at caltech.edu
> Received: from fire-doxen.imss.caltech.edu (localhost [127.0.0.1])
>         by fire-doxen-postvirus (Postfix) with ESMTP id 12A572E50D4E
>         for <help-gps at caltech.edu>; Sun, 15 Jul 2012 06:51:59 -0700 (PDT)
> X-Spam-Scanned: at Caltech-IMSS on fire-doxen by amavisd-new
> X-Spam-Flag: NO
> X-Spam-Score: 1.435
> X-Spam-Level: *
> X-Spam-Status: No, score=1.435 tagged_above=-10000 required=5
>         tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
>         DKIM_VERIFIED=0, FREEMAIL_ENVFROM_END_DIGIT=2.223,
>         FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7,
>         T_TO_NO_BRKTS_FREEMAIL=0.01] autolearn=disabled
> Received: from geyser.gps.caltech.edu (geyser.gps.caltech.edu [131.215.65.56])
>         by fire-doxen-external (Postfix) with ESMTP id 3E5362E50CB6
>         for <help-gps at caltech.edu>; Sun, 15 Jul 2012 06:51:57 -0700 (PDT)
> Received: by geyser.gps.caltech.edu (Postfix)
>         id 3004A550FD5; Sun, 15 Jul 2012 06:51:57 -0700 (PDT)
> Delivered-To: help at gps.caltech.edu
> Received: from localhost (localhost.localdomain [127.0.0.1])
>         by geyser.gps.caltech.edu (Postfix) with ESMTP id 2E2F2550FD4
>         for <help at gps.caltech.edu>; Sun, 15 Jul 2012 06:51:57 -0700 (PDT)
> X-Virus-Scanned: amavisd-new at gps.caltech.edu
> Received: from geyser.gps.caltech.edu ([127.0.0.1])
>         by localhost (geyser.gps.caltech.edu [127.0.0.1]) (amavisd-new, port 10024)
>         with ESMTP id ChSAejaaDVoM for <help at gps.caltech.edu>;
>         Sun, 15 Jul 2012 06:51:57 -0700 (PDT)
> Received: from barracuda.gps.caltech.edu (sawtooth.gps.caltech.edu [131.215.235.108])
>         by geyser.gps.caltech.edu (Postfix) with ESMTP id 0B3E8550FD1
>         for <help at gps.caltech.edu>; Sun, 15 Jul 2012 06:51:57 -0700 (PDT)
> X-ASG-Debug-ID: 1342360310-412000990000-RQx4pD
> X-Barracuda-URL: http://barracuda.gps.caltech.edu:8000/cgi-bin/mark.cgi
> Received: from mail-vc0-f196.google.com (localhost [127.0.0.1])
>         by barracuda.gps.caltech.edu (Spam Firewall) with ESMTP id D1D672EFCD1
>         for <help at gps.caltech.edu>; Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
> Received: from mail-vc0-f196.google.com (mail-vc0-f196.google.com [209.85.220.196])
>         by barracuda.gps.caltech.edu with ESMTP id fqY07KNaD7ouk8Fl
>         for <help at gps.caltech.edu>; Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
> Received: by vcbfw7 with SMTP id fw7so105991vcb.11
>         for <help at gps.caltech.edu>; Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>         d=gmail.com; s=20120113;
>         h=mime-version:date:message-id:subject:from:to:content-type;
>         bh=0sDJo+S1lCxHovdd2GUbgXf1e1EvrC0uR1rGU5pKrh4=;
>         b=NfWn3ONnkPesDTCld6pubQelElm2+ga1MB8RfROu9My5yVUZlEjvj5o412EijN1KUd
>          wTRD2qSB79QViQqz77nb9GMQ6cDqQqOKI5S51c7cYLpVyUPz5KfxbqfPJMTICYCCWJcW
>          WZJp8Z8YxQkm6YZv206TxObdE9A2Fz6Mgc6pOcYLuuuzVCZKtphhJLW/FETJX3Z/BZRG
>          2qaNYlXyjl5PB1tSUcW6WtxH2N4dvhyQ5cjXN/cAPfrgAQzsltyrCd5XElb7Ueh4kNqw
>          ubxQhYq4YD7R/mTHUojV69q8xXiG1UKT8McNisjesWIzaFHGIfdGHBHIo9vkX1ndkOCS
>          1tsw==
> MIME-Version: 1.0
> Received: by 10.52.65.51 with SMTP id u19mr3256683vds.17.1342360310127;
>         Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
> Received: by 10.220.90.202 with HTTP; Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
> Date: Sun, 15 Jul 2012 19:21:50 +0530
> Message-ID: <CAG9WxEmOLFR-hfO678ew+-R+ecAeJfWqoUU=k9ZBLJVCwMgypQ at mail.gmail.com>
> X-ASG-Orig-Subj: Dear User,
> Subject: Dear User,
> From: Help Desk <webmaildesk1 at gmail.com>
> To: undisclosed-recipients:;
> Content-Type: multipart/alternative; boundary=20cf3071d0b2721bf004c4de9d0d
> X-Barracuda-Connect: mail-vc0-f196.google.com[209.85.220.196]
> X-Barracuda-Start-Time: 1342360310
> X-Barracuda-Virus-Scanned: by Barracuda Spam Firewall at gps.caltech.edu
> X-Barracuda-Spam-Score: 2.00
> X-Barracuda-Spam-Status: No, SCORE=2.00 using global scores of
>         TAG_LEVEL=3.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=7.0
>         tests=BSF_SC7_MJ2332, HTML_MESSAGE
> X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.102772
>         Rule breakdown below
>          pts rule name              description
>         ---- ---------------------- --------------------------------------------------
>         0.00 HTML_MESSAGE           BODY: HTML included in message
>         2.00 BSF_SC7_MJ2332         Custom Rule MJ2332
> X-TBCK-ID: 0ac3fde60a9464e090051e6080224178
> X-TBCK-Status: First;AllClear;0
>
> --20cf3071d0b2721bf004c4de9d0d
> Content-Type: text/plain; charset=ISO-8859-1
>
> Dear User,
>
>
> You have exceeded the storage limit on your mailbox. You will not be able
> to send or receive new mail until you upgrade your email quota. Kindly
> update your account by filling the details below.
>
> User Name:
> Password
> Confirm Password
>
> Verifying your email address ensures that you can securely retrieve your
> account information if your password is lost or stolen. You must verify
> your email address before you can use it on Your Email Service Provider
> that require an email address.
>
>
> Regards,
> Technical Team
>
>
>
> --
> RuthAnne Bevier
> Director, Information Security
> California Institute of Technology
> ruthanne at caltech.edu
> 626-395-2671
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
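
Header triage on a sample like the one quoted above, as an added example that is not part of the list thread or anyone's posted code. The script parses a constructed, abridged copy of the quoted headers and body (addresses de-obfuscated from the archive's "at" form), walks the Received chain oldest-first to find the first hop outside the recipient's own domain, and collects the points a responder would note before filing the abuse report: freemail envelope sender, submission through Gmail's web interface, a DKIM pass that only proves the mail really left gmail.com, undisclosed recipients, the generic greeting, the credential lure in the body, the sender's UTC offset, and a SpamAssassin score that stayed under threshold. The regexes, the freemail set, the lure keywords, the org suffix and the "with HTTP" heuristic are the example's own assumptions.

```python
"""Header triage for a credential-phish sample (added example, not from the thread)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: abridged from the quoted phish, text part only, "@" restored.
SAMPLE = """\
Return-Path: <webmaildesk1@gmail.com>
Received: from barracuda.gps.caltech.edu (sawtooth.gps.caltech.edu [131.215.235.108])
        by geyser.gps.caltech.edu (Postfix) with ESMTP id 0B3E8550FD1
        for <help@gps.caltech.edu>; Sun, 15 Jul 2012 06:51:57 -0700 (PDT)
Received: from mail-vc0-f196.google.com (mail-vc0-f196.google.com [209.85.220.196])
        by barracuda.gps.caltech.edu with ESMTP id fqY07KNaD7ouk8Fl
        for <help@gps.caltech.edu>; Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
Received: by vcbfw7 with SMTP id fw7so105991vcb.11
        for <help@gps.caltech.edu>; Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
Received: by 10.220.90.202 with HTTP; Sun, 15 Jul 2012 06:51:50 -0700 (PDT)
X-Spam-Status: No, score=1.435 tagged_above=-10000 required=5
        tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
        FREEMAIL_ENVFROM_END_DIGIT=2.223, FREEMAIL_FROM=0.001] autolearn=disabled
Date: Sun, 15 Jul 2012 19:21:50 +0530
Subject: Dear User,
From: Help Desk <webmaildesk1@gmail.com>
To: undisclosed-recipients:;
Content-Type: text/plain; charset=ISO-8859-1

Dear User,

You have exceeded the storage limit on your mailbox. You will not be able
to send or receive new mail until you upgrade your email quota. Kindly
update your account by filling the details below.

User Name:
Password
Confirm Password
"""

# Assumed lists; tune for your environment.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
LURE_WORDS = ("password", "user name", "storage limit", "quota", "verify")
RECEIVED_FROM = re.compile(r"from\s+(\S+)", re.I)
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(value):
    """Join folded header continuation lines into one line."""
    return re.sub(r"\s+", " ", value or "").strip()


def hops(msg):
    """Received hops oldest-first as (claimed host, bracketed IP or None, text)."""
    out = []
    for raw in reversed(msg.get_all("Received", [])):
        text = unfold(raw)
        host, ip = RECEIVED_FROM.match(text), BRACKETED_IP.search(text)
        out.append((host.group(1) if host else None, ip.group(1) if ip else None, text))
    return out


def first_external_hop(msg, org_suffix):
    """First hop whose recorded IP is public and whose host is not one of ours."""
    for host, ip, _ in hops(msg):
        if ip and ipaddress.ip_address(ip).is_global and not (host or "").endswith(org_suffix):
            return host, ip
    return None


def spam_tests(msg):
    """Parse the SpamAssassin tests=[...] list into {rule: score}."""
    m = re.search(r"tests=\[([^\]]*)\]", unfold(msg.get("X-Spam-Status")))
    if not m:
        return {}
    return {k.strip(): float(v) for k, v in (t.split("=") for t in m.group(1).split(","))}


def triage(raw_mail, org_suffix="caltech.edu"):
    """Collect the indicators a responder would record for this sample."""
    msg = message_from_string(raw_mail)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8").lower()
    status = unfold(msg.get("X-Spam-Status"))
    score = re.search(r"score=(-?[\d.]+)", status)
    required = re.search(r"required=(-?[\d.]+)", status)
    envfrom = re.search(r"@([\w.-]+)", unfold(msg.get("Return-Path")))
    tests = spam_tests(msg)
    return {
        "origin": first_external_hop(msg, org_suffix),
        # Heuristic: Gmail records web-UI submissions as "Received: by <ip> with HTTP".
        "webmail_submission": any("with HTTP" in unfold(h) for h in msg.get_all("Received", [])),
        "freemail_envelope_sender": bool(envfrom) and envfrom.group(1).lower() in FREEMAIL,
        # A DKIM pass only proves the mail really left gmail.com; it says nothing about intent.
        "dkim_valid": "DKIM_VALID" in tests,
        "undisclosed_recipients": "undisclosed-recipients" in unfold(msg.get("To")).lower(),
        "generic_greeting": unfold(msg.get("Subject")).lower().startswith("dear user"),
        "lure_words": [w for w in LURE_WORDS if w in body],
        "sender_utc_offset": str(parsedate_to_datetime(msg["Date"]).utcoffset()),
        "below_spam_threshold": float(score.group(1)) < float(required.group(1)) if score and required else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:26} {value}")
```

The point the output makes is that nothing in the transport path is forged: the first external hop is a Google outbound relay, the DKIM signature verifies, and both filters scored the message well under their thresholds because it is, technically, ordinary Gmail. What identifies it as a phish is the content (generic greeting, quota pretext, a request for username and password, no real recipient list), and the actionable artifact is the reply-to dropbox in Return-Path/From, which is exactly what Peter's abuse link is for.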