How not to phish.

In the issue of public for spammers I suggest that whoever took over Timothy Bridges' email, which I will not link to because it is an education account and I hope the sysadmins at the University of Oklahoma are competent.

Because whoever hacked his account and sent me a phish is not. Let us have a look at what appears in your email box:

Your Outlook Web Access/App account has exceeded its storage limit. You will not be able to receive or send message. In order to restore your account please ClickHere and login your webmail required information.

Thanks.
IT security Service Desk 2014
**Bronze+Blue=Green** The University of Central Oklahoma is Bronze, Blue, and Green! Please print this e-mail only if absolutely necessary!

**CONFIDENTIALITY** -This e-mail (including any attachments) may contain confidential, proprietary and privileged information. Any unauthorized disclosure or use of this information is prohibited.

Well, the confidentiality statement will be ignored, because this is so obvious. I don’t use Windows. I do not have an Outlook Web Access/App account. I do not just “click here”. It’s even more amusing when I get the same information from a bank I do not use, some of which are not even in New Zealand… In fact I delete automatically any such emails from banks I do use.

Now, for those of you who do not know how to view source: if you use a good email client you should be able to look at the text attached. This is a worthwhile thing to do. I have redacted emails to protect the innocent.

Return-path: 
 Envelope-to: 
 Delivery-date: Thu, 17 Jul 2014 18:30:00 -0400
 Received: from dns-bn1lp0143.outbound.protection.outlook.com ([207.46.163.143]:33137 helo=na01-bn1-obe.outbound.protection.outlook.com)
 by a2ss3.a2hosting.com with esmtps (TLSv1:AES256-SHA:256)
 (Exim 4.82)
 (envelope-from <[email protected]>)
 id 1X7uBQ-002zxh-QS
 for ; Thu, 17 Jul 2014 18:30:00 -0400
 Received: from BN1PR08CA007.namprd08.prod.outlook.com (10.255.197.37) by
 BY2PR08MB266.namprd08.prod.outlook.com (10.242.237.144) with Microsoft SMTP
 Server (TLS) id 15.0.990.7; Thu, 17 Jul 2014 22:29:42 +0000
 Received: from BN1BFFO11FD013.protection.gbl (2a01:111:f400:7c10::1:188) by
 BN1PR08CA007.outlook.office365.com (2a01:111:e400:400::37) with Microsoft
 SMTP Server (TLS) id 15.0.990.7 via Frontend Transport; Thu, 17 Jul 2014
 22:29:42 +0000
 Received: from edge02.uco.edu (192.206.65.97) by
 BN1BFFO11FD013.mail.protection.outlook.com (10.58.144.76) with Microsoft SMTP
 Server (TLS) id 15.0.980.11 via Frontend Transport; Thu, 17 Jul 2014 22:29:42
 +0000
 Received: from cas01.uco.local (192.206.65.91) by edge02.uco.edu
 (192.206.65.97) with Microsoft SMTP Server (TLS) id 8.3.348.2; Thu, 17 Jul
 2014 17:29:39 -0500
 Received: from EXCHANGE.uco.local ([172.16.16.76]) by cas01.uco.local
 ([192.206.65.91]) with mapi; Thu, 17 Jul 2014 17:29:37 -0500
 From: Timothy Bridges 
 To: "[email protected]" 
 Date: Thu, 17 Jul 2014 17:29:36 -0500
 Subject: To re-new your Email Account
 Thread-Topic: To re-new your Email Account
 Thread-Index: AQHPog6X75PE6IK5h0aRai/KblEYEA==
 Message-ID: <[email protected]>
 Accept-Language: en-US
 Content-Language: en-US
 X-MS-Has-Attach:
 X-MS-TNEF-Correlator:
 acceptlanguage: en-US
 Content-Type: multipart/alternative;
 boundary="_000_D48E5DB8A21E674F8246977ADFB89AB84ED8A4BA9FEXCHANGEucolo_"
 MIME-Version: 1.0
 X-EOPAttributedMessage: 0
 X-Forefront-Antispam-Report:
 CIP:192.206.65.97;CTRY:US;IPV:NLI;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(438002)(189002)(199002)(46102001)(21056001)(71186001)(99396002)(33656002)(75432001)(20776003)(15202345003)(19580395003)(98436002)(16796002)(79102001)(2351001)(107886001)(83322001)(229853001)(44976005)(88552001)(81342001)(80022001)(54356999)(31966008)(575854001)(92566001)(86362001)(19617315012)(16236675004)(84326002)(55846006)(74662001)(2656002)(89122001)(512934002)(92726001)(76482001)(566704002)(85852003)(87936001)(85306003)(74502001)(95666004)(77982001)(6806004)(106466001)(15975445006)(106116001)(81542001)(4396001)(50986999)(83072002)(110136001)(107046002)(64706001)(84626002)(101616002)(224973001)(425024013);DIR:OUT;SFP:;SCL:1;SRVR:BY2PR08MB266;H:edge02.uco.edu;FPR:;MLV:nov;PTR:edge02.uco.edu;MX:1;A:1;LANG:en;
 X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:
 X-Forefront-PRVS: 027578BB13
 Received-SPF: Pass (: domain of uco.edu designates 192.206.65.97 as permitted
 sender) receiver=; client-ip=192.206.65.97; helo=edge02.uco.edu;
 Authentication-Results: spf=pass (sender IP is 192.206.65.97)
 [email protected];
 X-OriginatorOrg: ucok.onmicrosoft.com
 X-Spam-Status: No, score=-1.9
 X-Spam-Score: -18
 X-Spam-Bar: -
 X-Ham-Report: Spam detection software, running on the system "a2ss3.a2hosting.com", has
 identified this incoming email as possible spam. The original message
 has been attached to this so you can view it (if it isn't spam) or label
 similar future email. If you have any questions, see
 root\@localhost for details.
Content preview: Your Outlook Web Access/App account has exceeded its storage
 limit. You will not be able to receive or send message. In order to restore
 your account please ClickHere<http://onlineservweb.edicy.co/en> and login
 your webmail required information. [...]
Content analysis details: (-1.9 points, 3.0 required)
pts rule name description
 ---- ---------------------- --------------------------------------------------
 -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
 trust
 [207.46.163.143 listed in list.dnswl.org]
 -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 -0.0 SPF_PASS SPF: sender matches SPF record
 -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 [score: 0.0000]
 0.0 HTML_MESSAGE BODY: HTML included in message
 X-Spam-Flag: NO
--_000_D48E5DB8A21E674F8246977ADFB89AB84ED8A4BA9FEXCHANGEucolo_
 Content-Type: text/plain; charset="iso-8859-1"
 Content-Transfer-Encoding: quoted-printable
Your Outlook Web Access/App account has exceeded its storage limit. You wil=
 l not be able to receive or send message. In order to restore your account =
 please ClickHere<http://onlineservweb.edicy.co/en> and login your webmail r=
 equired information.
Thanks.
 IT security Service Desk 2014
**Bronze+Blue=3DGreen** The University of Central Oklahoma is Bronze, Blue,=
 and Green! Please print this e-mail only if absolutely necessary!
**CONFIDENTIALITY** -This e-mail (including any attachments) may contain co=
 nfidential, proprietary and privileged information. Any unauthorized disclo=
 sure or use of this information is prohibited.
--_000_D48E5DB8A21E674F8246977ADFB89AB84ED8A4BA9FEXCHANGEucolo_
 Content-Type: text/html; charset="iso-8859-1"
 Content-Transfer-Encoding: quoted-printable
Your Outlook Web Access/App account has exceeded it=
 s storage limit. You will not be able to receive or send message. In order =
 to restore your account please
 Cl=
 ickHere and login your webmail required inf=
 ormation.
 Thanks.

 IT security Service Desk 2014
**Bronze+Blue=3DGreen** The University of Central Oklahoma is Br=
 onze, Blue, and Green! Please print this e-mail only if absolutely necessar=
 y!
 
 **CONFIDENTIALITY** -This e-mail (including any attachments) may con=
 tain confidential, proprietary and privileged information. Any unauthorized=
 disclosure or use of this information is prohibited.
--_000_D48E5DB8A21E674F8246977ADFB89AB84ED8A4BA9FEXCHANGEucolo_--

Well, the phisher was smart enough to OwnZOr the University of Oklahoma IT service (don’t use Microsoft Outlook, children) and by using a trusted domain he got through SpamAssassin: the message genuinely left the university’s own Exchange server, so SPF passes and the Bayes score is low, and none of that says anything about who was sitting at the keyboard. Full marks for dishonesty, sneakiness, and general script kiddiness.

But he forgot one thing. I run my own mail server, and I know what stack I use to do it.

For the rest of you, if there is a link in a webmail, unless you know who is sending it or it is something fairly benign (like SurveyMonkey), leave it well alone. If it pretends to be a bank, leave it alone. Even if it pretends to be the police or customs, do not click that link.

It is all too easy to fake HTML. If in doubt, read the code.
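The "read the code" step above, done mechanically, as an added example (this is not code from the original post). The script parses a message constructed from the headers and body shown earlier on this page: addresses are replaced with redacted placeholders, the outlook.com relay hops and the spam-scanner headers are dropped, and the HTML part is reconstructed as a single anchor, since the page shows only its rendered text. It walks the `Received` chain to find where the message started, reads the SPF verdict, and compares every link's real target both with the sender's domain and with the text the reader actually sees, which is where a "ClickHere" pointing at an unrelated host shows up.

```python
# Added example, not code from the original post: mechanically "read the code" of
# a suspected phish. RAW_MESSAGE is constructed from the page's own headers and
# body: addresses redacted, outlook.com hops and scanner headers dropped, and the
# HTML part reconstructed as one anchor since the page shows only rendered text.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RAW_MESSAGE = """\
Received: from edge02.uco.edu (192.206.65.97) by BN1BFFO11FD013.mail.protection.outlook.com (10.58.144.76) with Microsoft SMTP Server (TLS) id 15.0.980.11 via Frontend Transport; Thu, 17 Jul 2014 22:29:42 +0000
Received: from cas01.uco.local (192.206.65.91) by edge02.uco.edu (192.206.65.97) with Microsoft SMTP Server (TLS) id 8.3.348.2; Thu, 17 Jul 2014 17:29:39 -0500
Received: from EXCHANGE.uco.local ([172.16.16.76]) by cas01.uco.local ([192.206.65.91]) with mapi; Thu, 17 Jul 2014 17:29:37 -0500
From: Timothy Bridges <redacted@uco.edu>
Subject: To re-new your Email Account
Authentication-Results: spf=pass (sender IP is 192.206.65.97)
 smtp.mailfrom=redacted@uco.edu;
Content-Type: multipart/alternative; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Your Outlook Web Access/App account has exceeded its storage limit. You wil=
l not be able to receive or send message. In order to restore your account =
please ClickHere<http://onlineservweb.edicy.co/en> and login your webmail r=
equired information.
--BOUNDARY
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<p>In order to restore your account please <a href=3D"http://onlineservweb.edi=
cy.co/en">ClickHere</a> and login your webmail required information.</p>
--BOUNDARY--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML part."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def received_chain(msg):
    """Hosts the message passed through, oldest first (Received is prepended)."""
    hops = [re.match(r"from\s+(\S+)", v) for v in msg.get_all("Received", [])]
    return [m.group(1) if m else "?" for m in reversed(hops)]


def body_links(msg):
    """(url, visible text) per link; in text/plain the URL is its own text."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        text = part.get_payload(decode=True).decode(charset, errors="replace")
        if part.get_content_subtype() == "html":
            parser = _Links()
            parser.feed(text)
            found.extend(parser.links)
        else:
            found.extend((u, u) for u in URL_RE.findall(text))
    return found


def analyse(raw):
    """Summarise the warning signs a reader should weigh before clicking."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    spf = spf.group(1) if spf else "none"
    links, findings = body_links(msg), []
    for url, text in links:
        host = (urlparse(url).hostname or "").lower()
        if host != sender and not host.endswith("." + sender):
            findings.append(f"link goes to {host}, not to sender domain {sender}")
        if text != url:
            findings.append(f"visible text {text!r} hides the real target {url}")
    if spf == "pass":
        # SPF only proves the mail left the sender domain's own servers, which is
        # exactly what a hijacked account produces; it says nothing about intent.
        findings.append(f"spf=pass is what a compromised {sender} account looks like")
    findings = list(dict.fromkeys(findings))  # drop duplicates, keep order
    return {"hops": received_chain(msg), "sender_domain": sender, "spf": spf,
            "links": links, "findings": findings}


print(analyse(RAW_MESSAGE))
```

Running it prints the hop chain (`EXCHANGE.uco.local` to `cas01.uco.local` to `edge02.uco.edu`, exactly the internal path a real university mailbox would produce), `spf=pass`, and three findings: the link goes to `onlineservweb.edicy.co` rather than anywhere under `uco.edu`, the HTML anchor text "ClickHere" hides that target, and the SPF pass is consistent with a compromised account rather than evidence against one. Swap `RAW_MESSAGE` for the raw source your own client shows to apply the same checks to a message in your inbox.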

One Comment

  1. Hearthrose said:

    And when the nice man with the heavy Indian accent calls you to tell you that Microsoft is deeeeeply concerned about your computer’s processing speed (or what have you) just hang up on him. (He calls me fairly frequently).

    July 19, 2014
