In the interest of publicly calling out spammers, let us look at whoever took over Timothy Bridges' email. I will not link to the account, because it is an education account, and I hope the sysadmins at the University of Oklahoma are competent.
Whoever hacked his account and sent me a phish certainly is not. Let us have a look at what appears in your email box:
Your Outlook Web Access/App account has exceeded its storage limit. You will not be able to receive or send message. In order to restore your account please ClickHere and login your webmail required information.
Thanks.
IT security Service Desk 2014
**Bronze+Blue=Green** The University of Central Oklahoma is Bronze, Blue, and Green! Please print this e-mail only if absolutely necessary!**CONFIDENTIALITY** -This e-mail (including any attachments) may contain confidential, proprietary and privileged information. Any unauthorized disclosure or use of this information is prohibited.
Well, the confidentiality statement will be ignored, because this is so obvious. I don’t use Windows. I do not have an Outlook Web Access/App account. I do not just “click here”. It’s even more amusing when I get the same information from a bank I do not use, some of which are not even in New Zealand. In fact, I automatically delete any such emails from banks I do use.
Now, for those of you who do not know how to view source: any good email client will let you look at the raw message, headers and all. This is a worthwhile thing to do. I have redacted email addresses to protect the innocent.
Return-path:
Envelope-to:
Delivery-date: Thu, 17 Jul 2014 18:30:00 -0400
Received: from dns-bn1lp0143.outbound.protection.outlook.com ([207.46.163.143]:33137 helo=na01-bn1-obe.outbound.protection.outlook.com) by a2ss3.a2hosting.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.82) (envelope-from <[email protected]>) id 1X7uBQ-002zxh-QS for ; Thu, 17 Jul 2014 18:30:00 -0400
Received: from BN1PR08CA007.namprd08.prod.outlook.com (10.255.197.37) by BY2PR08MB266.namprd08.prod.outlook.com (10.242.237.144) with Microsoft SMTP Server (TLS) id 15.0.990.7; Thu, 17 Jul 2014 22:29:42 +0000
Received: from BN1BFFO11FD013.protection.gbl (2a01:111:f400:7c10::1:188) by BN1PR08CA007.outlook.office365.com (2a01:111:e400:400::37) with Microsoft SMTP Server (TLS) id 15.0.990.7 via Frontend Transport; Thu, 17 Jul 2014 22:29:42 +0000
Received: from edge02.uco.edu (192.206.65.97) by BN1BFFO11FD013.mail.protection.outlook.com (10.58.144.76) with Microsoft SMTP Server (TLS) id 15.0.980.11 via Frontend Transport; Thu, 17 Jul 2014 22:29:42 +0000
Received: from cas01.uco.local (192.206.65.91) by edge02.uco.edu (192.206.65.97) with Microsoft SMTP Server (TLS) id 8.3.348.2; Thu, 17 Jul 2014 17:29:39 -0500
Received: from EXCHANGE.uco.local ([172.16.16.76]) by cas01.uco.local ([192.206.65.91]) with mapi; Thu, 17 Jul 2014 17:29:37 -0500
From: Timothy Bridges
To: "[email protected]"
Date: Thu, 17 Jul 2014 17:29:36 -0500
Subject: To re-new your Email Account
Thread-Topic: To re-new your Email Account
Thread-Index: AQHPog6X75PE6IK5h0aRai/KblEYEA==
Message-ID: <[email protected]>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_D48E5DB8A21E674F8246977ADFB89AB84ED8A4BA9FEXCHANGEucolo_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:192.206.65.97;CTRY:US;IPV:NLI;IPV:NLI;EFV:NLI;SFV:NSPM;SFS:(438002)(189002)(199002)(46102001)(21056001)(71186001)(99396002)(33656002)(75432001)(20776003)(15202345003)(19580395003)(98436002)(16796002)(79102001)(2351001)(107886001)(83322001)(229853001)(44976005)(88552001)(81342001)(80022001)(54356999)(31966008)(575854001)(92566001)(86362001)(19617315012)(16236675004)(84326002)(55846006)(74662001)(2656002)(89122001)(512934002)(92726001)(76482001)(566704002)(85852003)(87936001)(85306003)(74502001)(95666004)(77982001)(6806004)(106466001)(15975445006)(106116001)(81542001)(4396001)(50986999)(83072002)(110136001)(107046002)(64706001)(84626002)(101616002)(224973001)(425024013);DIR:OUT;SFP:;SCL:1;SRVR:BY2PR08MB266;H:edge02.uco.edu;FPR:;MLV:nov;PTR:edge02.uco.edu;MX:1;A:1;LANG:en;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:
X-Forefront-PRVS: 027578BB13
Received-SPF: Pass (: domain of uco.edu designates 192.206.65.97 as permitted sender) receiver=; client-ip=192.206.65.97; helo=edge02.uco.edu;
Authentication-Results: spf=pass (sender IP is 192.206.65.97) [email protected];
X-OriginatorOrg: ucok.onmicrosoft.com
X-Spam-Status: No, score=-1.9
X-Spam-Score: -18
X-Spam-Bar: -
X-Ham-Report: Spam detection software, running on the system "a2ss3.a2hosting.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see root\@localhost for details.
Content preview: Your Outlook Web Access/App account has exceeded its storage limit. You will not be able to receive or send message. In order to restore your account please ClickHere<http://onlineservweb.edicy.co/en> and login your webmail required information. [...]
Content analysis details: (-1.9 points, 3.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no trust [207.46.163.143 listed in list.dnswl.org]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
-1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
 0.0 HTML_MESSAGE           BODY: HTML included in message
X-Spam-Flag: NO

--_000_D48E5DB8A21E674F8246977ADFB89AB84ED8A4BA9FEXCHANGEucolo_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Your Outlook Web Access/App account has exceeded its storage limit. You wil=
l not be able to receive or send message. In order to restore your account =
please ClickHere<http://onlineservweb.edicy.co/en> and login your webmail r=
equired information.

Thanks.

IT security Service Desk 2014

**Bronze+Blue=3DGreen** The University of Central Oklahoma is Bronze, Blue,=
 and Green! Please print this e-mail only if absolutely necessary!

**CONFIDENTIALITY** -This e-mail (including any attachments) may contain co=
nfidential, proprietary and privileged information. Any unauthorized disclo=
sure or use of this information is prohibited.

--_000_D48E5DB8A21E674F8246977ADFB89AB84ED8A4BA9FEXCHANGEucolo_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Your Outlook Web Access/App account has exceeded it=
s storage limit. You will not be able to receive or send message. In order =
to restore your account please Cl=
ickHere and login your webmail required inf=
ormation.

Thanks.

IT security Service Desk 2014

**Bronze+Blue=3DGreen** The University of Central Oklahoma is Br=
onze, Blue, and Green! Please print this e-mail only if absolutely necessar=
y!

**CONFIDENTIALITY** -This e-mail (including any attachments) may con=
tain confidential, proprietary and privileged information. Any unauthorized=
 disclosure or use of this information is prohibited.

--_000_D48E5DB8A21E674F8246977ADFB89AB84ED8A4BA9FEXCHANGEucolo_--
Well, the phisher was smart enough to OwnZOr the University of Oklahoma IT service (don’t use Microsoft Outlook, children), and by sending from a trusted domain he got through SpamAssassin: SPF passes, the sending IP is whitelisted, and the Bayes filter has never seen this text before. Full marks for dishonesty, sneakiness, and general script kiddiness.
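The headers above illustrate why SPF and DNS whitelists are not a verdict on content: they confirm that the message really left uco.edu's mail servers, which is exactly what a compromised account looks like. The one thing the headers cannot launder is the link target, which points at onlineservweb.edicy.co rather than anything under the sender's domain. The script below is an added example (not code from the post or from any of the tools it mentions) that parses a raw message with Python's standard `email` module, reconstructs the Received chain in delivery order, reads the SPF result from Authentication-Results, and flags anchors whose host is outside the sender's domain. The sample message is constructed from a trimmed subset of the headers quoted above; the redacted addresses are replaced with obvious placeholders.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample: a trimmed version of the headers quoted in the post.
# Addresses that were redacted in the post are replaced with placeholders.
RAW_MESSAGE = """Return-Path: <redacted-sender@uco.edu>
Received: from dns-bn1lp0143.outbound.protection.outlook.com ([207.46.163.143]) by a2ss3.a2hosting.com with esmtps (Exim 4.82); Thu, 17 Jul 2014 18:30:00 -0400
Received: from edge02.uco.edu (192.206.65.97) by BN1BFFO11FD013.mail.protection.outlook.com (10.58.144.76) with Microsoft SMTP Server (TLS); Thu, 17 Jul 2014 22:29:42 +0000
Received: from EXCHANGE.uco.local ([172.16.16.76]) by cas01.uco.local ([192.206.65.91]) with mapi; Thu, 17 Jul 2014 17:29:37 -0500
From: Timothy Bridges <redacted-sender@uco.edu>
To: <redacted-recipient@example.invalid>
Date: Thu, 17 Jul 2014 17:29:36 -0500
Subject: To re-new your Email Account
Authentication-Results: spf=pass (sender IP is 192.206.65.97)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"

<p>Your Outlook Web Access/App account has exceeded its storage limit.
In order to restore your account please
<a href="http://onlineservweb.edicy.co/en">ClickHere</a> and login your
webmail required information.</p>
<p>IT security Service Desk 2014</p>
"""

# Matches <a ... href="..."> text </a>; good enough for triage of mail bodies.
ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def parse(raw):
    """Parse a raw RFC 5322 message into an EmailMessage."""
    return message_from_string(raw, policy=policy.default)


def received_hops(msg):
    """Return (from_host, by_host) pairs in delivery order, earliest hop first.

    Every relay prepends its own Received header, so the last header in the
    message is the first hop the message took.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.match(r"from\s+(\S+).*?\bby\s+(\S+)", value, re.S)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def spf_result(msg):
    """Return the spf= verdict recorded in Authentication-Results, or None."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else None


def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else None


def body_html(msg):
    """Best available text body (HTML preferred), decoded to str."""
    part = msg.get_body(preferencelist=("html", "plain"))
    return part.get_content() if part else ""


def external_links(html, domain):
    """Anchors whose target host is neither the sender's domain nor under it."""
    found = []
    for href, text in ANCHOR.findall(html):
        host = (urlparse(href).hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            found.append((re.sub(r"\s+", " ", text).strip(), href))
    return found


def triage(raw):
    """Summarise the path, the SPF verdict and any off-domain links."""
    msg = parse(raw)
    domain = sender_domain(msg)
    links = external_links(body_html(msg), domain)
    return {
        "sender_domain": domain,
        "spf": spf_result(msg),
        "hops": received_hops(msg),
        "external_links": links,
        # SPF passing plus a credential-harvesting link on a foreign domain is
        # the signature of a compromised (not spoofed) account.
        "suspicious": bool(links),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Run as-is, the report shows SPF passing, a hop chain that starts on an internal Exchange server and exits through edge02.uco.edu, and one link whose visible text (ClickHere) hides a host unrelated to uco.edu; that last finding is the one a mail filter keyed on sender reputation will never produce.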
But he forgot one thing. I run my own mail server, and I know what stack I use to do it.
For the rest of you: if there is a link in a webmail, unless you know who is sending it or it is something fairly benign (like SurveyMonkey), leave it well alone. If it pretends to be a bank, leave it alone. Even if it pretends to be the police or customs, do not click that link.
It is all too easy to fake html. If in doubt, read the code.
And when the nice man with the heavy Indian accent calls you to tell you that Microsoft is deeeeeply concerned about your computer’s processing speed (or what have you) just hang up on him. (He calls me fairly frequently).