
GraysonPeddi (Grayson Peddie), Tallahassee, FL

[Spam] Delta Air Lines and Microsoft Outlook Express

I'll need to get in touch with Delta Air Lines. My suspicion level is 100% and something tells me this is not right.

Return-Path:
Delivered-To: [...]graysonpeddie.com
Received: from localhost (localhost [127.0.0.1])
    by graysonpeddie.com (Postfix) with ESMTP id 166B99C2D53
    for ; Wed, 18 Jul 2012 17:19:15 -0400 (EDT)
X-Virus-Scanned: amavisd-new at graysonpeddie.com
Received: from graysonpeddie.com ([127.0.0.1])
    by localhost (graysonpeddie.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id eK2U+j4wUzEN for ;
    Wed, 18 Jul 2012 17:19:14 -0400 (EDT)
Received: by graysonpeddie.com (Postfix, from userid 1005)
    id 64DE99C3B65; Wed, 18 Jul 2012 17:19:14 -0400 (EDT)
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on graysonpeddie.com
X-Spam-Level:
X-Spam-Status: No, score=-93.2 required=2.0 tests=BASE64_LENGTH_79_INF,
    DOS_OE_TO_MX,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,INVALID_DATE,
    MIME_QP_LONG_LINE,RDNS_NONE,USER_IN_WHITELIST autolearn=no version=3.3.2
Received: from delta.com (unknown [71.80.221.103])
    by graysonpeddie.com (Postfix) with SMTP id 9599E9C2D53
    for ; Wed, 18 Jul 2012 17:19:07 -0400 (EDT)
Message-ID:
From: "Delta Air Lines"
To:
Subject: Your ticket #5649 is ready
Date: Wed, 18 Jul 2012 A.D. 14:18:55 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_000D_01CD64F0.43B50D80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180


Is it safe for me to discard "X-Mailer: Microsoft Outlook Express" in Postfix, as I don't want to receive e-mail from someone using Outlook Express? But couldn't they use Outlook Express to forge e-mail headers? I feel like I'm about to delete it, and as for the e-mail, the attachment may contain malware. My hunch is that Delta Air Lines might be using an open relay for their mail server; I don't know. There are just too many factors to know what is going on on their end.

Here's the body of the e-mail:

quote:
Hello,

E-TICKET NUMBER / EH351745489
SEAT / 71E/ZONE 2
DATE / TIME 18 AUGUST, 2012, 09:55 AM
ARRIVING / Columbus
FORM OF PAYMENT / CC
TOTAL PRICE / 256.35 USD
REF / OE.0508 ST / OK
BAG / 1PC

Your bought ticket is attached.
You can print your ticket.

Thank you for your attention.
Delta Air Lines.
--
Phone: Yealink SIP-T22P + CSipSimple in Optimus V
Phone System: Asterisk 10.1; Server: Debian Sid+Exp

I'm in heaven with VoIP except for 3G wireless.


DC DSL, Washington, DC

These are all totally bogus. I keep getting these "purchase approved/confirmation" and "your boarding pass is attached" emails and it is not worth the time even trying to decipher the header (though just a quick look is plainly obvious to me that it did not originate with an airline).

If you are concerned, check your credit and debit cards to make sure there is nothing bogus going on. (You should be doing that as a matter of routine as it is.)
--
"Dance like the photo isn't being tagged; love like you've never been unfriended; and tweet like nobody is following."


GraysonPeddi (Grayson Peddie), Tallahassee, FL

I've checked it and made sure everything is okay. I'm not carrying any balance in my credit card.

And hell yeah, that's what gets me. Somehow I couldn't get it out of my head. Gosh, something tells me that the header is bogus, but then, oh, hush up, I'm deleting it and just moving on, even if I really want to confirm with Delta Airlines.

I'm going to block Microsoft Outlook Express as well. I don't know who is using it.



NormanS, San Jose, CA

What parts of the header are "bogus"? Depends upon what you know about your mail host. I would assume that "From: Delta Air Lines" is bogus, but one "Received:" header only has some bogosity: The "from delta.com" doesn't match up with the IP address, which has rDNS suggesting a Charter residential host in Reno, Nevada.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum



nwrickert, Geneva, IL
reply to GraysonPeddi

I agree with NormanS that the best header clue in this case is the IP address (71.80.221.103). If you want to block on that, then try to find blocklists of IP ranges for residential end-users. And check only the IP address from which your system received the mail. If the residential customer sends mail through his ISP mail server or other legitimate mail server, then that is normal and usually legitimate.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.1; firefox 13.0


MGD
reply to GraysonPeddi

said by GraysonPeddi:

....
.....
Received: from delta.com (unknown [71.80.221.103])
    by graysonpeddie.com (Postfix) with SMTP id 9599E9C2D53
    for ; Wed, 18 Jul 2012 17:19:07 -0400 (EDT)
Message-ID:
From: "Delta Air Lines"
....
......

As noted by NormanS and nwrickert, the sender cannot forge the last Received: line in the email header since it is added by the recipient's email server.

quote:
Received: from delta.com (unknown [71.80.221.103])
If you are running your own email server directly, then you should refuse connections from non-RFC-compliant mail servers that do not have proper rDNS configured. That connection to IP 71.80.221.103 would have been refused. Your headers do not indicate that you are running the SpamAssassin SPF and DKIM modules. They can be used as additional potential spam filtering.

Be advised that mass-mailing software allows for "X-Mailer" forging, either as a specific selection or with the X-Mailer randomized. It is very unlikely that "Microsoft Outlook Express 6.00.2900.2180" was the actual mailer. The received-from IP appears to be bot-compromised and is sending exploit-laden attachments to random users.

There is unlikely to be any connection between this email and your card and identity data, at least not until you successfully succumb to the exploit.

MGD
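The checks NormanS, nwrickert and MGD describe, written out as a script. This is an added example, not code from the thread or from the poster's mail setup. It parses the header posted at the top of the thread (reproduced here as a constructed sample with the folding whitespace put back), locates the Received: line that the recipient's own Postfix wrote, reports the connecting IP from that line as the only trustworthy origin, treats the HELO name and X-Mailer as unverified claims, and counts any Received: lines below the hand-off as sender-supplied. It also reads the X-Spam-Status line: the posted header lists USER_IN_WHITELIST, and with the stock SpamAssassin 3.3 score of -100 for that test (an assumption; the site's local scores are not on the page) the remaining tests add up to 6.8, well above the required 2.0. The second sample, with an extra forged hop, is likewise constructed; 192.0.2.10 is a documentation address.

```python
"""Header triage as the thread describes it: trust only the Received: line
your own MTA wrote, treat HELO and X-Mailer as client-supplied claims, and
read SpamAssassin's score together with the tests behind it."""
import re
from email import message_from_string

# Constructed sample: the header block posted in the thread, abridged to the
# fields the checks use, with folding whitespace restored. The recipient
# addresses were already absent from the post and are left out here too.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1])
\tby graysonpeddie.com (Postfix) with ESMTP id 166B99C2D53
\tfor ; Wed, 18 Jul 2012 17:19:15 -0400 (EDT)
Received: from graysonpeddie.com ([127.0.0.1])
\tby localhost (graysonpeddie.com [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id eK2U+j4wUzEN for ;
\tWed, 18 Jul 2012 17:19:14 -0400 (EDT)
Received: by graysonpeddie.com (Postfix, from userid 1005)
\tid 64DE99C3B65; Wed, 18 Jul 2012 17:19:14 -0400 (EDT)
X-Spam-Status: No, score=-93.2 required=2.0 tests=BASE64_LENGTH_79_INF,
\tDOS_OE_TO_MX,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,INVALID_DATE,
\tMIME_QP_LONG_LINE,RDNS_NONE,USER_IN_WHITELIST autolearn=no version=3.3.2
Received: from delta.com (unknown [71.80.221.103])
\tby graysonpeddie.com (Postfix) with SMTP id 9599E9C2D53
\tfor ; Wed, 18 Jul 2012 17:19:07 -0400 (EDT)
From: "Delta Air Lines"
Subject: Your ticket #5649 is ready
X-Mailer: Microsoft Outlook Express 6.00.2900.2180

"""
# Constructed variant: the same hand-off plus a Received: line the sender
# wrote itself (192.0.2.10 is a documentation address, not a real host).
FORGED = SAMPLE.replace('From: "Delta Air Lines"',
    'Received: from mail.delta.com (mail.delta.com [192.0.2.10])\n'
    '\tby delta.com (Postfix) with ESMTP id 1\n\tfor ; Wed, 18 Jul 2012\n'
    'From: "Delta Air Lines"')

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"                                 # client's HELO claim
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+"   # rDNS (if any) + real IP
    r"by\s+(?P<by>\S+).*?with\s+(?P<proto>\S+)", re.S)         # receiving host, protocol
SA_RE = re.compile(r"score=(?P<score>-?[\d.]+)\s+required=(?P<required>[\d.]+)"
                   r"\s+tests=(?P<tests>.*?)\s+autolearn=", re.S)
LOOPBACK = {"127.0.0.1", "::1"}
WHITELIST_SCORE = -100.0   # stock SpamAssassin 3.3.x score for USER_IN_WHITELIST (assumed)


def parse_received(value):
    """Fields of one Postfix-style Received: line; None for local hand-offs
    that carry no 'from host (rdns [ip])' clause."""
    m = RECEIVED_RE.match(value.strip())
    return m.groupdict() if m else None


def find_handoff(hops, my_host):
    """Index and fields of the first (newest) hop in which our own MTA accepted
    a non-loopback client. We wrote that line, so its IP is real; every hop
    below it in the header came from the sender and may be invented."""
    for i, hop in enumerate(hops):
        if hop and hop["by"] == my_host and hop["ip"] not in LOOPBACK:
            return i, hop
    return None, None


def domain(host):
    """Last two labels, enough to compare HELO against rDNS in a triage."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw, my_host):
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    idx, handoff = find_handoff(hops, my_host)
    r = {"client_ip": None, "helo": None, "untrusted_hops": 0, "findings": [],
         "claimed_mailer": msg.get("X-Mailer")}   # reported, never trusted
    if handoff is None:
        r["findings"].append(f"no Received: line written by {my_host}")
        return r
    r["client_ip"], r["helo"] = handoff["ip"], handoff["helo"]
    r["untrusted_hops"] = sum(1 for h in hops[idx + 1:] if h)
    if handoff["rdns"] in (None, "unknown"):
        r["findings"].append(f"client {handoff['ip']} has no reverse DNS; "
                             f"HELO '{handoff['helo']}' is an unverified claim")
    elif domain(handoff["rdns"]) != domain(handoff["helo"]):
        r["findings"].append(f"HELO '{handoff['helo']}' does not match rDNS '{handoff['rdns']}'")
    sa = SA_RE.search(msg.get("X-Spam-Status", ""))
    if sa:
        r["sa_tests"] = [t.strip() for t in sa["tests"].split(",")]
        r["score"], required = float(sa["score"]), float(sa["required"])
        if "USER_IN_WHITELIST" in r["sa_tests"]:
            r["score_without_whitelist"] = round(r["score"] - WHITELIST_SCORE, 1)
            if r["score_without_whitelist"] >= required:
                r["findings"].append(
                    f"USER_IN_WHITELIST alone pulled the score to {r['score']}; the other "
                    f"tests total {r['score_without_whitelist']} >= {required}")
        if "DOS_OE_TO_MX" in r["sa_tests"]:
            r["findings"].append("claims Outlook Express yet delivered straight to our MX, "
                                 "not through a provider's outbound server")
    return r


if __name__ == "__main__":
    for name, raw in (("posted header", SAMPLE), ("with a forged hop", FORGED)):
        rep = triage(raw, "graysonpeddie.com")
        print(f"{name}: client {rep['client_ip']} (HELO {rep['helo']}), "
              f"{rep['untrusted_hops']} sender-supplied hop(s), "
              f"X-Mailer claims {rep['claimed_mailer']!r}")
        for f in rep["findings"]:
            print("  -", f)
```

In Postfix, the refusal MGD recommends is `reject_unknown_reverse_client_hostname` in `smtpd_client_restrictions`; it would have rejected this client, whose address has no PTR record, but expect it to also turn away some legitimate senders with broken reverse DNS. A list of residential ranges, as nwrickert suggests, is consulted with `reject_rbl_client` (Spamhaus's PBL is the usual choice), and only ever against the connecting IP from the hand-off line. Blocking on X-Mailer with `header_checks` only stops clients that choose to announce Outlook Express, which a bot can change or omit at will, so the script reports that header but never scores on it.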


Doctor Four, Dallas, TX
reply to GraysonPeddi

It's a ploy to get you to open and run the attachment, which contains a virus.

I've gotten these in my Yahoo spam folder a few times, and just delete them. Delta Air Lines has nothing to do with them.
--
I, for one, welcome our new Computer Overlords.


GraysonPeddi (Grayson Peddie), Tallahassee, FL

I bet spammers can do a lot better than sending e-mails with attachments.

And thanks to others for your help.


Chubbysumo, Superior, WI

said by GraysonPeddi:

I bet spammers can do a lot better than sending e-mails with attachments.

And thanks to others for your help.

I would report that IP address to Charter's abuse team (abuse@charter.net), along with the stuff you posted in the OP. This way, they can shut down the bot that's sending it.