
peterboro
Avatars are for posers
Premium
join:2006-11-03
Peterborough, ON

Google gibberish?

Got this email on one of my scambaiter/Kijiji user accounts. Seems the lads, or someone I pissed off, tried to hack me. Probably to find my location for the clique mob and the governor to engage in covert surveillance before they dead me by death. Anywho, my IP delineation kung fu fighting style has been defeated by this unintelligible sequence of gibberish from Google. Any takers?

accounts-noreply@google.com
Dec 1

to me

p,

Someone recently tried to sign in to your Google Account - xxxxxxxxxx@gmail.com. We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:

Saturday, December 1, 2012 5:47:19 PM UTC
IP Address: 2607:5300:60:1128:0:481b:7bfe:a17e
Location: Unknown Location

If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately. Find out how at support.google.com/accounts?p=reset_pw

Note: This email address cannot accept replies.

Sincerely,
The Google Accounts Team



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL

I suggest you look carefully at the mail, including headers. It might not have come from google, and that link might have been to a phishing site.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.2; firefox 17.0



Snowy
Premium
join:2003-04-05
Kailua, HI
reply to peterboro

Yes, without headers it's not possible to determine an email's legitimacy.
The body copy of the email is consistent with Gmail's enhanced security with regards to unfamiliar appliances or locations being flagged as potential hack attempts on a specific account.
The blocking only occurs when the person attempting to log in cannot pass a secondary authentication.
You should post the headers; this could be a real security issue if the email is legit.


peterboro
Avatars are for posers
Premium
join:2006-11-03
Peterborough, ON

Delivered-To: xxxxxxx@gmail.com
Received: by 10.64.13.142 with SMTP id h14csp255328iec;
Sat, 1 Dec 2012 10:17:28 -0800 (PST)
Return-Path:
Received-SPF: pass (google.com: domain of 3t0m6UBAKCr4eggsyrxw-rsvitp2ksskpi.gsqt.yp.oipp2kqemp.gsq@gaia.bounces.google.com designates 10.42.33.9 as permitted sender) client-ip=10.42.33.9
Authentication-Results: mr.google.com; spf=pass (google.com: domain of 3t0m6UBAKCr4eggsyrxw-rsvitp2ksskpi.gsqt.yp.oipp2kqemp.gsq@gaia.bounces.google.com designates 10.42.33.9 as permitted sender) smtp.mail=3t0m6UBAKCr4eggsyrxw-rsvitp2ksskpi.gsqt.yp.oipp2kqemp.gsq@gaia.bounces.google.com; dkim=pass header.i=3t0m6UBAKCr4eggsyrxw-rsvitp2ksskpi.gsqt.yp.oipp2kqemp.gsq@gaia.bounces.google.com
Received: from mr.google.com ([10.42.33.9])
by 10.42.33.9 with SMTP id g9mr6534704icd.25.1354385847780 (num_hops = 1);
Sat, 01 Dec 2012 10:17:27 -0800 (PST)

Looks authentic to me. Seems I must have pissed off some scammer enough to try to hack the account. Google has a feature called "Activity on this account" that shows no activity from any other IP for the last month other than this attempt. It shows the hacker IP as 253.20.137.249


Snowy
Premium
join:2003-04-05
Kailua, HI

The headers look good, but I'll defer to nwrickert's opinion on that.
If the headers prove out as coming from Gmail you should change the password for that account because, AFAIK, that warning is only sent when the unfamiliar appliance used the correct password.
I hope I'm wrong about that.
Any chance this account is sharing a common password with any other account of any nature?


peterboro
Avatars are for posers
Premium
join:2006-11-03
Peterborough, ON

I don't think that the correct password was used as much as this appears an automated response to a threshold of login attempts. This password is unique to this account. The account is one of about 30 of mine and has no retention of any emails.



nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL

said by peterboro:

I don't think that the correct password was used as much as this appears an automated response to a threshold of login attempts.

That's entirely possible. I got such a message from Amazon a few years ago. It was actually a message reminding me of the procedure to recover from a lost password, but I figure that it must have been prompted by break-in attempts.

I changed the email address I was using for Amazon to one less likely to be guessed (an address with a randomish string in it). Since that change, I have not had any problems.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.2; firefox 17.0


Snowy
Premium
join:2003-04-05
Kailua, HI
reply to peterboro

said by peterboro:

I don't think that the correct password was used as much as this appears an automated response to a threshold of login attempts.

That's entirely possible.

said by peterboro:

The account is one of about 30 of mine and has no retention of any emails.

The 30 accounts makes sense to my understanding of how Gmail is classifying mail accounts based on how likely or unlikely a specific mail account is to be in danger of hack attempts.
This is all guesswork, but accounts that have logins to other accounts from the same browser get the highest level of scrutiny, while accounts that show only a single mail account being accessed by the same browser get a least-likely-to-be-hacked rating.
I'm not sure this is as much about protecting email accounts as it is about flagging email accounts that have a higher probability of being involved with items that Gmail's TOS forbid.
Again, this is just a guess, far from anything I'd state as fact, but it is noteworthy that you deal with multiple accounts; thanks for mentioning that.


KA0OUV
Premium
join:2010-02-17
Jefferson City, MO
reply to peterboro

said by peterboro:

Saturday, December 1, 2012 5:47:19 PM UTC
IP Address: 2607:5300:60:1128:0:481b:7bfe:a17e

Location: Unknown Location

IPv6 address... Interesting! Might help backtrack things. But safer to change the PW just in case.


Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30

translate.google.com/translate?h···kQ7gEwAA

quote:
User: 2607:5300:60:1128:0:481b:7bfe:a17e
From Wikipedia, the free encyclopedia

It is likely that this IP address is an open or anonymous proxy. Wikipedia's official policy prohibits the use of such servers to edit, and administrators should block such addresses indefinitely.
--
What’s the point of owning a supercar if you can’t scare yourself stupid from time to time?
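An added example, not from the thread, that classifies the addresses quoted in this discussion before anyone spends time backtracking them: an RFC 1918 client-ip belongs to an internal relay, an address in the reserved 240.0.0.0/4 block cannot belong to an Internet client, and only globally routable addresses are worth a WHOIS or reverse-DNS lookup. The /32 and /24 prefix lengths it reports are an assumed starting point for a WHOIS query, not registry data, and `scope()` / `describe()` are names chosen here.

```python
"""Classify the addresses that appear in a sign-in notice before chasing them.

Added example, not from the thread. The sample addresses are the ones quoted
in the discussion; ASSUMED_ALLOCATION_PREFIX is a guess at a useful WHOIS key,
not anything a registry told us.
"""
import ipaddress

# Constructed sample: the four addresses that appear in the thread.
SAMPLE_ADDRESSES = [
    "2607:5300:60:1128:0:481b:7bfe:a17e",  # "IP Address" in the notice body
    "253.20.137.249",                      # shown by "Activity on this account"
    "10.42.33.9",                          # client-ip in the Received-SPF header
    "209.85.160.199",                      # a google.com MTA in the comparison headers
]

# Assumption: typical allocation granularity to key a WHOIS query on.
ASSUMED_ALLOCATION_PREFIX = {4: 24, 6: 32}


def scope(addr):
    """Coarse routing scope. 'reserved' covers 240.0.0.0/4 (RFC 1112), which
    no Internet client can legitimately hold; 'private' is RFC 1918 / ULA."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_reserved:
        return "reserved"
    if addr.is_private:
        return "private"
    if addr.is_global:
        return "global"
    return "special"


def describe(text):
    """Canonical form, scope, assumed WHOIS prefix and reverse-DNS name for one address."""
    addr = ipaddress.ip_address(text)
    prefixlen = ASSUMED_ALLOCATION_PREFIX[addr.version]
    net = ipaddress.ip_network(f"{addr.compressed}/{prefixlen}", strict=False)
    kind = scope(addr)
    return {
        "address": addr.compressed,
        "version": addr.version,
        "scope": kind,
        # Only a globally routable address can be traced to an operator.
        "actionable": kind == "global",
        "whois_prefix": net.with_prefixlen,
        "ptr_name": addr.reverse_pointer,
    }


def triage_addresses(texts):
    """Map each address string to its description."""
    return {t: describe(t) for t in texts}


if __name__ == "__main__":
    for text, info in triage_addresses(SAMPLE_ADDRESSES).items():
        print(f"{text:40} {info['scope']:9} whois {info['whois_prefix']}  ptr {info['ptr_name']}")
```

Only the IPv6 address and the google.com MTA come out as actionable; the 10.x client-ip is an internal hop and the 253.x address sits in reserved space, so neither is a client an investigator could trace.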


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA

1 recommendation

reply to peterboro

Authentic, but what origin? You truncated the best parts. By comparison, here is an "authentic" e-mail from Google to one of my Gmail accounts:

Delivered-To: ********@gmail.com
Received: by 10.112.42.166 with SMTP id p6csp75277lbl;
        Mon, 10 Dec 2012 07:02:42 -0800 (PST)
Received: by 10.236.151.79 with SMTP id a55mr21354358yhk.97.1355151762054;
        Mon, 10 Dec 2012 07:02:42 -0800 (PST)
Return-Path: <noreply-475ba29f@plus.google.com>
Received: from mail-gh0-f199.google.com (mail-gh0-f199.google.com [209.85.160.199])
        by mx.google.com with ESMTPS id i65si23836687yhm.6.2012.12.10.07.02.41
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 10 Dec 2012 07:02:42 -0800 (PST)
Received-SPF: pass (google.com: domain of noreply-475ba29f@plus.google.com designates 209.85.160.199 as permitted sender) client-ip=209.85.160.199;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of noreply-475ba29f@plus.google.com designates 209.85.160.199 as permitted sender) smtp.mail=noreply-475ba29f@plus.google.com; dkim=pass header.i=@plus.google.com
Received: by mail-gh0-f199.google.com with SMTP id r16so4927115ghr.10
        for <********@gmail.com>; Mon, 10 Dec 2012 07:02:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=plus.google.com; s=20120806;
        h=mime-version:x-notifications:x-ub:date:message-id:subject:from:to
         :content-type;
        bh=Ov6DLbFI6Iz3cp1POlTsnSXy0wAYNMbfNKHENR6CJL0=;
        b=KN1KoOTsIyn5JzokYq6qErSZOqZ+jzdLdZ7pi6UlaAIqurK3QlDRZXV/lzT5lyoS59
         jse69NRELJRyrv+pIaPbCab5v1BWACmhFlBHhuoBQ66t1zmyQ4+oNj5HpL+0stF3fpvT
         virnQ65S7b3G2wVbBDyxAb0mtjwLNRhrNqxULemGoBvPCev31ShQcwMGhmsdA1LFJP1B
         MKS9Drp6rCXCDa7wMwRAJew/uE+E3yl8ZP8M8XBZ+hcccbIQaQz2C/DnmiBVdFbPFcxm
         QPZMFao/rL/T9nXNjxiMujBjG8J1XdxvGYrb53ZfutIDmhxmygavzVX+71YGSCcXKn3s
         1WkQ==
MIME-Version: 1.0
Received: by 10.52.98.167 with SMTP id ej7mr3824450vdb.8.1355151761012; Mon,
 10 Dec 2012 07:02:41 -0800 (PST)
X-Notifications: XEAAAAKlcrE43JS0fdMa7vyf0wVA
X-UB: 37
Date: Mon, 10 Dec 2012 07:02:40 -0800 (PST)
Message-ID: <COCr09qNkLQCFced3Aod-AcAAA@plus.google.com>
Subject: Top 3 posts for you on Google+ this week
From: "Google+ team" <noreply-475ba29f@plus.google.com>
To: ********@gmail.com
Content-Type: multipart/alternative; boundary=20cf307ac03954f6d704d080dbaf
 
Of interest, to me, anyway, is the lack of a 'mr.google' host.

Now, here is an "authentic" e-mail from another of my Gmail accounts to the same Gmail account:
Delivered-To: ********@gmail.com
Received: by 10.112.42.166 with SMTP id p6csp80961lbl;
        Sun, 16 Dec 2012 16:01:23 -0800 (PST)
Return-Path: <********@gmail.com>
Received-SPF: pass (google.com: domain of ********@gmail.com designates 10.220.115.19 as permitted sender) client-ip=10.220.115.19
Authentication-Results: mr.google.com; spf=pass (google.com: domain of ********@gmail.com designates 10.220.115.19 as permitted sender) smtp.mail=********@gmail.com; dkim=pass header.i=@gmail.com
Received: from mr.google.com ([10.220.115.19])
        by 10.220.115.19 with SMTP id g19mr20493095vcq.69.1355702482625 (num_hops = 1);
        Sun, 16 Dec 2012 16:01:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=kmsi3V3ePoP2nysyaPzbIWKexPhd9zuyGS4fqTESZC0=;
        b=XM+KU4PbX7hAaO9uH1EbqvnHi8bus6j9XzIXbAJYz4niyaRBPGe4HpdfByr4H6Kcb0
         RKarGfNiYx5ZIRQclQb3+Mk902JgwtCsA5qCZrMXUITgvVJdrxjS3/VW/3hjxkA+lvv2
         99jsz5AzxKHmX6hhHh28NLXeu6ZEi0jS5K/EKFvTqy/zXn9s+Gl3+tXSIH6QDzH8mNLT
         pLYNzikdvG0FAPGw182gWqSYawh83xTZTQxepxy2dHVMeCekYEg7uAqrR0iKlk5c5g5j
         uzkD5yiABgCDofYp+dcG9EscMgCrb93wiQRzcZJWRcVsiZxckmqQYnJoGUdy+lFGm1WJ
         sKOQ==
MIME-Version: 1.0
Received: by 10.220.115.19 with SMTP id g19mr20493095vcq.69.1355702482608;
 Sun, 16 Dec 2012 16:01:22 -0800 (PST)
Received: by 10.52.17.20 with HTTP; Sun, 16 Dec 2012 16:01:22 -0800 (PST)
Date: Sun, 16 Dec 2012 16:01:22 -0800
Message-ID: <CAHWA80h5J2dEh=uiWOBbq8vuc+5d0DrB=-oYn+v_Agj-30UQ_A@mail.gmail.com>
Subject: [TEST] Internal headers ...
From: Proper Name <********@gmail.com>
To: ********@gmail.com
Content-Type: multipart/alternative; boundary=f46d042fd726e5a27d04d101148f
 
Of interest, to me, is the existence of a 'mr.google' host in the headers. I am guessing that the 'mr.google' host is not used by Google for notices to account holders, but is used for internal Gmail transfers between accounts. In other words, the actual source of your posted email is not Google, but another Gmail user impersonating Google!

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


Snowy
Premium
join:2003-04-05
Kailua, HI

said by NormanS:

Of interest, to me, is the existence of a 'mr.google' host in the headers. I am guessing that the 'mr.google' host is not used by Google for notices to account holders, but is used for internal Gmail transfers between accounts. In other words, the actual source of your posted email is not Google, but another Gmail user impersonating Google!

That's what I'd call attention to detail!
I was able to replicate your header for Gmail account to Gmail account mail.
Your Gmail notification headers also match the ones I have.
Bottom line is that Gmail's policy of not disclosing the sender's IP is good for sender security, but it makes authenticating mail purportedly from Gmail an issue.
Although I can't say with any authority or guarantee, I believe your "mr.google" theory is a reliable way of determining if the source is actually Gmail administration or a Gmail user.
Good catch!
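The checks Snowy asked for and NormanS carried out by eye, as an added example (not code from the thread): it reads the three header blocks quoted above and reports, per message, whether Gmail's MX recorded spf=pass and dkim=pass, which domain the DKIM identity (header.i) belongs to and whether it aligns with the From: domain, whether the SPF client-ip is RFC 1918 space (which means the verdict was computed on an internal relay, the `mr.google.com` hop in two of the samples), and the first Received hop that names a publicly routable sender, which only the Google+ sample has. The sample headers are constructed from the thread's blocks with the masking the page already has; the VERP local part is shortened to `3t0m6`, DKIM-Signature lines are omitted because nothing here verifies signatures, and `triage()` and the other function names are chosen here.

```python
"""Header triage for notices that claim to come from Google.

Added example, not code from the thread. The samples are constructed from the
header blocks quoted in the discussion (addresses masked as on the page, VERP
local part shortened, DKIM-Signature lines dropped). The code reads the verdicts
Gmail's own MX recorded; it does not verify SPF or DKIM itself.
"""
import ipaddress
import re
from email import message_from_string

ACCOUNT_NOTICE = """\
Delivered-To: xxxxxxx@gmail.com
Received-SPF: pass (google.com: domain of 3t0m6@gaia.bounces.google.com designates 10.42.33.9 as permitted sender) client-ip=10.42.33.9
Authentication-Results: mr.google.com; spf=pass (google.com: domain of 3t0m6@gaia.bounces.google.com designates 10.42.33.9 as permitted sender) smtp.mail=3t0m6@gaia.bounces.google.com; dkim=pass header.i=3t0m6@gaia.bounces.google.com
Received: from mr.google.com ([10.42.33.9])
        by 10.42.33.9 with SMTP id g9mr6534704icd.25.1354385847780 (num_hops = 1)
From: accounts-noreply@google.com
"""

GPLUS_NOTICE = """\
Delivered-To: ********@gmail.com
Return-Path: <noreply-475ba29f@plus.google.com>
Received: from mail-gh0-f199.google.com (mail-gh0-f199.google.com [209.85.160.199])
        by mx.google.com with ESMTPS id i65si23836687yhm.6.2012.12.10.07.02.41
Received-SPF: pass (google.com: domain of noreply-475ba29f@plus.google.com designates 209.85.160.199 as permitted sender) client-ip=209.85.160.199;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of noreply-475ba29f@plus.google.com designates 209.85.160.199 as permitted sender) smtp.mail=noreply-475ba29f@plus.google.com; dkim=pass header.i=@plus.google.com
From: "Google+ team" <noreply-475ba29f@plus.google.com>
"""

USER_TO_USER = """\
Delivered-To: ********@gmail.com
Return-Path: <********@gmail.com>
Received-SPF: pass (google.com: domain of ********@gmail.com designates 10.220.115.19 as permitted sender) client-ip=10.220.115.19
Authentication-Results: mr.google.com; spf=pass (google.com: domain of ********@gmail.com designates 10.220.115.19 as permitted sender) smtp.mail=********@gmail.com; dkim=pass header.i=@gmail.com
Received: from mr.google.com ([10.220.115.19])
        by 10.220.115.19 with SMTP id g19mr20493095vcq.69.1355702482625 (num_hops = 1)
Received: by 10.52.17.20 with HTTP; Sun, 16 Dec 2012 16:01:22 -0800 (PST)
From: Proper Name <********@gmail.com>
"""


def parse_auth_results(msg):
    """authserv-id, spf/dkim verdicts, DKIM identity domain and the SPF client-ip."""
    ar = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", ar)
    dkim = re.search(r"\bdkim=(\w+)", ar)
    ident = re.search(r"header\.i=([^\s;]+)", ar)
    client = re.search(r"client-ip=([0-9a-fA-F.:]+)", msg.get("Received-SPF", ""))
    return {
        "authserv_id": ar.split(";", 1)[0].strip() or None,
        "spf": spf.group(1) if spf else None,
        "dkim": dkim.group(1) if dkim else None,
        "dkim_domain": ident.group(1).rsplit("@", 1)[-1].lower() if ident else None,
        "client_ip": client.group(1) if client else None,
    }


def from_domain(msg):
    """Domain of the From: address, i.e. what the recipient actually sees."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else None


def org_domain(domain):
    """Crude organizational domain (last two labels); fine for .com-style names."""
    return ".".join(domain.split(".")[-2:])


def received_hops(msg):
    """(host, ip) for every Received: line of the form 'from HOST (... [IP])'."""
    hops = []
    for line in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)\s+\(([^)]*)\)", line)
        if not m:
            continue  # 'Received: by ...' lines name no sending host
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", m.group(2))
        if ip:
            hops.append((m.group(1).lower(), ip.group(1)))
    return hops


def triage(raw_headers):
    """Summarize what the recorded verdicts prove, and on which hop they were made."""
    msg = message_from_string(raw_headers)
    ar = parse_auth_results(msg)
    sender = from_domain(msg)
    client = ipaddress.ip_address(ar["client_ip"]) if ar["client_ip"] else None
    external = [(h, ip) for h, ip in received_hops(msg) if ipaddress.ip_address(ip).is_global]
    return {
        "authenticated": ar["spf"] == "pass" and ar["dkim"] == "pass",
        "authserv_id": ar["authserv_id"],
        "dkim_domain": ar["dkim_domain"],
        "from_domain": sender,
        # DMARC-style relaxed alignment: DKIM identity and From: share an org domain.
        "aligned": bool(ar["dkim_domain"] and sender
                        and org_domain(ar["dkim_domain"]) == org_domain(sender)),
        # An RFC 1918 client-ip means SPF was evaluated on an internal relay,
        # not against the host that injected the message from the Internet.
        "spf_on_private_hop": client is not None and client.is_private,
        # First Received hop naming a publicly routable sender, if any.
        "external_entry": external[0] if external else None,
    }


if __name__ == "__main__":
    for name, raw in (("account notice", ACCOUNT_NOTICE),
                      ("google+ digest", GPLUS_NOTICE),
                      ("gmail user to user", USER_TO_USER)):
        print(name, triage(raw))
```

All three samples come back authenticated and aligned, which is what SPF and DKIM are for: they show the mail transited Google's infrastructure and that the identity domain vouches for it. The differences are in where the verdicts were made: the account notice and the user-to-user mail were both checked by `mr.google.com` against a 10.x client-ip with no public entry hop, while the Google+ digest entered through a public google.com MTA and was checked at `mx.google.com`. That is the distinction NormanS's comparison turns on, and it is a statement about Google's mail path, not about who composed the message; deciding what `mr.google.com` implies is the judgement call the thread is making.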


pcdebb
RIP lil hurricane
Premium
join:2000-12-03
Brandon, FL
reply to peterboro

If Google in fact is suspicious of a login attempt, you won't be able to log in to your email. I did get a legit email a few months ago and I had to reset my account (I had just gone back to Android after a while and I think an app kept hammering them, so they shut me down as a result to be safe).