Krisnatharok
Caveat Emptor
Premium
join:2009-02-11
Earth Orbit
kudos:12

Phishing from an AZ .gov address?

AZDHS = AZ Department of Health Services. But routed through mx.google.com?

Delivered-To: ______@gmail.com
Received: by 10.58.180.168 with SMTP id dp8csp795249vec;
        Wed, 2 Jan 2013 16:21:56 -0800 (PST)
X-Received: by 10.66.77.196 with SMTP id u4mr140759178paw.84.1357172514981;
        Wed, 02 Jan 2013 16:21:54 -0800 (PST)
Return-Path: <Sylvia.Puente-Araiza@azdhs.gov>
Received: from smg0.hs.azdhs.gov (securemail3.azdhs.gov. [159.36.129.203])
        by mx.google.com with ESMTPS id w3si45836365pbz.318.2013.01.02.16.21.53
        (version=TLSv1/SSLv3 cipher=OTHER);
        Wed, 02 Jan 2013 16:21:54 -0800 (PST)
Received-SPF: pass (google.com: domain of Sylvia.Puente-Araiza@azdhs.gov designates 159.36.129.203 as permitted sender) client-ip=159.36.129.203;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of Sylvia.Puente-Araiza@azdhs.gov designates 159.36.129.203 as permitted sender) smtp.mail=Sylvia.Puente-Araiza@azdhs.gov
Received: from [159.36.7.43] ([159.36.7.43])
by smg0.hs.azdhs.gov  with ESMTP id r030LpET002629
(version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK);
Wed, 2 Jan 2013 17:21:52 -0700
Received: from HSPHXMEXMB01.hs.azdhs.gov ([159.36.7.40]) by
 hsphxmcas02.hs.azdhs.gov ([159.36.7.43]) with mapi; Wed, 2 Jan 2013 17:21:50
 -0700
From: Sylvia Puente-Araiza <Sylvia.Puente-Araiza@azdhs.gov>
Date: Wed, 2 Jan 2013 17:21:49 -0700
Subject:
Thread-Index: AQHN6UhSa8b3VevWPUmU67uMzkmUfA==
Message-ID: <AEBF21854B636040923B08BDAF56A3BF23D9B0FCB5@HSPHXMEXMB01.hs.azdhs.gov>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative;
boundary="_000_AEBF21854B636040923B08BDAF56A3BF23D9B0FCB5HSPHXMEXMB01h_"
MIME-Version: 1.0
X-GlobalCerts-Milter: smg0.hs.azdhs.gov 02Jan2013-17:21:52.872
 
--_000_AEBF21854B636040923B08BDAF56A3BF23D9B0FCB5HSPHXMEXMB01h_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
 
In order to expand our activities, we render financial assistance to both p=
rivate individuals and corporate bodies at 3%/Annum, irrespective of their =
credit rating. If the offer interests you please contact us for further inf=
ormation. E-mail: jo.albert1@sbcglobal.net
 
________________________________
CONFIDENTIALITY NOTICE
 
NOTICE: This E-mail is the property of the Arizona Department of Health Ser=
vices and contains information that may be PRIVILEGED, CONFIDENTIAL or othe=
rwise exempt from disclosure by applicable law. It is intended only for the=
 person(s) to whom it is addressed. If you receive this communication in er=
ror, please do not retain or distribute it. Please notify the sender immedi=
ately by E-mail at the address shown above and delete the original message.=
 Thank you.
 
--_000_AEBF21854B636040923B08BDAF56A3BF23D9B0FCB5HSPHXMEXMB01h_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
 
<html dir=3D"ltr">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1">
<style id=3D"owaTempEditStyle"></style><style title=3D"owaParaStyle"><!--P =
{
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
--></style>
</head>
<body ocsi=3D"x">
<div style=3D"FONT-FAMILY: Tahoma; DIRECTION: ltr; COLOR: #000000; FONT-SIZ=
E: 13px">
<div></div>
<div dir=3D"ltr"><font color=3D"#000000" size=3D"2" face=3D"Tahoma"></font>=
&nbsp;</div>
<font size=3D"4" face=3D"Courier New">In order to expand our activities, we=
 render financial assistance to both private individuals and corporate bodi=
es at 3%/Annum, irrespective of their credit rating. If the offer interests=
 you please contact us for further information.
 E-mail: </font><font size=3D"4" face=3D"Courier New">jo.albert1@sbcglobal.=
net</font></div>
<br>
<hr>
<font face=3D"Arial" color=3D"Gray" size=3D"1">CONFIDENTIALITY NOTICE<br>
<br>
NOTICE: This E-mail is the property of the Arizona Department of Health Ser=
vices and contains information that may be PRIVILEGED, CONFIDENTIAL or othe=
rwise exempt from disclosure by applicable law. It is intended only for the=
 person(s) to whom it is addressed.
 If you receive this communication in error, please do not retain or distri=
bute it. Please notify the sender immediately by E-mail at the address show=
n above and delete the original message. Thank you.<br>
<br>
</font>
</body>
</html>
 
--_000_AEBF21854B636040923B08BDAF56A3BF23D9B0FCB5HSPHXMEXMB01h_--
 
 

--
Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.


Krisnatharok
Caveat Emptor
Premium
join:2009-02-11
Earth Orbit
kudos:12
Could I get someone's confirmation that this was not a spoofed header? I might be contacting AZDHS IT--any ideas if it is this person's computer or perhaps the larger network that is infected?
--
Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.


Angels

@verizon.net
I also received a message like that through my gmail, please let me know if it's fake or a scam or what. Thanks


Krisnatharok
Caveat Emptor
Premium
join:2009-02-11
Earth Orbit
kudos:12
It's obviously a fake or scam. I don't have the background in IT security to ascertain how it got sent from what seems like an actual AZ DHS computer on the .gov network.

Waiting for some questions to be answered here and I might give them a call.
--
Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.

dsilvers

join:2009-05-17
Canyon Lake, TX
reply to Krisnatharok
said by Krisnatharok :
Could I get someone's confirmation that this was not a spoofed header? I might be contacting AZDHS IT--any ideas if it is this person's computer or perhaps the larger network that is infected?
Your hunch is likely correct: Appears to be from 159.36.7.43 Arizona Department of Health Services.


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET
said by dsilvers:


Your hunch is likely correct: Appears to be from 159.36.7.43 Arizona Department of Health Services.

Actually if the headers aren't forged then the email originally came from 159.36.7.40 (HSPHXMEXMB01.hs.azdhs.gov) and was relayed by 159.36.7.43 (hsphxmcas02.hs.azdhs.gov) and 159.36.129.203 (smg0.hs.azdhs.gov / securemail3.azdhs.gov).

Given that the hostname HSPHXMEXMB01 also appears in the message ID and the MIME multipart separator, either the headers are valid or someone made an above-average effort at faking them.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!

dsilvers

join:2009-05-17
Canyon Lake, TX

1 recommendation

My bad, you are correct, all those IP numbers belong to Arizona department of health.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to leibold
said by leibold:

Given that the hostname HSPHXMEXMB01 appears also in the message id and mime multipart separator either means the headers are valid or someone did an above average effort at faking them.

That name almost certainly identifies a specific computer at AZ-DHS.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum


Krisnatharok
Caveat Emptor
Premium
join:2009-02-11
Earth Orbit
kudos:12
I called their general intake line, and asked to be transferred to someone in IT to report phishing from one of their employees, and they instead transferred me to the employee in question(!!), who was rather embarrassed, and said I was probably the third person today to contact her and let her know her computer was infected.

She seemed sure it wasn't a virus, but it sounded like she was a rather typical, non-technical user, so I can only hope AZDHS is professional enough to be monitoring their own network.

You would think it would be easy enough for local law enforcement to subpoena the email address listed as the POC for the scam and go from there, but what do I know... I guess Sheriff Joe has other, more important priorities right now.
--
Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
This is better in scams and phishbusters. Maybe MGD can take a crack at it.
--
* seek help if having trouble coping
--Standard disclaimers apply.--


Krisnatharok
Caveat Emptor
Premium
join:2009-02-11
Earth Orbit
kudos:12
Not sure what there is to crack, I'm willing to bet the State of AZ has all sorts of nasty viruses flying around its network.
--
Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.


goalieskates
Premium
join:2004-09-12
land of big
reply to AVD
I'm happy with it being here. It's a reminder that government entities can pose as much security risk to users as anyone else, if not more.

A sad reminder, at that.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Krisnatharok
Was going to say try contacting webmaster@azdhs.gov or spam / abuse@azdhs.gov and seeing what that got you.

I don't claim the expertise either to read through the headers to see if they're forged or not, but you can definitely cross-reference the IP address assignments with ARIN or similar.

I also hope AZDHS IT is SOMEHOW aware of this, but somehow I'm not getting warm fuzzies on that possibility.

Regards
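The checks leibold and HELLFIRE describe, as an added example that is not part of the thread: a small Python script that walks the Received chain of the headers quoted in the opening post. The header text below is constructed from that post (body and unrelated X-headers dropped), and the receiving MX is assumed to be mx.google.com, as the headers show. It tolerates the folding whitespace the forum paste lost, marks which hops only the sending side wrote, checks the SPF client-ip against the IP Google's MX logged and the Message-ID host against the earliest hop, and lists the public IPs to cross-reference with ARIN.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the headers in the opening post (body and unrelated
# X-headers dropped). The "by smg0..." hop is kept exactly as pasted, with
# its folding whitespace missing, so the parser has to tolerate that.
POSTED_HEADERS = """\
Received: by 10.58.180.168 with SMTP id dp8csp795249vec;
        Wed, 2 Jan 2013 16:21:56 -0800 (PST)
Return-Path: <Sylvia.Puente-Araiza@azdhs.gov>
Received: from smg0.hs.azdhs.gov (securemail3.azdhs.gov. [159.36.129.203])
        by mx.google.com with ESMTPS id w3si45836365pbz.318.2013.01.02.16.21.53
        (version=TLSv1/SSLv3 cipher=OTHER);
        Wed, 02 Jan 2013 16:21:54 -0800 (PST)
Received-SPF: pass (google.com: domain of Sylvia.Puente-Araiza@azdhs.gov designates 159.36.129.203 as permitted sender) client-ip=159.36.129.203;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of Sylvia.Puente-Araiza@azdhs.gov designates 159.36.129.203 as permitted sender) smtp.mail=Sylvia.Puente-Araiza@azdhs.gov
Received: from [159.36.7.43] ([159.36.7.43])
by smg0.hs.azdhs.gov  with ESMTP id r030LpET002629
(version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK);
Wed, 2 Jan 2013 17:21:52 -0700
Received: from HSPHXMEXMB01.hs.azdhs.gov ([159.36.7.40]) by
 hsphxmcas02.hs.azdhs.gov ([159.36.7.43]) with mapi; Wed, 2 Jan 2013 17:21:50
 -0700
From: Sylvia Puente-Araiza <Sylvia.Puente-Araiza@azdhs.gov>
Message-ID: <AEBF21854B636040923B08BDAF56A3BF23D9B0FCB5@HSPHXMEXMB01.hs.azdhs.gov>
"""

HEADER_LINE = re.compile(r"^[A-Za-z0-9-]+:")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Hop:
    claimed_from: Optional[str]  # name the sending side gave (HELO or MTA name)
    from_ip: Optional[str]       # address the receiving MTA actually saw
    by: str                      # MTA that wrote this Received line


def unfold_headers(raw: str) -> list[tuple[str, str]]:
    """(name, value) pairs with folded lines re-joined. A line not shaped like
    'Name:' is a continuation, which also repairs pastes that lost their
    leading folding whitespace."""
    fields: list[list[str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if HEADER_LINE.match(line):
            name, _, value = line.partition(":")
            fields.append([name.lower(), value.strip()])
        elif fields:
            fields[-1][1] += " " + line.strip()
    return [(n, v) for n, v in fields]


def parse_hop(value: str) -> Hop:
    from_part, sep, rest = value.partition(" by ")
    if not sep:  # Google's internal "Received: by 10.x ..." hop has no "from"
        from_part, rest = "", value
    from_m = re.match(r"from\s+(\S+)", from_part)
    by_m = re.match(r"\s*(?:by\s+)?(\S+)", rest)
    ip_m = IPV4.search(from_part)
    return Hop(from_m.group(1).strip("[]") if from_m else None,
               ip_m.group(1) if ip_m else None,
               by_m.group(1).strip("[]") if by_m else "")


def grab(fields, name: str, pattern: str) -> Optional[str]:
    """Group 1 of `pattern` in the first header called `name`, or None."""
    m = re.search(pattern, next((v for n, v in fields if n == name), ""))
    return m.group(1) if m else None


def public_ips(hops: list[Hop]) -> list[str]:
    """Routable addresses in the chain, for an out-of-band ARIN/WHOIS lookup."""
    found = set()
    for hop in hops:
        for cand in filter(None, (hop.from_ip, hop.by)):
            try:
                addr = ipaddress.ip_address(cand)
            except ValueError:
                continue
            if addr.is_global:
                found.add(str(addr))
    return sorted(found, key=ipaddress.ip_address)


def analyze(raw: str, our_mx: str = "mx.google.com") -> dict:
    fields = unfold_headers(raw)
    # Each MTA prepends its Received line, so reverse to read the oldest hop first.
    hops = [parse_hop(v) for n, v in reversed(fields) if n == "received"]
    # Only the line our own MX wrote is trustworthy; everything before it was
    # written by the sending side and is only as honest as that side.
    boundary = next((i for i, h in enumerate(hops) if h.by.lower() == our_mx.lower()), None)
    spf_ip = grab(fields, "received-spf", r"client-ip=([0-9a-fA-F.:]+)")
    mid_host = grab(fields, "message-id", r"@([^>\s]+)")
    origin = hops[0].claimed_from if hops else None
    return {
        "hops": [(h.claimed_from, h.from_ip, h.by) for h in hops],
        "spf": grab(fields, "authentication-results", r"\bspf=(\w+)"),
        # SPF was evaluated on the connecting IP; it must be the one our MX logged.
        "spf_ip_matches_trusted_hop": boundary is not None and hops[boundary].from_ip == spf_ip,
        # leibold's point: the Message-ID host should name the originating server.
        "origin_matches_message_id": bool(origin and mid_host and origin.lower() == mid_host.lower()),
        "hops_written_by_sender": boundary,
        "ips_to_look_up": public_ips(hops),
    }


if __name__ == "__main__":
    for key, val in analyze(POSTED_HEADERS).items():
        print(f"{key}: {val}")
```

Read the output the way the replies do: the two hops below the mx.google.com line are AZDHS's own word, but they are internally consistent (Exchange mailbox server, CAS, then the outbound gateway whose IP SPF authorises), and the Message-ID host agrees with the first hop, so the message genuinely left AZDHS's mail system. That settles the "spoofed?" question but not the "infected PC or network?" one: the owaParaStyle markup in the HTML part is consistent with the message having been composed in Outlook Web App, which points more at a stolen webmail password than at malware on her desktop, though only AZDHS's own mailbox and OWA logs can settle that.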


Krisnatharok
Caveat Emptor
Premium
join:2009-02-11
Earth Orbit
kudos:12
Thanks for the advice.


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
just mark it as spam/phish as appropriate and move on with your life.
--
* seek help if having trouble coping
--Standard disclaimers apply.--