
kdeuser

join:2000-08-30
Suwanee, GA

reply to kdeuser
Re: Phishing E-Mail

Header info:

X-Apparently-To: xxxxxxxxxxxxxxxxxx
; Wed, 01 Jul 2009 13:45:25 -0700
X-YMailISG: mrezqtEWLDsI2JRbdMMtaQGgJJtiePlAnkmu59F1QMMclAtZXYPO8BgrHUicsuMzSN8HBTqx1opKnl98XU NRInxyU.nyf5K1gZ0AdsD3GfZhsNPOe92vkjvCNFIpLeePHgY7TDL723IhqjHYU9J0X2RhBzdoWhoPAsp.rBDPCatS3MCSatuZ3bwK03zwaMg.XBicfYTpNYTQ4T1NyMYmfH9Hzf8VZszUFCTWmW10tOKGeMkZlJOi__JvVaeDMbinWaxeyo7SiOeMgS4KXg2ThpZBpfXUMNvhOrnRVgitLHxkaGmO_tWRauFhDa03vcbU93mnzYW8Fzrbn9LV4SAYMj2yiDTf11bgz3THEcljgnBWDO2zw1j42g--
X-Originating-IP: [65.55.111.174]
Authentication-Results: mta132.sbc.mail.re3.yahoo.com from=msn.com; domainkeys=neutral (no sig); from=msn.com; dkim=neutral (no sig)
Received: from 207.115.11.33 (EHLO fgateway03.isp.att.net) (207.115.11.33)
by mta132.sbc.mail.re3.yahoo.com with SMTP; Wed, 01 Jul 2009 13:45:20 -0700
Received: from blu0-omc4-s35.blu0.hotmail.com ([65.55.111.174])
by isp.att.net (frfwmxc03) with ESMTP
id ; Wed, 1 Jul 2009 20:45:18 +0000
X-Originating-IP: [65.55.111.174]
Received: from BLU114-W20 ([65.55.111.136]) by blu0-omc4-s35.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 1 Jul 2009 13:42:37 -0700
Message-ID:
Content-Type: multipart/alternative;
boundary="_1e74323f-0242-4fc9-be00-5b7e9093a024_"
X-Originating-IP: [8.9.222.1]
Reply-To:
From: ATT Customer Center
Subject: Notice To AT&T Internet Customers Account Upgrading And Phone
Package.
Date: Wed, 1 Jul 2009 20:42:38 +0000
Importance: Normal
MIME-Version: 1.0
Bcc:
X-OriginalArrivalTime: 01 Jul 2009 20:42:37.0931 (UTC) FILETIME=[78696BB0:01C9FA8C]


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
Apparently originated from Hotmail.

NormanS
Premium,MVM
join:2001-02-14
San Jose, CA
·Pacific Bell - SBC

reply to kdeuser
You should have bracketed those headers with a pair of "code" tags. That would have avoided the margin blow out.

The source of this email is some Hotmail account.

Bellsouth has long blocked outbound port 25, as has AT&T (Worldnet Service). SBC joined the list of ISPs blocking outbound port 25 in the Spring of 2005. So that covers the mergers bringing us to the current AT&T (all of which blocks outbound port 25). Many other ISPs block outbound port 25, or are moving toward such blocks. The result is that spammers are finding it harder to use compromised residential hosts to connect directly to domain gateway (MX) servers to inject spam into those systems.

In addition, more ISPs are setting up authenticated SMTP message submission servers in order to allow their users to access those servers from wireless hotspots, hotels, libraries, and the like. So spammers have found that it is worth the effort to use social engineering to "phish" for email login credentials (as your example demonstrates). The hapless user who complies with this bogus demand gives up his account access to a spammer, who can now send spam through the authenticated SMTP message submission server.

I have actually seen a couple of examples, where the spammer used a compromised Comcast account to send spam using stolen ATTIS email accounts. This resulted in the ATTIS SMTP servers being listed for spam, incidentally.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
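
Added example (not written by any poster in this thread): one way to reach the "originated from Hotmail" conclusion mechanically is to walk the Received chain and stop at the last hop recorded by a server on the recipient's own mail path, since older lines are supplied by the sending side. The function names and the TRUSTED suffix list are assumptions made for this illustration.

```python
import re
from email import message_from_string

# Constructed sample: the Received lines copied from the headers posted above,
# with continuation lines re-indented so they parse as folded headers.
RAW = """\
Received: from 207.115.11.33 (EHLO fgateway03.isp.att.net) (207.115.11.33)
 by mta132.sbc.mail.re3.yahoo.com with SMTP; Wed, 01 Jul 2009 13:45:20 -0700
Received: from blu0-omc4-s35.blu0.hotmail.com ([65.55.111.174])
 by isp.att.net (frfwmxc03) with ESMTP
 id ; Wed, 1 Jul 2009 20:45:18 +0000
Received: from BLU114-W20 ([65.55.111.136]) by blu0-omc4-s35.blu0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.3959); Wed, 1 Jul 2009 13:42:37 -0700
"""

# Assumption: domains of the recipient's own mail path, as seen in the headers.
TRUSTED = ("yahoo.com", "att.net")

FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None

def received_hops(raw):
    """Return hops oldest-first: every MTA prepends its own Received line."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        hops.append({"from": _first(FROM_RE, text), "ip": _first(IP_RE, text),
                     "by": _first(BY_RE, text)})
    return hops

def trust_boundary(hops, suffixes=TRUSTED):
    """Newest-first, follow hops written by trusted servers. The last such hop
    names the external peer; anything older is sender-supplied."""
    boundary = None
    for hop in reversed(hops):
        host = (hop["by"] or "").lower()
        if not any(host == s or host.endswith("." + s) for s in suffixes):
            break
        boundary = hop
    return boundary

if __name__ == "__main__":
    print(trust_boundary(received_hops(RAW)))
```

On the sample, the boundary hop is the one recorded by isp.att.net, whose peer is the Hotmail outbound server at 65.55.111.174.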