Amigwyn
Master Baiter
Joined: 03 Aug 2010
Posts: 106
Location: Corner booth in the shadows ...
Posted: Fri Sep 17, 2010 10:01 pm
I am very new at this bait stuff and even more new at e-mail headers and how scammers can get into your PC and/or websites... so I have a question.
I recently received an e-mail from a loan lad which I posted in Surplus because I haven't read up enough on that type of bait. When I did I noticed the funky headers. Or at least I think they're funky? I'm attempting to wade my way through them and found something odd...
Quote:
Delivered-To: [email protected]
Received: by xxxx
Fri, 17 Sep 2010 03:52:08 -0700 (PDT)
Received: by xxxx
Fri, 17 Sep 2010 03:52:07 -0700 (PDT)
Return-Path: <[email protected]>
Received: from exchange.bavfc.org (mail.bavfc.org [67.62.41.238])
by mx.google.com with ESMTP id l6si7014616qca.37.2010.09.17.03.51.51;
Fri, 17 Sep 2010 03:52:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 67.62.41.238 as permitted sender) client-ip=67.62.41.238;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 67.62.41.238 as permitted sender) [email protected]
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Ensure you send your response to this email address: [email protected]
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Fri, 17 Sep 2010 06:49:04 -0400
Message-ID: <[email protected]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Ensure you send your response to this email address: [email protected]
Thread-Index: ActWVemlNkR4C/xcRuCc/VoAkBYdag
From: "Tom Zecha" <[email protected]>
If I'm reading it right (which is highly possible I'm not), this is coming from a volunteer fire department site in Maryland (www.bavfc.org). Does this mean they were hacked? If so, what can be done to warn them? I noticed in the original mail the sender was very clear to reply to a different e-mail, I assume because they were using a hijacked server.
Mods: I did post these headers with the e-mail in the surplus forums as well as a question about the website/server but wasn't sure how much traffic it would get there. I apologize if this is considered a duplication and this thread needs to be locked.
Master
Baiting Guru
Joined: 29 Jan 2008
Posts: 2531
Location: AU
Posted: Fri Sep 17, 2010 10:18 pm
I believe this is called spoofing.
I don't know exactly how it is done but they somehow make it appear it has come from that address. You will get them from all sorts of different legit companies and organisations. It is the reply to address which the scammer is really using.
I don't think there is any hacking into the website involved.
Someone else might come along shortly with more knowledge.
_________________ 2,633 miles:"i am coming to safari myself"
All you did is a bunches of fucked-up!FIRE burn the G0mers!
Shorty & Hectard escape from guantanamo
it was all a big fuck of disappointed
you are the fooliest baboom!
You are dead MUMU!!!!
Amigwyn
Master Baiter
Joined: 03 Aug 2010
Posts: 106
Location: Corner booth in the shadows ...
Posted: Fri Sep 17, 2010 10:39 pm
^^ I understand about spoofing. At least I think. That is where they send it from their own account but the e-mail looks like it's legit like from Microsoft or something. Then you hit reply and it is the real e-mail address.
But does that affect the headers? Just saying an e-mail is from Microsoft doesn't automatically use their servers to send an e-mail, does it? Or is that not what the info in the headers indicates? I'm just so noob at this stuff.
foo
Elite Baiter
Joined: 12 Nov 2009
Posts: 1271
Location: Itteh Bitteh Kitteh Citteh
Posted: Fri Sep 17, 2010 10:52 pm
Code:
Received-SPF: pass (google.com: domain of [email protected] designates 67.62.41.238 as permitted sender) client-ip=67.62.41.238;
Code:
mail.bavfc.org. 14316 IN A 67.62.41.238
It was sent via their mail server, probably with their webmail. It's not Gmail (which would prepend a Sender: header) and that's the only IP there. I suspect a phished account.
_________________ *15 []*244
Unopenable image file | mtcntool | IBMP
"Having acknowledge your email with the content well noted and understood,see we have had enough off this shit from you." --Lamido Sanusi
"i want to scam you ! please understand . i am scamer !" --a scamer
"shit happens. but there's always a silver lining" --Slightly
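The reasoning in foo's post (walk the Received: chain to the earliest hop, read the Received-SPF: result and client-ip, and check that the connecting host's IP really is the A record of the domain's own mail host) can be done mechanically. The following is an added example written for this thread, not code from the forum or from any of the posters; it embeds the quoted headers as a constructed sample (with the forum's [email protected] placeholders kept as-is), a constructed forged variant, and a stand-in dictionary in place of the real DNS lookup so it runs offline.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the header block quoted in the thread, re-folded as a
# mail client would show it. [email protected] placeholders kept as the forum shows them.
SAMPLE_HEADERS = """\
Delivered-To: [email protected]
Received: by xxxx
 Fri, 17 Sep 2010 03:52:08 -0700 (PDT)
Received: by xxxx
 Fri, 17 Sep 2010 03:52:07 -0700 (PDT)
Return-Path: <[email protected]>
Received: from exchange.bavfc.org (mail.bavfc.org [67.62.41.238])
 by mx.google.com with ESMTP id l6si7014616qca.37.2010.09.17.03.51.51;
 Fri, 17 Sep 2010 03:52:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 67.62.41.238 as permitted sender) client-ip=67.62.41.238;
From: "Tom Zecha" <[email protected]>
"""

# Constructed variant: same From:, but handed to Google by an unrelated host
# (documentation address 198.51.100.7) that the domain's SPF record does not list.
FORGED_HEADERS = """\
Received: from example-relay.invalid (unknown [198.51.100.7])
 by mx.google.com with ESMTP id abc123;
 Fri, 17 Sep 2010 03:52:07 -0700 (PDT)
Received-SPF: fail (google.com: domain of [email protected] does not designate 198.51.100.7 as permitted sender) client-ip=198.51.100.7;
From: "Tom Zecha" <[email protected]>
"""

# Stand-in for the DNS answer shown in the thread (mail.bavfc.org. IN A 67.62.41.238),
# so the example runs offline instead of doing a real lookup.
FAKE_A_RECORDS: Dict[str, str] = {"mail.bavfc.org": "67.62.41.238"}

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """Return every Received: hop, earliest (closest to the sender) first."""
    hops: List[Dict[str, Optional[str]]] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        m_from = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", body)
        m_by = re.search(r"\bby\s+(\S+)", body)
        m_ip = re.search(r"\[" + IPV4 + r"\]", body)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "from_info": m_from.group(2) if m_from and m_from.group(2) else None,
            "by": m_by.group(1) if m_by else None,
            "ip": m_ip.group(1) if m_ip else None,
        })
    # Headers are prepended by each relay, so the top-most line is the last hop.
    return list(reversed(hops))


def spf_result(raw: str) -> Dict[str, Optional[str]]:
    """Parse Received-SPF: into the result word and the client-ip the receiver checked."""
    for line in unfold(raw):
        if line.lower().startswith("received-spf:"):
            body = line.split(":", 1)[1].strip()
            m_ip = re.search(r"client-ip=" + IPV4, body)
            return {"result": body.split(None, 1)[0].lower(),
                    "client_ip": m_ip.group(1) if m_ip else None}
    return {"result": None, "client_ip": None}


def classify(raw: str, a_records: Dict[str, str]) -> str:
    """SPF pass + a single originating IP that matches the claimed mail host's
    A record means the mail really went through that domain's server (so an
    account or server problem on their side, not a forged From: line)."""
    hops = received_hops(raw)
    spf = spf_result(raw)
    origin = next((h for h in hops if h["ip"]), None)
    if origin is None or spf["result"] is None:
        return "inconclusive"
    # Reverse-DNS name the receiver recorded for the connecting host, e.g. mail.bavfc.org
    rdns = (origin["from_info"] or "").split(" ")[0] or origin["from"]
    if (spf["result"] == "pass"
            and spf["client_ip"] == origin["ip"]
            and a_records.get(rdns) == origin["ip"]):
        return "sent via claimed domain's mail server"
    return "spoofed or relayed elsewhere"


if __name__ == "__main__":
    for label, hdrs in (("thread sample", SAMPLE_HEADERS), ("forged variant", FORGED_HEADERS)):
        print(label, "->", classify(hdrs, FAKE_A_RECORDS))
```

Replace FAKE_A_RECORDS with a real lookup (dig, or a resolver library) when checking live mail; the Received: line written by your own provider is the only one you can trust, since anything below it can be written by the sender.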
Amigwyn
Master Baiter
Joined: 03 Aug 2010
Posts: 106
Location: Corner booth in the shadows ...
Posted: Sat Sep 18, 2010 3:55 pm
Quote:
I suspect a phished account.
Can anything be done about it?
foo
Elite Baiter
Joined: 12 Nov 2009
Posts: 1271
Location: Itteh Bitteh Kitteh Citteh
Posted: Sat Sep 18, 2010 8:58 pm
I'd report it to this guy:
_________________ *15 []*244
Unopenable image file | mtcntool | IBMP
"Having acknowledge your email with the content well noted and understood,see we have had enough off this shit from you." --Lamido Sanusi
"i want to scam you ! please understand . i am scamer !" --a scamer
"shit happens. but there's always a silver lining" --Slightly
manbiteslion
Baiting Guru
Joined: 12 Dec 2007
Posts: 4816
Location: Connecting my chair and keyboard
Posted: Sat Sep 18, 2010 9:43 pm
I expect it is a google apps service for the bavfc.org domain (sorry, on my phone, can't do MX record lookup, but I'd be surprised if it doesn't point to a google mail server), so a phished account.
Small companies can pay google a fee to get a branded version of gmail, and that may reflect in the headers as we see above. It may also be a gmail account associated with multiple addresses and sent from the @bavfc address, but I'd guess the former first, then the latter in terms of likelihood.
Email the admin contact for bavfc.org, or find some number from their website to give them a quick call. This is not a spoofed header, but a legit google mail (or badged google mail) header.
_________________ Premium Wimp Convincer - Click Me!
Ghost
419Eater Admin
Joined: 26 Jun 2004
Posts: 6162
Location: Dating Gal Gadot... in my mind.
Posted: Sat Sep 18, 2010 10:35 pm
I suspect MS live is more likely the Email provider.
Anyway, it's a phished account.
_________________
8/11/07-12/15/08 i am totally a looser -Bruce The trophy machine
2/25/08-4/10/10 It is going to cost me more this time - Lawrence, EFCC Lad Deck participant
3/3/08-6/6/10 i know some day you'll send me some real good bucks ok - Byran The Eater Bunny
3/13/08-3/25/10 i have played my path and now I am waiting for the pay - Wale Wild card
wangching
Hello I'm New here!
Joined: 28 Jun 2010
Posts: 1
Posted: Sun Sep 19, 2010 5:19 am
In this case, Google is receiving the mail. I suspect the OP is using gmail. That's why you see Google checking the SPF record of the domain from which the email originates.
The mail is likely coming from an exchange server running on 67.62.41.238. I'd say they forgot to change a default pw, or perhaps even just left their SMTP wide open, and their SPF, to allow anyone to send through their server.
Someone might want to drop a note to the sysadmin of the originating domain.
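wangching's point about SPF being left "wide open" is easy to check against a domain's own TXT record. The following is an added example for this thread, not code posted by anyone in it: a minimal evaluator for the ip4, a, mx and all mechanisms of a v=spf1 record, run against a tight record and against a record ending in +all. The DNS answers are a constructed dictionary (seeded with the mail.bavfc.org A record from the thread) so it runs offline; 203.0.113.9 is a documentation address used as a probe. As the earlier replies note, a tight record only proves the sending server was authorised; a phished account on that server still passes SPF.

```python
import ipaddress
from typing import Dict, List

# Constructed DNS answers so the example runs offline. The A record for
# mail.bavfc.org is the one shown in the thread; the MX entry is assumed.
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "bavfc.org": {"A": ["67.62.41.238"], "MX": ["mail.bavfc.org"]},
    "mail.bavfc.org": {"A": ["67.62.41.238"]},
}

# Constructed records to compare: one that names only the domain's MX hosts
# and hard-fails everything else, and one that authorises every address.
TIGHT_RECORD = "v=spf1 mx -all"
WIDE_OPEN_RECORD = "v=spf1 mx +all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ip_in(ip: str, network: str) -> bool:
    """True if ip lies inside network (a bare address is treated as a /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def evaluate_spf(record: str, client_ip: str, domain: str,
                 dns: Dict[str, Dict[str, List[str]]] = FAKE_DNS) -> str:
    """Evaluate a v=spf1 record for client_ip and return the result name
    (pass / fail / softfail / neutral / none). Supports ip4, a, mx and all;
    include, exists and macros are out of scope here and never match."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means +
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = _ip_in(client_ip, arg)
        elif name in ("a", "mx"):
            target = arg or domain
            hosts = [target] if name == "a" else dns.get(target, {}).get("MX", [])
            matched = any(client_ip in dns.get(h, {}).get("A", []) for h in hosts)
        if matched:
            return QUALIFIERS[qualifier]
    # RFC 7208: no mechanism matched and no redirect -> neutral
    return "neutral"


def is_wide_open(record: str, domain: str,
                 dns: Dict[str, Dict[str, List[str]]] = FAKE_DNS) -> bool:
    """True if an address the domain has nothing to do with still gets 'pass',
    i.e. the record effectively authorises the whole Internet to use the domain."""
    probe = "203.0.113.9"  # TEST-NET-3 documentation address, constructed probe
    return evaluate_spf(record, probe, domain, dns) == "pass"


if __name__ == "__main__":
    for rec in (TIGHT_RECORD, WIDE_OPEN_RECORD):
        print(f"{rec!r}: own server -> {evaluate_spf(rec, '67.62.41.238', 'bavfc.org')}, "
              f"stranger -> {evaluate_spf(rec, '203.0.113.9', 'bavfc.org')}, "
              f"wide open: {is_wide_open(rec, 'bavfc.org')}")
```

To audit a real domain, fetch its TXT record and feed the v=spf1 string to is_wide_open with a resolver in place of FAKE_DNS; a record that ends in +all, or in all with no qualifier, is the condition to flag.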