UK Stationary Engine Forum
 

25-04-09, 11:29 AM   #1
listerdiesel
Admin Team
Forum Supporter
Join Date: Feb 2008
Posts: 15,833
Spoof Emails

Just a timely reminder about spoof or phishing emails.

If you use a graphical interface email client, and that programme interprets html code into on-screen graphics, then you need to be aware that the code can hide a false web address behind what you see on-screen.

Text-based email clients such as Agent and others will give you the full text of the message, with ALL urls and links shown.

I get quite a few spoof emails, mainly for PayPal and Ebay, and while most are in appalling English and easily recognisable for what they are, the scammers are getting clever and have upped their game.

NEVER click on a link that says "Click here to check your account" or "Click here to sign in" unless you are absolutely sure that the link is genuine.

In the one I received today, such a link contained the following address:

http:// XXXXX.com/paypa/cgi-bin/us/security/update-paypal/service-peyment/update/login.aspx

I have deliberately mullered the address so that it shows as text, but if the full address was shown as it was in the email, it would come up as a clickable link, disguised as a "Click here" message, as shown in the screen dump below.

Note that the originating email address is "paypal@service.com", obviously incorrect, and the "www.paypal.com/us/" is also wrong.



ALWAYS check that any message purporting to be from Ebay or PayPal is genuine!

Here are the headers for that email:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Return-path: <paypal@service.com>
Envelope-to: prepair@easynet.co.uk
Delivery-date: Fri, 24 Apr 2009 23:03:12 +0100
Received: from [212.135.6.77] (helo=mf3.mail.uk.easynet.net)
by store4.mail.uk.easynet.net with esmtp (Exim 4.63)
(envelope-from <paypal@service.com>)
id 1LxTUG-0002R4-7V
for prepair@easynet.co.uk; Fri, 24 Apr 2009 23:03:12 +0100
Received: from mailwall9.mail.uk.easynet.net ([212.135.6.206])
by mf3.mail.uk.easynet.net with esmtp (Exim 4.32)
id 1LxTUG-000LDa-6V
for prepair@easynet.co.uk; Fri, 24 Apr 2009 23:03:12 +0100
Received: from store4.mail.uk.easynet.net ([212.135.6.100])
by mailwall9.mail.uk.easynet.net with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
(Exim 4.69)
(envelope-from <paypal@service.com>)
id 1LxTUD-0000l0-Cx
for prepair@easynet.co.uk; Fri, 24 Apr 2009 23:03:10 +0100
Received: from [80.76.80.5] (helo=smtp.sonic.it)
by store4.mail.uk.easynet.net with esmtp (Exim 4.63)
(envelope-from <paypal@service.com>)
id 1LxTUE-0002Oj-8N
for prepair@easynet.co.uk; Fri, 24 Apr 2009 23:03:10 +0100
Received: from User (host-80.76.90.11.xdsl.sonic.it [80.76.90.11])
by smtp.sonic.it (Postfix) with SMTP id 8F1B415F68;
Fri, 24 Apr 2009 16:57:28 +0200 (CEST)
From: <paypal@service.com>
Subject: Please Restore Your Account Access
Date: Fri, 24 Apr 2009 16.57.29 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <20090424145728.8F1B415F68@smtp.sonic.it>
To: undisclosed-recipients:;
X-Easyfilter-Spam-Score: 0.0
X-Easyfilter-Scanned: yes (1LxTUG-000LDa-6V)
X-Agent-Received: from pop3.easynet.co.uk (pop3.easynet.co.uk); Sat, 25 Apr 2009 11:52:52 +0100
X-Agent-Junk-Probability: 0
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

"www.sonic.it" is an internet service provider in Italy, probably the one that hosts the scammer's email accounts, not necessarily with knowledge of what they are doing.


Peter

Last edited by listerdiesel; 25-04-09 at 12:01 PM.
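
The disguised link described in the post above can be checked mechanically. This is an added example, not part of the original post: it reads the HTML body of a message and reports every link whose real destination differs from the address shown on screen or from the domain the message claims to come from. The sample body, the host `login.example.invalid` and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample body (not the real message): two disguised links, one genuine.
SAMPLE = """<p>Please restore your account access.</p>
<a href="http://login.example.invalid/paypa/login.aspx">Click here to sign in</a>
<a href="http://login.example.invalid/paypa/update">www.paypal.com/us/</a>
<a href="https://www.paypal.com/us/help">Help</a>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

# A host name appearing in the visible text, e.g. "www.paypal.com/us/".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def same_site(host, expected):
    """True if host is the expected domain or one of its subdomains."""
    return host == expected or host.endswith("." + expected)

def audit_links(html, claimed_domain):
    """Return (href, text, reason) for each web link that is not what it appears to be."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # only web links are audited here
        target = (parts.hostname or "").lower()
        shown = HOST_IN_TEXT.search(text)
        shown_host = re.sub(r"^www\.", "", shown.group(1).lower()) if shown else ""
        if shown_host and not same_site(target, shown_host):
            findings.append((href, text, "text shows a different host"))
        elif not same_site(target, claimed_domain):
            findings.append((href, text, "not on claimed domain"))
    return findings
```

Calling `audit_links(SAMPLE, "paypal.com")` reports the first two links and passes the third.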
All times are GMT +1.