Some asswipe just tried to phish me and USED THEIR OWN CONTACT INFO

I get tons of returned phish attempts at one of my emails; I've obviously never tried to phish anyone, so someone is masking their emails, pretending to be me. I also get threats of physical beatings and being reported to the police/various other authorities. It's NOT fun.

Yes, it does, hence my initial ire (I’ve masked the email in the original):

[quote]
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0xO0Q9MTtTQ0w9Mw==
X-Message-Status: n:0
X-SID-PRA: xxx@usc.edu
X-SID-Result: Pass
X-Message-Info: GT5wTyc/kVj5tQZuO0075q9QlxPr5DDH8RYbD6cB4EvoKRW4v4k2rF+eYDVqja47WzsJr4guRR76ZkgUrvf1D51ijV1f/VtBUBE09imEiZs=
Received: from msg-scanner3.usc.edu ([128.125.137.212]) by bay0-mc8-f2.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Fri, 21 Nov 2008 07:37:44 -0800
Received: from User ([69.15.54.59])
by msg-scanner3.usc.edu (Sun Java System Messaging Server 6.2-3.04 (built Jul
15 2005)) with ESMTPA id <0KAO0024LWQNBHL0@msg-scanner3.usc.edu>; Fri,
21 Nov 2008 07:37:40 -0800 (PST)
Date: Fri, 21 Nov 2008 08:35:36 -0700
From: Citi Bank <accounts@citibank.com>
Subject: Account verification request - Please respond.
Sender: xxx@usc.edu
Message-id: <0KAO0024MWQOBHL0@msg-scanner3.usc.edu>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-type: text/html; charset=Windows-1251
Content-transfer-encoding: 7BIT
X-Priority: 3
X-MSMail-priority: Normal
Bcc:
Return-Path: accounts@citibank.com
X-OriginalArrivalTime: 21 Nov 2008 15:37:44.0519 (UTC) FILETIME=[18FBC570:01C94BEF]
[/quote]

I still wouldn't call it definitive (there are options if someone really wants to cause trouble), but the mail administrator at usc.edu needs to be notified. There are three distinct likely possibilities:

  1. The student’s box has been compromised and there’s a trojan on it using the box for phishing. (The most likely possibility.)
  2. The student is a complete dumbass and needs to be expelled and arrested; let the state of California determine the order to do that in. (Still very possible; I knew plenty of idiots who would try it.)
  3. The mail server has been compromised in some way. (Less likely but I've seen it more times than I can count; it's always possible they've changed the box to an open relay [a mail server that will pass along mail from anyone, which is something a lot of stupid admins do at least once under the foolish assumption that no one will notice].)

I’m no longer paid to hunt these people down and kill them but I’d check the URL they sent to find out who really owns it and compare for a match against the stupid student. No match, then you’re probably looking at your standard phisher with a botnet and stolen credit information and the only way to find the real person would be to follow the money… er… data to see who picks it up.

I had my own account hijacked and used as a spam address, so I think that it's likely to be the case here also.

A smart e-mail system does verify it via reverse DNS look-ups, and then comparing the sender’s IP address with the sender’s domain name.

Most e-mail systems have such verification built-in as e-mail spoofing has been a known issue for a long time now.

I’d put all my money on this or a very similar situation. The chances this was an individually crafted email by some nefarious student are basically nil, in my experience. Actually, poking through the headers it doesn’t even seem to have originated from a computer on USC’s network (the first IP prior to USC’s mailserver belongs to a “Green Acres Nursery” in Colorado).

To the OP: there’s just no point taking spam personally like this. Unless you’re a serious computer whiz there’s no telling what, if any, information in the email is real. It’s almost universally sent by automated processes running on compromised machines owned by innocent people, and reporting it is almost entirely pointless (if USC’s admins actually tracked down every spam that appeared to originate from their servers, they’d never do anything else). I went through a phase of receiving 100+ bounce messages an hour because some spammer had stuck my address in the “from:” field of all his mailings, and they were all getting rejected. Not fun at all, added to which I surely wouldn’t have appreciated getting blamed for the flood.

Just let your spamfilter deal with it and pretend it doesn’t exist.
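Walking the Received chain the way the post above does, as an added example that is not from anyone in the thread: it rejoins the folded header lines quoted earlier, lists hops oldest-first, notes that the first hop was an authenticated (ESMTPA) submission, and flags the From/Sender domain mismatch. The header sample is copied from the quoted post; the check logic is the example's own.

```python
import re

# Constructed sample: the headers quoted earlier in the thread (address masked there), trimmed.
RAW_HEADERS = """\
Received: from msg-scanner3.usc.edu ([128.125.137.212]) by bay0-mc8-f2.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
 Fri, 21 Nov 2008 07:37:44 -0800
Received: from User ([69.15.54.59])
 by msg-scanner3.usc.edu (Sun Java System Messaging Server 6.2-3.04 (built Jul
 15 2005)) with ESMTPA id <0KAO0024LWQNBHL0@msg-scanner3.usc.edu>; Fri,
 21 Nov 2008 07:37:40 -0800 (PST)
From: Citi Bank <accounts@citibank.com>
Sender: xxx@usc.edu
"""
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(\S+)(.*)", re.I)
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")

def parse_headers(raw):
    """Return (name, value) pairs with RFC 5322 folded continuation lines rejoined."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:  # continuation of the previous field
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def received_chain(fields):
    """Hops oldest-first: each relay prepends its own Received line, so the last is the first hop."""
    hops = []
    for name, value in fields:
        m = HOP_RE.search(value) if name == "received" else None
        if m:  # ESMTPA (RFC 3848) means the relay took the mail from a logged-in user
            hops.append({"helo": m.group(1), "ip": m.group(2), "by": m.group(3),
                         "authenticated": "ESMTPA" in m.group(4)})
    return hops[::-1]

def findings(fields):
    """Where the mail entered, how it was submitted, and header-identity mismatches."""
    out = []
    doms = {n: ADDR_RE.search(v).group(1).lower()
            for n, v in fields if n in ("from", "sender") and ADDR_RE.search(v)}
    hops = received_chain(fields)
    if hops:
        out.append("origin %(ip)s (HELO %(helo)r) handed to %(by)s" % hops[0])
        if hops[0]["authenticated"]:
            out.append("ESMTPA at first hop: a login was used, so suspect the account, not an open relay")
    if doms.get("from") != doms.get("sender"):
        out.append("From domain %s differs from Sender domain %s" % (doms.get("from"), doms.get("sender")))
    return out
```

The IP recorded at each hop is only as trustworthy as the relay that wrote that Received line, so the first-hop address is evidence to hand to the usc.edu admins, not proof of who sat at the keyboard.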

I’d take issue with “most”. Most ISPs still run completely open SMTP servers, because customers are very unlikely to use an address at the ISP’s domain these days. When we get to the point where every email host provides authenticated SMTP servers, ISPs don’t block SMTP traffic to external sites, and everyone implements the Sender Policy Framework, it’ll be bliss. We’re miles from that point, though.

I’m not talking about the sending SMTP server, but the mail server on the receiving end. Using reverse-lookups to verify the sender’s domain actually came from the correct e-mail gateway is quite common these days.

Not to mention webhosting services where the SMTP server typically won’t match the domain. There’s a lot of very good reasons why the stated “from” line in the SMTP service is different.

And I still say reporting is important because there are aggressive spam blacklists that will block legitimate servers who don’t police the mail that’s going out through them. I know when I dealt with this in the past I appreciated getting those spam reports as long as they were accurate; killing those accounts gave me a warm fuzzy feeling and it usually only took me two or three minutes to verify the message origin. You’ve got headers, pass them along, and let it go to someone who can do something about it.

I'll add that I've gotten a couple of emails like that recently too. Judging by the headers it looks like the email is actually being sent through USC servers; the question is how. I really doubt some student would be stupid enough to do that.

Probably a compromised account or a compromised machine that is programmed to send spam through outlook or something.

I got the Citi Bank one today. I also got one pretending to be the IRS, saying I am due a 650 dollar refund, just contact them with my info via email. If they contacted me, they have it.
It is Xmas time and the thieves are busy.

I just tried this on Outlook 2007, and what I got back was
From: Me [myaddress@myserver.com] on behalf of B. Obama [bobama@whitehouse.gov]
To: “shrimpface”

Which looks a lot like what the OP got. It landed squarely in my Junk e-mail folder, so apparently Outlook saw something suspicious about it.

OK, using Tools/Account Settings, I was able to change my name and make the heading read

To: shrimpface
From: B. Obama

But it still got flagged.

Hey, not every USC student is (a) a computer science major or (b) smart.

Sounds like a job for Crandall Spondular.

By the way, if you try this at home be sure to change your settings back so somebody doesn't ask you the next day why your e-mails are coming from the White House. :smack: I wonder if they'll let me have Internet access at Gitmo.