This one was a bit more than a chuckle:
Your Mailbox (debian-user@lists.debian.org) usage is above 100MB, prior to the general system update, CLICK HERE to Upgrade your E-mail account to avoid any blockage or deactivation.
NMSU Help desk
Copyright 2016 © New Mexico State University. All rights Reserved.
Why? you ask. What is so interesting about it?
Here are the headers that Google shows for it when you ask for the simple display of the headers (the triangle beside the from name):
from: helpdesk@nmsu.edu <[****P]@csufresno.edu> via lists.debian.org
to: debian-user@lists.debian.org
date: Thu, Jul 28, 2016 at 1:14 AM
subject: Mailbox is almost full
mailing list: debian-user@lists.debian.org
mailed-by: lists.debian.org
encryption: Standard (TLS)
Wow! The general user mailing list for the Debian/Linux family of computer operating systems has a mailbox at New Mexico State University!
Oh, but wait. The "from" address is deliberately mislabeled (spoofed). It claims to be the help desk at NMSU, but it's really a professor at Fresno State (California State University, Fresno)!
Why would a professor at Fresno State be working the help desk at NMSU? Or even pretending to be?
Beginning to see the humor here?
Let's get a better look at the headers. Over to the right of the upper reply button, there's another triangle for a pop-up menu. Click that, and select "Show original":
Delivered-To: [****B]@gmail.com
Received: by 10.36.98.147 with SMTP id d141csp352457itc;
Wed, 27 Jul 2016 08:36:20 -0700 (PDT)
X-Received: by 10.28.194.195 with SMTP id s186mr34931549wmf.48.1469633777622;
Wed, 27 Jul 2016 08:36:17 -0700 (PDT)
[...]
Received-SPF: pass (google.com: manual fallback record for domain of bounce-debian-user=[****B]=gmail.com@lists.debian.org designates 2001:41b8:202:deb:216:36ff:fe40:4002 as permitted sender) client-ip=2001:41b8:202:deb:216:36ff:fe40:4002;
Authentication-Results: mx.google.com;
spf=pass (google.com: manual fallback record for domain of bounce-debian-user=[****B]=gmail.com@lists.debian.org designates 2001:41b8:202:deb:216:36ff:fe40:4002 as permitted sender) smtp.mailfrom=bounce-debian-user=[****B]=gmail.com@lists.debian.org
[...]
Received: from [10.32.215.48] (unknown [197.211.57.1])
by fresno-p02.merit.edu (Postfix) with ESMTPSA id AA5C670072A1
for <debian-user@lists.debian.org>; Wed, 27 Jul 2016 11:13:22 -0400 (EDT)
Content-Type: multipart/alternative; boundary="===============1054991032=="
[...]
Resent-Date: Wed, 27 Jul 2016 15:36:11 +0000 (UTC)
You will not see this in a MIME-aware mail reader.
--===============1054991032==
Content-Type: text/plain; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
Your Mailbox (debian-user@lists.debian.org) usage is above 100MB, prior to =
the general system update, CLICK HERE to Upgrade your E-mail account to avo=
id any blockage or deactivation.
NMSU Help desk
Copyright 2016 =A9 New Mexico State University. All rights Reserved.
--===============1054991032==
Content-Type: text/html; charset="iso-8859-1"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Description: Mail message body
<HTML><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=
=3Diso-8859-1"/></head><BODY><P style=3D"WHITE-SPACE: normal; WORD-SPACING:=
0px; TEXT-TRANSFORM: none; COLOR: rgb(34,34,34); FONT: small arial, sans-s=
erif; WIDOWS: 1; LETTER-SPACING: normal; TEXT-INDENT: 0px; -webkit-text-str=
oke-width: 0px"><SPAN style=3D"FONT-SIZE: 16px; FONT-FAMILY: calibri, arial=
, helvetica, sans-serif; COLOR: rgb(0,0,0); font-stretch: normal">Your =
;Mailbox (debian-user@lists.debian.org) usage is above 100MB, prior to the =
general system update, </SPAN><A style=3D"FONT-SIZE: 16px; TEXT-DECORA=
TION: none; FONT-FAMILY: calibri, arial, helvetica, sans-serif; COLOR: rgb(=
17,85,204); font-stretch: normal" href=3D"http://akkartec.com/images/upgrad=
e/" target=3D_blank>CLICK HERE</A><SPAN style=3D"FONT-SIZE: 16px; FONT-FAMI=
LY: calibri, arial, helvetica, sans-serif; COLOR: rgb(0,0,0); font-stretch:=
normal"> to Upgrade your E-mail account to avoid any blockage or deac=
tivation.</SPAN><BR style=3D"FONT-SIZE: 16px; FONT-FAMILY: calibri, arial, =
helvetica, sans-serif; COLOR: rgb(0,0,0); font-stretch: normal"></P>
<P style=3D"WHITE-SPACE: normal; WORD-SPACING: 0px; TEXT-TRANSFORM: none; C=
OLOR: rgb(34,34,34); FONT: small arial, sans-serif; WIDOWS: 1; LETTER-SPACI=
NG: normal; TEXT-INDENT: 0px; -webkit-text-stroke-width: 0px"><SPAN style=
=3D"FONT-SIZE: 16px; FONT-FAMILY: calibri, arial, helvetica, sans-serif; CO=
LOR: rgb(0,0,0); font-stretch: normal">NMSU Help desk<BR>Copyright </=
SPAN><SPAN style=3D"FONT-SIZE: 16px; FONT-FAMILY: calibri, arial, helvetica=
, sans-serif; COLOR: rgb(0,0,0)">2016</SPAN><SPAN style=3D"FONT-SIZE: 16px;=
FONT-FAMILY: calibri, arial, helvetica, sans-serif; COLOR: rgb(0,0,0)">&nb=
sp;</SPAN><SPAN style=3D"FONT-SIZE: 16px; FONT-FAMILY: calibri, arial, helv=
etica, sans-serif; COLOR: rgb(0,0,0)">=A9 New Mexico State University. All =
rights Reserved.</SPAN></P></BODY></HTML>
--===============1054991032==--
I ripped out a bunch of the headers that get in the way of seeing the interesting parts, but it looks like (maybe) an open mail relay somewhere on merit.edu's networks is picking up mail from a bot or zombified PC somewhere on the same network.
And the headers are very carefully crafted to sneak this through the SPF pseudo-validation system, but I clipped most of that. (You did know that SPF leaks like a sieve, right?)
I highlighted what appears to be the business end of this, a link to an "image" (probably not a benign image, at any rate) on akkartec.com.
Anyway, hi, Professor [Name Elided]. I am sure you are not working at NMSU's help desk. (I didn't really quite Roll On the Floor Laughing.) But it does raise an eyebrow.
And it allows me to show one example of why you should never trust e-mail without some good external reason to do so. (And maybe not even then.)
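As an added example (not code from the original post), here is a small Python checker that applies the same reasoning to the headers above: it unfolds the headers, compares the display name with the real From: address, checks whether the SPF pass is for the envelope sender (smtp.mailfrom) rather than for the From: domain (the alignment DMARC would have demanded), and flags an authenticated (ESMTPSA) submission from a client with no reverse DNS. The header sample is constructed from the message above with placeholder addresses.

```python
import re

# Constructed sample modelled on the headers quoted above; addresses are placeholders.
RAW = """Received: from [10.32.215.48] (unknown [197.211.57.1])
 by fresno-p02.merit.edu (Postfix) with ESMTPSA id AA5C670072A1
 for <debian-user@lists.debian.org>; Wed, 27 Jul 2016 11:13:22 -0400 (EDT)
Authentication-Results: mx.google.com;
 spf=pass (google.com: designates 2001:41b8:202:deb:216:36ff:fe40:4002 as permitted sender)
 smtp.mailfrom=bounce-debian-user=recipient=gmail.com@lists.debian.org
From: helpdesk@nmsu.edu <professor@csufresno.edu>
"""

def parse_headers(raw):
    # [(name, value)] from the header block, with folded continuation lines joined
    headers = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in " \t" and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def first(headers, name):
    return next((v for n, v in headers if n == name), "")
def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def split_from(value):
    # display name and angle-address; parseaddr is avoided because a display name that is itself an address confuses it
    m = re.match(r'\s*"?(.*?)"?\s*<([^>]+)>\s*$', value)
    return (m.group(1), m.group(2)) if m else ("", value.strip())

def analyze(raw):
    h = parse_headers(raw)
    display, addr = split_from(first(h, "from"))
    ar = first(h, "authentication-results")
    spf_m, mf_m = re.search(r"\bspf=(\w+)", ar), re.search(r"smtp\.mailfrom=(\S+)", ar)
    spf = spf_m.group(1) if spf_m else "none"
    mailfrom = mf_m.group(1).rstrip(";") if mf_m else ""
    findings = []
    if "@" in display and domain(display) != domain(addr):   # display-name spoof
        findings.append(f"display name {display} but real address {addr}")
    if spf == "pass" and domain(mailfrom) != domain(addr):   # SPF covers the envelope sender, not From:
        findings.append(f"SPF pass is for {domain(mailfrom)}, not From: domain {domain(addr)}")
    for n, v in h:   # ESMTPSA = Postfix shorthand for STARTTLS + SMTP AUTH; client has no reverse DNS
        ip = re.search(r"\(unknown \[([^\]]+)\]\)", v) if n == "received" and "ESMTPSA" in v else None
        if ip:
            findings.append(f"authenticated submission from unresolved host {ip.group(1)}")
    return {"spf": spf, "from_addr": addr, "mailfrom": mailfrom, "findings": findings}
```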