ietf-mxcomp

RE: How would SPF or Sender Id caught this one?

2004-07-30 22:41:54
I happen to have received the US Bank “phish” email.

Since I live in Toronto, Canada and don’t do business with US Bank, I recognized it for what it was.

Because I felt the message was a problem, I made a copy of the email header, along with a report.

So everyone can see what we are talking about, I am forwarding a copy of the message header.

For privacy reasons, I have made the following changes to the header:

* I have changed the domain information as found in the header information concerning existing domains within Canada or the United States.

I am now showing the spammed email address as phished(_at_)example(_dot_)com

The various addresses, domains and the final address have been altered, with the ultimate recipient address being shown as personal(_at_)bigisp(_dot_)com.

I have left the return path as originally shown, being Return-Path: <anti-fraud(_dot_)ref(_dot_)num341742039034844(_at_)usbank(_dot_)com>

* I have altered each of the related IP addresses slightly, except that of the one which is shown below as ([220.168.12.3]).

(A “who is” inquiry through DNS & stuff shows this IP address is assigned to Chinanet, being the Hunan province network with offices in Beijing.)

* All other information in the header has not been changed.

According to the header, it seems the phisher made a direct connection from the IP address assigned to Chinanet to the MX server of the spammed email address.

Of course, if this was a legitimate bank message, it would not have been sent in this fashion. Also, it was sent with low importance.

Given the header information, I am curious to know how this particular message header would have been treated, based on the presumption the spammed domain has published an SPF record (compliant with Sender-ID) and the receiving MX server associated with the spammed email address is set up to check for either SPF or Sender ID records?

If anyone wishes an original of the header for personal analysis, please email me and I will send it on.

John Glube
Toronto, Canada

The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html

--------------- Header ---------------

Return-Path: <anti-fraud(_dot_)ref(_dot_)num341742039034844(_at_)usbank(_dot_)com>
Received: from toip1.bigisp.net ([209.220.175.84])
          by tomts38-srv.bigsip.net
          (InterMail vM.5.01.06.10 201-253-122-130-110-20040306) with ESMTP
          id <20040726103003(_dot_)BFKZ8124(_dot_)tomts38-srv(_dot_)bigisp(_dot_)net(_at_)toip1(_dot_)bigsip(_dot_)net>
          for <personal(_at_)bigisp(_dot_)net>; Mon, 26 Jul 2004 06:30:03 -0400
Received: from erato.host2u.net (216.70.64.161)
  by toip1.bigisp.net with ESMTP; 26 Jul 2004 06:30:02 -0400
Received: from 66.79.231.191 ([220.168.12.3])
            by erato.host2u.net (8.11.6/8.11.6) with SMTP id i6QATuo17389
            for <phish(_at_)example(_dot_)com>; Mon, 26 Jul 2004 05:29:57 -0500
Message-Id: <200407261029(_dot_)i6QATuo17389(_at_)erato(_dot_)host2u(_dot_)net>
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://anti-fraud(_dot_)ref(_dot_)num341742039034844(_at_)usbank(_dot_)com/Sent
X-Identity-Key: id1
Date: Mon, 26 Jul 2004 14:25:49 +0300
From: U S Bank <anti-fraud(_dot_)ref(_dot_)num341742039034844(_at_)usbank(_dot_)com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: phish(_at_)example(_dot_)com
Subject: Important notification
Content-Type: multipart/related;
 boundary="------------010705020107040506040001"

 


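As an added illustration (my own code, not part of this post or of any SPF or Sender ID implementation), the Python below does what a receiving MX that checks SPF/Sender ID would do with the header above: it takes the connecting IP from the Received line its own MX wrote, the MAIL FROM domain from Return-Path and the PRA from From:, and evaluates them against an SPF record. It assumes erato.host2u.net is the MX for the spammed address and uses a constructed stand-in record for usbank.com, not the bank's real one.

```python
import ipaddress
import re

# Constructed copy of the post's header (de-obfuscated, cut to the fields a check reads).
RAW_HEADER = """\
Return-Path: <anti-fraud.ref.num341742039034844@usbank.com>
Received: from toip1.bigisp.net ([209.220.175.84])
          by tomts38-srv.bigsip.net with ESMTP; Mon, 26 Jul 2004 06:30:03 -0400
Received: from 66.79.231.191 ([220.168.12.3])
            by erato.host2u.net (8.11.6/8.11.6) with SMTP id i6QATuo17389
            for <phish@example.com>; Mon, 26 Jul 2004 05:29:57 -0500
From: U S Bank <anti-fraud.ref.num341742039034844@usbank.com>
"""
# Stand-in SPF record (an assumption, NOT usbank.com's real one): only 192.0.2.0/24 may send.
SPF_RECORDS = {"usbank.com": "v=spf1 ip4:192.0.2.0/24 -all"}
VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def fields(header):
    """Unfold continuation lines so every header field is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header).splitlines()
def field(header, name):
    return next(l.split(":", 1)[1].strip() for l in fields(header)
                if l.lower().startswith(name.lower() + ":"))
def border_hop_ip(header, own_mx):
    """IP that connected to our own MX; earlier Received lines are sender-written and forgeable."""
    for line in fields(header):
        m = re.search(r"^Received: from .*?\[([\d.]+)\]\)?\s+by\s+(\S+)", line)
        if m and m.group(2).lower() == own_mx:
            return m.group(1)
    return None
def check_spf(ip, domain, records):
    """Minimal SPF evaluation: ip4 and all mechanisms only, no DNS lookups."""
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in VERDICT else ("+", term)
        if mech == "all" or (mech.startswith("ip4:") and
                             addr in ipaddress.ip_network(mech[4:], strict=False)):
            return VERDICT[qual]
    return "neutral"
def evaluate(header=RAW_HEADER, own_mx="erato.host2u.net", records=SPF_RECORDS):
    """SPF checks the MAIL FROM (Return-Path) domain; Sender ID checks the PRA, here From:."""
    dom = lambda addr: addr.rsplit("@", 1)[1].lower()
    ip = border_hop_ip(header, own_mx)
    mail_from = field(header, "Return-Path").strip("<>")
    pra = re.search(r"<([^>]+)>", field(header, "From")).group(1)
    return {"ip": ip, "spf": check_spf(ip, dom(mail_from), records),
            "sender_id": check_spf(ip, dom(pra), records)}
```

With the stand-in -all record both checks return fail for 220.168.12.3; with no record published by usbank.com the result is none, so the outcome depends on the sending domain's record, not on anything the spammed domain publishes.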