I happen to have received the US Bank “phish” email.
Since I live in Toronto, Canada and don’t do business with
US Bank, I recognized it for what it was.
Because I felt the message was a problem, I made a copy of
the email header, along with a report.
So everyone can see what we are talking about, I am
forwarding a copy of the message header.
For privacy reasons, I have made the following changes to
the header:
* I have changed the domain information as found in the
header information concerning existing domains within
Canada or the United States.
I am now showing the spammed email address as
phished(_at_)example(_dot_)com
The various addresses, domains and the final address have
been altered, with the ultimate recipient address being
shown as personal(_at_)bigisp(_dot_)com.
I have left the return path as originally shown, being
Return-Path:
<anti-fraud(_dot_)ref(_dot_)num341742039034844(_at_)usbank(_dot_)com>
* I have altered each of the related IP addresses slightly,
except that of the one which is shown below as
([220.168.12.3]).
(A “who is” inquiry through DNS & stuff shows this IP
address is assigned to Chinanet, being the Hunan province
network with offices in Beijing.)
* All other information in the header has not been changed.
According to the header, it seems the phisher made a direct
connection from the IP address assigned to Chinanet to the
MX server of the spammed email address.
Of course, if this was a legitimate bank message, it would
not have been sent in this fashion. Also, it was sent with
low importance.
Given the header information, I am curious to know how this
particular message header would have been treated, based on
the presumption the spammed domain has published an SPF
record (compliant with Sender ID) and the receiving MX
server associated with the spammed email address is set up
to check for either SPF or Sender ID records?
If anyone wishes an original of the header for personal
analysis, please email me and I will send it on.
John Glube
Toronto, Canada
The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
--------------- Header ---------------
Return-Path: <anti-fraud(_dot_)ref(_dot_)num341742039034844(_at_)usbank(_dot_)com>
Received: from toip1.bigisp.net ([209.220.175.84])
    by tomts38-srv.bigsip.net (InterMail vM.5.01.06.10 201-253-122-130-110-20040306)
    with ESMTP id <20040726103003(_dot_)BFKZ8124(_dot_)tomts38-srv(_dot_)bigisp(_dot_)net(_at_)toip1(_dot_)bigsip(_dot_)net>
    for <personal(_at_)bigisp(_dot_)net>; Mon, 26 Jul 2004 06:30:03 -0400
Received: from erato.host2u.net (216.70.64.161)
    by toip1.bigisp.net with ESMTP; 26 Jul 2004 06:30:02 -0400
Received: from 66.79.231.191 ([220.168.12.3])
    by erato.host2u.net (8.11.6/8.11.6) with SMTP id i6QATuo17389
    for <phish(_at_)example(_dot_)com>; Mon, 26 Jul 2004 05:29:57 -0500
Message-Id: <200407261029(_dot_)i6QATuo17389(_at_)erato(_dot_)host2u(_dot_)net>
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
FCC: mailbox://anti-fraud(_dot_)ref(_dot_)num341742039034844(_at_)usbank(_dot_)com/Sent
X-Identity-Key: id1
Date: Mon, 26 Jul 2004 14:25:49 +0300
From: U S Bank <anti-fraud(_dot_)ref(_dot_)num341742039034844(_at_)usbank(_dot_)com>
X-Mozilla-Draft-Info: internal/draft; vcard=0; receipt=0; uuencode=0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: phish(_at_)example(_dot_)com
Subject: Important notification
Content-Type: multipart/related; boundary="------------010705020107040506040001"
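As an added illustration (editor's example, not part of John's post), the following Python evaluates the posted header the way an SPF-checking MX would: it takes the connecting IP from the innermost Received line (220.168.12.3) and the domain from the Return-Path (usbank.com), then evaluates them against that domain's SPF record. The SPF record for usbank.com is constructed for the example, since the page does not show a real one, and Sender ID's purported responsible address is simplified here to the From: header, which names the same domain.

```python
import ipaddress
import re

# Innermost Received line from the posted header: the phisher's host handed the
# message straight to the recipient's MX (erato.host2u.net) from 220.168.12.3.
RECEIVED = ("Received: from 66.79.231.191 ([220.168.12.3]) "
            "by erato.host2u.net (8.11.6/8.11.6) with SMTP id i6QATuo17389")
MAIL_FROM = "anti-fraud.ref.num341742039034844@usbank.com"   # Return-Path
FROM_HDR = "U S Bank <anti-fraud.ref.num341742039034844@usbank.com>"  # PRA (simplified)

# Constructed, hypothetical SPF record: usbank.com's real record is not on the page.
SPF_RECORDS = {"usbank.com": "v=spf1 ip4:192.0.2.0/24 -all"}

def connecting_ip(received):
    """Pull the TCP peer address the MX recorded in brackets, e.g. ([220.168.12.3])."""
    m = re.search(r"\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", received)
    return m.group(1) if m else None

def domain_of(address):
    """Domain part of a MAIL FROM address or a From: header value."""
    m = re.search(r"@([\w.-]+)>?\s*$", address)
    return m.group(1).lower() if m else None

def check_host(ip, domain, records):
    """Minimal SPF evaluator: ip4/ip6 mechanisms and 'all' with +/-/~/? qualifiers."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        else:
            return "permerror"  # mechanisms this toy evaluator does not implement
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"  # no mechanism matched and no 'all' term

def evaluate(received=RECEIVED, mail_from=MAIL_FROM, from_hdr=FROM_HDR, records=SPF_RECORDS):
    """Classic SPF checks the MAIL FROM domain; Sender ID checks the PRA (here, From:)."""
    ip = connecting_ip(received)
    return {"ip": ip,
            "spf": check_host(ip, domain_of(mail_from), records),
            "sender_id": check_host(ip, domain_of(from_hdr), records)}
```

With the constructed record, both checks return "fail" for the connecting IP; had usbank.com published no record at all, the result would be "none" and the MX would have nothing to act on.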