| Thread ID: 120841 | 2011-09-28 22:08:00 | Interesting ASB scam attempt | Billy T (70) | PC World Chat |
| Post ID | Timestamp | Content | User | ||
| 1234296 | 2011-09-28 22:08:00 | I haven't seen much in the way of attempts to scam ASB accounts, but I seem to recall there was a fairly serious attack quite recently.
This appears to be a fresh try-on, but the subject line is very un-ASB. Does the "does not designate as permitted" in the second line confirm the scam status?
X-Apparently-To: XXXX@xtra.co.nz via 124.108.96.103; Wed, 28 Sep 2011 13:15:36 -0700
Received-SPF: softfail (transitioning domain of company.info does not designate 210.54.141.252 as permitted sender)
X-YMailISG: SxyOJ2cWLDtxRhyHP_RCAsi9o9KoEbxROUD58ATsrHmt5SqP 0puaK_p0v8nY3MClzcaYH5_dbKg5UljQI13VWOsEtqNSxElaKW SgoAD.ObkV 9s22lZ5maJDhhHekk98rRY5rQScTlczyCcYWxWTjS0psfA5DFY fJBiru4c94 nOFemCZqV8Iumk83jtVbUFKDWKp85k6qpkFFR8WkpeRMPy71MA wg9_UdpNXV CU6ZmGzJ1xJJXieLHRlNHTk2lpTRY9TVq7eZ394FSBvK3DqehA hfzSyTvTJi Rrq2X0yWqUS83XAblM.40_Cjpp7iCscEDZePxOBtwjErQpUu92 350dmLgBQo oZYAvtFePyNsNR3zVQ9slPmqZdLKB5EusQ--
X-Originating-IP: [210.54.141.252]
Authentication-Results: mta1003.tnz.mail.aue.yahoo.com from=company.info; domainkeys=neutral (no sig); from=company.info; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO mta03.xtra.co.nz) (210.54.141.252) by mta1003.tnz.mail.aue.yahoo.com with SMTP; Wed, 28 Sep 2011 13:15:36 -0700
Received: from 4erwerwe ([122.59.92.174]) by mta03.xtra.co.nz with SMTP id <20110928201534.KQFF7312.mta03.xtra.co.nz@4erwerwe>; Thu, 29 Sep 2011 09:15:34 +1300
Reply-To: vtqibm@company.info
From: ASB Bank Limited<vtqibm@company.info>
To: service@asb.co.nz
Note: This email link is live
Subject: In return we will credit 50.00 NZD to your account - Just for your time!
Date: Thu, 29 Sep 2011 09:15:33 +1300
MIME-Version: 1.0
Content-Type: text/html; charset="shift_jis"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Intercepted on Xtra's server via Mailwasher, viewed online, then deleted. No need to even download.
Cheers Billy 8-{) :stare: |
Billy T (70) | ||
| 1234297 | 2011-09-28 22:27:00 | "I haven't seen much in the way of attempts to scam ASB accounts"
ASB have a long list of example "scam of the day" emails on their web site. The latest is a Customer Satisfaction Survey promising $50.
www.asb.co.nz |
PaulD (232) | ||
| 1234298 | 2011-09-29 02:34:00 | "Does the "does not designate as permitted" in the second line confirm the scam status?"
No - what that line says is that the email was purporting to be from vtqibm@company.info, but that the server which originally sent it is not listed as an approved mail source for that domain. The SPF record for company.info is below:
company.info. 86400 IN TXT "v=spf1 mx ip4:82.199.90.1/28 a:appmail.reeleezee.nl include:_spf.google.com ~all"
The headers are pretty interesting though, and very informative. The scam email in question was sent by another Xtra DSL customer:
steve@neith ~ $ dig -x 122.59.92.174
; <<>> DiG 9.7.3 <<>> -x 122.59.92.174
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51423
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;174.92.59.122.in-addr.arpa. IN PTR
;; ANSWER SECTION:
174.92.59.122.in-addr.arpa. 86400 IN PTR 122-59-92-174.jetstream.xtra.co.nz.
;; Query time: 52 msec
;; SERVER: 10.124.4.1#53(10.124.4.1)
;; WHEN: Thu Sep 29 15:26:36 2011
;; MSG SIZE rcvd: 92
Note that they may not have sent that message knowingly; it's possible that their computer was hijacked to do the job. The X-Mailer claims that the message was sent via Outlook Express, however this may or may not be true - this header is the equivalent of the 'User-Agent' header for a web browser, and is trivial to spoof. |
Erayd (23) | ||
| 1234299 | 2011-09-29 09:32:00 | Thanks Erayd. That is very enlightening. So it could be a local that is trying it on? Cheers Billy 8-{) |
Billy T (70) | ||
| 1234300 | 2011-09-29 11:25:00 | It certainly came from a local's computer, but they may not be aware of it - their computer may have been hijacked by the real scammer for the purposes of sending email. Of course, it's also entirely possible that they are a stupid scammer sending things from their own connection. | Erayd (23) | ||
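The header reading discussed in this thread can be scripted; the following is an added example, not part of any post. The function names are made up for illustration, the header lines and SPF record are copied from the posts, and the `mx`, `a` and `include` terms are only listed rather than resolved because that needs DNS.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Header lines copied from the first post (other headers left out).
RAW = """\
Received-SPF: softfail (transitioning domain of company.info does not designate 210.54.141.252 as permitted sender)
Received: from 127.0.0.1 (EHLO mta03.xtra.co.nz) (210.54.141.252) by mta1003.tnz.mail.aue.yahoo.com with SMTP; Wed, 28 Sep 2011 13:15:36 -0700
Received: from 4erwerwe ([122.59.92.174]) by mta03.xtra.co.nz with SMTP id <20110928201534.KQFF7312.mta03.xtra.co.nz@4erwerwe>; Thu, 29 Sep 2011 09:15:34 +1300
From: ASB Bank Limited<vtqibm@company.info>

"""
# SPF record for company.info as quoted in the reply.
SPF = "v=spf1 mx ip4:82.199.90.1/28 a:appmail.reeleezee.nl include:_spf.google.com ~all"
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_offline(record, ip):
    """Result if no DNS-backed term (mx, a, include) matches, plus those terms."""
    addr, needs_dns, default = ipaddress.ip_address(ip), [], "neutral"
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUAL else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            # strict=False because the published range has host bits set
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return QUAL[qual], needs_dns
        elif mech == "all":
            default = QUAL[qual]
        else:
            needs_dns.append(mech)
    return default, needs_dns

def triage(raw, record):
    msg = message_from_string(raw)
    spf_hdr = msg["Received-SPF"]
    checked = re.search(r"designate (\S+) as", spf_hdr).group(1)
    name, addr = parseaddr(msg["From"])
    first_hop = msg.get_all("Received")[-1]  # bottom-most header = earliest hop
    origin = re.search(r"\(\[?(\d+(?:\.\d+){3})\]?\)", first_hop).group(1)
    fallthrough, needs_dns = spf_offline(record, checked)
    return {"spf_header": spf_hdr.split()[0], "spf_checked_ip": checked,
            "origin_ip": origin, "display_name": name,
            "from_domain": addr.rsplit("@", 1)[1],
            "spf_fallthrough": fallthrough, "needs_dns": needs_dns}

if __name__ == "__main__":
    for key, value in triage(RAW, SPF).items():
        print(f"{key}: {value}")
```

The output shows that the SPF check was made against the Xtra relay (210.54.141.252), while the earliest hop is the DSL address 122.59.92.174, and that the display name says "ASB Bank Limited" although the address domain is company.info.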