Spoofed email to Phish

By 3phatladies ·
Hi all.
Today we received an email that seemed to come from our own domain called alert..."alert@domain.com"

Obviously they tried to Phish us out with the link and it's originating via a relay site in Russia but how did they manage to trick the front desk into showing them it came from within our domain though?

We don't have an email by that name so it rang alarm bells and Untangle trapped it as spam anyhow. On opening it up (actual domain name omitted) in a VM it read:


Return-Path: <sorestfbt44@sedek.ru>
From: <alert@domain.com>
To: <michael@domain.com>
Subject: For the owner of the michael@domain.com mailbox
Date: Tue, 20 Oct 2009 03:59:31 +1100
Message-ID: <000d01ca50d5$24d9f380$6400a8c0@sorestfbt44>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_003B_01CA5175.D7F98D40"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcpQ1TpPBtV47dDjTkqvUVpiC7GILg==
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300

This is a multi-part message in MIME format.

------=_NextPart_000_003B_01CA5175.D7F98D40
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit

Dear user of the domain.com mailing service!

We are informing you that because of the security upgrade of the mailing
service your mailbox (michael@domain.com) settings were changed. In
order to apply the new set of settings click on the following link:


<http://domain.com.vvverfq.co.uk/owa/service_directory/settings.php?ema
il=michael@domain.com&from=domain.com&fromname=michael>
http://domain.com/owa/service_directory/settings.php?email=michael@domain.com&from=domain.com&fromname=michael

Best regards, domain.com Technical Support.

All Answers

Not sure how it's created and sent, but you can block it.

by Dedlbug In reply to Spoofed email to Phish

Check this blog: http://www.sophos.com/blogs/sophoslabs/?cat=3

I have noticed the same spam arriving in most of the Exchange servers I monitor. Those with third party spam filters (AVG, Barracuda, Symantec) all seem to have caught it. However, Exchange IMF is not catching it yet. I figure it will have to soon, because it is affecting a lot of mail servers out there, but if you run a third party solution you can try to block it. Refer to this link for more info: http://www.symantec.com/connect/blogs/personalized-patchupdate-spam-delivering-malware

Not much help, but I feel your pain.
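The quoted message shows two mismatches a filter can test for: the From header claims the recipient's own domain while the Return-Path is external, and the link host only begins with that domain. The sketch below is an added example, not part of the original thread or any poster's code; `check_message` and `SAMPLE` are hypothetical names, and the sample is constructed from the headers quoted in the question.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: headers and link lines from the quoted message, abridged,
# with the wrapped URL joined back onto one line.
SAMPLE = """\
Return-Path: <sorestfbt44@sedek.ru>
From: <alert@domain.com>
To: <michael@domain.com>
Subject: For the owner of the michael@domain.com mailbox

In order to apply the new set of settings click on the following link:

<http://domain.com.vvverfq.co.uk/owa/service_directory/settings.php?email=michael@domain.com&from=domain.com&fromname=michael>
http://domain.com/owa/service_directory/settings.php?email=michael@domain.com&from=domain.com&fromname=michael
"""

def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def in_domain(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_message(raw, our_domain):
    """List reasons a message claiming to be from our_domain looks spoofed."""
    msg = message_from_string(raw)
    findings = []
    envelope = domain_of(msg.get("Return-Path", ""))
    header = domain_of(msg.get("From", ""))
    # From is just text the sender typed; the envelope sender is set separately.
    if header == our_domain and envelope != our_domain:
        findings.append(f"From claims {header} but Return-Path is {envelope}")
    # Flag hosts that contain our domain as a label prefix but are not ours.
    for url in re.findall(r"https?://[^\s<>]+", msg.get_payload()):
        host = urlsplit(url).hostname or ""
        if our_domain in host and not in_domain(host, our_domain):
            findings.append(f"lookalike link host: {host}")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE, "domain.com"):
        print(finding)
```

Services that legitimately send on behalf of your domain with their own envelope sender will also trip the first check, so treat it as a scoring signal unless you know all your senders.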
