Monday, February 7, 2011

Phishing messages from possibly compromised .edu accounts

Original Message

From: Webmaster []
Sent: Monday, February 07, 2011 11:14 AM
Subject: User Quarantine Release Notification


   We are carrying out a routine quarantine exercise . we have started our yearly server (inactive email-accounts / spam protecting etc) clean-up process to enable service upgrade/migration efficiency. Please be informed that your account usage will be fully restricted if you do not adhere to this notice.

You are to provide your account details for immediate Quarantine by clicking on your reply button to respond as follows (This will confirm your account login/usage
Frequency / account continuation potentials):

*Alternate Email:

  All IT Service utilities will not be altered during this period, This will not affect the operation of your IT service systems or the manner in which you currently login to your account.  Account access and usage will be disabled if you fail to comply as required.

Help Desk
Information Technology
© 2011 All rights reserved

Message Headers

Received: from xxxxxxxxx by XXXXXXXXXXXXX
 with Microsoft SMTP Server (TLS) id; Mon, 7 Feb
 2011 11:22:36 -0500
X-VirusChecked: Checked
X-StarScan-Version: 6.2.9; banners=-,-,-
X-Originating-IP: []
X-SpamReason: No, hits=1.3 required=7.0 tests=HTML_10_20,HTML_MESSAGE,
Received: (qmail 7983 invoked from network); 7 Feb 2011 16:22:04 -0000
Received: from (HELO
 encrypted SMTP; 7 Feb 2011 16:22:04 -0000
Received: from source ([]) (using TLSv1) by ([]) with SMTP    ID; Mon, 07 Feb 2011 08:22:03
Received: by wwf26 with SMTP id 26so4792305wwf.31        for
 ; Mon, 07 Feb 2011 08:22:00 -0800 (PST)
MIME-Version: 1.0
Received: by with SMTP id f9mt2231835wbv.30.1297095263373; Mon,
 07 Feb 2011 08:14:23 -0800 (PST)
Received: by with HTTP; Mon, 7 Feb 2011 08:14:23 -0800 (PST)
Date: Mon, 7 Feb 2011 17:14:23 +0100
Subject: User Quarantine Release Notification
From: Webmaster
Content-Type: multipart/alternative; boundary="0016e65c86dca986a5049bb3a147"
To: Undisclosed recipients:;
Received-SPF: SoftFail  
X-MS-Exchange-Organization-SenderIdResult: SOFTFAIL

Message path (private ip)
| (private ip)
| (Google)
| (Postini) - and use Gmail+Postini too
final recipient (often who has nothing to do with - not a student, parent, or alumni)

I don't know if the account is real or not, but it appears that the message indeed came from a Google/Gmail based edu account - judging by Postini, which is not used by individual Gmail customers. It is possible that this edu account is compromised as well as many other Gmail .edu accounts. See examples here

Possibly it was done using the same primitive approach. 
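As an added example (not code from the original post), a small Python triage that reads a header block like the one quoted above, orders the Received hops oldest-first, and flags the signals discussed here: the SPF SoftFail, an origin hop submitted through webmail, undisclosed recipients and an account-threat subject. The redacted hosts and addresses in the sample are replaced with labelled placeholders (example.edu, 10.0.0.1); the ids and timestamps are the post's.

```python
import re
from email import message_from_string

# Constructed sample: the header block quoted in the post, with the redacted
# hosts and addresses replaced by placeholders (example.edu, 10.0.0.1) so that
# it parses as an RFC 5322 header section.
SAMPLE_HEADERS = """\
Received: from edge.example.edu by mailbox.example.edu
 with Microsoft SMTP Server (TLS) id; Mon, 7 Feb 2011 11:22:36 -0500
X-SpamReason: No, hits=1.3 required=7.0 tests=HTML_10_20,HTML_MESSAGE,
Received: (qmail 7983 invoked from network); 7 Feb 2011 16:22:04 -0000
Received: by wwf26 with SMTP id 26so4792305wwf.31
 for <recipient@example.edu>; Mon, 07 Feb 2011 08:22:00 -0800 (PST)
Received: by 10.0.0.1 with HTTP; Mon, 7 Feb 2011 08:14:23 -0800 (PST)
Date: Mon, 7 Feb 2011 17:14:23 +0100
Subject: User Quarantine Release Notification
From: Webmaster <webmaster@example.edu>
To: Undisclosed recipients:;
Received-SPF: SoftFail
X-MS-Exchange-Organization-SenderIdResult: SOFTFAIL

"""

def received_chain(msg):
    """Received headers oldest-first: each MTA prepends, so reverse the list."""
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def triage(raw):
    """Return hop count, the originating hop and a list of phishing indicators."""
    msg = message_from_string(raw)
    chain = received_chain(msg)
    findings = []
    spf = (msg.get("Received-SPF") or "").strip().split(" ")[0].lower()
    if spf in ("softfail", "fail", "none"):
        findings.append("spf:" + spf)  # sending host not authorised for the From domain
    if chain and "with HTTP" in chain[0]:
        findings.append("origin:webmail")  # first hop is a webmail submission, not an MTA
    if msg.get("To", "").strip().lower().startswith("undisclosed"):
        findings.append("to:undisclosed-recipients")  # bulk send hiding the target list
    if re.search(r"quarantine|suspend|restrict|verify", msg.get("Subject", ""), re.I):
        findings.append("subject:account-threat")  # urgency lure in the subject
    return {"hops": len(chain), "origin": chain[0] if chain else None,
            "findings": findings}

if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS))
```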

Automated Scans

-no malware, just phishing
