Monday, February 7, 2011

Phishing messages from possibly compromised .edu accounts

Original Message

From: Webmaster [mailto:solorzanojs@guilford.edu]
Sent: Monday, February 07, 2011 11:14 AM
Subject: User Quarantine Release Notification

Hello,

   We are carrying out a routine quarantine exercise . we have started our yearly server (inactive email-accounts / spam protecting etc) clean-up process to enable service upgrade/migration efficiency. Please be informed that your account usage will be fully restricted if you do not adhere to this notice.

You are to provide your account details for immediate Quarantine by clicking on your reply button to respond as follows (This will confirm your account login/usage
Frequency / account continuation potentials):

*username:
*Password:
*Alternate Email:

  All IT Service utilities will not be altered during this period, This will not affect the operation of your IT service systems or the manner in which you currently login to your account.  Account access and usage will be disabled if you fail to comply as required.

Help Desk
Information Technology
© 2011 All rights reserved
 

Message Headers

Received: from xxxxxxxxx by XXXXXXXXXXXXX
 with Microsoft SMTP Server (TLS) id 8.2.254.0; Mon, 7 Feb
 2011 11:22:36 -0500
X-VirusChecked: Checked
X-Env-Sender: solorzanojs@guilford.edu
X-Msg-Ref: XXXXXXXXXXXXXXX
X-StarScan-Version: 6.2.9; banners=-,-,-
X-Originating-IP: [64.18.0.27]
X-SpamReason: No, hits=1.3 required=7.0 tests=HTML_10_20,HTML_MESSAGE,
  RCVD_BY_IP,TO_CC_NONE
Received: (qmail 7983 invoked from network); 7 Feb 2011 16:22:04 -0000
Received: from exprod5ob114.obsmtp.com (HELO exprod5ob114.obsmtp.com)
 (64.18.0.27)  by XXXXXXXXX with DHE-RSA-AES256-SHA
 encrypted SMTP; 7 Feb 2011 16:22:04 -0000
Received: from source ([74.125.82.50]) (using TLSv1) by
 exprod5ob114.postini.com ([64.18.4.12]) with SMTP    ID
 DSNKTVAcKZVBTjzoS6CLTP58eyLVOGiGUZXA@postini.com; Mon, 07 Feb 2011 08:22:03
 PST
Received: by wwf26 with SMTP id 26so4792305wwf.31        for
 ; Mon, 07 Feb 2011 08:22:00 -0800 (PST)
MIME-Version: 1.0
Received: by 10.227.146.9 with SMTP id f9mt2231835wbv.30.1297095263373; Mon,
 07 Feb 2011 08:14:23 -0800 (PST)
Received: by 10.216.17.137 with HTTP; Mon, 7 Feb 2011 08:14:23 -0800 (PST)
Reply-To:
Date: Mon, 7 Feb 2011 17:14:23 +0100
Message-ID:
Subject: User Quarantine Release Notification
From: Webmaster
Content-Type: multipart/alternative; boundary="0016e65c86dca986a5049bb3a147"
To: Undisclosed recipients:;
Return-Path: solorzanojs@guilford.edu
X-MS-Exchange-Organization-PRD: guilford.edu
Received-SPF: SoftFail  
X-MS-Exchange-Organization-SenderIdResult: SOFTFAIL

Sender

solorzanojs@guilford.edu  
Message path
10.216.17.137 (private ip)
|
10.227.146.9 (private ip)
|
74.125.82.50 (Google)
|
64.18.0.27 (Postini) - guilford.edu uses Gmail+Postini too: http://www.robtex.com/dns/www.guilford.edu.html#records
|
final recipient (often someone who has nothing to do with guilford.edu - not a student, parent, or alumnus)

I don't know whether the solorzanojs@guilford.edu account is real, but it appears that the message indeed came from a Google/Gmail-based .edu account, judging by Postini, which is not used by individual Gmail customers. It is possible that this .edu account is compromised, along with many other Gmail-hosted .edu accounts. See examples here
or

Possibly it was done using the same primitive approach. 
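The hop reconstruction above, as an added Python example that is not code from the original post: it embeds the Received and SPF headers printed on this page as constructed sample input, walks the Received lines bottom-up (each relay prepends its own line, so the last one is the origin), pulls the host IP out of each hop, labels private ranges, and reads the Received-SPF verdict. The IP-extraction regex, the function names and the assess() summary are my own assumptions; skipping hops that carry no IP literal (the qmail and internal Exchange lines) is what makes the output match the four-node path listed above.

```python
import ipaddress
import re

# Constructed sample input: the Received/SPF headers printed on this page,
# with the page's redactions (XXXX) kept and RFC 5322 folding preserved
# (continuation lines start with a space).
RAW_HEADERS = """\
Received: from xxxxxxxxx by XXXXXXXXXXXXX
 with Microsoft SMTP Server (TLS) id 8.2.254.0; Mon, 7 Feb
 2011 11:22:36 -0500
X-Originating-IP: [64.18.0.27]
Received: (qmail 7983 invoked from network); 7 Feb 2011 16:22:04 -0000
Received: from exprod5ob114.obsmtp.com (HELO exprod5ob114.obsmtp.com)
 (64.18.0.27)  by XXXXXXXXX with DHE-RSA-AES256-SHA
 encrypted SMTP; 7 Feb 2011 16:22:04 -0000
Received: from source ([74.125.82.50]) (using TLSv1) by
 exprod5ob114.postini.com ([64.18.4.12]) with SMTP    ID
 DSNKTVAcKZVBTjzoS6CLTP58eyLVOGiGUZXA@postini.com; Mon, 07 Feb 2011 08:22:03
 PST
Received: by wwf26 with SMTP id 26so4792305wwf.31        for
 ; Mon, 07 Feb 2011 08:22:00 -0800 (PST)
Received: by 10.227.146.9 with SMTP id f9mt2231835wbv.30.1297095263373; Mon,
 07 Feb 2011 08:14:23 -0800 (PST)
Received: by 10.216.17.137 with HTTP; Mon, 7 Feb 2011 08:14:23 -0800 (PST)
From: Webmaster
Return-Path: solorzanojs@guilford.edu
Received-SPF: SoftFail
"""

# Heuristic (my assumption): an IPv4 literal is a hop address only when it
# is the host of a "from"/"by" clause, i.e. bracketed, parenthesised, or
# directly after "by". This keeps version strings like "id 8.2.254.0" out.
HOP_IP = re.compile(r"(?:[\[(]|\bby\s+)(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold_headers(raw):
    """Return (name, value) pairs, joining RFC 5322 folded continuation lines."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def hop_ip(received_value):
    """First valid hop IP named in one Received header value, or None."""
    for match in HOP_IP.finditer(received_value):
        try:
            return str(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue
    return None


def message_path(raw):
    """Origin-first list of (ip, 'private'|'public') built from Received headers.

    Relays prepend their Received line, so the bottom line is the earliest hop.
    Hops that name no IP literal (qmail, internal Exchange) are skipped.
    """
    hops = [v for n, v in unfold_headers(raw) if n.lower() == "received"]
    path = []
    for value in reversed(hops):
        ip = hop_ip(value)
        if ip is None:
            continue
        kind = "private" if ipaddress.ip_address(ip).is_private else "public"
        path.append((ip, kind))
    return path


def spf_result(raw):
    """Lower-cased Received-SPF verdict (e.g. 'softfail'), or None if absent."""
    for name, value in unfold_headers(raw):
        if name.lower() == "received-spf":
            return value.split()[0].lower()
    return None


def assess(raw):
    """Summarise what a triager notes: origin, public relays, SPF, webmail submission."""
    path = message_path(raw)
    public = [ip for ip, kind in path if kind == "public"]
    received = [v for n, v in unfold_headers(raw) if n.lower() == "received"]
    return {
        "origin": path[0][0] if path else None,
        "origin_kind": path[0][1] if path else None,
        "first_public_hop": public[0] if public else None,
        "last_public_hop": public[-1] if public else None,
        "spf": spf_result(raw),
        "submitted_via_webmail": any("with HTTP" in v for v in received),
    }


if __name__ == "__main__":
    print(" -> ".join(f"{ip} ({kind})" for ip, kind in message_path(RAW_HEADERS)))
    print(assess(RAW_HEADERS))
```

Only the Received lines added by your own MTA and by relays you trust are reliable; anything below them is under the sender's control and can be forged. Here the Gmail-internal hops are plausible because the first trusted line (the Postini relay at 64.18.0.27) hands the message off from a Google address, which is the inference the post draws.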
Automated Scans

-no malware, just phishing
