Original Message
From: Webmaster [mailto:solorzanojs@guilford.edu]
Sent: Monday, February 07, 2011 11:14 AM
Subject: User Quarantine Release Notification
Hello,
We are carrying out a routine quarantine exercise . we have started our yearly server (inactive email-accounts / spam protecting etc) clean-up process to enable service upgrade/migration efficiency. Please be informed that your account usage will be fully restricted if you do not adhere to this notice.
You are to provide your account details for immediate Quarantine by clicking on your reply button to respond as follows (This will confirm your account login/usage
Frequency / account continuation potentials):
*username:
*Password:
*Alternate Email:
All IT Service utilities will not be altered during this period, This will not affect the operation of your IT service systems or the manner in which you currently login to your account. Account access and usage will be disabled if you fail to comply as required.
Help Desk
Information Technology
© 2011 All rights reserved
Message Headers
Received: from xxxxxxxxx by XXXXXXXXXXXXX with Microsoft SMTP Server (TLS) id 8.2.254.0; Mon, 7 Feb
  2011 11:22:36 -0500
X-VirusChecked: Checked
X-Env-Sender: solorzanojs@guilford.edu
X-Msg-Ref: XXXXXXXXXXXXXXX
X-StarScan-Version: 6.2.9; banners=-,-,-
X-Originating-IP: [64.18.0.27]
X-SpamReason: No, hits=1.3 required=7.0 tests=HTML_10_20,HTML_MESSAGE,
  RCVD_BY_IP,TO_CC_NONE
Received: (qmail 7983 invoked from network); 7 Feb 2011 16:22:04 -0000
Received: from exprod5ob114.obsmtp.com (HELO exprod5ob114.obsmtp.com)
  (64.18.0.27) by XXXXXXXXX with DHE-RSA-AES256-SHA
  encrypted SMTP; 7 Feb 2011 16:22:04 -0000
Received: from source ([74.125.82.50]) (using TLSv1) by
  exprod5ob114.postini.com ([64.18.4.12]) with SMTP ID
  DSNKTVAcKZVBTjzoS6CLTP58eyLVOGiGUZXA@postini.com; Mon, 07 Feb 2011 08:22:03
  PST
Received: by wwf26 with SMTP id 26so4792305wwf.31 for
MIME-Version: 1.0
Received: by 10.227.146.9 with SMTP id f9mt2231835wbv.30.1297095263373; Mon,
  07 Feb 2011 08:14:23 -0800 (PST)
Received: by 10.216.17.137 with HTTP; Mon, 7 Feb 2011 08:14:23 -0800 (PST)
Reply-To:
Date: Mon, 7 Feb 2011 17:14:23 +0100
Message-ID:
Subject: User Quarantine Release Notification
From: Webmaster
Content-Type: multipart/alternative; boundary="0016e65c86dca986a5049bb3a147"
To: Undisclosed recipients:;
Return-Path: solorzanojs@guilford.edu
X-MS-Exchange-Organization-PRD: guilford.edu
Received-SPF: SoftFail
X-MS-Exchange-Organization-SenderIdResult: SOFTFAIL
Sender
solorzanojs@guilford.edu
Message path
10.216.17.137 (private ip)
|
10.227.146.9 (private ip)
|
74.125.82.50 (Google)
|
64.18.0.27 (Postini) - and guilford.edu uses Gmail+Postini too: http://www.robtex.com/dns/www.guilford.edu.html#records
|
final recipient (often someone who has nothing to do with guilford.edu - not a student, parent, or alumnus)
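The path above can be rebuilt mechanically from the Received headers, which each relay prepends, so delivery order is bottom to top. The following is an added example, not part of the original post; the header excerpt is copied from the message above (redactions as on the page), and the function names are illustrative.

```python
import ipaddress
import re
from email import message_from_string

# Header excerpt copied from the message above, redactions as on the page.
RAW = """\
Received: from exprod5ob114.obsmtp.com (HELO exprod5ob114.obsmtp.com)
 (64.18.0.27) by XXXXXXXXX with DHE-RSA-AES256-SHA
 encrypted SMTP; 7 Feb 2011 16:22:04 -0000
Received: from source ([74.125.82.50]) (using TLSv1) by
 exprod5ob114.postini.com ([64.18.4.12]) with SMTP ID
 DSNKTVAcKZVBTjzoS6CLTP58eyLVOGiGUZXA@postini.com; Mon, 07 Feb 2011 08:22:03
 PST
Received: by 10.227.146.9 with SMTP id f9mt2231835wbv.30.1297095263373; Mon,
 07 Feb 2011 08:14:23 -0800 (PST)
Received: by 10.216.17.137 with HTTP; Mon, 7 Feb 2011 08:14:23 -0800 (PST)
Received-SPF: SoftFail
X-MS-Exchange-Organization-SenderIdResult: SOFTFAIL
"""

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def first_ip(value):
    """First valid IPv4 in a Received value: the sending side of that hop."""
    for cand in IPV4.findall(value):
        try:
            return ipaddress.ip_address(cand)
        except ValueError:  # e.g. an octet above 255 inside a queue id
            continue
    return None

def message_path(raw):
    """Hops oldest-first as (ip, is_private). Only hops written by your own
    relays are trustworthy; older ones are text supplied by the sending side."""
    received = message_from_string(raw).get_all("Received", [])
    ips = (first_ip(v) for v in reversed(received))
    return [(str(ip), ip.is_private) for ip in ips if ip is not None]

def auth_results(raw):
    """Lower-cased SPF / Sender ID verdicts recorded by the receiving side."""
    msg = message_from_string(raw)
    names = ("Received-SPF", "X-MS-Exchange-Organization-SenderIdResult")
    return {n: (msg[n] or "").strip().lower() for n in names}

if __name__ == "__main__":
    for ip, private in message_path(RAW):
        print(ip, "(private ip)" if private else "")
    print(auth_results(RAW))
```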
I don't know if the solorzanojs@guilford.edu account is real or not, but it appears that the message indeed came from a Google/Gmail-based edu account - judging by Postini, which is not used by individual Gmail customers. It is possible that this edu account is compromised, as well as many other Gmail .edu accounts. See examples here:
- http://blogs.sjsu.edu/helpdesk/2010/12/08/another-scam-e-mail-going-around/
- http://www.uoguelph.ca/cio/content/recent-scams-and-phishing-attempts
or
Thank you for sharing.