Social phishing gone third party forms


Recently we have noticed an increase in third party auto-form websites popping up all over the internet. Since then, the number of phishing attacks has also gone up, from the old "Check Here To Re-Validate Your Mailbox." to "We have noticed an abnormal pattern to the usage of your email account, and have temporarily suspended it, Click Here, to reactivate it."

These are just a few of the messages directed at our users that we have received recently; all of them were automatically blocked by our spam filtering software. We have discovered that the majority of these messages originate from BigPond, a subsidiary of Telstra Internet Services. When we tried to look up a contact email for BigPond, all we got was an endless circle of help links, so we have decided to make this post public in the hope that they will contact us to get this resolved.

Below are some of the raw messages we have received. The links have been terminated by the third party sites involved, but the emails still flow into our system directed at our users.

Phishing emails

Received: from node4.spacequad.com [192.168.0.250] by node4.spacequad.com with ESMTP
  (SMTPD32-7.07) id A7D329960208; Tue, 10 Jan 2012 09:14:43 -0500
Received: from 201.18.173.201 by node4.spacequad.com (Spacequad Internet Services - When reporting spam, please include this header and send reports in English, to abuse@spacequad.com.  All SPAM emails are automatically deleted and never delivered to user inboxes.  If you feel you emails have been unjustly deleted without cause, then contact us through our website at http://www.spacequad.net); Tue, 10 Jan 2012 09:14:43 -0500
Received: from User (unknown [180.215.175.52])
    by mail.joaopessoa.pb.gov.br (Postfix) with ESMTPA id B8DC76C6E5;
    Tue, 10 Jan 2012 11:13:40 -0300 (BRT)
From: "Admin"<admin@erica.co.uk>
Subject: Mailbox
Date: Tue, 10 Jan 2012 19:44:13 +0530
MIME-Version: 1.0
Content-Type: text/html;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-PMJP-MailScanner-ID: B8DC76C6E5.AED88
X-PMJP-MailScanner: Found to be clean
X-PMJP-MailScanner-SpamScore: sssss
X-PMJP-MailScanner-From: admin@erica.co.uk
X-Spam-Status: No
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <admin@erica.co.uk>
X-SF-HELO-Domain: mail.joaopessoa.pb.gov.br
X-SF-Originating-IP: 201.18.173.201
Message-Id: <201201100914963.SM01088@node4.spacequad.com>
X-RCPT-TO: <support@spacequad.com>
Status: U
X-UIDL: 61102861

Check Here To Re-Validate Your Mailbox.


--
Esta mensagem foi verificada pelo sistema de antivírus e
acredita-se estar livre de perigo.

Received: from node4.spacequad.com [192.168.0.250] by node4.spacequad.com with ESMTP
  (SMTPD32-7.07) id AC861CA501FE; Tue, 10 Jan 2012 17:32:38 -0500
Received: from 216.211.26.101 by node4.spacequad.com (Spacequad Internet Services - When reporting spam, please include this header and send reports in English, to abuse@spacequad.com.  All SPAM emails are automatically deleted and never delivered to user inboxes.  If you feel you emails have been unjustly deleted without cause, then contact us through our website at http://www.spacequad.net); Tue, 10 Jan 2012 17:32:38 -0500
Received: from <amsbrusl@tbaytel.net>
  by back2.tbaytel.net (CommuniGate Pro RULES 5.2.19)
  with RULES id 3393010; Tue, 10 Jan 2012 17:32:36 -0500
X-Autogenerated: Mirror
Resent-From: <amsbrusl@tbaytel.net>
Resent-Date: Tue, 10 Jan 2012 17:32:36 -0500
X-Real-To: amsbrusl@tbaytel.net
X-Junk-Score:   0 []
X-Cloudmark-Score:   0 []
X-Cloudmark-Analysis: v=1.1 cv=XAmV+LwrtiPZyAw8hfrPaxZ7ZXLIDqCUQb8YEdLBxrc= c=1 sm=1 a=Dyoqhi_TatcA:10 a=ByvEmmiFD8wA:10 a=JDadKst33uMA:10 a=-MqZA7VOL50A:10 a=WHsXhg87phMA:10 a=8EU9Q7FnrCoA:10 a=oVHfjPbe8pkA:10 a=Cfj4BQAnxiAA:10 a=bj0ZDL_8QzkA:10 a=F608s/O5Y8b+dwXGyNhgDA==:17 a=KST_e3SXtbceHVlWN3gA:9 a=0OSPoWPKoWPOPyFGrW4A:7 a=Ft8UYL4EG9YA:10 a=yW7PDUyutfhLYkPNsytjcg==:117
X-CGP-ClamAV-Result: CLEAN
X-VirusScanner: Niversoft's CGPClamav Helper v1.16 (ClamAV engine v0.97)
Received: from nschwmtas03p.mx.bigpond.com ([61.9.189.143] verified)
  by front2.tbaytel.net (CommuniGate Pro SMTP 5.2.19)
  with ESMTP id 84311878; Tue, 10 Jan 2012 17:32:36 -0500
Received-SPF: pass
 receiver=front2.tbaytel.net; client-ip=61.9.189.143; envelope-from=lori.thompson7@bigpond.com
Received: from nschwotgx01p.mx.bigpond.com ([180.215.175.52])
          by nschwmtas03p.mx.bigpond.com with ESMTP
          id <20120110223229.WUAC9914.nschwmtas03p.mx.bigpond.com@nschwotgx01p.mx.bigpond.com>;
          Tue, 10 Jan 2012 22:32:29 +0000
Received: from User ([180.215.175.52]) by nschwotgx01p.mx.bigpond.com
          with ESMTP
          id <20120110223227.VJLX2024.nschwotgx01p.mx.bigpond.com@User>;
          Tue, 10 Jan 2012 22:32:27 +0000
Reply-To: <barron2law@hotmail.com>
From: "Admin"<lori.thompson7@bigpond.com>
Subject: CONFIRM YOUR EMAIL IDENTITY BELOW..
Date: Wed, 11 Jan 2012 04:02:14 +0530
MIME-Version: 1.0
Content-Type: text/html;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Authentication-Info: Submitted using SMTP AUTH LOGIN at nschwotgx01p.mx.bigpond.com from [180.215.175.52] using ID lori.thompson7@bigpond.com at Tue, 10 Jan 2012 22:31:34 +0000
Message-Id: <20120110223227.VJLX2024.nschwotgx01p.mx.bigpond.com@User>
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <lori.thompson7@bigpond.com>
X-SF-HELO-Domain: tbaytel.net
X-SF-Originating-IP: 216.211.26.101
X-RCPT-TO: <amsbrusl@spacequad.com>
Status: U
X-UIDL: 611741147

Dear Account Owner,

 
This message is from mail messaging center to all Mail E-mail account owners. We are currently upgrading our data base account center.
 
We are deleting all the account that is spamed by spam gilton to  create more space for new accounts. To prevent your account from  closing you will have to update it below so that we will know that  it's a present used account.
 
I will be waiting for your response manager
 
CONFIRM YOUR EMAIL IDENTITY BELOW
 
Email Username :
EMAIL Password :
 
We do await for your urgent reply.
 
Mail Account Team
Admin.
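
As an added example (not the blog's own tooling), this is the triage a receiving mail admin can run on the second message above: walk the Received chain bottom-up to the originating IP, read the X-Authentication-Info header that BigPond stamped on the submission, and flag the Reply-To that points away from the From domain. The sample headers are trimmed from the page's second message; the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the second message above, trimmed to its Received chain and key headers (message ids and body dropped); every value is the page's own.
SAMPLE = """\
Received: from 216.211.26.101 by node4.spacequad.com; Tue, 10 Jan 2012 17:32:38 -0500
Received: from nschwmtas03p.mx.bigpond.com ([61.9.189.143] verified)
  by front2.tbaytel.net (CommuniGate Pro SMTP 5.2.19)
  with ESMTP id 84311878; Tue, 10 Jan 2012 17:32:36 -0500
Received: from nschwotgx01p.mx.bigpond.com ([180.215.175.52])
          by nschwmtas03p.mx.bigpond.com with ESMTP; Tue, 10 Jan 2012 22:32:29 +0000
Received: from User ([180.215.175.52]) by nschwotgx01p.mx.bigpond.com
          with ESMTP; Tue, 10 Jan 2012 22:32:27 +0000
Reply-To: <barron2law@hotmail.com>
From: "Admin"<lori.thompson7@bigpond.com>
X-Authentication-Info: Submitted using SMTP AUTH LOGIN at nschwotgx01p.mx.bigpond.com from [180.215.175.52] using ID lori.thompson7@bigpond.com at Tue, 10 Jan 2012 22:31:34 +0000
"""
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_chain(raw):
    """Hops in transit order: each MTA prepends its Received line, so the last one is the first hop."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        value = " ".join(value.split())                 # unfold continuation lines
        from_part, _, rest = value.partition(" by ")
        by = re.match(r"[^\s;]+", rest)
        hops.append({"from_ips": IP_RE.findall(from_part), "by": by.group(0) if by else None})
    return hops

def auth_submission(raw):
    """(ip, account) from X-Authentication-Info, or None if the header is absent."""
    v = " ".join((message_from_string(raw).get("X-Authentication-Info") or "").split())
    ip, acct = IP_RE.search(v), re.search(r"using ID (\S+)", v)
    return (ip.group(1), acct.group(1)) if ip and acct else None

def domain(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def assess(raw):
    """Triage for the abuse desk: true origin, relay path, and what to report."""
    msg, hops = message_from_string(raw), received_chain(raw)
    origin = next((h["from_ips"][0] for h in hops if h["from_ips"]), None)
    findings, auth = [], auth_submission(raw)
    if auth and auth[0] == origin:   # only the provider that saw the login can act on this
        findings.append(f"SMTP AUTH submission as {auth[1]} from {origin}: likely compromised mailbox")
    reply_dom, from_dom = domain(msg.get("Reply-To", "")), domain(msg.get("From", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return {"origin_ip": origin, "path": [h["by"] for h in hops], "findings": findings}
```

The Received chain shows the message entering at BigPond's submission host from 180.215.175.52 (the same address seen in the first message's headers), which is why the abuse report belongs with BigPond rather than with the relays in between.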