[SV-PAL Customer Support]



Beware of e-mail fraud

Summary:
E-mail that appears to come from support@svpal.org (it does not) asks users to click on a link that appears to point to www.svpal.org (it does not). If you click on that link, you are confirming to whoever sent the message (probably a spammer) that your e-mail address is valid and read, so they can spam you until the end of time; the page behind the link may also ask for your password.
Details:

Support received several e-mail messages such as this:

============================================================
The original message was received at Thu, 09 Jun 2005 04:42:55 -0700 (PDT)
from 3v7l8dbta6xgljlx@enterprise-pn.svpal.org [192.168.147.69]

   ----- The following addresses had permanent fatal errors -----

    (reason: 550 5.1.1 User Unknown)

   ----- Transcript of session follows -----
550 5.1.1 ... User Unknown
    [ Part 2: "" ]

Reporting-MTA: dns; svpal.svpal.org
Arrival-Date: Thu, 09 Jun 2005 04:42:55 -0700 (PDT)

Final-Recipient: RFC822; xxxxxxx@svpal.org
X-Actual-Recipient: RFC822; xxxxxxx@svpal.org
Action: failed
Status: 5.1.1
Diagnostic-Code: SMTP; 550 5.1.1 User Unknown
Last-Attempt-Date: Thu, 09 Jun 2005 04:42:55 -0700 (PDT)


    [ Part 3: "" ]

Return-Path: 
Received: from enterprise.svpal.org
    (3v7l8dbta6xgljlx@enterprise-pn.svpal.org [192.168.147.69])
        by svpal.svpal.org (8.13.3/8.13.1) with ESMTP id j59BgjMr025999
        for ; Thu, 9 Jun 2005 04:42:45 -0700 (PDT)
        (envelope-from support@svpal.org)
Received: from svpal.org (c-67-175-178-210.hsd1.il.comcast.net
    [67.175.178.210])
        by enterprise.svpal.org (8.13.3/8.13.1) with ESMTP id j59BgPSa091374
        for ; Thu, 9 Jun 2005 04:42:25 -0700 (PDT)
        (envelope-from support@svpal.org)
Message-Id: 
From: support@svpal.org
To: xxxxxxx@svpal.org
Subject: Account Alert
Date: Thu, 9 Jun 2005 06:42:20 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0009_11E42639.B200AB51"
X-Priority: 3
X-MSMail-Priority: Normal
X-Filter-Version: 1.11a-svpal (enterprise.svpal.org)
X-MailFilter: Yes
 
Dear Valued Member,  
According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons. 
http://www.svpal.org/confirm.php?email=xxxxxxx@svpal.org 
Thank you for your attention to this question. We apologize for any inconvenience. 
Sincerely,Svpal Security Department Assistant. 
============================================================

This is a bounce message (a delivery status notification): xxxxxxx@svpal.org does not exist, so svpal.svpal.org rejected it with "550 5.1.1 User Unknown". The bounce went to support@svpal.org because that is the address the sender fraudulently used, both in the "From:" field and as the envelope sender (note "(envelope-from support@svpal.org)" in the Received: lines). Bounces are returned to the envelope sender, so whoever's address is forged gets other people's bounces. The message was really sent from c-67-175-178-210.hsd1.il.comcast.net [67.175.178.210], which announced itself to enterprise.svpal.org as "svpal.org". When you read Received: lines, read them from the top down and trust only the ones added by your own servers (here svpal.svpal.org and enterprise.svpal.org); the first outside host they record is the real origin, and anything the sender put below that can be forged.

The link http://www.svpal.org/confirm.php?email=xxxxxxx@svpal.org appears to be pointing to www.svpal.org, BUT IT IS NOT. The address you see is only the link's visible text; the real destination is in the HTML. Here is the same message, showing the source:

<html> 
<body> 
<BR><STRONG>Dear Valued Member, </STRONG><BR> 
<BR>According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.<BR> 
<BR><a href="http://209.67.220.164/confirm.php?email=xxxxxxx@svpal.org">http://www.svpal.org/confirm.php?email=xxxxxxx@svpal.org</a><BR> 
<BR>Thank you for your attention to this question. We apologize for any inconvenience.<BR> 
<BR>Sincerely,Svpal Security Department Assistant.<BR> 
</body> 
</html>
The link actually points to http://209.67.220.164/confirm.php?email=xxxxxxx@svpal.org: the href attribute (where your browser goes) is different from the visible text of the link (what you see). Most mail programs and browsers show the real destination when you hover over a link; viewing the message source shows it for certain.
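As an added example (not SV-PAL's own code), here is a small Python script that does both checks described above: it walks the Received: chain to find the host that really handed the message to the svpal.org servers, compares that host with the "From:" address, and then parses the HTML for links whose visible text shows one host while the href goes to another. The sample message is reconstructed from the headers and HTML printed on this page; fields that are blank in the printout (Return-Path, Message-Id, the "for" recipient) are left out, and OUR_DOMAIN and the function names are this example's own assumptions.

```python
"""Triage a suspected phishing message: where did it really come from, and
where does its link really go?  Added example, not SV-PAL's own tooling."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

OUR_DOMAIN = "svpal.org"   # assumption: Received: lines added "by" hosts here are trusted

# Constructed sample, rebuilt from the headers and HTML shown on this page.
# Fields that are blank in the printout (Return-Path, Message-Id, "for") are omitted.
SAMPLE = """\
Received: from enterprise.svpal.org
    (3v7l8dbta6xgljlx@enterprise-pn.svpal.org [192.168.147.69])
        by svpal.svpal.org (8.13.3/8.13.1) with ESMTP id j59BgjMr025999
        (envelope-from support@svpal.org)
Received: from svpal.org (c-67-175-178-210.hsd1.il.comcast.net
    [67.175.178.210])
        by enterprise.svpal.org (8.13.3/8.13.1) with ESMTP id j59BgPSa091374
        (envelope-from support@svpal.org)
From: support@svpal.org
To: xxxxxxx@svpal.org
Subject: Account Alert
Content-Type: text/html

<html><body>
<BR><STRONG>Dear Valued Member, </STRONG><BR>
<BR><a href="http://209.67.220.164/confirm.php?email=xxxxxxx@svpal.org">http://www.svpal.org/confirm.php?email=xxxxxxx@svpal.org</a><BR>
</body></html>
"""

# sendmail-style hop: "from HELO (rdns [ip]) by HOST ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)")


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def true_origin(msg):
    """Return (helo, rdns, ip) of the peer that handed the message to our servers.
    Received: lines are newest-first; walk down while the line was added "by" one
    of our own hosts and keep the last such hop.  Lines below that were written
    by the sender and may be forged, so they are never consulted."""
    origin = None
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())          # unfold the header
        m = RECEIVED_RE.search(line)
        if not m or not in_domain(m["by"], OUR_DOMAIN):
            break                             # first hop we did not record ourselves
        origin = (m["helo"], m["rdns"] or "", m["ip"])
    return origin


def sender_mismatch(msg):
    """Compare the From: domain the reader sees with the reverse DNS of the real
    origin.  Returns (from_domain, origin_rdns, mismatch)."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    origin = true_origin(msg)
    rdns = origin[1].lower() if origin else ""
    return from_domain, rdns, not in_domain(rdns, from_domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html):
    """Return (shown, real) pairs where the link text is itself a URL on one host
    but the href sends the browser to a different host."""
    p = LinkCollector()
    p.feed(html)
    p.close()
    flagged = []
    for href, text in p.links:
        shown = urlsplit(text).hostname if "://" in text else None
        real = urlsplit(href).hostname
        if shown and real and shown.lower() != real.lower():
            flagged.append((text, href))
    return flagged


def triage(raw_message):
    """Run both checks over one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    return {"origin": true_origin(msg),
            "sender": sender_mismatch(msg),
            "links": deceptive_links(msg.get_payload())}
```

Calling triage(SAMPLE) reports the Comcast host as the true origin, a "From:" domain that does not match it, and the one link whose text and href disagree. The HELO name the peer announced ("svpal.org") is returned as well: a remote host that greets your server with your own domain name is another sign of forgery.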

209.67.220.164 is registered to:

OrgName:    Layered Technologies, Inc. 
OrgID:      LAYER-3
Address:    18816 Preston Road
Address:    Suite #100
City:       Dallas
StateProv:  TX
PostalCode: 75252
Country:    US

In conclusion, do not assume a message was sent from svpal.org just because it says so, and do not click on a suspicious link in an e-mail message; if you want to check your account, type www.svpal.org into your browser yourself. If you have questions, e-mail us at spt1@svpal.org or ar1@svpal.org (that is the digit one in the addresses, not the letter L).


P.S. Here is one reply to the abuse report:

============================================================
From abuse@savvis.net Thu Jun  9 09:49:26 2005
Date: Thu, 9 Jun 2005 09:34:10 -0500
From: "> [Savvis Abuse]" <abuse@savvis.net>
To: SVPAL Customer Support <spt1@svpal.org>
Subject: RE: ***FRAUD REPORT for 67.175.178.210 and 209.67.220.164***

The SAVVIS Security Team has become aware of a new virus variant
traversing the Internet which presents a serious security risk. This
virus may come as an attachment, or may be distributed as SPAM with a
spoofed source address and an http link to a malicious password
gathering web site.   Infected attachments will normally be intercepted
by the anti-virus software running on email gateways.  Malicious links
will not always be intercepted or identified by anti-virus software.
The links may be disguised so they appear to be from the user's local
domain, but in reality, point to an external malicious site.

Two such sites (209.67.220.164) and (205.138.199.146) were identified as
belonging to an unmanaged host on a customer network and were null
routed on Monday 6/6/2005. SAVVIS has notified our customers and
requested they contact local law enforcement for investigation of their
server.  Even though the malicious site has been taken down, users may
continue to receive spoofed emails for several days or even weeks.
These emails should be deleted without interacting.  Any user that has
entered account or password information via one of these links should
change their password immediately.

As always, users are warned against opening any unrequested attachments,
even if they appear to come from known or trustworthy sources and should
never submit their account information and password to any unrequested
links that they visit.

Description:

This virus is being spread by Microsoft servers and/or workstations.

It is being referenced by one or more variants of the type:

W32/Mytob.

More information on the virus can be found at:

http://vil.nai.com/vil/newly-discovered-viruses.asp

The Savvis Security Team
============================================================

SV-PAL Home Page

http://www.svpal.org/support/
support@svpal.org


Copyright © 2001-2006 Silicon Valley Public Access Link