Spamgourmet phishing message

General discussion re sg.

Postby IByte » Thu Oct 09, 2008 4:58 pm

Someone performing a phishing attack appears to be after my login data. I received the following message, purportedly (but obviously not) coming from Spamgourmet (headers munged):

Code:
Delivered-To: ______@gmail.com
Received: by 10.65.237.9 with SMTP id o9cs____55qbr;
        Thu, 9 Oct 2008 07:21:39 -0700 (PDT)
Received: by 10.141.75.17 with SMTP id c17_____562rvl.212.1223562098344;
        Thu, 09 Oct 2008 07:21:38 -0700 (PDT)
Return-Path: <+g__________________a1e1a6f.web.account1?live.com@spamgourmet.com>
Received: from gourmet.spamgourmet.com (gourmet.spamgourmet.com [216.75.35.164])
        by mx.google.com with ESMTP id g22s_________90rvb.8.2008.10.09.07.21.37;
        Thu, 09 Oct 2008 07:21:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of +g_______________1e1a6f.web.account1#live.com@spamgourmet.com designates 216.75.35.164 as permitted sender) client-ip=216.75.35.164;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of +g_________1e1a6f.web.account1#live.com@spamgourmet.com designates 216.75.35.164 as permitted sender) smtp.mail=+g___________e1a6f.web.account1#live.com@spamgourmet.com
Received: from gourmet.spamgourmet.com (localhost.localdomain [127.0.0.1])
   by gourmet.spamgourmet.com (8.13.8/8.13.7) with ESMTP id m99E_____24501
   for <_________@gmail.com>; Thu, 9 Oct 2008 14:21:37 GMT
Received: (from ____@localhost)
   by gourmet.spamgourmet.com (8.13.8/8.13.8/Submit) id m99ELa____4474
   for ___________@gmail.com; Thu, 9 Oct 2008 14:21:36 GMT
Received: from mail7.sea5.speakeasy.net (mail7.sea5.speakeasy.net [69.17.117.9])
   by gourmet.spamgourmet.com (8.13.8/8.13.7) with ESMTP id m99E_________5
   for <g____________@spamgourmet.com>; Thu, 9 Oct 2008 14:21:33 GMT
Received: (qmail 3214 invoked from network); 9 Oct 2008 12:42:40 -0000
Received: from wmail2.sea5.speakeasy.net ([69.17.117.158])
          (envelope-sender <web.account1@live.com>)
          by mail7.sea5.speakeasy.net (qmail-ldap-1.03) with SMTP
          for <Grqqqycz_____hczbxyrb.x.sturle@spamgourmet.com>; 9 Oct 2008 12:42:40 -0000
Received: from wmail.speakeasy.net (localhost [127.0.0.1])
   by wmail2.sea5.speakeasy.net (Postfix) with ESMTP id EDBE____52;
   Thu,  9 Oct 2008 05:42:39 -0700 (PDT)
Content-Disposition: inline
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Subject:   Warning Alert !! (g_________: message 2 of 20)
X-Mailer: AtMail  - 41.220.75.3 - marykos@speakeasy.net
Date: Thu, 09 Oct 2008 05:42:39 PDT
X-Origin: 41.220.75.3
Message-Id: <1459.1223556159@speakeasy.net>
To: info@spamgourmet.com
From: "SPAMGOURMET  Email  MANAGEMENT - web.account1@live.com" <+g_________e1a6f.web.account1#live.com@spamgourmet.com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by gourmet.spamgourmet.com id m99______45




Dear SPAMGOURMET Email Account Owner,
This message is from SPAMGOURMET MAIL MANAGEMENT messaging
center to all email account owners. We are currently
upgrading our data base and e-mail
account center.We are deleting all unused  email account to
create more  space for new accounts.

To prevent your account from closing you will have to update
it below so that we will know that it's a present used
account.
CONFIRM YOUR EMAIL IDENTITY BELOW

Email Username : .......... .....
EMAIL Password : ................
Date of Birth : .................
Alternative Email : ..........

Warning!!! Account owner that refuses to update his or her
account within Seven days of receiving this warning will
lose his or her account permanently.
Thank you for your understanding
SPAMGOURMET Email Managemen







IByte
 
Posts: 3
Joined: Thu Oct 09, 2008 4:37 pm
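
Added example (not part of the original thread): a small Python triage of headers shaped like the ones posted above. It reads the Received chain oldest hop first, shows that the SPF pass is recorded for the forwarding service's rewritten envelope sender rather than for the host that first submitted the message, and lists the credential fields the body asks for. The sample message is constructed, and all hosts, addresses and IPs in it are placeholders.

```python
import re
from email import message_from_string

# Constructed sample modelled on the posted headers; every host, address and
# IP below is a placeholder (example domains, documentation address ranges).
SAMPLE = """\
Received: from forwarder.example.net (forwarder.example.net [198.51.100.7])
        by mx.example.org with ESMTP id abc; Thu, 09 Oct 2008 07:21:38 -0700
Received-SPF: pass (example.org: domain of +alias.sender#example.com@forwarder.example.net designates 198.51.100.7 as permitted sender)
Received: from webmail.example.com (webmail.example.com [192.0.2.9])
        by forwarder.example.net with ESMTP id def; Thu, 9 Oct 2008 14:21:33 GMT
X-Origin: 203.0.113.3
From: "EXAMPLE Email MANAGEMENT" <+alias.sender#example.com@forwarder.example.net>
To: info@forwarder.example.net
Subject: Warning Alert !!

CONFIRM YOUR EMAIL IDENTITY BELOW
Email Username : ..........
EMAIL Password : ..........
Date of Birth : ..........
"""

def received_hops(msg):
    """Return (from_host, by_host) pairs, oldest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", value, re.S)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops[::-1]  # headers are prepended, so the last one is the oldest

def analyse(raw):
    msg = message_from_string(raw)
    hops = received_hops(msg)
    spf = re.search(r"domain of \S+@([\w.-]+)", msg.get("Received-SPF", ""))
    spf_domain = spf.group(1) if spf else None
    origin = hops[0][0] if hops else None
    body = msg.get_payload()
    asked = [kw for kw in ("username", "password", "date of birth")
             if re.search(rf"{kw}\s*:\s*\.{{3,}}", body, re.I)]
    return {
        "hops": hops,
        "spf_domain": spf_domain,
        # SPF passing for the forwarder says nothing about the first hop.
        "spf_covers_origin": bool(origin and spf_domain and origin.endswith(spf_domain)),
        "x_origin": msg.get("X-Origin"),
        "solicits": asked,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```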

Me too

Postby jknecht » Thu Oct 09, 2008 7:21 pm

I got the same email today as well.

The address that it was originally sent to was feedhub.20.username..., so either somebody got the email address from feedhub (where I think I created an account a long time ago) or they are just shooting in the dark and trying to make it appear that feedhub is involved in some way.
jknecht
 
Posts: 2
Joined: Thu Oct 09, 2008 7:15 pm

Probably harvested

Postby IByte » Thu Oct 09, 2008 7:56 pm

The Spamgourmet address I used is shown on a publicly accessible bug tracking list, so they probably just harvested it from the web. I haven't had any other spam on that address yet, though.
IByte
 
Posts: 3
Joined: Thu Oct 09, 2008 4:37 pm

Postby josh » Fri Oct 10, 2008 2:51 am

yeah - I got a couple, too -- I bet they're going to other webmail providers, too. I put a news item in.

Hopefully asking for date of birth will tip any spamgourmet user off that it's bogus, since we never ask for something like that.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

also a bug tracking list

Postby yizwos » Fri Oct 10, 2008 9:17 pm

I also had it on one address which was already being spammed. I had used spamgourmet.com when posting (not an alias) and it was an address which I posted to a public bug tracking list. I hope it's not a targeted attack against software developers. It's probably too obvious to work if it is. My first instinct was to come to the forum :-) What is with these people?
I'm veggie, so please eat a tin of spam for me.
yizwos
 
Posts: 5
Joined: Sat Jan 05, 2008 9:45 pm

Postby jknecht » Sat Oct 11, 2008 1:48 am

These spammers are obviously pretty stupid if they think that fishing after spamgourmet users is the best use of their time. I'd imagine spamgourmet users are probably a lot more tech-savvy than most users and probably more paranoid than most too.

I'm curious about whether they really got my address from feedhub's private database, since it was addressed to feedhub.20.username, or if they made it up and added 'feedhub' for some reason (perhaps to cause trouble for feedhub).

yizwos and IByte said their address was posted publicly. Mine definitely was not public. josh, was the address they used for you one that you had definitely given out somewhere, and had you given it out publicly (or just to a private party/company), or do you think they just made it up based on your username?
jknecht
 
Posts: 2
Joined: Thu Oct 09, 2008 7:15 pm

Purported sender auto-generated?

Postby IByte » Sat Oct 11, 2008 9:05 pm

jknecht wrote:These spammers are obviously pretty stupid if they think that fishing after spamgourmet users is the best use of their time. I'd imagine spamgourmet users are probably a lot more tech-savvy than most users and probably more paranoid than most too.

I have a hunch that the name of the email service mentioned in the phishing mail is auto-generated from the receiving address's domain, so they might not be targeting Spamgourmet specifically.
IByte
 
Posts: 3
Joined: Thu Oct 09, 2008 4:37 pm

