The forging of email addresses of our domain names continues as the never ending barrage of phishing and other dangerous SPAM email is received. These attacks are socially engineered in that they rely on the fact that the email appears to come from your domain name, but does not. The most recent attack received looks like the following and contains the subject line “your mailbox has been deactivated“:
We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.
Best regards, pfeiferhouse.com technical support.
It appears to be from support@yourdomain.[com,net,org]. If you examine the email header information and trace the IP address you will find that the IP address does not match that of the IP address of the email server for your domain name.
Outlook users can look at the email header information by right clicking on the email and selecting the ‘Options…’ menu item. A window will appear that looks similar to the following:
Received: (qmail 61213 invoked by uid 98); 16 Nov 2009 18:06:16 -0000
Received: from 220.127.116.11 by tahoestores.org (envelope-from <firstname.lastname@example.org>, uid 1002) with qmail-scanner-2.01
(clamdscan: 0.95.1/9441. spamassassin: 3.2.5.
Processed in 2.550748 secs); 16 Nov 2009 18:06:16 -0000
X-Spam-Status: No, score=2.1 required=2.5
Received: from cbk137.neoplus.adsl.tpnet.pl (18.104.22.168)
by tahoestores.org with SMTP; 16 Nov 2009 18:06:11 -0000
Received: from 22.214.171.124 by mailin.rzone.de; Mon, 16 Nov 2009 19:05:35 +0100
From: “email@example.com” <firstname.lastname@example.org>
Subject: your mailbox has been deactivated
Date: Mon, 16 Nov 2009 19:05:35 +0100
X-Priority: 3 (Normal)
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2905
Notice the Return path and the IP address highlighted above. If the Return path does not match the email address you see in your inbox you will know right away that the email address is forged. You can further verify that the email is SPAM by comparing the IP address to the IP address of our email server which is 126.96.36.199.
Customers of Gossamer can also rest assured that the configuration of our email server cannot be modified or otherwise updated by running a program on your local machine.
You will not continue to see these emails as Gossamer blocks the offending IP addresses permanently from our email server as soon as they are received. In addition, our virus and SPAM filters will generally update within 24 hours to block similar SPAM and virus content.
If you do receive a suspicious email related to the continued use of your email account you may safely ignore it and remember the golden email rule. Also remember the corollary, do not click on links contained in email from those you do not know.
If you do receive a similar email, follow the golden email rule and delete it. If you are so inclined, you can also send the email header information to me and I will immediately ban the IP address.
You may also review a variety of other similar attacks on Google by searching on ‘your mailbox has been deactivated’.