Interact Suite abused for phishing

Someone has sent mail around requesting you, as an Interact Suite customer, to help them to “enhance security”. This is what the message looks like when opened in Outlook – where it will show up as an HTML page (I guess most users have it set that way):
[Screenshot: the urgent request as it shows in HTML-based mail (Outlook)]
But in the raw text (use “View source”), the link appears to go to some other address:

In accordance with introduction of the new security level in our system, it is urgently requested to follow this link
<a href="http://interact.regions.secuserver8.com/ibsregions/cmserver/welcome/default/verify.cfm">
https://interact.regions.com/ibsregions/cmserver/welcome/default/verify.cfm</a>
and to create a secret question/answer pair, which will be an additional measure for preventing nauthorized access to Your accounts.

So that only customers will use this abusive link, it says:

If You are not Regions Bank US InterAct Customer please disregard this letter.

A good bank has proper relation management and this letter would not have been sent in the first place!

Full header as it appears on my system:

Return-Path: akstcutahmbdmnsdgs@utahmbd.com
Received: from 198.pool85-49-20.dynamic.orange.es (85.49.20.198)
by diana.intra.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Tue, 17 Jul 2007 23:49:49 +0100 (CET)
Return-Path:
Received: from aa.bb.cc.dd (HELO utahmbd.com)
by grootersnet.nl with esmtp (C-X)*-PU0A6G 7++;+S)
id B5J@/5-152D.< -M. for XXXXXXXXXX@XXXXXXXXXX.NL; Tue, 17 Jul 2007 21:49:44 -0100
From: "administration@XXXXXXXXXXXX.net"
To: < (Me)>
Subject: Urgent Request ID586948
Date: Tue, 17 Jul 2007 21:49:44 -0100
Message-ID: <01c7c8bc$6345e3c0$6c822ecf@akstcutahmbdmnsdgs>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_000A_01C7C8CD.26CEB3C0"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4963.1700
Thread-Index: Aca6Q7S.*N?F8/51UL9890?+F9?73)==

(For obvious reasons, I have removed email addresses – except the sender’s one. To start with, it looks like a completely bogus one, and if it isn’t, well, it’s his own fault.)

I have informed the ISP and the expected sender.

Alert 09-Jul-2007

Don’t reply on this:

Subject line:

Worm Alert!

Message body:

Dear Customer,

Our robot has detected an abnormal activity from your IP adress
on sending e-mails. Probably it is connected with the last epidemic
of a worm which does not have official patches at the moment.

We recommend you to install this patch to remove worm files
and stop email sending, otherwise your account will be blocked.

Abuse Team

(“this patch” is actually a link:

<a href="http://68.61.229.214/?7703a3b01bdad81d9b848ca9a885b5e6291c3d">this patch</a>

and will very likely install a worm, backdoor, virus or other malware on your system.)

The header that I found was:

X-McAfeeVS-TimeoutProtection: 0
Return-Path:
Received: from grootstal.nijmegen.internl.net by hees.nijmegen.internl.net
via grootstal.nijmegen.internl.net [217.149.192.7] with ESMTP for
id l69JQmRx021094 (8.13.8/2.11); Mon, 9 Jul 2007 21:26:48 +0200 (MEST)
Received: from 248.145-62-69.ftth.swbr.surewest.net by grootstal.nijmegen.internl.net
via 248.145-62-69.ftth.swbr.surewest.net [69.62.145.248] with SMTP for

id l69JQjFj012570 (8.13.6/2.05); Mon, 9 Jul 2007 21:26:47 +0200 (MEST)
X-RelayHost: 69.62.145.248
Received: (qmail 24120 invoked from network); Mon, 9 Jul 2007 12:26:42 -0700
Received: from unknown (HELO crs) (98.132.150.165)
by 248.145-62-69.ftth.swbr.surewest.net with SMTP; Mon, 9 Jul 2007 12:26:42 -0700
Date: Mon, 9 Jul 2007 12:26:42 -0700
To: willem@grooters.100.nl
From: “Abuse Team”
Reply-to: art@hyde-housing.co.uk
Subject: Worm Alert!
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer [version 1.72]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset=”windows-1252″
X-Language-Detected: en
X-Spam-Scanned: InterNLnet Mail Scan System V2.03

and the address is an anonymized one (doesn’t lead to a real address)
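
The two mails above hide the real destination in different ways: the first displays one URL while the link goes to another host, the second puts a bare IP address behind the words “this patch”. The Python below is an added example, not part of the original post, that checks an HTML mail body for both patterns. The names `LinkCollector`, `host_of`, `is_ip` and `audit_links` are made up for this illustration, and the sample anchors are the ones quoted in the mails above.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Anchors as quoted in the two mails above, embedded so the check runs offline.
SAMPLE_BANK = ('<a href="http://interact.regions.secuserver8.com/ibsregions/cmserver/welcome/default/verify.cfm">'
               'https://interact.regions.com/ibsregions/cmserver/welcome/default/verify.cfm</a>')
SAMPLE_WORM = '<a href="http://68.61.229.214/?7703a3b01bdad81d9b848ca9a885b5e6291c3d">this patch</a>'

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit_links(html_body):
    """Return (href, reason) for anchors whose target is not what the reader sees."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target, shown = host_of(href), re.search(r"https?://\S+", text)
        # Visible text is itself a URL, but for a different host than the href.
        if shown and host_of(shown.group()) != target:
            findings.append((href, f"text shows {host_of(shown.group())}, link goes to {target}"))
        if is_ip(target):
            findings.append((href, "link target is a bare IP address"))
    return findings
```

`audit_links(SAMPLE_BANK)` reports the host mismatch and `audit_links(SAMPLE_WORM)` reports the bare IP target; an anchor whose text and href share a host yields no finding.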