Every so often something slips by the spam filters and also catches my attention. Maybe a couple times a year, but this one needed chasing.
I got a mail on a private account with the highly suspicious subject line of "YOU HAVE WON!!!!!!!!!!!!!!"
Rightie then. Time for a text-mode reader! PINE to the rescue! I drop into header mode so it won't render anything in there. This happens fairly frequently when things leak, I like to see the header-spam to see what the spam checkers thought of it on the way through. This one was somewhat unremarkable, but one thing did stand out. It passed SPF checks.
X-RC-DBID: 046c9cac-dc1e-47d7-acbb-d595ac2651b6
X-RC-ID: 20071025215619610
X-RC-IP: 209.8.50.37
X-RC-FROM:
X-RC-RCPT:
DomainKey-Signature: a=rsa-sha1;
h=Received:From:To:Reply-To:Subject:MIME-Version:Content-Type:Message-Id:Date;
b=e3NoRXbKhaqJoV3E9ofjd93PAw0NK64MJVN2M3AYWq2t0oDuGu9TJ/nbFp/UUyclm2BRKlf/0R
EJP05/UN9dia4UmNKmmCRlhsvg/ov0dAgbjRUktkKwWW32izAfrA3uczt6fFSjmAy3U76siqXxNH
/QlL/RWHQbX2i8KIAx0KA=; c=nofws; d=yousendit.com; q=dns; s=signed
Received: from localhost (unknown [209.8.50.53])
by wa-smtp-02.yousendit.com (Postfix) with ESMTP id 6FA7B3550334
for ; Thu, 25 Oct 2007 14:56:15 -0700 (PDT)
From: Victor Kundala via YouSendIt
To: xxxxxxxxxxxxxxx,
Reply-To: victor_kundala5@yahoo.co.uk
Subject: YOU HAVE WON!!!!!!!!!!!!!!
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_7f6931b42522c2a348a97f74dbe1dad0"
Message-Id: <20071025215615.6fa7b3550334@wa-smtp-02.yousendit.com>
Date: Thu, 25 Oct 2007 14:56:15 -0700 (PDT)
Huh. So I google up "yousendit" and find that it really is a legitimate service. The text of the email was the typical gark:
Hello from YouSendIt,
You have a file or files called Dear Winner.doc (1 file(s)) from
victor_kundala5@yahoo.co.uk waiting for download.
You can click on the following link to retrieve your File. The link will expire
in 14 Days .
Link: http://download.yousendit.com/05CE02D8475BB9F9
Do not reply to this automatically-generated email. If you have any questions,
please email us at paidsupport@yousendit.com.
-----
File too big for email? Try YouSendIt at @ysi.base.url@
YouSendIt
1919 S.Bascom Ave., 3rd Floor
Campbell, CA 95008
Really? So a little wget magic and I have the file, which I crack open with strings and I get this text:
Dear Winner
We happily announce to you today, the draw of the online UK National Lottery programme held on 20th of October 2007. Your e-mail address won you in the second category, your e-mail address attached to a ticket numbers: 4-33-34-38-39-49(bonus no.23).
You have therefore been approved to claim a total sum of
420,200 British pounds sterling. You are to contact our AFFILIATE COURIER COMPANY for delivery of your winning certificate and winning cheque.
You are to reply to this email address below: MR SOLOMON STONE INTERNATIONAL COURIER SYSTEMS EMAIL: solo_stone2004@yahoo.com Congratulations once more from all members and staffs of this programme.
Yours Truly,
Victor Kundala
It's a phish! And in homage to its 419 past, it even has a Nigerian-sounding name. Awwww.
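The reason SPF passed is visible in the headers: the relay host and the DomainKey signer are both yousendit.com, so the sender authentication was genuine, while the human address the message actually routes replies to is on yahoo.co.uk. The check below is an added example, not code from the post; it rebuilds the quoted headers as a constructed sample (recipient masked, signature value and body are stand-ins) and flags the "legitimate service relaying for a third party" pattern.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample built from the headers quoted in the post above; the
# recipient is masked and the signature value and body are stand-ins.
SAMPLE = (
    "Received: from localhost (unknown [209.8.50.53])\n"
    "\tby wa-smtp-02.yousendit.com (Postfix) with ESMTP id 6FA7B3550334\n"
    "\tfor <xxx@example.invalid>; Thu, 25 Oct 2007 14:56:15 -0700 (PDT)\n"
    "DomainKey-Signature: a=rsa-sha1; b=STANDIN; c=nofws; d=yousendit.com; q=dns; s=signed\n"
    "From: Victor Kundala via YouSendIt\n"
    "To: xxx@example.invalid\n"
    "Reply-To: victor_kundala5@yahoo.co.uk\n"
    "Subject: YOU HAVE WON!!!!!!!!!!!!!!\n"
    "Date: Thu, 25 Oct 2007 14:56:15 -0700 (PDT)\n"
    "\n"
    "You have a file or files called Dear Winner.doc waiting for download.\n"
)

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header, or '' if there is none."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def relay_indicators(raw: str) -> dict:
    """Flag a message that an authenticated service relayed on behalf of someone else."""
    msg = message_from_string(raw)
    sig = msg.get("DomainKey-Signature", "")
    m = re.search(r"\bd=([^;\s]+)", sig)
    signing_domain = m.group(1).lower() if m else ""
    rcv = msg.get("Received", "")
    m = re.search(r"\bby\s+([A-Za-z0-9.-]+)", rcv)
    relay_host = m.group(1).lower() if m else ""
    reply_domain = domain_of(msg.get("Reply-To", ""))
    from_hdr = msg.get("From", "")
    return {
        "signing_domain": signing_domain,
        # relay sits in the signer's own domain: SPF/DomainKeys pass honestly
        "relay_in_signing_domain": bool(signing_domain) and relay_host.endswith(signing_domain),
        "reply_to_domain": reply_domain,
        # replies are steered to a domain the authenticated sender does not control
        "reply_to_mismatch": bool(reply_domain) and reply_domain != signing_domain,
        # "<name> via <service>" display name with no address of its own
        "via_display_name": " via " in from_hdr and "@" not in from_hdr,
    }

if __name__ == "__main__":
    for key, value in relay_indicators(SAMPLE).items():
        print(f"{key}: {value}")
```

A passing SPF or DomainKeys result only vouches for the relay, so a mail filter should weigh the Reply-To mismatch and the "via" display name separately from the authentication verdict.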