Beware of e-mail fraud
An e-mail that appears to come from firstname.lastname@example.org (but does
not) prompts users to click on a link that appears to point to
www.svpal.org (but does not). If you click on that link, you are confirming
(probably to a spammer) that you have a valid e-mail address
where they can spam you until the end of time.
Support received several e-mail messages such as this:
The original message was received at Thu, 09 Jun 2005 04:42:55 -0700 (PDT)
from email@example.com [192.168.147.69]
----- The following addresses had permanent fatal errors -----
(reason: 550 5.1.1 User Unknown)
----- Transcript of session follows -----
550 5.1.1 ... User Unknown
[ Part 2: "" ]
Reporting-MTA: dns; svpal.svpal.org
Arrival-Date: Thu, 09 Jun 2005 04:42:55 -0700 (PDT)
Final-Recipient: RFC822; firstname.lastname@example.org
X-Actual-Recipient: RFC822; email@example.com
Diagnostic-Code: SMTP; 550 5.1.1 User Unknown
Last-Attempt-Date: Thu, 09 Jun 2005 04:42:55 -0700 (PDT)
[ Part 3: "" ]
Received: from enterprise.svpal.org
by svpal.svpal.org (8.13.3/8.13.1) with ESMTP id j59BgjMr025999
for ; Thu, 9 Jun 2005 04:42:45 -0700 (PDT)
Received: from svpal.org (c-67-175-178-210.hsd1.il.comcast.net
by enterprise.svpal.org (8.13.3/8.13.1) with ESMTP id j59BgPSa091374
for ; Thu, 9 Jun 2005 04:42:25 -0700 (PDT)
Subject: Account Alert
Date: Thu, 9 Jun 2005 06:42:20 -0500
X-Filter-Version: 1.11a-svpal (enterprise.svpal.org)
Dear Valued Member,
According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.
Thank you for your attention to this question. We apologize for any inconvenience.
Sincerely,Svpal Security Department Assistant.
This is a bounce message, because firstname.lastname@example.org does not
exist. The message bounced to email@example.com, because that is the
address fraudulently used in the "From:" field, even though it was
sent from c-67-175-178-210.hsd1.il.comcast.net [220.127.116.11].
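The mismatch described above can be checked mechanically. The following is an added example, not part of the original notice or of any SVPAL tooling: it reads the Received lines written by our own mail servers and reports hops where the client announced a name inside our domain while its reverse-DNS name lies outside it. The sample message is constructed from the header lines shown above; the bracketed 192.0.2.x addresses and the first hop's parenthesised host are placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Sendmail-style trace field: from <HELO name> (<reverse-DNS name> [<ip>]) by <receiver>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\)]+)?\s*(?:\[(?P<ip>[^\]]+)\])?\)"
    r"\s+by\s+(?P<by>\S+)", re.I)

def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def forged_helo_hops(raw_message, local_domain):
    """Return hops accepted by our own servers where the client announced a
    name inside local_domain but its reverse-DNS name is outside it."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m or not in_domain(m["by"], local_domain):
            continue  # only trace fields written by our own MTAs are trustworthy
        if (in_domain(m["helo"], local_domain) and m["rdns"]
                and not in_domain(m["rdns"], local_domain)):
            hits.append({"helo": m["helo"], "rdns": m["rdns"],
                         "ip": m["ip"], "by": m["by"]})
    return hits

# Constructed sample: host names and queue ids from the bounce above,
# IP addresses replaced with documentation placeholders (192.0.2.0/24).
SAMPLE = """\
Received: from enterprise.svpal.org (enterprise.svpal.org [192.0.2.1])
\tby svpal.svpal.org (8.13.3/8.13.1) with ESMTP id j59BgjMr025999;
\tThu, 9 Jun 2005 04:42:45 -0700 (PDT)
Received: from svpal.org (c-67-175-178-210.hsd1.il.comcast.net [192.0.2.69])
\tby enterprise.svpal.org (8.13.3/8.13.1) with ESMTP id j59BgPSa091374;
\tThu, 9 Jun 2005 04:42:25 -0700 (PDT)
Subject: Account Alert

(body omitted)
"""

if __name__ == "__main__":
    for hop in forged_helo_hops(SAMPLE, "svpal.org"):
        print(hop)
```

Only the hop recorded by enterprise.svpal.org is reported, because that is where an outside client introduced itself as svpal.org.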
The link http://firstname.lastname@example.org
appears to be pointing to www.svpal.org, BUT IT IS NOT.
Here is the same message, showing the source:
<BR><STRONG>Dear Valued Member, </STRONG><BR>
<BR>According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.<BR>
<BR>Thank you for your attention to this question. We apologize for any inconvenience.<BR>
<BR>Sincerely,Svpal Security Department Assistant.<BR>
The link is actually pointing to http://email@example.com
18.104.22.168 is registered to:
OrgName: Layered Technologies, Inc.
Address: 18816 Preston Road
Address: Suite #100
In conclusion, do not automatically believe that any message was
sent from svpal.org, and do not click on any suspicious link provided by
an e-mail message. Instead, e-mail us at firstname.lastname@example.org or email@example.com
if you have questions (that is the number one in the addresses,
not the letter L).
P.S. Here is one reply to the abuse report:
From firstname.lastname@example.org Thu Jun 9 09:49:26 2005
Date: Thu, 9 Jun 2005 09:34:10 -0500
From: "> [Savvis Abuse]" <email@example.com>
To: SVPAL Customer Support <firstname.lastname@example.org>
Subject: RE: ***FRAUD REPORT for 22.214.171.124 and 126.96.36.199***
The SAVVIS Security Team has become aware of a new virus variant
traversing the Internet which presents a serious security risk. This
virus may come as an attachment, or may be distributed as SPAM with a
spoofed source address and an http link to a malicious password
gathering web site. Infected attachments will normally be intercepted
by the anti-virus software running on email gateways. Malicious links
will not always be intercepted or identified by anti-virus software.
The links may be disguised so they appear to be from the user's local
domain, but in reality, point to an external malicious site.
Two such sites (188.8.131.52) and (184.108.40.206) were identified as
belonging to an unmanaged host on a customer network and were null
routed on Monday 6/6/2005. SAVVIS has notified our customers and
requested they contact local law enforcement for investigation of their
server. Even though the malicious site has been taken down, users may
continue to receive spoofed emails for several days or even weeks.
These emails should be deleted without interacting. Any user that has
entered account or password information via one of these links should
change their password immediately.
As always, users are warned against opening any unrequested attachments,
even if they appear to come from known or trustworthy sources and should
never submit their account information and password to any unrequested
links that they visit.
This virus is being spread by Microsoft servers and/or workstations.
It is being referenced by one or more variants of the type:
More information on the virus can be found at:
The Savvis Security Team
Copyright © 2001-2006 Silicon Valley Public Access Link