Fraud
Beware of e-mail fraud
Summary:
Details:
Support received several e-mail messages such as this:
============================================================
The original message was received at Thu, 09 Jun 2005 04:42:55 -0700 (PDT)
from 3v7l8dbta6xgljlx@enterprise-pn.svpal.org [192.168.147.69]
----- The following addresses had permanent fatal errors -----
(reason: 550 5.1.1 User Unknown)
----- Transcript of session follows -----
550 5.1.1 ... User Unknown
[ Part 2: "" ]
Reporting-MTA: dns; svpal.svpal.org
Arrival-Date: Thu, 09 Jun 2005 04:42:55 -0700 (PDT)
Final-Recipient: RFC822; xxxxxxx@svpal.org
X-Actual-Recipient: RFC822; xxxxxxx@svpal.org
Action: failed
Status: 5.1.1
Diagnostic-Code: SMTP; 550 5.1.1 User Unknown
Last-Attempt-Date: Thu, 09 Jun 2005 04:42:55 -0700 (PDT)
[ Part 3: "" ]
Return-Path:
Received: from enterprise.svpal.org
(3v7l8dbta6xgljlx@enterprise-pn.svpal.org [192.168.147.69])
by svpal.svpal.org (8.13.3/8.13.1) with ESMTP id j59BgjMr025999
for ; Thu, 9 Jun 2005 04:42:45 -0700 (PDT)
(envelope-from support@svpal.org)
Received: from svpal.org (c-67-175-178-210.hsd1.il.comcast.net
[67.175.178.210])
by enterprise.svpal.org (8.13.3/8.13.1) with ESMTP id j59BgPSa091374
for ; Thu, 9 Jun 2005 04:42:25 -0700 (PDT)
(envelope-from support@svpal.org)
Message-Id:
From: support@svpal.org
To: xxxxxxx@svpal.org
Subject: Account Alert
Date: Thu, 9 Jun 2005 06:42:20 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0009_11E42639.B200AB51"
X-Priority: 3
X-MSMail-Priority: Normal
X-Filter-Version: 1.11a-svpal (enterprise.svpal.org)
X-MailFilter: Yes
Dear Valued Member,
According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.
http://www.svpal.org/confirm.php?email=xxxxxxx@svpal.org
Thank you for your attention to this question. We apologize for any inconvenience.
Sincerely,Svpal Security Department Assistant.
============================================================
<html>
<body>
<BR><STRONG>Dear Valued Member, </STRONG><BR>
<BR>According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.<BR>
<BR><a href="http://209.67.220.164/confirm.php?email=xxxxxxx@svpal.org">http://www.svpal.org/confirm.php?email=xxxxxxx@svpal.org</a><BR>
<BR>Thank you for your attention to this question. We apologize for any inconvenience.<BR>
<BR>Sincerely,Svpal Security Department Assistant.<BR>
</body>
</html>

The link is actually pointing to http://209.67.220.164/confirm.php?email=xxxxxxx@svpal.org
OrgName: Layered Technologies, Inc.
OrgID: LAYER-3
Address: 18816 Preston Road
Address: Suite #100
City: Dallas
StateProv: TX
PostalCode: 75252
Country: US

In conclusion, do not automatically believe that a message was sent from svpal.org, and do not click on any suspicious link provided in an e-mail message. Instead, e-mail us at spt1@svpal.org or ar1@svpal.org if you have questions (that is the number one in the addresses, not the letter L).
============================================================
From abuse@savvis.net Thu Jun 9 09:49:26 2005
Date: Thu, 9 Jun 2005 09:34:10 -0500
From: "> [Savvis Abuse]" <abuse@savvis.net>
To: SVPAL Customer Support <spt1@svpal.org>
Subject: RE: ***FRAUD REPORT for 67.175.178.210 and 209.67.220.164***

The SAVVIS Security Team has become aware of a new virus variant traversing the Internet which presents a serious security risk. This virus may come as an attachment, or may be distributed as SPAM with a spoofed source address and an http link to a malicious password gathering web site.

Infected attachments will normally be intercepted by the anti-virus software running on email gateways. Malicious links will not always be intercepted or identified by anti-virus software. The links may be disguised so they appear to be from the user's local domain, but in reality, point to an external malicious site.

Two such sites (209.67.220.164) and (205.138.199.146) were identified as belonging to an unmanaged host on a customer network and were null routed on Monday 6/6/2005. SAVVIS has notified our customers and requested they contact local law enforcement for investigation of their server.

Even though the malicious site has been taken down, users may continue to receive spoofed emails for several days or even weeks. These emails should be deleted without interacting. Any user that has entered account or password information via one of these links should change their password immediately.

As always, users are warned against opening any unrequested attachments, even if they appear to come from known or trustworthy sources and should never submit their account information and password to any unrequested links that they visit.

Description: This virus is being spread by Microsoft servers and/or workstations. It is being referenced by one or more variants of the type: W32/Mytob.

More information on the virus can be found at: http://vil.nai.com/vil/newly-discovered-viruses.asp

The Savvis Security Team
============================================================