Yobunny client support forums
Tech Support Forums => Security, Vulnerabilities, Alerts - Stay Safe! => Topic started by: Liz on March 20, 2015, 08:17:19 PM
-
It has to be a fake. Apologies if not all info here:
From "ebiling@bt.com" Sun Jan 4 19:20:20 2015
X-Apparently-To: <address removed>; Mon, 15 Dec 2014 20:27:03 +0000
Return-Path: <ebiiling@bt.com>
X-YahooFilteredBulk: 24.106.184.6
Received-SPF: softfail (transitioning domain of bt.com does not designate 24.106.184.6 as permitted sender)
X-Originating-IP: [24.106.184.6]
Authentication-Results: mta1075.mail.ir2.yahoo.com from=bt.com; domainkeys=neutral (no sig); from=bt.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO s4009.pbxtra.fonality.com) (24.106.184.6)
by mta1075.mail.ir2.yahoo.com with SMTP; Mon, 15 Dec 2014 20:27:03 +0000
Received: from SEAN-SERV200803.poundhost.com (pbxtra4009 [127.0.0.1])
by s4009.pbxtra.fonality.com (Postfix) with ESMTP id 7A781150561D
for <address removed>; Mon, 15 Dec 2014 14:20:27 -0500 (EST)
Content-Type: multipart/alternative; boundary="===============1348212090=="
MIME-Version: 1.0
Subject: <address removed>@yahoo.co.uk, You need to upgrade now
To: <address removed>
From: "ebiling@bt.com" <ebiiling@bt.com>
Date: Sun, 04 Jan 2015 19:20:20 +0000
Message-Id: <20141215192029.7A781150561D@s4009.pbxtra.fonality.com>
Content-Length: 23174
-
Looks like a phishing scam or similar, Liz. The originating IP decodes to a RoadRunner IP in the USA, not to BT.
Hostname: rrcs-24-106-184-6.se.biz.rr.com
IP Address: 24.106.184.6
Country: United States
Country Code: US (USA)
Region: North Carolina
City: Chapel Hill
The other clue is the SPF line which says it's a check fail:
Received-SPF: softfail (transitioning domain of bt.com does not designate 24.106.184.6 as permitted sender)
By the way, you've left your email address visible in the quoted header, I'll blank it out for you.
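-
Added example, not part of the original thread: a small Python triage of the headers quoted above. It checks the SPF result the reply points to, plus three other signals visible in the same headers: the DKIM result, the From display name versus the real address, and the Date header versus the receiving hop. The function name, finding labels and the one-day skew threshold are assumptions made for this illustration.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Excerpt of the headers quoted in this thread (recipient already redacted).
SAMPLE = """\
Return-Path: <ebiiling@bt.com>
Received-SPF: softfail (transitioning domain of bt.com does not designate 24.106.184.6 as permitted sender)
Authentication-Results: mta1075.mail.ir2.yahoo.com from=bt.com; domainkeys=neutral (no sig); from=bt.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO s4009.pbxtra.fonality.com) (24.106.184.6)
 by mta1075.mail.ir2.yahoo.com with SMTP; Mon, 15 Dec 2014 20:27:03 +0000
From: "ebiling@bt.com" <ebiiling@bt.com>
Date: Sun, 04 Jan 2015 19:20:20 +0000

"""

def triage(raw, max_skew=timedelta(days=1)):
    """Return a list of suspicious-header findings (labels are illustrative)."""
    msg = message_from_string(raw)
    findings = []
    # 1. SPF verdict recorded by the receiving server: anything but "pass" is a flag.
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    if spf != "pass":
        findings.append("spf=" + spf)
    # 2. No passing DKIM signature for the claimed domain.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "dkim=pass" not in auth:
        findings.append("dkim-not-pass")
    # 3. Display name that looks like an address but differs from the real one.
    display, addr = parseaddr(msg.get("From", ""))
    if "@" in display and display.strip().lower() != addr.lower():
        findings.append("display-name-address-mismatch")
    # 4. Sender-set Date far from the timestamp stamped by the top Received hop.
    received = msg.get_all("Received") or []
    try:
        hop = parsedate_to_datetime(received[0].rsplit(";", 1)[-1].strip())
        sent = parsedate_to_datetime(msg["Date"])
        if abs(sent - hop) > max_skew:
            findings.append("date-vs-received-skew")
    except (IndexError, TypeError, ValueError):
        findings.append("unparseable-date")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

None of these signals is conclusive on its own; together they match the reply's reading that the message did not come from BT.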