Recently I’ve received the following phish:
|Authentication-Results||mta403.mail.mud.yahoo.com from=hosts.co.uk; domainkeys=neutral (no sig)|
|Received||from 126.96.36.199 (EHLO outgoing-smtp.namesco.net) (188.8.131.52) by mta403.mail.mud.yahoo.com with SMTP; Sat, 18 Oct 2008 17:04:47 -0700|
|Received||from [192.168.0.7] (helo=artemis.hosts.co.uk) by outgoing-smtp.namesco.net with esmtp (Exim 4.67) (envelope-from
|Received||from babs-education.info by artemis.hosts.co.uk with local (Exim 4.64) (envelope-from
|From||Cosmote Romania <[email protected]>|
|Sender||Site Administrator <[email protected]>|
|Date||Sun, 19 Oct 2008 00:05:18 +0100|
|Acum cu Cosmote te poti bucura de -Oferta Creditului Dublu-.Trimite un ~e-mail reply~ la acest mesaj cu un cod de reincarcare valid (neutilizat) impreuna cu numarul tau de telefon Cosmote, urmand ca la un interval de maximum 30 de minute Cosmote sa iti atribuie un credit dublu fata de cel reprezentat de codul de reincarcare trimis. Oferta ramane valabila pana la data de 25 octombrie 2008.
Cosmote-Alaturi de tine !
There is nothing particularly interesting about the scam itself (it promises something in return if you buy a prepaid card and send the number to them – such scams circulate over every media – e-mail, sms, phone, etc). What I wanted to exemplify is the multitude of actors involved (which makes stopping the scam that much harder):
There is my e-mail provider (Yahoo) who managed to classify this message (correctly) as spam.
There is the account the email originated from ([email protected]). Now, as far as I can tell, the website babs-education.info is a completely legitimate site for the “British Association of Barbershop Singers”, hosted at the provider hosts.co.uk (hence the email address). My current working theory is that this account was hacked and being used to send spam. I’m not really sure who to contact (supposedly the attacker has full control over the email account, so mailing there won’t do much good – I also tried to sign up to their forum, but it requires “administrative approval” which I still didn’t get – probably the administrator gets notified through the same email account).
There is also a third actor – Gmail – who will get the reply messages. Their abuse department got notified.
It is interesting how humans calculate the utility function. Email, as a tool, is completely inadequate in situations where we have active, hostile activity. Yet we don’t try to move on to something engineered having this situation in mind. Simply because our email (kind of) works, we regard it as more useful than future systems which would work better.
Also: closed systems like Facebook messaging, which some people claim “replaces email”, won’t ever substitute it for at least two reasons: (a) they are seeing a low(er) volume of spam because they are not as ubiquitous as email (as their popularity increases, so will the volume of spam) and (b) it is a closed system, making it useless for many usecases (companies internal messaging system for example).