Interesting phish

Recently I’ve received the following phish:

Return-Path <[email protected]>
Authentication-Results; domainkeys=neutral (no sig)
Received from (EHLO ( by with SMTP; Sat, 18 Oct 2008 17:04:47 -0700
Received from [] ( by with esmtp (Exim 4.67) (envelope-from ) id 1KrKrG-0008PU-2d for [email protected]; Sun, 19 Oct 2008 00:05:20 +0100
Received from by with local (Exim 4.64) (envelope-from ) id 1KrKrG-0002kk-1E for [email protected]; Sun, 19 Oct 2008 00:05:18 +0100
To [email protected]
From Cosmote Romania <[email protected]>
Reply-To [email protected]
MIME-Version 1.0
Content-Type text/plain
Content-Transfer-Encoding 8bit
Message-Id <[email protected]>
Sender Site Administrator <[email protected]>
Date Sun, 19 Oct 2008 00:05:18 +0100
Content-Length 422
Acum cu Cosmote te poti bucura de -Oferta Creditului Dublu-.Trimite un ~e-mail reply~ la acest mesaj cu un cod de reincarcare valid (neutilizat) impreuna cu numarul tau de telefon Cosmote, urmand ca la un interval de maximum 30 de minute Cosmote sa iti atribuie un credit dublu fata de cel reprezentat de codul de reincarcare trimis. Oferta ramane valabila pana la data de 25 octombrie 2008.

Cosmote-Alaturi de tine !

There is nothing particularly interesting about the scam itself (it promises something in return if you buy a prepaid card and send the number to them – such scams circulate over every media – e-mail, sms, phone, etc). What I wanted to exemplify is the multitude of actors involved (which makes stopping the scam that much harder):

There is my e-mail provider (Yahoo) who managed to classify this message (correctly) as spam.

There is the account the email originated from ([email protected]). Now, as far as I can tell, the website is a completely legitimate site for the “British Association of Barbershop Singers”, hosted at the provider (hence the email address). My current working theory is that this account was hacked and being used to send spam. I’m not really sure who to contact (supposedly the attacker has full control over the email account, so mailing there won’t do much good – I also tried to sign up to their forum, but it requires “administrative approval” which I still didn’t get – probably the administrator gets notified through the same email account).

There is also a third actor – Gmail – who will get the reply messages. Their abuse department got notified.

It is interesting how humans calculate the utility function. Email, as a tool, is completely inadequate in situations where we have active, hostile activity. Yet we don’t try to move on to something engineered having this situation in mind. Simply because our email (kind of) works, we regard it as more useful than future systems which would work better.

Also: closed systems like Facebook messaging, which some people claim “replaces email”, won’t ever substitute it for at least two reasons: (a) they are seeing a low(er) volume of spam because they are not as ubiquitous as email (as their popularity increases, so will the volume of spam) and (b) it is a closed system, making it useless for many usecases (companies internal messaging system for example).

, ,

One response to “Interesting phish”

  1. maybe you should’ve translated the spam text ( or just say something about it ). Actually I find more interesting another phishing done in regards to the same company: SMS campaign – it sends a message that you won a rather big sum of money and ask you to send a smaller percent of it to a known address trough delivery or credit transfer on your phone, so that the company can send you the “prize”. It’s likely that a lot of people have been fooled by this kind of dumb campaign (imagining that a somewhat big company is going to ask you for money to send you a prize is more than suspicious). And we both know that romanian people have it difficult going to the police (except there is something to gain from it 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *