Click the comments link on any
story to see comments or add your own.
Subscribe to this blog
RSS feed
|
Home :: Email
26 Jun 2005
Here we have a piece of mail purportedly from MBNA (a large credit card
bank headquartered in an impressively large and anonymous building in
Wilmington DE that I walked past a few weeks ago) about a utility bill that
perhaps is available in their system for me to pay. Again the only thing
I changed was to turn the target address to xxx@yyy.com. All of the X-
headers were in the original mail.
Clues:
- Comes from customercenter.net which is not MBNA
- Has a lot of dubious 10.x.x.x received headers referring to Checkfree
which isn't MBNA, either
- Has amateurish looking X- headers
- Body has Javascript to concoct a URL that you're supposed to click on
- URL links to mbnanetaccess.com. Is that really MBNA?
- Bill is from NYSEG which is indeed the local electric company, but
anyone who looked at my WHOIS info would know that.
(I've reformatted this message a little bit to make it look OK on the
weblog. The headers are verbatim other than the recipient address,
and the HTML is basically the way it was. The links
take you to a site that looks like MBNA.)
Return-Path:
Received: (qmail 18498 invoked from network); 2 Mar 2005 09:54:57 -0000
Received: from outbd-pstfx.customercenter.net (208.235.248.20)
by mail.iecc.com with SMTP; 2 Mar 2005 09:54:57 -0000
Received: from localhost (localhost.localdomain [127.0.0.1])
by outbd-pstfx.customercenter.net (Postfix) with ESMTP id 0399C3BECA
for ; Wed, 2 Mar 2005 04:54:56 -0500 (EST)
Received: from prod-mail.customercenter.net (elpemh03.nc.customercenter.net
[10.30.26.53])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by outbd-pstfx.customercenter.net (Postfix) with ESMTP id A7A953BEB3
for ; Wed, 2 Mar 2005 04:54:55 -0500 (EST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by prod-mail.customercenter.net (Postfix) with ESMTP id 8A4E92B4021
for ; Wed, 2 Mar 2005 04:54:55 -0500 (EST)
Received: from espgcm01 (espgcm01-appl.nc.checkfree.com [10.30.7.207])
by prod-mail.customercenter.net (Postfix) with ESMTP
for ; Wed, 2 Mar 2005 04:54:55 -0500 (EST)
Received: from espgcm01 (espgcm01-appl.nc.checkfree.com [10.30.7.207])
by espgcm01-appl.nc.checkfree.com
(iPlanet Messaging Server 5.1 (built May 7 2001))
with ESMTP id <0ICO0017079X6L@espgcm01-appl.nc.checkfree.com> for
xxx@yyy.com; Wed, 02 Mar 2005 04:54:41 -0500 (EST)
Date: 2 Mar 2005 04:54:41 -0500
Message-id:
<32685630.1109757281414.JavaMail.gcmsadm@ewpexv01.nc.checkfree.com>
From: bill_pay_choice_checkfree@customercenter.net
Reply-To: bill_pay_choice_checkfree_reply@customercenter.net
To: xxx@yyy.com
Subject: You have a new e-bill from NYSEG
MIME-version: 1.0
X-Mailer: smasend
Content-type: text/html; charset=us-ascii
Content-transfer-encoding: 7BIT
X-Priority: 2 (Normal)
X-MessageId: #500219123540203007480_
X-Virus-Scanned: by amavisd-new at customercenter.net
X-Virus-Scanned: by amavisd-new at customercenter.net
You have a new e-bill from NYSEG . |
E-bill Information
|
Merchant Account Number: |
***********0007 |
|
Due Date: |
03/28/2005 |
|
Amount Due: |
$118.88 |
|
Account Balance: |
|
|
To pay this e-bill, click Pay. You can select a payment date, amount, and payment account after clicking Pay/View E-bill.
|
|
|
If you are unable to pay this e-bill by clicking the Pay/View E-bill button, follow these steps:
|
- Sign in to Bill Pay Choice.
- Click on the Bill Pay logo or the Pay Bills Now button to go to the Bill Pay Choice home page.
- Click the Pay button for the e-bill you want to pay online.
- Verify the payment details are accurate (You can change the pre-filled information by clicking in the field).
- Click the Continue button.
- Confirm the payment details are correct and then click the Schedule Payment button.
|
|
Your payment is now scheduled for this e-bill. You can view your payment activity online by clicking the Payment Activity link on the left side navigation.
|
Please do not reply to this message. If you have any questions, please contact us by clicking here. Or call us at 1-800-653-2465.
======================================== Please do not delete this section. Email_ID:#500219123540203007480_ ========================================
posted at: 12:29 :: permanent link to this entry ::
2 comments
comments... (Jump to the end to add your own comment)
Looks real to me.mbnanetaccess.com does belong to MBNA bank, name servers for mbnanetaccess.com are NS1.MBNA.COM and NS2.MBNA.COM. MBNA does indeed use third parties to deliver its email. At least one of these third parties is listed in a number of DNSBLs. I do agree though - it is often difficult to distinguish between MBNA email and phish. http://chris-linfoot.net/d6plinks/CWLT-6BWFZF
(by Chris Linfoot
28 Jul 2005 03:58)
Yes, it's real You're right, this really is from MBNA, although it looks just
like a lot of phishes that are not MBNA.
(by John L
30 Jul 2005 14:47)
Add your comment...
Note: all comments require an email address to send a confirmation
to verify that it was posted by a person and not a spambot.
The comment won't be visible until you click the link in the
confirmation.
Unless you check the box below, which almost nobody does, your email
won't be displayed, and I won't use it for other purposes.
|
Topics
My other sites
Who is this guy?
Airline ticket info
Taughannock Networks
Other blogs
CAUCE It turns out you don’t need a license to hunt for spam. 27 days ago
A keen grasp of the obvious Italian Apple Cake 585 days ago
Related sites
Coalition Against Unsolicited Commercial E-mail
Network Abuse Clearinghouse
|