Internet and e-mail policy and practice
including Notes on Internet E-mail



23 Jun 2005

Phish or Phair?

Phishing is a big problem, and banks have given us lots of advice like don't click on links in e-mail messages and watch for mail from fake sources. So take a look at this message that I got earlier this year and tell me whether it's real or a phish. (I already know the answer. This is a thought experiment.)

Clues:

  • HELO with a nonexistent domain name unrelated to the bank
  • The connecting IP has no rDNS, and its SWIP record is for a company with no visible connection to the bank
  • Return address is in securesuiteemail.com, a domain unrelated to the bank
  • That domain is registered through Yahoo Domains with a yahoo.com contact address, a mailing address in Israel, and a bogus phone number
  • Headers include "Comment: Unauthenticated sender"
  • The HTML part contains URLs that the message encourages you to click, which do not match the ones in the text part and are not in the bank's domain or in any domain that appears in the headers; they point at bankofamerica.vbv.cyota.com

So tell me, if you found this in your mailbox, would you believe that it's a genuine communication from the Bank of America credit card department?

(I've reformatted this message a little bit to make it look OK on the weblog. The headers are verbatim other than the recipient address, and the HTML is basically the way it was. The links are all live, and take you to a site purporting to be Bank of America.)

Return-Path: 
Received: (qmail 4897 invoked by uid 100); 27 Feb 2005 19:32:01 -0000
Received: (qmail 4155 invoked from network); 27 Feb 2005 19:30:20 -0000
Received: from unknown (HELO cyomail1.cyota.dotsconnect.com) (63.150.74.73)
  by mail.iecc.com with SMTP; 27 Feb 2005 19:30:20 -0000
Received: from cyoweb1 (cyoweb1 [172.29.1.10])
	by cyomail1.cyota.dotsconnect.com (8.11.7p1+Sun/8.10.2) with SMTP
    id j1RJKXF27254
	for xxx@yyy.com; Sun, 27 Feb 2005 14:20:33 -0500 (EST)
Date: 27 Feb 2005 19:31:39 -0000
Message-Id: <200502271920.j1RJKXF27254@cyomail1.cyota.dotsconnect.com>
From: "Bank of America" 
Reply-To: bankofamerica@securesuiteemail.com
To: xxx@yyy.com
Subject: Bank of America - Verified by Visa Registration Confirmation
Comment: Unauthenticated sender
X-Mailer: JNet CSmtpWrapper
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="CyotaVBV"
 
--CyotaVBV
Content-Type: text/plain; charset=iso-8859-1
 
Dear Bank of America Visa Cardholder:
 
This message confirms your registration into Verified by Visa
services.
 
This is an outbound message only. Please do not reply.  If you have
any questions, please refer to our Frequently Asked Questions (FAQs)
or contact us by secure e-mail at
http://www.bankofamerica.com/verifiedbyvisa (select this link or copy
and paste it into your browser).  On this page, select "FAQs" or
choose "Contact Us" to send us an e-mail.We will get back to you
within 2 business days.
 
You can always visit the Verified by Visa site at
http://www.bankofamerica.com/verifiedbyvisa to track your
transactions and manage account settings.
 
Please keep this email with the Verified by Visa site URL in a safe
place.
 
 
Thank you,
Bank of America
 
--CyotaVBV
Content-Type: text/html; charset=iso-8859-1

Dear Bank of America Visa Cardholder:

This message confirms your registration into Verified by Visa services.

This is an outbound message only. Please do not reply. if you have any questions, please refer to our Frequently Asked Questions (FAQs) or contact us by secure e-mail at the
Verified by Visa site. On this page, select "FAQs" or choose "Contact Us" to send us an e-mail. We will get back to you within 2 business days.

You can always visit the Verified by Visa site. to track your transactions and manage account settings.

Please keep this email with the Verified by Visa site link in a safe place.


Thank you,
Bank of America
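The header-level clues in the list above, turned into a script, as an added example that is not part of the original post. It parses a message, pulls the HELO name and peer address out of the first Received line that our own MX wrote, compares the Return-Path and Reply-To domains with the domain the message claims to be from, looks for the "Unauthenticated sender" comment, and lists hosts that the HTML part links to but that neither the text part nor the claimed domain mentions. The sample message is constructed from the headers quoted above; the mailbox addresses in Return-Path and From (blank on the page) and the path of the HTML link are placeholders, and the rDNS and SWIP clues need network lookups, so they are not checked here.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Constructed sample built from the headers quoted in the post. The mailbox
# addresses in Return-Path and From (blank on the page) and the HTML link path
# are placeholders; the hosts, domains and IP addresses are the ones the post shows.
SAMPLE = """\
Return-Path: <placeholder@securesuiteemail.com>
Received: (qmail 4897 invoked by uid 100); 27 Feb 2005 19:32:01 -0000
Received: (qmail 4155 invoked from network); 27 Feb 2005 19:30:20 -0000
Received: from unknown (HELO cyomail1.cyota.dotsconnect.com) (63.150.74.73)
  by mail.iecc.com with SMTP; 27 Feb 2005 19:30:20 -0000
Received: from cyoweb1 (cyoweb1 [172.29.1.10])
  by cyomail1.cyota.dotsconnect.com (8.11.7p1+Sun/8.10.2) with SMTP
  id j1RJKXF27254
  for xxx@yyy.com; Sun, 27 Feb 2005 14:20:33 -0500 (EST)
From: "Bank of America" <placeholder@bankofamerica.example>
Reply-To: bankofamerica@securesuiteemail.com
To: xxx@yyy.com
Subject: Bank of America - Verified by Visa Registration Confirmation
Comment: Unauthenticated sender
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="CyotaVBV"

--CyotaVBV
Content-Type: text/plain; charset=iso-8859-1

You can always visit the Verified by Visa site at
http://www.bankofamerica.com/verifiedbyvisa to track your transactions.

--CyotaVBV
Content-Type: text/html; charset=iso-8859-1

<p>You can always visit the
<a href="https://bankofamerica.vbv.cyota.com/placeholder">Verified by Visa site</a>
to track your transactions.</p>

--CyotaVBV--
"""

# qmail writes the first hop as "from <rdns> (HELO <name>) (<ip>)".
HELO_RE = re.compile(r"from\s+\S+\s+\(HELO\s+([^)\s]+)\)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
HREF_RE = re.compile(r"href=[\"']([^\"']+)[\"']", re.IGNORECASE)


def under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def addr_domain(value):
    """Domain part of the first mailbox in a header value, or ''."""
    m = re.search(r"@([\w.-]+)", str(value or ""))
    return m.group(1).lower() if m else ""


def triage(raw, claimed_domain):
    """Return a list of clue tags that fire for the message, in header order."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # First Received line from our own MX that records a HELO and peer address;
    # qmail's internal "invoked by/from" lines carry neither and are skipped.
    for rcvd in msg.get_all("Received", []):
        m = HELO_RE.search(rcvd)
        if m:
            helo, ip = m.groups()
            if not under(helo, claimed_domain):
                findings.append(f"helo-mismatch:{helo}:{ip}")
            break

    for hdr in ("Return-Path", "Reply-To"):
        d = addr_domain(msg.get(hdr))
        if d and not under(d, claimed_domain):
            findings.append(f"{hdr.lower()}-domain:{d}")

    if "unauthenticated" in str(msg.get("Comment") or "").lower():
        findings.append("unauthenticated-sender")

    # Hosts linked from the HTML part that the text part never shows and that
    # are outside the claimed domain: the click-through targets a user never sees.
    text_hosts, html_hosts = set(), set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text_hosts |= {h for h in (urlparse(u).hostname for u in URL_RE.findall(part.get_content())) if h}
        elif ctype == "text/html":
            html_hosts |= {h for h in (urlparse(u).hostname for u in HREF_RE.findall(part.get_content())) if h}
    for h in sorted(html_hosts - text_hosts):
        if not under(h, claimed_domain):
            findings.append(f"html-link-offdomain:{h}")

    return findings


if __name__ == "__main__":
    for tag in triage(SAMPLE, "bankofamerica.com"):
        print(tag)
```

To run it on a real message, pass the raw file contents and the domain of the bank the message purports to come from. An empty result means none of these header-level clues fired, not that the message is genuine; and, as the message above shows, a genuine message can fire every one of them, which is the point of the post.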

posted at: 23:15
Stable link is https://jl.ly/Email/phish1.html




© 2005-2018 John R. Levine.