Internet and e-mail policy and practice
including Notes on Internet E-mail

23 Jun 2005

Phish or Phair?

Phishing is a big problem, and banks have given us lots of advice like don't click on links in e-mail messages and watch for mail from fake sources. So take a look at this message that I got earlier this year and tell me whether it's real or a phish. (I already know the answer. This is a thought experiment.)

Clues:

  • HELO with a nonexistent domain name unrelated to the bank
  • Actual IP has no rDNS, SWIP is to some company with no visible connection to the bank
  • Return address is in securesuiteemail.com, a domain unrelated to the bank
  • Return address domain is at Yahoo domains with a yahoo.com contact, a mailing address in Israel, and a bogus phone number
  • Headers include "Comment: Unauthenticated sender"
  • The HTML part includes URLs that it encourages you to click through; they don't match the ones in the text part and are not in the bank's domain or in any domain in the headers, rather they're at bankofamerica.vbv.cyota.com

So tell me, if you found this in your mailbox, would you believe that it's a genuine communication from the Bank of America credit card department?

(I've reformatted this message a little bit to make it look OK on the weblog. The headers are verbatim other than the recipient address, and the HTML is basically the way it was. The links are all live, and take you to a site purporting to be Bank of America.)

Return-Path: 
Received: (qmail 4897 invoked by uid 100); 27 Feb 2005 19:32:01 -0000
Received: (qmail 4155 invoked from network); 27 Feb 2005 19:30:20 -0000
Received: from unknown (HELO cyomail1.cyota.dotsconnect.com) (63.150.74.73)
  by mail.iecc.com with SMTP; 27 Feb 2005 19:30:20 -0000
Received: from cyoweb1 (cyoweb1 [172.29.1.10])
	by cyomail1.cyota.dotsconnect.com (8.11.7p1+Sun/8.10.2) with SMTP
    id j1RJKXF27254
	for xxx@yyy.com; Sun, 27 Feb 2005 14:20:33 -0500 (EST)
Date: 27 Feb 2005 19:31:39 -0000
Message-Id: <200502271920.j1RJKXF27254@cyomail1.cyota.dotsconnect.com>
From: "Bank of America" 
Reply-To: bankofamerica@securesuiteemail.com
To: xxx@yyy.com
Subject: Bank of America - Verified by Visa Registration Confirmation
Comment: Unauthenticated sender
X-Mailer: JNet CSmtpWrapper
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="CyotaVBV"
 
--CyotaVBV
Content-Type: text/plain; charset=iso-8859-1
 
Dear Bank of America Visa Cardholder:
 
This message confirms your registration into Verified by Visa
services.
 
This is an outbound message only. Please do not reply.  If you have
any questions, please refer to our Frequently Asked Questions (FAQs)
or contact us by secure e-mail at
http://www.bankofamerica.com/verifiedbyvisa (select this link or copy
and paste it into your browser).  On this page, select "FAQs" or
choose "Contact Us" to send us an e-mail.We will get back to you
within 2 business days.
 
You can always visit the Verified by Visa site at
http://www.bankofamerica.com/verifiedbyvisa to track your
transactions and manage account settings.
 
Please keep this email with the Verified by Visa site URL in a safe
place.
 
 
Thank you,
Bank of America
 
--CyotaVBV
Content-Type: text/html; charset=iso-8859-1
Dear Bank of America Visa Cardholder:

This message confirms your registration into Verified by Visa services.

This is an outbound message only. Please do not reply. if you have any questions, please refer to our Frequently Asked Questions (FAQs) or contact us by secure e-mail at the
Verified by Visa site. On this page, select "FAQs" or choose "Contact Us" to send us an e-mail. We will get back to you within 2 business days.

You can always visit the Verified by Visa site. to track your transactions and manage account settings.

Please keep this email with the Verified by Visa site link in a safe place.


Thank you,
Bank of America
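Here is a small script, added to this page and not part of the original post, that applies the clues listed above to a constructed copy of the message's headers and MIME parts (the body is cut down and the From address, which the post does not show, is a placeholder). The "brand" domain the message claims to come from is passed in; the registrable-domain comparison is what catches bankofamerica.vbv.cyota.com.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: the relevant header lines of the message quoted above
# with a cut-down body; the From address is a placeholder (not on the page).
SAMPLE = """Received: from unknown (HELO cyomail1.cyota.dotsconnect.com) (63.150.74.73)
  by mail.iecc.com with SMTP; 27 Feb 2005 19:30:20 -0000
From: "Bank of America" <sender@placeholder.invalid>
Reply-To: bankofamerica@securesuiteemail.com
Comment: Unauthenticated sender
Content-Type: multipart/alternative; boundary="CyotaVBV"

--CyotaVBV
Content-Type: text/plain; charset=iso-8859-1

Visit http://www.bankofamerica.com/verifiedbyvisa to manage your account.
--CyotaVBV
Content-Type: text/html; charset=iso-8859-1

<p>Visit the <a href="http://bankofamerica.vbv.cyota.com/">Verified by Visa site</a>.</p>
--CyotaVBV--
"""

def org(host):
    # Registrable-domain approximation (last two labels): bankofamerica.vbv.cyota.com -> cyota.com
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phish_clues(raw, brand):  # names of the clues above that fire for a message claiming to be from `brand`
    msg, clues = message_from_string(raw), []
    m = re.search(r"HELO (\S+)\) \((\d+\.\d+\.\d+\.\d+)\)", msg.get("Received", ""))
    if m and org(m.group(1)) != brand:          # HELO name unrelated to the bank
        clues.append("helo-unrelated")
    reply_to = msg.get("Reply-To", "")
    if reply_to and org(reply_to.rsplit("@", 1)[-1]) != brand:
        clues.append("reply-to-unrelated")
    if "unauthenticated" in msg.get("Comment", "").lower():
        clues.append("unauthenticated-sender")
    text_urls, html_urls = set(), set()
    for part in msg.walk():                      # compare the links in the two MIME parts
        body = (part.get_payload(decode=True) or b"").decode("iso-8859-1")
        if part.get_content_type() == "text/plain":
            text_urls |= set(re.findall(r"https?://\S+", body))
        elif part.get_content_type() == "text/html":
            html_urls |= set(re.findall(r'href="([^"]+)"', body))
    if any(org(urlparse(u).hostname or "") != brand for u in html_urls):
        clues.append("html-link-offsite")
    if html_urls and html_urls != text_urls:
        clues.append("html-text-link-mismatch")
    return clues
```

Whether a message that trips every one of these checks is a phish or legitimate mail from an outsourced mailer is exactly the question the post asks; the script only shows that the message is indistinguishable from one on these signals.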

posted at: 23:15 :: permanent link to this entry :: 3 comments

comments...


> So tell me, if you found this in your mailbox, would you believe that it's a genuine communication from the Bank of America credit card department? (...The headers are verbatim other than the recipient address...)

If I found this in my mailbox, I'd look at the recipient address and see if it was the *unique* address that I use only for BoA correspondence. But, since you've hidden the recipient address (and I don't know if you use unique addresses for this type of correspondence), my guess is that it's phair. And it's a great example of something that looks like a phish.

(by Nancy McGough 24 Jun 2005 03:04)


Per-correspondent addresses
It's true (as Nancy knows) that I hand out a unique address to each commercial correspondent, which is why I obscured the address here so you couldn't tell whether the sender sent it to that address. But most people use the same address everywhere, which isn't likely to change soon.

(by John L 24 Jun 2005 15:46)


Phish
I found out it was a phishing email which is working with netdetective.com; they now have my cc# and ss#, my life is about to suck, and I'm an idiot

(by 19 Nov 2006 00:22)




© 2005-2018 John R. Levine.