Internet and e-mail policy and practice
including Notes on Internet E-mail



26 Jun 2005

Phish or Phair, part II

Here we have a piece of mail purportedly from MBNA (a large credit card bank headquartered in an impressively large and anonymous building in Wilmington DE that I walked past a few weeks ago) about a utility bill that perhaps is available in their system for me to pay. Again the only thing I changed was to turn the target address to xxx@yyy.com. All of the X- headers were in the original mail.

Clues:

  • Comes from customercenter.net, which is not MBNA
  • Has a lot of dubious 10.x.x.x Received headers referring to Checkfree, which isn't MBNA either
  • Has amateurish-looking X- headers
  • Body has JavaScript to concoct a URL that you're supposed to click on
  • URL links to mbnanetaccess.com. Is that really MBNA?
  • Bill is from NYSEG, which is indeed the local electric company, but anyone who looked at my WHOIS info would know that.

(I've reformatted this message a little bit to make it look OK on the weblog. The headers are verbatim other than the recipient address, and the HTML is basically the way it was. The links take you to a site that looks like MBNA.)

Return-Path: 
Received: (qmail 18498 invoked from network); 2 Mar 2005 09:54:57 -0000
Received: from outbd-pstfx.customercenter.net (208.235.248.20)
  by mail.iecc.com with SMTP; 2 Mar 2005 09:54:57 -0000
Received: from localhost (localhost.localdomain [127.0.0.1])
	by outbd-pstfx.customercenter.net (Postfix) with ESMTP id 0399C3BECA
	for ; Wed,  2 Mar 2005 04:54:56 -0500 (EST)
Received: from prod-mail.customercenter.net (elpemh03.nc.customercenter.net
    [10.30.26.53])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by outbd-pstfx.customercenter.net (Postfix) with ESMTP id A7A953BEB3
	for ; Wed,  2 Mar 2005 04:54:55 -0500 (EST)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by prod-mail.customercenter.net (Postfix) with ESMTP id 8A4E92B4021
	for ; Wed,  2 Mar 2005 04:54:55 -0500 (EST)
Received: from espgcm01 (espgcm01-appl.nc.checkfree.com [10.30.7.207])
	by prod-mail.customercenter.net (Postfix) with ESMTP
	for ; Wed,  2 Mar 2005 04:54:55 -0500 (EST)
Received: from espgcm01 (espgcm01-appl.nc.checkfree.com [10.30.7.207])
 by espgcm01-appl.nc.checkfree.com
 (iPlanet Messaging Server 5.1 (built May  7 2001))
 with ESMTP id <0ICO0017079X6L@espgcm01-appl.nc.checkfree.com> for
 xxx@yyy.com; Wed, 02 Mar 2005 04:54:41 -0500 (EST)
Date: 2 Mar 2005 04:54:41 -0500
Message-id:
    <32685630.1109757281414.JavaMail.gcmsadm@ewpexv01.nc.checkfree.com>
From: bill_pay_choice_checkfree@customercenter.net
Reply-To: bill_pay_choice_checkfree_reply@customercenter.net
To: xxx@yyy.com
Subject: You have a new e-bill from NYSEG
MIME-version: 1.0
X-Mailer: smasend
Content-type: text/html; charset=us-ascii
Content-transfer-encoding: 7BIT
X-Priority: 2 (Normal)
X-MessageId: #500219123540203007480_
X-Virus-Scanned: by amavisd-new at customercenter.net
X-Virus-Scanned: by amavisd-new at customercenter.net
 
 
You have a new e-bill from NYSEG .
         

E-bill Information

Merchant Account Number: ***********0007  
Due Date: 03/28/2005   
Amount Due: $118.88  
Account Balance:  
To pay this e-bill, click Pay. You can select a payment date, amount, and payment account after clicking Pay/View E-bill.  
 
 

If you are unable to pay this e-bill by clicking the Pay/View E-bill button, follow these steps:

  1. Sign in to Bill Pay Choice.
  2. Click on the Bill Pay logo or the Pay Bills Now button to go to the Bill Pay Choice home page.
  3. Click the Pay button for the e-bill you want to pay online.
  4. Verify the payment details are accurate (You can change the pre-filled information by clicking in the field).
  5. Click the Continue button.
  6. Confirm the payment details are correct and then click the Schedule Payment button.
Your payment is now scheduled for this e-bill. You can view your payment activity online by clicking the Payment Activity link on the left side navigation.
 

Please do not reply to this message. If you have any questions, please contact us by clicking here. Or call us at 1-800-653-2465.    

   

========================================
Please do not delete this section.
Email_ID:#500219123540203007480_
========================================


posted at: 12:29 :: permanent link to this entry :: 2 comments
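The header clues in the list above can be checked mechanically. The sketch below is an added example, not part of the original post: it walks the Received chain, marks which hop was recorded by the receiving server, and lists the domains that appear only on private-address hops the receiver cannot verify. The names analyze, my_mta and brand_domain are hypothetical, and mbna.com as the expected brand domain is an assumption.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample: a trimmed subset of the headers quoted in the post.
RAW = """\
Received: from outbd-pstfx.customercenter.net (208.235.248.20)
  by mail.iecc.com with SMTP; 2 Mar 2005 09:54:57 -0000
Received: from prod-mail.customercenter.net (elpemh03.nc.customercenter.net
    [10.30.26.53])
  by outbd-pstfx.customercenter.net (Postfix) with ESMTP id A7A953BEB3
Received: from localhost (localhost.localdomain [127.0.0.1])
  by prod-mail.customercenter.net (Postfix) with ESMTP id 8A4E92B4021
Received: from espgcm01 (espgcm01-appl.nc.checkfree.com [10.30.7.207])
  by prod-mail.customercenter.net (Postfix) with ESMTP
From: bill_pay_choice_checkfree@customercenter.net

"""

# "from HELO ([rDNS] [IP]) by HOST": covers the qmail and Postfix forms above.
HOP = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[?(\d+\.\d+\.\d+\.\d+)\]?\)"
                 r"\s+by\s+(\S+)")

def org_domain(host):
    # Assumption: last two labels; fine for these .com/.net names only.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def scope(ip):
    addr = ipaddress.ip_address(ip)
    return "loopback" if addr.is_loopback else "private" if addr.is_private else "public"

def analyze(raw, my_mta, brand_domain):
    # Only the line written by our own server (my_mta) is trustworthy;
    # every Received line below it is supplied by the sending side.
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            helo, rdns, ip, by = m.groups()
            hops.append({"from": rdns or helo, "ip": ip, "scope": scope(ip),
                         "trusted": by.lower() == my_mta})
    from_dom = org_domain(parseaddr(msg["From"])[1].rsplit("@", 1)[1])
    return {
        "hops": hops,
        "handoff_ip": next(h["ip"] for h in hops if h["trusted"]),
        "from_matches_brand": from_dom == org_domain(brand_domain),
        "unverifiable_domains": sorted({org_domain(h["from"]) for h in hops
                                        if h["scope"] == "private"}),
    }
```

Calling analyze(RAW, "mail.iecc.com", "mbna.com") reports 208.235.248.20 as the only address the receiver actually observed; the checkfree.com and customercenter.net names on the 10.x hops are claims made by the sending side.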

comments...


Looks real to me.

mbnanetaccess.com does belong to MBNA bank, name servers for mbnanetaccess.com are NS1.MBNA.COM and NS2.MBNA.COM.

MBNA does indeed use third parties to deliver its email. At least one of these third parties is listed in a number of DNSBLs.

I do agree though - it is often difficult to distinguish between MBNA email and phish.

http://chris-linfoot.net/d6plinks/CWLT-6BWFZF

(by Chris Linfoot 28 Jul 2005 03:58)


Yes, it's real
You're right, this really is from MBNA, although it looks just like a lot of phishes that are not MBNA.

(by John L 30 Jul 2005 14:47)


© 2005-2018 John R. Levine.