Annals of Phishing

For a minute there I thought I'd gotten my first phishing email from Iran. But after a look at the headers, I think maybe not?

Received: from law.miami.edu ([172.16.8.69]) by EXCHVS.law.miami.edu with Microsoft SMTPSVC;
Sun, 22 Nov 2009 18:28:14 -0500
Received: from ([194.225.184.9])
by mx-01.law.miami.edu with ESMTP id 5202001.34032630;
Sun, 22 Nov 2009 18:27:46 -0500
Received: from localhost (localhost.localdomain [127.0.0.1])
by mta.iums.ac.ir (Postfix) with ESMTP id CAFB3D74D7E;
Mon, 23 Nov 2009 02:56:57 +0330 (IRST)
X-Virus-Scanned: amavisd-new at mta.iums.ac.ir
Received: from mta.iums.ac.ir ([127.0.0.1])
by localhost (mta.iums.ac.ir [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id egIez7IMCKAL; Mon, 23 Nov 2009 02:56:57 +0330 (IRST)
Received: from mta.iums.ac.ir (mta.iums.ac.ir [194.225.184.9])
by mta.iums.ac.ir (Postfix) with ESMTP id 8333DD74D4B;
Mon, 23 Nov 2009 02:56:52 +0330 (IRST)
Date: Mon, 23 Nov 2009 02:56:47 +0330 (IRST)
From: OWA Management Group
Message-ID: <2520384.58051258932407817.JavaMail.root@zimbra.iums.ac.ir>
Subject: Account Update
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Originating-IP: [173.162.144.44]
X-Mailer: Zimbra 5.0.16_GA_2921.RHEL4 (zclient/5.0.16_GA_2921.RHEL4)
To: undisclosed-recipients:;

It all looks very convincing…the IP numbers in the top part are Iranian. I might believe except for that last little bit, the X-Originating-IP … that comes from Comcast here in the US of A. Whether it went via Iran, or most of it is a forgery, I can't quite tell, as it's odd that this IP number doesn't appear anywhere else. I suppose another possibility is that it really is Iranian, and someone forged the X-Originating-IP to make it look like it came from Comcast, but I'm not sure why they would bother.

This entry was posted in Internet. Bookmark the permalink.

4 Responses to Annals of Phishing

  1. do-not-reply says:

    The Zimbra Collaboration Suite includes, inter alia, an Ajax Webmail Client. Personally, I’m not familiar with it. But a very quick look at your headers, leads me to suspect that the Iranian site has an exploitable installation.

    In an earlier, more innocent age, I might have followed up on something like this a bit more. The goal would have been to verify my suspicion, and then, upon verification, try to work with the open relay site to get their email locked down against abuse.

    These days, though… Roughly ninety percent of all email traffic is spam. And network maladies like spamming botnets are pushed by organized crime.

    At a gross level, I think we must conclude that the earlier approaches failed.

    I feel a small twinge of guilt for my slight contribution to that failure. On an objective level, what I and others did, just didn’t work. We most probably should have done something different.

  2. Rhodo Zeb says:

    Externalities should be internalized. You are exactly right that botnets are run by organized crime in some or many, but by no means all, cases.

    Porous operating systems allow for these botnets to be effective and profitable. It is fast becoming a public problem, these insecure boxes that, once turned into zombies, send out hundreds of thousands of spam or phishing messages to people around the globe.

    Is it unreasonable to ask the government to provide standards or requirements for security? That would appear to be the only thing that might make Microsoft build a secure operating system.

  3. David says:

    Faking the originating IP would matter to someone trying to evade a country’s firewall; the great firewall of china would probably be the first non-Iran example that comes to mind. Although it would be sloppy to not protect against spoofed packets, it wouldn’t be unheard-of either.

    I’ve tested Zimbra and found it Not There Yet (for our needs), but it is quite impressive. They got bought out by Yahoo — if you’ve used Yahoo’s “new” webmail interface, you’re already a little familiar with the Zimbra webmail interface.

    If I had to guess (without access to their logs,) I would guess that the message was relayed through the Iran Zimbra install from the comcastbusiness.net address. So yes, from Iran. But not from someone in Iran.

  4. do-not-reply says:

    They got bought out by Yahoo — if you’ve used Yahoo’s “new” webmail interface, you’re already a little familiar with the Zimbra webmail interface.

    I don’t like Yahoo!’s privacy policy.

    And, bending the topic a little bit… to speak of privacy… I suspect Michael may be familar with the District of Oregon’s decision In re: United States. With Judge Mosman’s opinion in mind, I think ethical lawyers should just get in the habit of using GPG or S/MIME for all their email. Preserving client confidentiality should be part of the normal course of business.

    Be a good habit for Michael to get his students into.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Notify me of followup comments via e-mail. You can also subscribe without commenting.