[LINK] LinkedIn spook or an actual break ?
Jan Whitaker
jwhit at janwhitaker.com
Tue Jun 12 09:21:02 AEST 2012
Linkers,

Given the recent LinkedIn concerns, I was alert when this came today.
Note the envelope is not via LinkedIn, but that there is a path
point that *is* LinkedIn, unless that is also faked by the spammer.
The 'From' line is easy to fake. Anyone have any insight on decoding
email headers to see if this is a result of the recent LinkedIn
breach? I don't know any of these people, so I shouldn't be in their
personal contact information and I'm pretty well locked down in
LinkedIn regarding exposure of anything much.

Return-path: <AbdielGrullon at me.com>
Envelope-to: jwhit at janwhitaker.com
Delivery-date: Mon, 11 Jun 2012 15:34:07 -0400
Received: from [78.93.119.125] (port=1947)
    by pearl.host-care.com with esmtp (Exim 4.77)
    (envelope-from <AbdielGrullon at me.com>)
    id 1SeANH-0002sq-Ar
    for jwhit at janwhitaker.com; Mon, 11 Jun 2012 15:34:05 -0400
Received: from mailb-de.linkedin.com ([199.101.160.75]) by
    mx6.me.com.akadns.net;
    Mon, 11 Jun 2012 04:33:58 -0800
Sender: messages-noreply at bounce.linkedin.com
Date: Mon, 11 Jun 2012 04:33:58 -0800
From: Shanell Overton via LinkedIn <member at linkedin.com>
Reply-To: Shanell Overton <AbdielGrullon at me.com>
To: jwhit <jwhit at janwhitaker.com>
Message-ID: <860616863.5663454.0581957894672.JavaMail.app at ela4-app0647.prod>
Subject: Fwd: Wire Transfer (9007VB04)
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_Part_3389225_1459608723.5057231173308"
X-LinkedIn-Template: email_type_MEBC_MEBC
X-LinkedIn-Class: MBR-TO-MBR
X-LinkedIn-fbl: s-82HNOBWN1SSYZVV0P4U17KX0UA7W5BOE70S1YN-073HWVDKC5PMA1B
X-OriginalArrivalTime: Mon, 11 Jun 2012 04:33:58 -0800
    FILETIME=[1D4B1D4B:6F87D499]
X-Spam-Status: No, score=5.2
X-Spam-Score: 52
X-Spam-Bar: +++++
X-Ham-Report: Spam detection software, running on the system
    "pearl.host-care.com", has
    identified this incoming email as possible spam. The original message
    has been attached to this so you can view it (if it isn't spam) or label
    similar future email. If you have any questions, see
    the administrator of that system for details.
    Content preview: Dear Bank Account Operator,WIRE TRANSACTION:
    WIRE-4555045775408245CURRENT
    STATUS: CANCELLED You can find details in the attached
    file.(Internet Explorer
    file) Dear Bank Account Operator, WIRE TRANSACTION: WIRE-4555045775408245
    CURRENT STATUS: CANCELLED [...]
    Content analysis details: (5.2 points, 7.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                                [Blocked - see
                                <http://www.spamcop.net/bl.shtml?78.93.119.125>]
     0.4 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                                [78.93.119.125 listed in zen.spamhaus.org]
     3.3 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
    -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at http://www.dnswl.org/, no
                                trust
                                [78.93.119.125 listed in list.dnswl.org]
     2.7 RCVD_IN_PSBL           RBL: Received via a relay in PSBL
                                [78.93.119.125 listed in psbl.surriel.com]
     1.3 RCVD_IN_RP_RNBL        RBL: Relay in RNBL,
                                https://senderscore.org/blacklistlookup/
                                [78.93.119.125 listed in
                                bl.score.senderscore.com]
     1.4 RCVD_IN_BRBL_LASTEXT   RBL: RCVD_IN_BRBL_LASTEXT
                                [78.93.119.125 listed in bb.barracudacentral.org]
     0.7 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
     1.5 DATE_IN_PAST_06_12     Date: is 6 to 12 hours before Received: date
     0.0 HTML_MESSAGE           BODY: HTML included in message
     0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                                [score: 0.5000]
     0.8 RDNS_NONE              Delivered to internal network by a host
                                with no rDNS
    -9.2 AWL                    AWL: From: address is in the auto white-list
X-Spam-Flag: NO

Melbourne, Victoria, Australia
jwhit at janwhitaker.com
blog: http://janwhitaker.com/jansblog/
business: http://www.janwhitaker.com
Our truest response to the irrationality of the world is to paint or
sing or write, for only in such response do we find truth.
~Madeline L'Engle, writer
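
One way to approach the header-decoding question in the post above, as an added example that is not part of the original message: each mail server prepends its own Received line, so only the topmost one (written by the recipient's server) records an observed connection, and every line below it arrived as part of the message. The function names and the chain-gap check are assumptions of this sketch; the gap check is a heuristic, not proof of forgery.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers copied from the post above (addresses keep the archive's " at " form).
RAW = """\
Received: from [78.93.119.125] (port=1947)
 by pearl.host-care.com with esmtp (Exim 4.77)
 (envelope-from <AbdielGrullon at me.com>)
 id 1SeANH-0002sq-Ar
 for jwhit at janwhitaker.com; Mon, 11 Jun 2012 15:34:05 -0400
Received: from mailb-de.linkedin.com ([199.101.160.75]) by
 mx6.me.com.akadns.net;
 Mon, 11 Jun 2012 04:33:58 -0800
Date: Mon, 11 Jun 2012 04:33:58 -0800
Subject: Fwd: Wire Transfer (9007VB04)
"""

def parse_hops(raw):
    """Return Received hops, newest first, as dicts with peer, by and when."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        clauses, _, stamp = flat.rpartition(";")  # timestamp follows the last ';'
        peer = re.search(r"from (.+?) by ", clauses)
        by = re.search(r" by (\S+)", clauses)
        hops.append({"peer": peer.group(1) if peer else "",
                     "by": by.group(1) if by else "",
                     "when": parsedate_to_datetime(stamp.strip())})
    return hops

def analyse(raw):
    """Separate the observed top hop from the claims carried in below it."""
    hops = parse_hops(raw)
    sent = parsedate_to_datetime(message_from_string(raw)["Date"])
    trusted = hops[0]  # written by the recipient's own MTA
    ip = re.search(r"\[([0-9.]+)\]", trusted["peer"])
    # Heuristic: the host that stamped the hop below should be the peer of the hop above.
    gaps = [(up["peer"], down["by"]) for up, down in zip(hops, hops[1:])
            if down["by"].lower() not in up["peer"].lower()]
    return {"connecting_ip": ip.group(1) if ip else None,
            "received_by": trusted["by"],
            "unverified_hops": [h["peer"] for h in hops[1:]],
            "chain_gaps": gaps,
            "delay_hours": round((trusted["when"] - sent).total_seconds() / 3600, 2)}

if __name__ == "__main__":
    print(analyse(RAW))
```

The connecting address it reports is the same one the blocklist rules in the spam report matched, and the delay it computes is the gap that the DATE_IN_PAST_06_12 rule scored.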