Email Hoax being circulated to Exetel users

Dazzled
Volunteer Site Admin
Posts: 6002
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Email Hoax being circulated to Exetel users

Post by Dazzled » Sat Feb 27, 2010 9:25 pm

You'd be surprised just how much of this stuff becomes relatively harmless if you simply turn HTML display off in your mail client. The World Wide Web Consortium has always discouraged HTML in emails, and when used it usually breaches the coding standards. Unfortunately a company in Redmond regards itself as the only standard, and has opened up yet another door for abusers with its email clients.

I'm fighting a losing battle though, as even companies with serious security concerns, like banks, insist on sending HTML encoded emails.

jokiin
Volunteer Site Admin
Posts: 2970
Joined: Mon Feb 02, 2004 10:23 pm
Location: Sydney

Re: Email Hoax being circulated to Exetel users

Post by jokiin » Sat Feb 27, 2010 10:48 pm

Dazzled wrote:
> You'd be surprised just how much of this stuff becomes relatively harmless if you simply turn HTML display off in your mail client. The World Wide Web Consortium has always discouraged HTML in emails, and when used it usually breaches the coding standards. Unfortunately a company in Redmond regards itself as the only standard, and has opened up yet another door for abusers with its email clients.
>
> I'm fighting a losing battle though, as even companies with serious security concerns, like banks, insist on sending HTML encoded emails.

As much as I understand the downsides of HTML email, it is just so much easier on the eyes.

BrickPilot
Posts: 4
Joined: Sat Dec 13, 2008 8:43 pm
Location: Australia

Re: Email Hoax being circulated to Exetel users

Post by BrickPilot » Sun Apr 25, 2010 12:54 am

More spam that goes like this.....

Dear Customer,

Access To Your Account Is about to Expire,
We advise you update your account to avoid Suspension .

Please click the link below to update your access.
https://www.exetel.com.au/login/

Thank you.

exetel Helpdesk Service.



ip=213.198.65.205

Dazzled
Volunteer Site Admin
Posts: 6002
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Email Hoax being circulated to Exetel users

Post by Dazzled » Sun Apr 25, 2010 7:45 am

BrickPilot, the message you quote almost certainly has an HTML display hiding the criminal's actual link, which goes to a distant server. Turning HTML display off in email clients makes this kind of fraud obvious.

See such articles as http://www.efn.no/html-bad.html. This gives many reasons why HTML is a bad idea, but its use to disguise fraud should go to the top of the list.

You can also use a permanent javascript which checks all linked text that purports to be a URL. If the text doesn't match the underlying href URL, a warning icon is displayed, often when hovering. Decent browsers have this add-on ability, but fewer popular email clients.
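
The check described in the post above, as an added example that is not part of the original post: a Node.js sketch that compares link text that looks like a URL with the host in the underlying href. The function names and the placeholder host `login.phish.example` are assumptions made for illustration.

```javascript
// Added example (not from the thread). Runs under Node.js without a DOM.

// Hostname if `s` looks like a URL or bare domain name, otherwise null.
function hostOf(s) {
  const t = s.trim();
  const urlLike = /^(https?:\/\/)?[a-z0-9-]+(\.[a-z0-9-]+)+([\/:?#]\S*)?$/i;
  if (!urlLike.test(t)) return null;
  try {
    const withScheme = /^https?:\/\//i.test(t) ? t : "http://" + t;
    return new URL(withScheme).hostname.toLowerCase();
  } catch (e) {
    return null; // not parseable as a URL after all
  }
}

// Report every <a> whose visible text names one host while its href
// targets a different one.
function findDeceptiveLinks(html) {
  const findings = [];
  const anchor = /<a\b[^>]*?\bhref\s*=\s*(["'])(.*?)\1[^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchor.exec(html)) !== null) {
    const href = m[2];
    const text = m[3].replace(/<[^>]*>/g, "").trim(); // drop nested tags
    const shown = hostOf(text);
    const actual = hostOf(href);
    if (shown && actual && shown !== actual) {
      findings.push({ text, href, shown, actual });
    }
  }
  return findings;
}

// Constructed sample. login.phish.example is a placeholder host; the real
// target of the message quoted in the thread is not shown on this page.
const SAMPLE_HTML = `
<p>Please click the link below to update your access.</p>
<a href="http://login.phish.example/exetel/">https://www.exetel.com.au/login/</a>
<a href="https://www.exetel.com.au/login/">www.exetel.com.au</a>
<a href="http://login.phish.example/exetel/">CLICK HERE</a>
`;

for (const f of findDeceptiveLinks(SAMPLE_HTML)) {
  console.log(`WARNING: text shows ${f.shown} but link goes to ${f.actual}`);
}
```

Only the first sample link is reported. A link whose text is a phrase such as "CLICK HERE" claims no URL, so this comparison has nothing to check and the href still has to be read directly.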

allesklar
Posts: 29
Joined: Sat Apr 22, 2006 1:12 am
Location: Lismore, NSW

Re: Email Hoax being circulated to Exetel users

Post by allesklar » Mon Nov 05, 2012 9:42 am

Same old same old is back again:
Here's what I received


Return-path: <Mingliang.Li@tudelft.nl>
Envelope-to: possibly@exemail.com.au
Delivery-date: Sat, 03 Nov 2012 09:19:35 +1100
Received: from chestnut2.exetel.com.au ([220.233.0.75])
    by chestnut.exetel.com.au with esmtp (Exim 4.71)
    (envelope-from <Mingliang.Li@tudelft.nl>)
    id 1TUPaP-0006IX-AJ; Sat, 03 Nov 2012 09:19:33 +1100
Received: from ipmx2.po.exetel.com.au ([220.233.2.146] helo=mscip02.mailsentry.net.au)
    by chestnut2.exetel.com.au with esmtp (Exim 4.71)
    (envelope-from <Mingliang.Li@tudelft.nl>)
    id 1TUPaO-00013t-Hj; Sat, 03 Nov 2012 09:19:32 +1100
Received: from mailservice.tudelft.nl ([130.161.131.5])
    by mscip02.mailsentry.net.au with ESMTP; 03 Nov 2012 09:19:12 +1100
Received: from localhost (localhost [127.0.0.1])
    by amavis (Postfix) with ESMTP id 19624108C039;
    Fri, 2 Nov 2012 23:18:53 +0100 (CET)
X-Virus-Scanned: amavisd-new at tudelft.nl
X-Spam-Flag: NO
X-Spam-Score: -1.106
X-Spam-Level:
X-Spam-Status: No, score=-1.106 tagged_above=-99 required=5
    tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RDNS_NONE=0.793]
    autolearn=no
Received: from mailservice.tudelft.nl ([130.161.131.74])
    by localhost (tudelft.nl [127.0.0.1]) (amavisd-new, port 10026)
    with ESMTP id 45UUNG6dR9u7; Fri, 2 Nov 2012 23:18:52 +0100 (CET)
Received: from srv351.tudelft.net (mailboxcluster1.tudelft.net [131.180.6.101])
    by mx3.tudelft.nl (Postfix) with ESMTP id C09D3108C00C;
    Fri, 2 Nov 2012 23:18:50 +0100 (CET)
Received: from SRV366.tudelft.net ([fe80::1810:8a19:3192:6e95]) by
    srv351.tudelft.net ([::1]) with mapi id 14.02.0318.001; Fri, 2 Nov 2012
    23:18:47 +0100
From: Mingliang Li - CITG <Mingliang.Li@tudelft.nl>
To: "no-reply@exemail.com.au" <no-reply@exemail.com.au>
Subject: Important
Thread-Topic: Important
Thread-Index: Ac25SAa9OePjoYwCSH6QotwvV1yf5g==
Date: Fri, 2 Nov 2012 22:18:46 +0000
Message-ID: <E2EB035C296CD04A85389E86B3BB7740B1FD1B@SRV366.tudelft.net>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative;
    boundary="_000_E2EB035C296CD04A85389E86B3BB7740B1FD1BSRV366tudelftnet_"
MIME-Version: 1.0

<x-html><!x-stuff-for-pete base="" src="" id="0" charset="gb2312"><html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style>
</head>
<body ocsi="0" fpstyle="1">
<div style="direction: ltr;font-family: Tahoma;color: #000000;font-size: 10pt;">Your exetel.com.au Account (Email&Sms) Has Exceeded It Quota/Limit As Set By Your Administration, And You May Not Be Able To Send Or Receive New Mails and Sms Until You Re-Validate
It. To Re-Validate, Please <a href="http://exemcmau.atspace.cc">CLICK HERE</a></div>
</body>
</html>

</x-html>
Relax... nothing can go wr

Dazzled
Volunteer Site Admin
Posts: 6002
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Email Hoax being circulated to Exetel users

Post by Dazzled » Mon Nov 05, 2012 10:37 am

There should be a word with someone at the Delft University of Technology.

gondy
Posts: 23
Joined: Mon Apr 25, 2005 6:40 pm
Location: Sydney, Australia

Re: Email Hoax being circulated to Exetel users

Post by gondy » Tue Feb 04, 2014 1:18 pm

More rubbish. This is via aol and internap. Is the SPF pass only the result of exetel forwarding the email? Does exetel use SPF when forwarding messages?



Delivered-To: xxx
Received: by 10.220.92.194 with SMTP id s2csp152022vcm;
    Mon, 3 Feb 2014 16:11:32 -0800 (PST)
X-Received: by 10.68.229.164 with SMTP id sr4mr39865150pbc.82.1391472692051;
    Mon, 03 Feb 2014 16:11:32 -0800 (PST)
Return-Path: <update@exetel.com.au>
Received: from smtp.po.exetel.com.au (pecan-mail.exetel.com.au. [220.233.0.8])
    by mx.google.com with ESMTP id i8si22339390pav.103.2014.02.03.16.11.31
    for <xxx>;
    Mon, 03 Feb 2014 16:11:32 -0800 (PST)
Received-SPF: pass (google.com: domain of update@exetel.com.au designates 220.233.0.8 as permitted sender) client-ip=220.233.0.8;
Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of update@exetel.com.au designates 220.233.0.8 as permitted sender) smtp.mail=update@exetel.com.au
Received: from chestnut.exetel.com.au ([220.233.0.35])
    by smtp.po.exetel.com.au with esmtp (Exim 4.80)
    (envelope-from <update@exetel.com.au>)
    id 1WATbu-0007Te-RO
    for xxx; Tue, 04 Feb 2014 11:11:30 +1100
Received: from chestnut2.exetel.com.au ([220.233.0.75])
    by chestnut.exetel.com.au with esmtp (Exim 4.71)
    (envelope-from <update@exetel.com.au>)
    id 1WATbu-0005T7-6Z; Tue, 04 Feb 2014 11:11:30 +1100
Received: from ipmx2.po.exetel.com.au ([220.233.2.146] helo=mscip02.mailsentry.net.au)
    by chestnut2.exetel.com.au with esmtp (Exim 4.71)
    (envelope-from <update@exetel.com.au>)
    id 1WATbt-0008WS-Rx; Tue, 04 Feb 2014 11:11:29 +1100
Received: from acorn.exetel.com.au ([220.233.0.21])
    by mscip02.mailsentry.net.au with ESMTP; 04 Feb 2014 11:11:26 +1100
Received: from localhost ([127.0.0.1] helo=webmail.exetel.com.au)
    by acorn.exetel.com.au with esmtp (Exim 4.71)
    (envelope-from <update@exetel.com.au>)
    id 1WATbq-0000Sz-E8; Tue, 04 Feb 2014 11:11:26 +1100
Received: from 172.163.6.23
    (SquirrelMail authenticated user waugh@exemail.com.au)
    by webmail.exetel.com.au with HTTP;
    Tue, 4 Feb 2014 11:11:26 +1100
Message-ID: <8ad14965140075cbc6d8bc8ff49df805.squirrel@webmail.exetel.com.au>
Date: Tue, 4 Feb 2014 11:11:26 +1100
Subject: Final Notice (Urgent Action Required)
From: "Exetel Internet Broadband Team" <update@exetel.com.au>
Reply-To: cstmrcrservice@hotmail.com
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal

Dear Exetel Communication Subscriber

An HTK4S virus has been detected in the Exetel Internet Broadband E-mail
Login server,and
all exetel.com.au accounts need to be upgraded immediately to prevent
damage to the Exetel Internet Broadband server.

You are therefore required to verify your account to enable us verify and
perform maintenance in your account with the new HTK4S
anti-virus/anti-Spam version 2014.

To verify Your account click
https://<donotclick>.creator.zoho.com/p0166534413/copy-1-of-support-desk/form-perma/Welcome_to_Central_Authentication_Service/FyEp7EbEpv0Hnq6CPf12DaM4Nk0KftnnKPV39mJDgBU7aZDOJrHYZ3jqurjkbsH91r2MfSyr4RYGYVtfC8Kfyj7VxFeR0Fme3WmT/donotclick

failure to verify your your account details, your account will be suspended
permanently from our services.


Copyright© Exetel Internet Broadband 2014 All Rights Reserved
That's my 2¢, which these days gets rounded to zero!

glend
Posts: 30
Joined: Thu Oct 11, 2012 5:22 pm
Location: Exetel Sydney

Re: Email Hoax being circulated to Exetel users

Post by glend » Tue Feb 04, 2014 3:51 pm

Yes, the Received-SPF is added by our system as the mail passes through.

Glen
System Admin
Exetel
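
An added example, not part of any post in this thread: a Node.js sketch that reads the header gondy posted and reports the SPF verdict next to the From and Reply-To domains. SPF evaluates only the envelope sender (`smtp.mail`) against the connecting IP, so a pass does not cover where replies will go. The sample is abridged from that header and the function names are hypothetical.

```javascript
// Added example (not from the thread). Runs under Node.js.

// Unfold continuation lines, then map each lower-cased header name to the
// list of values seen (headers such as Received repeat).
function parseHeaders(raw) {
  const unfolded = raw.replace(/\r?\n[ \t]+/g, " ");
  const headers = {};
  for (const line of unfolded.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i <= 0) continue; // blank line or not a header
    const name = line.slice(0, i).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(i + 1).trim());
  }
  return headers;
}

// Domain part of the first address found in a header value, or null.
function domainOf(value) {
  const m = /[^\s<>"@]+@([a-z0-9.-]+)/i.exec(value || "");
  return m ? m[1].toLowerCase() : null;
}

// Summarise what SPF actually vouched for and flag a Reply-To that leaves
// the From domain.
function assessMessage(raw) {
  const h = parseHeaders(raw);
  const first = (name) => (h[name] || [])[0] || "";
  const auth = first("authentication-results");
  const spf = /\bspf=(\w+)/i.exec(auth);
  const envelope = /\bsmtp\.mail(?:from)?=(\S+)/i.exec(auth);
  const from = domainOf(first("from"));
  const replyTo = domainOf(first("reply-to"));
  const notes = [];
  if (from && replyTo && from !== replyTo) {
    notes.push(`Reply-To domain ${replyTo} differs from From domain ${from}`);
  }
  return {
    spf: spf ? spf[1].toLowerCase() : "none",
    spfDomain: envelope ? domainOf(envelope[1]) : null,
    from, replyTo, notes,
  };
}

// Sample abridged from the header posted above (folded line kept folded).
const SAMPLE_HEADERS = `Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of update@exetel.com.au designates 220.233.0.8 as permitted sender) smtp.mail=update@exetel.com.au
Subject: Final Notice (Urgent Action Required)
From: "Exetel Internet Broadband Team" <update@exetel.com.au>
Reply-To: cstmrcrservice@hotmail.com
User-Agent: SquirrelMail/1.4.21
`;

console.log(assessMessage(SAMPLE_HEADERS));
```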

IanS
Posts: 265
Joined: Fri Jun 25, 2004 11:32 pm
Location: Newcastle

Re: Email Hoax being circulated to Exetel users

Post by IanS » Wed Jun 25, 2014 6:26 pm

I've received 2 emails with the subject "Important changes to your monthly bill" with the following header:
X-Kaspersky: Checking
Return-Path: <bounce-mc.us3_26002911.405213-xxx=exemail.com.au@mail48.atl71.mcdlv.net>
Envelope-to: xxx@exemail.com.au
Delivery-date: Wed, 25 Jun 2014 18:00:50 +1000
Received: from chestnut2.exetel.com.au ([220.233.0.75]) by chestnut.exetel.com.au with esmtp (Exim 4.71) (envelope-from <bounce-mc.us3_26002911.405213-xxx=exemail.com.au@mail48.atl71.mcdlv.net>) id 1Wzi8Q-0002V3-UX for xxx@exemail.com.au; Wed, 25 Jun 2014 18:00:50 +1000
Received: from ipmx2.po.exetel.com.au ([220.233.2.146] helo=mscip02.mailsentry.net.au) by chestnut2.exetel.com.au with esmtp (Exim 4.71) (envelope-from <bounce-mc.us3_26002911.405213-xxx=exemail.com.au@mail48.atl71.mcdlv.net>) id 1Wzi8Q-0003LD-RA for xxx@exemail.com.au; Wed, 25 Jun 2014 18:00:50 +1000
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvgSABGBqlPGAoEwgWdsb2JhbABADgUHgkaBGS+DFQOqUWaMQIE5BBMFAYZsTgECAQEjbhYPAQELCwkHFCqECAUaBgoTAwECAgYDKQEFCi8ICwEJAgIxLA8EARwEh0RdDTaocgF3S1kNG4M8AlWBEBCXNQEGgUGLK4EqBBEBCEkQgiwPMhKBOoRoAoNMiFeCRIJxhBSBRoweh0mCAD0vAQV8AgcXA4EZ
X-IronPort-AV: E=Sophos;i="5.00,775,1396965600"; d="scan'208,217";a="138684111"
Received: from mail48.atl71.mcdlv.net ([198.2.129.48]) by mscip02.mailsentry.net.au with ESMTP; 25 Jun 2014 18:00:48 +1000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail48.atl71.mcdlv.net; h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=do-not-reply=3Dexetel.com.au@mail48.atl71.mcdlv.net; bh=vaxIQ487Cc+rLQz2fZxfK9sgIMg=; b=wMF9P4dNjHr5ec+fQ5ei0vr3i6p4UsPh/+VkEfk+Mi/Koh063mF66czzAk3EehIl80HSQJW63mHQ pFwMbhl1JIOuoE2DvEDoOMyV5xUIE0PeTkVc7n5HNJ71mwbRzid+BuG/UkhdwoYu2VbfLJXLfHAo cfsOZueYyWKt8HumL1o=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail48.atl71.mcdlv.net; b=NYv5y2FIpKxqxiWBuK2qhHhSlsYc7HW00dptwQ0HmYbNPs3CfQ+dUUOxGard77fhv02DU62xUEW0 GsM0AtZ2wmqLrnCMFRCopmbIk68tYUdi1QsHv46GbH2uFGSVb5Culke9y4DwQgofFD8eZT7TatDP P8p9B1ChmGV4PJveGUM=;
Received: from (127.0.0.1) by mail48.atl71.mcdlv.net id hla0r0174f4s for <xxx@exemail.com.au>; Wed, 25 Jun 2014 07:03:12 +0000 (envelope-from <bounce-mc.us3_26002911.405213-xxx=exemail.com.au@mail48.atl71.mcdlv.net>)
Subject: Important changes to your monthly bill
From: "Exetel" <do-not-reply@exetel.com.au>
Reply-To: "Exetel" <do-not-reply@exetel.com.au>
To: <xxx@exemail.com.au>
Date: Wed, 25 Jun 2014 07:03:12 +0000
Message-ID: <74afddbd0d29288f373b31f9f83b0b607d9.20140625070232@mail48.atl71.mcdlv.net>
X-Mailer: MailChimp Mailer - **CID1abad4cdc783b0b607d9**
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17609
X-SpamFlt-Status: Not Detected
X-Campaign: mailchimp74afddbd0d29288f373b31f9f.1abad4cdc7
X-KASFlt-Status: {Return-Path: random string in envelope-from}
X-KASFlt-Status: {Sent by MailChimp Email Marketer [gray engine]}
X-KASFlt-Status: Lua profiles 63039 [Jun 25 2014]
X-KASFlt-Status: Version: 5.2.1
X-KASFlt-Status: {Has list-unsubscribe header [mass mail]}
X-KASFlt-Status: Status: not_detected
X-KASFlt-Status: Method: none
X-KASFlt-Status: {Unsubscribe in URL [mass mail]}
X-KASFlt-Status: Rate: 10
X-SpamFlt-Phishing: Not Detected
X-campaignid: mailchimp74afddbd0d29288f373b31f9f.1abad4cdc7
X-Report-Abuse: Please report abuse for this campaign here: http://www.mailchimp.com/abuse/abuse.ph ... 83b0b607d9
X-MC-User: 74afddbd0d29288f373b31f9f
X-Feedback-ID: 26002911:26002911.405213:us3:mc
X-Accounttype: pd
List-Unsubscribe: <mailto:unsubscribe-74afddbd0d29288f373b31f9f-1abad4cdc7-83b0b607d9@mailin1.us2.mcsv.net?subject=unsubscribe>, <http://exetel.us3.list-manage.com/unsub ... 1abad4cdc7>
Sender: "Exetel" <do-not-reply=exetel.com.au@mail48.atl71.mcdlv.net>
x-mcda: FALSE
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_00C3_01CF90A0.2DD821E0"
MIME-Version: 1.0

I haven't found any reference to the so-called billing changes either on the forum or Exetel's website. The hyperlinks look suspicious & I wouldn't think Exetel would use an external email list provider to email their customers.

Can someone confirm this is junk & possibly adjust the SPAM filter to capture this crud?

IanS
Attachments
Billing changes 1.PNG (70.75 KiB)
billing changes 2.PNG (44.84 KiB)

Gidget
Volunteer Site Admin
Posts: 1811
Joined: Wed Jan 28, 2004 4:33 am
Location: Sydney

Re: Email Hoax being circulated to Exetel users

Post by Gidget » Wed Jun 25, 2014 7:05 pm

I believe the emails are legitimate (I got some too) and the content does not sound suspicious. Mailchimp is a well-known mass-mailing site used by lots of companies. However, my opinion isn't an official answer from Exetel so you should wait to hear officially from Exetel staff.
Log a fault ticket here
or call Exetel VOIP numbers (02) 8030 1000 or 1300 788 141 (log faults 24x7)
Exetel Support Portal

Dazzled
Volunteer Site Admin
Posts: 6002
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: Email Hoax being circulated to Exetel users

Post by Dazzled » Wed Jun 25, 2014 7:47 pm

I had to dig one out of a trap. Mailchimp is on so many block lists. My own copy was plain text first. Dopey enough to specify a load of Windows fonts.

IanS
Posts: 265
Joined: Fri Jun 25, 2004 11:32 pm
Location: Newcastle

Re: Email Hoax being circulated to Exetel users

Post by IanS » Wed Jun 25, 2014 8:10 pm

Just checked the email I received last week & it was for broadband & telephone customers.
A friend has just forwarded me another one, this time for VoIP customers.

KavindaS
Forum Admin
Posts: 2253
Joined: Wed Dec 23, 2009 3:59 pm
Location: Sydney

Re: Email Hoax being circulated to Exetel users

Post by KavindaS » Wed Jun 25, 2014 8:42 pm

IanS wrote:
> I've received 2 emails with the subject "Important changes to your monthly bill" with the following header:
>
> I haven't found any reference to the so-called billing changes either on the forum or Exetel's website. The hyperlinks look suspicious & I wouldn't think Exetel would use an external email list provider to email their customers.
>
> Can someone confirm this is junk & possibly adjust the SPAM filter to capture this crud?
>
> IanS

Hi Ian,
Thanks for the information. As stated, we have sent these emails to our customers according to the services they have. Therefore the email content which you have received appears to be legitimate. However, considering the external email list provider you have pointed out, I will further get this confirmed with our developers and update the thread.

James
Exetel Staff
Posts: 1974
Joined: Mon May 09, 2005 10:27 pm

Re: Email Hoax being circulated to Exetel users

Post by James » Thu Jun 26, 2014 6:48 pm

It is a legit email.

IanS
Posts: 265
Joined: Fri Jun 25, 2004 11:32 pm
Location: Newcastle

Re: Email Hoax being circulated to Exetel users

Post by IanS » Thu Jun 26, 2014 8:22 pm

James wrote:
> It is a legit email.

Next time can we do a post to the forum regarding these types of notification email? With all the phishing scam email floating around in cyberspace, people seem to brush these types of email off as SPAM. We're all used to our online banking, eBay & PayPal accounts posting copies of email they send out within their secure user facilities.

Maybe that's the solution: when these emails go out, make them available to be read & verified from within the user facilities. Don't place hyperlinks within the email (it's been drummed into us not to click on links), just a simple message "Please log on to your secure user facilities to view an important message regarding your account" & let the user open their browser & navigate to Exetel.

Just my 2c worth
IanS
