Latest HughesNet Phishing Scam / Spam, Dated 02/17/18

Advanced Tutor

Beware the following scam mail:

[Image: HughesNet Spam.JPG]

 

Spamvertized link: http :// bit . do/d7kxB redirects to http :// www . goldchess . com . mo/hughes/signin/ 

El Dorado Networks |Diamond Springs, CA | eldoradonetworks.com
Advanced Tutor

Re: Latest HughesNet Phishing Scam / Spam, Dated 02/17/18

Thank you @El Dorado Netwo

 

P.S. Did you change your username? The 'rks' is missing from networks. I wasn't sure if perhaps you had dropped it or not.

Distinguished Professor IV

Re: Latest HughesNet Phishing Scam / Spam, Dated 02/17/18

Sheesh!   That's a new one, and quite interesting.  

 

Thanks for the heads up. :)


AMD FX-6100 | Samsung 250GB 840 EVO SSD | Western Digital Blue 500GB HDD | 16GB DDR3-1866 | EVGA Geforce GTX 550ti | Windows 10 Pro 64-bit
Assistant Professor

Re: Latest HughesNet Phishing Scam / Spam, Dated 02/17/18

.mo is Macau. That's certainly a first for me.

Any way to sanitize the headers and post them here?


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.
Advanced Tutor

Re: Latest HughesNet Phishing Scam / Spam, Dated 02/17/18

Return-Path: hughescare@nosecurealerts.com
Received: from mx01.hughes.cmh.synacor.com (LHLO mx.hughes.net) (10.33.3.39)
 by md11.hughes.cmh.synacor.com with LMTP; Sat, 17 Feb 2018 20:54:19 -0500
 (EST)
Return-Path: <hughescare@nosecurealerts.com>
Received: from [104.47.37.232] (helo=NAM02-CY1-obe.outbound.protection.outlook.com)
X_CMAE_Category: 0,0 Undefined,Undefined
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
Authentication-Results: mx01.hughes.cmh.synacor.com smtp.mail=hughescare@nosecurealerts.com; spf=pass; sender-id=pass
Authentication-Results: mx01.hughes.cmh.synacor.com header.from=hughescare@nosecurealerts.com; sender-id=pass
Received-SPF: pass (mx01.hughes.cmh.synacor.com: domain nosecurealerts.com designates 104.47.37.232 as permitted sender)
Received: from [104.47.37.232] ([104.47.37.232:45252] helo=NAM02-CY1-obe.outbound.protection.outlook.com)
	by mx.hughes.net (envelope-from <hughescare@nosecurealerts.com>)
	(ecelerity 2.2.3.49 r(42060/42061)) with ESMTP
	id 5A/DC-12303-7CCD88A5; Sat, 17 Feb 2018 20:54:18 -0500
Received: from BN6PR2201MB1283.namprd22.prod.outlook.com (10.174.81.147) by
 BN6PR2201MB1508.namprd22.prod.outlook.com (10.174.91.29) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.506.18; Sun, 18 Feb 2018 01:53:03 +0000
Received: from BN6PR2201MB1283.namprd22.prod.outlook.com ([10.174.81.147]) by
 BN6PR2201MB1283.namprd22.prod.outlook.com ([10.174.81.147]) with mapi id
 15.20.0506.021; Sun, 18 Feb 2018 01:53:03 +0000
From: HughesNet Care <hughescare@nosecurealerts.com>
Subject: Important Update - Review your account
Thread-Topic: Important Update - Review your account
Thread-Index: AQHTqFrHQHQrT3WBKU6YHLYG2BHv+A==
Date: Sun, 18 Feb 2018 01:53:00 +0000
Message-ID: <BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90@BN6PR2201MB1283.namprd22.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=hughescare@nosecurealerts.com; 
x-originating-ip: [73.152.151.104]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8344e2db-fb95-4659-b260-08d5767258dd
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(4652020)(7021125)(5600026)(4604075)(3008032)(4534165)(7022125)(4603075)(4627221)(201702281549075)(7048125)(7026125)(7027125)(7031125)(7035125)(7023125)(7093024)(2017052603307)(7153060)(49563074)(7193020);SRVR:BN6PR2201MB1508;
x-ms-traffictypediagnostic: BN6PR2201MB1508:
x-microsoft-antispam-prvs: <BN6PR2201MB1508B8832FE5876403F5788FAFC90@BN6PR2201MB1508.namprd22.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(110762155241884)(148322886591682)(167856512178636)(247508381695603)(38060298277622)(224945534805241)(73312121905874)(211936372134217)(179696456005106)(155671647461668);
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(102415395)(2401047)(8121501046)(5005006)(2017080701011)(3002001)(10201501046)(93006095)(93001095)(3231101)(944501161)(20161123560045)(20161123562045)(2016111802025)(20161123558120)(20161123564045)(6072148)(6042181)(6043046)(201708071742011);SRVR:BN6PR2201MB1508;BCL:0;PCL:0;RULEID:;SRVR:BN6PR2201MB1508;
x-forefront-prvs: 058707456E
x-forefront-antispam-report: SFV:SPM;SFS:(10009020)(7966004)(39830400003)(34036004)(346002)(366004)(376002)(396003)(448600002)(199004)(189003)(6506007)(10126004)(59450400001)(33656002)(105586002)(1671002)(14454004)(8936002)(2420400007)(15650500001)(7336002)(74316002)(106356001)(7276002)(3660700001)(66066001)(7406005)(7366002)(7416002)(53376002)(109986005)(86362001)(26005)(53366004)(606006)(77096007)(97736004)(5660300001)(8676002)(25786009)(88732003)(76576003)(99936001)(102836004)(81156014)(81166006)(89122003)(7110500001)(17550700004)(14971765001)(861006)(5180700001)(54896002)(54556002)(6306002)(9686003)(236005)(68736007)(3846002)(7696005)(6116002)(186003)(6606003)(14613045005)(2900100001)(2906002)(3280700002)(733005)(55016002)(881003)(19627405001)(6436002)(65706003)(53936002)(8666007)(99286004)(7736002)(101860200001)(102460200001);DIR:OUT;SFP:1501;SCL:5;SRVR:BN6PR2201MB1508;H:BN6PR2201MB1283.namprd22.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;A:0;MX:1;LANG:en;
received-spf: None (protection.outlook.com: nosecurealerts.com does not
 designate permitted sender hosts)
spamdiagnosticoutput: 1:22
Content-Type: multipart/related;
	boundary="_004_BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90BN6PR2201MB1283_";
	type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: nosecurealerts.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8344e2db-fb95-4659-b260-08d5767258dd
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Feb 2018 01:53:00.9097
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d03ebf6b-f76d-476b-8b54-301f2a20df27
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR2201MB1508

--_004_BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90BN6PR2201MB1283_
Content-Type: multipart/alternative;
	boundary="_000_BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90BN6PR2201MB1283_"

--_000_BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90BN6PR2201MB1283_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
El Dorado Networks |Diamond Springs, CA | eldoradonetworks.com
Assistant Professor

Re: Latest HughesNet Phishing Scam / Spam, Dated 02/17/18

Interesting. They truly did use an Outlook Online email server (104.47.37.232) as a relay.

If the remaining headers aren't faked, Microsoft let it go despite an SPF fail on @nosecurealerts.com and says the originator was from someone on Comcast (73.152.151.104). #ImShocked #NoImNot 👀

 

Incidentally, if you forward this as an attachment to abuse@microsoft.com they will do nothing. However, in their reply to you (if they reply to you) they will tell you where in their Outlook department it needs to be sent, which is a horrendous way to solve the problem.

 

Edit: BTW, Microsoft's Whois record designates abuse@microsoft.com for that IP.


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.
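The header reading in the reply above can be reproduced with a short script. This is an added example, not part of the original posts: `triage`, `first_ipv4`, `domain_of` and the `expected_domain="hughes.net"` default are assumptions made for illustration, and the sample is abbreviated from the headers posted in this thread.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Abbreviated from the headers posted in this thread; opaque X- headers dropped.
SAMPLE = """\
Return-Path: <hughescare@nosecurealerts.com>
Received: from mx01.hughes.cmh.synacor.com (LHLO mx.hughes.net) (10.33.3.39)
 by md11.hughes.cmh.synacor.com with LMTP; Sat, 17 Feb 2018 20:54:19 -0500
Received-SPF: pass (mx01.hughes.cmh.synacor.com: domain nosecurealerts.com designates 104.47.37.232 as permitted sender)
Received: from [104.47.37.232] ([104.47.37.232:45252] helo=NAM02-CY1-obe.outbound.protection.outlook.com)
\tby mx.hughes.net (envelope-from <hughescare@nosecurealerts.com>)
Received: from BN6PR2201MB1283.namprd22.prod.outlook.com (10.174.81.147) by
 BN6PR2201MB1508.namprd22.prod.outlook.com (10.174.91.29) with Microsoft SMTP
From: HughesNet Care <hughescare@nosecurealerts.com>
x-originating-ip: [73.152.151.104]
received-spf: None (protection.outlook.com: nosecurealerts.com does not
 designate permitted sender hosts)

"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def first_ipv4(text):
    for cand in IPV4.findall(text):
        try:
            return str(ipaddress.ip_address(cand))
        except ValueError:
            pass  # skip impossible octets such as 999.1.1.1
    return None

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw, expected_domain="hughes.net"):  # expected_domain: assumption
    msg = message_from_string(raw)
    # Relays prepend Received headers, so the list runs newest hop first.
    hops = [ip for ip in map(first_ipv4, msg.get_all("Received", [])) if ip]
    public = [ip for ip in hops if not ipaddress.ip_address(ip).is_private]
    sender = domain_of(msg.get("From"))
    return {
        "hops": hops,
        # First public address = what the recipient's border MTA itself saw.
        "connecting_ip": public[0] if public else None,
        # Header lookup is case-insensitive: receiver's verdict, then upstream's.
        "spf": [v.split()[0].lower() for v in msg.get_all("Received-SPF", [])],
        "claimed_origin": first_ipv4(msg.get("x-originating-ip", "")),  # unverified
        "envelope_aligned": sender == domain_of(msg.get("Return-Path")),
        "brand_mismatch": sender != expected_domain,
    }
```

The `spf` list shows the two verdicts side by side: a pass at the receiving server says only that nosecurealerts.com lists the Outlook relay as a permitted sender, which is why `brand_mismatch` is checked separately from `envelope_aligned`.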
Advanced Tutor

Re: Latest HughesNet Phishing Scam / Spam, Dated 02/17/18

Yes, I typically report these to junk@office365.microsoft.com, not that it does a lot of good. I'll also send to report_spam@hotmail.com or report_spam@live.com if the perp uses an @hotmail address.

El Dorado Networks |Diamond Springs, CA | eldoradonetworks.com
Advanced Tutor

Re: Latest HughesNet Phishing Scam / Spam, Dated 02/17/18

No, did not change my profile. The Community Forums server may be truncating Usernames at 15 characters.


@bare65 wrote:

Thank you @El Dorado Netwo

 

P.S. Did you change your username? The 'rks' is missing from networks. I wasn't sure if perhaps you had dropped it or not.

El Dorado Networks |Diamond Springs, CA | eldoradonetworks.com