Hughesnet Community

Latest HughesNet Phishing Scam / Spam, Dated 02/17/18

El Dorado Netwo
Advanced Tutor

Beware the following scam mail:

[Image: HughesNet Spam.JPG]

 

Spamvertized link: http :// bit . do/d7kxB redirects to http :// www . goldchess . com . mo/hughes/signin/ 

El Dorado Networks |Diamond Springs, CA | eldoradonetworks.com
7 REPLIES
bare65
Advanced Tutor

Thank you @El Dorado Netwo

 

P.S. Did you change your username? The 'rks' is missing from networks. I wasn't sure if perhaps you had dropped it or not.

No, did not change my profile. The Community Forums server may be truncating Usernames at 15 characters.


@bare65 wrote:

Thank you @El Dorado Netwo

 

P.S. Did you change your username? The 'rks' is missing from networks. I wasn't sure if perhaps you had dropped it or not.

El Dorado Networks |Diamond Springs, CA | eldoradonetworks.com
GabeU
Distinguished Professor IV

Sheesh!   That's a new one, and quite interesting.  

 

Thanks for the heads up.  🙂

.mo is Macau. That's certainly a first for me.

Any way to sanitize the headers and post them here?


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.

Return-Path: hughescare@nosecurealerts.com
Received: from mx01.hughes.cmh.synacor.com (LHLO mx.hughes.net) (10.33.3.39)
 by md11.hughes.cmh.synacor.com with LMTP; Sat, 17 Feb 2018 20:54:19 -0500
 (EST)
Return-Path: <hughescare@nosecurealerts.com>
Received: from [104.47.37.232] (helo=NAM02-CY1-obe.outbound.protection.outlook.com)
X_CMAE_Category: 0,0 Undefined,Undefined
X-CNFS-Analysis: v=2.1 cv=DqFvpgP+ c=1 sm=0 tr=0 a=3BPw+X5RcOvZ8mN/Y7qLEQ==:117 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=XLwk/flg9bK2IbKqzd+p90dOJos=:19 a=GckbbraJEBYA:10 a=K2sD3e5hR_cA:10 a=R2YS8bO5JkkA:10 a=Op4juWPpsa0A:10 a=G7ipKTrHp8AA:10 a=lb0Jg9igBaMA:10 a=oG0gYdJKAAAA:20 a=2HVv-YZcAAAA:8 a=1XWaLZrsAAAA:8 a=lSn0ho_TSPg17LpDz_8A:9 a=vw6iwVVO5kbN4bvWlfsksWyUBTs=:19 a=pILNOxqGKmIA:10 a=QZ8BwheG2wIA:10 a=2zJYuC2nAAAA:20 a=aa0OqqPpo7zRQ1EHUU4A:9 a=ssv6wNgQDax3S0dN:21 a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10 a=9zvorafZvedpU1MLAFt6:22 a=PoJJkPU_yy79AEvAox9S:22 a=zBcKKy0t_GurA3yQpR8b:22 a=zXa7Rw5gVdLeumQyU64c:22 a=OWwYyy1eKR4TvAL9iI9V:22 a=li3AHD2c9G6udS1iUICF:22 a=nBo9GtMZhfJHpQB_4jiH:22 a=bl4RgePX7nZZK8afqlxj:22 a=1Zj1F_jxm3cH6GoB3e50:22
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
Authentication-Results: mx01.hughes.cmh.synacor.com smtp.mail=hughescare@nosecurealerts.com; spf=pass; sender-id=pass
Authentication-Results: mx01.hughes.cmh.synacor.com header.from=hughescare@nosecurealerts.com; sender-id=pass
Received-SPF: pass (mx01.hughes.cmh.synacor.com: domain nosecurealerts.com designates 104.47.37.232 as permitted sender)
Received: from [104.47.37.232] ([104.47.37.232:45252] helo=NAM02-CY1-obe.outbound.protection.outlook.com)
	by mx.hughes.net (envelope-from <hughescare@nosecurealerts.com>)
	(ecelerity 2.2.3.49 r(42060/42061)) with ESMTP
	id 5A/DC-12303-7CCD88A5; Sat, 17 Feb 2018 20:54:18 -0500
Received: from BN6PR2201MB1283.namprd22.prod.outlook.com (10.174.81.147) by
 BN6PR2201MB1508.namprd22.prod.outlook.com (10.174.91.29) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.506.18; Sun, 18 Feb 2018 01:53:03 +0000
Received: from BN6PR2201MB1283.namprd22.prod.outlook.com ([10.174.81.147]) by
 BN6PR2201MB1283.namprd22.prod.outlook.com ([10.174.81.147]) with mapi id
 15.20.0506.021; Sun, 18 Feb 2018 01:53:03 +0000
From: HughesNet Care <hughescare@nosecurealerts.com>
Subject: Important Update - Review your account
Thread-Topic: Important Update - Review your account
Thread-Index: AQHTqFrHQHQrT3WBKU6YHLYG2BHv+A==
Date: Sun, 18 Feb 2018 01:53:00 +0000
Message-ID: <BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90@BN6PR2201MB1283.namprd22.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=hughescare@nosecurealerts.com; 
x-originating-ip: [73.152.151.104]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;BN6PR2201MB1508;6:01nnN/S97ONfTuyTj9wRAJ3E0lIdIHnRWV9ZvxLFm1wdPqI6mVAUeRMMZHTKrOBdxSrRzSJxB0mVeJ1ApYiN0Vn4/02GtVW4xSQtw8AoFequjiYLKd+k8oNF0P0KLley/X1c8V2DQWSK8BwBUk52HmbX3NDjt92JgDqXeuqQk7r4TOYbh1yR6iZSFeDSXC5/4oAZp0OGjyrwC6CfD8v7np5M6gYL4afPtNjpq1hFjJql0iSzdC+nOAj76UtXNDxZ681iLzYRTtGajzF5lGIu8XMJab5opAttVOXpN00HvI+8py2l2cVYNWH6s4TryM16AU704+qGpufSdoMFjg7eOBvC3K+Ik3RREKzLD5Xbn8KvO0fWwZBkvnu+8YaZjduh;5:8DCkWfJE/k5iSDLGzUDhCA1nEDjYMN530HM4w37ChRGprs6Ttilmfi5pR/WOzSIiLh0xahQO2h523kgZby6vJnT75HD7QjtlSjIvEku7TMfUOrAenDoqPKHlUUWoUt81d57EN+CaXZtm8ZhkQnjxjNUZRRhsLG24V14Mhz+4Z5Q=;24:/fmTApZ1W3Wnq8P5E00rZKxUa8WHGwbOWVTlDTO1Gw4nqhnDSWRrfNrr9zOEF6TuFqMNkJsLiVdC3U23rtOT3g==;7:oMv4GoHchUimg4UtXwiAidgxEQTAGykXFRbQ+Jpj2Zb+3tguSqkhY8Tl+LV5mF5/AESWAxRbDJsZii8n1FzIs1DIqmFS4CPO/vnwOdhsYVazo1gNORvG+hwG2vPrNbBRNUuKrNwU5j2QDYzUDbc1/DCPPir98u8QuRfpd4UJSD46TUDHQfT6g6R0lzB2aSZ/JJmLksEsdXTHd1y9lMOh9Oiycp04+D6nr4pSYu1cbOUa1ox5f4d/PCIUaOFbNUxH
x-ms-office365-filtering-correlation-id: 8344e2db-fb95-4659-b260-08d5767258dd
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(4652020)(7021125)(5600026)(4604075)(3008032)(4534165)(7022125)(4603075)(4627221)(201702281549075)(7048125)(7026125)(7027125)(7031125)(7035125)(7023125)(7093024)(2017052603307)(7153060)(49563074)(7193020);SRVR:BN6PR2201MB1508;
x-ms-traffictypediagnostic: BN6PR2201MB1508:
x-microsoft-antispam-prvs: <BN6PR2201MB1508B8832FE5876403F5788FAFC90@BN6PR2201MB1508.namprd22.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(110762155241884)(148322886591682)(167856512178636)(247508381695603)(38060298277622)(224945534805241)(73312121905874)(211936372134217)(179696456005106)(155671647461668);
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(102415395)(2401047)(8121501046)(5005006)(2017080701011)(3002001)(10201501046)(93006095)(93001095)(3231101)(944501161)(20161123560045)(20161123562045)(2016111802025)(20161123558120)(20161123564045)(6072148)(6042181)(6043046)(201708071742011);SRVR:BN6PR2201MB1508;BCL:0;PCL:0;RULEID:;SRVR:BN6PR2201MB1508;
x-forefront-prvs: 058707456E
x-forefront-antispam-report: SFV:SPM;SFS:(10009020)(7966004)(39830400003)(34036004)(346002)(366004)(376002)(396003)(448600002)(199004)(189003)(6506007)(10126004)(59450400001)(33656002)(105586002)(1671002)(14454004)(8936002)(2420400007)(15650500001)(7336002)(74316002)(106356001)(7276002)(3660700001)(66066001)(7406005)(7366002)(7416002)(53376002)(109986005)(86362001)(26005)(53366004)(606006)(77096007)(97736004)(5660300001)(8676002)(25786009)(88732003)(76576003)(99936001)(102836004)(81156014)(81166006)(89122003)(7110500001)(17550700004)(14971765001)(861006)(5180700001)(54896002)(54556002)(6306002)(9686003)(236005)(68736007)(3846002)(7696005)(6116002)(186003)(6606003)(14613045005)(2900100001)(2906002)(3280700002)(733005)(55016002)(881003)(19627405001)(6436002)(65706003)(53936002)(8666007)(99286004)(7736002)(101860200001)(102460200001);DIR:OUT;SFP:1501;SCL:5;SRVR:BN6PR2201MB1508;H:BN6PR2201MB1283.namprd22.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;A:0;MX:1;LANG:en;
received-spf: None (protection.outlook.com: nosecurealerts.com does not
 designate permitted sender hosts)
x-microsoft-antispam-message-info: cTHRv06zUDjL6xTWixRh92VNK1vhBj9c1FSoUqm8VLYpaQOqvFnosw6HVGANK6Irv3sHRmkjMiwkgmVNGdeHTZjn6UP7JnUKY6hlapUl++nAqzi1dnoFFEPE2OhUTDeZXSVSp3YogzDkNfAhzTxFVtOaYrZea96O3c0kphV5Tsg=
spamdiagnosticoutput: 1:22
Content-Type: multipart/related;
	boundary="_004_BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90BN6PR2201MB1283_";
	type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: nosecurealerts.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8344e2db-fb95-4659-b260-08d5767258dd
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Feb 2018 01:53:00.9097
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: d03ebf6b-f76d-476b-8b54-301f2a20df27
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR2201MB1508

--_004_BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90BN6PR2201MB1283_
Content-Type: multipart/alternative;
	boundary="_000_BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90BN6PR2201MB1283_"

--_000_BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90BN6PR2201MB1283_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
El Dorado Networks |Diamond Springs, CA | eldoradonetworks.com

Interesting. They truly did use an Outlook Online email server (104.47.37.232) as a relay.

If the remaining headers aren't faked, Microsoft let it go despite an SPF fail on @nosecurealerts.com and says the originator was from someone on Comcast (73.152.151.104). #ImShocked #NoImNot 👀

 

Incidentally, if you forward this as an attachment to abuse@microsoft.com they will do nothing. However, in their reply to you (if they reply to you) they will tell you where in their Outlook department it needs to be sent, which is a horrendous way to solve the problem.

 

Edit: BTW, Microsoft's Whois record designates abuse@microsoft.com for that IP.


* Disclaimer: I am a HughesNet customer and not a HughesNet employee. All of my comments are my own and do not necessarily represent HughesNet in any way.
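
The header reading discussed in this thread, as an added example that is not part of any participant's post: it pulls the hand-off relay IP, the claimed originating IP, and each hop's SPF verdict out of a trimmed copy of the headers posted above. The names `triage`, `first_ip` and `BRAND_DOMAINS` are hypothetical, and treating `hughes.net` as the brand's legitimate sender domain is an assumption.

```python
import email
import re
from email.utils import parseaddr

# Trimmed copy of headers posted in this thread (long X-* diagnostics omitted).
RAW = """\
Return-Path: <hughescare@nosecurealerts.com>
Received-SPF: pass (mx01.hughes.cmh.synacor.com: domain nosecurealerts.com designates 104.47.37.232 as permitted sender)
Received: from [104.47.37.232] ([104.47.37.232:45252] helo=NAM02-CY1-obe.outbound.protection.outlook.com)
\tby mx.hughes.net (envelope-from <hughescare@nosecurealerts.com>)
\t(ecelerity 2.2.3.49 r(42060/42061)) with ESMTP
\tid 5A/DC-12303-7CCD88A5; Sat, 17 Feb 2018 20:54:18 -0500
From: HughesNet Care <hughescare@nosecurealerts.com>
x-originating-ip: [73.152.151.104]
received-spf: None (protection.outlook.com: nosecurealerts.com does not
 designate permitted sender hosts)

"""

BRAND_DOMAINS = {"hughes.net"}  # assumption: domains the real sender would use
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})")  # bracketed address literal

def first_ip(text):
    m = IPV4.search(text or "")
    return m.group(1) if m else None

def triage(raw):
    """Pull out the fields a reader checks by eye in a suspicious message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    spf = {}  # recording host -> verdict, one entry per Received-SPF header
    for value in msg.get_all("Received-SPF", []):
        m = re.match(r"\s*(\w+)\s+\(([^:\s]+):", value)
        if m:
            spf[m.group(2)] = m.group(1).lower()
    flags = []
    if "hughes" in name.lower() and domain not in BRAND_DOMAINS:
        flags.append("brand in display name, unrelated sender domain")
    if len(set(spf.values())) > 1:
        flags.append("SPF verdicts differ between hops")
    return {
        "from_domain": domain,
        # top-most Received header = hand-off into the recipient's mail system
        "handoff_ip": first_ip(msg.get_all("Received", [""])[0]),
        "origin_ip": first_ip(msg.get("X-Originating-IP")),  # sender-side claim
        "spf": spf,
        "flags": flags,
    }
```

The SPF verdict recorded at the receiving side only says the relay IP is permitted to send for the envelope domain; it says nothing about whether that domain belongs to the brand named in the display name.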

Yes, I typically report these to junk@office365.microsoft.com, not that it does a lot of good. I'll also send to report_spam@hotmail.com or report_spam@live.com if the perp uses an @hotmail address.

El Dorado Networks |Diamond Springs, CA | eldoradonetworks.com