Beware the following scam mail:
Spamvertized link: http :// bit . do/d7kxB redirects to http :// www . goldchess . com . mo/hughes/signin/
Thank you @El Dorado Netwo
P.S. Did you change your username? The 'rks' is missing from networks. I wasn't sure if perhaps you had dropped it or not.
No, did not change my profile. The Community Forums server may be truncating Usernames at 15 characters.
@bare65 wrote: Thank you @El Dorado Netwo
P.S. Did you change your username? The 'rks' is missing from networks. I wasn't sure if perhaps you had dropped it or not.
Sheesh! That's a new one, and quite interesting.
Thanks for the heads up. 🙂
.mo is Macau. That's certainly a first for me.
Any way to sanitize the headers and post them here?
Return-Path: hughescare@nosecurealerts.com Received: from mx01.hughes.cmh.synacor.com (LHLO mx.hughes.net) (10.33.3.39) by md11.hughes.cmh.synacor.com with LMTP; Sat, 17 Feb 2018 20:54:19 -0500 (EST) Return-Path: <hughescare@nosecurealerts.com> Received: from [104.47.37.232] (helo=NAM02-CY1-obe.outbound.protection.outlook.com) X_CMAE_Category: 0,0 Undefined,Undefined X-CNFS-Analysis: v=2.1 cv=DqFvpgP+ c=1 sm=0 tr=0 a=3BPw+X5RcOvZ8mN/Y7qLEQ==:117 a=L9H7d07YOLsA:10 a=9cW_t1CCXrUA:10 a=s5jvgZ67dGcA:10 a=XLwk/flg9bK2IbKqzd+p90dOJos=:19 a=GckbbraJEBYA:10 a=K2sD3e5hR_cA:10 a=R2YS8bO5JkkA:10 a=Op4juWPpsa0A:10 a=G7ipKTrHp8AA:10 a=lb0Jg9igBaMA:10 a=oG0gYdJKAAAA:20 a=2HVv-YZcAAAA:8 a=1XWaLZrsAAAA:8 a=lSn0ho_TSPg17LpDz_8A:9 a=vw6iwVVO5kbN4bvWlfsksWyUBTs=:19 a=pILNOxqGKmIA:10 a=QZ8BwheG2wIA:10 a=2zJYuC2nAAAA:20 a=aa0OqqPpo7zRQ1EHUU4A:9 a=ssv6wNgQDax3S0dN:21 a=_W_S_7VecoQA:10 a=frz4AuCg-hUA:10 a=9zvorafZvedpU1MLAFt6:22 a=PoJJkPU_yy79AEvAox9S:22 a=zBcKKy0t_GurA3yQpR8b:22 a=zXa7Rw5gVdLeumQyU64c:22 a=OWwYyy1eKR4TvAL9iI9V:22 a=li3AHD2c9G6udS1iUICF:22 a=nBo9GtMZhfJHpQB_4jiH:22 a=bl4RgePX7nZZK8afqlxj:22 a=1Zj1F_jxm3cH6GoB3e50:22 X-CM-Score: 0 X-Scanned-by: Cloudmark Authority Engine Authentication-Results: mx01.hughes.cmh.synacor.com smtp.mail=hughescare@nosecurealerts.com; spf=pass; sender-id=pass Authentication-Results: mx01.hughes.cmh.synacor.com header.from=hughescare@nosecurealerts.com; sender-id=pass Received-SPF: pass (mx01.hughes.cmh.synacor.com: domain nosecurealerts.com designates 104.47.37.232 as permitted sender) Received: from [104.47.37.232] ([104.47.37.232:45252] helo=NAM02-CY1-obe.outbound.protection.outlook.com) by mx.hughes.net (envelope-from <hughescare@nosecurealerts.com>) (ecelerity 2.2.3.49 r(42060/42061)) with ESMTP id 5A/DC-12303-7CCD88A5; Sat, 17 Feb 2018 20:54:18 -0500 Received: from BN6PR2201MB1283.namprd22.prod.outlook.com (10.174.81.147) by BN6PR2201MB1508.namprd22.prod.outlook.com (10.174.91.29) with Microsoft SMTP Server (version=TLS1_2, 
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.506.18; Sun, 18 Feb 2018 01:53:03 +0000 Received: from BN6PR2201MB1283.namprd22.prod.outlook.com ([10.174.81.147]) by BN6PR2201MB1283.namprd22.prod.outlook.com ([10.174.81.147]) with mapi id 15.20.0506.021; Sun, 18 Feb 2018 01:53:03 +0000 From: HughesNet Care <hughescare@nosecurealerts.com> Subject: Important Update - Review your account Thread-Topic: Important Update - Review your account Thread-Index: AQHTqFrHQHQrT3WBKU6YHLYG2BHv+A== Date: Sun, 18 Feb 2018 01:53:00 +0000 Message-ID: <BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90@BN6PR2201MB1283.namprd22.prod.outlook.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: yes X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=hughescare@nosecurealerts.com; x-originating-ip: [73.152.151.104] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1;BN6PR2201MB1508;6:01nnN/S97ONfTuyTj9wRAJ3E0lIdIHnRWV9ZvxLFm1wdPqI6mVAUeRMMZHTKrOBdxSrRzSJxB0mVeJ1ApYiN0Vn4/02GtVW4xSQtw8AoFequjiYLKd+k8oNF0P0KLley/X1c8V2DQWSK8BwBUk52HmbX3NDjt92JgDqXeuqQk7r4TOYbh1yR6iZSFeDSXC5/4oAZp0OGjyrwC6CfD8v7np5M6gYL4afPtNjpq1hFjJql0iSzdC+nOAj76UtXNDxZ681iLzYRTtGajzF5lGIu8XMJab5opAttVOXpN00HvI+8py2l2cVYNWH6s4TryM16AU704+qGpufSdoMFjg7eOBvC3K+Ik3RREKzLD5Xbn8KvO0fWwZBkvnu+8YaZjduh;5:8DCkWfJE/k5iSDLGzUDhCA1nEDjYMN530HM4w37ChRGprs6Ttilmfi5pR/WOzSIiLh0xahQO2h523kgZby6vJnT75HD7QjtlSjIvEku7TMfUOrAenDoqPKHlUUWoUt81d57EN+CaXZtm8ZhkQnjxjNUZRRhsLG24V14Mhz+4Z5Q=;24:/fmTApZ1W3Wnq8P5E00rZKxUa8WHGwbOWVTlDTO1Gw4nqhnDSWRrfNrr9zOEF6TuFqMNkJsLiVdC3U23rtOT3g==;7:oMv4GoHchUimg4UtXwiAidgxEQTAGykXFRbQ+Jpj2Zb+3tguSqkhY8Tl+LV5mF5/AESWAxRbDJsZii8n1FzIs1DIqmFS4CPO/vnwOdhsYVazo1gNORvG+hwG2vPrNbBRNUuKrNwU5j2QDYzUDbc1/DCPPir98u8QuRfpd4UJSD46TUDHQfT6g6R0lzB2aSZ/JJmLksEsdXTHd1y9lMOh9Oiycp04+D6nr4pSYu1cbOUa1ox5f4d/PCIUaOFbNUxH x-ms-office365-filtering-correlation-id: 8344e2db-fb95-4659-b260-08d5767258dd x-microsoft-antispam: 
UriScan:;BCL:0;PCL:0;RULEID:(7020095)(4652020)(7021125)(5600026)(4604075)(3008032)(4534165)(7022125)(4603075)(4627221)(201702281549075)(7048125)(7026125)(7027125)(7031125)(7035125)(7023125)(7093024)(2017052603307)(7153060)(49563074)(7193020);SRVR:BN6PR2201MB1508; x-ms-traffictypediagnostic: BN6PR2201MB1508: x-microsoft-antispam-prvs: <BN6PR2201MB1508B8832FE5876403F5788FAFC90@BN6PR2201MB1508.namprd22.prod.outlook.com> x-exchange-antispam-report-test: UriScan:(110762155241884)(148322886591682)(167856512178636)(247508381695603)(38060298277622)(224945534805241)(73312121905874)(211936372134217)(179696456005106)(155671647461668); x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(102415395)(2401047)(8121501046)(5005006)(2017080701011)(3002001)(10201501046)(93006095)(93001095)(3231101)(944501161)(20161123560045)(20161123562045)(2016111802025)(20161123558120)(20161123564045)(6072148)(6042181)(6043046)(201708071742011);SRVR:BN6PR2201MB1508;BCL:0;PCL:0;RULEID:;SRVR:BN6PR2201MB1508; x-forefront-prvs: 058707456E x-forefront-antispam-report: 
SFV:SPM;SFS:(10009020)(7966004)(39830400003)(34036004)(346002)(366004)(376002)(396003)(448600002)(199004)(189003)(6506007)(10126004)(59450400001)(33656002)(105586002)(1671002)(14454004)(8936002)(2420400007)(15650500001)(7336002)(74316002)(106356001)(7276002)(3660700001)(66066001)(7406005)(7366002)(7416002)(53376002)(109986005)(86362001)(26005)(53366004)(606006)(77096007)(97736004)(5660300001)(8676002)(25786009)(88732003)(76576003)(99936001)(102836004)(81156014)(81166006)(89122003)(7110500001)(17550700004)(14971765001)(861006)(5180700001)(54896002)(54556002)(6306002)(9686003)(236005)(68736007)(3846002)(7696005)(6116002)(186003)(6606003)(14613045005)(2900100001)(2906002)(3280700002)(733005)(55016002)(881003)(19627405001)(6436002)(65706003)(53936002)(8666007)(99286004)(7736002)(101860200001)(102460200001);DIR:OUT;SFP:1501;SCL:5;SRVR:BN6PR2201MB1508;H:BN6PR2201MB1283.namprd22.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;A:0;MX:1;LANG:en; received-spf: None (protection.outlook.com: nosecurealerts.com does not designate permitted sender hosts) x-microsoft-antispam-message-info: cTHRv06zUDjL6xTWixRh92VNK1vhBj9c1FSoUqm8VLYpaQOqvFnosw6HVGANK6Irv3sHRmkjMiwkgmVNGdeHTZjn6UP7JnUKY6hlapUl++nAqzi1dnoFFEPE2OhUTDeZXSVSp3YogzDkNfAhzTxFVtOaYrZea96O3c0kphV5Tsg= spamdiagnosticoutput: 1:22 Content-Type: multipart/related; boundary="_004_BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90BN6PR2201MB1283_"; type="multipart/alternative" MIME-Version: 1.0 X-OriginatorOrg: nosecurealerts.com X-MS-Exchange-CrossTenant-Network-Message-Id: 8344e2db-fb95-4659-b260-08d5767258dd X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Feb 2018 01:53:00.9097 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: d03ebf6b-f76d-476b-8b54-301f2a20df27 X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR2201MB1508 --_004_BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90BN6PR2201MB1283_ Content-Type: multipart/alternative; 
boundary="_000_BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90BN6PR2201MB1283_" --_000_BN6PR2201MB1283AE6D6912F8691E9B7C7AAFC90BN6PR2201MB1283_ Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable
Interesting. They truly did use an Outlook Online email server (104.47.37.232) as a relay.
If the remaining headers aren't faked, Microsoft let it go despite an SPF fail on @nosecurealerts.com and says the originator was from someone on Comcast (73.152.151.104). #ImShocked #NoImNot 👀
Incidentally, if you forward this as an attachment to abuse@microsoft.com they will do nothing. However, in their reply to you (if they reply to you) they will tell you where in their Outlook department it needs to be sent, which is a horrendous way to solve the problem.
Edit: BTW, Microsoft's Whois record designates abuse@microsoft.com for that IP.
Yes, I typically report these to junk@office365.microsoft.com, not that it does a lot of good. I'll also send to report_spam@hotmail.com or report_spam@live.com if the perp uses an @hotmail address.
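Added example, not part of any post in this thread: a small header triage that pulls out the fields discussed above (the SPF verdict each hop recorded, the relay IP, and the x-originating-ip) from a constructed excerpt of the posted headers. The `brand_domain` value and the finding names are assumptions made for this example.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample: selected fields from the headers posted above, one per line.
SAMPLE = """\
Return-Path: <hughescare@nosecurealerts.com>
Authentication-Results: mx01.hughes.cmh.synacor.com smtp.mail=hughescare@nosecurealerts.com; spf=pass; sender-id=pass
Received-SPF: pass (mx01.hughes.cmh.synacor.com: domain nosecurealerts.com designates 104.47.37.232 as permitted sender)
Received: from [104.47.37.232] ([104.47.37.232:45252] helo=NAM02-CY1-obe.outbound.protection.outlook.com) by mx.hughes.net (envelope-from <hughescare@nosecurealerts.com>) (ecelerity 2.2.3.49 r(42060/42061)) with ESMTP id 5A/DC-12303-7CCD88A5; Sat, 17 Feb 2018 20:54:18 -0500
From: HughesNet Care <hughescare@nosecurealerts.com>
Subject: Important Update - Review your account
x-originating-ip: [73.152.151.104]
received-spf: None (protection.outlook.com: nosecurealerts.com does not designate permitted sender hosts)
"""

def spf_verdicts(msg):
    """Map each host that recorded a Received-SPF field to the verdict it gave."""
    out = {}
    for value in msg.get_all("Received-SPF", []):  # header names match case-insensitively
        m = re.match(r"\s*(\w+)\s*\(([^:\s)]+):", value)
        if m:
            out[m.group(2).lower()] = m.group(1).lower()
    return out

def relay_ip(msg):
    """IP the receiving MX saw, taken from the topmost Received field."""
    m = re.search(r"from \[(\d+\.\d+\.\d+\.\d+)\]", msg.get("Received", ""))
    return m.group(1) if m else None

def triage(raw, brand_domain="hughes.net"):  # brand_domain: assumed legitimate sender domain
    msg = HeaderParser().parsestr(raw)
    _display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    spf = spf_verdicts(msg)
    origin = (msg.get("x-originating-ip") or "").strip(" []") or None
    findings = []
    if from_domain != brand_domain and not from_domain.endswith("." + brand_domain):
        findings.append("from-domain-not-brand")   # display name claims the brand, domain does not
    if len(set(spf.values())) > 1:
        findings.append("spf-verdicts-disagree")   # hops recorded different SPF results
    if origin and origin != relay_ip(msg):
        findings.append("client-ip-behind-relay")  # submitting client differs from the relay
    return {"from_domain": from_domain, "spf": spf, "relay_ip": relay_ip(msg),
            "originating_ip": origin, "findings": findings}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The headers are only as trustworthy as the hop that wrote them: fields stamped by your own receiving MX can be relied on, while anything below them may have been supplied by the sender.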