Windows 7 - Suspicious Password Reset e-mail?

Asked By Ubercatt on 04-Jan-09 01:17 PM
I recently got the same email that was featured in this discussion
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.security.homeusers&tid=1a0a68d0-fe39-4a9d-b78b-0afe37be22ed&p=1

The email seemed a bit suspicious to me at first, but that discussion
confirmed my suspicions. However, that thread is a bit old, so I would think
that if it was a scam that Hotmail/MSN would have closed it down by now.

Is this real?

If so, should I click the link to cancel the reset request?
If not, I should report it, right?




Shenan Stanley replied on 04-Jan-09 01:59 PM
You should do NOTHING (but delete the email) if you did not make the
request.

How would MSN/Microsoft/anyone shut down a spammer/phisher who could use
almost any email service in the world to produce their trash and send it to
you in various manners - some of which (on the surface) can make it look
legitimate, etc?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
David H. Lipman replied on 04-Jan-09 03:27 PM
From: "Ubercatty" <Ubercatty@>


Please read the following from the US CERT
http://www.us-cert.gov/reading_room/emailscams_0905.pdf

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Ubercatt replied on 04-Jan-09 04:00 PM
Thank you very much! That link was mostly what I already knew, but it
reinforced a lot of stuff, and provided some new information. Thanks again!



Well, I know that some email providers can start by disabling the addresses
in question. Sort of like a forum ban, I'd assume, but since it hasn't
happened to me, I'm not sure.
Besides, if they really couldn't do anything, why would there be a "Mark
as... > Phishing Scam" option in the headers? And wouldn't they remove the
option to "choose whether you'd like to report messages to Microsoft and the
companies who help us fight junk e-mail?"
I'm pretty sure that if someone was going to scam you, an email would seem a
lot more realistic if it was something like this:
From:  Microsoft Customer Support (postmaster@live.com)
than if it was something like this:
From:  Microsoft Customer Support (postmaster@aim.com)
Don't you think that people would be more easily fooled by an address
provided by an email that company offers than by an address from some other
free email service?
Thank you for the advice to delete the email, though. :P
David H. Lipman replied on 04-Jan-09 04:20 PM
From: "Ubercatty" <Ubercatty@>

You can't just look at the email address.  You have to look at the headers and see where
the email is truly coming from.

Example email:
------------------
Dear Webmail User,

I am pleased to announce that on December 21th, 2008, VERIZON.NET will
transition its current e-mail service to a new offering Webmail. This new e-
mail offering, based on popular web-based e-mail program, is one part of
collaboration tools that will also be available to all VERIZON.NET webmail
account owners.

The new Webmail service will replace Mailhost. Although hosted by VERIZON.NET
messaging center, all existing VERIZON.NET e-mail account will undergo
regularly scheduled maintenance from our data base, access to your e-mail via
the Webmail client will be unavailable for some time during this maintenance
window. We are currently upgrading our data base and we are eleting all
VERIZON.NET email account to create more space for new accounts.

To complete your VERIZON.NET Webmail account, you are to reply to this e-mail
immediately to enable us upgrade your domain account and you are to send to us

the following information below.

Your Email Address:...................................
Correct Password :.....................................

Over the next seven days you will receive additional information on the e-mail
transition. All communications will be in this same format; an e-mail from me
as VERIZON.NET Chief Information Officer. You will be directed to additional
information on VERIZON.NET hosted websites.

I am sure you will be pleased with this new service.

Final Notification, Please Protect Your VERIZON.NET Webmail From Being Closed.
Thank you for using VERIZON.NET WEBMAIL

--
Be Yourself @ mail.com!
Choose From 200+ Email Addresses
Get a Free Account at www.mail.com!

----------------------------

Now the headers (my email address obfuscated for Usenet posting)...

Received: from webmail-outgoing.us4.outblaze.com ([205.158.62.67])
by vms169119.mailsrvcs.net
(Sun Java System Messaging Server 6.2-6.01 (built Apr  3 2006))
with ESMTP id <0KC7001MZ9H9NCP0@vms169119.mailsrvcs.net> for
xxxxxxxxxx@verizon.net; Sat, 20 Dec 2008 18:03:10 -0600 (CST)
Received: from wfilter3.us4.outblaze.com.int
(wfilter3.us4.outblaze.com.int [192.168.8.242])
by webmail-outgoing.us4.outblaze.com (Postfix) with QMQP id 93B3018001AB for
Received: by ws1-4.us4.outblaze.com (Postfix, from userid 1001)
id 68E8C606861; Sun, 21 Dec 2008 00:03:09 +0000 (GMT)
Received: from [81.199.224.206] by ws1-4.us4.outblaze.com with http for
upgrade@webname.com; Sat, 20 Dec 2008 19:03:09 -0500
Date: Sat, 20 Dec 2008 19:03:09 -0500
From: "MAIL UPGRADE" <upgrade@webname.com>
Subject: YOUR VERIZON WEBMAIL UPGRADE
X-Originating-IP: [205.158.62.67]
X-Originating-IP: 81.199.224.206
To: info@verizone.net
Message-id: <20081221000309.68E8C606861@ws1-4.us4.outblaze.com>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="_----------=_122981778992620"
Content-transfer-encoding: 7bit
X-OB-Received: from unknown (205.158.62.50)  by wfilter3.us4.outblaze.com; 21
Dec 2008 00:02:45 -0000
X-Originating-Server: ws1-4.us4.outblaze.com
X-PMFLAGS: 570966400 0 1 PKES9S7N.CNM

---------------------------------

The above shows...

X-Originating-IP: [205.158.62.67]
X-Originating-IP: 81.199.224.206

Neither of which is Verizon.

This is a phishing email.

I suggest reporting Phishing email (which includes the Full Header and Body of the email)
to the following...

phishing@webwasher.com
reportphishing@antiphishing.org
scams@fraudwatchinternational.com

In the above Verizon Phishing email example I also sent it to: Phishing@Verizon.Com

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
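
An added example (not part of the original thread): walking the Received chain of the headers posted above to find where the message entered the mail system, and checking whether the From: domain belongs to the brand named in the body. The function names and the `claimed_domain` parameter are assumptions of this example.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed input: the headers posted above, abridged and re-folded with
# leading whitespace on continuation lines, as they appear in a raw message.
RAW = """\
Received: from webmail-outgoing.us4.outblaze.com ([205.158.62.67])
 by vms169119.mailsrvcs.net; Sat, 20 Dec 2008 18:03:10 -0600 (CST)
Received: from wfilter3.us4.outblaze.com.int
 (wfilter3.us4.outblaze.com.int [192.168.8.242])
 by webmail-outgoing.us4.outblaze.com (Postfix) with QMQP id 93B3018001AB
Received: by ws1-4.us4.outblaze.com (Postfix, from userid 1001)
 id 68E8C606861; Sun, 21 Dec 2008 00:03:09 +0000 (GMT)
Received: from [81.199.224.206] by ws1-4.us4.outblaze.com with http for
 upgrade@webname.com; Sat, 20 Dec 2008 19:03:09 -0500
From: "MAIL UPGRADE" <upgrade@webname.com>
Subject: YOUR VERIZON WEBMAIL UPGRADE
To: info@verizone.net
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_from_ips(raw):
    """Sending IP of each 'Received: from ...' hop, newest hop first."""
    ips = []
    for value in email.message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())      # unfold continuation lines
        if not text.lower().startswith("from "):
            continue                        # local hand-off, no remote peer
        match = IPV4.search(re.split(r"\sby\s", text, maxsplit=1)[0])
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips

def summarize(raw, claimed_domain):
    """Compare the relay path and From: domain with the brand the body claims."""
    ips = received_from_ips(raw)
    public = [ip for ip in ips if ip.is_global]   # drop RFC 1918 internal hops
    sender = parseaddr(email.message_from_string(raw).get("From", ""))[1]
    from_domain = sender.rpartition("@")[2].lower()
    return {
        "handoff_ip": str(ips[0]) if ips else None,        # logged by receiver
        "origin_ip": str(public[-1]) if public else None,  # sender-supplied
        "from_domain": from_domain,
        "from_matches_claim": from_domain == claimed_domain
        or from_domain.endswith("." + claimed_domain),
    }
```

Only the topmost Received line is written by the recipient's own mail server; every line below it was supplied by upstream systems and can be forged, so treat `origin_ip` as a lead for the abuse report rather than proof.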