Internet and e-mail policy and practice
including Notes on Internet E-mail


2005
Months
Jun

Click the comments link on any story to see comments or add your own.


Subscribe to this blog


RSS feed


Home

26 Jun 2005

Phish or Phair, part II Email

Here we have a piece of mail purportedly from MBNA (a large credit card bank headquartered in an impressively large and anonymous building in Wilmington DE that I walked past a few weeks ago) about a utility bill that perhaps is available in their system for me to pay. Again the only thing I changed was to turn the target address to xxx@yyy.com. All of the X- headers were in the original mail.

Clues:

  • Comes from customercenter.net which is not MBNA
  • Has a lot of dubious 10.x.x.x received headers referring to Checkfree which isn't MBNA, either
  • Has amateurish looking X- headers
  • Body has Javascript to concoct a URL that you're supposed to click on
  • URL links to mbnanetaccess.com. Is that really MBNA?
  • Bill is from NYSEG which is indeed the local electric company, but anyone who looked at my WHOIS info would know that.

(I've reformatted this message a little bit to make it look OK on the weblog. The headers are verbatim other than the recipient address, and the HTML is basically the way it was. The links take you to a site that looks like MBNA.)

Return-Path: 
Received: (qmail 18498 invoked from network); 2 Mar 2005 09:54:57 -0000
Received: from outbd-pstfx.customercenter.net (208.235.248.20)
  by mail.iecc.com with SMTP; 2 Mar 2005 09:54:57 -0000
Received: from localhost (localhost.localdomain [127.0.0.1])
	by outbd-pstfx.customercenter.net (Postfix) with ESMTP id 0399C3BECA
	for ; Wed,  2 Mar 2005 04:54:56 -0500 (EST)
Received: from prod-mail.customercenter.net (elpemh03.nc.customercenter.net
    [10.30.26.53])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by outbd-pstfx.customercenter.net (Postfix) with ESMTP id A7A953BEB3
	for ; Wed,  2 Mar 2005 04:54:55 -0500 (EST)
Received: from localhost (localhost.localdomain [127.0.0.1])
	by prod-mail.customercenter.net (Postfix) with ESMTP id 8A4E92B4021
	for ; Wed,  2 Mar 2005 04:54:55 -0500 (EST)
Received: from espgcm01 (espgcm01-appl.nc.checkfree.com [10.30.7.207])
	by prod-mail.customercenter.net (Postfix) with ESMTP
	for ; Wed,  2 Mar 2005 04:54:55 -0500 (EST)
Received: from espgcm01 (espgcm01-appl.nc.checkfree.com [10.30.7.207])
 by espgcm01-appl.nc.checkfree.com
 (iPlanet Messaging Server 5.1 (built May  7 2001))
 with ESMTP id <0ICO0017079X6L@espgcm01-appl.nc.checkfree.com> for
 xxx@yyy.com; Wed, 02 Mar 2005 04:54:41 -0500 (EST)
Date: 2 Mar 2005 04:54:41 -0500
Message-id:
    <32685630.1109757281414.JavaMail.gcmsadm@ewpexv01.nc.checkfree.com>
From: bill_pay_choice_checkfree@customercenter.net
Reply-To: bill_pay_choice_checkfree_reply@customercenter.net
To: xxx@yyy.com
Subject: You have a new e-bill from NYSEG
MIME-version: 1.0
X-Mailer: smasend
Content-type: text/html; charset=us-ascii
Content-transfer-encoding: 7BIT
X-Priority: 2 (Normal)
X-MessageId: #500219123540203007480_
X-Virus-Scanned: by amavisd-new at customercenter.net
X-Virus-Scanned: by amavisd-new at customercenter.net
 
 
You have a new e-bill from NYSEG .
         

E-bill Information

Merchant Account Number: ***********0007  
Due Date: 03/28/2005   
Amount Due: $118.88  
Account Balance:  
To pay this e-bill, click Pay. You can select a payment date, amount, and payment account after clicking Pay/View E-bill.  
 
 

If you are unable to pay this e-bill by clicking the Pay/View E-bill button, follow these steps:

  1. Sign in to Bill Pay Choice.
  2. Click on the Bill Pay logo or the Pay Bills Now button to go to the Bill Pay Choice home page.
  3. Click the Pay button for the e-bill you want to pay online.
  4. Verify the payment details are accurate (You can change the pre-filled information by clicking in the field).
  5. Click the Continue button.
  6. Confirm the payment details are correct and then click the Schedule Payment button.
Your payment is now scheduled for this e-bill. You can view your payment activity online by clicking the Payment Activity link on the left side navigation.
 

Please do not reply to this message. If you have any questions, please contact us by clicking here. Or call us at 1-800-653-2465.    

   

========================================
Please do not delete this section.
Email_ID:#500219123540203007480_
========================================


  posted at: 12:29 :: permanent link to this entry :: 2 comments
Stable link is https://jl.ly/Email/phish2.html

Topics


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

CAUCE
It turns out you don’t need a license to hunt for spam.
4 days ago

A keen grasp of the obvious
Italian Apple Cake
562 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

My Mastodon feed



© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.