OT Phishing revisited

  #1  
Old December 22nd 11, 02:14 PM posted to uk.tech.digital-tv
Daniallo[_3_]

I thought this was particularly slack from the phisher, this came from
Barclays with a dodgy attachment for the entry of details:

Dear Valued Customer

We believe that Invention of security measures is the best way to beat
online fraud. Lloyds TSB Bank have employed some industrial leading models
to start performing an extra security check with Your Online Banking
Activities to ensure a safe and secure Online Banking.

You are requested to follow the provided steps and Update Your Online
Banking details, for the safety of Your Accounts by downloading the
attached form and follow the instructions on your screen. If you choose to
ignore our request, you leave us no choice but to temporary suspend your
account.

Thanks you for your patience as we work together to protect your account.



Sincerely,
Barclays Online Bank Customer Service.


*Important*
Please update your records on or before 48 hours, a failure to update your
records will result in a temporary hold on your funds.


--------------------------------------------------------------------------------


© 2011 Barclays Bank plc . All rights reserved.
  #2  
Old December 22nd 11, 03:10 PM posted to uk.tech.digital-tv
J G Miller[_3_]

On Thursday, December 22nd, 2011, at 15:14:32h +0000, Daniallo wrote:

> I thought this was particularly slack from the phisher, this came from
> Barclays

Well not actually from Barclays in fact.

What you should always do is to look at the Received from lines in the
message header to see where the message really came from.

Assuming you get your e-mail delivered to yourISP.com, you will see
a line saying

Received: from some_potentially_bogus_site (IP ADDRESS)
by from

The name of the sending machine may very well be forged, but
the IP ADDRESS will be the real IP address of the sending machine
(unless the spammer was very very clever and forged the IP address,
which is quite difficult and usually highly unlikely).

If your ISP email host does IP address checking, it will usually
flag the name as bogus if it does not match the IP address.

So an example would be

Received: from email.ames.k12.ia.us ([205.221.128.200])
by atticus.yoyo.org with esmtp (Exim 4.76)
(envelope-from )
id 1RdEgM-00077f-Lz
for
; Wed, 21 Dec 2011 05:25:40 +0000

Note that Received lines prior to the one for your_ISP may give a hint as to
where the mail came from before that, but since these can have easily been
forged they are no guarantee as to where the message came from before being
received by your_ISP.

What you then should do is use the whois program as in

whois 205.221.128.200

to find out which network the mail came from and who is responsible.

In this case

NetRange: 205.221.128.0 - 205.221.139.255

NetHandle: NET-205-221-128-0-1

CustName: Ames Community Schools

and look down the listing for the Abuse section and address

OrgAbuseName: Abuse Contact
OrgAbusePhone: +1-515-725-4400
OrgAbuseEmail:


Then as a good citizen who wants to reduce the level of SPAM and
criminal activity on the Internet, send an e-mail message to that
address including the FULL header of the offending message and its content.

Of course the "best" ISP abuse departments are ones which reject
your e-mail abuse report saying that it contains spam and all efforts
at trying to contact them fail, including the one that their e-mail
box is full and cannot receive any more messages.

In the case of the above message, which is an advance fee fraud scam,
it looks highly probable that the e-mail system at the Ames Community
School has either been taken over as part of a botnet, or the e-mail
system has been improperly configured to act as an open relay and Ames
Community School is totally unaware of the problem.

In this case it looks as if it is the latter and the spammers are using
their mailer as a distributor for their criminally fraudulent activities.
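
As an added example (not from the post, and not any tool the poster names), here is a Python script that applies the method described above to a constructed header chain: it walks the Received lines from the top, finds the hop where the reader's own ISP accepted the message from an outside address, and reports that address as the one to look up with whois, treating every hop below it as forgeable. The ISP name "yourisp.example", its 192.0.2.0/24 range, and all hostnames and addresses in the sample are assumptions.

```python
import email
import ipaddress
import re

# Constructed sample (not from the original post): newest hop on top, our ISP
# assumed to be "yourisp.example" on 192.0.2.0/24, and the hop just below its
# edge server a third-party mailer that is relaying the phish.
RAW_MESSAGE = """Received: from mx.yourisp.example ([192.0.2.10])
\tby mailbox.yourisp.example with esmtp id 1AbCdE-000001-XY;
\tWed, 21 Dec 2011 05:25:41 +0000
Received: from email.school.example ([203.0.113.200])
\tby mx.yourisp.example with esmtp (Exim 4.76)
\tid 1AbCdE-000000-AB; Wed, 21 Dec 2011 05:25:40 +0000
Received: from barclays.example (mail.barclays.example [198.51.100.7])
\tby email.school.example with smtp; Wed, 21 Dec 2011 05:25:39 +0000
From: Barclays Online Bank <service@barclays.example>
To: victim@yourisp.example
Subject: Update Your Online Banking details

Dear Valued Customer ...
"""

TRUSTED_SUFFIX = ".yourisp.example"                    # assumed: our ISP
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: its servers

# "from <helo-name> (<optional rdns> [<ip>]) ... by <receiving-host>"; IPv4 only.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^()]*?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
    r".*?\bby\s+(?P<by>\S+)", re.DOTALL)

def parse_hops(raw_message):
    """Received hops, newest first, as dicts with keys helo, ip, by."""
    msg = email.message_from_string(raw_message)
    matches = [HOP_RE.search(h) for h in msg.get_all("Received", [])]
    return [m.groupdict() for m in matches if m]

def find_entry_point(raw_message):
    """Walk down from the newest hop to the first one our own ISP received
    from an outside address. That hop's IP is the real sending machine (the
    name beside it may be forged); every Received line below it was written
    by machines we do not control, so it proves nothing about the origin.
    Feed the returned ip to `whois <ip>` to find the abuse contact."""
    hops = parse_hops(raw_message)
    for idx, hop in enumerate(hops):
        received_by_us = hop["by"].endswith(TRUSTED_SUFFIX)
        from_our_own = any(ipaddress.ip_address(hop["ip"]) in n for n in TRUSTED_NETS)
        if received_by_us and not from_our_own:
            return {"ip": hop["ip"], "claimed_name": hop["helo"],
                    "untrusted_hops_below": len(hops) - idx - 1}
    return None  # the chain never crossed into our ISP: not usable
```
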
  #3  
Old December 22nd 11, 04:10 PM posted to uk.tech.digital-tv
Daniallo[_3_]

On Thu, 22 Dec 2011 16:10:38 +0000 (UTC), J G Miller wrote:

> Well not actually from Barclays in fact.

Err yes, I'm aware of that, forgot the quotes. I was pointing out that the text
said LloydsTSB, it came from 'Barclays' & was signed by Barclays.
Usually they put a little more effort into these things.
  #4  
Old December 22nd 11, 05:31 PM posted to uk.tech.digital-tv
Mark Carver

Daniallo wrote:
> On Thu, 22 Dec 2011 16:10:38 +0000 (UTC), J G Miller wrote:
>
>> Well not actually from Barclays in fact.
>
> Err yes, I'm aware of that, forgot the quotes. I was pointing out that the text
> said LloydsTSB, it came from 'Barclays' & was signed by Barclays.
> Usually they put a little more effort into these things.


Cut and paste, without any thought or attention. Much like many 'genuine'
communications you receive in this day and age !


--
Mark
Please replace invalid and invalid with gmx and net to reply.

www.paras.org.uk
  #5  
Old December 22nd 11, 05:38 PM posted to uk.tech.digital-tv
Doctor D

"Mark Carver" wrote in message ...
> Daniallo wrote:
>> On Thu, 22 Dec 2011 16:10:38 +0000 (UTC), J G Miller wrote:
>>
>>> Well not actually from Barclays in fact.
>>
>> Err yes, I'm aware of that, forgot the quotes. I was pointing out that the
>> text said LloydsTSB, it came from 'Barclays' & was signed by Barclays.
>> Usually they put a little more effort into these things.
>
> Cut and paste, without any thought or attention. Much like many 'genuine'
> communications you receive in this day and age !

Indeed.
Although an interesting one last week was the letter I received from Tesco
Credit Card Fraud Dept in Southend, which arrived in a Natwest envelope with
a London return postcode!

  #6  
Old December 22nd 11, 05:47 PM posted to uk.tech.digital-tv
Peter Duncanson

On Thu, 22 Dec 2011 17:10:43 +0000, Daniallo wrote:

> On Thu, 22 Dec 2011 16:10:38 +0000 (UTC), J G Miller wrote:
>
>> Well not actually from Barclays in fact.
>
> Err yes, I'm aware of that, forgot the quotes. I was pointing out that the text
> said LloydsTSB, it came from 'Barclays' & was signed by Barclays.
> Usually they put a little more effort into these things.


They usually do.

I had one allegedly from Lloyds TSB.

It said:

To access your statement,click on the link below.
https://online.lloydstsb.co.uk/e-statement/

The actual url behind that innocent-looking text was:

http://abpecas.com.br/.cgi-bin/index.html


--
Peter Duncanson
(in uk.tech.digital-tv)
  #7  
Old December 22nd 11, 10:33 PM posted to uk.tech.digital-tv
J G Miller[_3_]

On Thursday, December 22nd, 2011 18:47:45 +0000, Peter Duncanson wrote:

> The actual url behind that innocent-looking text was:
>
> http://abpecas.com.br/.cgi-bin/index.html


Do you notice the period "." before the cgi-bin ??

That is a good sign that what has happened is that the
machine hosting the abpecas.com.br web site (which is
legitimate) has been cracked, and the crackers have used,
instead of the expected "cgi-bin" directory, a so-called
"hidden" directory ".cgi-bin" to store their illicit
harvesting web pages.

Somebody doing a directory listing would not see the
.. directories with a simple ls, and using an ls -l
might not even notice .cgi-bin in addition to cgi-bin
or think it out of the ordinary.

What it most probably reveals is that the people who
set up the abpecas.com.br site were incompetent at
security because they have allowed their site to
be compromised and in all likelihood will have not
been aware that their site was cracked.
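
The two posts above describe the two tells in that link: the text it showed versus the host it really went to, and the dot-prefixed directory on the cracked host. As an added example that is not from the thread, this Python script scans an HTML mail body for both; the hostnames and the sample body are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a phishing mail body (not from the original post): the
# visible text is the bank's real-looking address, the href is a cracked host
# with the "hidden" .cgi-bin directory J G Miller points out.
SAMPLE_HTML = """<p>To access your statement, click on the link below.</p>
<a href="http://cracked-host.example/.cgi-bin/index.html">https://online.bank.example/e-statement/</a>
<p><a href="https://online.bank.example/help">Help</a>
<a href="https://online.bank.example/login">https://online.bank.example/login</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html_text):
    """One finding per anchor whose visible text is itself a URL on another
    host than the real target, or whose target path has a dot-prefixed
    ("hidden") directory; honest links produce no finding."""
    collector = LinkCollector()
    collector.feed(html_text)
    findings = []
    for href, text in collector.links:
        target, reasons = urlsplit(href), []
        if text.lower().startswith(("http://", "https://")):
            shown_host = urlsplit(text).hostname
            if shown_host != target.hostname:
                reasons.append("text shows %s, href goes to %s" % (shown_host, target.hostname))
        if any(seg.startswith(".") for seg in target.path.split("/") if seg):
            reasons.append("hidden directory in path: %s" % target.path)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings
```
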

  #8  
Old December 23rd 11, 12:29 PM posted to uk.tech.digital-tv
Dave Saville[_2_]

On Thu, 22 Dec 2011 23:33:55 UTC, J G Miller wrote:

[snip]

> Somebody doing a directory listing would not see the
> . directories with a simple ls, and using an ls -l
> might not even notice .cgi-bin in addition to cgi-bin
> or think it out of the ordinary.


I think you mean "ls -a" to show "dot" files. :-)
--
Regards
Dave Saville
  #9  
Old December 23rd 11, 04:15 PM posted to uk.tech.digital-tv
J G Miller[_3_]

On Friday, December 23rd, 2011, at 13:29:21h +0000, Dave Saville wrote:

> I think you mean "ls -a" to show "dot" files. :-)


Indeed yes.

-A to omit current directory . and upper directory .. but all other dot entities
-a to show everything.
-l for long listing

For keeping an eye on (modification time) changed directory content

ls -aFlrst

 



