Sylence Posted May 5, 2016 Share Posted May 5, 2016 I got an email from my email provider which is Microsoft outlook. it's weird because it is placed in the "junk" folder !! so the content is: We just got this from the IRS. Thank you and here's the screenshot. contents of the attachment opened in the Word online has anyone got the same email? what the hell is happening? update message sources reveals: x-store-info:4r51+eLowCe79NzwdU2kR3P+ctWZsO+J Authentication-Results: hotmail.com; spf=softfail (sender IP is 216.56.144.46; identity alignment result is pass and alignment mode is relaxed) [email protected]; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=outlook.com; x-hmca=fail [email protected] X-SID-PRA: [email protected] X-AUTH-Result: FAIL IP location: Update 2 Hop Delay From By With Time (UTC) Blacklist 1 * outlook.com 216.56.144.46 SNT004-MC4F17.hotmail.com Microsoft SMTPSVC(7.5.7601.23143) 5/4/2016 7:03:18 PM Header Name Header Value Authentication-Results hotmail.com; spf=softfail (sender IP is 216.56.144.46; identity alignment result is pass and alignment mode is relaxed) [email protected]; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=outlook.com; x-hmca=fail [email protected] X-SID-PRA [email protected] X-AUTH-Result FAIL X-SID-Result FAIL X-Message-Status n:n X-Message-Delivery Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02 X-Message-Info 11chDOWqoTmMyTDt9MpudWAM9oAo7KxA3HLpAIEaQ0A/MULxj/ADrcxhefHT9O2o4fj+9F2eT49IIGEe6HOKrJy5G9+JwLNyAJ/z22wRgNQUmmBy+GLEE0vPYOgmSMkGtF8nqEfj7Z5F71l2RaLOq1Pj1MUJXQ73p1x8zVb3psciowHemF1VDA2lNI1cjqnWqfoSIGEKJ/V0VscYdNdJIlzDIq3eA3Uy9AXIe/4m5fmubvJpTpF7VA== Message-ID <[email protected]> Date Wed, 04 May 2016 14:03:18 -0500 Reply-To "[email protected]" <[email protected]> From "[email protected]" <[email protected]> X-Mailer Apple Mail (2.1283) MIME-Version 1.0 To <***(censored by myself****@outlook.com> Subject Fw: outlook.com irs notification Return-Path [email protected] X-OriginalArrivalTime 04 May 2016 19:03:19.0167 (UTC) FILETIME=[9F0370F0:01D1A637] sent from Apple mail? even more weird. Link to comment Share on other sites More sharing options...
TrasMontano Posted May 5, 2016 Share Posted May 5, 2016 In doubt, just delete it. Link to comment Share on other sites More sharing options...
SnakeMasteR Posted May 5, 2016 Share Posted May 5, 2016 Probably some script or macro virus. They will never ask you to download and open weird documents or attachments! And it's categorized as junk for a reason i guess, probably because sending junk or marking internal stuff as it doesn't make much sense?! Just delete it and do not download or open suspicious attachments, no matter if zip, pdf or whatever there is. Link to comment Share on other sites More sharing options...
Sylence Posted May 5, 2016 Author Share Posted May 5, 2016 1 minute ago, n0_risk! said: Probably some script or macro virus. They will never ask you to download and open weird documents or attachments! And it's categorized as junk for a reason i guess, probably because sending junk or marking internal stuff as it doesn't make much sense?! Just delete it and do not download or open suspicious attachments, no matter if zip, pdf or whatever there is. Yes that's right, but if the email is sent from the outlook.com domain it means the virus controls the domain and the server credentials. and btw I opened it through Word online not on my computer. I usually get emails with titles to make them look official and legit, whatsapp, Google, Facebook etc but when I check the domain they're sent from i see some weird nonsensical domain names that have nothing to do with official domains, but this one is sent from the outlook.com server itself. Link to comment Share on other sites More sharing options...
VileTouch Posted May 5, 2016 Share Posted May 5, 2016 1 hour ago, saeed_dc said: Yes that's right, but if the email is sent from the outlook.com domain it means the virus controls the domain and the server credentials. and btw I opened it through Word online not on my computer. I usually get emails with titles to make them look official and legit, whatsapp, Google, Facebook etc but when I check the domain they're sent from i see some weird nonsensical domain names that have nothing to do with official domains, but this one is sent from the outlook.com server itself. having an outlook domain means nothing. anyone can create an account in outlook.com AND it can be spoofed. right click the email's title in the inbox and look at the source code of the message. that should give you the real address. Link to comment Share on other sites More sharing options...
Sylence Posted May 5, 2016 Author Share Posted May 5, 2016 33 minutes ago, VileTouch said: having an outlook domain means nothing. anyone can create an account in outlook.com AND it can be spoofed. right click the email's title in the inbox and look at the source code of the message. that should give you the real address. yeah I confused it, but I assumed [email protected] is taken by the company itself, like [email protected] or similar names. I'm still not sure. I posted the source code above. Link to comment Share on other sites More sharing options...
VileTouch Posted May 6, 2016 Share Posted May 6, 2016 7 hours ago, saeed_dc said: yeah I confused it, but I assumed [email protected] is taken by the company itself, like [email protected] or similar names. I'm still not sure. I posted the source code above. it's a spoofed address. that ip is from an elementary school, that someone might be using as a proxy. (script kiddies don't make very good hackers.) however, there's a nice little firewall there so you might have some trouble tracing back the attacker on your own (not that it's impossible, but)... however, you could also contact the sysadmins of the school (they have been known to help wikipedia stop vandalism from their end) the document contains an embedded "audio" i doubt it really is, but do you have the url? (prepare for ransomware) smartscreen flagged it as junk. there's no way they would flag their own messages. that looks nowhere near like a legit communication from an official address, you should have noticed that. and finally, you broke the first rule of safe browsing: NEVER, EVER open attachments from unknown sources, specially if they are office documents!. even if they are from known contacts you should double and triple check that they are clean. Link to comment Share on other sites More sharing options...
straycat19 Posted May 6, 2016 Share Posted May 6, 2016 11 hours ago, saeed_dc said: I got an email from my email provider which is Microsoft outlook. it's weird because it is placed in the "junk" folder !! so the content is: We just got this from the IRS. Thank you What bothers me the most, especially since you are a long time member here, is that you would open the email and the attachment. Thousands of posts have warned about phishing emails and their consequences. These have become so prevalent we don't even open them on a secure system to test them and see what malware they are trying to install on the system. We just delete them from the server automatically so the users never even see them. If any get through then the attachment is automatically removed and if the user thinks it is important they have to call us and tell us why and we tell them why not. I don't even bother to look at what is in the Junk and Spam email folders any more because if it was something important then obviously the sender would know me and would follow up with a phone call, since in the corporate and business world we know emails get lost and if we don't get a response in the expected time frame then we call. Link to comment Share on other sites More sharing options...
Sylence Posted May 6, 2016 Author Share Posted May 6, 2016 25 minutes ago, VileTouch said: it's a spoofed address. that ip is from an elementary school, that someone might be using as a proxy. (script kiddies don't make very good hackers.) however, there's a nice little firewall there so you might have some trouble tracing back the attacker on your own (not that it's impossible, but)... however, you could also contact the sysadmins of the school (they have been known to help wikipedia stop vandalism from their end) the document contains an embedded "audio" i doubt it really is, but do you have the url? (prepare for ransomware) smartscreen flagged it as junk. there's no way they would flag their own messages. that looks nowhere near like a legit communication from an official address, you should have noticed that. and finally, you broke the first rule of safe browsing: NEVER, EVER open attachments from unknown sources, specially if they are office documents!. even if they are from known contacts you should double and triple check that they are clean. Okay I set KIS to maximum security and manually allowed it to scan archives too, then downloaded the attachment and here's what I got. hopefully the file's details will be sent to KSN as part of cloud protection. . I didn't open the zip file to see whether there's an embedded audio or not as Kaspersky detected it soon as download finished. you've already known about this school or found that information just now? yes that was my mistake thinking of it as a legit email but it was just thoughts, didn't lead to actions, I'd already encountered worst cases, more legit-looking emails but this time I was careless. of course I didn't open that attachment. do you mean the Word online? that's online, nothing to do with my computer. I opened that attachment just few minutes ago on my computer. Link to comment Share on other sites More sharing options...
Sylence Posted May 6, 2016 Author Share Posted May 6, 2016 10 minutes ago, straycat19 said: What bothers me the most, especially since you are a long time member here, is that you would open the email and the attachment. Thousands of posts have warned about phishing emails and their consequences. These have become so prevalent we don't even open them on a secure system to test them and see what malware they are trying to install on the system. We just delete them from the server automatically so the users never even see them. If any get through then the attachment is automatically removed and if the user thinks it is important they have to call us and tell us why and we tell them why not. I don't even bother to look at what is in the Junk and Spam email folders any more because if it was something important then obviously the sender would know me and would follow up with a phone call, since in the corporate and business world we know emails get lost and if we don't get a response in the expected time frame then we call. I understand in the corporates and other more sensitive environments the outcome of such actions can be catastrophic and that's the right thing you do by deleting or ignoring junk and spam emails automatically if you already know who your contacts are. but some of the emails from local websites I use are usually placed in the junk folder by mistake so I can't completely ignore such folders.. Link to comment Share on other sites More sharing options...
VileTouch Posted May 6, 2016 Share Posted May 6, 2016 19 minutes ago, saeed_dc said: Okay I set KIS to maximum security and manually allowed it to scan archives too, then downloaded the attachment and here's what I got. hopefully the file's details will be sent to KSN as part of cloud protection. . I didn't open the zip file to see whether there's an embedded audio or not as Kaspersky detected it soon as download finished. you've already known about this school or found that information just now? yes that was my mistake thinking of it as a legit email but it was just thoughts, didn't lead to actions, I'd already encountered worst cases, more legit-looking emails but this time I was careless. of course I didn't open that attachment. do you mean the Word online? that's online, nothing to do with my computer. I opened that attachment just few minutes ago on my computer. heh, it would have been interesting to see what's inside that z3.tmp, but oh well... i have my sauces... Link to comment Share on other sites More sharing options...
Sylence Posted May 6, 2016 Author Share Posted May 6, 2016 7 minutes ago, VileTouch said: heh, it would have been interesting to see what's inside that z3.tmp, but oh well... i have my sauces... Well okay if you really want it..but give me some time to add a couple more antivirus, anti-malwares, ad blockers to my computer and set up a few virtual machines in a way like matryoshka nested boxes so I can confuse the shit out of this trojan while checking it out Link to comment Share on other sites More sharing options...
VileTouch Posted May 6, 2016 Share Posted May 6, 2016 Just now, saeed_dc said: Well okay if you really want it..but give me some time to add a couple more antivirus, anti-malwares, ad blockers to my computer and set up a few virtual machines in a way like matryoshka nested boxes so I can confuse the shit out of this trojan while checking it out it's fine if you delete it as well. a single (backed up and without access to the net) vm should do the job Link to comment Share on other sites More sharing options...
jasonliul Posted May 6, 2016 Share Posted May 6, 2016 In fact, most hardware company install some useless software in your machine, and this cause software conflict. Intel, AMD, Dell... all of them. Microsoft spy you every day, and sent junk email to me every day. Never trust them, just follow what you REALLY need. Link to comment Share on other sites More sharing options...
Sylence Posted May 6, 2016 Author Share Posted May 6, 2016 9 minutes ago, jasonliul said: In fact, most hardware company install some useless software in your machine, and this cause software conflict. Intel, AMD, Dell... all of them. Microsoft spy you every day, and sent junk email to me every day. Never trust them, just follow what you REALLY need. you mean when buying pre assembled computers and laptops right? when you buy different pieces of hardware and assemble them yourself then you're fine. can you show me an example? maybe it's a misunderstanding like this one. Link to comment Share on other sites More sharing options...
jasonliul Posted May 6, 2016 Share Posted May 6, 2016 1 minute ago, saeed_dc said: you mean when buying pre assembled computers and laptops right? when you buy different pieces of hardware and assemble them yourself then you're fine. can you show me an example? maybe it's a misunderstanding like this one. Any driver installer, with some useless software. Most users just use "quick install", then they'll be fooled. Ironically, users usually be scared to uninstall such program. The truth is, uninstall these program will never uninstall their driver at the same time. Those program will install some service in windows, but MS release their patch never consider of them. In many case, people meet so called "Hardware Conflicts", they should uninstall such useless program from hardware corp. first. Link to comment Share on other sites More sharing options...
Sylence Posted May 6, 2016 Author Share Posted May 6, 2016 24 minutes ago, jasonliul said: Any driver installer, with some useless software. Most users just use "quick install", then they'll be fooled. Ironically, users usually be scared to uninstall such program. The truth is, uninstall these program will never uninstall their driver at the same time. Those program will install some service in windows, but MS release their patch never consider of them. In many case, people meet so called "Hardware Conflicts", they should uninstall such useless program from hardware corp. first. Yes software conflicts are found a lot in Windows, specially if they're not updated and are from less popular companies that's why there are programs like softorganizer to uninstal programs completely Link to comment Share on other sites More sharing options...
jasonliul Posted May 6, 2016 Share Posted May 6, 2016 1 hour ago, saeed_dc said: Yes software conflicts are found a lot in Windows, specially if they're not updated and are from less popular companies that's why there are programs like softorganizer to uninstal programs completely i've help my friend for "AMD video drive conflict" recently. The sad thing is, real conflict NOT cause by AMD drive, it's so simple caused by such binding program from those famous hardware corp. Link to comment Share on other sites More sharing options...
Sylence Posted May 6, 2016 Author Share Posted May 6, 2016 6 minutes ago, jasonliul said: i've help my friend for "AMD video drive conflict" recently. The sad thing is, real conflict NOT cause by AMD drive, it's so simple caused by such binding program from those famous hardware corp. you must be referring to the AMD gaming evolved app by raptr, that piece of software is crap, so is the raptr community Link to comment Share on other sites More sharing options...
jasonliul Posted May 6, 2016 Share Posted May 6, 2016 That's true. Link to comment Share on other sites More sharing options...
CODYQX4 Posted May 6, 2016 Share Posted May 6, 2016 . Link to comment Share on other sites More sharing options...
jasonliul Posted May 6, 2016 Share Posted May 6, 2016 2 hours ago, CODYQX4 said: It's funny because I have a Gmail address from 2007 and an MSN account from around the same time. I almost never use the MSN one. Guess which one gets the most spam? MSN, 100X more and it's almost never been used. I seem to get more spam in recent years but Gmail catches all of it and for a nearly decade old account that's been used and a few major companies have leaked, the spam count is surprisingly low. That's because you never used QQ in china. It's professional spam deliver. Link to comment Share on other sites More sharing options...
Administrator DKT27 Posted May 6, 2016 Administrator Share Posted May 6, 2016 As mentioned already, it is not necessary that the email address belongs to the Outlook guys. But, it does looked proofed. I wish I personally could have switched to Gmail, but have too much associated with my Outlook / Hotmail account. Do not like Gmail's look too. 10 hours ago, VileTouch said: heh, it would have been interesting to see what's inside that z3.tmp, but oh well... i have my sauces... You scanned the IP, did not you. Link to comment Share on other sites More sharing options...
VileTouch Posted May 6, 2016 Share Posted May 6, 2016 8 hours ago, CODYQX4 said: It's funny because I have a Gmail address from 2007 and an MSN account from around the same time. I almost never use the MSN one. Guess which one gets the most spam? MSN, 100X more and it's almost never been used. I seem to get more spam in recent years but Gmail catches all of it and for a nearly decade old account that's been used and a few major companies have leaked, the spam count is surprisingly low. funny how i don't get ANY spam... AT ALL in outlook any more. my suggestion? make use of the mail filter. add whole domains to it, not just a single address. Link to comment Share on other sites More sharing options...
VileTouch Posted May 6, 2016 Share Posted May 6, 2016 3 hours ago, DKT27 said: You scanned the IP, did not you. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.