cancel
Showing results for 
Search instead for 
Did you mean: 

Obvious pishing emails getting through SPAM / AV filters - BT Business bill

Superuser
Superuser
Posts: 12,948
Thanks: 4,246
Fixes: 26
Registered: ‎22-08-2007

Obvious pishing emails getting through SPAM / AV filters - BT Business bill

Received a very plausible BT Business account phone bill yesterday (3rd Aug) and I'm very surprised that it got through spam filtering.

Return-path: <btbusiness@bttconnect.com>
Envelope-to: pub@mydomain.co.uk
Delivery-date: Wed, 02 Aug 2017 09:49:38 +0100
Received: from [212.159.8.109] (helo=avasin15.plus.net)
   by inmx17.plus.net with esmtp (PlusNet MXCore v2.00) id 1dcpLW-0006xb-8X
   for pub@mydomain.co.uk; Wed, 02 Aug 2017 09:49:38 +0100
Received: from mta54.bttconnect.com ([5.188.62.56])
 by avasin15.plus.net with Plusnet Cloudmark Gateway
 id s8pb1v0021Cogxh018pdV4; Wed, 02 Aug 2017 09:49:38 +0100
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.2 cv=V70N6avi c=1 sm=1 tr=0
 a=xnDwevRmZtlPTB+rSW32Hg==:117 a=xnDwevRmZtlPTB+rSW32Hg==:17 a=e9qsufxtAAAA:8
 a=2AHT_ADaHdRiSzqc70cA:9 a=T0wAGKrYjJwxAU_Z:21 a=3LIiwnXAl0Wl8f3O:21
 a=QEXdDO2ut3YA:10 a=QrEJ-7pvAAAA:8 a=SSmOFEACAAAA:8 a=6C2pXCVufWSKaPu3:21
 a=s_wuipRqil9VrUqJ:21 a=j8yKiMO9kUJxZgbv:21 a=_W_S_7VecoQA:10
 a=frz4AuCg-hUA:10 a=fPaBA7gmfwsA:10 a=p403mkujtbAA:10
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key.bt; d=bttconnect.com;
 h=Date:Message-ID:From:To:Subject:List-Unsubscribe:MIME-Version:Content-Type; i=btbusiness@bttconnect.com;
 bh=HMIFkfJU19f0NLnAeznL9mT4sjg=;
 b=U338CQiQYEzyuZcZJaFxu3Y/YENwVBpkj2wWXbji6yDkCiQmCxcorJS3FRgNh+ViqbMT371PufEL
   VOGr0JDRyS0PXZT0Pxu2MztkdPlD8ZW0q7WuLz38wFvYVzf/eAqtgQh9G/vpYsAMzo3JWFdOjbFm
   N6OQqV1bus4NXIvEWIM=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key.bt; d=bttconnect.com;
 b=O6QfbDZUYTl6W6Qeo359M8QbWagaAZFgL8icTxJEQUsY0DbchkYSgd8z4qm4lA3oERri/ofTfSUc
   rukaONpBqQvSnpSwDZ7Q9+ynulUW2SWqHLiNB/SvA6O8Ym3q3dsY83gQHWh6wcdx4JtmJIOEOvlx
   7jI/zNHarBGD2vJpEBY=;
Date: Wed, 2 Aug 2017 01:49:36 -0700
Message-ID: <20170802014936133.ADAAAFFFFDADBBF@edelivery.1265EADB4776DCEBD.bttconnect.com>
From: "BT Business" <btbusiness@bttconnect.com>
To: <pub@mydomain.co.uk>
Errors-To: error@bttconnect.com
List-Unsubscribe: <mailto:unsubscribe@bttconnect.com?subject=Unsubscribe>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_5429FDAF5511BDDF"
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: New BT Bill

 

Only after looking carefully did I realise that the double 't' in the from address and MTA is 'wrong'.

Name Value
Registrar Eranet International Limited
Name Server NS1.BTTCONNECT.COM
Name Server NS2.BTTCONNECT.COM
Name Value
Domain Name BTTCONNECT.COM
Registry Domain ID 2148532163_DOMAIN_COM-VRSN
Registrar WHOIS Server whois.eranet.com
Registrar URL http://www.eranet.com
Updated Date 2017-07-30T20:06:09Z
Creation Date 2017-07-30T18:48:06Z
Registry Expiry Date 2018-07-30T18:48:06Z
Registrar Eranet International Limited
Registrar IANA ID 1868
Domain Status clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server NS1.BTTCONNECT.COM
Name Server NS2.BTTCONNECT.COM
DNSSEC unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/
Last update of whois database 2017-08-02T08:57:27Z

 

Target for the scam is

See your bill here:

h-t-t-p-s://lifestylesolutionsaustltd-my.sharepoint.com/personal/margaret_higgins_lifestylesolutions_org_au/_layouts/15/guestaccess.aspx?docid=0d615ad45ab484afd9b9d35d3f9005bfc&authkey=ARqQT0PO7oUuhlzRuKsR7nQ

7 REPLIES
Community Veteran
Posts: 5,611
Thanks: 1,533
Fixes: 35
Registered: ‎16-10-2014

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

I noticed this :

List-Unsubscribe: <mailto:unsubscribe@bttconnect.com?subject=Unsubscribe>

In the header data, you could always unsubscribe!

But of course you'd never get your bill and BTT would then cut you off! Grin

 

Superuser
Superuser
Posts: 12,948
Thanks: 4,246
Fixes: 26
Registered: ‎22-08-2007

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

...it would also verify that the email address is valid and I'd get even more guff!

Community Veteran
Posts: 5,611
Thanks: 1,533
Fixes: 35
Registered: ‎16-10-2014

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

It was of course a joke. Hence the Grin

Superuser
Superuser
Posts: 12,948
Thanks: 4,246
Fixes: 26
Registered: ‎22-08-2007

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

@Mook,

That was taken as read - the reply was intended as a warning to others to not use unsubscribe links in spam / pishing emails, as that action can be used to verify that the harvested email address is a live one.  Remaining silent is the best strategy.

Community Veteran
Posts: 5,611
Thanks: 1,533
Fixes: 35
Registered: ‎16-10-2014

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

Another sensible idea is to turn off remote images as well, as this can also be used to verify the email address as valid.

Superuser
Superuser
Posts: 9,884
Thanks: 1,248
Fixes: 71
Registered: ‎06-04-2007

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

@Townman

Forum notification of this new topic went into my Spam folder. Clearly that will be based on text content rather than headers; however have you ever had anything directed to your Spam mailbox?

David
Superuser
Superuser
Posts: 12,948
Thanks: 4,246
Fixes: 26
Registered: ‎22-08-2007

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

Hi, David,

Yes loads of stuff including quarantined items and stuff not marked [-SPAM-]

I suppose that between me receiving that email and you getting the forum post email the spam filter might have learnt a new trick,