cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Obvious pishing emails getting through SPAM / AV filters - BT Business bill

Townman
Superuser
Superuser
Posts: 22,338
Thanks: 9,209
Fixes: 147
Registered: ‎22-08-2007

Obvious pishing emails getting through SPAM / AV filters - BT Business bill

‎04-08-2017 7:51 AM

Received a very plausible BT Business account phone bill yesterday (3rd Aug) and I'm very surprised that it got through spam filtering.

Return-path: <btbusiness@bttconnect.com>
Envelope-to: pub@mydomain.co.uk
Delivery-date: Wed, 02 Aug 2017 09:49:38 +0100
Received: from [212.159.8.109] (helo=avasin15.plus.net)
   by inmx17.plus.net with esmtp (PlusNet MXCore v2.00) id 1dcpLW-0006xb-8X
   for pub@mydomain.co.uk; Wed, 02 Aug 2017 09:49:38 +0100
Received: from mta54.bttconnect.com ([5.188.62.56])
 by avasin15.plus.net with Plusnet Cloudmark Gateway
 id s8pb1v0021Cogxh018pdV4; Wed, 02 Aug 2017 09:49:38 +0100
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.2 cv=V70N6avi c=1 sm=1 tr=0
 a=xnDwevRmZtlPTB+rSW32Hg==:117 a=xnDwevRmZtlPTB+rSW32Hg==:17 a=e9qsufxtAAAA:8
 a=2AHT_ADaHdRiSzqc70cA:9 a=T0wAGKrYjJwxAU_Z:21 a=3LIiwnXAl0Wl8f3O:21
 a=QEXdDO2ut3YA:10 a=QrEJ-7pvAAAA:8 a=SSmOFEACAAAA:8 a=6C2pXCVufWSKaPu3:21
 a=s_wuipRqil9VrUqJ:21 a=j8yKiMO9kUJxZgbv:21 a=_W_S_7VecoQA:10
 a=frz4AuCg-hUA:10 a=fPaBA7gmfwsA:10 a=p403mkujtbAA:10
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key.bt; d=bttconnect.com;
 h=Date:Message-ID:From:To:Subject:List-Unsubscribe:MIME-Version:Content-Type; i=btbusiness@bttconnect.com;
 bh=HMIFkfJU19f0NLnAeznL9mT4sjg=;
 b=U338CQiQYEzyuZcZJaFxu3Y/YENwVBpkj2wWXbji6yDkCiQmCxcorJS3FRgNh+ViqbMT371PufEL
   VOGr0JDRyS0PXZT0Pxu2MztkdPlD8ZW0q7WuLz38wFvYVzf/eAqtgQh9G/vpYsAMzo3JWFdOjbFm
   N6OQqV1bus4NXIvEWIM=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key.bt; d=bttconnect.com;
 b=O6QfbDZUYTl6W6Qeo359M8QbWagaAZFgL8icTxJEQUsY0DbchkYSgd8z4qm4lA3oERri/ofTfSUc
   rukaONpBqQvSnpSwDZ7Q9+ynulUW2SWqHLiNB/SvA6O8Ym3q3dsY83gQHWh6wcdx4JtmJIOEOvlx
   7jI/zNHarBGD2vJpEBY=;
Date: Wed, 2 Aug 2017 01:49:36 -0700
Message-ID: <20170802014936133.ADAAAFFFFDADBBF@edelivery.1265EADB4776DCEBD.bttconnect.com>
From: "BT Business" <btbusiness@bttconnect.com>
To: <pub@mydomain.co.uk>
Errors-To: error@bttconnect.com
List-Unsubscribe: <mailto:unsubscribe@bttconnect.com?subject=Unsubscribe>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_5429FDAF5511BDDF"
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: New BT Bill

 

Only after looking carefully did I realise that the double 't' in the from address and MTA is 'wrong'.

Name Value
Registrar Eranet International Limited
Name Server NS1.BTTCONNECT.COM
Name Server NS2.BTTCONNECT.COM
Name Value
Domain Name BTTCONNECT.COM
Registry Domain ID 2148532163_DOMAIN_COM-VRSN
Registrar WHOIS Server whois.eranet.com
Registrar URL http://www.eranet.com
Updated Date 2017-07-30T20:06:09Z
Creation Date 2017-07-30T18:48:06Z
Registry Expiry Date 2018-07-30T18:48:06Z
Registrar Eranet International Limited
Registrar IANA ID 1868
Domain Status clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server NS1.BTTCONNECT.COM
Name Server NS2.BTTCONNECT.COM
DNSSEC unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/
Last update of whois database 2017-08-02T08:57:27Z

 

Target for the scam is

See your bill here:

h-t-t-p-s://lifestylesolutionsaustltd-my.sharepoint.com/personal/margaret_higgins_lifestylesolutions_org_au/_layouts/15/guestaccess.aspx?docid=0d615ad45ab484afd9b9d35d3f9005bfc&authkey=ARqQT0PO7oUuhlzRuKsR7nQ

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

Message 1 of 8
(1,128 Views)
0 Thanks
7 REPLIES 7
Anonymous
Not applicable

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

‎04-08-2017 8:06 AM

I noticed this :

List-Unsubscribe: <mailto:unsubscribe@bttconnect.com?subject=Unsubscribe>

In the header data, you could always unsubscribe!

But of course you'd never get your bill and BTT would then cut you off! Grin

 

Message 2 of 8
(1,122 Views)
0 Thanks
Townman
Superuser
Superuser
Posts: 22,338
Thanks: 9,209
Fixes: 147
Registered: ‎22-08-2007

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

‎04-08-2017 8:34 AM

...it would also verify that the email address is valid and I'd get even more guff!

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

Message 3 of 8
(1,112 Views)
0 Thanks
Anonymous
Not applicable

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

‎04-08-2017 9:09 AM

It was of course a joke. Hence the Grin

Message 4 of 8
(1,095 Views)
Townman
Superuser
Superuser
Posts: 22,338
Thanks: 9,209
Fixes: 147
Registered: ‎22-08-2007

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

‎04-08-2017 9:15 AM

@Anonymous,

That was taken as read - the reply was intended as a warning to others to not use unsubscribe links in spam / pishing emails, as that action can be used to verify that the harvested email address is a live one.  Remaining silent is the best strategy.

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

Message 5 of 8
(1,090 Views)
0 Thanks
Anonymous
Not applicable

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

‎04-08-2017 9:29 AM

Another sensible idea is to turn off remote images as well, as this can also be used to verify the email address as valid.

Message 6 of 8
(1,081 Views)
spraxyt
Aspiring Legend
Posts: 10,063
Thanks: 673
Fixes: 75
Registered: ‎06-04-2007

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

‎04-08-2017 4:43 PM

@Townman

Forum notification of this new topic went into my Spam folder. Clearly that will be based on text content rather than headers; however have you ever had anything directed to your Spam mailbox?

David
Message 7 of 8
(1,050 Views)
0 Thanks
Townman
Superuser
Superuser
Posts: 22,338
Thanks: 9,209
Fixes: 147
Registered: ‎22-08-2007

Re: Obvious pishing emails getting through SPAM / AV filters - BT Business bill

‎04-08-2017 8:34 PM

Hi, David,

Yes loads of stuff including quarantined items and stuff not marked [-SPAM-]

I suppose that between me receiving that email and you getting the forum post email the spam filter might have learnt a new trick,

In another browser tab, login into the Plusnet user portal BEFORE clicking the fault & ticket links

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

If this post helped, please click the Thumbs Up and if it fixed your issue, please click the This fixed my problem green button below.

Message 8 of 8
(1,037 Views)
0 Thanks