Suspect emails and Avasin 14

Luzern

A relative and I are both Plusnetters. I have received a message purporting to be from his Hotmail account.
It looks like a Spam or similar message even though it has gone through PN checkers and my AVG.
Is PN's Spam check failing?
From - Thu Mar 29 19:06:14 2012
X-Account-Key: account1
X-UIDL: UID3513-1215182652
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                               
Return-path: <ba****an@hotmail.co.uk>
Envelope-to: go***n@ge***u.plus.com
Delivery-date: Thu, 29 Mar 2012 17:28:48 +0100
Received: from [212.159.9.108] (helo=avasin14.plus.net)
  by inmx16.plus.net with esmtp (PlusNet MXCore v2.00) id 1SDIDQ-0008EB-FK
  for go***n@ge***u.plus.com; Thu, 29 Mar 2012 17:28:48 +0100
Received: from blu0-omc1-s12.blu0.hotmail.com ([65.55.116.23])
by avasin14.plus.net with Plusnet Cloudmark Gateway
id rUUl1i00A0WMjQp01UUoWB; Thu, 29 Mar 2012 17:28:48 +0100
X-CM-Score: 0.00
X-CNFS-Analysis: v=2.0 cv=GLGK45xK c=1 sm=1 a=atrOReL0qIvrErWvimfC0g==:17
a=qoIZvz38YFYA:10 a=ydry2IkHkR4A:10 a=R6UODsCMFFgA:10 a=ecXdFOLGAAAA:8
a=EBOSESyhAAAA:8 a=QQA-oEH5oLoCTFvmAd0A:9 a=w31CQc5T5CT1IL9lxDsA:7
a=wPNLvfGTeEIA:10 a=nglqkvrNVMfQ69sFy66j0Q==:117
Received: from BLU0-SMTP149 ([65.55.116.7]) by blu0-omc1-s12.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 29 Mar 2012 09:28:45 -0700
X-Originating-IP: [190.188.57.22]
X-Originating-Email: [ba***an@hotmail.co.uk]
Message-ID: <BLU0-SMTP1490C704CAFCD407224D57D8F480@phx.gbl>
Received: from [192.168.1.1] ([190.188.57.22]) by BLU0-SMTP149.phx.gbl over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
Thu, 29 Mar 2012 09:28:44 -0700
From: b***n ne**an <ba***an@hotmail.co.uk>
Date: Thu, 29 Mar 2012 13:28:43 +0000
To: go***n@ge***u.plus.com
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------49d37fb3861a533b40412bcd"
X-OriginalArrivalTime: 29 Mar 2012 16:28:44.0691 (UTC) FILETIME=[029AF630:01CD0DC9]
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: incredible
X-Antivirus: AVG for E-mail 2012.0.1913 [2114/4902]
X-AVG-ID: ID337E0E70-36F6A20C
--------------49d37fb3861a533b40412bcd
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
<b><span style="font-size: 26pt;">
<a  alt="4xws98v6wx8cxrmduzx
3su0u5s6qzc71v5hlgk6
0ttkpixnw6kx7si6f12b"
id="vaqtw6ia22b7nnff326
sxwpobztxj6m06cd3bvn"
href="x7c5wlgpeivy96.ww5.me/dd_go***n@ge***u.plus.com/k8u2
n5whpgepfvhpfl0mh3_ViewMsg" >
Click here to see the attached video</a>

-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2012.0.1913 / Virus Database: 2114/4902 - Release Date: 03/29/12
--------------49d37fb3861a533b40412bcd
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
<b><span style="font-size: 26pt;">
<a  alt="4xws98v6wx8cxrmduzx
3su0u5s6qzc71v5hlgk6
0ttkpixnw6kx7si6f12b"
id="vaqtw6ia22b7nnff326
sxwpobztxj6m06cd3bvn"
href="x7c5wlgpeivy96.ww5.me/dd_go***n@ge***u.plus.com/k8u2
n5whpgepfvhpfl0mh3_ViewMsg" >
Click here to see the attached video</a>
<a></a><p class=""avgcert"" align="left" color="#000000">No virus found in this message.<br>
Checked by AVG - <a href='http://www.avg.com'>www.avg.com</a><br>
Version: 2012.0.1913 / Virus Database: 2114/4902 - Release Date: 03/29/12</p>
--------------49d37fb3861a533b40412bcd--


No one has to agree with my opinion, but in the time I have left a miracle would be nice.
2 REPLIES
Superuser

Re: Suspect emails and Avasin 14

It looks like the message originated in Argentina, sent to Hotmail over a TLS (Transport Layer Security) protected connection. I think this implies the originator must have logged into the Hotmail account. Has your relative's Hotmail account been hacked?
As for the Plusnet Cloudmarks not picking it up as spam, obviously the content doesn't look sufficiently suspicious (to a machine) and the originating server should be reputable. I assume the Hotmail server took the same view since it didn't refuse to send it.
David
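
The header reading described in the reply above, as an added example that is not part of the original thread: it rebuilds the relay chain from the Received lines of the posted message, oldest hop first, and checks the submitting client against X-Originating-IP. The function names are hypothetical, the header text is copied from the first post with its continuation lines re-indented (an assumption about the original folding), and no geolocation lookup is attempted.

```python
import ipaddress
import re
from email import message_from_string

# Headers copied from the post above; continuation lines are re-indented
# (the forum flattened the folding) and addresses stay redacted as posted.
RAW = """\
Received: from [212.159.9.108] (helo=avasin14.plus.net)
  by inmx16.plus.net with esmtp (PlusNet MXCore v2.00) id 1SDIDQ-0008EB-FK
  for go***n@ge***u.plus.com; Thu, 29 Mar 2012 17:28:48 +0100
Received: from blu0-omc1-s12.blu0.hotmail.com ([65.55.116.23])
  by avasin14.plus.net with Plusnet Cloudmark Gateway
  id rUUl1i00A0WMjQp01UUoWB; Thu, 29 Mar 2012 17:28:48 +0100
Received: from BLU0-SMTP149 ([65.55.116.7]) by blu0-omc1-s12.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
  Thu, 29 Mar 2012 09:28:45 -0700
X-Originating-IP: [190.188.57.22]
Received: from [192.168.1.1] ([190.188.57.22]) by BLU0-SMTP149.phx.gbl over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675);
  Thu, 29 Mar 2012 09:28:44 -0700
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>\S+)")
IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def trace(raw):
    """Return hops oldest-first as dicts: helo, peer_ip, by, tls."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # newest header is on top
        flat = " ".join(value.split())                   # unfold continuation lines
        m = HOP.search(flat)
        if not m:
            continue
        ip = IP.search(m["info"]) or IP.search(m["helo"])
        hops.append({"helo": m["helo"], "peer_ip": ip.group() if ip else None,
                     "by": m["by"], "tls": "over TLS" in flat})
    return hops

def submission_summary(raw):
    """Facts about the first hop: the client that handed the mail to Hotmail."""
    first = trace(raw)[0]
    claimed = message_from_string(raw)["X-Originating-IP"].strip("[] ")
    return {"client_ip": first["peer_ip"], "tls": first["tls"],
            "matches_x_originating_ip": first["peer_ip"] == claimed,
            "helo_is_private": ipaddress.ip_address(first["helo"].strip("[]")).is_private}

if __name__ == "__main__":
    for hop in trace(RAW): print(hop)
    print(submission_summary(RAW))
```

The oldest Received line here was written by Hotmail's own server, so the peer address it recorded is what that server saw. The private address in the HELO position is only what the client claimed about itself.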
Luzern

Re: Suspect emails and Avasin 14

Reading through Google search results, "blu0-omc1-s12.blu0.hotmail.com" looks a bit fishy, possibly suitable for blacklisting?