Page 2 of 4 (results 11 to 20 of 32)
  1. #11 Raion (Senior Member; joined Dec 2003; New York, New York; 1,299 posts)
    Maybe they found an exploit in SP2 and they want everyone to download it to infect everyone's computers??? Other than that, I'm just as confused..
    WARNING: THIS SIGNATURE IS SHAREWARE PLEASE REGISTER THIS SIGNATURE BY SENDING ME MONEY TO SEE THE COMPLETE SIGNATURE!

  2. #12 Winston (Banned; joined Sep 2004; 145 posts)
    Yeah, but even if there was an exploit in SP2, I doubt the benefit of it (to the cracker) would outweigh having millions of unprotected computers out there ripe for the picking. SP2 fixes way too many of M$'s security issues.

    Oh yeah... I decided to vote for Jennifer Aniston. Bush and Kerry are just creepy.

  3. #13 secure_lockdown (Senior Member; joined Jul 2004; 131 posts)
    Originally posted here by moxnix
    Well, I only have the info provided but check out the spelling and typos for one thing.
    1. "don't forget to get itfor free today"
    2. "Help your friendsand family"
    3. "More ofwhat you love about your computer"
    Just to show a few....there are more, and I don't think MSN would allow something with those errors to go out.
    I use SuSE and Konqueror. Missing spaces between words: I get a lot of that in the email client from HTML emails.
    More cowbell! We need more cowbell!
    http://www.geocities.com/secure_lockdown/
    - - -
    "Is the firewall there to protect you from the outside world or is it there to protect the outside world from *YOU*?"

  4. #14 rktak (Junior Member; joined Sep 2004; 27 posts)

    Seems like Microsoft's network.

    try doing a trace route to the servers servera01.cpsmtpout3.msn.com and communications3.msn.com mentioned in the mail..... the last server is pos1-0.iuscixtukc1201.ntwk.msn.net before the request times out....

    now do a tracert to www.microsoft.com.... the last server again is pos1-0.iuscixtukc1201.ntwk.msn.net before the request times out....

    so basically the email seems to have originated somewhere from Microsoft's network.... now of course that doesn't make the email totally legitimate

    please correct me if I'm wrong!!!!
    keep smiling

  5. #15 Riot (Senior Member; joined Jun 2004; 379 posts)
    That's a weird one to crack. I have never seen one like that.

  6. #16 ShagDevil (Some Assembly Required; joined Nov 2002; New Jersey; 718 posts)
    Rktak, I did a couple IP Block/WhoIs checks on a couple of the servers as well and found they were both part of registered domains of Microsoft (communications3 and servera01).
    It appears as though the email originated from here:
    Received: from communications3.msn.com ([207.46.153.61])
    which Sam Spade identifies as registered to Microsoft. That's not saying that someone couldn't have just injected a couple extra Received: fields in order to make the email appear to have come from communications3.msn.com

    The path of the email runs through these server exchanges (from what I can see):
    communications3.msn.com
    servera01.cpsmtpout3.msn.com
    xprdmx9.nwk.excite.com
    0 (qmail-ldap-1.03) (I'm not sure about this one)

    The only actual exchange that seems to be a little odd is this:
    Received: from unknown (HELO xprdmx9.nwk.excite.com) ([10.50.30.30]) (envelope-sender <communications?wincs?fpp@communications3.msn.com> )
    by 0 (qmail-ldap-1.03) with SMTP
    If you look at Moxnix's WhoIs of this envelope sender, something seems somewhat fishy. In addition to that, if you do a WhoIs on xprdmx9.nwk.excite.com you'll see the IPs of the servers are not even remotely close to 10.50.30.30. That IP address actually belongs to IANA. Maybe I'm missing something?

    Anyways, something else bothers me about this being an effective scam.
    Remember,the easiest way to get SP2 is by turning on your AutomaticUpdate
    Why would they even bother putting this in here? Very strange indeed.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  7. #17 Tiger Shark (AO Ancient: Team Leader; joined Oct 2002; 5,197 posts)
    Ahem... Girls and Boys.....

    10.50.30.30
    Is indeed an IANA address..... Look at it really, really carefully and you will see that it fits rather nicely into the 10.0.0.0/8 IP address block that is private.

    It would be almost impossible to spoof this address since all communication back to the initiator would be dropped by the internet routers, (MS' included), so this did indeed originate within the MS network.

    I'm about to leave... I'll take another look in a minute....

    [Edit]

    It looks kosher to me....

    Are you an MS Preferred Customer?

    [/Edit]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
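An added example, not from any poster in this thread: a small Python walker for the kind of Received: chain ShagDevil and Tiger Shark pick apart in #16 and #17. The headers are constructed from the fragments quoted above (the timestamps and the "by" host of the MSN hop are assumptions), and the audit flags the two things argued over: an RFC 1918 address such as 10.50.30.30, which is not routable across the internet and so marks an internal hop of the receiving mail system, and a HELO name the receiving server could not confirm by reverse DNS.

```python
import re
from ipaddress import ip_address

# Constructed sample, modelled on the Received: fragments quoted in this
# thread; the timestamps and the "by" host of the MSN hop are assumptions.
RAW_HEADERS = """\
Received: from unknown (HELO xprdmx9.nwk.excite.com) ([10.50.30.30])
  (envelope-sender <communications?wincs?fpp@communications3.msn.com>)
  by 0 (qmail-ldap-1.03) with SMTP; 22 Sep 2004 10:11:12 -0000
Received: from communications3.msn.com ([207.46.153.61])
  by servera01.cpsmtpout3.msn.com with SMTP; 22 Sep 2004 10:10:55 -0000
"""

# One Received: header runs until the next "Received:" line or the end of text.
RECEIVED_RE = re.compile(r"^Received:\s*(?P<body>.*?)(?=^Received:|\Z)", re.M | re.S)
FROM_RE = re.compile(r"\bfrom\s+(?P<from>\S+)(?:\s+\(HELO\s+(?P<helo>[^)\s]+)\))?")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

def parse_received(raw):
    """Return the hops oldest-first; each MTA prepends its header, so reverse."""
    hops = []
    for m in RECEIVED_RE.finditer(raw):
        body = " ".join(m.group("body").split())   # fold continuation lines
        fm, ip, by = FROM_RE.search(body), IP_RE.search(body), BY_RE.search(body)
        hops.append({
            "from": fm.group("from") if fm else None,  # reverse-DNS name, or "unknown"
            "helo": fm.group("helo") if fm else None,  # client-supplied, unverified
            "ip": ip.group(1) if ip else None,         # address the receiver observed
            "by": by.group(1) if by else None,
        })
    return hops[::-1]

def audit_hops(hops):
    """Flag the two conditions debated in the thread."""
    findings = []
    for h in hops:
        if h["ip"] and ip_address(h["ip"]).is_private:
            findings.append(f"{h['ip']} -> {h['by']}: RFC 1918 address, not routable "
                            "from the internet; internal hop of the receiving side")
        if h["from"] == "unknown" and h["helo"]:
            findings.append(f"HELO {h['helo']} from {h['ip']}: no reverse DNS match; "
                            "the HELO name is asserted by the client, not verified")
    return findings

if __name__ == "__main__":
    for line in audit_hops(parse_received(RAW_HEADERS)):
        print(line)
```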

  8. #18 ShagDevil (Some Assembly Required; joined Nov 2002; New Jersey; 718 posts)
    Received: from unknown (HELO xprdmx9.nwk.excite.com) ([10.50.30.30])
    This seems very suspicious to me. The machine [xprdmx9.nwk.excite.com] is not identifying itself correctly. The associated IP address should not be resolving back to IANA but rather, some form of Excite's domains (I did a WhoIs on the server [xprdmx9.nwk.excite.com] and checked out the registered domains). Also, I believe the HELO field can be forged as well (if I remember correctly). This 10.50.30.30 is throwing me for a loop. Again, maybe I'm missing something?
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  9. #19 moxnix (Macht Nicht Aus; joined May 2002; Huson Mt.; 1,752 posts)
    Originally posted here by Tiger Shark
    Are you an MS Preferred Customer?
    No Tiger, except for getting a couple of free disks from them, I haven't communicated with MSN in a long time, and I don't think I used my excite account to do that.
    It still strikes me as a fake. If anyone wants to see the original email with the html intact, just pm me an email addy and I will forward it to you, and then maybe you can see what I mean.
    moxnix
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  10. #20 Tiger Shark (AO Ancient: Team Leader; joined Oct 2002; 5,197 posts)
    Mox... ahah.... I was going to ask if there was any html.....

    Right near the top there will be a declaration of an image map. The image map covers a large area of the email itself.... as you run your cursor over the email you should notice that it is a hand rather than a pointer....

    Am I correct?

    If so the address the image map points to is where you will be sent..... That's why everything else looks really kosher.... because it is.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
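An added example (not from anyone in this thread) of the check Tiger Shark describes in #20: pull every click target out of an HTML mail body, including the <area> entries of an image map laid over an image, and compare each target's host with the domain the mail claims to come from. The HTML body below is constructed for illustration and the off-domain URL is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body for illustration: the visible text and the one real
# <a> link point at microsoft.com, but an image map laid over the banner sends
# the click to a placeholder domain (sp2-download.example.net is made up).
SAMPLE_HTML = """\
<html><body>
<map name="hero">
  <area shape="rect" coords="0,0,600,400" href="http://sp2-download.example.net/get">
</map>
<img src="cid:banner" usemap="#hero" width="600" height="400">
<p>Remember, the easiest way to get SP2 is by turning on Automatic Update, or visit
<a href="http://www.microsoft.com/windowsxp/sp2/">www.microsoft.com</a></p>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect every clickable target: <a href> and the <area href> of image maps."""
    def __init__(self):
        super().__init__()
        self.links = []      # (tag, href)
        self.maps_used = []  # usemap="#name" references found on <img>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)      # HTMLParser already lower-cases tag and attribute names
        if tag in ("a", "area") and a.get("href"):
            self.links.append((tag, a["href"]))
        if tag == "img" and a.get("usemap"):
            self.maps_used.append(a["usemap"])

def audit_links(html, claimed_domain):
    """Return the image maps in use and every link whose host is outside claimed_domain."""
    p = LinkCollector()
    p.feed(html)
    off_domain = []
    for tag, href in p.links:
        host = (urlsplit(href).hostname or "").lower()
        if host != claimed_domain and not host.endswith("." + claimed_domain):
            off_domain.append((tag, href))
    return {"image_maps": p.maps_used, "off_domain": off_domain}

if __name__ == "__main__":
    report = audit_links(SAMPLE_HTML, "microsoft.com")
    print("image maps in use:", report["image_maps"])
    for tag, href in report["off_domain"]:
        print(f"off-domain click target via <{tag}>: {href}")
```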
