Re: InfoSec Alert from University of Cincinnati

[Ken Connelly <Ken.Connelly () UNI EDU>]

I wouldn't expect anti-spam to care about the From: and the Reply-to: 
being different. While not necessarily a common occurrence, that's the 
proper way to get responses from mail you send from one address to go to 
another address.

I *would* expect anti-spam to fire if the header-from domain and the 
envelope-from domain were different and/or if those domains didn't match 
with the IP address of the smtp client sending the mail, but a disparate 
reply-to is legit.

- ken

Mclaughlin, Kevin (mclaugkl) wrote:
> Hi Everyone:
>
> Just some information I thought you might be interested in.
>
> We were hit by a Spear Phishing attack on Friday. This attack proved 
> to be pretty successful against the members of our community and 
> caused a lot of extra work for our email services team over the 
> weekend. The attack basically asked members of our student email 
> community to send their passwords to a member of the UC email support 
> team (see actual email below). We had put an alert out via our IT and 
> technology listserve groups early Friday when we got wind of this but 
> surprisingly (or not surprisingly) a large percentage of our students 
> fell for this particular attack. What was even more interesting was 
> that our Mirapoint SPAM filters assigned this a low likelihood of SPAM 
> value even though the “From” and “Reply To” addresses were completely 
> different domains.
>
> -Kevin
>
> *========================================= Information Security Alert 
> ========================================================*
>
> UC Information Security has received a report of a new spear-phishing 
> attempt against UC email users. Spear-Phishing is a phishing campaign 
> tailored to a specific target group, using language or information to 
> pacify suspicions of the target group.
>
> This phishing attempt requests the user to send their password in a 
> reply email. Please alert your communities to this threat and remind 
> them that UCit will never ask for a password to be sent by email!
>
> *The Phishing message looks like this. (Note that the return address 
> is a yahoo account):*
>
> From: "EMAIL.UC.EDU SUPPORT" <support () email uc edu>
>
> Date: January 24, 2008 9:36:14 AM EST
>
> To: undisclosed-recipients:;
>
> Subject: Confirm Your E-mail Address
>
> Reply-To: youfidnet () yahoo com
>
> Dear Email.uc.edu Subscriber,
>
> To complete your email.uc.edu account, you must reply to this email
>
> immediately and enter your password here (*********)
>
> Failure to do this will immediately render your email address
>
> deactivated from our database.
>
> You can also confirm your email address by logging into your
>
> email.uc.edu account at https://email.uc.edu
>
> Thank you for using EMAIL.UC.EDU !
>
> EMAIL.UC.EDU TEAM
>
> *=================================== End Information Security Alert 
> ==========================================*
>
> Kevin L. McLaughlin
>
> CISM, CISSP, GIAC,PMP, ITIL Master Certified
>
> Director, Information Security
>
> University of Cincinnati
>
> 513-556-9177 (w)
>
> 513-703-3211 (m)
>
> 513-558-ISEC (department)
>
> UC-Logo-800
>
>
> CONFIDENTIALITY NOTICE: This e-mail message and its content is 
> confidential, intended solely for the addressee, and may be legally 
> privileged. Access to this message and its content by any individual 
> or entity other than those identified in this message is unauthorized. 
> If you are not the intended recipient, any disclosure, copying or 
> distribution of this e-mail may be unlawful. Any action taken or 
> omitted due to the content of this message is prohibited and may be 
> unlawful.

--
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373