Suspicious email purporting to be from UC Berkeley professor about BOINC

AdmiralJeff
Joined: 11 Dec 99
Posts: 32
Credit: 25,877,576
RAC: 0
United States
Message 1851691 - Posted: 26 Feb 2017, 22:06:23 UTC

Anyone else seen one of these emails? It came in on an email address I only use for my SETI@home account.

I forwarded a copy to Professor Dragan in case her account may have been commandeered in some way.

The grammar seems to be a giveaway.

Original message and headers below, with email addresses redacted (xxx@xxx.xxx). The link to an EXE download file has also been removed from the body of the message.

I would hate to think that the database of SETI@home / BOINC user accounts has been hacked and user account info stolen.

Jeff

-----Begin Message Headers-----
Return-Path: <apache@n2yo.net>
Received: from n2yo.net (n2yo.com [64.71.74.100])
by mtaig-mcc02.mx.aol.com (Internet Inbound) with ESMTP id 2AA247000008A
for <xxx@xxx.xxx>; Sun, 26 Feb 2017 14:44:46 -0500 (EST)
Received: by n2yo.net (Postfix, from userid 48)
id 3D703383874; Sun, 26 Feb 2017 19:44:45 +0000 (UTC)
Date: Sun, 26 Feb 2017 19:44:45 +0000
To: xxx@xxx.xxx
From: =?UTF-8?Q??= <xxx@xxx.xxx>
Subject: =?UTF-8?Q?N=32YO=2enet_new_software_for_all_platforms?=
Message-ID: <43c6a606567e44e294a356ce16d5d6a6@n2yo.net>
X-Priority: 3
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"
x-aol-global-disposition: S
Authentication-Results: mx.aol.com;
spf=none (aol.com: the domain n2yo.net appears to have no SPF Record.) smtp.mailfrom=n2yo.net;
X-AOL-OVERRIDE-PIK-REASON: Y
X-AOL-REROUTE: YES
x-aol-sid: 3039ac1afd4258b3302e6462
X-AOL-IP: 64.71.74.100
X-AOL-SPF: domain : n2yo.net SPF : none
-----End Message Headers-----

-----Original Message-----
Subject: N2YO.net new software for all platforms
From: =?UTF-8?Q??= <xxx@xxx.xxx>
To: xxx@xxx.xxx

Hello Dear

Lawrence Livermore National Laboratory are working in association with University of California, Berkeley's BOINC project and we want to get suggests from our partners and developers.
Please download and review our new product to help us improving or contribution BOINC project :

[Link Removed]


Kind regards

Professor Anca Dragan
UC Berkeley, EECS
776 Sutardja Dai Hall #1758
Berkeley, CA 94720-1758

Personal Homepages:
https://www2.eecs.berkeley.edu/Faculty/Homepages/anca.html
https://people.eecs.berkeley.edu/~anca
ID: 1851691 · Report as offensive
Gordon Lowe
Joined: 5 Nov 00
Posts: 12094
Credit: 6,317,865
RAC: 0
United States
Message 1851701 - Posted: 26 Feb 2017, 22:33:49 UTC - in response to Message 1851691.  

Anytime an email starts off, "Hello dear", I get suspicious.
The mind is a weird and mysterious place
ID: 1851701 · Report as offensive
Carlos
Volunteer tester
Joined: 9 Jun 99
Posts: 29756
Credit: 57,275,487
RAC: 157
United States
Message 1851744 - Posted: 27 Feb 2017, 0:54:01 UTC

"we want to get suggests" Need you look any farther?
I have not gotten a copy, or if I did, my spam software blocked it before I ever saw it.
ID: 1851744 · Report as offensive
betreger
Joined: 29 Jun 99
Posts: 11360
Credit: 29,581,041
RAC: 66
United States
Message 1851747 - Posted: 27 Feb 2017, 1:27:35 UTC

I return them to the sender, a little spam for them is a good thing.
ID: 1851747 · Report as offensive
Gary Charpentier
Volunteer tester
Joined: 25 Dec 00
Posts: 30608
Credit: 53,134,872
RAC: 32
United States
Message 1851755 - Posted: 27 Feb 2017, 2:03:07 UTC

nothing here
ID: 1851755 · Report as offensive
zoom3+1=4
Volunteer tester
Joined: 30 Nov 03
Posts: 65709
Credit: 55,293,173
RAC: 49
United States
Message 1851790 - Posted: 27 Feb 2017, 4:50:45 UTC - in response to Message 1851744.  

My spam filter would block it, since I don't get this stuff in My email box.
The T1 Trust, PRR T1 Class 4-4-4-4 #5550, 1 of America's First HST's
ID: 1851790 · Report as offensive
Dr Who Fan
Volunteer tester
Joined: 8 Jan 01
Posts: 3194
Credit: 715,342
RAC: 4
United States
Message 1851798 - Posted: 27 Feb 2017, 5:30:40 UTC - in response to Message 1851691.  

Just looking at the email headers tells me it is 1000% SPAM!
Tip off(s):
Received: from n2yo.net (n2yo.com [64.71.74.100])

According to DomainTools : IP Location United States - Florida - West Palm Beach - Cloud South / Website Title LIVE REAL TIME SATELLITE TRACKING AND PREDICTIONS

x-aol-global-disposition: S

AOL Automatically flagged it as possible SPAM / Suspicious Mail "S"

spf=none (aol.com: the domain n2yo.net appears to have no SPF Record.) smtp.mailfrom=n2yo.net;
X-AOL-OVERRIDE-PIK-REASON: Y
X-AOL-REROUTE: YES

What is an SPF Record? An SPF (Sender Policy Framework) record is a list of servers that are allowed to send e-mail from your domain. This reduces spam activity that may be perceived to originate from your domain, which is known as source address spoofing.
https://www.liquidweb.com/kb/what-is-an-spf-record/
AOL says the email DID NOT come from where it claims to have. It was REROUTED / SENT FROM SOMEWHERE ELSE.
-----End Message Headers-----
ID: 1851798 · Report as offensive
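
The header checks walked through in the post above, as an added example that is not part of the original thread: a Python triage function run over a constructed sample built from header lines quoted in the first post. The function names `decode` and `triage` and the wording of the findings are assumptions; `spf=none` is treated here as "the domain publishes no SPF record, so the envelope sender could not be authenticated".

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample: a subset of the header lines quoted in the first post
# (addresses already redacted there); folded lines are tab-indented here.
SAMPLE = """\
Return-Path: <apache@n2yo.net>
Received: from n2yo.net (n2yo.com [64.71.74.100])
\tby mtaig-mcc02.mx.aol.com (Internet Inbound) with ESMTP id 2AA247000008A
\tfor <xxx@xxx.xxx>; Sun, 26 Feb 2017 14:44:46 -0500 (EST)
Received: by n2yo.net (Postfix, from userid 48)
\tid 3D703383874; Sun, 26 Feb 2017 19:44:45 +0000 (UTC)
From: =?UTF-8?Q??= <xxx@xxx.xxx>
Subject: =?UTF-8?Q?N=32YO=2enet_new_software_for_all_platforms?=
Authentication-Results: mx.aol.com;
\tspf=none (aol.com: the domain n2yo.net appears to have no SPF Record.) smtp.mailfrom=n2yo.net;

"""

def decode(value):
    """Decode RFC 2047 encoded-words (=?UTF-8?Q?...?=) to plain text."""
    return str(make_header(decode_header(value)))

def triage(raw):
    msg = message_from_string(raw)
    findings = []
    # An encoded-word that decodes to nothing leaves the sender unnamed.
    if not decode(parseaddr(msg.get("From", ""))[0]).strip():
        findings.append("From has no display name")
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    # Receiver's SPF verdict; "none" = the domain publishes no SPF record.
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    spf = m.group(1).lower() if m else "missing"
    if spf != "pass":
        findings.append(f"SPF is {spf}: envelope domain not authenticated")
    # Each relay prepends its Received line, so the last one is the origin.
    hops = msg.get_all("Received", [])
    uid = re.search(r"Postfix, from userid (\d+)", hops[-1]) if hops else None
    if uid:
        findings.append(f"injected locally on origin host by uid {uid.group(1)}")
    return {"subject": decode(msg.get("Subject", "")),
            "envelope_domain": envelope.rpartition("@")[2],
            "spf": spf, "hops": len(hops), "findings": findings}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
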
Dr Who Fan
Volunteer tester
Joined: 8 Jan 01
Posts: 3194
Credit: 715,342
RAC: 4
United States
Message 1851800 - Posted: 27 Feb 2017, 5:32:34 UTC - in response to Message 1851747.  

> I return them to the sender, a little spam for them is a good thing.

BAD IDEA!
Another great way to get EVEN MORE SPAM mail. It also tells them they have found a WORKING EMAIL ADDRESS.
ID: 1851800 · Report as offensive
Grant (SSSF)
Volunteer tester

Joined: 19 Aug 99
Posts: 13720
Credit: 208,696,464
RAC: 304
Australia
Message 1851801 - Posted: 27 Feb 2017, 5:36:35 UTC - in response to Message 1851800.  

> > I return them to the sender, a little spam for them is a good thing.
>
> BAD IDEA!
> Another great way to get EVEN MORE SPAM mail. It also tells them they have found a WORKING EMAIL ADDRESS.

The other problem is that often (pretty much always) the return address is valid, but it's not the sender's. Some poor sod ends up getting spammed by all the returned spam with no idea why they're suddenly getting all this rubbish being bounced back at them, even though they had nothing to do with it.
Grant
Darwin NT
ID: 1851801 · Report as offensive
bluestar

Joined: 5 Sep 12
Posts: 6995
Credit: 2,084,789
RAC: 3
Message 1851822 - Posted: 27 Feb 2017, 10:45:44 UTC
Last modified: 27 Feb 2017, 10:55:48 UTC

In my opinion if this happened to be a true "bitch" mail, I would rather post the complete header in full for such a thing.

Unless so, you could perhaps pretend not to be any much better yourself.

A given wording in such an e-mail stating "may be forged" when it comes to the possible IP-address for the sender, should be taken 50/50 in my opinion.

Sorry about that, but I happen to know about it.
ID: 1851822 · Report as offensive
Gary Charpentier
Volunteer tester
Joined: 25 Dec 00
Posts: 30608
Credit: 53,134,872
RAC: 32
United States
Message 1851849 - Posted: 27 Feb 2017, 14:30:45 UTC

@AdmiralJeff Since no one else seems to be getting one, I'd suspect spear phishing. It may be intended just for you. Do you work in a sensitive industry?
ID: 1851849 · Report as offensive
