Phishing?

General discussions and other topics.
20 posts Page 2 of 2
by fredw » Wed Jan 13, 2021 3:20 pm
Yeah, I got it too, fell for it, and had to change my password. I've only recently started using the newer webmail and it seems to me that it's harder to see the real email source than with the legacy-webmail.
by dane » Wed Jan 13, 2021 4:35 pm
billfalls wrote:I received this email as well. I'm surprised that it was not caught by the Sonic spam filter.
That's often the reaction that people have. But these are really tough to block, because of the way that anti-spam algorithms work.

Basically we use a global network of scores, for words and phrases, for sources and senders, for servers and relays. So mentioning "cialis" might be worth 1.5 points, while coming from a relay that's been reported as a source of spam might be worth 1.0 points. Having an invalid return address might add to the score. And when it adds up to more than a certain level, we think it's spam and segregate it.

But this phishing is narrowly focused, and directed only at Sonic customers. It doesn't look like typical spam - no free cruises or off-shore medication etc. And it doesn't trip scores from other carriers who participate in these global clearinghouses of block-lists and triggers.

So - hard to block. And really frustrating. Sorry.
Dane Jasper
Sonic
by klui » Wed Jan 13, 2021 7:39 pm
The big red flag is the body contains a link that it claims will take care of the described problem. I recently got a phishing email claiming to come from a bank where my account will be limited unless I renew my information. They even provided a link where I can enter all my info!

First thing to do is to look at the email headers. Sure enough it's coming from some randomly-generated address. I didn't even bother to flag it as SPAM due to the email's random nature. Never even bothered to look at the link. On mobile you can long press a link to see it but it could be misconstrued as a tap if one isn't careful so much better on desktop where a simple hover can do it.

https://www.capitalone.com/learn-grow/p ... -phishing/
by corley » Mon Nov 29, 2021 8:26 am
Should we report when we receive a phishing email from someone pretending to be Sonic, so Sonic knows about it? Should we forward the phishing email to some email address in Sonic? Or should we assume that Sonic already knows about it? The one I received below today made it through the SPAM filter even though I have the SPAM filter set to the strongest setting.

I couldn't post in the graphics that went with this but it looks fairly authentic. If I hadn't checked the actual links and email addresses. Some people are probably being fooled by it.

Thanks.

Chuck

Sonic
We're experiencing issues with your information
Update your Profile.
http://home.cablelan.net/~djules/one/
If you're not sure why you received this email, you can click on the link above.10:27:31 PM


Return-Path: <agtmgutsche@internode.on.net>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on e.spam.sonic.net
X-Spam-Level:
X-Spam-Status: No, score=-0.1 required=1.0 tests=HTML_MESSAGE,KHOP_HELO_FCRDNS,
MSGID_FROM_MTA_HEADER,RCVD_HELO_IP_MISMATCH,SNF4SA,SONIC_BX_A2,
SPF_HELO_NONE shortcircuit=no autolearn=disabled version=3.4.6
X-Spam-SNF-Result: 0 (Standard White Rules)
X-Spam-MessageSniffer-Scan-Result:
X-Spam-MessageSniffer-Rules:
0-0-0-14646-c
X-Spam-GBUdb-Analysis: 0, 157.131.224.146, Ugly c=1 p=-0.738328 Source Normal
Received: from f.mx.sonic.net (b.spam-proxy.sonic.net [157.131.224.146])
by a.local-delivery (8.14.7/8.14.7) with ESMTP id 1ATERZiw023415
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
for <corley@lds.sonic.net>; Mon, 29 Nov 2021 06:27:35 -0800
Received: from smtp-out-b2-7.tor.pathcom.com (smtp-out-b2-134.tor.pathcom.com [207.188.95.134])
by f.mx.sonic.net (8.14.7/8.14.7) with ESMTP id 1ATERXqj208774
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
for <corley@sonic.net>; Mon, 29 Nov 2021 06:27:35 -0800
Message-Id: <202111291427.1ATERXqj208774@f.mx.sonic.net>
Received: from smtp-auth08.tor.pathcom.com (localhost [127.0.0.1])
by smtp-auth08.tor.pathcom.com (Postfix) with ESMTP id A16B7540FB5
for <corley@sonic.net>; Mon, 29 Nov 2021 09:22:17 -0500 (EST)
Received: from 107.181.178.76 (unknown [172.93.207.97])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
(Authenticated sender: crsg@pathcom.com)
by smtp-auth08.tor.pathcom.com (Postfix) with ESMTPSA
for <corley@sonic.net>; Mon, 29 Nov 2021 09:22:17 -0500 (EST)
From: "Sonic" <agtmgutsche@internode.on.net>
Subject: corley@sonic.net
To: "corley" <corley@sonic.net>
Content-Type: multipart/alternative; boundary="FQHRicstaLTQoHI2KOkszWhtvruMy1o=_9"
MIME-Version: 1.0
Date: Mon, 29 Nov 2021 22:27:32 +0800
X-Orthrus: tar=0 grey=no co=CA os=Linux/3.11 and newer/28 spf=permerror dkim=none
by corley » Mon Nov 29, 2021 8:29 am
Attached is a picture of the graphic for the phishing email.

by ds_sonic_asif » Mon Nov 29, 2021 2:03 pm
Here is another mole to whack. Received about 7 hours ago. I just got one where the subject and recipient were my sonic email address. The html message had "Sonic. We are experiencing issues with your information". The "Update your Profile." button (defanged below with a couple of added spaces) goes to:

http ://home.cablelan.net/~djules/one/
by virtualmike » Mon Nov 29, 2021 8:35 pm
Send the info you posted here to support@sonic.net.
by dkenglish7 » Thu Dec 02, 2021 4:12 pm
I reported that one to support, and got a response of "If you want it blacklisted, respond with your full name and account address." Seems rather silly and apathetic - why else would I go to the trouble of reporting?
by virtualmike » Thu Dec 02, 2021 8:53 pm
Sorry to hear you had that experience. Next time, introduce the email with "Please forward to Sonic server operations so that Sonic customers don't get caught in this phishing net."
by peregrin » Fri May 13, 2022 1:26 pm
Got a fake sonic.net email.
Return-Path: <m.fujisawa@granver.co.jp>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on e.spam.sonic.net
X-Spam-Level: **
X-Spam-Status: No, score=2.1 required=5.0 tests=DCC_CHECK,HTML_IMAGE_ONLY_12,
HTML_MESSAGE,HTTPS_HTTP_MISMATCH,KHOP_HELO_FCRDNS,
MSGID_FROM_MTA_HEADER,RCVD_IN_XBL,SNF4SA,SONIC_BX_A2,SPF_HELO_NONE,
T_REMOTE_IMAGE,T_SCC_BODY_TEXT_LINE shortcircuit=no autolearn=disabled
version=3.4.6
X-Spam-SNF-Result: 0 (Standard White Rules)
X-Spam-MessageSniffer-Scan-Result:
X-Spam-MessageSniffer-Rules:
0-0-0-3829-c
X-Spam-GBUdb-Analysis: 0, 157.131.224.146, Ugly c=1 p=-0.778522 Source Normal
Received: from f.mx.sonic.net (b.spam-proxy.sonic.net [157.131.224.146])
by a.local-delivery (8.14.7/8.14.7) with ESMTP id 24CHpr4B018835
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
for <peregrin@lds.sonic.net>; Thu, 12 May 2022 10:51:53 -0700
Received: from granver.co.jp (granver.co.jp [1.33.170.8])
by f.mx.sonic.net (8.14.7/8.14.7) with ESMTP id 24CHpgBU059874
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
for <peregrin@sonic.net>; Thu, 12 May 2022 10:51:51 -0700
Message-Id: <202205121751.24CHpgBU059874@f.mx.sonic.net>
Received: (qmail 10158 invoked by SAV 20220512.007 by uid 0); 13 May 2022 02:51:41 +0900
Received: from unknown (HELO D34.4ajhsehqjcee1mewnswj3kfhsg.phxx.internal.cloudapp.net) (m.fujisawa@granver.co.jp@20.118.129.32)
by dc43.etius.jp (1.33.170.8) with ESMTPA; 13 May 2022 02:51:41 +0900
Content-Type: multipart/alternative; boundary="===============1734335269=="
MIME-Version: 1.0
Subject: Sonic.net Service Violation Notice
To: "services.center@suddenlink.net" <m.fujisawa@granver.co.jp>
From: "Information Center" <m.fujisawa@granver.co.jp>
Date: Thu, 12 May 2022 17:51:39 +0000
X-Orthrus: tar=1 grey=no co=JP os=Linux/3.1-3.10/839 spf=pass dkim=none
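An added example, not part of any post in this thread and not Sonic's own filtering code: it parses an abridged copy of the first set of headers posted above, reads the global score from X-Spam-Status (below the threshold, as described earlier in the thread), and then applies the brand-specific header checks a reader can do by hand. The names `BRAND`, `BRAND_DOMAIN`, `spam_status` and `triage` are hypothetical, and reading the `spf=` and `dkim=` fields of X-Orthrus as the receiving server's authentication results is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged from the first headers posted in this thread (line folding restored).
SAMPLE = """\
Return-Path: <agtmgutsche@internode.on.net>
X-Spam-Status: No, score=-0.1 required=1.0 tests=HTML_MESSAGE,KHOP_HELO_FCRDNS,
    MSGID_FROM_MTA_HEADER,RCVD_HELO_IP_MISMATCH,SNF4SA,SONIC_BX_A2,
    SPF_HELO_NONE shortcircuit=no autolearn=disabled version=3.4.6
From: "Sonic" <agtmgutsche@internode.on.net>
Subject: corley@sonic.net
To: "corley" <corley@sonic.net>
X-Orthrus: tar=0 grey=no co=CA os=Linux/3.11 and newer/28 spf=permerror dkim=none

"""

BRAND = "sonic"             # assumption: brand name being impersonated
BRAND_DOMAIN = "sonic.net"  # assumption: only legitimate sender domain

def spam_status(msg):
    """Return (score, required) parsed from X-Spam-Status, or None."""
    m = re.search(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)",
                  msg.get("X-Spam-Status", ""))
    return (float(m.group(1)), float(m.group(2))) if m else None

def triage(raw):
    """Return ((score, required), [findings]) for one raw header block."""
    msg = message_from_string(raw)
    findings = []
    # Display name claims the brand, but the address is on another domain.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    on_brand = domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN)
    if BRAND in name.lower() and not on_brand:
        findings.append(f"display name {name!r} but sender domain is {domain}")
    # Subject that is nothing more than the recipient's own address.
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr and msg.get("Subject", "").strip().lower() == to_addr.lower():
        findings.append("subject is just the recipient's address")
    # Sender authentication results recorded by the receiving server.
    auth = dict(re.findall(r"\b(spf|dkim)=(\w+)", msg.get("X-Orthrus", "")))
    if auth.get("spf") not in (None, "pass"):
        findings.append(f"spf={auth['spf']}")
    if auth.get("dkim") == "none":
        findings.append("no DKIM signature")
    return spam_status(msg), findings
```

On this sample the global score stays under the spam threshold while all four local checks fire, which is the gap between generic scoring and a narrowly targeted message.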