I got this email yesterday:
Return-Path: <email@example.com>
X-Original-To: firstname.lastname@example.org
Received: from smtp.buffalostate.edu (smtp.buffalostate.edu [184.108.40.206])
Received: from mail.buffalostate.edu (unverified [220.127.116.11]) by mail.buffalostate.edu (SurgeMail 3.9e) with ESMTP id 6842901-1888925 for multiple; Sat, 13 Dec 2008 16:06:31 -0500
To: (Recipient List Suppressed)
Received: from 18.104.22.168 by HTTP
Sender: email@example.com
From: "Update Your E-mail Account" <firstname.lastname@example.org>
Reply-To: email@example.com
Subject: Dear Email Owner
X-Mailer: 22.214.171.124 - gardcm23
X-Originating-IP: 126.96.36.199
Date: Sat, 13 Dec 2008 16:06:32 -0500
Priority: normal
Message-id: <firstname.lastname@example.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Authenticated-User: email@example.com

Dear Email Owner,

This message is from messaging center to all Email owners. We are currently upgrading our data base and e-mail center. We are deleting all unused email to create more space for new one.

CONFIRM YOUR EMAIL BELOW:
Email Username: ...............
EMAIL Password: ................

Warning!!! Email owner that refuses to update his or her Email, within Seven days of receiving this warning will lose his or her Email permanently. You are to send your email username and password to the webmaster via this email: firstname.lastname@example.org

Regards
Mrs. Anderson Mary
Webmaster (ORG)
This one is clearly a scam, and there is some interesting redirection going on as well. Start with the originating IP, 188.8.131.52: that address is located in Queensland, Australia. However, the sender appears to be 'email@example.com', which is an email address at New York State University College at Buffalo (and the IP addresses appear to confirm this). So the email was sent from Australia through a mail server in New York in the United States. On top of that, the visible email address you are supposed to return your email login information to is 'firstname.lastname@example.org'. Live.com is a domain name owned by Microsoft; it's one of the domain names you can get by signing up for a free email address with Microsoft's Hotmail service.
So someone in Australia sends an email through a New York university mail server and masquerades as someone from Microsoft??? Um, no. This is clearly a scam. It's trivial to create an email address called 'org-accountupdate' at Hotmail. The name looks pretty legitimate, but when you follow the email back along the path it took through the internet, it is clearly a scam. We see several classic signs of spam here. First, the English grammar in this email is incorrect. It's better than most, but still wrong. Second, it uses scare tactics to get you to respond: if you don't send your email username and password immediately, you'll lose your email! Considering that I received this email in a mailbox that is not run by Microsoft, nor by anyone in Queensland, Australia, nor by anything related to a university in New York, it is clearly a scam. Third, it is very generic. 'org-accountupdate' is just general enough to sound official, but there is no mention of WHAT organization is sending the email. Also, keep in mind that your email provider would never ask you for your email username and password - they already have it!
The secret to learning whether an email is legitimate is to study the raw email headers. Most email programs hide these from you because they are full of information that's not useful in most cases, but the program should have some way to show them. If you find an email like this that you are suspicious of, look through the options of your email program to find out how to view the raw headers. Then start looking at the various servers and IP addresses in the 'Received:' and other headers. Those headers give you the full information about the route the email took to reach you. If it sounds suspicious, it very likely is.
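As an added example (not part of the original post), the following Python script does the header reading described above automatically: it walks the 'Received:' chain from the recipient's server back to the originating host, pulls out the From, Sender and Reply-To domains, and flags the mismatches the post points out (Reply-To pointing at a different domain than From, no relay in the From domain, and a body that asks for a password). The sample message is constructed from the placeholder headers quoted in the post; the addresses and IPs are those placeholders, not real infrastructure, and the flag wording is my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, built from the placeholder headers quoted in the post.
# The body keeps only the lines that matter for the password check.
RAW_MESSAGE = """\
Return-Path: <email@example.com>
X-Original-To: firstname.lastname@example.org
Received: from smtp.buffalostate.edu (smtp.buffalostate.edu [184.108.40.206])
Received: from mail.buffalostate.edu (unverified [220.127.116.11])
  by mail.buffalostate.edu (SurgeMail 3.9e) with ESMTP id 6842901-1888925
  for multiple; Sat, 13 Dec 2008 16:06:31 -0500
To: (Recipient List Suppressed)
Received: from 18.104.22.168 by HTTP
Sender: email@example.com
From: "Update Your E-mail Account" <firstname.lastname@example.org>
Reply-To: email@example.com
Subject: Dear Email Owner
X-Originating-IP: 126.96.36.199
Date: Sat, 13 Dec 2008 16:06:32 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"

Dear Email Owner,
We are deleting all unused email to create more space for new one.
Email Username: ...............
EMAIL Password: ................
You are to send your email username and password to the webmaster.
"""

# "from <host> (... [<ip>])" and "by <host>" clauses of a Received header
FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:.*?\[(\d{1,3}(?:\.\d{1,3}){3})\])?")
BY_RE = re.compile(r"\bby\s+(\S+)")


def domain_of(header_value):
    """Return the lowercased domain part of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_hops(msg):
    """Return one dict per Received header, top of message first
    (the hop nearest the recipient)."""
    hops = []
    for received in msg.get_all("Received", []):
        text = " ".join(received.split())  # unfold continuation lines
        m_from = FROM_RE.search(text)
        m_by = BY_RE.search(text)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "from_ip": m_from.group(2) if m_from else None,
            "by": m_by.group(1) if m_by else None,
        })
    return hops


def analyze(raw):
    """Trace the delivery path and flag the tell-tale mismatches."""
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    sender_dom = domain_of(msg.get("Sender"))
    body = msg.get_payload(decode=True).decode(
        msg.get_content_charset() or "utf-8", "replace").lower()

    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to domain differs from From domain")
    if sender_dom and sender_dom != from_dom:
        flags.append("Sender domain differs from From domain")
    relay_hosts = [h for hop in hops for h in (hop["from"], hop["by"]) if h]
    if from_dom and not any(h.lower().endswith(from_dom) for h in relay_hosts):
        flags.append("no relay host belongs to the From domain")
    if "password" in body:
        flags.append("body asks for a password")

    return {
        "hops": hops,
        # the last Received header is the hop closest to the sender
        "origin": hops[-1]["from"] if hops else None,
        "originating_ip": msg.get("X-Originating-IP"),
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "flags": flags,
    }


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE)
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: from {hop['from']} [{hop['from_ip']}] by {hop['by']}")
    print("origin:", report["origin"], "X-Originating-IP:", report["originating_ip"])
    for flag in report["flags"]:
        print("FLAG:", flag)
```

Reading the hops from the bottom up reproduces the post's reasoning: the message entered via an HTTP submission from one address, was relayed by the buffalostate.edu servers, and claims a From address in yet another domain, with replies directed somewhere else again. None of these flags proves fraud on its own; a mailing-list relay or a forwarding service can also produce a Reply-To mismatch, which is why the script reports the path alongside the flags instead of a verdict.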