6 Replies Latest reply: Feb 22, 2013 2:15 PM by oilnwine
oilnwine Level 1 (0 points)

I am having problems with spoofing from eigbox.net. They are posing as legitimate senders (like apple.com). This is one that I surely would not have thought it originated from them. Here is the complete header of the SPAM email.

Return-path: <d_nt_bounces@new.itunes.com>
Envelope-to: maddy@konawind.com
Delivery-date: Mon, 18 Feb 2013 14:56:42 -0500
Received: from bosimpinc05.eigbox.net ([10.20.13.5])
         by bosmailscan20.eigbox.net with esmtp (Exim)
         id 1U7WpN-0002KZ-QP
         for maddy@konawind.com; Mon, 18 Feb 2013 14:56:41 -0500
Received: from msbadger1006.apple.com ([17.254.6.227])
         by bosimpinc05.eigbox.net with NO UCE
         id 1vwg1l03T4ttjy901vwgdb; Mon, 18 Feb 2013 14:56:41 -0500
X-EN-OrigIP: 17.254.6.227
X-EN-IMPSID: 1vwg1l03T4ttjy901vwgdb
DKIM-Signature: v=1; a=rsa-sha1; d=new.itunes.com; s=itunes2048; c=relaxed/simple;
         q=dns/txt; i=@new.itunes.com; t=1361216199;
         h=From:Subject:Date:To:MIME-Version:Content-Type;
         bh=Zy542eO5G8qq2FxdfQjMEttZeLs=;
         b=AOovBbGljd2kQMVphmatSXO/pZwgtX/9Zj7+j2Mdw/ARJnLt+86HGjJO/XBLBwOI
         aY5ODeopWao49l11r6mzS72NIIjlDqsLBA7vwSaQHcrvXOdr6uzNiMaEdo7hASoQ
         XzrpJ6kpDGOO+gVDEd31dJdF3ORn5NRKXrIWEv/Y8xopga288Gy2vCg7ssIP55KV
         maqXNgTdVLtXqskq3oDSzNd/SkwuY6FC+64MOrI9qq+1+dbDPCvtpNy213g1c4T4
         P3MFYL5gBbfHruIYpBXCuHAeJuBHlSyaV4irTL8lJ/NBoJH0q3KwTG71LVgwjDo7
         9nkE+hFWf0VAnl346sWCIQ==;
Date: Mon, 18 Feb 2013 19:36:38 +0000
From: iTunes <discover@new.itunes.com>
To: maddy@konawind.com
Message-ID: <520644072.47026365.1361216198875.JavaMail.cboxp@ednabay.apple.com>
Subject: Hamlet: The Shakesperience, United States Government, Apps for
     Learning History, and More
MIME-Version: 1.0
Content-Type: multipart/alternative;
         boundary="----=_Part_47026364_946702385.1361216198875"
X-Broadcast-Id: 108558
List-Unsubscribe: <http://mynews.apple.com/subscriptions?v=2&la=en_us&a=RYG6vuOtNDA7ZUWxdhXV2T320VXyPX0rQU3UY9%2F7LTrPF%2BzxwdgRn9X9FZeGutDg2Y1ZE5uK6j9tCpXRvjQgI16hOlml3QyxI5NAkhzVmnGaOOVOH58YfS%2F4TSJCj00T>
X-Sent-To: maddy@konawind.com,2,AehB%2FVCEQOL6XXN%2F0c2E9WfYxwcU7DQAsO58%2BZpwwQjR6UkyCNNEe2fT3b2nOkqTAPLnKPBhW%2F5LOLV1MGXuXwOsHdREC1t%2F3tPi5v3nnMESm388Twlx9Im8hS8ZOAGp

How do I get rid of all this junk mail? Any help would be appreciated.

TIA

~Maddy


iMac, Mac OS X (10.6.8)
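
Added example (not code from the thread, Apple, or the mail provider): a short Python script that reads the posted headers the way a mail admin would. It unfolds the header block, walks the Received chain newest-first through the hops written by the recipient's own provider until it reaches the hop where a message arrived from outside, and compares the DKIM-Signature d= domain with the From: domain. In the headers above the "by" hosts are all eigbox.net, so eigbox.net is the receiving side; the external hop is the address 17.254.6.227, which announced itself as msbadger1006.apple.com. The HELO name in a Received line is whatever the client claimed, while the bracketed IP is what the receiving server observed, and any Received lines below your own provider's servers could have been written by anyone. The sample is the header block posted above with the body omitted, the spaces the forum inserted before ">" and ";" removed, and the b= value shortened (the signature is not verified offline; that needs the DNS TXT record whose name the script builds). The trusted-domain parameter eigbox.net is an assumption read off the headers.

```python
import ipaddress
import re

# Constructed sample: the headers posted above, body omitted, forum-inserted spaces
# removed, b= value shortened (the signature is not verified here).
RAW_HEADERS = """\
Return-path: <d_nt_bounces@new.itunes.com>
Received: from bosimpinc05.eigbox.net ([10.20.13.5])
         by bosmailscan20.eigbox.net with esmtp (Exim)
         id 1U7WpN-0002KZ-QP
         for maddy@konawind.com; Mon, 18 Feb 2013 14:56:41 -0500
Received: from msbadger1006.apple.com ([17.254.6.227])
         by bosimpinc05.eigbox.net with NO UCE
         id 1vwg1l03T4ttjy901vwgdb; Mon, 18 Feb 2013 14:56:41 -0500
X-EN-OrigIP: 17.254.6.227
DKIM-Signature: v=1; a=rsa-sha1; d=new.itunes.com; s=itunes2048; c=relaxed/simple;
         q=dns/txt; i=@new.itunes.com; t=1361216199;
         h=From:Subject:Date:To:MIME-Version:Content-Type;
         bh=Zy542eO5G8qq2FxdfQjMEttZeLs=;
         b=AOovBbGljd2kQMVphmatSXO/pZwgtX/9Zj7+j2Mdw/ARJnLt+86HGjJO/XBLBwOI;
From: iTunes <discover@new.itunes.com>
To: maddy@konawind.com
"""

# Exim-style hop "from <helo-name> ([<ip>]) by <mta> ...": the HELO name is what the
# client claimed, the bracketed IP is what the receiving MTA actually saw.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>[0-9A-Fa-f.:]+)\]?\).*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)


def unfold_headers(raw):
    """Undo RFC 5322 folding; returns [name (lower-cased), value] pairs in order."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[:1] in " \t" and fields:
            fields[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            fields.append([name.strip().lower(), value.strip()])
    return fields


def header(raw, name):
    """First value of the named header, or '' if absent."""
    return next((v for n, v in unfold_headers(raw) if n == name), "")


def received_hops(raw):
    """Parsed Received hops in header order: newest first, recipient's MTA on top."""
    hops = []
    for name, value in unfold_headers(raw):
        if name == "received":
            m = HOP_RE.search(value)
            if m:
                hops.append(m.groupdict())
    return hops


def external_origin(hops, own_domain):
    """Walk newest-first through hops written by own_domain's servers and return the
    first whose sender is neither a private address nor one of our own hosts.
    Hops below that boundary were written by other parties and may be forged."""
    suffix = "." + own_domain.lower()
    for hop in hops:
        if not hop["by"].lower().endswith(suffix):
            break
        ip = ipaddress.ip_address(hop["ip"])
        if ip.is_private or hop["helo"].lower().endswith(suffix):
            continue
        return hop
    return None


def dkim_tags(raw):
    """DKIM-Signature tag list (v=, d=, s=, h=, ...) with folding whitespace dropped."""
    parts = re.sub(r"\s+", "", header(raw, "dkim-signature")).split(";")
    return {k: v for k, sep, v in (p.partition("=") for p in parts) if sep}


def dkim_aligned(raw):
    """True when the signing domain d= is the From: domain or a parent of it.
    Alignment says who vouches for the message; it is not signature verification."""
    d = dkim_tags(raw).get("d", "").lower()
    m = re.search(r"@([A-Za-z0-9.-]+)", header(raw, "from"))
    fd = m.group(1).lower() if m else None
    return bool(d) and fd is not None and (fd == d or fd.endswith("." + d))


def dkim_key_record(tags):
    """DNS name the public key is published at (RFC 6376): <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


if __name__ == "__main__":
    hops = received_hops(RAW_HEADERS)
    for h in hops:
        print(f"{h['by']} accepted mail from {h['helo']} [{h['ip']}]")
    print("external origin:", external_origin(hops, "eigbox.net"))  # assumed own provider
    print("DKIM d= aligned with From:", dkim_aligned(RAW_HEADERS))
    print("key record to fetch for verification:", dkim_key_record(dkim_tags(RAW_HEADERS)))
```

The value worth looking up (whois, or a SpamCop report as suggested later in the thread) is the IP of the external hop, not the names in the From: line or the HELO string, since only the IP was recorded by the recipient's own server.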
  • oilnwine Level 1 (0 points)

    OK so I downloaded and ran ClamXav and it found 6 instances of a phishing app. It found several instances of these:

    Heuristics.Phishing.Email.SpoofedDomain

    HTM.Phishing.Pay-201

    I deleted them, but I am wondering where this email is originating from. Does anyone know, and how do I get rid of it?

    TIA
    ~Maddy

  • janetfrommountainview Level 1 (0 points)

    Disregard.

  • MadMacs0 Level 5 (4,605 points)

    oilnwine wrote:

    OK so I downloaded and ran ClamXav and it found 6 instances of a phishing app. It found several instances of these:

    Heuristics.Phishing.Email.SpoofedDomain

    This may or may not have been an actual phishing attempt. The word "Heuristics" indicates that something about the format of the message was suspicious, not that it matched a particular signature. You should always read these before deleting.

    HTM.Phishing.Pay-201

    Looks like it's actually "HTML.Phishing.Pay-201", which matches a signature that reads "as*part*of*our*security measures, we regularly screen activity in the{WILDCARD_ANY_STRING(LENGTH<=14)}paypal system. we recently contacted you after noticing an issue", except that I inserted some "*" for spaces to prevent this from being identified. This can safely be deleted, but make certain you do it properly.

    Never use ClamXav (or any other A-V software) to move (quarantine) or delete e-mail. It will corrupt the mailbox index, which could cause loss of other e-mail and other issues with functions such as searching. It may also leave the original e-mail on your ISP's e-mail server, and it will be re-downloaded to your hard drive the next time you check for new mail.

    So, if you choose to "Scan e-mail content for malware and phishing" in the General Preferences, make sure you do not elect to either Quarantine or Delete infected files.

    I am wondering where this email is originating from.

    The best way I know is to submit it to SpamCop the next time you get one.
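
Added example (not from the thread, ClamXav or ClamAV): a Python sketch of the two kinds of detection named in the reply above, so you can see for yourself what each one fires on. The decoded Pay-201 text is turned into a regex, with the "*" placeholders restored to spaces and the wildcard token read as "up to n arbitrary bytes" (that reading of ClamAV's {-n} wildcard is an assumption, as is the crude HTML normalisation: tags dropped, whitespace collapsed, lower-cased). The second check is a SpoofedDomain-style heuristic: a link whose visible label names one host while its href goes somewhere else. Both HTML bodies are constructed for the example and are not messages from the thread.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The decoded Pay-201 text as quoted above, "*" placeholders restored to spaces.
PAY_201_DECODED = (
    "as part of our security measures, we regularly screen activity in the"
    "{WILDCARD_ANY_STRING(LENGTH<=14)}paypal system. we recently contacted "
    "you after noticing an issue"
)
WILDCARD_RE = re.compile(r"\{WILDCARD_ANY_STRING(?:\(LENGTH<=(\d+)\))?\}")


def decoded_sig_to_regex(decoded):
    """Escape the literal text; {WILDCARD_ANY_STRING(LENGTH<=n)} becomes .{0,n} and a
    bare {WILDCARD_ANY_STRING} becomes .* (assumed reading of the decoded wildcards)."""
    out, pos = [], 0
    for m in WILDCARD_RE.finditer(decoded):
        out.append(re.escape(decoded[pos:m.start()]))
        out.append(".*" if m.group(1) is None else ".{0,%s}" % m.group(1))
        pos = m.end()
    out.append(re.escape(decoded[pos:]))
    return re.compile("".join(out), re.DOTALL)


class _TextAndLinks(HTMLParser):
    """Collects visible text plus (href, visible label) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._label = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href"), []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)


def normalize_html(body):
    """Rough stand-in for a scanner's HTML normaliser. Returns (text, links)."""
    p = _TextAndLinks()
    p.feed(body)
    p.close()
    return re.sub(r"\s+", " ", "".join(p.text)).strip().lower(), p.links


def signature_hit(body, decoded=PAY_201_DECODED):
    """True when the decoded signature text occurs in the normalised body."""
    return decoded_sig_to_regex(decoded).search(normalize_html(body)[0]) is not None


HOST_IN_LABEL = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def spoofed_domain_links(body):
    """SpoofedDomain-style heuristic: the label shows one host, the href goes to another.
    Labels that are not URL-like (e.g. "Unsubscribe") are not judged."""
    hits = []
    for href, label in normalize_html(body)[1]:
        shown = HOST_IN_LABEL.search(label.lower())
        if shown and shown.group(1) != (urlparse(href).hostname or "").lower():
            hits.append((label, href))
    return hits


# Constructed samples for this example, not mail from the thread.
PHISH_HTML = """<html><body><p>As part of our security measures, we regularly screen
activity in the <b>PayPal</b> system. We recently contacted you after noticing an issue.</p>
<p><a href="http://203.0.113.5/login">https://www.paypal.com/signin</a></p></body></html>"""

NEWSLETTER_HTML = """<html><body><p>Hamlet: The Shakesperience, United States Government,
Apps for Learning History, and More</p>
<p><a href="http://mynews.apple.com/subscriptions?v=2">mynews.apple.com</a>
<a href="http://mynews.apple.com/subscriptions?v=2">Unsubscribe</a></p></body></html>"""

if __name__ == "__main__":
    for name, body in (("phish", PHISH_HTML), ("newsletter", NEWSLETTER_HTML)):
        print(name, "Pay-201:", signature_hit(body), "spoofed links:", spoofed_domain_links(body))
```

The signature only fires on the PayPal wording, which is why a hit on it is a safe delete, while the heuristic judges link shape and can flag legitimate newsletters whose tracking links are labelled with a different host, which is why the reply says to read those before deleting.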

  • oilnwine Level 1 (0 points)

    Thanks, but what do I do with the files that it does find? Can I delete them manually?

    ~Maddy

  • MadMacs0 Level 5 (4,605 points)

    oilnwine wrote:

    Thanks, but what do I do with the files that it does find? Can I delete them manually?

    Sort of.

    When possibly infected e-mail files are found:

    1. Highlight the entry in the ClamXav window's top pane that needs to be dealt with.
    2. Right-click/Control-click on the entry. 
    3. Select "Reveal In Finder" from the pop-up menu.
    4. When the window opens, double-click on the file to open the message in your e-mail client application.
    5. Read the message and if you agree that it is junk/spam/phishing then use the e-mail client's delete button to delete it (reading it is especially important when the word "Heuristics" appears in the infection name).
    6. If you disagree and choose to retain the message, return to ClamXav and choose "Exclude From Future Scans" from the pop-up menu.
    7. If this is a g-mail account and those messages continue to show up after you have deleted them in the above manner, you may need to log in to webmail using your browser, go to the "All Mail" folder, find the message(s) and use the delete button there to permanently delete them from the server. Then check the "Trash" folder and delete them there.
  • oilnwine Level 1 (0 points)

    Thanks!