I eagerly opened my SPAM box in Gmail recently and discovered a standard-fare phishing attack email. This particular one was impersonating USAA bank and claimed the user needed to take action for a pending deposit.
Upon viewing the original source (raw copy) of the email, we can quickly identify where the phishing email came from.
Received: from 100-43-237-85.static-ip.telepacific.net ([22.214.171.124] helo=TS-PCMV.inland.local) by smtpout.telepacific.net with esmtp (Exim 4.69) (envelope-from <USAA.Customers@usmail.net>) id 1dFJlm-0001IH-SU; Mon, 29 May 2017 05:27:38 -0700
According to DomainTools, the IP 126.96.36.199 has been assigned to Telepacific Communication, currently known as TPx Communications as of April 11, 2017 and is headquartered in Los Angeles, CA. The WHOIS record further details the customer operating the IP address as “INLAND RHEUMATOLOGY & OSTEOPUROSIS MED GROUP”
So how did this email get through in the first place? Interestingly, further details are found in the original source of the email:
X-Spam-Report: Spam detection software, running on the telepacific email platform has scanned this email in an attempt to identify spam. The original message has been attached to this so you can view it or label similar future email.
If you have any questions, please see http://www.telepacific.com/contact/customerService/ Content analysis details:
(5.3 points, 2.0 required) pts rule name
description —- ———————- ————————————————– 0.0 URIBL_BLOCKED
ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: usaa.com] 0.0 TVD_RCVD_IP
Message was received from an IP address 1.5 TVD_PH_SEC
BODY: Message includes a phrase commonly used in phishing mails 0.0 HTML_MESSAGE
BODY: HTML included in message 0.1 MISSING_MID
Missing Message-Id: header 0.0 LOTS_OF_MONEY
Huge… sums of money 0.6 TO_EQ_FM_DIRECT_MX
To == From and direct-to-MX 3.0 URI_WP_HACKED
URI for compromised WordPress site, possible malware -0.0 AWL
AWL: Adjusted score from AWL reputation of From: address
So it appears the email was scanned by Telepacific Communication’s anti-spam software but was allowed to slip through. I reported the issue to email@example.com and received a bounceback:
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
host a2nlsmtpcp-v01.shr.prod.iad2.secureserver.net [188.8.131.52]
SMTP error from remote mail server after end of data:
552 5.2.0 FP6Vd4FrlCQzG :: CPANEL :: Message rejected for spam or virus content ::
Please include this entire message when contacting support ::
The irony of this is quite laughable since the original message was not flagged as malicious but the act of reporting it was. I sent a follow up message to Telepacific Communication’s abuse department but did not receive any response.