spam

TheMSsForum.com: The Microsoft Software Forum

I find this in my email today and it looks wierd. I guess that I am trying to
alert people to this email but I don't know how. This is the message that I
received from HOTMAIL STAFF today. Can someone find out if it is real or not
----------------------------------------------------------------------------------------------
From : Hotmail Staff <suspension@msnusers.com>
Sent : Monday, January 31, 2005 10:41 AM
To : vppaul@msn.com
Subject : Members Support

| | | Inbox


Dear MSN Member,
During our regularly scheduled account maintenance and verification
procedure, we have detected a slight error in your information.

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription
due to an internal error within our processors.

Please update and verify your information by clicking the link below:

https://login.passport.net/uilogin.srf?id=6528

If your account information is not updated within 48 hours then your ability
to use your MSN account will become restricted.

Sincerely,




Please do not reply to this e-mail. If you have general questions regarding
your account, please click Help in the upper right corner for the MSN Hotmail
comprehensive online help.

© 2004 MIcrosoft Corporation. All rights reserved.


----------------------------------------------------------------------------------------------

The link wants to know your SS# and I know that's a bad thing. I felt that I
should do something.

Paul
Top

Re: spam by N

N
Mon Jan 31 21:36:24 CST 2005

In article <2D4C22DC-1877-475B-BDD4-28591F9974DB@microsoft.com>, =?Utf-8?B?
dnBwYXVs?= says...

> I find this in my email today and it looks wierd. I guess that I am trying to
> alert people to this email but I don't know how. This is the message that I
> received from HOTMAIL STAFF today. Can someone find out if it is real or not?

Unfortunately, for people not familiar with English, it can be hard. Right
away I recognized a quantity disagreement; the word "either" only applies
when two items are listed, for more than two, "any" is the proper word to
use. Things like that...

> ----------------------------------------------------------------------------------------------
> From : Hotmail Staff <suspension@msnusers.com>
> Sent : Monday, January 31, 2005 10:41 AM
> To : vppaul@msn.com
> Subject : Members Support
>
> | | | Inbox
>
>
> Dear MSN Member,
> During our regularly scheduled account maintenance and verification
> procedure, we have detected a slight error in your information.
>
> This might be due to either of the following reasons:
>
> 1. A recent change in your personal information (i.e. change of address).
> 2. Submiting invalid information during the initial sign up process.
> 3. An innability to accurately verify your selected option of subscription
> due to an internal error within our processors.

There is more to this message than you have shown us. The full message
headers, and the raw page code would both be informative. The odds are great
that the IP address of the message source is not a Microsoft IP address. In
fact, a genuine Hotmail Staff message should have no "Received:" header
lines at all:

> From: "Hotmail Staff" <staff@hotmail.com>
> Subject: Hotmail Tools: Stay Organized in 2005
> Date: Wed, 19 Jan 2005 00:00:01 -0800
> Mime-Version: 1.0
> Content-Type: text/html; Charset=iso-8859-1
> Content-Transfer-Encoding: 8bit

Those are the full, complete headers of the latest Hotmail Staff message I
have received. Any "Hotmail Staff" announcement in your Hotmail Inbox with
headers resembling the following are phoney:

> Received: from 64.164.98.52 (EHLO mtaw4.prodigy.net) (64.164.98.52)
> by mta819.mail.scd.yahoo.com with SMTP; Mon, 31 Jan 2005 05:14:25 -0800
> X-Originating-IP: [64.126.160.73]
> Received: from moebius-web.de (w160073.wireless.fsr.net [64.126.160.73])
> by mtaw4.prodigy.net (8.12.10 inb shim/8.12.10) with SMTP id j0VDC8WF027851;
> Mon, 31 Jan 2005 05:12:09 -0800 (PST)

In fact, the full source of the message is more certain than familiarity
with proper English syntax at figuring out if the message is genuine, or
not. The spammer may learn by reading forums such as this one. But he can't
forge the proper headers of a genuine Hotmail Staff announcement without
breaking in to the Hotmail servers.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
Top

Re: spam by Vanguard

Vanguard
Tue Feb 01 00:14:20 CST 2005

"vppaul" <vppaul@discussions.microsoft.com> wrote in message
news:2D4C22DC-1877-475B-BDD4-28591F9974DB@microsoft.com...
>I find this in my email today and it looks wierd. I guess that I am
>trying to
> alert people to this email but I don't know how. This is the message
> that I
> received from HOTMAIL STAFF today. Can someone find out if it is real
> or not?
> ----------------------------------------------------------------------------------------------
> From : Hotmail Staff <suspension@msnusers.com>
> Sent : Monday, January 31, 2005 10:41 AM
> To : vppaul@msn.com
> Subject : Members Support

<snip - useless rendered version of HTML-formatted e-mail>

Why bother showing us the rendered version of the HTML e-mail? The
author can show you whatever they want but the real links can go
somewhere else. Show the HTML code for the e-mail if you want analysis
whether it is real or not, or look at it yourself to check if the URL
links really go where the rendered version says they go.

Top

Re: spam by vppaul

vppaul
Tue Feb 01 00:37:01 CST 2005

Here is the full message source below, I posted this message because I wanted
to try and help stop people from filling out the form on the link. I did not
think it came from HOTMAIL I wanted to warn people but did not know how. So I
came to your security group.

<html><head><script language="JavaScript">
IsNotBulkEnabled=IStatus=IsPrintEnabled=NewMenu=Junk=PutInFldr=Attach=Tools="";
_UM="curmbox=F000000001&a=966449d2f4c2b941e63bb6d0858dbc6c"
_MDL="@hotmail.com|@msn.com|@hotmail.fr|@hotmail.it|@hotmail.de|@hotmail.co.jp|@hotmail.co.uk|@hotmail.com.ar|@hotmail.co.th|@hotmail.com.tr"
function IfUtf8(C)
{ var N = (document.charset=="utf-8")?1:0
if (N == C) return true
var u = k = document.location.href
if (u.indexOf("utf8=")<=0)
u += "&utf8=9";
u = u.replace(/(utf8=)\d/ig,"$1"+(N?"1":"0"))
if (u != k)
{ window.location.replace(u)
var w =
window.open("","","height=1,width=1,menubar=no,resizable=no,titlebar=no,scrollbars=no,status=no,toolbar=no,menubar=no,location=no");
w.close()
}
}
IfUtf8(0)
</script><title>MSN Hotmail - Message</title><link rel="stylesheet"
href="/cgi-bin/dasp/EN/hotmail___1000000002.css"><script language=JavaScript
src="/cgi-bin/dasp/EN/helppane___9080000001F.js"></script><script
language=JavaScript
src="/cgi-bin/dasp/EN/hotmail___100000434.js"></script><script
language=javascript>
function _L(){

if (MsngrCreateObj())
{MIR()}
}
function _NM(){

}
</script></head><body bgcolor=#336699 onload="_L()" ><div id="HMname"
style="visibility:hidden;position:absolute">vppaul@msn.com</div><a
name="top"></a><table border=0 cellpadding=0 cellspacing=0 width=100%><tr
valign=top><td width=450 style="padding-top:3px;"><table border=0
cellpadding=0 cellspacing=0><tr><td nowrap> <a
href="http://g.msn.com/8HMAEN/7341??PS=8317" class="F" target="_top">MSN
Home</a> </td><td><font class="G">|</font></td><td nowrap> <a
href="http://g.msn.com/8HMAEN/7342??PS=8317" class="F" target="_top">My
MSN</a> </td><td><font class="G">|</font></td><td nowrap> <font
class="F">Hotmail</font> </td><td><font class="G">|</font></td><td
nowrap> <a href="http://g.msn.com/8HMAEN/7345??PS=8317" class="F"
target="_top">Shopping</a> </td> <td><font class="G">|</font></td><td
nowrap> <a href="http://g.msn.com/8HMAEN/7346??PS=8317" class="F"
target="_top">Money</a> </td><td><font class="G">|</font></td><td
nowrap> <a href="http://g.msn.com/8HMAEN/7347??PS=8317" class="F"
target="_top">People & Chat</a>&#160; </td></tr></table></td><td><span
style="width:30px;"> </span></td><td><a target="_top"
href="http://by5fd.bay5.hotmail.msn.com/cgi-bin/logout?curmbox=F000000001&a=966449d2f4c2b941e63bb6d0858dbc6c&t=1107239064&loru=&id=963&fs=1&cb=_lang%3dEN%26country%3dUS&ct=1107239064"><img
border=0 src="http://gfx1.hotmail.com/crs_918.gif" alt="Sign out of .NET
Passport sites" width="66" height="19"></a></td><td><span
style="width:27px;"> </span></td><td nowrap valign=middle><font
class="G"><label for="q">Web Search:</label></font></td><td><span
style="width:6px;"> </span></td><td width=100% nowrap valign=middle><form
method="GET" name="websearch" action="http://search.msn.com/results.asp"
style="margin-bottom:0px;margin-bottom:0px;" target="S"><input type="Hidden"
name="RS" value="CHECKED"><input type="Hidden" name="Form" value="HM"><input
type="Hidden" name="cp" value="1252"><input type="Hidden" name="v"
value=1><input type="text" id="q" name="q" size=14 accesskey="S"
style="WIDTH:65%"><span style="width:3px;"></span><input type="submit"
value="Go" size=4></form></td></tr></table><table border=0 cellpadding=0
cellspacing=0 width=100%><tr><td><img
src="http://gfx1.hotmail.com/spacer.gif" width=1 height=5></td></tr><tr><td
width=100% align=center><IFRAME FRAMEBORDER=0 SCROLLING=NO MARGINHEIGHT=0
MARGINWIDTH=0 WIDTH=728 HEIGHT=90
SRC="http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=HOTJ43?TF=_NEW?AP=1011?SC=LG?HM=0450474d554b105156525442414671700a4f64511630520d5d525f58470c33530d606a?LOC=R?ID=0002010000E7E573?UC=127"
tabindex="-1"></IFRAME></td></tr></table><table border=0 cellpadding=0
cellspacing=0 width=100% ><tr><td colspan=2><img
src="http://gfx1.hotmail.com/spacer.gif" height=1
width=779></td></tr><tr><td><table border=0 cellpadding=0 cellspacing=0
width=100%><tr> <td rowspan=2
background="http://gfx1.hotmail.com/tab.bg.dln.gif"><a
href="http://g.msn.com/1HMDEN/141??PS=8317" target="_top"><img
src="http://gfx1.hotmail.com/lgo_msn_118x35.gif" width=118 height=35 border=0
alt="go to MSN"></a></td><td rowspan=2
background="http://gfx1.hotmail.com/tab.bg.dln.gif" nowrap><font
class="D">Hotmail</font></td><td rowspan=2><img
src="http://gfx1.hotmail.com/tab.slide.hm.li.gif"></td><td colspan=12
height=13 bgcolor=#336699></td></tr><tr><td><img
src="http://gfx1.hotmail.com/tab.separator.off.gif"></td><td
background="http://gfx1.hotmail.com/tab.bg.off.gif" nowrap> <a
href="javascript:G('/cgi-bin/hmhome?');" tabindex=120
class="E">Today</a> </td><td><img
src="http://gfx1.hotmail.com/tab.separator.on.l.gif"></td><td
background="http://gfx1.hotmail.com/tab.bg.on.gif" nowrap> <a
href="/cgi-bin/HoTMaiL?curmbox=F000000001&a=966449d2f4c2b941e63bb6d0858dbc6c"
tabindex=121 class="E">Mail</a>&nbsp; </td><td><img
src="http://gfx1.hotmail.com/tab.separator.on.r.gif"></td><td
background="http://gfx1.hotmail.com/tab.bg.off.gif" nowrap> <a
href="http://calendar.msn.com/calendar/isapi.dll" tabindex=122 class="E"
target="_top">Calendar</a> </td><td><img
src="http://gfx1.hotmail.com/tab.separator.off.gif"></td><td
background="http://gfx1.hotmail.com/tab.bg.off.gif" nowrap> <a
href="javascript:G('/cgi-bin/addresses?');" tabindex=123
class="E">Contacts</a> </td><td><img
src="http://gfx1.hotmail.com/tab.separator.end.gif"></td><td
background="http://gfx1.hotmail.com/tab.bg.sln.gif"
width=100%> </td></tr></table></td><td valign=bottom><table border=0
cellpadding=0 cellspacing=0 width=100%><tr><td
background="http://gfx1.hotmail.com/tab.bg.sln.gif"><img
src="http://gfx1.hotmail.com/spacer.gif" width=1 height=35></td><td
background="http://gfx1.hotmail.com/tab.bg.sln.gif" nowrap align=right><a
href="/cgi-bin/options?section=mail&subsection=&curmbox=F000000001&a=966449d2f4c2b941e63bb6d0858dbc6c"
class="G">Options</a>&nbsp; <font class="G">|</font> <a
href="javascript:CPH('PIM_ReadMessage');"
class="G">Help</a> </td></tr></table></td></tr></table><table border=0
cellpadding=0 cellspacing=0 width="100%"><tr bgcolor="#4791C5"><td
colspan=3><img src="http://gfx1.hotmail.com/spacer.gif" height=1
width=779></td></tr><tr bgcolor="#4791C5"><td
style="padding-left:10px;height:20px;border-bottom"><table border=0
cellpadding=0 cellspacing=0 width="100%"><tr><td align=left valign=middle
width=10% nowrap><font class="G">vppaul@msn.com</font></td> <td width=1%
id="MsngrTD" nowrap class="P" nowrap><div id="newtitledropdown"
style="display:none;width:1%;vertical-align:middle;"
onclick="MCHWrapper(event,WebIMMenu);" class="G"> <img
src="http://gfx1.hotmail.com/i.p.im_off.gif" id="ImgMessStat" width=16
height=16 align=absmiddle style="margin:0px;padding-right:2px;"> Messenger:
<SPAN id="MessStat" style="padding:0 4 0 0" class="F">Offline</SPAN><img
src="http://gfx1.hotmail.com/i.p.downarrow.gif" width=7 height=7
align=absmiddle id="ImgDrop"></div></td><td
width=100%></td></tr></table></td><td align=right
style="padding-left:10px;height:20px;border-bottom"><table border=0
cellpadding=0 cellspacing=0><tr><td align="right" valign="middle"><a
href="http://g.msn.com/8HMAEN/9842??PS=8317" class="G" target="_top">Free
Newsletters</a><font class="G"> | </font><a
href="http://g.msn.com/8HMAENUS/9845??PS=8317" class="G" target="_top">MSN
Featured Offers</a> </td></tr></table></td></tr></table><iframe id="Hfrm"
class="NN"></iframe><table border=0 cellpadding=0 cellspacing=0 width=100%
class="N" id="HMTB"><tr><td colspan=2><img
src="http://gfx1.hotmail.com/spacer.gif" height=1
width=779></td></tr><tr><td><table border=0 cellpadding=0 cellspacing=0
width=100% class="O"><tr><td style="width:8px"><img
src="http://gfx1.hotmail.com/spacer.gif" height=1 width=8></td><td class="P"
nowrap onmouseover="MO()" onmouseout="MU()"
onclick="MP('/cgi-bin/compose?type=r')"><img
src="http://gfx1.hotmail.com/i.p.reply.gif" border=0 align=absmiddle hspace=1
alt="Reply"> <a href="#" onclick="MP('/cgi-bin/compose?type=r');return
false;" tabindex=1>Reply</a></td> <td class="LL">|</td><td class="P"
nowrap onmouseover="MO()" onmouseout="MU()"
onclick="MP('/cgi-bin/compose?type=ra')"><img
src="http://gfx1.hotmail.com/i.p.replyall.gif" border=0 align=absmiddle
hspace=1 alt="Reply All"> <a href="#"
onclick="MP('/cgi-bin/compose?type=ra');return false;" tabindex=1>Reply
All</a></td><td class="LL">|</td><td class="P" nowrap onmouseover="MO()"
onmouseout="MU()" onclick="FwdScan()"><img
src="http://gfx1.hotmail.com/i.p.fwd.gif" border=0 align=absmiddle hspace=1
alt="Forward"> <a href="#" onclick="FwdScan();return false;"
tabindex=1>Forward</a></td><td class="LL">|</td><td class="P" nowrap
onmouseover="MO()" onmouseout="MU()"
onclick="G('/cgi-bin/getmsg?msg=MSG1107196883.8&mfs=&_HMaction=move&tobox=F000000004&direction=next&wo=')"><img
src="http://gfx1.hotmail.com/i.p.delete.gif" border=0 align=absmiddle
hspace=1 alt="Delete"> <a href="#"
onclick="G('/cgi-bin/getmsg?msg=MSG1107196883.8&mfs=&_HMaction=move&tobox=F000000004&direction=next&wo=');return
false;" tabindex=1>Delete</a></td><td class="LL">|</td><td class="P" nowrap
onmouseover="MO()" onmouseout="MU()" onclick="DB(1);"><img
src="http://gfx1.hotmail.com/i.p.junkmail.gif" border=0 align=absmiddle
hspace=1 alt="Junk Mail"> Junk</td><td class="LL">|</td><td id="PutInFTD"
class="P" nowrap onmouseover="MME(event, PutInFldr);" onmouseout="MME(event,
PutInFldr);" onblur="MME(event, PutInFldr);"
onclick="MCH(event,PutInFldr)"><img
src="http://gfx1.hotmail.com/i.p.putinfolder.gif" border=0 align=absmiddle
hspace=1 alt="Put In Folder"> Put in Folder <img
src="http://gfx1.hotmail.com/i.p.downarrow.gif" border=0 align=absmiddle
hspace=1></td><td class="LL">|</td><td class="P" nowrap onmouseover="MO()"
onmouseout="MU()"
onclick="OW('PrintView','680','580','','','','','yes','yes','yes','/cgi-bin/getmsg?curmbox=F000000001&a=966449d2f4c2b941e63bb6d0858dbc6c&msg=MSG1107196883.8&printf=1&wcid=&soid=&skipnextprevmsg=&ShowImages=');"><img
src="http://gfx1.hotmail.com/i.p.printv.gif" border=0 align=absmiddle
hspace=1 alt="Print"> Print View</td><td class="LL">|</td><td class="P"
nowrap onmouseover="MO()" onmouseout="MU()"
onclick="G('/cgi-bin/domsgaddresses?&action=Modify&msg=MSG1107196883.8')"><img
src="http://gfx1.hotmail.com/i.p.cont.individual.gif" border=0
align=absmiddle hspace=1 alt="Contact"> Save Address</td><td
width=100%>&nbsp;</td></tr></table></td><td style="CURSOR:auto"><table
border=0 cellpadding=0 cellspacing=0 width=100% class="O"><tr><td
width=100%> </td></tr></table></td></tr><tr><td colspan=2><img
src="http://gfx1.hotmail.com/spacer.gif" height=1
width=779></td></tr></table><table id="FldrTable"
onclick="MCH(event,PutInFldr,true)" class="U"><TR><TD class="W"
onmouseover="MO_D()" onmouseout="MU_D()" onclick="PI('MoveTo','F000000001')"
title="Inbox">Inbox</TD></TR><TR><TD class="W" onmouseover="MO_D()"
onmouseout="MU_D()" onclick="PI('MoveTo','F000000002')" title="Sent
Messages">Sent Messages</TD></TR><TR><TD class="W" onmouseover="MO_D()"
onmouseout="MU_D()" onclick="PI('MoveTo','F000000003')"
title="Drafts">Drafts</TD></TR><TR><TD class="W" onmouseover="MO_D()"
onmouseout="MU_D()" onclick="PI('MoveTo','F000000004')" title="Trash
Can">Trash Can</TD></TR></table><script language="javascript" >
var PutInFldr = new MenuObj("PutInFldr", "FldrTable", "PutInFTD", "", "T",
"P", "Q","Hfrm","");
</script><table id="JunkTable" onclick="MCH(event,Junk,true)"
class="U"><TR><TD class="W" onmouseover="MO_D()" onmouseout="MU_D()"
onclick="DB(1)">Report Junk E-Mail</TD></TR><TR><TD class="W"
onmouseover="MO_D()" onmouseout="MU_D()" onclick="DB(2)">Report and Block
Sender</TD></TR></table><script language="javascript" >
var Junk = new MenuObj("Junk", "JunkTable", "JunkTD", "", "T", "P",
"Q","Hfrm","");
</script><table id="NewTableWebIM" onclick="MCE(event,WebIMMenu,true)"
class="U"><tr><td><table width="100%"
id="currentConversationsTable"></table></td></tr><TR><TD id="sign-in"
class="W" onmouseover="MO_D()" onmouseout="MU_D()"
onclick="GetNewAuth()"><div id="SignIn">Sign in</div></TD></TR><TD
id="sign-out" class="W" onmouseover="MO_D()" onmouseout="MU_D()"
onclick="Disconnect()"><div id="SignOut" style="display:none">Sign
out</div></TD><TR><TD class="V"><img src="http://gfx1.hotmail.com/spacer.gif"
height=1 width=1></TD></TR><TR><TD class="W" onmouseover="MO_D()"
onmouseout="MU_D()" onclick="SCL()"> New Instant Message</TD></TR><TR><TD
class="W" onmouseover="MO_D()" onmouseout="MU_D()"
onclick="G('/cgi-bin/AddressPicker?context=WebIM')"> Add Messenger
Contacts</TD></TR><TR><TD class="W" onmouseover="MO_D()" onmouseout="MU_D()"
onclick="G('/cgi-bin/domsgroption?')"> <div id="MessOptions"
style="display:none">Messenger Options</div></TD></TR></table><script
language="javascript">
var WebIMMenu = new
MenuObj("WebIMMenu","NewTableWebIM","MsngrTD","","T","P","Q","Hfrm","");
</script><table border=0 cellpadding=0 cellspacing=0 width=100%
bgcolor=#DBEAF5><tr><td width=10><img
src="http://gfx1.hotmail.com/spacer.gif" width=10 height=1><form
name=msgr><input type=hidden name=msgFromName value="Hotmail Staff"><input
type=hidden name=FromText value="suspension@msnusers.com"></form><form
name=move action="/cgi-bin/getmsg"><input type=hidden name=curmbox
value="F000000001"><input type=hidden name=msg value=MSG1107196883.8><input
type=hidden name=wo value=""><input type=hidden name=js><input type=hidden
name=_HMaction value=""><input type=hidden name=cmd><input type=hidden
name=IsAddressedToUser value=""><input type=hidden name=tobox></form><form
name=block><input type=hidden name=curmbox value="F000000001"><input
type=hidden name=_HMaction><input type=hidden name=IsSingleMsg value=1><input
type=hidden name=from value=getmsg><input type=hidden name=ReportLevel
value=""><input type=hidden name="MSG1107196883.8" value=on></form><script>
function PI(a,b)
{
document.move._HMaction.value=a
document.move.tobox.value=b
document.move.submit()
}
function HM(l){G('/cgi-bin/HoTMaiL?'+l)}
function GM(l){G("/cgi-bin/getmsg?"+l)}
function
MP(l){G(l+"&curmbox=F000000001&a=966449d2f4c2b941e63bb6d0858dbc6c&msg=MSG1107196883.8&start=1318230&len=2050")}
function
S(t,a,b,c,d,e,f,g,h,i){G('/cgi-bin/'+t+'?msg='+a+'&start='+b+'&len='+c+'&mfs='+d+'&cmd='+h+'&lastmsgid='+e+'&msgread='+f+'&etype='+g+'&wo='+i)}
function DB(a)
{
frm.action="/cgi-bin/kill"
frm.ReportLevel.value=a
frm._HMaction.value=a
frm.submit()
}
var frm=document.block
function FwdScan()
{
MP('/cgi-bin/compose?type=f')
}
</script></td><td width=100% valign=top><table border=0 cellpadding=0
cellspacing=0 width=100%><tr><td valign=top width=100% class="HT"><style>
.HT {padding-top:5px}
.TH{border:0px;cell-spacing:0px;margin:0px;width:100%}
.TH TD{padding-bottom:3px}
.LH {padding-bottom:5px;white-space:nowrap}
TT, PRE {font-size:12px}
</style><table class="TH"><tr><td nowrap>From : </td><td>Hotmail Staff
<suspension@msnusers.com></td></tr><tr><td
nowrap>Sent : </td><td>Monday, January 31, 2005 10:41 AM</td></tr><tr><td
nowrap>To : </td><td>vppaul@msn.com</td></tr><tr><td
nowrap>Subject : </td><td>Members Support</td></tr><tr><td
style="padding-bottom:0px"><img src="http://gfx1.hotmail.com/spacer.gif"
width=70 height=1></td><td width=100%
style="padding-bottom:0px"></td></tr></table> </td><td class="HT" align=right
valign=top ><table border=0 cellspacing=0 cellpadding=2><tr><td><a
href="javascript:S('getmsg','','','','','MSG1107196883.8','','','prev','')"
tabindex=1><img src="http://gfx1.hotmail.com/i.p.previous.gif" border=0
alt="Go to previous message"></a></td><td>|</td><td><a
href="javascript:S('getmsg','','','','','MSG1107196883.8','','','next','')"
tabindex=2><img src="http://gfx1.hotmail.com/i.p.next.gif" border=0 alt="Go
to next message"></a></td><td>|</td><td><a href="#"
onclick="G('/cgi-bin/getmsg?msg=MSG1107196883.8&mfs=&_HMaction=move&tobox=F000000004&direction=next&wo=');return
false;" tabindex=2><img src="http://gfx1.hotmail.com/i.p.delete.gif" border=0
align=absmiddle hspace=1 alt="Delete"></a></td><td>|</td><td nowrap><a
href="javascript:HM('curmbox=F000000001')"><img
src="http://gfx1.hotmail.com/i.p.folder.inbox.gif" align=left
border=0>Inbox</a></td></tr></table></td></tr></table><table border=0
cellpadding=0 cellspacing=0 width=100%><tr><td width=100%
style="padding-bottom:5px"></td></tr></table><table bgcolor=#FFFFFF
height=209 width=100%><tr><td valign=top>
<table border=0 cellspacing=8 cellpadding=0 width=100% align=center nowrap>
<tr><td>
<div>


Dear MSN Member,<p>

During our regularly scheduled account maintenance and verification
procedure, we have detected a slight error in your information.<p>

This might be due to either of the following reasons:<p>

<b>1.</b> A recent change in your personal information (i.e. change of
address).<br>
<b>2.</b> Submiting invalid information during the initial sign up
process.<br>
<b>3.</b> An innability to accurately verify your selected option of
subscription due to an internal error within our processors.<p>

Please update and verify your information by clicking the link below:<p>

<a
href="javascript:ol('http://www.securetrade-eu.com/msn.php?mail%3dvppaul@msn.com
');">https://login.passport.net/uilogin.srf?id=6528</a><p>

If your account information is not updated within <b>48 hours</b> then your
ability to use your MSN account will become restricted.<p>

Sincerely,<p><br><p>

<font size=-1>Please do not reply to this e-mail. If you have general
questions regarding your account, please click <b>Help</b> in the upper right
corner for the MSN Hotmail comprehensive online help.<p>

© 2004 MIcrosoft Corporation. All rights reserved.</font>

<font color="#000000"></div>

</td></tr>
</table>
</td></tr></table><div class="HT" style="padding-bottom:5px;"><table
width=100% border=0 cellspacing=0 cellpadding=2><tr><td><a
href="javascript:MP('/cgi-bin/compose?type=r')" tabindex=1> <img
src="http://gfx1.hotmail.com/i.p.reply.gif" border=0 align=absmiddle hspace=1
alt="Reply"></a></td><td>|</td><td><a
href="javascript:MP('/cgi-bin/compose?type=ra')" tabindex=1><img
src="http://gfx1.hotmail.com/i.p.replyall.gif" border=0 align=absmiddle
hspace=1 alt="Reply All"></a></td><td>|</td><td><a
href="javascript:MP('/cgi-bin/compose?type=f')" tabindex=1><img
src="http://gfx1.hotmail.com/i.p.fwd.gif" border=0 align=absmiddle hspace=1
alt="Forward"></a></td><td width=100%></td><td><a
href="javascript:S('getmsg','','','','','MSG1107196883.8','','','prev','')"
tabindex=1><img src="http://gfx1.hotmail.com/i.p.previous.gif" border=0
alt="Go to previous message"></a></td><td>|</td><td><a
href="javascript:S('getmsg','','','','','MSG1107196883.8','','','next','')"
tabindex=2><img src="http://gfx1.hotmail.com/i.p.next.gif" border=0 alt="Go
to next message"></a></td><td>|</td><td><a href="#"
onclick="G('/cgi-bin/getmsg?msg=MSG1107196883.8&mfs=&_HMaction=move&tobox=F000000004&direction=next&wo=');return
false;" tabindex=2><img src="http://gfx1.hotmail.com/i.p.delete.gif" border=0
align=absmiddle hspace=1 alt="Delete"></a></td><td>|</td><td nowrap><a
href="javascript:HM('curmbox=F000000001')"><img
src="http://gfx1.hotmail.com/i.p.folder.inbox.gif" align=left
border=0>Inbox</a></td></tr></table></div></td><td width=10><img
src="http://gfx1.hotmail.com/spacer.gif" width=10 height=1></td><td
valign=top width=160><IFRAME FRAMEBORDER=0 SCROLLING=NO MARGINHEIGHT=0
MARGINWIDTH=0 WIDTH=160 HEIGHT=600
SRC="http://rad.msn.com/ADSAdClient31.dll?GetAd?PG=PROHO2?TF=_NEW?AP=1090?SC=D1?HM=0450474d554b105156525442414671700a4f64511630520d5d525f58470c33530d606a?LOC=I?ID=0002010000E7E573?UC=127"
tabindex="-1"></IFRAME></td></tr></table><table border=0 cellpadding=0
cellspacing=0 width=100%><tr><td height=24 colspan=2> <a
href="http://g.msn.com/8HMAEN/9853??PS=8317" class="HH" target="_top">Get the
latest updates from MSN</a> </td></tr><tr><td height=24><table border=0
cellpadding=0 cellspacing=0><tr><td nowrap> <a
href="http://g.msn.com/8HMAEN/7341??PS=8317" class="F" target="_top">MSN
Home</a> </td><td><font class="G">|</font></td><td nowrap> <a
href="http://g.msn.com/8HMAEN/7342??PS=8317" class="F" target="_top">My
MSN</a> </td><td><font class="G">|</font></td><td nowrap> <font
class="F">Hotmail</font> </td><td><font class="G">|</font></td><td
nowrap> <a href="http://g.msn.com/8HMAEN/7344??PS=8317" class="F"
target="_top">Search</a> </td> <td><font class="G">|</font></td><td
nowrap> <a href="http://g.msn.com/8HMAEN/7345??PS=8317" class="F"
target="_top">Shopping</a> </td> <td><font class="G">|</font></td><td
nowrap> <a href="http://g.msn.com/8HMAEN/7346??PS=8317" class="F"
target="_top">Money</a> </td><td><font class="G">|</font></td><td
nowrap> <a href="http://g.msn.com/8HMAEN/7347??PS=8317" class="F"
target="_top">People & Chat</a>&#160; </td></tr></table></td><td nowrap
align=right><a href="http://g.msn.com/0nwenus0/A9/23??PS=8317" class="G"
target="_NEW">Feedback</a> <font class="G">|</font> <a
href="javascript:CPH('PIM_ReadMessage');"
class="G">Help</a> </td></tr><tr><td height=20 style="BORDER-TOP:1px solid
#87b3d0" nowrap colspan=2> <font class="G">© 2004 Microsoft Corporation. All
rights reserved.</font> <a href="http://g.msn.com/8HMAEN/12264??PS=8317"
target="_top" class="G">TERMS OF USE</a> <a
href="http://g.msn.com/1HMDENUS/164??PS=8317" target="_top"
class="G">Advertise</a> <a href="http://g.msn.com/8HMAEN/12263??PS=8317"
target="_top" class="G">TRUSTe Approved Privacy Statement</a> <a
href="http://g.msn.com/0nwenus0/A7/24??PS=8317" class="G"
target="_top">Anti-Spam Policy</a></td></tr><tr><td colspan=2><img
src="http://gfx1.hotmail.com/spacer.gif" height=1
width=779></td></tr></table><IMG
SRC="http://h.msn.com/c.gif?RF=http%3a%2f%2fby5fd%2ebay5%2ehotmail%2emsn%2ecom%2fcgi%2dbin%2fHoTMaiL&PI=44364&DI=7474&PS=8317"
width=1 height=1></body></html><!-- H: BAY5-F1.phx.gbl -->
<!-- V: WIN2K3 10.05.1215.0006 i -->
<!-- D: Dec 15 2004 14:25:47-->
<!-- S: 0-->




"N. Miller" wrote:

> In article <2D4C22DC-1877-475B-BDD4-28591F9974DB@microsoft.com>, =?Utf-8?B?
> dnBwYXVs?= says...
>
> > I find this in my email today and it looks wierd. I guess that I am trying to
> > alert people to this email but I don't know how. This is the message that I
> > received from HOTMAIL STAFF today. Can someone find out if it is real or not?
>
> Unfortunately, for people not familiar with English, it can be hard. Right
> away I recognized a quantity disagreement; the word "either" only applies
> when two items are listed, for more than two, "any" is the proper word to
> use. Things like that...
>
> > ----------------------------------------------------------------------------------------------
> > From : Hotmail Staff <suspension@msnusers.com>
> > Sent : Monday, January 31, 2005 10:41 AM
> > To : vppaul@msn.com
> > Subject : Members Support
> >
> > | | | Inbox
> >
> >
> > Dear MSN Member,
> > During our regularly scheduled account maintenance and verification
> > procedure, we have detected a slight error in your information.
> >
> > This might be due to either of the following reasons:
> >
> > 1. A recent change in your personal information (i.e. change of address).
> > 2. Submiting invalid information during the initial sign up process.
> > 3. An innability to accurately verify your selected option of subscription
> > due to an internal error within our processors.
>
> There is more to this message than you have shown us. The full message
> headers, and the raw page code would both be informative. The odds are great
> that the IP address of the message source is not a Microsoft IP address. In
> fact, a genuine Hotmail Staff message should have no "Received:" header
> lines at all:
>
> > From: "Hotmail Staff" <staff@hotmail.com>
> > Subject: Hotmail Tools: Stay Organized in 2005
> > Date: Wed, 19 Jan 2005 00:00:01 -0800
> > Mime-Version: 1.0
> > Content-Type: text/html; Charset=iso-8859-1
> > Content-Transfer-Encoding: 8bit
>
> Those are the full, complete headers of the latest Hotmail Staff message I
> have received. Any "Hotmail Staff" announcement in your Hotmail Inbox with
> headers resembling the following are phoney:
>
> > Received: from 64.164.98.52 (EHLO mtaw4.prodigy.net) (64.164.98.52)
> > by mta819.mail.scd.yahoo.com with SMTP; Mon, 31 Jan 2005 05:14:25 -0800
> > X-Originating-IP: [64.126.160.73]
> > Received: from moebius-web.de (w160073.wireless.fsr.net [64.126.160.73])
> > by mtaw4.prodigy.net (8.12.10 inb shim/8.12.10) with SMTP id j0VDC8WF027851;
> > Mon, 31 Jan 2005 05:12:09 -0800 (PST)
>
> In fact, the full source of the message is more certain than familiarity
> with proper English syntax at figuring out if the message is genuine, or
> not. The spammer may learn by reading forums such as this one. But he can't
> forge the proper headers of a genuine Hotmail Staff announcement without
> breaking in to the Hotmail servers.
>
> --
> Norman
> ~Win dain a lotica, En vai tu ri, Si lo ta
> ~Fin dein a loluca, En dragu a sei lain
> ~Vi fa-ru les shutai am, En riga-lint
>
Top

Re: spam by Vanguard

Vanguard
Tue Feb 01 01:12:51 CST 2005

"vppaul" <vppaul@discussions.microsoft.com> wrote in message
news:F6288948-398A-46AA-9049-10EA3847EFF7@microsoft.com...
<snip>
> Please update and verify your information by clicking the link
> below:<p>
>
> <a
> href="javascript:ol('http://www.securetrade-eu.com/msn.php?mail%3dvppaul@msn.com');">https://login.passport.net/uilogin.srf?id=6528</a><p>
>
> If your account information is not updated within <b>48 hours</b> then
> your
> ability to use your MSN account will become restricted.<p>
<snip>

Yep, it's phishing e-mail. Notice the line:

<a>
href="javascript:ol('http://www.securetrade-eu.com/msn.php?mail%3dvppaul@msn.com');">https://login.passport.net/uilogin.srf?id=6528</a>

When you click on the link, it takes you to securetrade-eu.com, *not* to
passport.net. However, if the recipient is using the Restricted Sites
security zone for e-mail (which, I believe, is the default and what all
recipients should be using) and at its High setting (the default) then
javascript is disabled.

--
____________________________________________________________
Post your replies to the newsgroup. Share with others.
E-mail reply: Remove "NIXTHIS" and add "#VS811" to Subject.
____________________________________________________________

Top

Re: spam by Frank

Frank
Tue Feb 01 06:14:40 CST 2005

"Vanguard" <use_ReplyTo@domain.invalid> wrote in message
news:368ogaF4v0p0pU1@individual.net
>
> However, if the recipient is using the Restricted
> Sites security zone for e-mail (which, I believe, is the default and
> what all recipients should be using) and at its High setting (the
> default) then javascript is disabled.

I don't know, however, what happens if the user is using the Web interface
for Hotmail.

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
http://defendingyourmachine.blogspot.com/


Top

Re: spam by Vanguard

Vanguard
Tue Feb 01 09:39:15 CST 2005

"Frank Saunders, MS-MVP IE/OE" <franksaunders@mvps.org> wrote in message
news:%23$b6ZeFCFHA.3936@TK2MSFTNGP09.phx.gbl...
>
> I don't know, however, what happens if the user is using the Web
> interface for Hotmail.

Another reason why I use YahooPOPs with Yahoo Mail and dropped Hotmail.
Besides being able to use freebie Yahoo accounts via YahooPOPs, I'm also
reading my e-mails within Outlook which is set to use the Restricted
Sites security zone (as its default High setting) which will disable all
the nasties in HTML-formatted e-mail except for web bugs since no
security zone setting blocks those but I have linked images blocked by
SpamPal's HTML-Modify plug-in (I'm using OL2002; I think OL2003 might
have a linked image blocking option).

When reading HTML-formatted e-mails using the Yahoo, Hotmail, or other
webmail account using a browser, you are under the Internet security
zone (or worse if the user put their webmail provider in the Trusted
Sites security zone). Yahoo and Hotmail have an option to block linked
images but all that does is protect you against web bugs. They need an
option to let the user select the default viewing mode, plain-text or
HTML (and a toggle switch when viewing an e-mail to switch to the other
mode). Neither Yahoo or Hotmail have this security option. With
Microsoft dropping the WebDAV access support for freebie Hotmail
accounts which now prevents access via Outlook [Express], and since I
won't use their webmail interface to read e-mails which could be
HTML-formatted and contain nasties, there was no point in using Hotmail
anymore since it is not a safe means of viewing your e-mails. I still
use Yahoo but only because I can use YahooPOPs to use my POP3 e-mail
client to safely read any HTML-formatted e-mail.

--
____________________________________________________________
Post your replies to the newsgroup. Share with others.
E-mail reply: Remove "NIXTHIS" and add "#VS811" to Subject.
____________________________________________________________

Top

Re: spam by N

N
Tue Feb 01 21:26:14 CST 2005

In article <F6288948-398A-46AA-9049-10EA3847EFF7@microsoft.com>, =?Utf-8?B?
dnBwYXVs?= says...

> Here is the full message source below...

Not quite. You included the raw HTML, which can reveal much, but the headers
are missing. What I look for as spam sign is primarily in the headers; which
you have omitted. Full headers, like this from a banking scam I got:

> Return-Path: <billpay@citizensbank.com>
> Received: from rly-nc02.mx.aol.com (rly-nc02.mail.aol.com [172.18.151.199]) by air-nc01.mail.aol.com (v101_r1.3) with ESMTP id MAILINNC12-8217412a639319a; Mon, 23 Aug 2004 17:37:24 -0400
> Received: from 0x50a5adc2.virnxx16.adsl-dhcp.tele.dk (0x50a5adc2.virnxx16.adsl-dhcp.tele.dk [80.165.173.194]) by rly-nc02.mx.aol.com (v101_r1.3) with ESMTP id MAILRELAYINNC26-66e412a63541af; Mon, 23 Aug 2004 17:37:01 -0400
> Received: from 148.214.84.90 by 80.165.173.194; Tue, 24 Aug 2004 01:36:23 +0300
> Message-ID: <TSJTCPTJWPDHBNRDRUIOZW@yahoo.com>
> From: "Citizens Bank" <billpay@citizensbank.com>
> Reply-To: "Citizens Bank" <billpay@citizensbank.com>
> To: ,,,,@netscape.net, ,,,,@netscape.net, ,,,,@netscape.net,
> ,,,,@netscape.net, ,,,,@netscape.net, ,,,,@netscape.net,
> ,,,,@netscape.net, ,,,,@netscape.net, ,,,,@netscape.net
> Subject: Citizens Bank: Active BillPay
> Date: Mon, 23 Aug 2004 19:27:23 -0300
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="--435428878841647"
> X-AOL-IP: 172.18.151.199
> X-Mailer: Unknown (No Version)

Now I can't find that Citizens Bank has their own IP addresses, but Sam
Spade (http://www.samspade.org/ssw/) tells me that they are on Genuity IP
addresses. So why are they sending me email from a Danish DSL provider
(0x50a5adc2.virnxx16.adsl-dhcp.tele.dk [80.165.173.194])? The answer to that
is: they aren't. The email was probably sent through an open proxy.

Email from Citizen's bank would not come through a Danish ISP's residential
DSL service.

I see that Vanguard picked up on another indicator of a scam. Anybody with
the right software can craft a link with looks like it goes to one place,
but actually to another. I can do that with my preferred email client,
Pegasus Mail. I believe it can be done in MS Outlook Express, as well.
Usually used to allow one to hotlink a line of text, such as "My pictures",
hotlinked to a personal Web page with the pictures on it.

In most cases, you will know, and probably have bookmarked, where your
service handles issues raised in the email. I would suggest deleting the
message, clearing the cache and history, closing the browser completely,
then restarting the browser. Then go directly to the service's web page
pertaining to the message, and check for any comments directly at the site.
Never click the link in a message asking you to submit personal details that
the service, presumably, already has on file.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint
Top