Some good stuff here (and a sad conclusion) Source: http://blog.wordtothewise.com/ .. After Epsilon lost a bunch of customer lists last week, Iâ€™ve been keeping an eye open to see if any of the vendors I work with had any of my email addresses stolen â€“ not least because itâ€™ll be interesting to see where this data ends up. Yesterday I got mail from Marriott, telling me that â€œunauthorized third party gained access to a number of Epsilonâ€™s accounts including Marriottâ€™s email list.â€. Great! Lets start looking for spam to my Marriott tagged address, or for phishing targeted at Marriott customers. I hit what looks like paydirt this morning. Plausible looking mail with Marriott branding, nothing specific to me other than name and (tagged) email address. Itâ€™s time to play Real. Or. Phish? 1. Branding and spelling is all good. Itâ€™s using decent stock photos, and what looks like a real Marriott logo. All very easy to fake, but if itâ€™s a phish itâ€™s pretty well done. Then again, phishes often steal real content and just change out the links. Conclusion? Real. Maybe. 2. The mail wasnâ€™t sent from marriott.com, or any domain related to it. Instead, it came from â€œ[email protected]â€. This is classic phish behaviour â€“ using a lookalike domain such as â€œpaypal-billing.comâ€ or â€œaolsecurity.comâ€ so as to look as though youâ€™re associated with a company, yet to be able to use a domain name you have full control of, so as to be able to host websites, receive email, sign with DKIM, all that sort of thing. Conclusion? Phish. 3. SPF pass Given that the mail was sent â€œfromâ€ marriott-email.com, and not from marriott.com, this is pretty meaningless. But it did pass an SPF check. Conclusion? Neutral. 4. DKIM fail Authentication-Results: m.wordtothewise.com; dkim=fail (verification failed; insecure key) [email protected]; As the mail was sent â€œfromâ€ marriott-email.com it should have been possible for the owner of that domain (presumably the phisher) to sign it with DKIM. That they didnâ€™t isnâ€™t a good sign at all. Conclusion? Phish. 5. Badly obfuscated headers From: =?iso-8859-1?B?TWFycmlvdHQgUmV3YXJkcw==?= <[email protected]> Subject: =?iso-8859-1?B?WW91ciBBY2NvdW50IJYgVXAgdG8gJDEwMCBjb3Vwb24=?= Base 64 encoding of headers is an old spammer trick used to make them more difficult for naive spam filters to handle. That doesnâ€™t work well with more modern spam filters, but spammers and phishers still tend to do it so as to make it harder for abuse desks to read the content of phishes forwarded to them with complaints. Thereâ€™s no legitimate reason to encode plain ascii fields in this way. Spamassassin didnâ€™t like the message because of this. Conclusion? Phish. 6. Well-crafted multipart/alternative mail, with valid, well-encoded (quoted-printable) plain text and html parts Just like the branding and spelling, this is very well done for a phish. But again, itâ€™s commonly something thatâ€™s stolen from legitimate email and modified slightly. Conclusion? Real, probably. 7. Typical content links in the email Most of the content links in the email are to things like â€œhttp://marriott-email.com/16433acf1layfousiaey2oniaaaaaalfqkc4qmz76deyaaaaaâ€, which is consistent with the from address, at least. This isnâ€™t the sort of URL a real company website tends to use, but itâ€™s not that unusual for click tracking software to do something like this. Conclusion? Neutral 8. Atypical content links in the email We also have other links: * http://bp.specificclick.net?pixid=99015955 * http://ad.yieldmanager.com/pixel?id=550897&id=95457&id=102672&id=515007&t=2 * http://ad.doubleclick.net/activity;src=3286198;type=mari1;cat=rwdemls;ord=1; num=[Random Number]? * http://ib.adnxs.com/seg?add=1519 * http://action.mathtag.com/mm//MARI//red?nm=rwdemls&s0=&s1=& s2=&v0=&v1=&v2=&ri=[Random Number] * http://media.fastclick.net/w/tre?ad_id=26033;evt=13686;cat1=14501;cat2=14505 * http://images.bfi0.com/creative/spacer.gif (Those â€œ[Random Number]â€ bits arenâ€™t me hiding things. Thatâ€™s literally what is in the email.) Thatâ€™s an awful lot of other servers this mail is going to try and contact when you read it. Iâ€™m pretty sure that most of those are tracking links (but how many legitimate emails that advertise a single company and which are sent directly by that company, need to use half a dozen independent affiliate tracking links?). Conclusion? Doesnâ€™t look terribly honest. Maybe some sort of affiliate scam rather than a phish, though. 9. Most of the links in the email go to marriott-email.com, but then immediately redirect to marriott.com. This shows someone is tracking clicks, which is pretty common for mail sent via ESPs, so as to make click tracking information available to the client without the client having to do any work to capture data on their website. Conclusion? Real. 10. The unsubscription link goes to a terrible page with a set of checkboxes, rather than providing a simple unsubscription button. Conclusion? Sadly, thatâ€™s a sign that itâ€™s real. 11. Sending network configuration It was sent from a machine with reverse DNS of dmailer0112.dmx1.bfi0.com, but which claimed to be called dmx1.bfi0.com, not a valid hostname for the IP address it came from. This is pretty common misconfiguration of the network that happens at larger ESPs with complex outbound smarthost farms. Iâ€™d expect a phisher not to have that sort of mistake if they were sending from their own machine or through a botnet. And while â€œdmx1.bfi0.comâ€ could be an obscure end-user DSL, the reverse DNS of dmailer0112 looks like itâ€™s a system intended to send email, not a botnet. Conclusion? Real. Final Conclusion Youâ€™ve probably guessed by now. Itâ€™s real email, sent on behalf of Marriott Rewards through one of their ESPs. But if it takes me several minutes of groveling through the mail before I convince myself itâ€™s real, what chance does a typical consumer have of telling the difference between a well targeted phishing email and a typical piece of commercial email?