a more elaborate spear phishing email than we have seen for a while

[Russell Fulton <r.fulton () AUCKLAND AC NZ>]

They have gone to the trouble of getting our correct postal address...

The reply-to is also interesting: help-desk () alumni com  I have done a
whois on this and it has been registered for a long time.
www.alumni.com has a parking banner, nothing else.



Russell

Begin forwarded message:

> From: "University () auckland ac nz" <University () auckland ac nz>
> Date: 9 May 2009 12:21:44 AM
> To: "-@.l" <-@.l>
> Subject: University of Auckland System Administration.
> Reply-To: "help-desk () alumni com" <help-desk () alumni com>
> Received: from UXCHANGE2.UoA.auckland.ac.nz (130.216.190.119) by
> uxchange7-fe1.UoA.auckland.ac.nz (130.216.190.107) with Microsoft
> SMTP Server id 8.1.291.1; Sat, 9 May 2009 00:22:42 +1200
> Received: from harpo.itss.auckland.ac.nz ([130.216.190.13]) by
> UXCHANGE2.UoA.auckland.ac.nz with Microsoft SMTPSVC(6.0.3790.1830);     
> Sat, 9 May 2009 00:22:42 +1200
> Received: from localhost (localhost.localdomain [127.0.0.1])    by
> harpo.itss.auckland.ac.nz (Postfix) with ESMTP id 3378A34E3A;   Sat,
> 9 May 2009 00:22:42 +1200 (NZST)
> Received: from harpo.itss.auckland.ac.nz ([127.0.0.1])  by localhost
> (smtpc.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024)       
> with ESMTP id gU8PZzArPKG7; Sat,  9 May 2009 00:22:41 +1200 (NZST)
> Received: from invictus.bright.net (invictus.bright.net
> [209.143.0.12]) by harpo.itss.auckland.ac.nz (Postfix) with ESMTP id
> CAB6834324;     Sat,  9 May 2009 00:21:45 +1200 (NZST)
> Received: from [192.168.1.30] by invictus.bright.net with
> SMTP          id
> <20090508122144.SECF10361.invictus@[192.168.1.30]>;          Fri, 8
> May 2009 08:21:44 -0400
> Thread-Topic: University of Auckland System Administration.
> Thread-Index: AcnP16/C9RDALalFTROhKcXXVkLBuA==
> Message-Id: <20090508122144.SECF10361.invictus@[192.168.1.30]>
> Accept-Language: en-AU, en-US, en-NZ
> Content-Language: en-US
> X-Ms-Exchange-Organization-Authas: Anonymous
> X-Ms-Exchange-Organization-Authsource: uxchange7-
> fe1.UoA.auckland.ac.nz
> X-Originalarrivaltime: 08 May 2009 12:22:42.0164 (UTC)
> FILETIME=[AF3C1B40:01C9CFD7]
> X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
> X-Spam-Status: No, score=-1.429 tagged_above=-200 required=5.5
> tests=[BAYES_00=-2.599, TO_MALFORMED=1.17]
> X-Spam-Flag: NO
> X-Spam-Score: -1.429
> X-Originating-Ip: [67.72.98.47]
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
> Mime-Version: 1.0
>
> The University of Auckland
> Private Bag 92019
> Victoria Street West
> Auckland 1142
>
> Dear Auckland account user,
>
> Thank you for subscribing to auckland.ac.nz Internet. As part of our
> continuous effort in providing a higher level of service, we are
> pleased to inform you that we have upgrade your e-mail account
> and you will have to reactivate your account. To complete your
> account activation with us, you must reply to this email
> Immediately and enter your account details as requested below.
>
> First Name:
> Last Name:
> User Name/ID:
> Password:
> Retype Password:
> Phone number
>
> You are required to do this before the next 48 hours of receipt of
> this email or your account will be de-activated from our database.
>
> NOTE: You will be sent an account activation code to the Email ID
> you provide in the next seven (7)
> Working days for security reasons.
>
> It is also pertinent, you understand that our primary concern is for
> our
> customers, and for the security of their files and data.
>
> Your account can also be verified using the link below:
> https://mail.fmhs.auckland.ac.nz/exchweb/bin/auth/owalogon.asp?url=https://mail.fmhs.auckland.ac.nz/exchange/&reason=0
>
> Thank you for using auckland.ac.nz.

Attachment: smime.p7s
Description: