I posted this to my website, if you prefer referencing a URL to forwarding
image-laden email.




From: Technology Discussion at UVM [mailto:[log in to unmask]] On
Behalf Of Geoffrey Duke
Sent: Wednesday, March 23, 2011 2:48 PM
To: [log in to unmask]
Subject: How to catch a phish


I've received several phishing attempts recently, this time masquerading as
mail from Twitter. I thought I'd share how I recognized this as an attack.
Many list members already know this stuff, but I thought I'd share since we
still see folks responding to these kinds of attacks.


1. Unexpected


Before I even looked at the content of the message, I was suspicious because
I don't have any twitter stuff associated with my UVM email. I could have
deleted the message then and, if I was using twitter, logged into my twitter
account directly to see if something was going on.


But I wondered how the message was crafted, so I opened it with awareness.


2. False link


A false link shows a web address in the message, but the link that is
attached to it is different. Below, my mail program shows that the link will
actually send me to




Thunderbird actually throws a warning about the suspicious nature of the
message. Also, when I hover my mouse pointer over the link, the real address
is displayed in the status bar at the bottom of the window.




Webmail shows a warning, and my web browser displays the real link address
at the bottom of the screen.



That's enough for me to hear Admiral Ackbar in the back of my head.


3. Strange headers


If you look at the full header information, you can see some interesting
details about the email message. Here are some of the headers from the
message above:


Return-Path: <[log in to unmask]>
Received: from ( [])
                by (8.13.7/8.13.7) with ESMTP id
                for <[log in to unmask]>; Tue, 22 Mar 2011 02:53:09 -0400
Received: from
( [])
                by (8.14.4/8.14.4) with SMTP id
                for <[log in to unmask]>; Tue, 22 Mar 2011 02:53:08 -0400
Received: by (Postfix, from userid 1181305386)
        id 026EA983D3C; Tue, 22 Mar 2011 07:24:17 +0000 (UTC)
X-Mailer: MIME-tools 5.427 (Entity 5.427)
From: "Twitter" <[log in to unmask]>
Subject: You have notifications pending
To: [log in to unmask]


Looking at the Received: headers, we should see an entry for each email
server that handled the message from origin to destination. I note that the
first Received header (bottom one) is missing the from phrase that's part of
the others. So even though it says, it's a crudely forged
entry, but makes for a good example.


Also, in the second (middle) Received header, I see that UVM's server
warthog actually got the message from a computer called That's not twitter. And what's with the
Return-Path address, [log in to unmask]? More junk.


I hope this is helpful info. Here are a few links with more info: 




Geoffrey Duke
802.656.1172 | Sr System Administrator |
Enterprise Technology Services |
University of Vermont
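The two checks described in sections 2 and 3 above (a displayed web address whose real link goes elsewhere, and a Received: chain whose hops don't agree with each other) can be automated. The script below is an added example written for this page; it is not from the original post or from any mail tool. The sample message is constructed: all hostnames, addresses and IDs in it are made up (the forged "by twitter.com" hop and the "twitter.com" display text mirror the post's scenario, everything else is placeholder), and the parsing is deliberately simple rather than a full RFC 5322 implementation.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (hypothetical hosts and IDs), shaped like the phish in the post:
# a bottom Received header with no "from" clause, a middle hop that received the
# mail from a host the forged hop never mentions, a mismatched Return-Path, and
# an HTML link whose visible text does not match its href.
SAMPLE = """Return-Path: <bounce@mailer.example.net>
Received: from relay.example.edu (relay.example.edu [192.0.2.10])
\tby mx.example.edu (8.13.7/8.13.7) with ESMTP id p2M6r9Ab012345
\tfor <user@example.edu>; Tue, 22 Mar 2011 02:53:09 -0400
Received: from mailer.example.net (mailer.example.net [198.51.100.7])
\tby relay.example.edu (8.14.4/8.14.4) with SMTP id p2M6r8Cd067890
\tfor <user@example.edu>; Tue, 22 Mar 2011 02:53:08 -0400
Received: by twitter.com (Postfix, from userid 1181305386)
\tid 0123456789AB; Tue, 22 Mar 2011 07:24:17 +0000 (UTC)
From: "Twitter" <notify@twitter.com>
Subject: You have notifications pending
To: user@example.edu
Content-Type: text/html

<p>Please visit <a href="http://login.example-phish.net/twitter">http://twitter.com/account</a></p>
"""

CLAUSE = re.compile(r"\b(from|by|with|id|for)\s+(\S+)")


def _strip_comments(text):
    """Remove (possibly nested) parenthesised comments such as '(Postfix, from userid 1)'
    so that words inside them are not mistaken for Received clauses."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", "", text)
    return text


def parse_received(value):
    """Split one Received header into its from/by/with/id/for clauses and date."""
    text = re.sub(r"\s+", " ", value).strip()
    head, sep, date = text.rpartition(";")
    if not sep:  # no date part present
        head, date = text, ""
    fields = {}
    for m in CLAUSE.finditer(_strip_comments(head)):
        fields.setdefault(m.group(1), m.group(2).strip("<>"))
    fields["date"] = date.strip()
    return fields


def check_received_chain(hops):
    """hops: parsed Received headers in delivery order (origin first).
    Flags hops lacking a 'from' clause and hops whose 'by' host is not the
    host the next hop says it received the message from."""
    findings = []
    for i, hop in enumerate(hops, start=1):
        if "from" not in hop:
            findings.append(f"hop {i}: no 'from' clause (claims by={hop.get('by', '?')})")
    for i in range(len(hops) - 1):
        claimed, seen = hops[i].get("by"), hops[i + 1].get("from")
        if claimed and seen and claimed.lower() != seen.lower():
            findings.append(f"hop {i + 2}: received from {seen}, but hop {i + 1} "
                            f"claims it was handled by {claimed}")
    return findings


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


URL_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def find_false_links(html):
    """Return (shown_host, real_host) for links whose visible text looks like a
    URL on one host while the href points at a different host."""
    parser = _LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        m = URL_LIKE.match(text)
        if not m:
            continue
        shown = m.group(1).lower()
        real = (urlparse(href).hostname or "").lower()
        if real and real != shown and not real.endswith("." + shown):
            out.append((shown, real))
    return out


def analyze_message(raw):
    """Run the header-chain, Return-Path and false-link checks on a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    # get_all returns headers top to bottom; the bottom one is the origin hop.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    findings = check_received_chain(hops)
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    false_links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            false_links.extend(find_false_links(body))
    return {"received": findings, "false_links": false_links}


if __name__ == "__main__":
    for key, items in analyze_message(SAMPLE).items():
        print(key)
        for item in items:
            print("  -", item)
```

Run against the constructed sample, it reports the origin hop with no "from" clause, the middle hop receiving the mail from a host other than the one the forged hop names, the Return-Path/From domain mismatch, and the twitter.com display text pointing at login.example-phish.net; on a legitimately relayed message with consistent hops the received findings list is empty. Hop-mismatch checks do produce noise on real mail (internal relays, load balancers), so treat them as a prompt to read the headers, not as a verdict.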