I posted this to my website, if you prefer referencing a URL to forwarding image-laden email.




From: Technology Discussion at UVM [mailto:[log in to unmask]] On Behalf Of Geoffrey Duke
Sent: Wednesday, March 23, 2011 2:48 PM
To: [log in to unmask]
Subject: How to catch a phish


I’ve received several phishing attempts recently, this time masquerading as mail from Twitter. I thought I’d share how I recognized this as an attack. Many list members already know this stuff, but I thought I’d share since we still see folks responding to these kinds of attacks.


1. Unexpected


Before I even looked at the content of the message, I was suspicious because I don’t have any twitter stuff associated with my UVM email. I could have deleted the message then and, if I was using twitter, logged into my twitter account directly to see if something was going on.


But I wondered how the message was crafted, so I opened it with awareness.


2. False link


A false link shows a web address in the message, but the link that is attached to it is different. Below, my mail program shows that the link will actually send me to





Thunderbird actually throws a warning about the suspicious nature of the message. Also, when I hover my mouse pointer over the link, the real address is displayed in the status bar on the bottom of the Window.





Webmail shows a warning, and my web browser displays the real link address at the bottom of the screen.




That’s enough for me to hear Admiral Ackbar in the back of my head.


3. Strange headers


If you look at the full header information, you can see some interesting details about the email message. Here are some of the headers from the message above:


Return-Path: <[log in to unmask]>
Received: from ( [])
                by (8.13.7/8.13.7) with ESMTP id p2M6r9Qj004516
                for <[log in to unmask]>; Tue, 22 Mar 2011 02:53:09 -0400
Received: from ( [])
                by (8.14.4/8.14.4) with SMTP id p2M6r7vT022753
                for <[log in to unmask]>; Tue, 22 Mar 2011 02:53:08 -0400
Received: by (Postfix, from userid 1181305386)
        id 026EA983D3C; Tue, 22 Mar 2011 07:24:17 +0000 (UTC)
X-Mailer: MIME-tools 5.427 (Entity 5.427)
From: "Twitter" <[log in to unmask]>
Subject: You have notifications pending
To: [log in to unmask]


Looking at the Received: headers, we should see an entry for each email server that handled the message from origin to destination. I note that the first Received header (bottom one) is missing the from phrase that’s part of the others. So even though it says, it’s a crudely forged entry, but makes for a good example.


Also, in the second (middle) Received header, I see that UVM’s server warthog actually got the message from a computer called That’s not twitter. And what’s with the Return-Path address, [log in to unmask]? More junk.


I hope this is helpful info. Here are a few links with more info:




Geoffrey Duke
802.656.1172 |
Sr System Administrator | Enterprise Technology Services | University of Vermont
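Added example (not part of Geoffrey's post): a small Python checker that automates the two signs described above, an anchor whose displayed address names a different host than its real href, and a Received: header whose oldest hop lacks the "from" phrase. The sample message, its hostnames and ids are constructed placeholders, not headers from the real phish.

```python
import email.policy
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (placeholder hosts): oldest hop lacks "from"; link text and href disagree.
RAW = b"""Received: from relay.example.invalid (relay.example.invalid [192.0.2.10])
\tby mail.example.edu with ESMTP id PLACEHOLDER1; Tue, 22 Mar 2011 02:53:08 -0400
Received: by origin.example.invalid (Postfix, from userid 1000)
\tid PLACEHOLDER2; Tue, 22 Mar 2011 07:24:17 +0000 (UTC)
Content-Type: text/html

<p>See <a href="http://phish.example.invalid/login">http://twitter.com/login</a></p>
"""
class _Links(HTMLParser):  # collects (href, displayed text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def _host(text):  # hostname named by a URL or bare domain in link text; '' if none
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    return m.group(1) if m else ""

def false_links(html):
    """(displayed text, real href) pairs whose hostnames disagree."""
    p = _Links()
    p.feed(html)
    return [(t, h) for h, t in p.links
            if _host(t) and _host(t) != (urlparse(h).hostname or "")]

def received_without_from(msg):
    """Indexes (0 = newest hop) of Received headers that do not start with 'from'."""
    return [i for i, h in enumerate(msg.get_all("Received", []))
            if not str(h).lstrip().lower().startswith("from ")]

def analyze(raw):
    """Run both checks on a raw RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("html",))
    return {"received_without_from": received_without_from(msg),
            "false_links": false_links(body.get_content() if body else "")}
```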