Latest spam

[Red Roo]

Some of you may have received an email today from what looks like “Qantas Frequent Flyer”.

This is definitely spam and should be deleted without opening any links or attachments.

While Qantas Security have been made aware of this, all Frequent Flyer members are reminded to only ever use qantas.com to access their accounts.

Some details to look out for this time:

- sent from a non-Qantas email address
- old Frequent Flyer logo
- addressed to "Dear Esteemed Customer"

If you've received such an email, I would also encourage you to report it to SCAMwatch home.

 

[Jhig]

Thanks for that, Bloody spammers

 

[JohnK]

Thanks. And here I am thinking every email I receive from Qantas is genuine.

 

[russ]

For a second there, I thought QF was announcing that they were serving Spam in the J lounge.

It would be an improvement!

 

[serfty]

Thanks. And here I am thinking every email I receive from Qantas is genuine.

Except that the emails referred to here ARE NOT from Qantas, but they are genuine spam.

To put it a better way, not all emails sporting a Qantas logo are actually from Qantas

 

[medhead]

Except that the emails referred to here ARE NOT from Qantas, but they are genuine spam.

To put it a better way, not all emails sporting a Qantas logo are actually from Qantas

It is a true statement, however, every email from Qantas is genuinely from qantas.

Thanks. And here I am thinking every email I receive from Qantas is genuine.

That is still the case. Every email from qantas is from Qantas.

 

[serfty]

...

That is still the case. Every email from qantas is from Qantas.

Indeed, that is completely correct.

JohnK's post was indeed accurate - but not relevant to this thread which is about emails NOT from Qantas (even though they may look so).

 

[Red Roo]

...not all emails sporting a Qantas logo are actually from Qantas

Especially when it's an old logo!

 

[JohnK]

Except that the emails referred to here ARE NOT from Qantas, but they are genuine spam.

To put it a better way, not all emails sporting a Qantas logo are actually from Qantas

Right. Some spam emails look extremely dodgy and one stays away from those.

Others well. I do not inpect every single email I receive to ensure that it is genuine before opening so I could easily be caught out with some of the spam emails that look very good.

And yes I do click on links in emails from Qantas and Virgin for OLCI/web check-in. The Qantas one takes me straight into the booking without me logging in to system.

 

[pandaflyer]

slightly OT, but silly question why is it spammers can not use the correct logo its not like right click save image as is hard, in fact I would have to go searching to find an old logo...

 

[harvyk]

It is a true statement, however, every email from Qantas is genuinely from qantas.
That is still the case. Every email from qantas is from Qantas.

That's not true at all, it is entirely possible to send mail from Qantas despite having no connection to the company. Whilst some mail servers will block such spoofed mail, there are still many out there which do not, and it would take a network engineer (or at least someone who knows how to read mail headers and who has time to do a trace on IP's) to spot the difference.

slightly OT, but silly question why is it spammers can not use the correct logo its not like right click save image as is hard, in fact I would have to go searching to find an old logo...

Actually it's in the interest of spammers to intentionally place mistakes into their emails, they are trying to catch out the truly unaware, so by putting in intentional mistakes it acts as a filter to prevent more suspicious people from "wasting their time". Little point sending out 1000 emails to 1000 people all who would then respond because it looks legit but only 1 of them would actually hand over important information like credit card numbers. Chances are that 1 person who falls for the "legit" looking email would probably still fall for a not so legit email but the majority of those 999 others would not even bother to reply.

 

[grussellt]

I don't think we will ever see this linked to Qantas!

 

[JohnK]

That is still the case. Every email from qantas is from Qantas.

Thanks for your insightfullness.

Now I am safe knowing that whenever I receive an email from Qantas with proper logo that it is Qantas sending that email not a spammer.

 

[medhead]

That's not true at all, it is entirely possible to send mail from Qantas despite having no connection to the company.

If qantas did not authorise the email then by definition it is not from Qantas.

 

[medhead]

Thanks for your insightfullness.

Now I am safe knowing that whenever I receive an email from Qantas with proper logo that it is Qantas sending that email not a spammer.

Thanks for your sarcasm. I Can only work within the constrains of your post.

 

[harvyk]

If qantas did not authorise the email then by definition it is not from Qantas.

Yeah, but when I send an email which looks like it's from Qantas, including from the [email protected] address, and use the same sort of formatting as the standard qantas email, you'd be hard pressed to pick the difference.
Yes some email systems will do what's called a reverse look up on @email.qantas.com and find out that the email did not actually come from QF (and thus block it), but there are quite a lot out there which don't.

So just saying "qantas did not authorise" doesn't mean a lot.

The only thing that would trip me up with such an email is getting the persons name right (although that can sometimes be guessed based on the email address), and their status credit / point balance. Again put some fake numbers in, some people might complain to QF, most probably won't...

 

[medhead]

Yeah, but when I send an email which looks like it's from Qantas, including from the [email protected] address, and use the same sort of formatting as the standard qantas email, you'd be hard pressed to pick the difference.
Yes some email systems will do what's called a reverse look up on @email.qantas.com and find out that the email did not actually come from QF (and thus block it), but there are quite a lot out there which don't.

So just saying "qantas did not authorise" doesn't mean a lot.

The only thing that would trip me up with such an email is getting the persons name right (although that can sometimes be guessed based on the email address), and their status credit / point balance. Again put some fake numbers in, some people might complain to QF, most probably won't...

Some one pretending to be qantas is not qantas.

 

[harvyk]

Some one pretending to be qantas is not qantas.

So how would you know that it's not qantas?

 

[medhead]

So how would you know that it's not qantas?

Irrelevant question. Here is the post to which I replied. Read it and you will see a tautology. Every email from qantas is genuinely from qantas. It really isn't hard to understand the point, is it?

As for technicalities, I'd be more interested to know how someone in the it profession can even seriously have such a view.

Thanks. And here I am thinking every email I receive from Qantas is genuine.

 

[harvyk]

As for technicalities, I'd be more interested to know how someone in the it profession can even seriously have such a view.

So you want to know the technicalities behind how spoofing an email works, fine here you go...



Email uses a couple of different protocols to get from A to B.

The most common one, at least from the sender to your ISP is one called SMTP or Simple Mail Transfer Protocol. This is a pretty trusting protocol considering that once you have said I have some mail for you, the responding server simply says “cool, what email sent it”.
Now most email clients will then use the real email address, however there is nothing stopping a person from putting in any email address they like. A packet could look something like this.

EHLO relay.email.qantas.com
MAIL FROM: [email protected]
RCPT TO: [email protected]
Ect… (I’m not going to do a full SMTP packet for you, but look up Wikipedia if you are interested)

Now quite a few email servers would happily accept this and do no further checking that I really was from relay.email.qantas.com and that [email protected] actually existed.
There is a feature which some email servers have which is called reverse DNS lookup. Now when it looks up email.qantas.com it will get 199.7.200.25 (actually in the example of the internet header below, it’d look for omp.email.qantas.com, which is 199.7.202.86). Since I will be coming from a different IP address (say 190.51.100.82 for example) the ISP’s mail server would drop the mail as a spoof, here is the thing, the ISP needs to have either actively installed spam filters which do this look up, or need to have enabled it on their mail server. This is not done as a default part of SMTP. This also means that there are still many ISP’s out there which will not do this check.

Now what you’ll have is an email from [email protected], which looks like it’s from Qantas, and unless you look into the internet headers which I have provided an excerpt of a valid one from below and can determine that 190.51.100.82 does not belong to Qantas you’d assume that it was, because your email program (eg outlook) will say it’s an email from [email protected], and that it was valid.

Received: from omp.email.qantas.com ([199.7.202.86]) by (blanked for privacy reasons)
with XWall v3.49. ; Wed, 30 Oct 2013 11:13:40 +1100
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=qantas; d=email.qantas.com;
h=MIME-Version:Content-Type:Content-Transfer-Encodingate:To:From:Reply-To:Subject:List-Unsubscribe:Message-ID; [email protected];
bh=H3DKhj5vbZV2ui9N5ZsM+9PUlPA=;
b=iffDl9wl30fuSMMQBKM3fVfRMkuim6J1QsfPoikWj4g1r7TfsdXphAgrqWKkUqxkCb8Edj+6ddWw
UeLB8fbeo6oGpUzxFT+mojfieWKX5ilRtEHITCz3EIKHCL56A6JG5/i+3Cf6R1iSqf/NtOPDCdPD
uHUxQQi4YtiNhGVDiAY=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=qantas; d=email.qantas.com;
b=jeGbLarXeyiQMgehBvnOVGoO2kXYn66eCtM6Ew0p9R71/gaWIjmwe14LsXqTRSun+6FVnjZLJZtJ
wjHcvLRwo+UFCp3QdKyNS/zKcFLvIgr5Lyo3uVYq+Cpo1CYgBX/itOePQFmDVxaOVbPOQ/0kpI2c
lY+w7rgRgjL2mFVNv6Y=;
Received: by omp.email.qantas.com id he17l41607go for
<(privacy reasons)>; Tue, 29 Oct 2013 17:14:09 -0700 (envelope-from
<[email protected]>)
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable

PS. before a mod or admin delete's this message, this is all information which Qantas's mail servers / dns servers send out publicly. It can be easily obtained by anyone who has nslookup installed and who has ever received an email from Qantas. This is not a how to guide, as it is missing a few key elements for sending actual spoof emails.