[HLUG] Odd security email

pl info at lifespacedesign.co.uk
Mon Oct 14 10:39:51 UTC 2019


Hi Gang,

Not my field at all; but could it be an automated system scraping up 
email addresses and then sending this one to check they are still active 
prior to the next level of attack?

There is also the matter of "building trust", which is an essential first 
stage of all con methods; as J says, the advice offered is sound ;)

MtG

Pete H@


On 13/10/19 23:03, Julian Robbins via Herefordshire wrote:
> Headers look ok to me.
>
> Authentication-Results: mx.google.com;
>         dkim=pass header.i=@booking.com header.s=bk header.b=G0zx9DNF;
>         spf=pass (google.com: domain of noreply at mailer.booking.com
> designates 37.10.30.5 as permitted sender) smtp.mailfrom=
> noreply at mailer.booking.com;
>         dmarc=pass
>
> SPF and DKIM are ok...
>
> Julian
>
> On Sun, 13 Oct 2019 at 23:02, Julian Robbins <joolsr1 at gmail.com> wrote:
>
>> Delivered-To: joolsr1 at gmail.com
>> Received: by 2002:a25:e6cb:0:0:0:0:0 with SMTP id d194csp3229343ybh;
>>          Sun, 13 Oct 2019 04:09:29 -0700 (PDT)
>> X-Google-Smtp-Source: APXvYqxcxL4Jog8KOMbIkM9j6fwn3dE9bkL0AshIlePkcCAy4LM+iL6ZeCM0WPOLlg9EUfY3epg9
>> X-Received: by 2002:a50:d794:: with SMTP id w20mr23191759edi.258.1570964969771;
>>          Sun, 13 Oct 2019 04:09:29 -0700 (PDT)
>> ARC-Seal: i=1; a=rsa-sha256; t=1570964969; cv=none;
>>          d=google.com; s=arc-20160816;
>>          b=0GkNK33QP4y44R5WIx1TFnq3OuLqyyD5JSCGVdQSB4scSPw8ir6ZIpw5GGv2vQVvzG
>>           h5C3XQCHVKY4NX/IYoW+b/fOrVntaYggEGRBdNjYF9JT+ywdIowRaGkQZkhVI9Iryq+E
>>           CCtwVZESLnMjCY/xatPgG5Vp6JPhwfZAcc8bHELOoSerVWxst7KoFm5sGadSFHN75MbS
>>           hL0pmM28dotaEEEUUALuc9n/BgtQk6L6WSnh2vSQtXaxLyMhJI/y1m17vSVoYAHbTOGC
>>           oGE7KXlSPeknPW1LJLsFxWqfRz5/e0BZlTDfpuxTUszaMz/MBAItggantuRUMTWa4Ecg
>>           InQQ==
>> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
>>          h=message-id:sender:from:to:subject:reply-to:date:mime-version
>>           :dkim-signature:content-transfer-encoding;
>>          bh=qo9stLkA7jDx1CC8eXAeu3vu6MeGIrIbzZkqHrTbe6A=;
>>          b=JLnTVmjzS2o/dCdiiqRyeeVpOVYoe1h/Y7MNfKVmVtV/g21EvtVEm32eRe8mVvVjwS
>>           KH+ULR+Wn4MGQA713Hm6JFg4aDs5wkPBS5v1Zql3JeaJmSKmHsXECy+bGo1zICEtRCRa
>>           pduSev4svTEROo3iT4EavKehK1c3i+R/G217w6WryNqiahOvkLCy4jgLcPfeBHMk7u0N
>>           f3XPWbDcy+lTlRBIuG0yczwqHAXGDMySjserIzi36nJTZ06ESznGA/ztGb4aSVv3+Bjj
>>           enxp8GF9a4YwCVbpuT6Tp8U0dYcY9K6uS8WkAz192nbLn7btsOzszhZmP2miOOsHV3Wt
>>           Fm5g==
>> ARC-Authentication-Results: i=1; mx.google.com;
>>         dkim=pass header.i=@booking.com header.s=bk header.b=G0zx9DNF;
>>         spf=pass (google.com: domain of noreply at mailer.booking.com designates 37.10.30.5 as permitted sender) smtp.mailfrom=noreply at mailer.booking.com;
>>         dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=booking.com
>> Return-Path: <noreply at mailer.booking.com>
>> Received: from mailout-202-r4.booking.com (mailout-202-r4.booking.com. [37.10.30.5])
>>          by mx.google.com with ESMTPS id h90si10371992edd.178.2019.10.13.04.09.29
>>          for <joolsr1 at gmail.com>
>>          (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
>>          Sun, 13 Oct 2019 04:09:29 -0700 (PDT)
>> Received-SPF: pass (google.com: domain of noreply at mailer.booking.com designates 37.10.30.5 as permitted sender) client-ip=37.10.30.5;
>> Authentication-Results: mx.google.com;
>>         dkim=pass header.i=@booking.com header.s=bk header.b=G0zx9DNF;
>>         spf=pass (google.com: domain of noreply at mailer.booking.com designates 37.10.30.5 as permitted sender) smtp.mailfrom=noreply at mailer.booking.com;
>>         dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=booking.com
>> Content-Transfer-Encoding: binary
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=booking.com; s=bk; t=1570964969; bh=qo9stLkA7jDx1CC8eXAeu3vu6MeGIrIbzZkqHrTbe6A=; h=Content-Type:MIME-Version:Date:Reply-To:Subject:To:From:Sender:
>> 	 Message-Id:From; b=G0zx9DNFiMTyUbeyJz6ogUVW2y/76u14/OzWF88P8/tR7Jx0lQsIyb++a62mdIGdz
>> 	 ZXP3qz029XCq2UhqaH0QTOyx1JB0WxqAjxCfFcQnS1GgmzuZIZSf5gfS9F+CyCRfTj
>> 	 FfDG9KlkXOQq+prAp55JRV3/pg/cQ3MEyu82ELzg=
>> Content-Type: multipart/alternative; boundary="_----------=_157096496947428667"
>> MIME-Version: 1.0
>> Date: Sun, 13 Oct 2019 13:09:29 +0200
>> Reply-To: noreply at booking.com
>> Subject: As a precaution, you need to reset your Booking.com password
>> To: joolsr1 at gmail.com
>> From: noreply at booking.com
>> Sender: noreply at booking.com
>> X-Bme-Id: 12464730202
>> Message-Id: <46rf8n2wSHzyD7 at outgoing--mailrouter-206.lhr4.prod.booking.com>
>>
>>
>>
>> On Sun, 13 Oct 2019 at 22:53, Keith Edmunds via Herefordshire <
>> herefordshire at mailman.lug.org.uk> wrote:
>>
>>>> I just received the email purporting to be from booking.com
>>> Paste the headers.
>>> --
>>> "You can lead a horse to water but you can't make it learn grammar" -
>>> Reddit
>>>
>>> --
>>> Herefordshire LUG mailing list
>>> Web:  http://www.herefordshire.lug.org.uk
>>> List: https://mailman.lug.org.uk/mailman/listinfo/herefordshire
>>
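Julian's reading of the Authentication-Results header is the check that matters here. As an added example that is not part of the original thread, the Python below reads the headers quoted above (copied from the message with the archive's " at " address obfuscation restored to "@"; the body is omitted) and reports what each pass means, including DMARC identifier alignment, which is why an SPF pass for noreply@mailer.booking.com still counts for a From: at booking.com under relaxed alignment. It does not verify the DKIM signature or query DNS; it only interprets what the receiving MTA recorded. The trusted authserv-id mx.google.com is an assumption for a Gmail recipient; the simplified organisational-domain rule is also an assumption (real checkers use the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the relevant headers from the message quoted above, with
# the list archive's " at " obfuscation restored to "@" and the body omitted.
SAMPLE = """\
Return-Path: <noreply@mailer.booking.com>
Authentication-Results: mx.google.com;
        dkim=pass header.i=@booking.com header.s=bk header.b=G0zx9DNF;
        spf=pass (google.com: domain of noreply@mailer.booking.com designates 37.10.30.5 as permitted sender) smtp.mailfrom=noreply@mailer.booking.com;
        dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=booking.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=booking.com; s=bk;
 t=1570964969; bh=qo9stLkA7jDx1CC8eXAeu3vu6MeGIrIbzZkqHrTbe6A=;
 h=Content-Type:MIME-Version:Date:Reply-To:Subject:To:From:Sender:
 Message-Id:From; b=G0zx9DNFiMTyUbeyJz6ogUVW2y/76u14/OzWF88P8/tR7Jx0lQsIyb++a62mdIGdz
 ZXP3qz029XCq2UhqaH0QTOyx1JB0WxqAjxCfFcQnS1GgmzuZIZSf5gfS9F+CyCRfTj
 FfDG9KlkXOQq+prAp55JRV3/pg/cQ3MEyu82ELzg=
Reply-To: noreply@booking.com
Subject: As a precaution, you need to reset your Booking.com password
From: noreply@booking.com

(body omitted)
"""


def parse_auth_results(value):
    """Split an Authentication-Results header (RFC 8601) into the authserv-id
    and one dict per method: {'result': ..., 'comment': ..., '<prop>': ...}."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0]
    results = {}
    for part in parts[1:]:
        comment = " ".join(re.findall(r"\(([^)]*)\)", part))
        tokens = re.sub(r"\([^)]*\)", "", part).split()
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower(), "comment": comment}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            entry[key.lower()] = val
        results[method.lower()] = entry
    return authserv_id, results


def parse_dkim_signature(value):
    """Turn the tag=value list of a DKIM-Signature header into a dict."""
    return dict(kv.strip().split("=", 1) for kv in value.split(";") if "=" in kv)


def org_domain(domain):
    """Organisational domain, simplified (assumption) to the last two labels.
    Real DMARC checkers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(domain, from_domain, strict=False):
    """DMARC identifier alignment: strict needs an exact match, relaxed only
    needs the same organisational domain."""
    if strict:
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def assess(raw, trusted_authserv="mx.google.com"):
    """Interpret what the receiving MTA recorded against the RFC 5322 From:
    domain. No signature verification and no DNS: this reads an
    Authentication-Results header you already trust (assumed: mx.google.com)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    authserv_id, res = parse_auth_results(msg["Authentication-Results"])
    spf, dkim, dmarc = (res.get(m, {}) for m in ("spf", "dkim", "dmarc"))
    sig = parse_dkim_signature(msg["DKIM-Signature"])

    mailfrom_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_domain = dkim.get("header.i", "").rpartition("@")[2]
    policy = re.search(r"\bp=(\w+)", dmarc.get("comment", ""))
    signed_fields = [f.strip().lower() for f in sig.get("h", "").split(":")]

    return {
        # Only trust the header your own MTA wrote; a sender can add its own.
        "authserv_trusted": authserv_id.lower() == trusted_authserv.lower(),
        "from_domain": from_domain,
        "spf_pass": spf.get("result") == "pass",
        "spf_aligned_relaxed": aligned(mailfrom_domain, from_domain),
        "spf_aligned_strict": aligned(mailfrom_domain, from_domain, strict=True),
        "dkim_pass": dkim.get("result") == "pass",
        "dkim_aligned": aligned(dkim_domain, from_domain),
        "dkim_selector": dkim.get("header.s", ""),
        "dkim_d_matches_i": sig.get("d", "").lower() == dkim_domain.lower(),
        "dmarc_pass": dmarc.get("result") == "pass",
        "dmarc_policy": policy.group(1) if policy else "",
        # From: is listed in h= more often than it occurs, so a second From
        # header added after signing would break verification.
        "from_oversigned": signed_fields.count("from") > len(msg.get_all("From", [])),
    }


if __name__ == "__main__":
    for key, val in assess(SAMPLE).items():
        print(f"{key:22} {val}")
```

For these headers the script reports SPF aligned only in relaxed mode (mailer.booking.com versus booking.com), DKIM signed by d=booking.com with selector bk and aligned with From:, DMARC pass under a p=REJECT policy, and From: over-signed in h=. A full pass of all three says the message was sent and signed by booking.com's own mail infrastructure, which is the conclusion Julian reached; it says nothing about whether the request inside is one you should act on.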



