If you have a look at the URL post, the actual site address is written in the code. It's the same as the Westpac email I got last week:
http://olb.westpac.com.au:UserSession=2f4d0zzz899amaiioiiabv5589955&userrstste=SecurityUpdate&[EMAIL PROTECTED]
This is where they are actually coming from: 69.61.29.81

> Hi everyone,
>
> I just received one of those emails supposedly from St. George, telling
> me to log in to their website and update my records. Since I am not a
> St. George customer, I was a little suspicious :-D
>
> Looking through the email, the scam worked by having a HREF tag
> containing the real St. George address followed by umpteen spaces (I
> guess around 160) followed by "[EMAIL PROTECTED]". So even if the mouse
> hovered over the link, the address displayed in the status bar would
> still appear correct.
>
> St. George are aware of this, and have a note on their own web page
> warning people about this hoax.
>
> Anyway, to my question. Just out of curiosity, I wondered if I could
> work out where this email came from. Here is the relevant data from the
> header:
>
> Received: from localhost (localhost [127.0.0.1])
>     by andrewm.localdomain (8.12.8/8.11.6) with ESMTP id
>     h7KLKhj3005981
>     for <[EMAIL PROTECTED]>; Thu, 21 Aug 2003 07:20:44 +1000
> X-From_: [EMAIL PROTECTED] Wed Aug 20 22:18:49 2003
> Envelope-to: [EMAIL PROTECTED]
> Delivery-date: Wed, 20 Aug 2003 22:18:49 +0100
> Received: from xxx.freeserve.com [195.92.195.154]
>     by localhost with POP3 (fetchmail-6.2.0)
>     for [EMAIL PROTECTED] (single-drop); Thu, 21 Aug 2003 07:20:44
>     +1000 (EST)
> Received: from [203.2.192.89] (helo=mta08.mail.mel.aone.net.au)
>     by imailg2.svr.pol.co.uk with esmtp (Exim 4.14)
>     id 19paLw-0000ge-QM
>     for [EMAIL PROTECTED]; Wed, 20 Aug 2003 22:18:49 +0100
> Received: from [66.26.168.93] by mta08.mail.mel.aone.net.au with SMTP
>     id
>     <[EMAIL PROTECTED]>
>     for <[EMAIL PROTECTED]>; Thu, 21 Aug 2003 07:18:46 +1000
> Date: Thu, 21 Aug 2003 01:19:50 -0400
> From: [EMAIL PROTECTED]
>
>
> The stuff I have xxx'd out is my email accounts.
>
> Now as far as I can tell, mta08.mail.mel.aone.net.au would have to be
> the starting point in the chain. I presume that this is an OzEmail mail
> server, since there is nothing else in the list that appears to be
> OzEmail, and the email in question was sent to my OzEmail account.
>
> Does this mean that the originator sent the email from OzEmail? Or that
> the OzEmail mail server allows relaying?
>
> Or has the chain been lost somewhere?
>
> Or has SpamAssassin deleted part of the header (I doubt this, because
> if this was the case, then more of the header should have gone).
>
> As I said: this is just out of curiosity. Anyone have any thoughts?
>
> Regards, Andrew

--
Regards,
Kevin Saenz

Spinaweb I.T consultants
Ph: 02 4620 5130
Fax: 02 4625 9243
Mobile: 0418455661
Web: http://www.spinaweb.com.au
--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
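
The link trick described in both messages above (a bank host name placed in the URL's userinfo part, optionally padded with spaces, then `@` and the real host), as an added example that is not part of either message: a Python check a mail filter could run over HTML bodies. The hosts `bank.example`, `files.example` and `192.0.2.10`, the sample body and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

AUTHORITY = re.compile(r"^\s*[a-z][a-z0-9+.-]*://([^/?#]*)", re.I)
HOSTLIKE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)

def inspect_href(href):
    """Return a finding if the userinfo before '@' imitates a host name, else None."""
    m = AUTHORITY.match(href)
    if not m or "@" not in m.group(1):
        return None
    # The connection goes to what follows the last '@'; the rest is userinfo.
    userinfo, _, hostport = m.group(1).rpartition("@")
    userinfo = unquote(userinfo)  # padding may be literal spaces or %20
    shown = HOSTLIKE.match(userinfo.strip())
    real = hostport if hostport.startswith("[") else hostport.rsplit(":", 1)[0]
    if not shown or shown.group(0).lower() == real.lower():
        return None  # plain user@host logins are not flagged
    return {"shown": shown.group(0).lower(), "real_host": real.lower(),
            "padding": sum(c.isspace() for c in userinfo)}

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if tag == "a" and name == "href" and value:
                finding = inspect_href(value)
                if finding:
                    self.findings.append(finding)

def audit_html(body):
    parser = LinkAudit()
    parser.feed(body)
    parser.close()
    return parser.findings

# Constructed sample body: all hosts below are placeholders.
SAMPLE = (
    '<a href="http://www.bank.example' + " " * 160 + '@192.0.2.10/login">Update</a>'
    '<a href="http://olb.bank.example:UserSession=abc123@192.0.2.10/update">Log in</a>'
    '<a href="ftp://alice@files.example/pub">Files</a>'
)

if __name__ == "__main__":
    for f in audit_html(SAMPLE):
        print(f)
```

The `padding` count separates the space-padded variant from the session-string variant; either finding means the host a reader sees first is not the host the link connects to.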
