
Thread: FAKE Adobe email

  1. #1
    Han Guest

    FAKE Adobe email

    I think this is a fake.
    Received at a different address from where I registered my Adobe Pro:
    <start copy of email>
    ADOBE PDF READER SOFTWARE UPGRADE NOTIFICATION

    This is to remind that a new version of Adobe Acrobat Reader with
    enhanced features for viewing, creating, editing, printing and internet-
    sharing PDF documents has been released.

    To upgrade your application:

    +Go to : http: don't use bad url //www. 2011-acrobat-reader-download .com


    + Download and upgrade your application.

    Copyright 2010 Adobe Systems Incorporated. All rights reserved.

    Adobe Systems Incorporated
    Attn: Change of Address/Privacy
    343 Preston Street
    Ottawa, ON K1S 1N4
    Canada.
    <end copy of email>

    --
    Best regards
    Han
    email address is invalid

  2. #2
    siljaline Guest

    Re: FAKE Adobe email

    There are others that are reporting similar incidents - bottom line, Adobe does not send update notifications
    by email.
    (http://www.dslreports.com/forum/r258...wnload-It-Now-)

    Silj


    --
    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neil Stephenson, _Cryptonomicon_


  3. #3
    Han Guest

    Re: FAKE Adobe email

    "siljaline" <spam@uce.gov> wrote in news:iq9ckq$pkk$1@dont-email.me:

    > There are others that are reporting similar incidents - bottom line,
    > Adobe does not send update notifications by email.
    > (http://www.dslreports.com/forum/r258...bat-Reader-Upd
    > ate-Download-It-Now-)
    >
    > Silj


    Thanks, Silj! That link confirms my suspicion.

    Where is Sealteam 6?
    (Only half joking - I think it's time to liquidate some of these criminals)

    --
    Best regards
    Han
    email address is invalid

  4. #4
    Mike Easter Guest

    Re: FAKE Adobe email

    Han wrote:
    > I think this is a fake.


    The best way to evaluate a suspect email is *not* by what it says in the
    body or by pasting the contents of the rendered body into a newsgroup to
    ask a question.

    The best way to evaluate a suspect email is by examining the mail's
    'source' headers.

    There are many ways to show the source, depending on whether you
    received the mail in OE, Tbird, some other agent or a webmail.

    I recommend that you do not even open a suspect mail 'first' to
    determine if it is suspect or real; but instead that any 'unknown' mail
    first be evaluated by its headers.

    However, that step requires that you develop some 'experience' with
    reading/parsing email headers.

    Absent any such experience, the next best thing you can do to determine
    the source of an email is to register at spamcop and process the source
    thru' spamcop and let it tell you where the mail came from.

    --
    Mike Easter

  5. #5
    siljaline Guest

    Re: FAKE Adobe email

    Han wrote:
    > Thanks, Silj! That link confirms my suspicion.
    >
    > Where is Sealteam 6?
    > (Only half joking - I think it's time to liquidate some of these criminals)


    If you still have the email, which seems consistent with the post from dsl reports, it should
    be reported to the ISP where it is being generated from.
    http://www.dslreports.com/forum/r258...wnload-It-Now-

    Folks getting these are getting duped and will get infected; it has to be stopped.

    If you need help with this, let me know.

    Regards,

    Silj


    --
    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neil Stephenson, _Cryptonomicon_


  6. #6
    Han Guest

    Re: FAKE Adobe email

    Mike Easter <MikeE@ster.invalid> wrote in
    news:92r0tbFaevU1@mid.individual.net:

    > Han wrote:
    >> I think this is a fake.

    >
    > The best way to evaluate a suspect email is *not* by what it says in
    > the body or by pasting the contents of the rendered body into a
    > newsgroup to ask a question.
    >
    > The best way to evaluate a suspect email is by examining the mail's
    > 'source' headers.
    >
    > There are many ways to show the source, depending on whether you
    > received the mail in OE, Tbird, some other agent or a webmail.
    >
    > I recommend that you do not even open a suspect mail 'first' to
    > determine if it is suspect or real; but instead that any 'unknown'
    > mail first be evaluated by its headers.
    >
    > However, that step requires that you develop some 'experience' with
    > reading/parsing email headers.
    >
    > Absent any such experience, the next best thing you can do to
    > determine the source of an email is to register at spamcop and process
    > the source thru' spamcop and let it tell you where the mail came from.


    Initially, I didn't display the full email in my firefox (gmail
    interface), just looked at the from as displayed by right-clicking.
    Googling that domain convinced me it was bad. Then I trashed it. In
    response to Silj's question, I displayed it and did what I mentioned to
    him.

    Good thing that gmail's filtering is pretty good ...

    --
    Best regards
    Han
    email address is invalid

  7. #7
    David H. Lipman Guest

    Re: FAKE Adobe email

    From: "Han" <nobody@nospam.not>

    >
    > I still have the email in my gmail trash. The headers are reported as:
    >
    > from Adobe Systems Incorporated reply@adobesystems.com
    > reply-to reply@adobesystems.com
    > to mygmail.com
    > date Mon, May 9, 2011 at 3:30 AM
    > subject Adobe PDF Reader Software Upgrade Notification
    > mailed-by returnpath.bluehornet.com
    > signed-by bluehornet.com
    > unsubscribe Unsubscribe from this sender
    >
    > Shoot. I clicked on report phishing to google, and now the email has
    > disappeared from the trash. I apparently also clicked on an unsubscribe
    > link that was sent to
    > unsub-12345-echo4-bighexnumber@listunsub.bluehornet.com
    > (munged)
    >
    > --


    That's not a complete email header. But, don't worry, it isn't that important.


    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  8. #8
    Mike Easter Guest

    Re: FAKE Adobe email

    Han wrote:
    > Mike Easter
    >> Han wrote:
    >>> I think this is a fake.


    >> The best way to evaluate a suspect email is by examining the mail's
    >> 'source' headers.


    > Initially, I didn't display the full email in my firefox (gmail
    > interface), just looked at the from as displayed by right-clicking.
    > Googling that domain convinced me it was bad. Then I trashed it. In
    > response to Silj's question, I displayed it and did what I mentioned to
    > him.
    >
    > Good thing that gmail's filtering is pretty good ...


    In gmail you can see the message source by selecting the mail item
    (which displays/opens it) and adjacent to the top right Reply button is
    an arrow for a menu which contains the function 'show original'.

    That original is the 'message source' which contains complete headers
    and the unrendered version of the email.

    The Received from: lines are the tracelines which are stacked/added from
    bottom to top tracing the item from source to destination. When spam
    headers are traced or 'parsed' for source, those tracelines are chained
    from top backwards to 'bottom' to the source, avoiding chaining any
    preloaded misleading bogus lines to the last real one above it.


    --
    Mike Easter
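
The top-down chaining of Received lines described in the post above, as an added example that is not part of the original thread. The message source, host names and IP addresses are constructed sample values, `trace` is a hypothetical helper, and exact host-name matching between hops is a simplifying assumption.

```python
import re
from email import message_from_string

# Constructed sample message source; all hosts and IPs are documentation values.
RAW = """\
Received: from relay.bulkmailer.example (relay.bulkmailer.example [203.0.113.25])
\tby mx.mailprovider.example with ESMTP id abc123;
\tMon, 9 May 2011 03:30:12 -0700 (PDT)
Received: from app01.bulkmailer.example (app01.bulkmailer.example [198.51.100.7])
\tby relay.bulkmailer.example with ESMTP id def456;
\tMon, 9 May 2011 03:30:10 -0700 (PDT)
Received: from mail.vendor.example (mail.vendor.example [192.0.2.10])
\tby outbound.vendor.example with SMTP id zzz999;
\tMon, 9 May 2011 03:29:00 -0700 (PDT)
From: "Software Updates" <reply@sender.example>
Subject: constructed sample

body
"""

# from <name> (<rdns> [<ip>]) ... by <receiving host>
HOP = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9a-fA-F.:]+)\]\).*?\bby\s+(\S+)", re.S)

def trace(raw, trusted_by):
    """Walk Received lines from the top down.

    trusted_by is the host of your own mail provider, the only line you can
    trust outright. Returns (hops, source_ip, ignored_line_count).
    """
    headers = message_from_string(raw).get_all("Received") or []
    hops, expected_by = [], trusted_by
    for i, value in enumerate(headers):
        m = HOP.search(value)
        # The chain breaks when a line cannot be parsed or its 'by' host is not
        # the host that the line above recorded as the sender. Everything from
        # that point down may have been preloaded by the sender.
        if not m or m.group(3).lower() != expected_by.lower():
            return hops, (hops[-1][1] if hops else None), len(headers) - i
        hops.append((m.group(1), m.group(2), m.group(3)))
        expected_by = m.group(1)
    return hops, (hops[-1][1] if hops else None), 0

if __name__ == "__main__":
    hops, source_ip, ignored = trace(RAW, "mx.mailprovider.example")
    print("last chained source:", source_ip, "| ignored lines:", ignored)
```

Real relays often log differing internal and external host names, so a strict name match can stop the chain early; the bracketed IP recorded by each receiving server is the value to act on when reporting.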

  9. #9
    Mike Easter Guest

    Re: FAKE Adobe email

    Han wrote:
    > I think this is a fake.


    > This is to remind that a new version of Adobe Acrobat Reader with
    > enhanced features for viewing, creating, editing, printing and internet-
    > sharing PDF documents has been released.


    Here's a screenshot of the/your rendered phish body

    http://www.pcworld.com/zoom?id=227423&page=1&zoomIdx=1

    However, the article about it^1 didn't explore how the phish payload worked.

    In the past, one could access the newsgroup
    news.admin.net-abuse.sightings and be able to find a source example of
    your item because other recipients of the spam/phish/scam would have
    auto-submitted to the sightings group, but that process is no longer active.


    ^1
    http://www.pcworld.com/businesscente...ing_scams.html
    Watch Out for Adobe Phishing Scams - May 9, 2011


    --
    Mike Easter

  10. #10
    Han Guest

    Re: FAKE Adobe email

    Mike Easter <MikeE@ster.invalid> wrote in
    news:92rpugFmjgU1@mid.individual.net:

    > Han wrote:
    >> I think this is a fake.

    >
    >> This is to remind that a new version of Adobe Acrobat Reader with
    >> enhanced features for viewing, creating, editing, printing and
    >> internet- sharing PDF documents has been released.

    >
    > Here's a screenshot of the/your rendered phish body
    >
    > http://www.pcworld.com/zoom?id=227423&page=1&zoomIdx=1
    >
    > However, the article about it^1 didn't explore how the phish payload
    > worked.
    >
    > In the past, one could access the newsgroup
    > news.admin.net-abuse.sightings and be able to find a source example of
    > your item because other recipients of the spam/phish/scam would have
    > auto-submitted to the sightings group, but that process is no longer
    > active.
    >
    >
    > ^1
    > http://www.pcworld.com/businesscente...h_out_for_adob
    > e_phishing_scams.html Watch Out for Adobe Phishing Scams - May 9, 2011



    Thanks, Mike, David & Silj. Whatever I did hasn't (yet) had any bad
    consequences. I hope reporting it to gmail will filter it for others.

    --
    Best regards
    Han
    email address is invalid
