May 15, 2009

How stupid do you have to be to fall for this?

Yet another transparent phishing scam trying to get me to reveal my userid and password under the guise of protecting me from "spam":

From: helpdesk@carleton.ca <robert.maguire@eircom.net>
Reply-To: techdept@info.It
Date: 04:39 AM
To: ..@...

Dear carleton.ca User

Your email account has been used to send numerous Spam mails recently from a foreign IP. As a result, the carleton.ca has received advice to suspend your account. However, you might not be the one promoting this Spam, as your email account might have been compromised. To protect your account from sending spam mails, you are to confirm your true ownership of this account by providing your original Username (*******) and Password (*******) as a reply to this message. On receipt of the requested information, the "carleton.ca" web email support shall block your account from Spam.

Failure to do this will violate the carleton.ca email terms & conditions. This will render your account inactive.

NOTE: You will be send a password reset message in next seven (7) working days after undergoing this process for security reasons.

Thanks for using carleton.ca

Carleton University, Webmail Access (Powered By Eircom).
(c) 2009 Carleton University, All rights reserved

--------------------------
Find the home of your dreams with eircom net property
Sign up for email alerts now http://www.eircom.net/propertyalerts

  1. If you're going to pretend to be the Carleton "helpdesk," then it helps not to reveal your real email address in the From: line. That is, assuming you really are Robert Maguire, which is doubtful.
  2. Along the same lines, don't advertise your own ISP in the signature line. Helpdesk techs typically have more meaningful sigs: you know, along the lines of "Robert Maguire, Carleton Help Desk, 613-555-1212 x1234, rmaguire@carleton.ca."
  3. If I have an account with a carleton.ca domain name, chances are I'm a student or an employee. It's a school, not a service provider. You don't have to thank me for "using" it; it's part of the job description.
  4. Coincidentally, I am neither student nor employee: I use the National Capital FreeNet, whose email services are hosted by the university, and my normal email address happens to have an alias that does end in carleton.ca. However, if there were a problem with the account, I'd hear from the NCF people, not the Carleton people. Do your homework, "Robert."
  5. If I'm dealing with an I/T administrator in Ottawa, why is the Reply-To: address in Italy?
  6. For that matter, why is the Carleton University email server being "powered" by an ISP in Ireland?
  7. If there is a problem with my account, why has this message apparently been sent to a gibberish email address like "..@..." instead of me, directly? That isn't even a proper email address.
  8. And if you know that my account has been compromised by spammers, why can't you address me as "Scott" or "Mr. McClare"?
  9. Why does "Robert" need me to confirm my userid? He sent me the email because my account had been used to send spam; wouldn't that mean he already knows it?
  10. How does telling him my password protect me from spam? If someone has compromised my account by determining my password somehow, then shouldn't he be telling me to change the password?
  11. If the problem is that my account has been compromised, haven't you just invited the spammer to "confirm" for me if he happens to read this first?
  12. My username and password are not "*******" - that's just how I would look if I typed them at a login prompt. In fact, that's only half true: my userid would look something like "ransom," but let's not split hairs.
  13. If my account is insecure, why are you waiting an arbitrary "seven (7) working days" to tell me to reset my password? Heck, I'll do that right now.
  14. If you are a Carleton University email administrator, couldn't you tell from the system logs that my account was being compromised from a foreign IP, and take steps to block it?

Seriously. This particular scam is second only to this one in singularly failing to convince me to surrender my private information. You people just aren't trying. Unfortunately, I know enough people fall for this that you don't have to.
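Most of the tells in that list (points 1, 5, 7, 8 and 10) are mechanical enough to check in code. The following Python is an added example, not part of the original post: it runs those header and body checks over a constructed message modelled on the one quoted above and over a constructed message of what a genuine helpdesk notice would look like. The recipient address scott@ncf.ca, the sample bodies and the indicator names are assumptions made for the illustration.

```python
"""Header and body heuristics for the phish quoted above (added example)."""
import re
from email import message_from_string

# addr-spec-shaped token: local@label.label... with an alphabetic top-level label
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
ANGLE_RE = re.compile(r"<([^<>]*)>")

# Constructed sample modelled on the quoted message (body shortened).
PHISH = """\
From: helpdesk@carleton.ca <robert.maguire@eircom.net>
Reply-To: techdept@info.It
To: ..@...
Subject: Account suspension

Dear carleton.ca User

Your email account has been used to send numerous Spam mails recently.
To confirm your ownership of this account, provide your Username and
Password as a reply to this message.
"""

# Constructed sample of what a real notice from the same helpdesk might look like.
LEGIT = """\
From: Carleton Help Desk <helpdesk@carleton.ca>
To: scott@ncf.ca
Subject: Scheduled webmail maintenance

Webmail will be unavailable Saturday 02:00-04:00. No action is required.
"""


def parse_mailbox(value):
    """Split one From/Reply-To value into (routing address, decoy addresses).

    The routing address is whatever sits inside <...>; anything that looks
    like an address outside the brackets is display-name text that a mail
    client shows in place of the real sender.
    """
    value = value or ""
    m = ANGLE_RE.search(value)
    if m:
        routing = m.group(1).strip().lower()
        display = value[:m.start()] + value[m.end():]
    else:
        found = ADDR_RE.findall(value)
        routing = found[0].lower() if found else ""
        display = ""
    decoys = [a.lower() for a in ADDR_RE.findall(display)]
    return routing, decoys


def domain_of(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def body_text(msg):
    """Concatenate the text/plain parts of a message as one str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phish_indicators(raw_message, my_addresses):
    """Return the tells, in a fixed order, that the post enumerates above."""
    msg = message_from_string(raw_message)
    hits = []

    sender, decoys = parse_mailbox(msg.get("From"))
    # Point 1: an address-shaped display name at a different domain than
    # the real sender (here helpdesk@carleton.ca in front of eircom.net).
    if any(domain_of(d) != domain_of(sender) for d in decoys):
        hits.append("display-name-spoof")

    # Point 5: replies are diverted to a third domain.
    reply_to, _ = parse_mailbox(msg.get("Reply-To"))
    if reply_to and domain_of(reply_to) != domain_of(sender):
        hits.append("reply-to-mismatch")

    # Points 7 and 8: no usable recipient at all, or not sent to me.
    recipients = [a.lower() for a in ADDR_RE.findall(msg.get("To", ""))]
    if not recipients:
        hits.append("bogus-recipient")
    elif not any(a in my_addresses for a in recipients):
        hits.append("not-addressed-to-me")

    # Point 10: a request to send a password by reply. No helpdesk does this.
    body = body_text(msg)
    if re.search(r"password", body, re.I) and re.search(r"\breply\b", body, re.I):
        hits.append("password-request")

    return hits


if __name__ == "__main__":
    mine = {"scott@ncf.ca"}   # assumed recipient address for the illustration
    print(phish_indicators(PHISH, mine))
    print(phish_indicators(LEGIT, mine))
```

The From: line is deliberately not handed to email.utils.parseaddr. That header is malformed (an unquoted "@" where a display name belongs), and depending on the Python release parseaddr hands back either the decoy carleton.ca address or an empty pair, never the eircom.net address in the angle brackets. Mail clients disagree about the same header, which is exactly why the trick works on readers, so the example pulls the bracketed address out itself and treats any address-shaped text outside the brackets as a decoy.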

(This blog post has been provided as a public service to the spammers, phishers, and identity thieves from the law-abiding Internet community, in the hopes that you may learn therefrom how to deceive us more effectively. Please, try harder. Thank you.)