Today I received a message that claims to be from Amazon. Normally I can spot a phishing email from a mile away. (I work in the Abuse and CON department of an ISP.) But this one seems a bit off. If it is phishing, it's scary.
The only indication I have that it isn't real is that it was sent to an address {A in Q&A}@eoni.com, which has no Kenneth (it's a tech-support address for our ISP, which also does domain hosting). The fact that they are using that address makes me think the address might have been harvested automatically (probably from whois). It's quite possible that one of the domains we host belongs to a customer named Kenneth, and that the domain has our contact address in its whois record somewhere. We host enough domains that a name alone won't be enough to find that domain name and look at its whois record.
Being in the abuse department, I wanted to know whether this is real or not (so I can report it if possible / stop it from working on our network if it's a phish).
Here are the headers:
Return-Path: <01010157e278aa63-283a615a-b603-4300-8c6f-8426b3978f81-000000@us-west-2.amazonses.com>
Delivered-To: {A in Q&A}@eoni.com
Received: (qmail 8542 invoked from network); 20 Oct 2016 14:22:22 -0000
Received: from a27-163.smtp-out.us-west-2.amazonses.com (HELO a27-163.smtp-out.us-west-2.amazonses.com) (54.240.27.163) by adam6.eoni.com with (AES128-SHA encrypted) SMTP (9d6af486-96d0-11e6-bacc-001e67492cec); Thu, 20 Oct 2016 07:22:22 -0700
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=iapqtturmhylirl6i5t3a2ps2ewsadsl; d=business.amazon.com; t=1476973341; h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:List-Unsubscribe; bh=CqDwwona4ZmOCsT+zgi3DKmE5lkxklMdpT65fdXrB1c=; b=UAkSuvsci14jfOFm+fW8S5l3ntdIbESTZB8eHvo6+itz4xiYy9sxXQ1RoXIJIGq93ny5HJIKyI6wkjKRWnX6TQ3EHhDqDFlkB75Z1NzHNlp/5NUA8cEa6ua+wq1sWdyG33ok5gn5Kkz3v72uQMAhT6Dqq/3DSW9ipDMzrHF12Fs=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx; d=amazonses.com; t=1476973341; h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type:List-Unsubscribe:Feedback-ID; bh=CqDwwona4ZmOCsT+zgi3DKmE5lkxklMdpT65fdXrB1c=; b=BdhqUbp6t3dhXe83M3isFcjV2hXaT6rAhCxPN/WXWepJngjhi1EO3Sgd5SbkaEjj6dzzlfljD+nKTJH2r9Kd1COeXqc5tgSeMEmVYV1TpmIRhc1fU9RUULRKG4ojxs0msSbRDRzSCa83Se484s7KDNwb5LWixFn7jo3oL7DFKx0=
Message-ID: <01010157e278aa63-283a615a-b603-4300-8c6f-8426b3978f81-000000@us-west-2.amazonses.com>
Date: Thu, 20 Oct 2016 14:22:21 +0000
Subject: Free Upgrade to Amazon Business Account
From: Amazon <[email protected]>
To: {A in Q&A}@eoni.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_=_swift_v4_1476973341_6e5cebc34b840a2a68132f6e212fdc76_=_"
X-Pardot-Route: 113:54552:359489270
List-Unsubscribe: <http://www.amazonbusiness.com/unsubscribe/u/54552/6674f6c0dd8377b4a26688a664718cffd707396fd788791d186acab4a81bd210/359489270>
X-Report-Abuse-To: [email protected]
X-SES-Outgoing: 2016.10.20-54.240.27.163
Feedback-ID: 1.us-west-2.DslCQSzKRwSQ0bYxCfi+GcY39H31l7QrR+kFUIOTrc4=:AmazonSES
X-MagicMail-OS: Inactive
X-MagicMail-UUID: 9d6af486-96d0-11e6-bacc-001e67492cec
X-MagicMail-SourceIP: 54.240.27.163
X-MagicMail-RegexMatch: 0
X-MagicMail-EnvelopeFrom: <01010157e278aa63-283a615a-b603-4300-8c6f-8426b3978f81-000000@us-west-2.amazonses.com>
X-MagicMail-Original-Destination: {A in Q&A}@eoni.com
X-MagicMail-Quarantine: Yes
Looking at the headers, I see it goes through what I believe is an AWS email service. (Anyone can buy that and send email.) So that doesn't convince me it's Amazon. I see things about Pardot, a B2B marketing automation system from Salesforce. It seems odd that it wouldn't be in-house for Amazon, but they could use a system like that. So I'm not sure what to make of it.
If this is an attack, it has to work somehow. Where do the links go?
Create my account: http://www.amazonbusiness.com/e/54552/gistration-start-ref-b2b-e459b/jt2hvr/359489270
Unsubscribe: http://www.amazonbusiness.com/preferences/?ehash=6674f6c0dd8377b4a26688a664718cffd707396fd788791d186acab4a81bd210&email_id=359489270
Update email preferences: http://www.amazonbusiness.com/preferences/?ehash=6674f6c0dd8377b4a26688a664718cffd707396fd788791d186acab4a81bd210&email_id=359489270
None of these use SSL, but the Create my account one redirects to:
link
OK, so where is this amazonbusiness.com domain hosted? Who owns the name? Surely Amazon would host all of its sites on AWS, right?
dig a www.amazonbusiness.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> a www.amazonbusiness.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58074
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.amazonbusiness.com. IN A
;; ANSWER SECTION:
www.amazonbusiness.com. 820 IN CNAME go.pardot.com.
go.pardot.com. 7199 IN CNAME pi.pardot.com.
pi.pardot.com. 29 IN CNAME pi-dfw.pardot.com.
pi-dfw.pardot.com. 29 IN CNAME pi-dfw-lb1.pardot.com.
pi-dfw-lb1.pardot.com. 899 IN A 136.147.104.32
;; Query time: 57 msec
;; SERVER: 192.168.88.1#53(192.168.88.1)
;; WHEN: Thu Oct 20 08:21:50 PDT 2016
;; MSG SIZE rcvd: 143
Compare that with amazon.com itself:
dig a amazon.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> a amazon.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40326
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;amazon.com. IN A
;; ANSWER SECTION:
amazon.com. 23 IN A 54.239.25.208
amazon.com. 23 IN A 54.239.17.7
amazon.com. 23 IN A 54.239.26.128
amazon.com. 23 IN A 54.239.25.192
amazon.com. 23 IN A 54.239.17.6
amazon.com. 23 IN A 54.239.25.200
;; Query time: 1 msec
;; SERVER: 192.168.88.1#53(192.168.88.1)
;; WHEN: Thu Oct 20 09:02:34 PDT 2016
;; MSG SIZE rcvd: 124
OK, so who owns the IP address space for the possibly fake site:
whois 136.147.104.32
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=136.147.104.32?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange: 136.147.0.0 - 136.147.255.255
CIDR: 136.147.0.0/16
NetName: SFDC-3
NetHandle: NET-136-147-0-0-1
Parent: NET136 (NET-136-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS14340
Organization: Salesforce.com, Inc. (SALESF-3)
RegDate: 2012-02-24
Updated: 2014-07-14
Ref: https://whois.arin.net/rest/net/NET-136-147-0-0-1
OrgName: Salesforce.com, Inc.
OrgId: SALESF-3
Address: 1 Market Street
Address: Suite 300
City: San Francisco
StateProv: CA
PostalCode: 94105
Country: US
RegDate: 1999-11-30
Updated: 2014-11-20
Ref: https://whois.arin.net/rest/org/SALESF-3
OrgAbuseHandle: NOC1403-ARIN
OrgAbuseName: Network Operations Center
OrgAbusePhone: +1-415-901-7000
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://whois.arin.net/rest/poc/NOC1403-ARIN
OrgNOCHandle: NOC1403-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-415-901-7000
OrgNOCEmail: [email protected]
OrgNOCRef: https://whois.arin.net/rest/poc/NOC1403-ARIN
OrgAbuseHandle: SAN76-ARIN
OrgAbuseName: Salesforce Abuse NOC
OrgAbusePhone: +1-703-463-3219
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://whois.arin.net/rest/poc/SAN76-ARIN
OrgTechHandle: NOC1403-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-415-901-7000
OrgTechEmail: [email protected]
OrgTechRef: https://whois.arin.net/rest/poc/NOC1403-ARIN
RNOCHandle: NOC1403-ARIN
RNOCName: Network Operations Center
RNOCPhone: +1-415-901-7000
RNOCEmail: [email protected]
RNOCRef: https://whois.arin.net/rest/poc/NOC1403-ARIN
RAbuseHandle: SAN76-ARIN
RAbuseName: Salesforce Abuse NOC
RAbusePhone: +1-703-463-3219
RAbuseEmail: [email protected]
RAbuseRef: https://whois.arin.net/rest/poc/SAN76-ARIN
RTechHandle: NOC1403-ARIN
RTechName: Network Operations Center
RTechPhone: +1-415-901-7000
RTechEmail: [email protected]
RTechRef: https://whois.arin.net/rest/poc/NOC1403-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
So NOT on AWS. Compare that with who owns the IP address space hosting Amazon.com:
whois 54.239.26.128
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=54.239.26.128?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange: 54.224.0.0 - 54.239.255.255
CIDR: 54.224.0.0/12
NetName: AMAZON-2011L
NetHandle: NET-54-224-0-0-1
Parent: NET54 (NET-54-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS16509
Organization: Amazon Technologies Inc. (AT-88-Z)
RegDate: 2012-03-01
Updated: 2012-04-02
Ref: https://whois.arin.net/rest/net/NET-54-224-0-0-1
OrgName: Amazon Technologies Inc.
OrgId: AT-88-Z
Address: 410 Terry Ave N.
City: Seattle
StateProv: WA
PostalCode: 98109
Country: US
RegDate: 2011-12-08
Updated: 2014-10-20
Comment: All abuse reports MUST include:
Comment: * src IP
Comment: * dest IP (your IP)
Comment: * dest port
Comment: * Accurate date/timestamp and timezone of activity
Comment: * Intensity/frequency (short log extracts)
Comment: * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.
Ref: https://whois.arin.net/rest/org/AT-88-Z
OrgTechHandle: ANO24-ARIN
OrgTechName: Amazon EC2 Network Operations
OrgTechPhone: +1-206-266-4064
OrgTechEmail: [email protected]
OrgTechRef: https://whois.arin.net/rest/poc/ANO24-ARIN
OrgAbuseHandle: AEA8-ARIN
OrgAbuseName: Amazon EC2 Abuse
OrgAbusePhone: +1-206-266-4064
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://whois.arin.net/rest/poc/AEA8-ARIN
OrgNOCHandle: AANO1-ARIN
OrgNOCName: Amazon AWS Network Operations
OrgNOCPhone: +1-206-266-4064
OrgNOCEmail: [email protected]
OrgNOCRef: https://whois.arin.net/rest/poc/AANO1-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#
So Amazon.com is on AWS, as I thought it would be.
At this point I'm not sure whether the email is fake or not. Is it? If so, how does it work? It seems to be doing something with OpenID; what's going on there? How could I be sure in the future?
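As an added example (not part of the question above, and not Amazon, Salesforce or Pardot tooling), the following Python script performs the triage that the question works through by hand: it extracts the From, Return-Path and DKIM d= domains, checks DMARC-style relaxed alignment between them, pulls the handing-off IP out of the Received header, and lists every link host that sits outside the From address's organizational domain or uses plain http. The header block is constructed from the headers quoted above; the From address is redacted on the page, so the local part and domain used here are an assumption, and the DKIM b=/bh= values are truncated because the script does not verify signatures (that needs DNS and a library such as dkimpy). The organizational-domain rule is simplified to "last two labels", which is correct for the .com domains in this message but not for suffixes like co.uk, where real DMARC consults the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the headers quoted in the question. The From address is
# redacted on the page: the local part below is an assumption, and the domain
# is taken from the first DKIM signature's d= value. Signature values are cut.
SAMPLE_HEADERS = """\
Return-Path: <01010157e278aa63-283a615a-b603-4300-8c6f-8426b3978f81-000000@us-west-2.amazonses.com>
Received: from a27-163.smtp-out.us-west-2.amazonses.com (HELO a27-163.smtp-out.us-west-2.amazonses.com) (54.240.27.163) by adam6.eoni.com with (AES128-SHA encrypted) SMTP; Thu, 20 Oct 2016 07:22:22 -0700
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=iapqtturmhylirl6i5t3a2ps2ewsadsl; d=business.amazon.com; t=1476973341; h=From:To:Subject; bh=TRUNCATED=; b=TRUNCATED=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=gdwg2y3kokkkj5a55z2ilkup5wp5hhxx; d=amazonses.com; t=1476973341; h=From:To:Subject; bh=TRUNCATED=; b=TRUNCATED=
From: Amazon <sender-redacted@business.amazon.com>
To: recipient-redacted@eoni.com
Subject: Free Upgrade to Amazon Business Account
List-Unsubscribe: <http://www.amazonbusiness.com/unsubscribe/u/54552/6674f6c0dd8377b4a26688a664718cffd707396fd788791d186acab4a81bd210/359489270>

"""

# The three body links listed in the question (constructed text around them).
SAMPLE_LINKS = """\
Create my account: http://www.amazonbusiness.com/e/54552/gistration-start-ref-b2b-e459b/jt2hvr/359489270
Unsubscribe: http://www.amazonbusiness.com/preferences/?ehash=6674f6c0dd8377b4a26688a664718cffd707396fd788791d186acab4a81bd210&email_id=359489270
"""


def org_domain(domain):
    """Approximate the DMARC organizational domain as the last two labels.
    Real DMARC uses the Public Suffix List (example.co.uk needs three labels);
    two labels are enough for the .com domains in this message."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_of(header_value):
    """Domain part of the first address in a From/Return-Path style header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def dkim_domains(msg):
    """d= tag of every DKIM-Signature header, in header order."""
    out = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            out.append(m.group(1).lower())
    return out


def sending_ip(msg):
    """First dotted-quad in parentheses in the Received chain (the handing-off host)."""
    for received in msg.get_all("Received", []):
        m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", received)
        if m:
            return m.group(1)
    return None


def link_hosts(text):
    return {h.lower() for h in re.findall(r"https?://([^/\s>\"']+)", text)}


def analyze(raw_headers, body_links):
    """Alignment and link-host report for one message, as a plain dict."""
    msg = message_from_string(raw_headers)
    from_dom = domain_of(msg.get("From"))
    from_org = org_domain(from_dom)
    rp_dom = domain_of(msg.get("Return-Path"))
    dk = dkim_domains(msg)
    hosts = link_hosts(body_links) | link_hosts(msg.get("List-Unsubscribe", ""))
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "dkim_domains": dk,
        # Relaxed alignment: SPF-authenticated domain (Return-Path) shares the
        # From organizational domain; DKIM d= shares it for any signature.
        "spf_aligned": org_domain(rp_dom) == from_org,
        "dkim_aligned": any(org_domain(d) == from_org for d in dk),
        "sending_ip": sending_ip(msg),
        # Hosts the recipient is sent to that are not the sender's own brand.
        "offbrand_link_hosts": sorted(h for h in hosts if org_domain(h) != from_org),
        "plain_http_links": sorted(set(re.findall(r"http://[^\s>\"']+", body_links))),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADERS, SAMPLE_LINKS).items():
        print(f"{key}: {value}")
```

On this message the report shows the split that makes the question hard: the DKIM d=business.amazon.com signature is aligned with an amazon.com From address (so, if the signature verifies, someone holding an amazon.com DKIM key signed it, which is far stronger evidence than the amazonses.com relay the question rightly discounts), while the Return-Path does not align and every link points at a different organizational domain, www.amazonbusiness.com, over plain http. Off-brand link hosts are exactly what to resolve and whois, as the question goes on to do; a DKIM-aligned signature plus off-brand links is the signature of a legitimate sender using a third-party marketing platform, whereas a failed or missing aligned DKIM signature with the same links would point to a phish.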