All Zimbra mail servers have been upgraded to Zimbra Network Edition 7.2.2, the current 7.x release.
Warning: ‘Webmail Account Warning’ message is bogus.
This bogus email is making the rounds and seems to be slipping past spam filters at the moment. If you get one of these messages, delete it. The link in the message takes you to a form that asks you to enter your email address and password. If you do this, you can count on your account being hijacked by spammers all over the world. This is an example of a ‘phishing’ email, designed to trick you into giving up your account login credentials. The copies that we’ve seen of this message came from IP addresses in Brazil.
Webmail Account Warning!
This mail is from Webmail Service; we wish to bring to your notice the Condition of your email account.
We have just noticed that you have exceeded your email Database limit of 500 MB quota and your email IP is causing conflict because it is been accessed in different server location. You need to Upgrade and expand your email quota limit before you can continue to use your email.
Update your email quota limit to 4.8 GB, use the below web link:
<link to form on docs.google.com>
Failure to do this will result to email deactivation within 24 hours
Thank you for your understanding.
Copyright 2012 Help Desk Technical Upgrading
Phishing/Malware email
We’re seeing a significant increase in the number of ‘phishing’ and malware email messages.
Most of these are being stopped by Postini’s spam/virus filters, but some are getting through, and some are getting past our own spam/virus filters that we use to supplement Postini.
These messages are well crafted and look like legitimate email from an entity that you might be doing business with (AT&T, USPS, an airline, FedEx, UPS, your bank). They tell you that a check has bounced or that you’re being billed for some outrageous amount, or something similar – the idea is to get you to click on the links in the messages. If you do that, you’ll go to the bad guys’ web sites, where you’ll either be exposed to malware or there will be a login page that’s designed to trick you into entering login information that you use with your bank, airline, etc.
These messages appear to come from legitimate email addresses (which are forged) and have subject lines like:
- US Airways online check-in.
- Please confirm your US Airways online registration.
- Fwd: Wire Transfer Confirmation (FED 5405TG032)
- Your USPS postage labels charge.
- USPS postage labels receipt.
- USPS postage labels invoice.
- USPS: DELIVER CONFIRMATION - FAILED 636382
- Your USPS shipment postage labels receipt.
- Your USPS delivery.
- Confirmation of email address change.
- Your AT&T wireless bill is ready to view
Before you click on any links in email that you receive, hover your mouse pointer over the link and check to see where the link really points – most browsers will show this at the bottom of the page. If they point to something that looks bogus, don’t click.
Forward messages like this to spam@postini.com – this will help Postini recognize the tricks that these bad guys are using to get past their filters. Once you’ve done that, delete them.
Using strong passwords
Over the past few months we’ve seen an enormous jump in the number of password-guessing attacks on our mail servers. The attackers are spammers who are trying to get access to legitimate accounts so they can send spam.
We have software in place that identifies and blocks these attacks, but if a password is too easy to guess the attacker can guess it before the ‘this is an attack’ threshold is reached. When this happens, the victim gets a flood of bounce messages for email they never sent, and when we detect the hijacking we have to lock the account and coordinate with the victim to set a new password, an inconvenience for everybody.
There’s a somewhat geeky but appropriate cartoon that describes a technique for generating passwords that are hard to guess but easy for you to remember at http://xkcd.com/936/.
If your account is on mail.his.com or one of our other Zimbra servers, you can change your password by logging on to webmail and clicking the ‘Preferences’ tab.
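Why an easily guessed password defeats the blocking threshold described above, shown by replaying login events through a simple failure counter. This Python is an added example, not the software running on our mail servers; the log format, the threshold of 5 and the addresses and account names are constructed assumptions.

```python
import re
from collections import defaultdict

THRESHOLD = 5  # assumed value: failures from one source before it is blocked

# Constructed log lines in a made-up format, in arrival order.
SAMPLE_LOG = """\
10:00:01 src=198.51.100.7 account=bob result=fail
10:00:02 src=198.51.100.7 account=bob result=fail
10:00:03 src=198.51.100.7 account=bob result=ok
10:00:04 src=203.0.113.20 account=carol result=ok
10:00:05 src=198.51.100.7 account=alice result=fail
10:00:06 src=198.51.100.7 account=alice result=fail
10:00:07 src=198.51.100.7 account=alice result=fail
10:00:08 src=198.51.100.7 account=alice result=fail
"""
LINE = re.compile(r"src=(\S+) account=(\S+) result=(ok|fail)")


def replay(log, threshold=THRESHOLD):
    """Return (blocked sources, logins that succeeded after failed guesses)."""
    failures = defaultdict(int)
    blocked, review = set(), []
    for match in LINE.finditer(log):
        src, account, result = match.groups()
        if src in blocked:
            continue  # a blocked source no longer reaches authentication
        if result == "fail":
            failures[src] += 1
            if failures[src] >= threshold:
                blocked.add(src)
        elif failures[src]:
            # Success after failures from the same source: likely a guessed password.
            review.append((account, src, failures[src]))
    return blocked, review
```

In the sample, the source is blocked only on its fifth failure, after bob's password had already been guessed on the third attempt; the second return value is the list of accounts that would need a lock and a new password.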
Bogus “Delivery Status Notification”
There is a trojan making the rounds that masquerades as a Delivery Status Notification. It contains the line:
Note: Forwarded message is attached.
The attachment is an HTML file that carries various JavaScript browser exploits/trojans.
Postini is aware of the situation, and Postini Spam Engineering continues to monitor for new variants and will release additional filters as necessary.
If you get one of these messages, do not click on this attachment, or it will infect your computer.
If you did click on one of those attachments:
- update your virus definitions
- run a complete scan of your computer and make sure any trojans that may have been downloaded are removed or quarantined
- change your password(s) to strong, secure ones. Email us at support@his.com if you need a password reset.
Bogus emails from his.com
Some HIS customers reported getting emails pretending to be from his.com and containing a bogus alert message.
From: “his.com support” <admin@his.com>
Subject: his.com account notification
or
Subject: Returned mail: see transcript for details
From: domains@megginson.com
We are blocking them with our spam filters. However, if you received one of those, do not click on any link or attachment, or your computer will get infected.
———————————
Here is the text of the bogus messages we’ve seen lately:
From: “his.com support” <admin@his.com>
Subject: his.com account notification
Dear Customer,
This e-mail was send to notify you that we have temporanly prevented
access to your account.
We have reasons to beleive that your account may have been accessed by
someone else.
Please run attached file and Follow instructions
———————————
Subject: Returned mail: see transcript for details
From: domains@megginson.com
Dear user of his.com,
Your e-mail account was used to send a large amount of unsolicited commercial e-mail during the last week.
Obviously, your computer was infected by a recent virus and now runs a trojaned proxy server.
Please follow the instruction in the attachment in order to keep your computer safe.
Have a nice day,
The his.com support team.
———————————
Verizon blocking port 25
We’ve received a number of reports from Verizon DSL customers that they’ve suddenly lost the ability to send mail. Verizon started blocking port 25 (the SMTP port, used to send email) for DSL and FIOS customers in some areas in 2009, and evidently they’ve now made this system-wide. There’s a Verizon writeup at:
The solution is to change the settings in your email software to use port 587 instead of port 25 for SMTP. If you continue to have problems and can’t send mail, open a support ticket at http://info.his.com/support/support.his.com.html or, if you’re using a Verizon DSL or FIOS connection, call Verizon.
Verizon is doing this to help stop the flood of spam coming from virus-infected customer PCs. A number of other residential internet providers (Cox, Roadrunner, Comcast, BellSouth, Earthlink, NetZero) are doing this as well.
Facebook Phishing Email
We’ve started seeing email that looks like this:
(This is just a screengrab image – the links above aren’t live).
The message looks real enough (which is the idea) but it did not come from Facebook. The link actually goes to servers in 15 locations in Korea, Japan, Brazil, Hungary, Poland and the Ukraine, where you’ll be asked to enter your Facebook login info. While you’re at it, you’ll be exposed to a variety of malware designed to harvest passwords and make you part of this botnet.
Postini should be catching these so you may not see one unless you’ve added ‘facebookmail.com’ to your approved senders list, in which case the messages will come through unfiltered.