Hi,
we've come across some odd messages hitting spam traps coming from
amazonses but pretending to be amazon.com messages. There is a possible
security flaw in the SPF for amazon.com permitting amazonses.com to send
email on behalf of amazon.com and making it vulnerable to phishing.
Here is a sample message:

Return-Path: <deliverability.te...@amazon.com>
Delivered-To: spam...@excello.cz
Received: from posta.excello.cz
    by posta.excello.cz (Dovecot) with LMTP id +XS2LEpXyli9GwAA3RyBeg
    for <spam...@excello.cz>; Thu, 16 Mar 2017 10:13:46 +0100
Received: from bq.virusfree.cz (bq.virusfree.cz [IPv6:2001:67c:15a2::b])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by posta.excello.cz (Postfix) with ESMTPS id 977092C9CB8
    for <s...@virusfree.cz>; Thu, 16 Mar 2017 10:13:46 +0100 (CET)
Received: (qmail 5623 invoked from network); 16 Mar 2017 10:13:46 +0100
Received: from bq.virusfree.cz by bq.virusfree.cz
    (VF-Scanner: Clear:RC:0(54.240.11.93):;
    processed in 0.0 s); 16 Mar 2017 09:13:46 +0000
X-VF-Scanner-Mail-From: deliverability.te...@amazon.com
X-VF-Scanner-Rcpt-To: s...@virusfree.cz
X-VF-Scanner-ID: 20170316091346.429791.5384.bq.0
Received: from a11-93.smtp-out.amazonses.com (54.240.11.93)
    by bx.virusfree.cz with ESMTPS (TLSv1, ECDHE-RSA-AES128-SHA); 16 Mar 2017
    10:13:46 +0100
Received-SPF: pass (bq: domain of amazon.com designates 54.240.11.93 as
    permitted sender) client-ip=54.240.11.93;
    envelope-from=deliverability.te...@amazon.com;
    helo=a11-93.smtp-out.amazonses.com;
From: deliverability.te...@amazon.com
Content-Type: text/plain
Subject: Account update
Date: Thu, 16 Mar 2017 09:04:04 +0000
Message-ID:
    <0100015ad65c1837-5fe81fb9-a931-468e-b8c1-17f72806f2dd-000...@email.amazonses.com>
To: bobbr...@250ok.co
X-250ok-CID: amazon2017.03.16-54.240.11.93
X-SES-Outgoing: 2017.03.16-54.240.11.93

Thanks for visiting Amazon.com! Per your request:

You have successfully changed your password.

Visit Your Account at Amazon.com to view your orders, make changes to any order
that hasn't yet entered the shipping process, update your subscriptions, and
much more.

Should you need to contact us for any reason, please know that we can give out
order information only to the name and e-mail address associated with your
account.

Thanks again for shopping with us.
--
Jakub Olexa
Mailkit s.r.o.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
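
An added example, not part of the original post: a triage check for spam-trap hits that parses a Received-SPF header like the one in the sample and reports messages where SPF passed although the connecting host belongs to a different organizational domain than the envelope sender. The function names, the two-label organizational-domain shortcut and the control header are assumptions made for this illustration; a match marks a message for review, since many legitimate senders relay through a third-party service.

```python
import re

# Received-SPF value from the sample message above, unfolded onto one line
# (the elided address is kept exactly as the page shows it).
SAMPLE = ("pass (bq: domain of amazon.com designates 54.240.11.93 as "
          "permitted sender) client-ip=54.240.11.93; "
          "envelope-from=deliverability.te...@amazon.com; "
          "helo=a11-93.smtp-out.amazonses.com;")

# Constructed control case: a host relaying mail for its own domain.
CONTROL = ("pass (mx: domain of example.org designates 192.0.2.10 as "
           "permitted sender) client-ip=192.0.2.10; "
           "envelope-from=news@example.org; helo=mail.example.org;")


def parse_received_spf(value):
    """Return (result, fields) from a Received-SPF header value."""
    m = re.match(r"\s*(\w+)", value)
    result = m.group(1).lower() if m else None
    # Drop the parenthesised comment, then collect the key=value pairs.
    rest = re.sub(r"\([^)]*\)", "", value)
    pairs = re.findall(r"([\w-]+)=([^;]*);?", rest)
    return result, {k.lower(): v.strip() for k, v in pairs}


def org_domain(host):
    """Naive organizational domain: the last two labels (assumption;
    production code should consult the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def third_party_pass(value):
    """Return (helo_org, sender_org) when SPF passed but the connecting
    host is outside the envelope sender's organizational domain;
    return None for every other case."""
    result, fields = parse_received_spf(value)
    if result != "pass" or "envelope-from" not in fields or "helo" not in fields:
        return None
    sender_org = org_domain(fields["envelope-from"].rsplit("@", 1)[-1])
    helo_org = org_domain(fields["helo"])
    return (helo_org, sender_org) if helo_org != sender_org else None


if __name__ == "__main__":
    for name, header in (("sample", SAMPLE), ("control", CONTROL)):
        print(name, third_party_pass(header))
```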