Tuesday, 24 February 2015

Phishing email from Avast - Headers look totally legit?
Below is the email with headers. I never registered on the site, so it's clearly phishing, but the links in the email point to the real Avast site. The delivery path also looks legit since both IP addresses (77.234.40.28 and 5.45.62.32) belong to Avast according to whois. I received this through my own Postfix SMTP server.

I can think of only two explanations:

  1. Avast is spamming people to increase its user base (unlikely?)
  2. Someone else registered using my email address (accidentally?)

Is there an alternate explanation I missed?

Return-Path: <myavast@avast.com>
X-Original-To: redacted@redacted.com
Delivered-To: redacted@helios.redacted.com
X-Greylist: delayed 00:06:20 by SQLgrey-1.8.0
Received: from prg18.ff.avast.com (prg18.ff.avast.com [77.234.40.28])
by helios.redacted.com (Postfix) with ESMTP id 29FDE338513
for <redacted@redacted.com>; Tue, 24 Feb 2015 16:31:39 +0000 (UTC)
Received: from ams01-022.ff.avast.com (ams01-022.ff.avast.com [5.45.62.32])
by prg18.ff.avast.com (Postfix) with ESMTP id 4AC4863FE
for <redacted@redacted.com>; Tue, 24 Feb 2015 17:25:18 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=avast.com;
s=default; t=1424795118;
bh=xtbTFzHy9Gx8+0K7moXgMhL46s4Nd1+AiW/7CP7eGo4=;
h=Date:From:To:Subject;
b=KsOT6/s2YsnQ4P1ZSpgzbOjusgVHCzTBc/y2UdqTzbFec9rIMF4ayuzx1fmKpsIeh
56CkPMIriPpJ/w8rNIEAA74rqUtXaTa6P+8CF+ePo0cDurc5+zvTFBLdx29NxWzpNa
Pdsm/tnBF7mWyY67HAFIlNgKGiDq2YUX+rB/jp2I=
Received: from ams01-022.ff.avast.com (localhost [127.0.0.1])
by ams01-022.ff.avast.com (Postfix) with ESMTP id 2EE47120243
for <redacted@redacted.com>; Tue, 24 Feb 2015 17:25:18 +0100 (CET)
Date: Tue, 24 Feb 2015 17:25:18 +0100 (CET)
From: AVAST Software <myavast@avast.com>
To: redacted@redacted.com
Message-ID: <2116255645.5085975.1424795118191.JavaMail.id@ams01-022.ff.avast.com>
Subject: =?utf-8?Q?Avast_antivirus_account_=E2=80=93_please_confirm?=
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_5085973_1976669953.1424795118189"

------=_Part_5085973_1976669953.1424795118189
Content-Type: multipart/alternative;
boundary="----=_Part_5085974_319880981.1424795118189"

------=_Part_5085974_319880981.1424795118189
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<?xml version=3D"1.0" encoding=3D"UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www=
http://.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns=3D"http://ift.tt/lH0Osb" xml:lang=3D"cs" lang=3D"cs">
<head>
=09<meta http-equiv=3D"content-type" content=3D"text/html; charset=3Dutf-8"=
/>
</head>
<body>
=09<div style=3D"padding-bottom:5px;"></div>You recently registered an AVAS=
T Account. <br/><br/> Please click this link to verify your account: <br/><=
br/> <a href=3D"http://ift.tt/1DR7XM2
34hqKcwm6mBRkqLFub05pnfriPWmujAtoDTpqMhNH3FTE1T">http://ift.tt/17Tmt9I
/confirm/registration?token=3DN1r34hqKcwm6mBRkqLFub05pnfriPWmujAtoDTpqMhNH3=
FTE1T</a> <br/><br/> NOTE: Information email only =E2=80=93 PLEASE DO NOT R=
EPLY <br/><br/>AVAST Software<div style=3D"padding-top:5px;"><a href=3D"htt=
p://www.avast.com">http://ift.tt/1DR7XM4;
</body>
</html>
------=_Part_5085974_319880981.1424795118189--

------=_Part_5085973_1976669953.1424795118189--

Here's the SMTP transaction log:

Feb 24 16:25:19 helios postfix/smtpd[28347]: connect from prg18.ff.avast.com[77.234.40.28]
Feb 24 16:25:19 helios sqlgrey: grey: new: 77.234.40(77.234.40.28), myavast@avast.com -> redacted@redacted.com
Feb 24 16:25:19 helios postfix/smtpd[28347]: NOQUEUE: reject: RCPT from prg18.ff.avast.com[77.234.40.28]: 450 4.7.1 <redacted@redacted.com>: Recipient address rejected: Greylisted for 5 minutes; from=<myavast@avast.com> to=<redacted@redacted.com> proto=ESMTP helo=<prg18.ff.avast.com>
Feb 24 16:25:19 helios postfix/smtpd[28347]: disconnect from prg18.ff.avast.com[77.234.40.28]
Feb 24 16:28:39 helios postfix/anvil[28329]: statistics: max connection rate 2/60s for (smtp:66.45.103.63) at Feb 24 16:23:23
Feb 24 16:28:39 helios postfix/anvil[28329]: statistics: max connection count 2 for (smtp:66.45.103.63) at Feb 24 16:23:23
Feb 24 16:28:39 helios postfix/anvil[28329]: statistics: max cache size 1 at Feb 24 16:23:22
Feb 24 16:31:38 helios postfix/smtpd[28367]: connect from prg18.ff.avast.com[77.234.40.28]
Feb 24 16:31:39 helios sqlgrey: grey: reconnect ok: 77.234.40(77.234.40.28), myavast@avast.com -> redacted@redacted.com (00:06:20)
Feb 24 16:31:39 helios sqlgrey: grey: from awl: 77.234.40, myavast@avast.com added
Feb 24 16:31:39 helios postfix/smtpd[28367]: 29FDE338513: client=prg18.ff.avast.com[77.234.40.28]
Feb 24 16:31:39 helios postfix/cleanup[28370]: 29FDE338513: message-id=<2116255645.5085975.1424795118191.JavaMail.id@ams01-022.ff.avast.com>
Feb 24 16:31:39 helios postfix/qmgr[13941]: 29FDE338513: from=<myavast@avast.com>, size=2691, nrcpt=1 (queue active)
Feb 24 16:31:39 helios postfix/smtpd[28367]: disconnect from prg18.ff.avast.com[77.234.40.28]
Feb 24 16:31:39 helios postfix/local[28371]: 29FDE338513: to=<redacted@helios.redacted.com>, orig_to=<redacted@redacted.com>, relay=local, delay=0.3, delays=0.26/0.03/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Feb 24 16:31:39 helios postfix/qmgr[13941]: 29FDE338513: removed
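One way to mechanise the checks done by hand above (an added example, not code from the original post): walk the Received chain and confirm each relay hands the message to the next one named, list the external relay IPs for the whois comparison, and check that the DKIM d= domain aligns with the From domain and that From is among the signed fields. The header block is constructed from the post's own headers (body dropped, folded lines re-indented so the stdlib parser accepts them); the function names are mine.

```python
import re
from email import message_from_string

# Constructed from the headers quoted in the post; body omitted, folding re-indented.
RAW = """Received: from prg18.ff.avast.com (prg18.ff.avast.com [77.234.40.28])
 by helios.redacted.com (Postfix) with ESMTP id 29FDE338513
 for <redacted@redacted.com>; Tue, 24 Feb 2015 16:31:39 +0000 (UTC)
Received: from ams01-022.ff.avast.com (ams01-022.ff.avast.com [5.45.62.32])
 by prg18.ff.avast.com (Postfix) with ESMTP id 4AC4863FE
 for <redacted@redacted.com>; Tue, 24 Feb 2015 17:25:18 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=avast.com;
 s=default; t=1424795118; bh=xtbTFzHy9Gx8+0K7moXgMhL46s4Nd1+AiW/7CP7eGo4=;
 h=Date:From:To:Subject;
 b=KsOT6/s2YsnQ4P1ZSpgzbOjusgVHCzTBc/y2UdqTzbFec9rIMF4ayuzx1fmKpsIeh56CkPMIriPpJ/w8rNIEAA74rqUtXaTa6P+8CF+ePo0cDurc5+zvTFBLdx29NxWzpNaPdsm/tnBF7mWyY67HAFIlNgKGiDq2YUX+rB/jp2I=
Received: from ams01-022.ff.avast.com (localhost [127.0.0.1])
 by ams01-022.ff.avast.com (Postfix) with ESMTP id 2EE47120243
 for <redacted@redacted.com>; Tue, 24 Feb 2015 17:25:18 +0100 (CET)
From: AVAST Software <myavast@avast.com>
To: redacted@redacted.com
Subject: =?utf-8?Q?Avast_antivirus_account_=E2=80=93_please_confirm?=
"""

# "from <host> (<rdns> [<ip>]) by <host>" as Postfix writes it.
HOP = re.compile(r"from\s+(\S+)\s+\(.*?\[([\d.]+)\]\)\s+by\s+(\S+)")

def received_hops(raw):
    """(from_host, ip, by_host) per Received header, oldest hop first."""
    hdrs = message_from_string(raw).get_all("Received", [])
    matches = [HOP.search(" ".join(h.split())) for h in hdrs]  # unfold, then match
    return [m.groups() for m in matches if m][::-1]

def chain_is_continuous(hops):
    """The relay that received the mail at hop i must be the one handing it on at hop i+1."""
    return all(hops[i][2] == hops[i + 1][0] for i in range(len(hops) - 1))

def external_ips(hops):
    """Addresses worth a whois lookup; loopback hops carry no information."""
    return [ip for _, ip, _ in hops if not ip.startswith("127.")]

def dkim_aligned(raw):
    """DMARC-style alignment only: d= equals the From domain and From is signed.
    The signature itself is not verified here; that needs the key at <s>._domainkey.<d>."""
    msg = message_from_string(raw)
    sig = " ".join(msg["DKIM-Signature"].split())
    pairs = (t.split("=", 1) for t in sig.split(";") if "=" in t)
    tags = {k.strip(): v.strip() for k, v in pairs}
    from_domain = msg["From"].rsplit("@", 1)[-1].rstrip(">").lower()
    signed = [f.strip().lower() for f in tags.get("h", "").split(":")]
    return tags.get("d", "").lower() == from_domain and "from" in signed
```

All three checks pass on these headers, which is exactly the poster's point: the chain is internally consistent and the signing domain matches the sender, so the remaining question is why Avast sent it, not whether Avast sent it.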