MMS photo in a zip from Vodafone - or is it a trojan?

We have to be so careful these days with what arrives in the inbox, even when we know we have a pretty good antivirus (I use Kaspersky). I have already avoided the final step in opening this mail attachment (I was gambling by opening the zip, but I did fear to open the EXE of the same name inside).

Can any of you techies tell from the email headers below whether this really was from Vodafone?

Return-path: <foodse@vodafone.com>
Envelope-to: {my email address}
Delivery-date: Thu, 17 Jan 2013 02:47:27 +0000
Received: from [212.159.9.108] (helo=avasin18.plus.net)
by inmx16.plus.net with esmtp (PlusNet MXCore v2.00) id 1TvfVn-0000eX-9l
for {my email address}; Thu, 17 Jan 2013 02:47:27 +0000
Received: from [101.78.164.189] ([101.78.164.189])
by avasin18.plus.net with Plusnet Cloudmark Gateway
id oqnM1k00H45Vuwd01qnQv2; Thu, 17 Jan 2013 02:47:27 +0000
X-IPAS: Level1
X-CM-Score: 100.00
X-CNFS-Analysis: v=2.0 cv=QfC4SLnv c=1 sm=1 p=xq6_pkGAOlbCYWpp:21
p=QOr0OkOuIMb1-ZXN:21 p=ZV_qDKm3Awa1T0n3:21 p=mNgdpxbmAeamLjvkckwA:9
p=ZWCv5kBEPJ9kZKX4gzgA:14 a=l1Zg887NEoglIa0EtzNIIA==:17 a=mD8GtjjJo7UA:10
a=4qsattqYYrUA:10 a=xqWC_Br6kY4A:10 a=Ebs0h9rcAAAA:8 a=BPojhmU9NfcA:10
a=Ox1ZiSh4rIFn8Da0_r8A:9 a=CjuIK1q_8ugA:10 a=Mb_K_RCCF9ZOil8kfa4A:9
a=_W_S_7VecoQA:10 a=IKIoO-ieCDEA:10 a=l1Zg887NEoglIa0EtzNIIA==:117
Received: from VFUS-MBX03.vf-us.internal.vodafone.com ([::1]) by
VFUS-CAS01.vf-us.internal.vodafone.com ([10.181.10.42]) with mapi; Thu, 17 Jan 2013 10:47:24 +0800
From: <mms@getmyphoto.vodafone.com>
To: <{my email address}>
Date: Thu, 17 Jan 2013 10:47:24 +0800
Message-ID: <1D1ZVJ0GID3O0SW0ILYMC98H5M9915QY@legspas6.prd.it1.sp.vodafone.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=a__tumfs_37_76_54"
X-pn-pstn: Spam 1
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: A new picture or video message [Vodafone MMS]
8744Y4G_MMS.ZIP (application/zip), 40 K

Comments

  • agrinnall
    agrinnall Posts: 23,344 Forumite
    First Post Combo Breaker
    I'd just delete it, I can't imagine any reason why Vodafone would send a zip file, and even if it is from them do you really care if you never see it?
  • spacey2012
    spacey2012 Posts: 5,836 Forumite
    First Anniversary First Post Combo Breaker
    Why take the chance ?
    Be happy...;)
  • It's come from a spoof email and is definitely dodgy, just delete and forget.
  • bod1467
    bod1467 Posts: 15,214 Forumite
    If the contents of the ZIP is an EXE then it's bad. If it really was an MMS then it would be a MOV or 3GP file most likely.
  • easy
    easy Posts: 2,516 Forumite
    Name Dropper First Post First Anniversary Combo Breaker
    I received about 5 of these yesterday, and a couple this morning. Just deleted them; why would anyone I don't know be sending me MMSs? Even if they weren't nasty viruses, they might be nasty pictures.

    Basically, I never open any mail that has an attachment that I'm not expecting to receive. Even if I receive one from a known contact, I check with them if I wasn't expecting an attachment, in case a virus has got into their contacts list.
    I try not to get too stressed out on the forum. I won't argue, i'll just leave a thread if you don't like what I say. :)
  • Thanks to those who definitely identified it as malware.

    My reason for posting was because it is a particularly difficult one for a non-techie to unravel by means of the header info and although I suspected it, I wasn't sure despite being pretty savvy, so I thought others might benefit from seeing it.

    Can the techies amongst us tell us which parts of the header give away the fact that it is spoofed?


    To the uninitiated, this one masquerades quite effectively as an MMS either received by or sent by Vodafone. Do we know the current mobile numbers of everyone we know? It just so happens I have some friends away skiing at the moment and I would not have been surprised to receive an MMS from an unrecognised UK mobile, as some are avoiding the cost of using their own handsets for data whilst up the mountain away from Wi-Fi. It therefore wouldn't surprise me if a handset was borrowed for the purpose of some humorous group photo or whatever.

    Of course, thinking about it one (obvious with hindsight) stage further: unless I too was with Vodafone, why would Vodafone be emailing me about it rather than texting me the link if the photo couldn't be delivered direct to my handset?

    Yes it is very easy to ignore everything we are not expecting but wouldn't life be boring!

    What is totally unacceptable is that we are bombarded by so many of these trojan attempts to break into our computers, isn't it? You would think that major Antivirus and Email server protections would be a little more robust by now. If techies in this forum can spot a spoof header a mile off, then why did it ever reach me?
  • -TangleFoot-
    -TangleFoot- Posts: 4,673 Forumite
    First Anniversary Combo Breaker
    Can the techies amongst us tell us which parts of the header give away the fact that it is spoofed?
    Nothing obvious - just the .exe hiding inside a .zip file named 8744Y4G_MMS.
  • Received: from [101.78.164.189] ([101.78.164.189])

    Registered in HK of course it could be part of a botnet
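As an added illustration of how the "which parts of the header give it away" question gets answered in practice (this is example code written for this page, not anything posted by the thread's participants or by Plusnet or Vodafone), the script below parses the header block quoted in the opening post and reports the indicators a mail analyst would look at. It assumes, as the headers themselves show, that plus.net hosts the recipient's mailbox, so only the Received lines stamped by plus.net servers are trusted; the header sample is trimmed to the lines the checks use, and the attachment name and type come from the forum's listing of the attachment.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the Received/From/filter lines from the header block in
# the opening post, verbatim, with the recipient left as the poster's placeholder.
RAW_HEADERS = """\
Return-path: <foodse@vodafone.com>
Envelope-to: {my email address}
Received: from [212.159.9.108] (helo=avasin18.plus.net)
by inmx16.plus.net with esmtp (PlusNet MXCore v2.00) id 1TvfVn-0000eX-9l
for {my email address}; Thu, 17 Jan 2013 02:47:27 +0000
Received: from [101.78.164.189] ([101.78.164.189])
by avasin18.plus.net with Plusnet Cloudmark Gateway
id oqnM1k00H45Vuwd01qnQv2; Thu, 17 Jan 2013 02:47:27 +0000
X-CM-Score: 100.00
Received: from VFUS-MBX03.vf-us.internal.vodafone.com ([::1]) by
VFUS-CAS01.vf-us.internal.vodafone.com ([10.181.10.42]) with mapi; Thu, 17 Jan 2013 10:47:24 +0800
From: <mms@getmyphoto.vodafone.com>
X-pn-pstn: Spam 1
Subject: A new picture or video message [Vodafone MMS]
"""
# The forum's attachment listing; it is not a header, so it is kept separate.
ATTACHMENT = ("8744Y4G_MMS.ZIP", "application/zip")

HEADER_START = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")
RECEIVED = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IPV4_LITERAL = re.compile(r"^\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$")


def parse_headers(text: str) -> List[Tuple[str, str]]:
    """Split a header block into (name, value) pairs, joining folded lines.
    Any line not shaped like 'Name: value' is treated as a continuation of the
    previous header, which also copes with the leading whitespace that forum
    software strips from pasted headers, as happened in the post above."""
    headers: List[Tuple[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_START.match(line)
        if m:
            headers.append((m.group(1), m.group(2).strip()))
        elif headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
    return headers


def get(headers: List[Tuple[str, str]], name: str) -> List[str]:
    return [v for n, v in headers if n.lower() == name.lower()]


def parse_received(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Pull the connecting IP, the name the sender announced (HELO) and the
    receiving host out of one Received header."""
    m = RECEIVED.search(value)
    if not m:
        return None
    from_token, comment, by_host = m.group(1), m.group(2) or "", m.group(3)
    ip = None
    for tok in (from_token, comment):           # the bracketed literal is what
        mm = IPV4_LITERAL.match(tok.strip())    # the receiving server saw
        if mm:
            ip = mm.group(1)
    helo_m = re.search(r"helo=(\S+)", comment)
    if helo_m:
        helo = helo_m.group(1)
    elif IPV4_LITERAL.match(from_token):
        helo = None                              # bare IP literal, no hostname
    else:
        helo = from_token
    return {"ip": ip, "helo": helo, "by": by_host.rstrip(";,")}


def in_domain(host: Optional[str], domain: str) -> bool:
    h = (host or "").lower().rstrip(".")
    return h == domain or h.endswith("." + domain)


def analyse(raw: str, recipient_domain: str, claimed_domain: str,
            attachment: Optional[Tuple[str, str]] = None) -> List[str]:
    headers = parse_headers(raw)
    findings: List[str] = []
    hops = [parse_received(v) for v in get(headers, "Received")]

    # Walk the Received chain top-down (newest hop first). Hops stamped by the
    # recipient's own provider can be trusted; the first one whose sender lies
    # outside that provider shows where the mail really came from, and every
    # Received line below it was written by the sender and proves nothing.
    origin, unverified = None, []
    for i, hop in enumerate(hops):
        if hop is None or not in_domain(hop["by"], recipient_domain):
            break
        if not in_domain(hop["helo"], recipient_domain):
            origin, unverified = hop, hops[i + 1:]
            break
    if origin:
        if origin["helo"] is None:
            findings.append(f"origin {origin['ip']} identified itself only by IP literal; "
                            f"nothing ties it to {claimed_domain}")
        elif not in_domain(origin["helo"], claimed_domain):
            findings.append(f"origin {origin['ip']} announced itself as {origin['helo']}, "
                            f"not a {claimed_domain} host")
        for hop in unverified:
            if hop and in_domain(hop["by"], claimed_domain):
                findings.append(f"Received line naming {hop['by']} is below the trust "
                                f"boundary: sender-supplied, unverified")

    # The recipient's provider already recorded its own verdict in the headers.
    for v in get(headers, "X-pn-pstn"):
        if v.lower().startswith("spam"):
            findings.append(f"provider filter tagged it: X-pn-pstn: {v}")

    # An MMS is a picture, video or sound clip; an archive is not.
    if attachment and not attachment[1].startswith(("image/", "video/", "audio/")):
        findings.append(f"attachment {attachment[0]} is {attachment[1]}, not an MMS media type")
    return findings


if __name__ == "__main__":
    for finding in analyse(RAW_HEADERS, "plus.net", "vodafone.com", ATTACHMENT):
        print("-", finding)
```

Run against the posted headers it reports four things: the connection reached Plusnet from 101.78.164.189 with no hostname at all, the Received line naming the Vodafone Exchange servers sits below that hop and so was supplied by whoever sent the mail, Plusnet's own filter had already tagged the message as spam, and the attachment is a ZIP rather than any MMS media type. The From:, Return-path and Subject lines are likewise sender-supplied, so the vodafone.com names in them carry no weight on their own; a full check would additionally look up the reverse DNS and SPF record for the origin IP, which this offline example deliberately does not do.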