I received an e-mail purporting to be an Amazon order cancellation. It looked fairly authentic: if you have an untrained eye and some curiosity, you may be fooled into clicking on the ORDER DETAILS link. If you are in the UK, one of the key clues is that this e-mail claims to originate from amazon.com, whereas in the UK we would expect such e-mail to come from amazon.co.uk. The same could be said for other non-.com editions of the Amazon site.
Closer inspection reveals that the ORDER DETAILS link doesn’t go to an Amazon web page, but to a completely different site. In this case you’ll be taken to a site that offers you tablets for helping make something bigger! However, there’s nothing to tell you how dangerous the destination site is: a single click can cause a lot of damage.
I use MailWasher Pro as my client-side anti-spam filtering tool. It’s kind enough to expand links in e-mails so that the true destination is revealed, as the screenshot below demonstrates:

The lesson behind this blog post is that you should never take links at face value. Always hover the mouse over the link and see where it ultimately leads: if it’s not going where you expect it to go, resist the temptation to “just click on it”! If hovering the mouse over the link doesn’t help you, see if you can find the message source (in Outlook, right-clicking on an e-mail and choosing Message Options lets you look at the “Internet Headers” and the raw message).
—
FYI, here’s the full body of the original e-mail.
by twx8…com with smtp (Exim 4.69)
(envelope-from
id 1No5Qd-0001Xk-S3
for …; Sun, 07 Mar 2010 01:37:14 +0000
Date: Sat, 6 Mar 2010 23:59:45 +0400 (UTC)
From: “order-update@amazon.com”
To:
Message-ID: <151840.7152476933828043636.JavaMail.correios@na-mm-relay.amazon.com>
Subject: Amazon.com – Your Cancellation (0713-48571-25595)
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-AMAZON-CLIENT-HOST: online-gp-48l06.iad9.amazon.com
Bounces-to: 20103c7b52838824c217f09b0630caf76b94d527f4@bounces.amazon.com
X-AMAZON-MAIL-RELAY-TYPE: notification
X-AMAZON-RTE-VERSION: 2.0
X-Spam-Status: No, score=4.1
X-Spam-Score: 41
X-Spam-Bar: ++++
X-Spam-Flag: NO
<html>
<head>
<title>Amazon.com – Your Cancellation
</head>
<body bgcolor=”#FFFFFF” link=”#0066CC”>
Dear Customer,
<br />
Your order has been successfully canceled. For your reference, here`s a summary of your order:<br />
You just canceled order #859-8266172-041110
<br />Status: CANCELED
_____________________________________________________________________<br />
<a href=”http://almedicgroup.com/robbie.html”>ORDER DETAILS</a><br />
Sold by: Amazon.com, LLC
<br />
_____________________________________________________________________<br /><br />





10:30 pm on March 7th, 2010 1
Thanks Craig, I just updated my Mailwasher install from 2.0something beta to 6.5.2 (I’ve been using it a good long while but I never checked for updates!). Is the Pro upgrade worthwhile?
Phil
1:54 am on March 9th, 2010 2
Yeah, this landed in my spam folder and I hovered over the link.
This was my header on it:
From order-update@amazon.com Tue Mar 9 04:40:31 2010
X-Apparently-To: REMOVED@REMOVED.com via 66.163.178.135; Mon, 08 Mar 2010 15:42:57 -0800
Return-Path:
X-REMOVEDFilteredBulk: 195.228.137.196
X-REMOVED: cMkUldYWLDsjRXtMuu1×5kVq4oe828rg6f2LJCBMIHA6IcjmDi_HAn7s0tsxxOA2phv1Xdi0B7OER7P8zoTBs_FsGU.y5t1KLSm8PZHhovgDX88D7d4Vby0FwGxHd3yWq2EHoS0ln09q6SiXEDoL6rhCvwSXUu1IbWNfd06sFHx1_HugRC2hk1Icl1XCoQnfef7dIUcVrQ7ww.P_l_liBfaxzWbPobvke2IRJdwNoB2uraApo2zqIipwNucxu_IiMi.P5xqgbRgjdusLlfJAHkHV407_henO7jlB6t9ZFL_aJL3t4xSzOFgUEPBJ6ReNywVX2QdkMus_PbAqQD0XyQ–
X-Originating-IP: [195.228.137.196]
Authentication-Results: mta1050.mail.ac4.REMOVED.com from=; domainkeys=neutral (no sig); from=amazon.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO kissbkerkft.hu) (195.228.137.196)
by mta1050.mail.ac4.REMOVED.com with SMTP; Mon, 08 Mar 2010 15:42:56 -0800
Date: Tue, 9 Mar 2010 00:40:31 -0400 (UTC)
From: “order-update@amazon.com”
To:
Message-ID:
Subject: Amazon.com – Your Cancellation (822-319531-9278972)
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-AMAZON-CLIENT-HOST: online-gp-13j07.iad3.amazon.com
Bounces-to: 20109a9d79c8e967498341b8997c4d5294448d034a60eb@bounces.amazon.com
X-AMAZON-MAIL-RELAY-TYPE: notification
X-AMAZON-RTE-VERSION: 2.0
Content-Length: 1133
9:12 am on March 10th, 2010 3
Thanks for the post. Just received the same mail and it appeared to be very strange immediately. However, I made an order at amazon recently, which is why I researched this kind of email in the first place. Glad I found this site.
This is very dangerous though. I consider myself well educated in terms of internet stuff and even I was tempted to click the link simply because I am a regular amazon-user.
Regards,
10:41 am on March 10th, 2010 4
clicked on the f+++ing link…
and closed the tab after recognizing that something's wrong
what can happen?
7:35 am on March 11th, 2010 5
I got
“Amazon.com – Your Cancellation (049-449250-9606186)”
from
Return-Path:
Received:from 198.66.239.203 (HELO aztex.com.au) (198.66.239.203)by mta305.mail.ogk.yahoo.co.jp with SMTP; Sat, 06 Mar 2010 07:51:25 +0900
and “ORDER DETAILS” is linked to http://ebis80.e151.ebizcanada.com/protozoan.html
So there are several types of messages.
Watch out.
1:08 pm on April 25th, 2010 6
Similar sort of thing, but mine said it came from Twitter – but I’m not with Twitter.
In the headers, it came from ‘kisbkerkft.hu’
I did not respond.