I received an e-mail purporting to be an Amazon order cancellation. It looked fairly authentic: an untrained but curious eye could be fooled into clicking on the ORDER DETAILS link. If you are in the UK, one of the key clues is that this e-mail claims to originate from amazon.com – in the UK we would expect such e-mail to come from amazon.co.uk. The same could be said for other non-.com editions of the Amazon site.
Closer inspection reveals that the ORDER DETAILS link doesn’t go to an Amazon web page, but to a completely different site… in this case you’ll be taken to a site that offers you tablets for helping make something bigger! However, there’s nothing to tell you how dangerous the destination site is… a single click can cause a lot of damage.
I use MailWasher Pro as my client-side anti-spam filtering tool. It’s kind enough to expand links in e-mails so that the true destination is revealed, as the screenshot below demonstrates:
The learning experience behind this blog post is that you should never take links at face value. Always hover the mouse over the link and see where it ultimately leads: if it’s not going where you expect it to go, resist the temptation to “just click on it”! If hovering the mouse over the link doesn’t help you, see if you can find the message source (in Outlook, right-clicking on an e-mail and choosing Message Options lets you look at the “Internet Headers” and the raw message).
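The same check can be run against the raw message source. The following is an added example, not part of the original post: it parses a constructed message modelled on the one reproduced below (the hosts `mail.example.org`, `mx.example.com` and `pills.example.net` are placeholders) and lists every link whose real destination is not on the domain the From header claims.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the message in this post; hosts are placeholders.
RAW = """\
Received: from mail.example.org ([192.0.2.10]) by mx.example.com with smtp
From: "Amazon.com" <order-update@amazon.com>
Subject: Amazon.com - Your Cancellation

<html><body>
<a href="http://pills.example.net/robbie.html">ORDER DETAILS</a><br />
<a href="http://www.amazon.com/help">Help</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def same_site(host, domain):
    # Exact domain or a true subdomain; "amazon.com.evil.example" must not match.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def inspect_message(raw):
    msg = message_from_string(raw)
    domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Topmost Received header; the name after "from" may be sender-supplied, so it is only a hint.
    relay = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    hosts = [(text, urlsplit(href).hostname) for href, text in collector.links]
    return {"claimed_domain": domain,
            "relay_matches": bool(relay) and same_site(relay.group(1), domain),
            "suspicious_links": [(t, h) for t, h in hosts if not same_site(h, domain)]}
```

For the sample, `inspect_message(RAW)` reports the ORDER DETAILS link as pointing away from amazon.com while the Help link passes. A relay mismatch alone is not proof of forgery, since legitimate senders also use third-party mail services.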
—
FYI, here’s the full body of the original e-mail.
Received: ... from forum.mbfpro.biz ([94.23.20.147])
by twx8...com with smtp (Exim 4.69)
(envelope-from
id 1No5Qd-0001Xk-S3
for ...; Sun, 07 Mar 2010 01:37:14 +0000
Date: Sat, 6 Mar 2010 23:59:45 +0400 (UTC)
From: "order-update@amazon.com"
To:
Message-ID: <151840.7152476933828043636.JavaMail.correios@na-mm-relay.amazon.com>
Subject: Amazon.com - Your Cancellation (0713-48571-25595)
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-AMAZON-CLIENT-HOST: online-gp-48l06.iad9.amazon.com
Bounces-to: 20103c7b52838824c217f09b0630caf76b94d527f4@bounces.amazon.com
X-AMAZON-MAIL-RELAY-TYPE: notification
X-AMAZON-RTE-VERSION: 2.0
X-Spam-Status: No, score=4.1
X-Spam-Score: 41
X-Spam-Bar: ++++
X-Spam-Flag: NO
<html>
<head>
<title>Amazon.com - Your Cancellation
</head>
<body bgcolor="#FFFFFF" link="#0066CC">
Dear Customer,
<br />
Your order has been successfully canceled. For your reference, here`s a summary of your order:<br />
You just canceled order #859-8266172-041110
<br />Status: CANCELED
_____________________________________________________________________<br />
<a href="http://almedicgroup.com/robbie.html">ORDER DETAILS</a><br />
Sold by: Amazon.com, LLC
<br />
_____________________________________________________________________<br /><br />
Thanks Craig, I just updated my Mailwasher install from 2.0something beta to 6.5.2 (I’ve been using it a good long while but I never checked for updates!). Is the Pro upgrade worthwhile?
Phil
Yeah, this landed in my spam folder and I hovered over the link.
This was my header on it:
From order-update@amazon.com Tue Mar 9 04:40:31 2010
X-Apparently-To: REMOVED@REMOVED.com via 66.163.178.135; Mon, 08 Mar 2010 15:42:57 -0800
Return-Path:
X-REMOVEDFilteredBulk: 195.228.137.196
X-Originating-IP: [195.228.137.196]
Authentication-Results: mta1050.mail.ac4.REMOVED.com from=; domainkeys=neutral (no sig); from=amazon.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO kissbkerkft.hu) (195.228.137.196)
by mta1050.mail.ac4.REMOVED.com with SMTP; Mon, 08 Mar 2010 15:42:56 -0800
Date: Tue, 9 Mar 2010 00:40:31 -0400 (UTC)
From: “order-update@amazon.com”
To:
Message-ID:
Subject: Amazon.com – Your Cancellation (822-319531-9278972)
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-AMAZON-CLIENT-HOST: online-gp-13j07.iad3.amazon.com
Bounces-to: 20109a9d79c8e967498341b8997c4d5294448d034a60eb@bounces.amazon.com
X-AMAZON-MAIL-RELAY-TYPE: notification
X-AMAZON-RTE-VERSION: 2.0
Content-Length: 1133
Thanks for the post. Just received the same mail and it appeared to be very strange immediately. However, I made an order at Amazon recently, which is why I research this kind of email in the first place. Glad I found this site.
This is very dangerous though. I consider myself well educated in terms of internet stuff and even I was tempted to click the link simply because I am a regular amazon-user.
Regards,
clicked on the f+++ing link…
and closed the tab after recognizing that something’s wrong
what can happen?
I got
“Amazon.com – Your Cancellation (049-449250-9606186)”
from
Return-Path:
Received:from 198.66.239.203 (HELO aztex.com.au) (198.66.239.203)by mta305.mail.ogk.yahoo.co.jp with SMTP; Sat, 06 Mar 2010 07:51:25 +0900
and “ORDER DETAILS” is linked to http://ebis80.e151.ebizcanada.com/protozoan.html
So there are several types of messages.
Watch out.
Similar sort of thing, but mine said it came from Twitter – but I’m not with Twitter.
In the headers, it came from ‘kisbkerkft.hu’
I did not respond.
Hi
Obviously this kind of mail still continues. I received the same cancellation notice 2 days ago. I didn’t click as the mail came on an address that is never used for Amazon orders. However, it came just after I had made an order to Amazon.
Thank you for your good work in informing users of this kind of danger
Thanks for posting about this site. I am not very computer savvy, and was suspicious when I received almost the same exact e-mail you have posted here. I am not in the UK, but the US, so there were no immediate red flags that it was a phony besides the fact that I did not order anything from Amazon in a while.
Hi, I just found one of these emails in the Gmail spam filter. I had not cancelled or placed an Amazon order so I did a search for Fake “Amazon.com – Your Cancellation” + spam, and found this page.
So thanks for confirming it is spam.
Glad I found this. One of our employees received this and thought it was suspicious. When I hovered over the cancellation number, it said “gorilla-grip.com” Hmmm…glad I was able to find this site quickly and confirm our suspicions.
I am glad I found this blog… I was not able to get the header, but forwarded the information to Amazon. I buy and sell on Amazon and knew I didn’t order what was “cancelled”. Looks like the phishers are looking to other alternatives to getting our information. These people need to get a life.
This website was a big relief. I knew something was phony when it showed that I had cancelled an order on a book I never ordered in the first place.
I just received the same message in my e-mail. Hovered the cursor and it looked weird. So glad to have found this post. Thank you. Now, my question is; if I mark the e-mail as spam and get rid of it, will that affect my ability to receive genuine Amazon e-mails, or will the spam filter only catch messages from the actual sender of this message?
I just got the same email and clicked the link because I was worried my daughter might have purchased something on our Kindle.
DOES ANYONE KNOW IF SOMETHING HARMFUL WILL HAPPEN TO YOUR COMPUTER IF YOU CLICK THE LINK?????
Google mail is doing a very good job identifying this on every occasion as spam. Nothing bad happened when I opened this on a test machine I keep especially for this stuff, it just goes to an annoying site. Maybe a tracking cookie but that is easily fixed.
For anyone concerned if you clicked the link.. download and install MalwareBytes it is a wonderful program for getting rid of malware/adware. It’s also best to run the full scan in safe mode to permanently delete harmful files and keep them from regenerating themselves!! As always run the definition updates regularly.
I just received one of these emails. I thought it was strange because I have not ordered anything from Amazon. I hovered over the link which is supposed to point to Amazon and it pointed to some type of website, but it had numbers and then something like (ivies.html) at the end of it. Don’t know what the numbers mean; it was 3 numbers followed by a dot. Something like this 111.111.111.11/with ivies(dot)html. I deleted the email. I never click on links in emails regardless of who it is from.
I received a similar email today; I have published the header below. The email seems to have been sent from an anonymous e-mailer and the originating IP address is 121.78.244.172 (Korea). The link in the email directs to “http://200.196.254.27/proclaiming.html”. Inspect each email carefully before opening any link, even if it is from a known source. The hackers typically find your close contacts and send email from those contacts.
From order-update@amazon.com Thu May 3 03:08:15 2012
X-Apparently-To: ishwar33@yahoo.com via 106.10.150.124; Wed, 02 May 2012 03:13:28 -0700
Return-Path:
Received-SPF: none (domain of cambridgerealestate.com does not designate permitted sender hosts)
X-Originating-IP: [121.78.244.172]
Authentication-Results: mta1185.mail.sk1.yahoo.com from=amazon.com; domainkeys=neutral (no sig); from=amazon.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO localhost) (121.78.244.172)
by mta1185.mail.sk1.yahoo.com with SMTP; Wed, 02 May 2012 03:13:28 -0700
Date: Wed, 2 May 2012 19:08:15 +0000 (UTC)
From: “order-update@amazon.com”
Reply-To: “order-update@amazon.com”
To: “ishwar33@yahoo.com”
Message-ID:
Subject: Amazon.com – Your Cancellation (139-9285-4393)
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
Bounces-to: 760bbae32d5ce660a65863d2b1b2aa536f565e140426a88@bounces.amazon.com
X-AMAZON-MAIL-RELAY-TYPE: notification
X-AMAZON-RTE-VERSION: 2.0
Content-Length: 1100
I received the same mails recently. Firstly I thought that someone hacked my mail to sign in to Amazon, but after I read this article, I’m very glad that it’s just a spam email and can be ignored.
I’ve been getting one or two of these every day for about a week. Very frequent Amazon customer, but their “help” is no help. abuse@ just bounces back. So, how do we find the person who is doing this and deal with them?
I have been getting a few of these every week. I never clicked on the link, but I replied to the email with this comment:
“Your mail order goat bride delivery will be carried out as you requested.”
It may not even slightly offend the originators of the scam, but it just makes me feel better.
I just received two similar e-mails.
I was suspicious because the books it said were cancelled were not ones I’ve ever even heard of. I was worried perhaps someone had hacked my Amazon account and ordered items somehow.
Then I noticed it was from Amazon.com and not Amazon.ca as I usually deal with.
I have been getting at least one of these a day this week also. Have not ordered anything for it to be cancelled. All appear as a book or title.
Call Amazon customer service and complain. Forward to stop-spoofing@amazon.com. This is a link to a Canada Drug company.
I wish I could find these people and hang them up by their toes.
Only their toes Vicki!? You’re too nice!!
I am getting so many of these (7 to 10 a week) that I am inclined to block amazon.COM as I live in UK and deal with UK entity and therefore the .co.uk extension.
I do use Mailwasher Pro but they are getting through there unhindered except for manual detection and deletion. Seems so heavy handed to have to block a “legitimate address”.
I suppose I could make all amazon.com emails spam in MW Pro and just watch out for the legitimate amazon.com ones that I get once in a blue moon from the US company.
Even when you think you know what you are doing and are careful, it’s such a pain!!
Anybody found a nice clean workaround?
I am getting these emails all the time. Amazon.com’s website says that the email is authentic if it ends in @amazon.com – Obviously this is not true. They never responded when I contacted them.