
What really irks me is getting an email like this:

    Shipping account suspended

    Dear XXXX,
    FedEx shipping privileges for account number ending in NNNN
    have been suspended. To access and update your credit card
    data, log in to FedEx® Billing Online.

    Log in today (Button)

This just screams "scam", especially since I haven't used the FedEx account in months. When I log into FedEx (not using the link in the email), my account shows a zero balance and no outstanding messages. So I send the email, with headers, to "abuse@fedex.com". (They never answered.)

I call FedEx Revenue Services, and they can't find anything wrong with the account. They tell me the account isn't suspended. They want the expiration date on my credit card updated before the end of the month, but it hasn't expired yet.

I look at the message source, and it looks like it's really coming from FedEx, and the link really goes to FedEx. I keep looking, and can't find anything wrong in the headers. It's a legit email. It's just stupidity at FedEx.

Sloppy work, FedEx, sending out an email like that. You're training people to click on links they should not click on.



I got a similar dodgy looking email from Dell. It was from some different e-mail address (dellteam.com instead of dell.com). It was a failed transaction.

The email was completely dodgy, had several typos. There was a lack of instructions on what to do, just a "please contact us". I tried to contact customer service instead of the representative, but it was impossible because I needed an order code, which they never gave me. Emails to the individuals were never replied to and he insisted on only calling and handling a bank transfer over the phone.

The whole situation was very similar to a man in the middle attack.

It turned out to be legit, but the whole situation makes me never want to order anything from them again.


I've made the same complaint, "you're training people to click on links," to I-forget-who. "Your security is important to us, and we'll send that directly to the crickets."

Either the people you are able to contact don't care, because they have no idea what you're talking about, or they don't care because they wrote/required exactly what you're complaining about, out of expediency or ignorance.


It is very easy to spoof an email address[1], so it could be that it is someone from outside of FedEx.

https://superuser.com/questions/505503/how-can-you-fake-an-e...


However, you can still check the IP address of the mail server that sent the mail. Some things to look at:

1. Check PTR for IP and verify that the A or AAAA record for that name points back to the same IP.

2. Compare with IP address of server that sent previous mail to you.

3. Check SPF records for the domain.

4. Check MX records for the domain. Keep in mind that they might be using different servers for sending than for receiving though and that MX is for receiving.
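The four checks above, carried out as an added worked example (my code, not from the thread or any commenter). It runs against a constructed in-memory DNS table so it works offline; the hostnames, IPs and SPF records in it are made-up test data, and the SPF evaluator handles only the ip4/ip6/a/include/all mechanisms. Swapping `lookup` for a real resolver would apply the same logic to live mail.

```python
"""Sender checks from the thread (PTR + forward confirmation, seen-before IP,
SPF, MX) against a constructed in-memory DNS table so the example runs offline.
Swap `lookup` for a real resolver (e.g. dnspython) to use it on live mail."""
import ipaddress

# Constructed records for a hypothetical domain (example data, not real DNS).
DNS = {
    ("98.8.135.204.in-addr.arpa", "PTR"): ["mx1.example-sender.test"],
    ("mx1.example-sender.test", "A"): ["204.135.8.98"],
    ("example-sender.test", "TXT"): [
        "v=spf1 ip4:204.135.8.0/24 include:_spf.bulkmailer.test -all"],
    ("_spf.bulkmailer.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("example-sender.test", "MX"): ["inbound.example-sender.test"],
    ("inbound.example-sender.test", "A"): ["203.0.113.25"],
}

def lookup(name, rtype):
    """Stand-in resolver: returns the record list, or [] for NXDOMAIN/NODATA."""
    return DNS.get((name.lower(), rtype), [])

def fcrdns(ip):
    """Step 1: PTR for the IP, then confirm the name's A/AAAA points back.
    Returns the confirmed hostname, or None if no name round-trips."""
    addr = ipaddress.ip_address(ip)
    for name in lookup(addr.reverse_pointer, "PTR"):
        if ip in lookup(name, "A") + lookup(name, "AAAA"):
            return name
    return None

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, ip, depth=0):
    """Step 3: minimal SPF evaluation of the domain's v=spf1 record.
    Handles ip4/ip6/a/include/all; mx, exists, ptr and redirect= are skipped."""
    if depth > 10:                      # RFC 7208 include-recursion limit
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            host = arg or domain
            matched = ip in lookup(host, "A") + lookup(host, "AAAA")
        elif mech == "include":
            matched = spf_check(arg, ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue                    # unsupported mechanism or modifier
        if matched:
            return QUALIFIER[qual]
    return "neutral"                    # nothing matched and no 'all' term

def mx_addresses(domain):
    """Step 4: addresses of the domain's inbound (MX) servers. As the comment
    notes, outbound relays often differ, so a miss here is a hint, not proof."""
    ips = []
    for host in lookup(domain, "MX"):
        ips += lookup(host, "A") + lookup(host, "AAAA")
    return ips

def assess(ip, mail_from_domain, previously_seen_ips=()):
    """Run the four checks for one connecting IP and return the evidence."""
    return {
        "fcrdns": fcrdns(ip),
        "seen_before": ip in previously_seen_ips,   # step 2
        "spf": spf_check(mail_from_domain, ip),
        "is_mx": ip in mx_addresses(mail_from_domain),
    }

if __name__ == "__main__":
    print(assess("204.135.8.98", "example-sender.test", {"204.135.8.98"}))
```

The verdict is deliberately a set of facts rather than a single boolean: a sender that passes SPF via an `include:` of a bulk mailer is a different risk from one whose own relay round-trips in DNS, and a receiving client (the plugin asked about below) would weigh those differently.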


These sound like good steps to determine if a sender is legitimate. Is there a plugin that already does this for existing email clients?


Google's Gmail and Inbox both show this information if you click the "view full message" option on any particular email.


I'm pretty sure GP means: is there a client that runs this check in the background, and either tells you or marks it as spam?


With SPF, DKIM, DMARC, coupled with blacklists and the reputation system of big mail providers that's making it difficult to host your own email, it's actually quite hard to impersonate an email address.

Try it, then see how many times you can hit a @gmail address.


I found that this does not stop one from sending emails that appear to originate from addresses like info@paypal.com as long as the contents of the email are different from known spam emails. They are not flagged by GMail at all as long as you send them from a reputable email server through services like mailgun.com.


SPF will catch these really easily.


Sure but if the link leads to the actual FedEx website then what would be the point?


One possibility is the "Hostile Subdomain Takeover" attack recently mentioned here, where an attacker could have control of, say, help.fedex.com https://news.ycombinator.com/item?id=14860149


Tweet their customer service (@FedExHelp). My friend who works in tech support (not at FedEx) recommends this practice.


How well would something like that work with a completely-fresh Twitter account?


I wonder if the link is to something on FedEx's site that has an XSS vuln and redirects elsewhere?


There should be a way to give a credit-card number that is automatically identified as fraud and triggers prosecution when used.


Everyone knows that such spam mails are NOT sent by the company, but by scammers. Look at the raw email header.

So why is this comment on top?

It seems HN has gone mainstream, and with it the usefulness is declining: low-quality comments stay on top that can be answered by common sense.


For the record, that's John Nagle:

https://en.m.wikipedia.org/wiki/Nagle%27s_algorithm


Generally it's good to assume that Animats knows more about how the internet works than you do, especially if it is something related to networks.


It's likely that Animats knows what he's doing.

He also says that the email contains a link to the real website, not to a scam website.

So, if it was sent by a scammer what's the purpose? How does it work?

And if it was sent by the company, why are they sending email that looks like a scam?


The mail header entry at the point it leaves FedEx's systems and enters my website is:

    Received: from pvma00057.prod.fedex.com ([204.135.8.98]:61625 helo=mx28.infosec.fedex.com)
	by gator4118.hostgator.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.87)
	(envelope-from <prvs=1370ad99fd=bounce@nds.fedex.com>)
	id 1dWn4C-00092V-Dd
	for nagle@animats.com; Sun, 16 Jul 2017 12:10:48 -0500
    DKIM-Signature: v=1; a=rsa-sha256; d=fedex.com; s=edc; c=relaxed/relaxed;
	q=dns/txt; i=@fedex.com; t=1500225037;
	h=From:Sender:Reply-To:Subject:Date:Message-ID:To;
	bh=M2wd7ncO9bsu5aQpoaGPtLYIjzi/OkxO+5qgmnqO1D4=;
	b=ktUTxDShfkakjcLd2BEwRVC4X4ItHdPYvR+Dqyj6oiWPWrsuWA98jHqIssipCXHa
	XsPn72sxMnWIlwy0LLC3r2WGTUBHg7afy0K804QLQ2ztSHr7CnMZ4jFh0O6A9ElQ
	16twStNpiG9XBF4Gho08WHg+EUrKSnTqPwknnhOg+9BVyKZLsQhsGAk1Bl/Vgu9z
	55RxPd3VjDlAM04i+sZZaLLTX3TLA8jbMHNgZpwx01j6/whY2RVktfMYvmJZo3n9
	6XVJTcUVA3QiXb32Ps9OwGpOZQMSR0EKGrXSEUyk8YEGDZmFkZOgy6cUZBuzKRXs
	yPqdVtE4gHvuck8T5nrllg==;
    X-AuditID: cc870862-345fb700000012f5-3f-596b9e0d6fb1

That looks OK. Unless FedEx has an open mail forwarder, a break-in at "pvma00057.prod.fedex.com", or DNS trouble, that's from FedEx.


IP seems legit, it's from FedEx. I apologize.

  NetRange:       204.135.0.0 - 204.135.255.255
  CIDR:           204.135.0.0/16
  NetName:        FEDEX-2009-BLOCK
  NetHandle:      NET-204-135-0-0-1
  Parent:         NET204 (NET-204-0-0-0-0)
  NetType:        Direct Assignment
  OriginAS:       AS7726
  Organization:   FedEx (FEC)
  RegDate:        2009-07-20
  Updated:        2017-04-29
  Ref:            https://whois.arin.net/rest/net/NET-204-135-0-0-1

  OrgName:        FedEx
  OrgId:          FEC
  Address:        70 FedEx Parkway
  City:           Collierville
  StateProv:      TN
  PostalCode:     38017
  Country:        US
  RegDate:        
  Updated:        2014-06-02
  Ref:            https://whois.arin.net/rest/org/FEC
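As an added example (my code, not from any commenter, FedEx or Exim), the following parses the Received and DKIM-Signature headers quoted a few comments up and checks the connecting IP against the 204.135.0.0/16 block from the whois output above. The header text is copied from the thread with folded lines joined and the `b=` value abbreviated; the dict key names are my own, and the code does no DNS or signature verification, it only extracts the facts a reader would otherwise check by hand.

```python
"""Offline parse of the Received / DKIM-Signature headers quoted in the thread,
plus an IP-in-block check against the ARIN range from the whois output.
It does not fetch the DKIM key or verify the signature."""
import ipaddress
import re

# Headers as quoted in the thread, folded lines joined; b= value abbreviated.
RECEIVED = (
    "Received: from pvma00057.prod.fedex.com ([204.135.8.98]:61625 "
    "helo=mx28.infosec.fedex.com) by gator4118.hostgator.com with esmtps "
    "(TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.87) "
    "(envelope-from <prvs=1370ad99fd=bounce@nds.fedex.com>) "
    "id 1dWn4C-00092V-Dd for nagle@animats.com; Sun, 16 Jul 2017 12:10:48 -0500")
DKIM = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=fedex.com; s=edc; c=relaxed/relaxed; "
    "q=dns/txt; i=@fedex.com; t=1500225037; "
    "h=From:Sender:Reply-To:Subject:Date:Message-ID:To; "
    "bh=M2wd7ncO9bsu5aQpoaGPtLYIjzi/OkxO+5qgmnqO1D4=; b=ktUTxDShfkak...")
ORG_BLOCK = "204.135.0.0/16"   # CIDR from the ARIN whois output in the thread

def parse_received(header):
    """Extract the fields of an Exim-style Received header.
    Only the header added by your own receiving server is trustworthy;
    any Received lines below it were supplied by the sender."""
    body = " ".join(header.split(":", 1)[1].split())   # drop name, unfold

    def grab(pattern):
        m = re.search(pattern, body)
        return m.group(1) if m else None

    return {
        "rdns": grab(r"^from\s+(\S+)"),                 # name Exim resolved
        "ip": grab(r"\(\[([0-9A-Fa-f.:]+)\]"),          # connecting address
        "helo": grab(r"helo=(\S+?)\)"),                 # name the client claimed
        "by": grab(r"\bby\s+(\S+)"),
        "tls": grab(r"with esmtps\s+\(([^)]+)\)"),      # None if the hop was plaintext
        "envelope_from": grab(r"envelope-from\s+<([^>]+)>"),
        "rcpt": grab(r"\bfor\s+(\S+);"),
    }

def parse_dkim(header):
    """Split a DKIM-Signature into tag=value pairs, folding whitespace removed."""
    tags = {}
    for part in header.split(":", 1)[1].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())
    return tags

def dkim_key_record_name(tags):
    """DNS TXT name a verifier would query for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def same_org(name, org_domain):
    """Relaxed alignment in the DMARC sense: name equals org_domain or is a subdomain."""
    name, org_domain = name.lower().rstrip("."), org_domain.lower()
    return name == org_domain or name.endswith("." + org_domain)

def assess(received=RECEIVED, dkim=DKIM, block=ORG_BLOCK):
    """Combine the parsed facts into the checks the commenters did by hand."""
    r, t = parse_received(received), parse_dkim(dkim)
    org = t["d"]                                        # signing domain
    env_domain = r["envelope_from"].rsplit("@", 1)[1]
    return {
        "ip_in_org_block": ipaddress.ip_address(r["ip"]) in ipaddress.ip_network(block),
        "rdns_aligned": same_org(r["rdns"], org),
        "helo_aligned": same_org(r["helo"], org),
        "envelope_aligned": same_org(env_domain, org),
        "hop_used_tls": r["tls"] is not None,
        "dkim_key_name": dkim_key_record_name(t),
    }

if __name__ == "__main__":
    for k, v in assess().items():
        print(f"{k}: {v}")
```

All four alignment facts agreeing with the whois block is what makes the "that's from FedEx" conclusion reasonable; a forged message typically fails at least one of them, because the attacker controls the HELO and envelope strings but not the reverse DNS of the relay or the ARIN allocation of its address.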

