I got this email today, and here is how it shows up in Gmail:
BTC-E
no_reply@btc-e.com via smtp.com 5:58 AM (5 hours ago)
to me
Hello!
We inform you that you scan the downloaded document # 14327223
http://ge.tt/... <rest of url redacted> can not be verified for the following reason:
-Specified in the certificate data in a language other than the language passport data
Please provide a new file to check.
Sincerely,
Representative Director
BTC-E Co., Ltd.
Shibuya-ku, Tokyo
One thing to look for is this
What this is saying is that the email was sent indicating it was from btc-e.com; however, it actually came from smtp.com. Now, this isn't that uncommon: many sites move their email off their domain. However, there is a way of authenticating these off-domain emails, and it wasn't done.
So any time you see a "via" in Gmail, be wary. There is a high chance it is a phishing attempt. It could be an uneducated operator or some misconfiguration, but your phishing radar should be going off when you see a redirected email.
Looking at the source:
Delivered-To: <redacted>
Received: by 10.170.132.70 with SMTP id y67csp158747ykb;
Tue, 11 Mar 2014 02:58:50 -0700 (PDT)
X-Received: by 10.66.162.74 with SMTP id xy10mr46827749pab.4.1394531930066;
Tue, 11 Mar 2014 02:58:50 -0700 (PDT)
Return-Path: <no_reply@btc-e.com>
Received: from mailer134.gate183.sl.smtp.com (mailer134.gate183.sl.smtp.com. [192.40.183.134]) by mx.google.com with ESMTP id pi6si17253804pbb.10.2014.03.11.02.58.49
        for <gerald@tangiblecryptography.com>; Tue, 11 Mar 2014 02:58:50 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning no_reply@btc-e.com does not designate 192.40.183.134 as permitted sender) client-ip=192.40.183.134;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning no_reply@btc-e.com does not designate 192.40.183.134 as permitted sender) smtp.mail=no_reply@btc-e.com; dkim=pass header.i=@smtp.com
Return-Path: <no_reply@btc-e.com>
X-MSFBL: Z2VyYWxkQHRhbmdpYmxlY3J5cHRvZ3JhcGh5LmNvbUAxOTJfNDBfMTgzXzEzNEBz
bXRwY29tXzExQA==
DKIM-Signature: v=1; a=rsa-sha256; d=smtp.com; s=smtpcomcustomers; c=relaxed/simple;
q=dns/txt; i=@smtp.com; t=1394531929;
h=From:Subject:To:Date:MIME-Version:Content-Type;
bh=EptpTsx18R734YExCd0CN520kmNgDylmBwR2r+Pyuqw=;
b=f2hvNXaJT9YyFXhXAYg7qRLTST5KlgacBGLJE/rQYLnlNXuiUMbLxMlOvgePe0Mc
lmS0HCW2hdDJ4BGdqwpVWMxdTIUR8JtiIz8XF4oSkXTYG80GoFz5SWxGfX7w4K9j
9gqnLIbogpkBa+DxB0xX7pENIlH6Pf/XkyQScWaf1bA=;
Received: from [216.55.179.130] ([216.55.179.130:61625] helo=216-55-179-130.dedicated.codero.net)
by sl-mta06.smtp.com (envelope-from <no_reply@btc-e.com>)
(ecelerity 3.5.5.39309 r(Platform:3.5.5.0)) with ESMTPSA (cipher=AES256-SHA)
id DD/65-01037-95EDE135; Tue, 11 Mar 2014 09:58:49 +0000
From: "BTC-E" <no_reply@btc-e.com>
Message-ID: <DD.65.01037.95EDE135@sl-mta06>
Subject: BTC-E Passport
To: <redacted>
Content-Type: multipart/alternative; boundary="chnq7o2neA2=_nG4ebCT6XPRtS76K4DnFp"
MIME-Version: 1.0
Organization: BTC-E
Date: Tue, 11 Mar 2014 02:58:51 -0700
X-SMTPCOM-Tracking-Number: 755a5166-7a64-405b-9339-37db125228cb
X-SMTPCOM-Sender-ID: 24012
X-SMTPCOM-Spam-Policy: SMTP.com is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to abuse@smtp.com
A couple of things in here. The first is that the sent-from and reply-to emails are simply lines of text. There is absolutely no security. You can send email with a from email address of obama@whitehouse.com as easily as you can type the letters. So never rely on those.
This shows where the email actually originated from:
Received: from mailer134.gate183.sl.smtp.com (mailer134.gate183.sl.smtp.com. [192.40.183.134])
Now, as I said before, it isn't that uncommon for email to originate off domain; however, this is the warning sign:
spf=softfail (google.com: domain of transitioning no_reply@btc-e.com does not designate 192.40.183.134 as permitted sender) smtp.mail=no_reply@btc-e.com;
In simple terms, it is saying btc-e has not approved the originating server to send email on its behalf. Google should really make these types of "soft" failures more pronounced with scary warnings, but they don't.
Lastly, the actual originator is a commercial service. They provided this information in the header:
X-SMTPCOM-Tracking-Number: 755a5166-7a64-405b-9339-37db125228cb
X-SMTPCOM-Sender-ID: 24012
X-SMTPCOM-Spam-Policy: SMTP.com is a paid relay service. We do not tolerate UCE of any kind. Please report it ASAP to abuse@smtp.com
If your email client gives you the option to report as phishing (not just report as spam), be sure to do so. Most will forward this back to, in this case, abuse@smtp.com.
You can also manually forward it to abuse@smtp.com and report it as phishing.
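The checks walked through in this post (SPF result, the DKIM signing domain, and whether either one lines up with the From domain, which is what produces Gmail's "via") can be automated against the Authentication-Results header. The following is an added example, not code from the poster; it assumes the Gmail-style header layout shown above, accepts both the page's `smtp.mail` property and the standard `smtp.mailfrom` spelling, and uses a constructed, abridged copy of the headers from this message as its sample input.

```python
import email
import email.utils
import re

# Constructed sample: the relevant headers from the message above, abridged.
SAMPLE = """\
Return-Path: <no_reply@btc-e.com>
Received: from mailer134.gate183.sl.smtp.com ([192.40.183.134]) by mx.google.com
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning no_reply@btc-e.com does not designate 192.40.183.134 as permitted sender) smtp.mail=no_reply@btc-e.com; dkim=pass header.i=@smtp.com
From: "BTC-E" <no_reply@btc-e.com>

body
"""

def parse_auth_results(value):
    """Split an Authentication-Results header into {method: {"result": ..., prop: value}}."""
    value = re.sub(r"\([^)]*\)", "", value)            # drop (comments)
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    results = {}
    for clause in clauses[1:]:                          # clauses[0] is the authserv-id
        tokens = clause.split()
        method, _, outcome = tokens[0].partition("=")
        props = dict(t.partition("=")[::2] for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": outcome.lower(), **props}
    return results

def aligned(auth_domain, from_domain):
    """DMARC-style relaxed alignment: same domain or a subdomain of it."""
    return bool(auth_domain) and (auth_domain == from_domain
                                  or auth_domain.endswith("." + from_domain))

def assess(raw):
    """Return the SPF/DKIM picture for one message and whether it looks spoofed."""
    msg = email.message_from_string(raw)
    from_domain = email.utils.parseaddr(msg["From"] or "")[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg["Authentication-Results"] or "")
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_domain = spf.get("smtp.mailfrom", spf.get("smtp.mail", "")).rsplit("@", 1)[-1].lower()
    dkim_domain = (dkim.get("header.d") or dkim.get("header.i", "")).rsplit("@", 1)[-1].lower()
    spf_ok = spf.get("result") == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim_domain, from_domain)
    return {
        "from_domain": from_domain,
        "spf": spf.get("result", "none"), "spf_domain": spf_domain,
        "dkim": dkim.get("result", "none"), "dkim_domain": dkim_domain,
        # Gmail shows "via <domain>" when no authenticated domain matches From
        "via": None if (spf_ok or dkim_ok) else (dkim_domain or spf_domain),
        "suspicious": not (spf_ok or dkim_ok),
    }

if __name__ == "__main__":
    for key, val in assess(SAMPLE).items():
        print(f"{key}: {val}")
```

For this message it reports spf=softfail for btc-e.com, dkim=pass for smtp.com only, "via smtp.com", and suspicious=True; a mail whose SPF or DKIM passes for the From domain itself comes back clean.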