Phishing Emails with no included links

theKbStockpiler · 12-07-2018, 05:13 PM

I get a few emails a month,both in my in box and in spam that masquerade as a shipper or paypall or the like. They state the issue needs my attention but there are no links in the email.

My question is ,what is the purpose of this? Is this a learning curve for a would be attacker or did it actually serve a purpose?

Thanks for your expertise!

Mechanikx · 12-07-2018, 05:33 PM

Maybe they're hoping you will reply and then they can try to extract personal information from you.

scasey · 12-07-2018, 05:37 PM

No attachments? The ones I get usually have an attached, probably infected, pdf or doc file.

Mechanikx · 12-07-2018, 05:49 PM

Quote:

No attachments? The ones I get usually have an attached, probably infected, pdf or doc file.

Same. Maybe they're trying to switch things up and hoping people will let their guard down?

frankbell · 12-07-2018, 08:46 PM

I've gotten emails of this sort that have included phone numbers. Never tried calling one, though.

caseyl · 12-08-2018, 03:58 AM

I agree that these are probably sent to provoke a reply message, such as responding that the link wasn't included. In addition, if the user allows the download of inline images within their email client, these can be used as a tracking device.

TenTenths · 12-10-2018, 04:20 AM

You don't mention how your e-mail is processed before you view it. It's possible somewhere along the way the links are being stripped.

Another reason for no links is that the skript-kiddy didn't know how to use the script properly!

l0f4r0 · 12-10-2018, 04:32 AM

In addition to what has already been suggested (phone number, answer incitement, attachment), one cannot forget that phishing is often done by very low-level delinquents so sometimes the fraudulent links are simply missing (I noticed it some times)...

Michael Uplawski · 12-10-2018, 04:35 AM

All that is written, above..,

plus

some phishing mails and other UBE still include arbitrary text, in the headers for example, in the believe that it may fool Bayesian filters and render them inefficient. I had thought the futility of these attempts had become obvious years ago, but I still see it happen...

on the other hand.., I still receive Nigeria-Scums.

theKbStockpiler · 12-10-2018, 06:51 PM

Here's the Raw Message with my email address removed from a email with no subject and no message.

Quote:

X-Apparently-To: .com; Sun, 09 Dec 2018 18:54:51 +0000
Return-Path: <01010167945272b8-888366ab-2bad-4f0a-81f1-86ffb50ca33e-000000@us-west-2.amazonses.com>
X-YahooFilteredBulk: 54.240.27.204
Received-SPF: pass (domain of us-west-2.amazonses.com designates 54.240.27.204 as permitted sender)
X-YMailISG: DQrIe_AWLDtCO9E.JCthkeh.972j97t_rzDGtwYZYkgF16sV
6kylaKbfRWMm.Kn0zpHFb9WC5B3ELfOytZPHUhVr4RZY.H0JwPfITrTLddWx
GD9.qZ8F.Lh_fGAWEoZqf9C111HYIjGU3R8J9520HAvUUZvmnE3h5TG.84bZ
ZpQ2vNc9.kTrez3hmYp4ANfcCu9_6Z921cpE8mjx7vgTc.J6YV1JWPUAIc4U
IDwZZ_CzwdCLos.H1adIJdkXwUoDIlnSfJgLOa90IH6i4iOeJU5FeRtdgjr.
5FswRgoKWpRrbR4tMOA3U4z5fCFN4bMSCpPgC95TnqQzm7xYZVf9vbDHOBWC
1QR9o_fGFGhtEllqi_w2LFO5YwKxvKfdeh3evkERbqcyKRhOBcdRaWwFODHC
xd6XJQyfCqYWnEO2lSkFkxGp.XE9PsmJ4ddWCl31vq1AX0RglAOg8pqj1pb2
NvdZ3Ycvv.K9_JIOPl7bdvQE85Jsufe5hn1NISD9J6lwlpjcdWUCih50ue3R
2jWyEERTOrMeb00io8dKDfM53seMrrfParvpmmthoB6rqRwzNTEiCUodFgah
Fwm9zpXtC2NixXSfL6qorpRItPGb5rzzDltJtug_GuYeRuIWMwKLhFUzaY8n
UcltJBoumeLDUJ7oW52PIv141fgRjaaVXy3Kmlo.hss7h_UiAgDXnjCUBesU
hhI7o7_dVbDiXYA2uLAATU5k7ahyzVJOpkmT7Q4GcGHbUnFQNT3UuJgidDjy
mP0nf6Cg7Ny63PUDupmlmRhqhjuro2G3ppVhJk5yFzdCSELaShCgma1Poo6p
2.MqZi15nvYUiu3MofTw2WRUGmyU9ECYreGDJAIBIZBT0VgdhfQ.o7eQtxYe
QDIahjrKWH5NOkbwrTliEjnI2dEl9tQlB7O.Sl5v0D3OTaTx3um4Gp.awqV.
3uAD2OOzv0V9XO8VjTrPjmpBOE1Ja8XiAVnGvzpH6D6.ajDAHHQHq4xM6zb7
vFPLapV4NCRZJzpu7.2z2iB_Qqf33LL_1ed4Eibk1TWs7JVxHbOhwyr4HVHj
lKEE60xuQTi9uhK1mYR_V7uSz7DYlS1QiBENcQ--
X-Originating-IP: [54.240.27.204]
Authentication-Results: mta4276.mail.bf1.yahoo.com from=emailconfrm.com; domainkeys=neutral (no sig); from=amazonses.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO a27-204.smtp-out.us-west-2.amazonses.com) (54.240.27.204)
by mta4276.mail.bf1.yahoo.com with SMTPS; Sun, 09 Dec 2018 18:54:51 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
; d=amazonses.com; t=1544381690;
h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID

ate:Feedback-ID;
bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
b=QDCexwKatq/mtbYlBlzpW6tYGR2Th1hggaUIpgKoD9GYAy9PQF3Qf3Y4f1PpUTDz
Q84+QVaau11FN/yi0XztvRBiSBMtrzKFZY2JxinQi3AYb2UbyoFaD4BHhj8V2gOm1/3
1rXwv0LM+9gINoECNVlEWAJNY6s3aha1Vy1pajn4=
From: verify@emailconfrm.com
To: .com
Subject:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Message-ID: <01010167945272b8-888366ab-2bad-4f0a-81f1-86ffb50ca33e-000000@us-west-2.amazonses.com>
Date: Sun, 9 Dec 2018 18:54:50 +0000
X-SES-Outgoing: 2018.12.09-54.240.27.204
Feedback-ID: 1.us-west-2.ugBewWbb7/EIfUn3ZKWyHHu14U6y5KsgVQ0gWXKbgeI=:AmazonSES
Content-Length: 0

Michael Uplawski · 12-11-2018, 12:26 AM

There is not subject line, but the mail appears to come from Amazon. The sender has not made any effort whatsoever to hide behind falsified addresses or the like.

Are you sure that this is phishing and what tells you so?

l0f4r0 · 12-11-2018, 04:32 AM

There is nothing else left to say:

https://www.reddit.com/r/Scams/comme..._email_and_my/
http://www.sorbs.net/lookup.shtml (check 54.240.27.204)

theKbStockpiler · 12-11-2018, 04:41 PM

Quote:

http://www.sorbs.net/lookup.shtml (check 54.240.27.204)

This just checks the IP address,correct? I comes up as invalid with a service you don't have to register with.

Could someone point me in the right direction on how to understand the Raw message? I assume it's code with a base of 16 but I'm just guessing. Is there a safe way to view the message without a filter?

l0f4r0 · 12-12-2018, 05:11 AM

Quote:

Originally Posted by theKbStockpiler

This just checks the IP address,correct?

Yes, it checks the IP reputation according to SORBS blacklist only.

Quote:

Originally Posted by theKbStockpiler

I comes up as invalid with a service you don't have to register with.

What do you mean?
Currently, this IP is listed so is suspect:

Quote:

2 "Spam" entries [11:21:23 24 Nov 2018 GMT-05].
54.240.27.204 - 2 entries [11:21:23 24 Nov 2018 GMT-05].

Quote:

Originally Posted by theKbStockpiler

Could someone point me in the right direction on how to understand the Raw message? I assume it's code with a base of 16 but I'm just guessing.

You mean the whole header or just the X-YMailISG part (you can find more information on https://serverfault.com/questions/24...mailisg-header)?

Quote:

Originally Posted by theKbStockpiler

Is there a safe way to view the message without a filter?

It's not always recommended. A fraudulent email could try to find a vulnerability in your email client and exploit it. Otherwise, it could just try to know if you opened it so your email address is validated and you will receive more spam/phishing or advanced threats like social engineering...
If you really want to open this mail, maybe you could make sure your email client is up-to-date and open the message in text-mode only (no HTML)?