
Possible phishing email

I've received a couple of these today. Didn't click the link in the email for obvious reasons. The email was sent to the correct email address and it was addressed to me.

Subject: Confirm your Sedo Account

Dear xxxxxxxx,

Thank you for becoming a Sedo member!

In order to submit your offer for you must first verify that the email you provided is a valid email address.

**********************************
Email Confirmation Code
 
Yes, had that one. I forwarded it to Sedo.

 
Are you sure this isn't a Sedo mistake? I got the mail via an address I rarely use for anything other than Sedo and the link in the mail was legit sedo.co.uk?
 
Received the same email today.
 
Also received this - addresses me by name and does link to my account without having to log in, so presumably is from Sedo, but no idea why they are being sent. Someone press the wrong button?
 
I've received 2 today to 2 different email addresses.
 
Could this have been from the Heartbleed thing?

I'm a bit under the weather at the moment so not fully on it, so maybe barking up the wrong tree, but phishing around the time of a security flaw is a bit too coincidental.
 
I had a password reset attempt email from vBulletin just after the Heartbleed thing came out.
 
Has anyone checked the full email headers including IP addresses to see where they were sent from?

Don't know if this gives any indication or not:

Delivered-To: [email protected]
Received: by 10.170.202.131 with SMTP id t125csp15428yke;
        Sat, 12 Apr 2014 01:47:29 -0700 (PDT)
X-Received: by 10.180.104.161 with SMTP id gf1mr1790032wib.38.1397292449118;
        Sat, 12 Apr 2014 01:47:29 -0700 (PDT)
Return-Path: <[email protected]>
Received: from mailscan1.extendcp.co.uk (mailscan11.extendcp.co.uk. [79.170.45.20])
        by mx.google.com with ESMTPS id e3si2224533wix.110.2014.04.12.01.47.28
        for <[email protected]>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 12 Apr 2014 01:47:29 -0700 (PDT)
Received-SPF: neutral (google.com: 79.170.45.20 is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=79.170.45.20;
Authentication-Results: mx.google.com;
        spf=neutral (google.com: 79.170.45.20 is neither permitted nor denied by best guess record for domain of [email protected]) [email protected]
Received: from lb1.hi.local ([10.0.1.197] helo=mailscan2.extendcp.co.uk)
        by mailscan-fw192.hi.local with esmtp (Exim 4.80.1)
        (envelope-from <[email protected]>)
        id 1WYtay-00013h-Iu
        for [email protected]; Sat, 12 Apr 2014 09:47:28 +0100
Received: from lb1.hi.local ([10.0.1.197] helo=mail40.extendcp.co.uk)
        by mailscan2.extendcp.co.uk with esmtps (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256)
        (Exim 4.80.1)
        (envelope-from <[email protected]>)
        id 1WYtax-0003Zk-Sq
        for [email protected]; Sat, 12 Apr 2014 09:47:28 +0100
Received: from smtp1-pl.ffm.fhe3rz.net ([82.98.86.203] helo=smtp1-pl.pl.ffm.fhe3rz.net)
        by mail40.extendcp.com with esmtp (Exim 4.80.1)
        id 1WYtax-0001lW-PF
        for [email protected]; Sat, 12 Apr 2014 09:47:27 +0100
Received: from sedoreals82.pl.i.sedorz.net (sedoreals82.pl.i.sedorz.net [10.0.6.53])
        by smtp1-pl.pl.ffm.fhe3rz.net (Postfix) with ESMTP id 758D79B05
        for <[email protected]>; Sat, 12 Apr 2014 10:47:27 +0200 (CEST)
Received: by sedoreals82.pl.i.sedorz.net (Postfix, from userid 33)
        id 70648A00471; Sat, 12 Apr 2014 10:47:27 +0200 (CEST)
To: [email protected]
Subject: Confirm your Sedo Account
Date: Sat, 12 Apr 2014 10:47:27 +0200
From: Sedo <[email protected]>
Reply-to: [email protected]
Message-ID: <[email protected]>
X-Priority: 3
X-Mailer: PHPMailer [version 1.73]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="utf-8"
X-Spam-Score: 0.0
X-SpamFlt-Status: Not Detected
X-KASFlt-Status: Lua profiles 59621 [Apr 12 2014]
X-KASFlt-Status: Version: 5.0.1
X-KASFlt-Status: Rate: 0
X-KASFlt-Status: Status: not_detected
X-KASFlt-Status: Method: none
X-SpamFlt-Phishing: Not Detected
 
All the hostnames and IPs stack up with other legit Sedo e-mails. It appears legit header-wise, although given the link in the e-mail itself was actually sedo.co.uk it'd be a pretty useless phishing attempt...
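
The header check discussed in the posts above, as an added example that is not part of the original thread: it walks the `Received` chain oldest-first, reads the SPF verdict, and lists public relays that do not appear in earlier known-good mail. The sample headers, the `baseline` set and all function names are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample (reserved example domains, documentation IPs); newest hop first.
SAMPLE = """\
Received: from mx-in.recipient.example (mx-in.recipient.example [198.51.100.20])
\tby mx.mailbox.example with ESMTPS id abc123; Sat, 12 Apr 2014 01:47:29 -0700
Received-SPF: neutral (mailbox.example: 198.51.100.20 is neither permitted nor denied)
Received: from smtp1.sender.example ([192.0.2.10] helo=smtp1.sender.example)
\tby mx-in.recipient.example with esmtp; Sat, 12 Apr 2014 09:47:27 +0100
Received: from web82.int.sender.example (web82.int.sender.example [10.0.6.53])
\tby smtp1.sender.example (Postfix) with ESMTP; Sat, 12 Apr 2014 10:47:27 +0200
Received: by web82.int.sender.example (Postfix, from userid 33)
\tid 70648A00471; Sat, 12 Apr 2014 10:47:27 +0200
From: Sender <noreply@sender.example>
Subject: Confirm your account

body
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "from <host> (... [<ip>] ...) by <host>" as written by Exim, Postfix and similar MTAs.
HOP = re.compile(r"from\s+(\S+)\s+\([^)]*?\[([0-9A-Fa-f.:]+)\][^)]*\)\s+by\s+(\S+)")

def trace_hops(raw):
    """Return hops oldest-first as (from_host, ip, by_host, is_internal)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # newest header is on top
        m = HOP.search(value)
        if not m:  # e.g. local submission: "by host (Postfix, from userid N)"
            continue
        ip = ipaddress.ip_address(m.group(2))
        internal = any(ip in net for net in RFC1918)
        hops.append((m.group(1), str(ip), m.group(3), internal))
    return hops

def spf_result(raw):
    """First token of Received-SPF (pass, fail, softfail, neutral, ...) or None."""
    value = email.message_from_string(raw).get("Received-SPF", "")
    return value.split()[0].lower() if value.strip() else None

def unfamiliar_relays(hops, baseline):
    """Public (host, ip) relays not present in a baseline built from known-good mail."""
    return [(h, ip) for h, ip, _by, internal in hops
            if not internal and (h, ip) not in baseline]
```

Only the `Received` lines stamped by your own mail provider are trustworthy; everything below them is supplied by the sending side. A chain that matches the baseline shows which infrastructure relayed the message, not that the sender meant to send it.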
 
I received one too. Seems like it's from Sedo rather than a phishing attempt. No idea why they sent it though.
 
Just confirmed with Sedo this is a spoof email, please ignore if you have had one.
 
To me it looked genuine but possibly sent out by mistake. I notice the Sedo rep is viewing the thread so would be good to hear something official.


Stephen
 