
Thread: Forged email from SPAM site, fakes EAA.ORG

  1. #1
    bwilson4web's Avatar
    Join Date
    Oct 2011
    Location
    Huntsville, AL
    Posts
    120

    Forged email from SPAM site, fakes EAA.ORG

    Hi,

    So this afternoon I got an e-mail claiming:

    We think you may be missing some of your EAA membership benefits!

    We want to make sure that you are receiving our emails into your Gmail inbox, as these give you information updated on things in and around EAA, and in general aviation.

    It only takes a few seconds to find out!
    Follow these 3 easy steps to find out . . .

    Well it turns out the e-mail headers were forged from "icpbounce.com", a notorious SPAM house. One can go nuts trying to figure out how these jerks got or figured out I'm an EAA member. Regardless, the little pile showed up and is now flagged as SPAM to gmail.

    For those curious as to how to decipher the header, I've replaced the "<" with "*" to denature any rendering effects:

    Delivered-To: bwilson4web@gmail.com
    Received: by 10.14.129.3 with SMTP id g3csp135685eei;
    Tue, 16 Apr 2013 13:51:56 -0700 (PDT)
    X-Received: by 10.49.131.133 with SMTP id om5mr4836566qeb.7.1366145515826;
    Tue, 16 Apr 2013 13:51:55 -0700 (PDT)
    Return-Path: *bounces+1170417.48547813.184522@icpbounce.com>
    Received: from drone054.ral.icpbounce.com (drone054.ral.icpbounce.com. [66.162.193.235])
    by mx.google.com with ESMTP id hg9si3145238qab.14.2013.04.16.13.51.55;
    Tue, 16 Apr 2013 13:51:55 -0700 (PDT)
    Received-SPF: pass (google.com: domain of bounces+1170417.48547813.184522@icpbounce.com designates 66.162.193.235 as permitted sender) client-ip=66.162.193.235;
    Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of bounces+1170417.48547813.184522@icpbounce.com designates 66.162.193.235 as permitted sender) smtp.mail=bounces+1170417.48547813.184522@icpbounce.com;
    dkim=pass header.i=@icontact.com
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=icontact.com;
    h=Mime-Version:From:To:Date:Subject:List-Unsubscribe:Content-Type:Message-ID;
    bh=XWU/oOYb7gw6WXl0JP1qsTWYU94=;
    b=ffj7S6Z3eFSSCx+Kvbjtb2JhGrGo/yU5IZrHMh6kqxTH6HDnDpkcU5jnteu87Ga64lLbGp+zJz+t
    lI0va24z6Lcd3XQVsAs4GQh/LEXAgiLdqw4Ji8X675OA9u4twen6BrMB3xAwESyyV7PIqEdpTN4e
    1qSD4lrmBfa3Qc1cjhE=
    Mime-Version: 1.0
    From: "EAA" *membership@eaa.org>
    To: *bwilson4web@gmail.com>
    Date: Tue, 16 Apr 2013 16:50:53 -0400
    Subject: Gmail Notice - Please Check Your Settings Today
    . . .

    The key triggers:

    1. Email that tries to get you to do something with a browser or the email client! Legitimate e-mail does not carry a payload or request asking that you 'do something' like this.
    2. "icpbounce.com" - has nothing to do with the EAA domain.
    3. [66.162.193.235] - probably someone's computer that has become a 'robot' for the SPAMers
    4. "From: ..." - easily forged by the SPAMer to give credibility to the e-mail. But the e-mail headers do not match.


    It is always so disappointing to see such nonsense but I learned years ago that SPAMers are sociopaths. They really do not care what you think as long as they can deliver their nonsense.

    I'm not sure how to communicate with official EAA about this. When 'search' didn't find any other postings, I figured to share it with the community.

    GOOD LUCK!
    Bob Wilson
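
Added example, not part of the original post: a header check in the spirit of the walkthrough above, comparing the visible From: domain with the domains that SPF (Return-Path) and DKIM (d=) actually vouch for. The sample is constructed from the headers quoted in the post, and the alignment rule is a simplification of DMARC's relaxed mode; the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the post, trimmed, with the "<"
# the poster swapped for "*" put back so the addresses parse.
SAMPLE = """\
Return-Path: <bounces+1170417.48547813.184522@icpbounce.com>
Authentication-Results: mx.google.com;
 spf=pass smtp.mail=bounces+1170417.48547813.184522@icpbounce.com;
 dkim=pass header.i=@icontact.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=icontact.com;
 h=Mime-Version:From:To:Date:Subject:List-Unsubscribe:Content-Type:Message-ID
From: "EAA" <membership@eaa.org>
To: <bwilson4web@gmail.com>
Subject: Gmail Notice - Please Check Your Settings Today

(body omitted)
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Return-Path value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def aligned(auth_domain, from_domain):
    """Simplified relaxed alignment: same domain or a parent/child of it.
    Real DMARC compares organizational domains via the Public Suffix List."""
    a, b = auth_domain, from_domain
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def analyze(raw):
    msg = message_from_string(raw)
    unfold = lambda name: " ".join(msg.get(name, "").split())  # join folded lines
    auth = unfold("Authentication-Results")
    verdict = lambda mech: (re.search(rf"\b{mech}=(\w+)", auth) or [None, "none"])[1]
    # DKIM-Signature is a ";"-separated tag=value list; d= is the signing domain.
    tags = dict(t.strip().split("=", 1) for t in unfold("DKIM-Signature").split(";") if "=" in t)
    r = {"from_domain": domain_of(msg.get("From", "")),
         "envelope_domain": domain_of(msg.get("Return-Path", "")),
         "dkim_domain": tags.get("d", "").lower(),
         "spf": verdict("spf"), "dkim": verdict("dkim")}
    # A "pass" only vouches for the domain that was checked, not for From:.
    r["spf_aligned"] = r["spf"] == "pass" and aligned(r["envelope_domain"], r["from_domain"])
    r["dkim_aligned"] = r["dkim"] == "pass" and aligned(r["dkim_domain"], r["from_domain"])
    return r

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key:16} {value}")
```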

  2. #2
    EAA Staff / Moderator Hal Bryan's Avatar
    Join Date
    Jul 2011
    Location
    Oshkosh, Wisconsin, United States
    Posts
    1,296
    Disregard my previous post - this is NOT spam, but a legitimate message from EAA via our email provider.

    I'll be back in the office tomorrow after several days off and will post clarification then. In the meantime - false alarm.

    Hal Bryan
    EAA Lifetime 638979
    Vintage 714005 | Warbirds 553527
    Managing Editor
    EAA—The Spirit of Aviation

  3. #3
    Mike Switzer's Avatar
    Join Date
    Jul 2011
    Location
    Central Illinois
    Posts
    979
    Hal, I recognize the format of the above posted email, please don't be telling us you guys are using the same "spam" email marketing people as AOPA & NRA. (Which could explain why I never saw anything like the above email as I blocked them a long time ago) (Yea, AOPA & NRA were using the same email marketing provider, no I don't remember their name, I had my guy block them)

  4. #4
    bwilson4web's Avatar
    Join Date
    Oct 2011
    Location
    Huntsville, AL
    Posts
    120
    Well at least we know. I've already blocked it . . . too many 'warning signs'. The worst was seeing a non-EAA domain sourcing the message.

    I understand outsourcing but would suggest this could be done with a little more skill. There are way too many SPAMhaus out there.

    Bob Wilson

  5. #5

    Join Date
    Nov 2011
    Location
    Minnetonka MN
    Posts
    142
    Is there a way to get even with spammers? I know of the trick of holding the cursor over the reply to address to see where it actually goes, at least for a PC and Thunderbird.

  6. #6
    EAA Staff / Moderator Hal Bryan's Avatar
    Join Date
    Jul 2011
    Location
    Oshkosh, Wisconsin, United States
    Posts
    1,296
    Mike, I don't know off the top of my head what vendor the NRA and AOPA use or used, but can reconfirm that this email was legitimate. This was something we'd sent to a number of members with Gmail accounts because we were getting reports that an unusually high percentage of our newsletter subscribers that use Gmail weren't getting them because they'd been marked as spam for one reason or another.

    If anyone is curious, here's the original email:

    http://www.eaa.org/newsletters/1301_gmail.html

    In addition, I want to be clear that we didn't hire a "spam marketing company" to communicate with our members. We use this particular vendor for all of our large scale emails, including e-Hotline, which goes to something like 110,000 subscribers each week. In addition, every email is composed, designed, created, etc., in-house by EAA staff. You're not getting things with our name on it just because some marketer at some outside company thought it was a good idea.

    We use a vendor for a number of reasons - I'm not the expert (clearly!) but I know that two of them are A) because we don't have the server capacity to send things like e-Hotline ourselves and B) using a service like iContact lets us see some basic analytics data, like what percentage of e-Hotline subscribers, for instance, actually open the mail. That's extremely important for us as it's one of the only ways we can tell if we're doing a good job or not, beyond the handful of people who write or call with feedback. If we were to publish a newsletter and a bunch of people subscribed to it but only a small percentage actually opened it, clearly we're doing something wrong.

    Apologies again for the initial confusion caused by my "on the go" response last night.

    Hal Bryan
    EAA Lifetime 638979
    Vintage 714005 | Warbirds 553527
    Managing Editor
    EAA—The Spirit of Aviation

  7. #7
    CarlOrton's Avatar
    Join Date
    Jul 2011
    Location
    DFW Area
    Posts
    729
    Ok. Just curious, Hal. What percentage of the 110,000 eHotline recipients DO open it? I'd like to think it would be a high number.

    Carl Orton
    Sonex #1170 / Zenith 750 Cruzer
    http://mykitlog.com/corton

  8. #8
    Mike Switzer's Avatar
    Join Date
    Jul 2011
    Location
    Central Illinois
    Posts
    979
    OK, Hal, I misunderstood. This sentence "We think you may be missing some of your EAA membership benefits!" is exactly how the spam emails start out that I was getting from other organizations trying to trick you into buying third party items from insurance companies, lifelock, etc.

  9. #9
    EAA Staff / Moderator Hal Bryan's Avatar
    Join Date
    Jul 2011
    Location
    Oshkosh, Wisconsin, United States
    Posts
    1,296
    Quote: Originally posted by CarlOrton
    Ok. Just curious, Hal. What percentage of the 110,000 eHotline recipients DO open it? I'd like to think it would be a high number.
    Carl, my colleague Sara is the one who tracks those numbers and she's out of the office today, so I'll have to get back to you. I want to say that the average was somewhere north of 60%, but that's a vague memory. I do know that it's well, well above the industry average - in other words, it's always a number we're very happy with.

    Quote: Originally posted by Mike Switzer
    OK, Hal, I misunderstood. This sentence "We think you may be missing some of your EAA membership benefits!" is exactly how the spam emails start out that I was getting from other organizations trying to trick you into buying third party items from insurance companies, lifelock, etc.
    Mike, I see your point - this is great feedback! If we need to send out an email like this again, we'll revisit that language and see what we come up with.

    Hal Bryan
    EAA Lifetime 638979
    Vintage 714005 | Warbirds 553527
    Managing Editor
    EAA—The Spirit of Aviation
