Reply To: Beware This Scam Attempt!

#748610
Nigel Graham 2
Participant
    @nigelgraham2

    Odder and odder.

    Diogenes – No, I am still on the proper service!

    ……..

    Are there any programmers or similar here, please? I cannot read server-control codes but there seems a peculiar likeness in what I have received, visible only by using the analysis tool on the normal tool-bar but really intended for IT professionals.

     

    I closed this site then out of curiosity ran ‘View Source’ on the reply from Amazon, which they managed to send twice.

    I also thought the message English slightly odd, but the firm might be using an overseas call-centre. Anyway, this is the routing. Notice the word “amazonses”?

    So from Amazon... supposedly:

    Return-Path: <202408231138107c70a43d5a7348e78cc326feae90p0eu-C1NYSK3ECZRIDF@bounces.amazon.co.uk>
    Received: from btprdrgi023.btinternet.com ([10.248.67.160])
    by btprdfep059.mx.internal with ESMTP
    id <20240823113810.FFOU10764.btprdfep059.mx.internal@btprdrgi023.btinternet.com>
    for <****@****>; Fri, 23 Aug 2024 12:38:10 +0100
    Authentication-Results: btinternet.com;
    dmarc=pass header.from=amazon.co.uk;
    dkim=pass;
    dkim=pass;
    spf=none smtp.helo=a1-126.smtp-out.eu-west-1.amazonses.com;
    spf=pass smtp.mailfrom=bounces.amazon.co.uk;
    arc=none smtp.client-ip=54.240.1.126;
    bimi=skipped
    X-OWM-SPF-MAILFROM: Pass
    X-OWM-SPF: 0
    Received-SPF: none (btprdrgi023.btinternet.com: domain
    a1-126.smtp-out.eu-west-1.amazonses.com does not designate permitted sender
    hosts) identity=helo; receiver=btprdrgi023.btinternet.com;

    After that it is even more computerese.

    This is the equivalent for the fake BT message (it is still in my Deleted folder).

    Return-Path: <010201917955a23a-03c259c6-0513-4690-bdbc-7bf9531cee93-000000@eu-west-1.amazonses.com>
    Received: from btprdrgi039.btinternet.com ([10.248.67.31])
    by btprdfep009.mx.internal with ESMTP
    id <20240822090541.RATC1724510.btprdfep009.mx.internal@btprdrgi039.btinternet.com>
    for <****@****>; Thu, 22 Aug 2024 10:05:41 +0100
    Authentication-Results: btinternet.com;
    dmarc=pass header.from=message.bt.com;
    dkim=pass;
    dkim=pass;
    spf=none smtp.helo=e239-18.smtp-out.eu-west-1.amazonses.com;
    spf=pass smtp.mailfrom=eu-west-1.amazonses.com;
    arc=none smtp.client-ip=23.251.239.18;
    bimi=skipped
    X-OWM-SPF-MAILFROM: Pass
    X-OWM-SPF: 0
    Received-SPF: none (btprdrgi039.btinternet.com: domain
    e239-18.smtp-out.eu-west-1.amazonses.com does not designate permitted sender
    hosts) identity=helo; receiver=btprdrgi039.btinternet.com;
    client-ip=23.251.239.18; helo=e239-18.smtp-out.eu-west-1.amazonses.com;
    Received-SPF: pass (btprdrgi039.btinternet.com: domain eu-west-1.amazonses.com

    ……

    Hoax BT:

    spf=none smtp.helo=a1-126.smtp-out.eu-west-1.amazonses.com;
    spf=pass smtp.mailfrom=bounces.amazon.co.uk;

    HOAX??? Amazon:

    spf=none smtp.helo=e239-18.smtp-out.eu-west-1.amazonses.com;
    spf=pass smtp.mailfrom=eu-west-1.amazonses.com;

     

    I am going to report the “Amazon” message as a phishing attempt…… Luckily its message simply asked me for the e-address used by Amazon for the account it thinks I have, so its senders have learnt nothing new.
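
Added example (not part of the post above, and not code from BT, Amazon or the forum): a Python parser for the two Authentication-Results headers quoted in the post. It reports which organisation's hosts appear in each HELO name and whether the receiver's DMARC pass can rest on SPF alignment or must rest on DKIM. The `TWO_LABEL_SUFFIXES` set stands in for the Public Suffix List and is an assumption of this example, as are the function names.

```python
import re

# Authentication-Results clauses copied from the two messages quoted in the post.
AMAZON_MSG = ("btinternet.com; dmarc=pass header.from=amazon.co.uk; dkim=pass; dkim=pass; "
              "spf=none smtp.helo=a1-126.smtp-out.eu-west-1.amazonses.com; "
              "spf=pass smtp.mailfrom=bounces.amazon.co.uk; arc=none smtp.client-ip=54.240.1.126")
BT_MSG = ("btinternet.com; dmarc=pass header.from=message.bt.com; dkim=pass; dkim=pass; "
          "spf=none smtp.helo=e239-18.smtp-out.eu-west-1.amazonses.com; "
          "spf=pass smtp.mailfrom=eu-west-1.amazonses.com; arc=none smtp.client-ip=23.251.239.18")

# Assumption: a real implementation finds the organizational domain with the
# Public Suffix List; this one-entry set covers only the domains seen here.
TWO_LABEL_SUFFIXES = {"co.uk"}

def org_domain(domain):
    """Reduce a host name to its organizational domain (relaxed alignment)."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def parse_results(value):
    """Return [(method, result, {property: value}), ...] for one header value."""
    parsed = []
    for clause in value.split(";"):
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause, re.S)
        if m:  # the leading authserv-id ("btinternet.com") has no "=" and is skipped
            props = dict(re.findall(r"([\w.-]+)=(\S+)", m.group(3)))
            parsed.append((m.group(1).lower(), m.group(2).lower(), props))
    return parsed

def summarize(value):
    """Report the From domain, the HELO's owner, and what the DMARC pass rests on."""
    res = parse_results(value)
    dmarc, from_dom = next((r, p["header.from"]) for m, r, p in res if m == "dmarc")
    helo = next(p["smtp.helo"] for m, r, p in res if "smtp.helo" in p)
    mailfrom = next((p["smtp.mailfrom"] for m, r, p in res
                     if m == "spf" and r == "pass" and "smtp.mailfrom" in p), None)
    spf_aligned = bool(mailfrom) and org_domain(mailfrom) == org_domain(from_dom)
    dkim_pass = any(m == "dkim" and r == "pass" for m, r, p in res)
    # DMARC needs SPF or DKIM to pass for a From-aligned domain; no SPF alignment => DKIM.
    if dmarc != "pass":
        basis = "none"
    elif spf_aligned:
        basis = "spf"
    else:
        basis = "dkim" if dkim_pass else "unexplained"
    return {"from": from_dom, "helo_org": org_domain(helo),
            "spf_aligned": spf_aligned, "dmarc_basis": basis}

print(summarize(AMAZON_MSG), summarize(BT_MSG), sep="\n")
```

Both HELO names reduce to `amazonses.com`, the Amazon SES sending service, so that name appears on mail from any sender using the service and does not separate the two messages. The excerpt does not show the `d=` domain of the passing DKIM signatures, which is the value to check next in the full headers.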

     
