I know this is probably off-topic but I would be very grateful if somebody could point me to the proper forums or something. I posted here since I don’t know of any other forums with people who can understand what is happening.
As far as I remember, no spam ever landed in my gmail inbox. Curiously, an email from a hotmail account that I set to forward to the gmail account managed that. I clicked show original and from what I could see, it came from the hotmail account. I went to hotmail (because the source email in gmail contains the forwardings and stuff which I think will not interest anybody) and here is the email. It also comes with an attached document (which I did not upload).
-----------------------------
From: John Kivlin (John.Kivlin@edinburgh.gov.uk)
You moved this message to its current location.
Sent: Fri 12/06/13 8:07 PM
To: win@winner.be
----------------------------
Confirmation Email Ref No: (BHRTS-12462264572311)
Reply Email: base.line@aol.com

Following official publication result of the end of year email sweepstakes program released on 4th December, 2013. Organized by the B-PLUS LOTTERY EMAIL SWEEPSTATKS. your electronic email address attached to a Ticket Number (R-54456102-6 )has won the prize Sum of 1,500,000.00 Only (1.5M Euro Only).

For further enquires and claims of your winning CONTACT: Mr. Jean Paul
CITY/ COUNTRY: Bruxelles Belgium.
TEL: +32487966076
Reply to Email: base.line@aol.com

It is important to note you that your award information was released today with the following particulars attached to it.

E-mail Ticket BHRTS-12462264572311
Reference NO:JKLU-65-71-63-22
Serial NO: 4413-82
Batch NO: 00/23888/DUHT
DRAW LUCKY No: 23-56-89-63-85-36*0
Your Full Name & Telephone Number

Please open the attached file and fill it very carefully
Please note that all winning must be claimed not later than 21 working days.

Sincerely,
Mrs. Deborah Friedmann.
CITY/ COUNTRY: Bruxelles-Belgium.

**********************************************************************
This email and files transmitted with it are confidential and are intended for the sole use of the individual or organisation to whom they are addressed. If you have received this eMail in error please notify the sender immediately and delete it without using, copying, storing, forwarding or disclosing its contents to any other person. The Council has endeavoured to scan this eMail message and attachments for computer viruses and will not be liable for any losses incurred by the recipient.
**********************************************************************

As far as I know, my email isn't [b]win@winner.be[/b]. I tried [b]View Message Source[/b]. Results follow:
x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensydyekesGC2M=
Authentication-Results: hotmail.com; spf=pass (sender IP is 193.39.157.26) smtp.mailfrom=John.Kivlin@edinburgh.gov.uk; dkim=none header.d=edinburgh.gov.uk; x-hmca=pass header.id=John.Kivlin@edinburgh.gov.uk
X-SID-PRA: John.Kivlin@edinburgh.gov.uk
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: 9OBUEiYur8qLpx2wXz5jkncbHT87PpDGt7ZXk52Pba4UaVhDBI0v+Cx9y76Wx9h1MjQ4LkEjdXKi6gL7Hb0hhbPsV0o7F5Xy7xv8m+nwUS/Asueg6DJcfq8nXzbPmoXsBj5A1o5xnvWyBJSgwUeFX/sl2vUbW0pF24GQfYlbBkeDtCBieQvhe7m6W9Q8B9SgC2xMUlB5w8iW+pqEY05ccibNdz4RXXfd
Received: from smtp3.edin.org ([193.39.157.26]) by SNT0-MC4-F23.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Fri, 6 Dec 2013 08:07:45 -0800
Received: from c-cap-sec-02.corpad.corp.edinburgh.gov.uk (unknown [192.168.17.96]) by smtp3.edin.org (Postfix) with ESMTP id E46228B4F; Fri, 6 Dec 2013 16:07:42 +0000 (GMT)
Received: from C-CAP-MAIL-01.corpad.corp.edinburgh.gov.uk (c-cap-exch-02.corpad.corp.edinburgh.gov.uk [192.168.227.194]) by c-cap-sec-02.corpad.corp.edinburgh.gov.uk (8.14.5/8.14.5) with ESMTP id rB6G6IgP027951; Fri, 6 Dec 2013 16:06:59 GMT
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01CEF29D.0072F92A"
Subject: Confirmation Email Ref No: (BHRTS-12462264572311)
Date: Fri, 6 Dec 2013 16:05:04 -0000
Message-ID: <7F080E1A65E0634D9E0ECDCD4D2E839901FAB3EF@C-CAP-MAIL-01.corpad.corp.edinburgh.gov.uk>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Confirmation Email Ref No: (BHRTS-12462264572311)
Thread-Index: Ac7ynO0DVkcjHeIoSRaR2sNktD1cng==
From: "John Kivlin"
To:
Return-Path: John.Kivlin@edinburgh.gov.uk
X-OriginalArrivalTime: 06 Dec 2013 16:07:45.0507 (UTC) FILETIME=[4CF27B30:01CEF29D]

This is a multi-part message in MIME format.
------_=_NextPart_001_01CEF29D.0072F92A
Content-Type: multipart/alternative;
boundary="----_=_NextPart_002_01CEF29D.0072F92A"

------_=_NextPart_002_01CEF29D.0072F92A
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Insert email here. See above quote. Exactly the same.
------_=_NextPart_002_01CEF29D.0072F92A
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Here I cut what looks like the email but in html instead.
------_=_NextPart_002_01CEF29D.0072F92A--

------_=_NextPart_001_01CEF29D.0072F92A
Content-Type: application/msword; name="P.B-PLUS DOC…doc"
Content-Transfer-Encoding: base64
Content-Description: P.B-PLUS DOC…doc
Content-Disposition: attachment; filename="P.B-PLUS DOC…doc"

Here comes a ton of gibberish, like a really long randomly generated password (probably 10 pages or more)…
------_=_NextPart_001_01CEF29D.0072F92A--

Email Source ends here. I had to cut out a portion of text which I would have included but could not due to the forum's 10 000 character limit. Originally my post would have been around 15 000 characters. (Now it's 8 500). I could upload the whole thing if somebody needs to see it.
I remembered somebody somewhere mentioned whois.com and a lookup gives:
edinburgh.gov.uk is available!
even if hitting [b]edinburgh.gov.uk[/b] does land me on a page titled "The City of Edinburgh Council", which looks pretty legitimate to me... I forgot why but in the middle of looking around, somehow I also looked up edin.org on whois.com
Domain ID:D1948201-LROR
Domain Name:EDIN.ORG
Created On:10-Sep-1998 04:00:00 UTC
Last Updated On:23-Jul-2012 13:59:45 UTC
Expiration Date:09-Sep-2015 04:00:00 UTC
Sponsoring Registrar:ASCIO Technologies, Inc. - Denmark (R76-LROR)
Status:OK
Registrant ID:24040204-NSI
Registrant Name:City of Edinburgh Council
Registrant Organization:City of Edinburgh Council
Registrant Street1:Wellington Court
Registrant Street2:
Registrant Street3:
Registrant City:Edinburgh
Registrant State/Province:Scotland
Registrant Postal Code:EH1 3EG
Registrant Country:GB
Registrant Phone:+1.9999999999
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:email@edinburgh.gov.uk
Admin ID:40802719-NSI
Admin Name:Jacqueline Allan
Admin Organization:The City of Edinburgh Council
Admin Street1:Waverley Court
Admin Street2:Level 2/2 4 East Market Street
Admin Street3:
Admin City:Edinburgh
Admin State/Province:
Admin Postal Code:EH8 8BG
Admin Country:GB
Admin Phone:+1.444131529
Admin Phone Ext.:
Admin FAX:+1.444131529
Admin FAX Ext.:
Admin Email:email@edinburgh.gov.uk
Tech ID:AT80747982973
Tech Name:Jacqueline Allan
Tech Organization:The City of Edinburgh Council
Tech Street1:Level 2.2, Waverley Court 4
Tech Street2:East Market Street
Tech Street3:
Tech City:Edinburgh
Tech State/Province:Edinburgh
Tech Postal Code:EH8 8BG
Tech Country:GB
Tech Phone:+44.1315294473
Tech Phone Ext.:
Tech FAX:+44.1315297479
Tech FAX Ext.:
Tech Email:email@edinburgh.gov.uk
Name Server:NS0.EDIN.ORG
Name Server:NS1.EDIN.ORG
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned

related domain names
edinburgh.gov.uk
Huh what?
Clicking the link (here edinburgh.gov.uk is a link) lands me the same page as above: “edinburgh.gov.uk is available!”
Now I am confused… First I get an email not addressed to me, which manages to bypass my gmail spam filters (That’s why it piqued my interest) and sent from a non-existent edinburgh.gov.uk according to whois.com. All the while, edinburgh.gov.uk lands me on a City of Edinburgh Council page which incidentally is registered under edin.org…
Anybody with any sort of idea how this can happen?
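
An added example, not part of the original post: a short Python script that reads the Authentication-Results and Received headers quoted above and separates what the receiving Hotmail server recorded (the SPF verdict and the IP it checked) from the relay hops reported further down the chain. The helper name `analyse` and the keys it returns are hypothetical; the header values are copied from the post.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Header lines copied from the post above (only the fields this example reads).
RAW = (
    "Authentication-Results: hotmail.com; spf=pass (sender IP is 193.39.157.26) "
    "smtp.mailfrom=John.Kivlin@edinburgh.gov.uk; dkim=none header.d=edinburgh.gov.uk; "
    "x-hmca=pass header.id=John.Kivlin@edinburgh.gov.uk\n"
    "Received: from smtp3.edin.org ([193.39.157.26]) by SNT0-MC4-F23.Snt0.hotmail.com "
    "with Microsoft SMTPSVC(6.0.3790.4900); Fri, 6 Dec 2013 08:07:45 -0800\n"
    "Received: from c-cap-sec-02.corpad.corp.edinburgh.gov.uk (unknown [192.168.17.96]) "
    "by smtp3.edin.org (Postfix) with ESMTP id E46228B4F; Fri, 6 Dec 2013 16:07:42 +0000 (GMT)\n"
    "Received: from C-CAP-MAIL-01.corpad.corp.edinburgh.gov.uk "
    "(c-cap-exch-02.corpad.corp.edinburgh.gov.uk [192.168.227.194]) "
    "by c-cap-sec-02.corpad.corp.edinburgh.gov.uk (8.14.5/8.14.5) with ESMTP id rB6G6IgP027951; "
    "Fri, 6 Dec 2013 16:06:59 GMT\n"
    "\n"
)

HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([\d.]+)\]\)\s+by\s+(\S+)")

def analyse(raw):
    """Hypothetical helper: summarise relay hops and authentication verdicts."""
    msg = message_from_string(raw)
    hops = []
    for line in msg.get_all("Received", []):   # newest hop first
        m = HOP.search(line)
        if m:
            helo, ip, by = m.groups()
            hops.append({"from": helo, "ip": ip, "by": by,
                         "private": ip_address(ip).is_private})
    ar = msg.get("Authentication-Results", "")
    auth = {}
    for part in ar.split(";")[1:]:             # part 0 is the server that did the checks
        m = re.match(r"\s*([\w-]+)=(\w+)", part)
        if m:
            auth[m.group(1)] = m.group(2)
    spf_ip = re.search(r"sender IP is ([\d.]+)", ar)
    spf_ip = spf_ip.group(1) if spf_ip else None
    return {"checked_by": ar.split(";")[0].strip(), "auth": auth, "spf_ip": spf_ip,
            "hops": hops,
            # True when SPF was evaluated against the hop the recipient's server saw
            "spf_ip_is_delivering_hop": bool(hops) and spf_ip == hops[0]["ip"]}

if __name__ == "__main__":
    for key, value in analyse(RAW).items():
        print(key, "=", value)
```

Only the Authentication-Results line and the topmost Received line were written by the recipient's provider; the lower Received lines are supplied by the sending side and carry private (RFC 1918) addresses here.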