Curious spam email. Can't understand

I know this is probably off-topic but I would be very grateful if somebody could point me to the proper forums or something. I posted here since I don’t know of any other forums with people who can understand what is happening.

As far as I remember, no spam ever landed in my gmail inbox. Curiously, an email from a hotmail account that I set to forward to the gmail account managed that. I clicked show original and from what I could see, it came from the hotmail account. I went hotmail (because the source email in gmail contains the forwardings and stuff which I think will not interest anybody) and here is the email. It also comes with an attached document (which I did not upload).

-----------------------------
From: John Kivlin (John.Kivlin@edinburgh.gov.uk)
Sent: Fri 12/06/13 8:07 PM
To: win@winner.be
----------------------------
Confirmation Email Ref No: (BHRTS-12462264572311)
Reply Email: base.line@aol.com

Following official publication result of the end of year email sweepstakes program released on 4th December, 2013. Organized by the B-PLUS LOTTERY EMAIL SWEEPSTATKS. your electronic email address attached to a Ticket Number (R-54456102-6 )has won the prize Sum of 1,500,000.00 Only (1.5M Euro Only).

For further enquires and claims of your winning CONTACT:
Mr. Jean Paul
CITY/ COUNTRY: Bruxelles Belgium.
TEL: +32487966076
Reply to Email: base.line@aol.com

It is important to note you that your award information was released today with the following particulars attached to it.
E-mail Ticket BHRTS-12462264572311
Reference NO:JKLU-65-71-63-22
Serial NO: 4413-82
Batch NO: 00/23888/DUHT
DRAW LUCKY No: 23-56-89-63-85-36*0
Your Full Name & Telephone Number
Please open the attached file and fill it very carefully
Please note that all winning must be claimed not later than 21 working days.

Sincerely,
Mrs. Deborah Friedmann.
CITY/ COUNTRY: Bruxelles-Belgium.
**********************************************************************
This email and files transmitted with it are confidential and are intended for the sole use of the individual or organisation to whom they are addressed. If you have received this eMail in error please notify the sender immediately and delete it without using, copying, storing, forwarding or disclosing its contents to any other person. The Council has endeavoured to scan this eMail message and attachments for computer viruses and will not be liable for any losses incurred by the recipient.
**********************************************************************
As far as I know, my email isn't win@winner.be. I tried View Message Source. Results follow:

x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uensydyekesGC2M=
Authentication-Results: hotmail.com; spf=pass (sender IP is 193.39.157.26) smtp.mailfrom=John.Kivlin@edinburgh.gov.uk; dkim=none header.d=edinburgh.gov.uk; x-hmca=pass header.id=John.Kivlin@edinburgh.gov.uk
X-SID-PRA: John.Kivlin@edinburgh.gov.uk
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: 9OBUEiYur8qLpx2wXz5jkncbHT87PpDGt7ZXk52Pba4UaVhDBI0v+Cx9y76Wx9h1MjQ4LkEjdXKi6gL7Hb0hhbPsV0o7F5Xy7xv8m+nwUS/Asueg6DJcfq8nXzbPmoXsBj5A1o5xnvWyBJSgwUeFX/sl2vUbW0pF24GQfYlbBkeDtCBieQvhe7m6W9Q8B9SgC2xMUlB5w8iW+pqEY05ccibNdz4RXXfd
Received: from smtp3.edin.org ([193.39.157.26]) by SNT0-MC4-F23.Snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900); Fri, 6 Dec 2013 08:07:45 -0800
Received: from c-cap-sec-02.corpad.corp.edinburgh.gov.uk (unknown [192.168.17.96]) by smtp3.edin.org (Postfix) with ESMTP id E46228B4F; Fri, 6 Dec 2013 16:07:42 +0000 (GMT)
Received: from C-CAP-MAIL-01.corpad.corp.edinburgh.gov.uk (c-cap-exch-02.corpad.corp.edinburgh.gov.uk [192.168.227.194]) by c-cap-sec-02.corpad.corp.edinburgh.gov.uk (8.14.5/8.14.5) with ESMTP id rB6G6IgP027951; Fri, 6 Dec 2013 16:06:59 GMT
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01CEF29D.0072F92A"
Subject: Confirmation Email Ref No: (BHRTS-12462264572311)
Date: Fri, 6 Dec 2013 16:05:04 -0000
Message-ID: <7F080E1A65E0634D9E0ECDCD4D2E839901FAB3EF@C-CAP-MAIL-01.corpad.corp.edinburgh.gov.uk>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Confirmation Email Ref No: (BHRTS-12462264572311)
Thread-Index: Ac7ynO0DVkcjHeIoSRaR2sNktD1cng==
From: "John Kivlin"
To:
Return-Path: John.Kivlin@edinburgh.gov.uk
X-OriginalArrivalTime: 06 Dec 2013 16:07:45.0507 (UTC) FILETIME=[4CF27B30:01CEF29D]

This is a multi-part message in MIME format.

------_=_NextPart_001_01CEF29D.0072F92A
Content-Type: multipart/alternative;
boundary="----_=_NextPart_002_01CEF29D.0072F92A"

------_=_NextPart_002_01CEF29D.0072F92A
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


Insert email here. See above quote. Exactly the same.

------_=_NextPart_002_01CEF29D.0072F92A
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Here I cut what looks like the email but in html instead.
------_=_NextPart_002_01CEF29D.0072F92A--

------_=_NextPart_001_01CEF29D.0072F92A
Content-Type: application/msword; name="P.B-PLUS DOC…doc"
Content-Transfer-Encoding: base64
Content-Description: P.B-PLUS DOC…doc
Content-Disposition: attachment; filename="P.B-PLUS DOC…doc"


Here comes a ton of gibberish, like a really long randomly generated password (probably 10 pages or more)…

------_=_NextPart_001_01CEF29D.0072F92A--
Email source ends here. I had to cut out a portion of text which I would have included but could not due to the forum's 10 000 character limit. Originally my post would have been around 15 000 characters (now it's 8 500). I could upload the whole thing if somebody needs to see it.

I remembered somebody somewhere mentioned whois.com and a lookup gives:

edinburgh.gov.uk is available!
even if hitting edinburgh.gov.uk does land me on a page titled "The City of Edinburgh Council", which looks pretty legitimate to me... I forgot why, but in the middle of looking around I somehow also looked up edin.org on whois.com:

Domain ID:D1948201-LROR
Domain Name:EDIN.ORG
Created On:10-Sep-1998 04:00:00 UTC
Last Updated On:23-Jul-2012 13:59:45 UTC
Expiration Date:09-Sep-2015 04:00:00 UTC
Sponsoring Registrar:ASCIO Technologies, Inc. - Denmark (R76-LROR)
Status:OK
Registrant ID:24040204-NSI
Registrant Name:City of Edinburgh Council
Registrant Organization:City of Edinburgh Council
Registrant Street1:Wellington Court
Registrant Street2:
Registrant Street3:
Registrant City:Edinburgh
Registrant State/Province:Scotland
Registrant Postal Code:EH1 3EG
Registrant Country:GB
Registrant Phone:+1.9999999999
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:email@edinburgh.gov.uk
Admin ID:40802719-NSI
Admin Name:Jacqueline Allan
Admin Organization:The City of Edinburgh Council
Admin Street1:Waverley Court
Admin Street2:Level 2/2 4 East Market Street
Admin Street3:
Admin City:Edinburgh
Admin State/Province:
Admin Postal Code:EH8 8BG
Admin Country:GB
Admin Phone:+1.444131529
Admin Phone Ext.:
Admin FAX:+1.444131529
Admin FAX Ext.:
Admin Email:email@edinburgh.gov.uk
Tech ID:AT80747982973
Tech Name:Jacqueline Allan
Tech Organization:The City of Edinburgh Council
Tech Street1:Level 2.2, Waverley Court 4
Tech Street2:East Market Street
Tech Street3:
Tech City:Edinburgh
Tech State/Province:Edinburgh
Tech Postal Code:EH8 8BG
Tech Country:GB
Tech Phone:+44.1315294473
Tech Phone Ext.:
Tech FAX:+44.1315297479
Tech FAX Ext.:
Tech Email:email@edinburgh.gov.uk
Name Server:NS0.EDIN.ORG
Name Server:NS1.EDIN.ORG
Name Server:
Name Server:
Name Server:
DNSSEC:Unsigned

related domain names
edinburgh.gov.uk

Huh what?
Clicking the link (here edinburgh.gov.uk is a link) lands me on the same page as above: "edinburgh.gov.uk is available!"

Now I am confused... First I get an email not addressed to me, which manages to bypass my gmail spam filters (that's why it piqued my interest) and is sent from a non-existent edinburgh.gov.uk according to whois.com. All the while, edinburgh.gov.uk lands me on a City of Edinburgh Council page which incidentally is registered under edin.org.

Anybody with any sort of idea how this can happen?
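As an added example that is not part of the original thread, the following Python reads the Authentication-Results and Received headers quoted above (re-folded into lines, with the hop timestamps trimmed) and reports the SPF/DKIM verdicts, the relay chain and whether each hop sat on a private address. The parsing code and function names are mine; the header values are the ones from the post.

```python
import email
import ipaddress
import re

# Header block pasted in the post above, re-folded into lines and trimmed.
RAW_HEADERS = """\
Authentication-Results: hotmail.com; spf=pass (sender IP is 193.39.157.26)
 smtp.mailfrom=John.Kivlin@edinburgh.gov.uk; dkim=none header.d=edinburgh.gov.uk
Received: from smtp3.edin.org ([193.39.157.26]) by SNT0-MC4-F23.Snt0.hotmail.com
 with Microsoft SMTPSVC(6.0.3790.4900); Fri, 6 Dec 2013 08:07:45 -0800
Received: from c-cap-sec-02.corpad.corp.edinburgh.gov.uk (unknown [192.168.17.96])
 by smtp3.edin.org (Postfix) with ESMTP id E46228B4F; Fri, 6 Dec 2013 16:07:42 +0000 (GMT)
Received: from C-CAP-MAIL-01.corpad.corp.edinburgh.gov.uk
 (c-cap-exch-02.corpad.corp.edinburgh.gov.uk [192.168.227.194])
 by c-cap-sec-02.corpad.corp.edinburgh.gov.uk (8.14.5/8.14.5); Fri, 6 Dec 2013 16:06:59 GMT
"""

def parse_auth_results(value):
    """Extract method=result pairs and the receiver-reported sender IP."""
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    ip = re.search(r"sender IP is (\d{1,3}(?:\.\d{1,3}){3})", value)
    results["sender_ip"] = ip.group(1) if ip else None
    return results

def parse_received(value):
    """Split one Received header into sending host, its IP and the receiving host."""
    sender = re.search(r"from\s+(\S+)", value)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    receiver = re.search(r"\bby\s+(\S+)", value)
    addr = ip.group(1) if ip else None
    return {"from": sender.group(1) if sender else None, "ip": addr,
            "by": receiver.group(1) if receiver else None,
            # RFC 1918 addresses mean the hop happened inside a private network.
            "private": ipaddress.ip_address(addr).is_private if addr else None}

def triage(raw):
    """Return the authentication verdicts and the relay chain, newest hop first."""
    msg = email.message_from_string(raw)
    auth = parse_auth_results(msg["Authentication-Results"])
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return {
        "auth": auth, "hops": hops,
        # SPF is checked against the host that handed the message to the
        # receiving provider, i.e. the outermost (first) Received line.
        "entry_ip_matches_spf": bool(hops) and hops[0]["ip"] == auth["sender_ip"],
        # Only private addresses behind that entry point: the message was relayed
        # by the sending domain's own mail infrastructure, not injected from outside.
        "internal_hops_only": all(h["private"] for h in hops[1:]),
    }
```

Run against the quoted headers, the chain shows a public council relay handing the message to hotmail with SPF passing, preceded by two hops on private addresses, which is the detail the whois lookups in the post cannot show.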

To start with, NEVER click a link (or open an attachment) in an unsolicited/suspect email; this is a common route to infection. This route of entry is particularly true of the CryptoLocker malware currently doing the rounds.

Now I am confused... First I get an email not addressed to me, which manages to bypass my gmail spam filters (That's why it piqued my interest) and sent from a non-existent edinburgh.gov.uk according to whois.com. All the while, edinburgh.gov.uk lands me on a City of Edinburgh Council page which incidentally is registered under edin.org...
Piqued your interest - curiosity killed the cat.

Suspect/unsolicited emails should be deleted (and the trash folder cleared); don't waste time investigating, and certainly don't open links, etc.

The To address doesn't have to be yours, as there will be a lot of BCC: (Blind Carbon Copy) email addresses that you can't see, and your email will be among them.

The From email address can easily be faked, so it is unlikely to come from that address; it is just another hook to pull you in, a quasi-official-looking address.

The viruses and worms forum is generally the correct place for suspect infections, etc.

You may have dodged a bullet (unless you are experiencing malware symptoms on your system), but your actions put you at risk. Any suspect unsolicited email should be deleted, especially "get rich for free" or "you've won a lottery you never entered" ones, etc. You have to be much more suspicious.

Thanks for the quick reply. Just one last question. Can malware still attack my computer if I read my emails within a browser and don't click any included links? I mean, gmail is supposed not to load attachments by default from unknown senders.

Some could; it depends on the content of the email. iframes could be in emails; they are usually used to load dynamic content (text, images, etc.) into the frame. That can connect to a site and actually run a script, and what the script might be is up to whoever sends the email.

So it is possible to end up with a drive-by download in the same way as you can when visiting a web page.

However, if avast sees an iFrame in an email it considers it suspicious, so you may well get an alert on it, or if it is trying to connect to a malicious site. But neither that nor Gmail's checking can be 100% guaranteed, which is why it isn't advised to do anything with spam/unexpected/suspicious email other than delete it.

EDIT: reread your post, I thought you were talking of opening the email in an email program, not the browser. But all that I mentioned can still occur in an email viewed through a browser, the only real difference being that the Web Shield would be scanning it rather than the Mail Shield.

I admit I was surprised when you said

You may have dodged a bullet (unless you are experiencing malware symptoms on your system), but your actions put you at risk. Any suspect unsolicited email should be deleted, especially "get rich for free" or "you've won a lottery you never entered" ones, etc. You have to be much more suspicious.
I suppose not explicitly saying I use webmail was rather misleading. I apologize.

Is there any difference between the Web Shield and the Mail Shield that makes reading email through an email program safer (or less safe)?

A quick search showed some cases where the avast Mail Shield cannot scan emails (MS Outlook mainly, from what I gathered). Would it be better to simply use webmail and not worry about specific problems which can vary from program to program?

Dodging the bullet relates to opening spam/unknown/suspicious email and then clicking on links within it as that is currently the infection method of CryptoLocker.

The Web Shield should, I believe, provide greater protection (but you shouldn't rely on this) than the Mail Shield. The Web Shield has now incorporated the old Network & Script Shields (three shields now combined into one). Viewing the email in your browser also means that you can have browser-based security add-ons (Firefox and NoScript, etc.).

MS Outlook is somewhat different as it uses a plugin, which essentially means that avast is working within it, whereas the Mail Shield sits outside of your email client and tries to redirect email through a proxy so that it can be scanned. So there are lots of differences in how MS Outlook and other clients such as Thunderbird are handled.

I would continue to use webmail, but curbing your curiosity is always advised: simply delete unsolicited/unknown/suspicious emails.

I use MailWasher Pro anti-spam (not free) and all email is monitored against its heuristic anti-spam filters and my own rules; many of my rules catch not just spam but suspect emails. It only downloads a small part of the email, which is viewed in text mode, and determines if it is spam, etc. I can flag emails for deletion that manage to get past those filters (and edit the filters as required). I can then delete suspect/spam emails from the email server; I don't download them for viewing on my system.

I see. I'll try to be more careful. Thank you for your time. Good day to you sir.

You’re welcome.