2014.07.25: Phishing Attempt, "Re-Validate Your School Mail Box"

Over the weekend IT received numerous reports of a phishing attempt that landed in a large number of CalArts inboxes:


This message produced more "this doesn't look right" forwards to us than any other attempt that I'm aware of. From a security perspective, our community's reasonable skepticism is very encouraging to see, especially when it involves attempts like this.

As a matter of standard practice, CalArts IT will never ask for your password via email, and we encourage you to forward any suspicious-looking email (even from known senders or contacts) to us so we can either verify it as good or take appropriate actions to prevent security breaches.

Raw Email Data:

Delivered-To: *****@calarts.edu
Received: by with SMTP id ck12csp91403veb;
Fri, 25 Jul 2014 21:31:14 -0700 (PDT)
X-Received: by with SMTP id hf10mr23371323pbc.30.1406349074306;
Fri, 25 Jul 2014 21:31:14 -0700 (PDT)
Return-Path: <yz446@njit.edu>
Received: from psmtp.com (na3sys009amx187.postini.com [])
by mx.google.com with SMTP id fw12si5556157pdb.511.2014.
for <*****@calarts.edu>
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Fri, 25 Jul 2014 21:31:14 -0700 (PDT)
Received-SPF: neutral (google.com: is neither permitted nor denied by domain of yz446@njit.edu) client-ip=;
Authentication-Results: mx.google.com;
spf=neutral (google.com: is neither permitted nor denied by domain of yz446@njit.edu) smtp.mail=yz446@njit.edu
Received: from mail-we0-f194.google.com ([]) (using TLSv1) by na3sys009amx187.postini.com ([]) with SMTP;
Sat, 26 Jul 2014 04:31:13 GMT
Received: by mail-we0-f194.google.com with SMTP id u56so1732721wes.1
for <*****@calarts.edu>; Fri, 25 Jul 2014 21:31:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
X-Gm-Message-State: ALoCoQne2vycWvZox1oS4GYRg3PhYZcogTueY3feIjpzvjJtqRc9KPecANn2o7rByHrOGYOyiNTh
MIME-Version: 1.0
X-Received: by with SMTP id dr1mr10810047wib.19.1406349062529;
Fri, 25 Jul 2014 21:31:02 -0700 (PDT)
Sender: yz446@njit.edu
Received: by with HTTP; Fri, 25 Jul 2014 21:31:02 -0700 (PDT)
Date: Fri, 25 Jul 2014 20:31:02 -0800
X-Google-Sender-Auth: FCw_rzqgQDrc-Ls3cg4ufgHOEp8
Message-ID: <CAKpHbYC8q03HhhRmUEodVvE1LbVwGStu2JV-Fz1jK2r9YTLJ-Q@mail.gmail.com>
Subject: Re-Validate Your School Mail Box
From: "WEBMASTER I.T DESKTOP" <webmaster.master@outlook.com>
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=f46d041825944d71dd04ff112888
Bcc: *****@calarts.edu
X-pstn-dkim: 0 skipped:not-enabled

Content-Type: text/plain; charset=UTF-8

Re-Validate- *< Click Here>>*

*NOTE:* That Failure to comply may result in the loss of your account
within the next 24 hours.

Signed By Webmaster.
*Maintained by the Technology Department. Copyright 2014.*

Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">I.T HELP-DESK<br><div style=3D"font:13px arial,sans-serif;=
e-Validate-=C2=A0<span>=C2=A0</span><b style=3D"color:rgb(0,0,255)"><u><a s=
tyle=3D"color:rgb(17,85,204)" target=3D"_blank" rel=3D"nofollow">&lt; Click=

<div style=3D"font:13px arial,sans-serif;color:rgb(34,34,34);text-transform=
rmal">=C2=A0=C2=A0<span> </span><br><u><span style=3D"color:rgb(255,0,0);fo=
nt-weight:bold">NOTE:</span></u><span>=C2=A0</span>That Failure to comply m=
ay result in the loss of your account within the next 24 hours.<br>

<br>Signed By Webmaster.<br><b>Maintained by the Technology Department. Cop=
yright 2014.</b></div></div>
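The header-level signs visible in the raw message above can be checked mechanically. The following is an added example, not CalArts IT's own tooling: it parses a subset of the headers copied from this page and lists the mismatches. The function names and the `org_domain` parameter are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Header subset copied from the raw message above (recipient redacted as on the page).
RAW_HEADERS = """\
Return-Path: <yz446@njit.edu>
Received-SPF: neutral (google.com: is neither permitted nor denied by domain of yz446@njit.edu) client-ip=;
Sender: yz446@njit.edu
Subject: Re-Validate Your School Mail Box
From: "WEBMASTER I.T DESKTOP" <webmaster.master@outlook.com>
To: undisclosed-recipients:;
Bcc: *****@calarts.edu

"""

def domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def header_indicators(raw, org_domain="calarts.edu"):
    """List header-level signs that a mail posing as internal IT is not.

    org_domain is an assumed parameter: the domain genuine IT mail would use.
    """
    msg = message_from_string(raw)
    found = []
    from_dom = domain(msg["From"])
    if from_dom != org_domain:
        found.append(f"From domain {from_dom!r} is not {org_domain!r}")
    # The envelope sender and Sender header should agree with the visible From.
    for name in ("Return-Path", "Sender"):
        dom = domain(msg[name])
        if dom and dom != from_dom:
            found.append(f"{name} domain {dom!r} differs from From domain {from_dom!r}")
    # First token of Received-SPF is the result (pass, neutral, softfail, ...).
    spf = (msg["Received-SPF"] or "").split(" ", 1)[0].lower() or "missing"
    if spf != "pass":
        found.append(f"SPF result is {spf!r}, not 'pass'")
    if "undisclosed-recipients" in (msg["To"] or "").lower():
        found.append("To is undisclosed-recipients (bulk Bcc delivery)")
    return found

if __name__ == "__main__":
    for line in header_indicators(RAW_HEADERS):
        print("-", line)
```

None of these signs is conclusive on its own; together they show a message that claims to come from a school help desk but was sent from an unrelated account at another institution.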




  • Chandra Khan

    Thanks Cris
    This is really very helpful.

