2012-03-25

The Mobile Browser Syndrome

Ever since I became acquainted with browsing the web on my Android phone, I've begun showing the following involuntary behavior: while browsing a web site on my desktop PC, I just double-click the text column, expecting it to zoom to full screen, as happens on a mobile browser.
I've come to the idea that it wouldn't be bad.
And it seems I'm not the only one.
What browser will be the first one to actually implement it?
I'd bet on IE, as probably it'll use the same code base for the desktop and the tablet version in Windows 8.

2012-03-18

Who controls the remote control?

Would you click on allow?

The original story is about exploiting free product support by trying to sell premium support on non-existent issues.
Would you allow a complete stranger full control over your PC?

I've made some tests myself with two of the most prominent remote support offerings: WebEx and TeamViewer.
WebEx does not allow unattended download of files: each file must be explicitly shared by the owner.
TeamViewer, instead, allows full filesystem access, and a file transfer request from the controlling end opens a notification window on the remote side with full logging. Sadly, that window can be minimized and can easily be ignored by a less expert user.

I'm not saying here that TeamViewer GmbH will exploit your computer, but there's a chance that someone using it could.

So much for the corporate level support, but there is a whole market for personal connectivity.
I was browsing the appstore for an RDP/VNC app to control my PC, and I saw that there are plenty. Some of them even require you to install a host component on the target PC. Apparently this trend has been fueled by Microsoft, by disabling Remote Desktop on the Home edition of the latest Windows versions.
What kind of guarantee does the user have that the host and the remote app don't do anything suspicious?
Most of them don't even connect the client directly to the server, but use some kind of external gateway to overcome NAT issues.
This is a classic man-in-the-middle scheme.
Do you trust their encryption?
Do they keep a copy of your remote control session?
Nearly all of these remote control apps have file transfer capabilities:
Once you have given full access to your PC, how long does it take for the "man-in-the-middle" to download browser history, password cache, "My Documents" folder?

So, by looking at my crystal ball, I may say that the next wave of phishing malware will come in the form of free remote control tools.

2012-03-17

iShoe?

Guess who's going to sue you?


A pathetic attempt to profit on the Apple brand.

2012-03-13

VMware Player & USB



While on the go, I use an HUAWEI Mobile Broadband E1692 HSDPA USB Stick for 3G connection.
After I hadn't used it for some time, it stopped working. No error messages, it just wasn't recognized any more among the USB devices. Nothing at all, not even an unknown device, just as if it wasn't even plugged in.

After some fiddling I recalled that I had installed VMware Player. Just as I removed it, the USB stick returned to life.

Note that I wasn't using it in a VM, but directly on the host. And there weren't any VMs running nor the player itself running.

I suspect, as the player can redirect USB ports to the VMs, that some kind of USB device filter was installed by the player that prevented the USB stick from being seen by the host OS. It seems to have affected only that particular stick, as other USB devices were running as usual.

2012-03-03

Gone phishing


I receive phishing attempts in my mailbox nearly on a daily basis.
All of them are so naive that they reach the trashcan in a matter of seconds, but today I got one that left me thinking for a while.
This one actually refers to a credit card that I actually own: maybe there was a breach in an e-commerce site where I bought something in the past.

The from: field contains the actual sender of a legitimate CartaSI mail.
Logos (not shown here) are actually linked from the real CartaSI site.
The email text is nicely formatted and contains nearly no spelling errors.

I checked the headers, because at the moment I had some doubts:

From - Thu Mar 1 17:32:52 2012
X-Account-Key: account1
X-UIDL: ALBoUtQAAJG7T08WXAtFMQcfVF0
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: XXX@yahoo.it via 212.82.104.176; Thu, 01 Mar 2012 06:25:32 +0000
X-YahooFilteredBulk: 217.117.28.119
Received-SPF: none (domain of deltatrans.lt does not designate permitted sender hosts)

Using a .lt domain to send .it emails may be accidental genius: in some fonts, lt looks very similar to It.

X-Originating-IP: [217.117.28.119]
Authentication-Results: mta1097.mail.ird.yahoo.com from=cartasi.it; domainkeys=neutral (no sig); from=cartasi.it; dkim=neutral (no sig)

The from field seems to prove the authenticity of the email.

Received: from 127.0.0.1 (EHLO www.deltatrans.lt) (217.117.28.119)
by mta1097.mail.ird.yahoo.com with SMTP; Thu, 01 Mar 2012 06:25:32 +0000
Received: by www.deltatrans.lt (Postfix, from userid 33)
id CE7BC151553B; Thu, 1 Mar 2012 08:24:09 +0200 (EET)
Date: Thu, 1 Mar 2012 08:24:09 +0200
To: XXX@yahoo.it
From: CartaSi <CartaSi_Informa@cartasi.it>

The From: field again seems correct.

Reply-To:
Subject: Ripristina l'accesso al conto.
Message-ID: <8c4c304cdaf997627eb6de1671380860@217.117.28.119>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"

<table style="width:550px;">
<tr>
<td>
<img src="http://www.cartasi.it/immagini/brandCartasi2.gif" alt="Logo">

The images come from the official site

</td>
</tr>
<tr>
<td>
<span style=" padding-left:25px;font-family:Georgia, 'Times new Roman', Times, Serif; font-style:italic;font-size:1.1em;"><!--821fsu67-->G<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->l<!--821fsu67-->e c<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e<!--821fsu67-->,<!--821fsu67--></span><br />
<p style="padding:10px 25px;font-family:'Helvetica Neue', 'Helvetica', Arial, 'Sans-serif'; font-size:1em;">

<!--821fsu67-->I<!--821fsu67-->l<!--821fsu67--> t<!--821fsu67-->u<!--821fsu67-->o a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->o<!--821fsu67-->u<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67--> è s<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->o b<!--821fsu67-->l<!--821fsu67-->o<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->o <!--821fsu67-->a<!--821fsu67--> c<!--821fsu67-->a<!--821fsu67-->u<!--821fsu67-->s<!--821fsu67-->a d<!--821fsu67-->i n<!--821fsu67-->u<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->o<!--821fsu67-->s<!--821fsu67-->i t<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->v<!--821fsu67-->i d<!--821fsu67-->i l<!--821fsu67-->o<!--821fsu67-->g<!--821fsu67-->i<!--821fsu67-->n f<!--821fsu67-->a<!--821fsu67-->l<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->. S<!--821fsu67-->i p<!--821fsu67-->r<!--821fsu67-->e
<!--821fsu67-->g<!--821fsu67-->a d<!--821fsu67-->i l<!--821fsu67-->e<!--821fsu67-->g<!--821fsu67-->g<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->e a<!--821fsu67-->t<!--821fsu67-->t<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e q<!--821fsu67-->u<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->a e<!--821fsu67-->-<!--821fsu67-->m<!--821fsu67-->a<!--821fsu67-->i<!--821fsu67-->l <!--821fsu67-->e<!--821fsu67--> a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->e<!--821fsu67-->d<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->e a<!--821fsu67-->l n<!--821fsu67-->o<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->r<!--821fsu67-->o s<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->o c<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->a<!--821fsu67-->n<!--821fsu67-->d<!--821fsu67-->o s<!--821fsu67-->u<!--821fsu67-->l l<!--821fsu67-->i<!--821fsu67-->n<!--8
21fsu67-->k f<!--821fsu67-->o<!--821fsu67-->r<!--821fsu67-->n<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->o <!--821fsu67-->i<!--821fsu67-->n<!--821fsu67--> q<!--821fsu67-->u<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->a e<!--821fsu67-->-<!--821fsu67-->m<!--821fsu67-->a<!--821fsu67-->i<!--821fsu67-->l<!--821fsu67--> e<!--821fsu67--> r<!--821fsu67-->i<!--821fsu67-->p<!--821fsu67-->r<!--821fsu67-->i<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->e l<!--821fsu67-->'<!--821fsu67-->a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->s<!--821fsu67-->o a<!--821fsu67-->l c<!--821fsu67-->o<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->o<!--821fsu67-->. S<!--821fsu67-->i p<!--821fsu67-->r<!--821fsu67-->e<!--821fsu67-->g<!--821fsu67-->a<!--821fsu67--> <!--821fsu67-->d<!--821fsu67-->i n<!--821fsu67-->o<!--821fsu67-->n u<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->l<!--821fsu67
-->i<!--821fsu67-->z<!--821fsu67-->z<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->e i<!--821fsu67-->l l<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->k a<!--821fsu67-->l<!--821fsu67-->l<!--821fsu67-->'<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->n<!--821fsu67-->o d<!--821fsu67-->i q<!--821fsu67-->u<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->a e<!--821fsu67-->-<!--821fsu67-->m<!--821fsu67-->a<!--821fsu67-->i<!--821fsu67-->l a<!--821fsu67--> r<!--821fsu67-->i<!--821fsu67-->p<!--821fsu67-->r<!--821fsu67-->i<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->e u<!--821fsu67-->n<!--821fsu67--> a<!--821fsu67-->l<!--821fsu67-->t<!--821fsu67-->r<!--821fsu67-->o c<!--821fsu67-->o<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->o d<!--821fsu67-->i q<!--821fsu67-->u<!--821fsu67-->a<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->o i<!--821fsu67-->l t<!--821fsu67-
->u<!--821fsu67-->o<!--821fsu67-->, p<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->c<!--821fsu67-->h<!--821fsu67-->é i<!--821fsu67-->l c<!--821fsu67-->o<!--821fsu67-->l<!--821fsu67-->l<!--821fsu67-->e<!--821fsu67-->g<!--821fsu67-->a<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->o è u<!--821fsu67-->n<!--821fsu67-->i<!--821fsu67-->v<!--821fsu67-->o<!--821fsu67-->c<!--821fsu67-->a<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e g<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->o e<!--821fsu67-->d è c<!--821fsu67-->o<!--821fsu67-->m<!--821fsu67-->p<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->b<!--821fsu67-->i<!--821fsu67-->l<!--821fsu67-->e s<!--821fsu67-->o<!--821fsu67-->l<!--821fsu67-->o c<!--821fsu67-->o<!--821fsu67-->n i<!--821fsu67-->l t<!--821fsu67-->u<!--821fsu67-->o a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->o<!--821fsu67--
>u<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->.

The email text is broken up by HTML comments inserted between the letters, probably to hide it from antispam filters.

<br /><br />
<a href="kotlin-novator.ru/upload/iblock/ff6/kotlin/novator/CartaSi/id/cliente/passaport/buletino/1/2/3/carta/index.php?id=www.cartasi.it?loosers"><!--821fsu67-->h<!--821fsu67-->t<!--821fsu67-->t<!--821fsu67-->p<!--821fsu67-->:<!--821fsu67-->/<!--821fsu67-->/<!--821fsu67-->w<!--821fsu67-->w<!--821fsu67-->w<!--821fsu67-->.<!--821fsu67-->c<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->s<!--821fsu67-->i<!--821fsu67-->.<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->/<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->o<!--821fsu67-->l<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->i<!--821fsu67-->/<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->d<!--821fsu67-->e<!--821fsu67-->x<!--821fsu67-->.<!--821fsu67-->j<!--821fsu67-->s<!--821fsu67-->p<!--821fsu67-->?<!--821fsu67-->I<!--821fsu67-->d<!--821fsu67-->_<!--821fsu67-->C<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e<!--821fsu67-->=<!--821

But this one finally breaks the spell for good: the link is clearly not from CartaSI. There's even an insult to them (cartasi -> loosers).

fsu67-->1<!--821fsu67-->3<!--821fsu67-->j<!--821fsu67-->e<!--821fsu67-->9<!--821fsu67-->u<!--821fsu67-->2<!--821fsu67-->3<!--821fsu67-->r<!--821fsu67-->/<!--821fsu67-->2<!--821fsu67-->f<!--821fsu67-->3<!--821fsu67-->2<!--821fsu67-->r</a><br /><br/>
<span style="font-family:courier;">T<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->v<!--821fsu67-->i <!--821fsu67-->d<!--821fsu67-->i<!--821fsu67--> a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->s<!--821fsu67-->o<!--821fsu67-->: <b><!--821fsu67-->3<!--821fsu67--></b><br />
I<!--821fsu67-->n<!--821fsu67-->d<!--821fsu67-->i<!--821fsu67-->r<!--821fsu67-->i<!--821fsu67-->z<!--821fsu67-->z<!--821fsu67-->o I<!--821fsu67-->P<!--821fsu67-->: <b><!--821fsu67-->2<!--821fsu67-->1<!--821fsu67-->7<!--821fsu67-->.<!--821fsu67-->1<!--821fsu67-->1<!--821fsu67-->2<!--821fsu67-->.<!--821fsu67-->3<!--821fsu67-->5<!--821fsu67-->.<!--821fsu67-->7<!--821fsu67-->7 <!--821fsu67-->(<!--821fsu67-->R<!--821fsu67-->U<!--821fsu67-->-<!--821fsu67-->R<!--821fsu67-->u<!--821fsu67-->s<!--821fsu67-->s<!--821fsu67-->i<!--821fsu67-->a<!--821fsu67-->)<!--821fsu67--></b><br /></span>
<hr/>
<p style="padding:10px 25px;font-family:'Helvetica Neue', 'Helvetica', Arial, 'Sans-serif';font-size:.8em;color:#585858;"><!--821fsu67-->I<!--821fsu67-->l c<!--821fsu67-->r<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->c<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e n<!--821fsu67-->u<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->o d<!--821fsu67-->i a<!--821fsu67-->t<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->h<!--821fsu67-->i d<!--821fsu67-->i p<!--821fsu67-->h<!--821fsu67-->i<!--821fsu67-->s<!--821fsu67-->h<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->g s<!--821fsu67-->u<!--821fsu67-->i n<!--821fsu67-->o<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->r<!--821fsu67-->i c<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->i c<!--821fsu67-->i h<!--821fsu67-->a f<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->t<!--821fsu67-->o m<!--821fsu67-->o<!--821fsu67-->d<!--82
1fsu67-->i<!--821fsu67-->f<!--821fsu67-->i<!--821fsu67-->c<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->e l<!--821fsu67-->a n<!--821fsu67-->o<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->r<!--821fsu67-->a p<!--821fsu67-->o<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->c<!--821fsu67-->a s<!--821fsu67-->u<!--821fsu67-->l<!--821fsu67-->l<!--821fsu67-->a p<!--821fsu67-->r<!--821fsu67-->i<!--821fsu67-->v<!--821fsu67-->a<!--821fsu67-->c<!--821fsu67-->y <!--821fsu67-->e<!--821fsu67--> a<!--821fsu67-->n<!--821fsu67-->che <!--821fsu67-->p<!--821fsu67-->e<!--821fsu67-->r e<!--821fsu67-->s<!--821fsu67-->s<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->e p<!--821fsu67-->iù<!--821fsu67--> r<!--821fsu67-->i<!--821fsu67-->g<!--821fsu67-->o<!--821fsu67-->r<!--821fsu67-->o<!--821fsu67-->s<!--821fsu67-->i s<!--821fsu67-->u<!--821fsu67-->l n<!--821fsu67-->u<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->o d<!--821fsu67-->i t<!--821fsu67-->e<!--82
1fsu67-->n<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->v<!--821fsu67-->i d<!--821fsu67-->i l<!--821fsu67-->o<!--821fsu67-->g<!--821fsu67-->i<!--821fsu67-->n f<!--821fsu67-->a<!--821fsu67-->l<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->. S<!--821fsu67-->i p<!--821fsu67-->r<!--821fsu67-->e<!--821fsu67-->g<!--821fsu67-->a d<!--821fsu67-->i s<!--821fsu67-->e<!--821fsu67-->g<!--821fsu67-->u<!--821fsu67-->i<!--821fsu67-->r<!--821fsu67-->e a<!--821fsu67-->t<!--821fsu67-->t<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e l<!--821fsu67-->e n<!--821fsu67-->o<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->r<!--821fsu67-->e i<!--821fsu67-->n<!--821fsu67-->d<!--821fsu67-->i<!--821fsu67-->c<!--821fsu67-->a<!--821fsu67-->z<!--821fsu67-->i<!--821fsu67-->o<!--821fsu67-->n<!--821fsu67-->i e s<!--821fsu67-->a<!--821fsu67-->rà<!--821f
su67--> i<!--821fsu67-->n g<!--821fsu67-->r<!--821fsu67-->a<!--821fsu67-->d<!--821fsu67-->o d<!--821fsu67-->i r<!--821fsu67-->i<!--821fsu67-->p<!--821fsu67-->r<!--821fsu67-->i<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->e l<!--821fsu67-->'<!--821fsu67-->a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->s<!--821fsu67-->o a<!--821fsu67-->l c<!--821fsu67-->o<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->o i<!--821fsu67-->n p<!--821fsu67-->o<!--821fsu67-->c<!--821fsu67-->h<!--821fsu67-->i m<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->u<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->.<br /><br />
© C<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->S<!--821fsu67-->i S<!--821fsu67-->.<!--821fsu67-->p<!--821fsu67-->.<!--821fsu67-->A<br/><br />
<img src="http://www.cartasi.it/Immagini/logo_gruppo_icbpi-c.jpg" alt="Gruppo ICBPI Logo">

</p>

</p>
</td>
</tr>
<tr>
<td>

</td>

</tr>
</table>
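
The two tells annotated above, text split by comments and a link whose visible text names one host while its href points at another, can be checked mechanically. The following Python is an added example, not part of the original post; the sample HTML is constructed, `phish.example` is a placeholder host, and the threshold of three in-word comments is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample reusing the comment marker seen in the mail above.
# "phish.example" is a placeholder host, not the one from the original link.
C = "<!--821fsu67-->"
SAMPLE = (
    "<p>" + C.join("Il") + " " + C.join("tuo") + " " + C.join("account") + "</p>"
    '<a href="phish.example/CartaSi/index.php?id=www.cartasi.it">'
    + C.join("http://www.cartasi.it/titolari/") + "</a>"
)

# A comment with a word character directly on both sides splits a word in two.
IN_WORD_COMMENT = re.compile(r"\w<!--(?:(?!-->).)*-->(?=\w)", re.S)
LOOKS_LIKE_URL = re.compile(r"(?i)^(?:https?://|www\.)")
HAS_SCHEME = re.compile(r"(?i)^[a-z][a-z0-9+.-]*://")


class MailAudit(HTMLParser):
    """Collects visible text and (href, visible link text); comments are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None
        elif tag in ("p", "td", "div"):
            self.text.append("\n")

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


def host_of(url):
    # The href in the mail has no scheme; treat its first label as the host.
    if not HAS_SCHEME.match(url):
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def audit(html, min_split=3):
    """Return (recovered visible text, list of findings)."""
    parser = MailAudit()
    parser.feed(html)
    parser.close()
    findings = []
    split = len(IN_WORD_COMMENT.findall(html))
    if split >= min_split:
        findings.append(f"visible text split by {split} in-word HTML comments")
    for href, shown in parser.links:
        # Only compare when the link text itself claims to be a URL.
        if LOOKS_LIKE_URL.match(shown) and host_of(shown) != host_of(href):
            findings.append(
                f"link text shows {host_of(shown)} but href goes to {host_of(href)}")
    return "".join(parser.text), findings


if __name__ == "__main__":
    text, findings = audit(SAMPLE)
    print(text)
    for f in findings:
        print("FINDING:", f)
```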

Just for comparison, I looked at a real, legit email from the same source: ironically the text is worse looking than the fake one.
It seems to be generated by some legacy accounting system.



From - Thu Mar 1 17:32:47 2012
X-Account-Key: account1
X-UIDL: ALBoUtQAAD2aTy4pTwgqcREZlow
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: XXX@yahoo.it via 212.82.104.176; Sun, 05 Feb 2012 07:01:35 +0000
Received-SPF: pass (domain of cartasi.it designates 151.99.182.116 as permitted sender)

The SPF header confirms it's from CartaSi.

X-Originating-IP: [151.99.182.116]
Authentication-Results: mta1097.mail.ukl.yahoo.com from=cartasi.it; domainkeys=neutral (no sig); from=cartasi.it; dkim=neutral (no sig)

As we see from the previous email, this is not enough.

Received: from 127.0.0.1 (EHLO smtpout.cartasi.it) (151.99.182.116)

HELO and IP address confirm it's from CartaSi

by mta1097.mail.ukl.yahoo.com with SMTP; Sun, 05 Feb 2012 07:01:35 +0000
Received: from simisnt0007 (simisnt0007.si.it [172.16.210.7])
by smtpout.cartasi.it (8.13.7+Sun/8.13.7) with ESMTP id q1576i6N03456
for <XXX@yahoo.it>; Sun, 5 Feb 2012 08:06:44 +0100 (CET)
Date: Sun, 5 Feb 2012 08:06:44 +0100 (CET)
Message-ID: <7290512.1322345695087.JavaMail.unadm@simisnt0007>
From: CartaSi <CartaSi_Informa@cartasi.it>
To: XXX@yahoo.it
Subject: Situazione aggiornata al 05/02/2012
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_39277_7604434.13284265345087"

------=_Part_39277_7604434.132456295087
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable

Gentile Titolare,
Ti comunichiamo - come da tua richiesta - l'elenco degli ultimi movimenti r=
egistrati per la tua CartaSi:
=20
Esercente Localita' Data Importo Euro
-------------------------------------------------------------------------
Carta **** **** **** ****=20
TFL MFM BETHNAL GREEN 03/02/12 19,23

=20
Ti ricordiamo che tramite il sito CartaSi puoi mantenerti sempre aggiornato=
sulle opportunita' e sui vantaggi che CartaSi ti riserva.
---------------------------------------------------------------------------=
-----------------=20
Per favore, non rispondere a questa mail: per eventuali comunicazioni acced=
i alla tua area riservata del Sito Internet di CartaSi e scrivici attravers=
o "Lo sportello del Cliente":=20
=E8 il modo pi=F9 semplice per ottenere una rapida risposta dai nostri oper=
atori. Grazie per la collaborazione.

------=_Part_39277_7604434.13264545087--

Text is not obfuscated.
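
The comparison between the two messages comes down to whether the domains the receiving server actually checked line up with the domain shown in From:. A sketch of that check in Python, added here as an example and not part of the original post; the header subsets are copied from the two dumps above, and the suffix-based `aligned()` helper is a simplification (no public-suffix list).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subsets of the headers quoted in the post for the two messages.
PHISH = (
    "Received-SPF: none (domain of deltatrans.lt does not designate permitted sender hosts)\n"
    "Received: from 127.0.0.1 (EHLO www.deltatrans.lt) (217.117.28.119)\n"
    " by mta1097.mail.ird.yahoo.com with SMTP; Thu, 01 Mar 2012 06:25:32 +0000\n"
    "From: CartaSi <CartaSi_Informa@cartasi.it>\n\n"
)
LEGIT = (
    "Received-SPF: pass (domain of cartasi.it designates 151.99.182.116 as permitted sender)\n"
    "Received: from 127.0.0.1 (EHLO smtpout.cartasi.it) (151.99.182.116)\n"
    " by mta1097.mail.ukl.yahoo.com with SMTP; Sun, 05 Feb 2012 07:01:35 +0000\n"
    "From: CartaSi <CartaSi_Informa@cartasi.it>\n\n"
)

SPF_RE = re.compile(r"^\s*(\w+)\s*\(domain of (\S+)")
EHLO_RE = re.compile(r"\(EHLO\s+([^)\s]+)\)")


def aligned(host, domain):
    """True if host equals domain or is a subdomain of it (simplified check)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))


def triage(raw_headers):
    msg = message_from_string(raw_headers)
    # From: is chosen freely by the sender, so it is the claim to be verified.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    spf = SPF_RE.search(msg.get("Received-SPF", ""))
    spf_result = spf.group(1).lower() if spf else "missing"
    spf_domain = spf.group(2).lower() if spf else ""

    # Only the topmost Received line was written by the recipient's own server.
    # The EHLO name in it is still self-declared by the connecting host.
    received = msg.get_all("Received") or [""]
    ehlo = EHLO_RE.search(received[0])
    ehlo_host = ehlo.group(1).lower() if ehlo else ""

    findings = []
    if spf_result != "pass":
        findings.append(f"SPF result is '{spf_result}', not 'pass'")
    if not aligned(spf_domain, from_domain):
        findings.append(f"SPF checked '{spf_domain}', From: claims '{from_domain}'")
    if not aligned(ehlo_host, from_domain):
        findings.append(f"EHLO '{ehlo_host}' is outside '{from_domain}'")
    return {"from_domain": from_domain, "spf_result": spf_result,
            "spf_domain": spf_domain, "ehlo": ehlo_host, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        report = triage(raw)
        print(name, report["findings"] or "no findings")
```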