2012-03-03

Gone phishing


I receive phishing attempts in my mailbox nearly on a daily basis.
All of them are so naives that they gain the trashcan in a matter of seconds, but today I've got one that left me thinking for a while.
This one actually refers to a credit card that I actually own: maybe there was a breach in an e-commerce site where I bought something in the past.

The from: field contains the actual sender of a legitimate CartaSI mail.
Logos (not shown here) are actually linked from the real CartaSI site.
The email text is nicely formatted and contains nearly no spelling errors.

I checked the headers, because at the moment I had some doubts:

From - Thu Mar 1 17:32:52 2012
X-Account-Key: account1
X-UIDL: ALBoUtQAAJG7T08WXAtFMQcfVF0
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: XXX@yahoo.it via 212.82.104.176; Thu, 01 Mar 2012 06:25:32 +0000
X-YahooFilteredBulk: 217.117.28.119
Received-SPF: none (domain of deltatrans.lt does not designate permitted sender hosts)

using a .lt domain to send .it emails may be accidental genius: on some fonts, lt looks very similar to It.

X-YMailISG: 5g4dHhgWLDvs2PH2zZ6Fuu8M7oWhqKUQQknE9OKSGmsS5unT
DShTDd8bmXRLgEvh2DmiR8G.V.UKZepsU4uqnMsKS01oLuZg4dybwW.jYL8R
7pQdxiF2NGQzKDaehnTe2QlnMdm59sj0UaqeqtoUMpLQR_I.r4WGmdGUyqfm
2XH5WvqE1C32_Lf7hUr6lxGej1lQdxyJuWb95NnFv7vmSOIGY7vVCG9sY4ez
8pC1ZQ0foZODYdTjmap.f0VntxfTzv2UpK1ZXjp4cLuS_E6PlZBqIWFsWHVW
Aw4wGP9ZzMnECUij.XzXWN0ta_LB.b6aiecMYhpiPqzozJ68zNq5neEAsZ4Q
Gne9x0TsUBd0nVQ3hDnYOHA2E.m_Yg48A887_yHRAZS4gI0WcKGiNxZxtQvx
f6Z7QfV990ccqzp4zXfolfv2BDnzwBIYAjTwDVLGEzhxBd0FlZXeDNyDHIHM
vZL334PvSGGxeX4VN5GRDwZ0otmylzmxpTkPlSA7DBL6Ts0BcUhbPeNz9QYy
0W3eoOULgxJKPmf._.gyjM0gasrBQdh_snJM2qOEWz6o6fHGEjP.yYfzHcRo
InJYN4wYCn_as2PIGrV5d4GZp2O5NrgQkEI_79lJ0aXfoeIF_EPuJ071VdQS
yOD_yCRVg9q6Q1JU5ZP_oIUsaDWClppfvyHU2IX4mBQARbBF4oYAqiWi6h6b
5xi722hsLvZN6IkfmAYWrsd9HCeJWanePBEdhsHiNGyi22s5bAnVlFA9XYsx
bq2VKJavyOQ6uwOv3myKWLaBnX0I1ArurZSR.ZuyVjOQn9scdO1pFHCpH.im
VdQEZtfuJaTXdUBeqhjsjE_X1DUT0bMh.HmGDH1eFDFMm68.Bv1Knkgu1gyZ
Vd.8TBOn0v9ICGX_dTadAc0uE.V0cbgUMcBz0omVsA4Iu3DbTiv9TtUciBnt
4RtuhKegVt2T.y4kPAjvAuBlRSIR8M8I8ox3wr9Je.zeAOmud.HB5Wd40AFX
f0sb6KDBO.tAAFJAK2oOZbzY2ZTQe3jE0_L3jiH7QXPyH3Nee1a8Gp8TQ7.q
k8Q-
X-Originating-IP: [217.117.28.119]
Authentication-Results: mta1097.mail.ird.yahoo.com from=cartasi.it; domainkeys=neutral (no sig); from=cartasi.it; dkim=neutral (no sig)

the from field seems to prove the authenticity of the email.

Received: from 127.0.0.1 (EHLO www.deltatrans.lt) (217.117.28.119)
by mta1097.mail.ird.yahoo.com with SMTP; Thu, 01 Mar 2012 06:25:32 +0000
Received: by www.deltatrans.lt (Postfix, from userid 33)
id CE7BC151553B; Thu, 1 Mar 2012 08:24:09 +0200 (EET)
Date: Thu, 1 Mar 2012 08:24:09 +0200
To: XXX@yahoo.it
From: CartaSi <CartaSi_Informa@cartasi.it>

the From: field again seems correct

Reply-To:
Subject: Ripristina l'accesso al conto.
Message-ID: <8c4c304cdaf997627eb6de1671380860@217.117.28.119>
X-Priority: 3
X-Mailer: PHPMailer (phpmailer.sourceforge.net) [version ]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="iso-8859-1"

<table style="width:550px;">
<tr>
<td>
<img src="http://www.cartasi.it/immagini/brandCartasi2.gif" alt="Logo">

The images come from the official site

</td>
</tr>
<tr>
<td>
<span style=" padding-left:25px;font-family:Georgia, 'Times new Roman', Times, Serif; font-style:italic;font-size:1.1em;"><!--821fsu67-->G<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->l<!--821fsu67-->e c<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e<!--821fsu67-->,<!--821fsu67--></span><br />
<p style="padding:10px 25px;font-family:'Helvetica Neue', 'Helvetica', Arial, 'Sans-serif'; font-size:1em;">

<!--821fsu67-->I<!--821fsu67-->l<!--821fsu67--> t<!--821fsu67-->u<!--821fsu67-->o a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->o<!--821fsu67-->u<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67--> è s<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->o b<!--821fsu67-->l<!--821fsu67-->o<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->o <!--821fsu67-->a<!--821fsu67--> c<!--821fsu67-->a<!--821fsu67-->u<!--821fsu67-->s<!--821fsu67-->a d<!--821fsu67-->i n<!--821fsu67-->u<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->o<!--821fsu67-->s<!--821fsu67-->i t<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->v<!--821fsu67-->i d<!--821fsu67-->i l<!--821fsu67-->o<!--821fsu67-->g<!--821fsu67-->i<!--821fsu67-->n f<!--821fsu67-->a<!--821fsu67-->l<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->. S<!--821fsu67-->i p<!--821fsu67-->r<!--821fsu67-->e
<!--821fsu67-->g<!--821fsu67-->a d<!--821fsu67-->i l<!--821fsu67-->e<!--821fsu67-->g<!--821fsu67-->g<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->e a<!--821fsu67-->t<!--821fsu67-->t<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e q<!--821fsu67-->u<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->a e<!--821fsu67-->-<!--821fsu67-->m<!--821fsu67-->a<!--821fsu67-->i<!--821fsu67-->l <!--821fsu67-->e<!--821fsu67--> a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->e<!--821fsu67-->d<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->e a<!--821fsu67-->l n<!--821fsu67-->o<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->r<!--821fsu67-->o s<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->o c<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->a<!--821fsu67-->n<!--821fsu67-->d<!--821fsu67-->o s<!--821fsu67-->u<!--821fsu67-->l l<!--821fsu67-->i<!--821fsu67-->n<!--8
21fsu67-->k f<!--821fsu67-->o<!--821fsu67-->r<!--821fsu67-->n<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->o <!--821fsu67-->i<!--821fsu67-->n<!--821fsu67--> q<!--821fsu67-->u<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->a e<!--821fsu67-->-<!--821fsu67-->m<!--821fsu67-->a<!--821fsu67-->i<!--821fsu67-->l<!--821fsu67--> e<!--821fsu67--> r<!--821fsu67-->i<!--821fsu67-->p<!--821fsu67-->r<!--821fsu67-->i<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->e l<!--821fsu67-->'<!--821fsu67-->a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->s<!--821fsu67-->o a<!--821fsu67-->l c<!--821fsu67-->o<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->o<!--821fsu67-->. S<!--821fsu67-->i p<!--821fsu67-->r<!--821fsu67-->e<!--821fsu67-->g<!--821fsu67-->a<!--821fsu67--> <!--821fsu67-->d<!--821fsu67-->i n<!--821fsu67-->o<!--821fsu67-->n u<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->l<!--821fsu67
-->i<!--821fsu67-->z<!--821fsu67-->z<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->e i<!--821fsu67-->l l<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->k a<!--821fsu67-->l<!--821fsu67-->l<!--821fsu67-->'<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->n<!--821fsu67-->o d<!--821fsu67-->i q<!--821fsu67-->u<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->a e<!--821fsu67-->-<!--821fsu67-->m<!--821fsu67-->a<!--821fsu67-->i<!--821fsu67-->l a<!--821fsu67--> r<!--821fsu67-->i<!--821fsu67-->p<!--821fsu67-->r<!--821fsu67-->i<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->e u<!--821fsu67-->n<!--821fsu67--> a<!--821fsu67-->l<!--821fsu67-->t<!--821fsu67-->r<!--821fsu67-->o c<!--821fsu67-->o<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->o d<!--821fsu67-->i q<!--821fsu67-->u<!--821fsu67-->a<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->o i<!--821fsu67-->l t<!--821fsu67-
->u<!--821fsu67-->o<!--821fsu67-->, p<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->c<!--821fsu67-->h<!--821fsu67-->é i<!--821fsu67-->l c<!--821fsu67-->o<!--821fsu67-->l<!--821fsu67-->l<!--821fsu67-->e<!--821fsu67-->g<!--821fsu67-->a<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->o è u<!--821fsu67-->n<!--821fsu67-->i<!--821fsu67-->v<!--821fsu67-->o<!--821fsu67-->c<!--821fsu67-->a<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e g<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->o e<!--821fsu67-->d è c<!--821fsu67-->o<!--821fsu67-->m<!--821fsu67-->p<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->b<!--821fsu67-->i<!--821fsu67-->l<!--821fsu67-->e s<!--821fsu67-->o<!--821fsu67-->l<!--821fsu67-->o c<!--821fsu67-->o<!--821fsu67-->n i<!--821fsu67-->l t<!--821fsu67-->u<!--821fsu67-->o a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->o<!--821fsu67--
>u<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->.

The email text is hidden inside comment fields, probably to hide it from antispam filters.

<br /><br />
<a href="kotlin-novator.ru/upload/iblock/ff6/kotlin/novator/CartaSi/id/cliente/passaport/buletino/1/2/3/carta/index.php?id=www.cartasi.it?loosers"><!--821fsu67-->h<!--821fsu67-->t<!--821fsu67-->t<!--821fsu67-->p<!--821fsu67-->:<!--821fsu67-->/<!--821fsu67-->/<!--821fsu67-->w<!--821fsu67-->w<!--821fsu67-->w<!--821fsu67-->.<!--821fsu67-->c<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->s<!--821fsu67-->i<!--821fsu67-->.<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->/<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->o<!--821fsu67-->l<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->i<!--821fsu67-->/<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->d<!--821fsu67-->e<!--821fsu67-->x<!--821fsu67-->.<!--821fsu67-->j<!--821fsu67-->s<!--821fsu67-->p<!--821fsu67-->?<!--821fsu67-->I<!--821fsu67-->d<!--821fsu67-->_<!--821fsu67-->C<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e<!--821fsu67-->=<!--821

But this one finally breaks the spell for good: the link is clearly not from CartaSI. There's even an insult to them (cartasi -> loosers).

fsu67-->1<!--821fsu67-->3<!--821fsu67-->j<!--821fsu67-->e<!--821fsu67-->9<!--821fsu67-->u<!--821fsu67-->2<!--821fsu67-->3<!--821fsu67-->r<!--821fsu67-->/<!--821fsu67-->2<!--821fsu67-->f<!--821fsu67-->3<!--821fsu67-->2<!--821fsu67-->r</a><br /><br/>
<span style="font-family:courier;">T<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->v<!--821fsu67-->i <!--821fsu67-->d<!--821fsu67-->i<!--821fsu67--> a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->s<!--821fsu67-->o<!--821fsu67-->: <b><!--821fsu67-->3<!--821fsu67--></b><br />
I<!--821fsu67-->n<!--821fsu67-->d<!--821fsu67-->i<!--821fsu67-->r<!--821fsu67-->i<!--821fsu67-->z<!--821fsu67-->z<!--821fsu67-->o I<!--821fsu67-->P<!--821fsu67-->: <b><!--821fsu67-->2<!--821fsu67-->1<!--821fsu67-->7<!--821fsu67-->.<!--821fsu67-->1<!--821fsu67-->1<!--821fsu67-->2<!--821fsu67-->.<!--821fsu67-->3<!--821fsu67-->5<!--821fsu67-->.<!--821fsu67-->7<!--821fsu67-->7 <!--821fsu67-->(<!--821fsu67-->R<!--821fsu67-->U<!--821fsu67-->-<!--821fsu67-->R<!--821fsu67-->u<!--821fsu67-->s<!--821fsu67-->s<!--821fsu67-->i<!--821fsu67-->a<!--821fsu67-->)<!--821fsu67--></b><br /></span>
<hr/>
<p style="padding:10px 25px;font-family:'Helvetica Neue', 'Helvetica', Arial, 'Sans-serif';font-size:.8em;color:#585858;"><!--821fsu67-->I<!--821fsu67-->l c<!--821fsu67-->r<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->c<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e n<!--821fsu67-->u<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->o d<!--821fsu67-->i a<!--821fsu67-->t<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->h<!--821fsu67-->i d<!--821fsu67-->i p<!--821fsu67-->h<!--821fsu67-->i<!--821fsu67-->s<!--821fsu67-->h<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->g s<!--821fsu67-->u<!--821fsu67-->i n<!--821fsu67-->o<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->r<!--821fsu67-->i c<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->i c<!--821fsu67-->i h<!--821fsu67-->a f<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->t<!--821fsu67-->o m<!--821fsu67-->o<!--821fsu67-->d<!--82
1fsu67-->i<!--821fsu67-->f<!--821fsu67-->i<!--821fsu67-->c<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->e l<!--821fsu67-->a n<!--821fsu67-->o<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->r<!--821fsu67-->a p<!--821fsu67-->o<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->c<!--821fsu67-->a s<!--821fsu67-->u<!--821fsu67-->l<!--821fsu67-->l<!--821fsu67-->a p<!--821fsu67-->r<!--821fsu67-->i<!--821fsu67-->v<!--821fsu67-->a<!--821fsu67-->c<!--821fsu67-->y <!--821fsu67-->e<!--821fsu67--> a<!--821fsu67-->n<!--821fsu67-->che <!--821fsu67-->p<!--821fsu67-->e<!--821fsu67-->r e<!--821fsu67-->s<!--821fsu67-->s<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->e p<!--821fsu67-->iù<!--821fsu67--> r<!--821fsu67-->i<!--821fsu67-->g<!--821fsu67-->o<!--821fsu67-->r<!--821fsu67-->o<!--821fsu67-->s<!--821fsu67-->i s<!--821fsu67-->u<!--821fsu67-->l n<!--821fsu67-->u<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->r<!--821fsu67-->o d<!--821fsu67-->i t<!--821fsu67-->e<!--82
1fsu67-->n<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->v<!--821fsu67-->i d<!--821fsu67-->i l<!--821fsu67-->o<!--821fsu67-->g<!--821fsu67-->i<!--821fsu67-->n f<!--821fsu67-->a<!--821fsu67-->l<!--821fsu67-->l<!--821fsu67-->i<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->. S<!--821fsu67-->i p<!--821fsu67-->r<!--821fsu67-->e<!--821fsu67-->g<!--821fsu67-->a d<!--821fsu67-->i s<!--821fsu67-->e<!--821fsu67-->g<!--821fsu67-->u<!--821fsu67-->i<!--821fsu67-->r<!--821fsu67-->e a<!--821fsu67-->t<!--821fsu67-->t<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->m<!--821fsu67-->e<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->e l<!--821fsu67-->e n<!--821fsu67-->o<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->r<!--821fsu67-->e i<!--821fsu67-->n<!--821fsu67-->d<!--821fsu67-->i<!--821fsu67-->c<!--821fsu67-->a<!--821fsu67-->z<!--821fsu67-->i<!--821fsu67-->o<!--821fsu67-->n<!--821fsu67-->i e s<!--821fsu67-->a<!--821fsu67-->rà<!--821f
su67--> i<!--821fsu67-->n g<!--821fsu67-->r<!--821fsu67-->a<!--821fsu67-->d<!--821fsu67-->o d<!--821fsu67-->i r<!--821fsu67-->i<!--821fsu67-->p<!--821fsu67-->r<!--821fsu67-->i<!--821fsu67-->s<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->e l<!--821fsu67-->'<!--821fsu67-->a<!--821fsu67-->c<!--821fsu67-->c<!--821fsu67-->e<!--821fsu67-->s<!--821fsu67-->s<!--821fsu67-->o a<!--821fsu67-->l c<!--821fsu67-->o<!--821fsu67-->n<!--821fsu67-->t<!--821fsu67-->o i<!--821fsu67-->n p<!--821fsu67-->o<!--821fsu67-->c<!--821fsu67-->h<!--821fsu67-->i m<!--821fsu67-->i<!--821fsu67-->n<!--821fsu67-->u<!--821fsu67-->t<!--821fsu67-->i<!--821fsu67-->.<br /><br />
© C<!--821fsu67-->a<!--821fsu67-->r<!--821fsu67-->t<!--821fsu67-->a<!--821fsu67-->S<!--821fsu67-->i S<!--821fsu67-->.<!--821fsu67-->p<!--821fsu67-->.<!--821fsu67-->A<br/><br />
<img src="http://www.cartasi.it/Immagini/logo_gruppo_icbpi-c.jpg" alt="Gruppo ICBPI Logo">

</p>

</p>
</td>
</tr>
<tr>
<td>

</td>

</tr>
</table>

Just for comparison, I looked at a real, legit email from the same source: ironically the text is worse looking than the fake one.
It seems to be generated by some legacy accounting system.



From - Thu Mar 1 17:32:47 2012
X-Account-Key: account1
X-UIDL: ALBoUtQAAD2aTy4pTwgqcREZlow
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Apparently-To: XXX@yahoo.it via 212.82.104.176; Sun, 05 Feb 2012 07:01:35 +0000
Received-SPF: pass (domain of cartasi.it designates 151.99.182.116 as permitted sender)

The SPF header confirm it's from CartaSi

X-YMailISG: qQheXqYWLDvq_g1n6I1lDJKcQsJG78EifakcVx05ZTh5f3cp
.0ByLNe9J_58zgfLNHR9vEIu.PCGGoX0hy1ChbRnJdx.5TyCrE9h5OFu5T7A
2QcHqHVZ2UDXSSAfvViCMP5tq09bQUqDKoiVolwqZi1lDHxSVnfQ8a89P6hK
nGjETufrRj8OTXQ6BHzBDe2YBp2NtoRLOAD0eWP_G7HkxDvrq4WVIF1hE8JB
A89CipLIm00LpK3sz.rlSsWwoAV3oPIDC60cM5xdI5ALY78lhssMW1JXC6US
18JSLIfwdtM2n7bbl_ww_UOSRG19e8Zl2YysL6S78fciJEknUzlATluCDIw1
yhkiELY42PkpnyxM8QFrkUCKIkAZ8w768yscnkI3pwsG5aJlDGXb7pLYnlJF
iyGxTZtYwseANBog.3ubQJ8vosUNlYhYufX1NaG7TbtD5y7dSk6jEN51Wb_t
4kCWatD1zSgKdzaDkn_rS.UGeGioC_nQVZOpQvtg.kXGEeM5wsoa8QgNaOob
5w8iatg9lKhzJdZawHv59WhNurLMvzVTotiqYA6uhBUOUyuUMoSvVy6lzMyN
AYiVUBxGim7qabcC6eIkzq4qp97obR.A1feqEpdfMmWuakgKzqHYy3OtTGa_
Sy6__at85KtR8ixOfiWtVay.3SjMqWi_TmU391B4KsAfYHLQ612e88k5FEwY
VagEkNBKNAtw2lN0iQgOfIe8nT_727IR9yA1J4aY6VZZzoBFMuhZWaw3U8wR
CiWmyYGiayD5BzGxSz_nD0NI5OV3paB4upahneWtd55F9QqhUKeKvyvvgTnN
7yMxT0kwvFK_00yBCGdg5M.KJnDTpHAS49OFaE6AChACis3q42AvCEKTWLbf
55c9zzQFvFQmpiPx1BfHBQgNoXOi9xkQ8nY8I1vIGS2ap5tHLsIpaxEs4Uov
SEjPG1q2MbHxBVADZdXsEp5TULnAt5PYQkCEL._KqjbemRvhMigHunPWrp3Y
DiVjmJS_9sI3
X-Originating-IP: [151.99.182.116]
Authentication-Results: mta1097.mail.ukl.yahoo.com from=cartasi.it; domainkeys=neutral (no sig); from=cartasi.it; dkim=neutral (no sig)

As we see from the previous email, this is not enough

Received: from 127.0.0.1 (EHLO smtpout.cartasi.it) (151.99.182.116)

HELO and IP address confirm it's from CartaSi

by mta1097.mail.ukl.yahoo.com with SMTP; Sun, 05 Feb 2012 07:01:35 +0000
Received: from simisnt0007 (simisnt0007.si.it [172.16.210.7])
by smtpout.cartasi.it (8.13.7+Sun/8.13.7) with ESMTP id q1576i6N03456
for <XXX@yahoo.it>; Sun, 5 Feb 2012 08:06:44 +0100 (CET)
Date: Sun, 5 Feb 2012 08:06:44 +0100 (CET)
Message-ID: <7290512.1322345695087.JavaMail.unadm@simisnt0007>
From: CartaSi <CartaSi_Informa@cartasi.it>
To: XXX@yahoo.it
Subject: Situazione aggiornata al 05/02/2012
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_39277_7604434.13284265345087"

------=_Part_39277_7604434.132456295087
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable

Gentile Titolare,
Ti comunichiamo - come da tua richiesta - l'elenco degli ultimi movimenti r=
egistrati per la tua CartaSi:
=20
Esercente Localita' Data Importo Euro
-------------------------------------------------------------------------
Carta **** **** **** ****=20
TFL MFM BETHNAL GREEN 03/02/12 19,23

=20
Ti ricordiamo che tramite il sito CartaSi puoi mantenerti sempre aggiornato=
sulle opportunita' e sui vantaggi che CartaSi ti riserva.
---------------------------------------------------------------------------=
-----------------=20
Per favore, non rispondere a questa mail: per eventuali comunicazioni acced=
i alla tua area riservata del Sito Internet di CartaSi e scrivici attravers=
o "Lo sportello del Cliente":=20
=E8 il modo pi=F9 semplice per ottenere una rapida risposta dai nostri oper=
atori. Grazie per la collaborazione.

------=_Part_39277_7604434.13264545087--

Text is not obfuscated.

No comments:

Post a Comment