Recently in Webmail Category

Another variant of the "Your webmail quota has exceeded the set quota" scam. This one is signed "Localhost", and that is one of the biggest clues that it is a scam: do you know anyone named "Localhost"?

There is nothing specific in this e-mail to suggest the sender knows anything about you; it was blasted out to see who would take the bait. It is safe to delete and forget. Just don't click the link, which is an ow.ly short URL, so you cannot even tell where it leads without following it.

Your webmail quota has exceeded the set quota which is 20GB. you are currently running on 20.9GB. To re-activate and increase your webmail quota please click the link below.


http://ow.ly/244BZ


Failure to do so may result in the cancellation of your webmail account.


Thanks, and sorry for the inconvienence.

Localhost


The headers show this e-mail came through Treasure Valley Community College's mail system, so it appears someone's account there was hacked/compromised.

[screenshot: webmail_scam_01.png]

If you recently received an e-mail from something as vague as "Email Administrator IT Service", don't believe it (not that you would have anyway). The body of the message reads roughly as follows:

Dear subscribers.

This message is from the Email Administrator  IT Service to all our email account subscribers.You are to provide to us the below information to revalidate your account due to spam and to upgrade the new 2010 spam version.

Notice:Your access.k12.wv.us  Email account will be expired after a week, if you do not revalidate or update your account. Please do co-operate with us so we can serve you better, contact the adminstrator!!****

User Name:
Password:
Confirm Your Password:
Alternative Email :

Thank You.
 Email Administrator
Warning Code :ID67565434


Okay, just reading this message should set off alarms. No IT administrator will ever ask you for your password; an admin already has the ability to reset or change your account without it. This particular e-mail was relayed through a SquirrelMail webmail server at kics.bc.ca in Canada, using an authenticated (and presumably compromised) account, market@eco.kics.bc.ca; the innermost Received header records the client that logged into that webmail session as 82.128.112.55, so the Canadian server is the relay, not the person typing. Note also the spoofed From address (info@microsoft.org) against a Reply-To at an unrelated domain (24.tc): replies go to the scammer, not to wherever the From claims.

Received: from duo.kics.bc.ca (68.233.169.222)
  by XXXXXXXXXXXXXXXXX with SMTP; 15 May 2010 17:16:15 -0400
Received: (qmail 18103 invoked from network); 15 May 2010 21:08:54 -0000
Received: from unknown (HELO squirrel.kics.bc.ca) (68.233.169.222)
  by kics.bc.ca with SMTP; 15 May 2010 21:08:53 -0000
Received: from 82.128.112.55
        (SquirrelMail authenticated user market@eco.kics.bc.ca)
        by squirrel.kics.bc.ca with HTTP;
        Sat, 15 May 2010 14:08:53 -0700 (PDT)
Message-ID: <46ef1fc8b2696f757c51403ff8ec660f.squirrel@squirrel.kics.bc.ca>
Date: Sat, 15 May 2010 14:08:53 -0700 (PDT)
Subject: Dear subscribers.
From: "E-MAIL. MANAGEMENT" <info@microsoft.org>
Reply-To: upgradingteam@24.tc
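Added example (my code, not from the post): a small Python script that walks the Received: chain above the way the post does by hand. The sample header block is the one printed above, copied verbatim with the blog's XXXX masking kept. It reports the hop nearest the sender, the webmail-authenticated account that hop records, and whether From: and Reply-To: disagree. Caveat: only the Received: lines added by servers you trust are reliable; anything below them could have been forged by the sender, so the "origin" here is only as good as the relay that wrote it.

```python
"""Walk the Received: chain of a pasted mail header and pull out what the
post reads off by hand: the innermost hop (closest to the sender), any
webmail-authenticated user recorded there, and a From/Reply-To mismatch."""
import re

# Header block copied from the post above (the blog's masked relay name
# XXXX... is left as-is).
SAMPLE_HEADERS = """\
Received: from duo.kics.bc.ca (68.233.169.222)
  by XXXXXXXXXXXXXXXXX with SMTP; 15 May 2010 17:16:15 -0400
Received: (qmail 18103 invoked from network); 15 May 2010 21:08:54 -0000
Received: from unknown (HELO squirrel.kics.bc.ca) (68.233.169.222)
  by kics.bc.ca with SMTP; 15 May 2010 21:08:53 -0000
Received: from 82.128.112.55
        (SquirrelMail authenticated user market@eco.kics.bc.ca)
        by squirrel.kics.bc.ca with HTTP;
        Sat, 15 May 2010 14:08:53 -0700 (PDT)
Message-ID: <46ef1fc8b2696f757c51403ff8ec660f.squirrel@squirrel.kics.bc.ca>
Date: Sat, 15 May 2010 14:08:53 -0700 (PDT)
Subject: Dear subscribers.
From: "E-MAIL. MANAGEMENT" <info@microsoft.org>
Reply-To: upgradingteam@24.tc
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw):
    """Join RFC 5322 continuation lines so each header is a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def headers(raw):
    """(name, value) pairs in the order they appear; names lower-cased."""
    out = []
    for line in unfold(raw).splitlines():
        if ":" in line:
            name, _, value = line.partition(":")
            out.append((name.strip().lower(), value.strip()))
    return out


def received_hops(raw):
    """Received: headers, top (nearest us) to bottom (nearest sender).

    Each hop records the 'from' clause and 'by' host as written, the first
    IPv4 literal in the 'from' clause, and the webmail user when the relay
    noted one (SquirrelMail does). A qmail 'invoked from network' line has
    neither, so its fields stay empty."""
    hops = []
    for name, value in headers(raw):
        if name != "received":
            continue
        m_from = re.search(r"\bfrom\s+(.+?)\s+by\s+", value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        from_clause = m_from.group(1) if m_from else ""
        ip = IPV4.search(from_clause)
        user = re.search(r"authenticated user (\S+)\)", value)
        hops.append({
            "from": from_clause,
            "by": m_by.group(1) if m_by else "",
            "ip": ip.group(1) if ip else None,
            "auth_user": user.group(1) if user else None,
        })
    return hops


def origin(raw):
    """The hop closest to the sender: the bottom-most Received: header.
    Trust it only as far as you trust the relay that wrote it."""
    hops = received_hops(raw)
    return hops[-1] if hops else None


def first(raw, name):
    """Value of the first header called `name`, or None."""
    for n, v in headers(raw):
        if n == name:
            return v
    return None


def addr_domain(value):
    """Domain part of the first e-mail address in a header value."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", value or "")
    return m.group(1).lower() if m else None


def reply_to_mismatch(raw):
    """True when Reply-To points at a different domain than From, the
    pattern in the post above (microsoft.org vs 24.tc)."""
    f, r = addr_domain(first(raw, "from")), addr_domain(first(raw, "reply-to"))
    return bool(f and r and f != r)


def summarize(raw):
    """The facts a triage note needs, as a dict."""
    o = origin(raw)
    return {
        "origin_ip": o["ip"] if o else None,
        "origin_relay": o["by"] if o else None,
        "auth_user": o["auth_user"] if o else None,
        "reply_to_mismatch": reply_to_mismatch(raw),
    }


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print(hop)
    print(summarize(SAMPLE_HEADERS))
```

For the sample above this reports 82.128.112.55 as the client, squirrel.kics.bc.ca as the relay that recorded it, market@eco.kics.bc.ca as the authenticated account, and a From/Reply-To mismatch. Feed it the headers of the other posts on this page and the same functions work; the qmail line simply yields an empty hop.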

This is something to look out for.  Below is a capture of the actual email item.

[screenshot: email_administrator_it.png]


This variation on the "Webmail: Your mailbox has exceeded the storage limit" notification is designed to dupe people into clicking a link that supposedly takes you to a site that will fix your e-mail settings. Of course, that is far from the truth: the link leads to a malware package (a setup.zip or open.exe, see the list below) that you are tricked into downloading and running.

[screenshot: spoof_mailbox_settings_changed.png]

It looks like free Google Groups and Yahoo! Groups file areas are the home of many of these payloads; the links follow this pattern:

http://XXXXXX.googlegroups.com/web/XXXXXXX
http://f1.grp.yahoofs.com/XXXXXXXXXXXXXXXXX

The e-mail headers show that it came straight from an address in Argentina (190.176.213.228), a speedy.com.ar (Telefonica consumer broadband) host that introduced itself with the bare machine name NTFRQLO in its HELO. That, plus a Date: header stamped +0100 (not an Argentine time zone), is consistent with an infected home PC delivering directly to the recipient's mail server rather than a real mail system.

Received: (qmail 22391 invoked from network); 9 May 2010 15:34:08 -0400
Received: from 190-176-213-228.speedy.com.ar (HELO NTFRQLO) (190.176.213.228)
  by XXXXXXXXXXXXXXXXXX with SMTP; 9 May 2010 15:34:07 -0400
Message-ID: <000d01caefae$95d7db60$6400a8c0@futonstbc8>
From: XXXXXXXXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Subject: setting for your mailbox XXXXXXXXXXXXXXXXXXXX are changed
Date: Sun, 9 May 2010 21:34:05 +0100
The IP address belongs to Telefonica de Argentina:

inetnum:     190.176/15
status:      allocated
owner:       Telefonica de Argentina
ownerid:     AR-TEAR7-LACNIC
responsible: Agustín Gomez Dhers
address:     AV. ING. HUERGO - OBS. JUDICIALES, 723,
address:     1065 - Buenos Aires - CF
country:     AR
phone:       +54 11 4333-2220 []
owner-c:     TEA
tech-c:      TEA
abuse-c:     TEA
inetrev:     190.176/15
nserver:     DNS1.MRSE.COM.AR
nsstat:      20100505 AA
nslastaa:    20100505
nserver:     DNS2.MRSE.COM.AR
nsstat:      20100505 AA
nslastaa:    20100505
nserver:     DNS3.MRSE.COM.AR
nsstat:      20100505 AA
nslastaa:    20100505
nserver:     DNS4.MRSE.COM.AR
nsstat:      20100505 AA
nslastaa:    20100505
created:     20080311
changed:     20080311

Updated: 2010-05-09
http://mamapapabrat.googlegroups.com/web/setup.zip
http://perlox.googlegroups.com/web/setup.zip
http://goblinx.googlegroups.com/web/setup.zip
Updated: 2010-05-10
http://ferixs.googlegroups.com/web/setup.zip
Updated: 2010-05-11
http://ferzom.googlegroups.com/web/setup.zip
http://bitrixs.googlegroups.com/web/setup.zip
http://nonstops.googlegroups.com/web/setup.zip
http://misterxyz.googlegroups.com/web/setup.zip
http://lovexxxs.googlegroups.com/web/setup.zip
Updated: 2010-05-12
http://monerxmonerx.googlegroups.com/web/setup.zip
http://videoxman.googlegroups.com/web/1.html
Updated: 2010-05-13
http://f1.grp.yahoofs.com/v1/wAjrSwtpvg6L6efPNZBiYDP__uzORA7CvCfs583JeF5kU1cW01CupKTBEyymaZZeXC3n4Mvczz4J4m6bIFXFmA/open.exe

It looks like either a server was compromised or someone at California State University, Northridge decided to try his or her hand at harvesting account details (or pushing a worm/virus onto your computer).

[screenshot: webmail_exceeded_01.png]

Received: (qmail 31022 invoked from network); 14 Apr 2010 21:31:07 -0400
Received: from rohu.csun.edu (HELO exchange.csun.edu) (130.166.5.59)
  by XXXXXXXXXXXX with (RC4-MD5 encrypted) SMTP; 14 Apr 2010 21:31:07 -0400
Received: from CSUN-EX-V02.csun.edu ([130.166.5.50]) by rohu.csun.edu
 ([130.166.5.59]) with mapi; Wed, 14 Apr 2010 18:31:06 -0700
From: "Harris, Matt L" <matt.harris@csun.edu>
To: "web12@web3mail.com" <web12@web3mail.com>
Date: Wed, 14 Apr 2010 18:31:05 -0700
Subject: Your mailbox has exceeded the storage limit
Thread-Topic: Your mailbox has exceeded the storage limit
Thread-Index: AQHK3DtRDngNxnIjEUK+gzUoUJKX3w==
Message-ID: <A27A52097686DC4DA76C6E2FB114348C3BD395CC12@CSUN-EX-V02.csun.edu>
Or maybe it is just a compromised account: the message left CSUN's Exchange server via MAPI from a named staff mailbox, and the To: address is a throwaway (web12@web3mail.com) while the real targets were on Bcc, both of which point to someone logged into that account rather than a forged header. Below is a copy of the text.

Your mailbox has exceeded the storage limit which is 20GB as set by your webmail administrator,
you are currently running on 20.9GB, you may not be able to send or receive new mail until you re-validate your mailbox.
To re-validate your mailbox please CLICK below and you will be redirected to your webmail upgrade form which you are to
fill and submit fot your mailbox upgrade.
To re-validate your mailbox please
CLICK HERE   (the link behind "CLICK HERE" points to http://jotform.com/form/1103203219)
Thanks,
Webmail Administrator.

JOTFORM.COM is where the "upgrade form" lives, but it is not the attacker's own domain: JotForm is a legitimate online form builder, and the scammer has simply built a form there to collect usernames and passwords. The whois below therefore identifies the hosting service (the right place to send an abuse report) rather than the sender. The domain is registered through GODADDY.COM, INC.

Registrant:
   Interlogy, LLC
   5214 39th Ave Apt 2C
   Woodside, New York 11377
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: JOTFORM.COM
      Created on: 09-Nov-05
      Expires on: 09-Nov-12
      Last Updated on: 18-Feb-09

   Administrative Contact:
      Tank, Aytekin  atank@interlogy.com
      Interlogy, LLC
      5214 39th Ave Apt 2C
      Woodside, New York 11377
      United States
      2035555555      Fax --

   Technical Contact:
      Tank, Aytekin  atank@interlogy.com
      Interlogy, LLC
      5214 39th Ave Apt 2C
      Woodside, New York 11377
      United States
      2035555555      Fax --

   Domain servers in listed order:
      NS1.INET-SVCS.COM
      NS2.INET-SVCS.COM
      NS1.GEODNS.NET
      NS2.GEODNS.NET
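Added example (mine, not the blog's or any vendor's): a link scanner that encodes the indicators the posts on this page read off by eye, namely payload downloads from Google Groups / Yahoo! Groups file areas, a hosted form on jotform.com, a URL shortener (ow.ly) hiding the destination, and "CLICK HERE" style anchor text pointing off-domain. The two sample bodies are constructed from the links quoted in the posts; the indicator lists are assumptions drawn from this page alone and would need to be kept current in real use.

```python
"""Pull every link out of a lure body (HTML or plain text) and flag the
things the posts above notice by eye: a download of an archive or
executable from an abused group file area, a hosted form on a third-party
domain, a URL shortener, and call-to-action anchor text pointing off-site."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator lists taken from the posts on this page (assumption: these are
# the only ones we care about here; a real filter would maintain them).
PAYLOAD_HOSTS = ("googlegroups.com", "grp.yahoofs.com")   # setup.zip / open.exe
FORM_HOSTS = ("jotform.com",)                              # credential form
SHORTENER_HOSTS = ("ow.ly",)                               # first post's link
PAYLOAD_EXTENSIONS = (".zip", ".exe")

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed bodies built from the links quoted in the posts above.
HTML_LURE = ('To re-validate your mailbox please '
             '<a href="http://jotform.com/form/1103203219">CLICK HERE</a> '
             'Thanks, Webmail Administrator.')
TEXT_LURE = """\
To re-activate and increase your webmail quota please click the link below.
http://ow.ly/244BZ
http://mamapapabrat.googlegroups.com/web/setup.zip
http://f1.grp.yahoofs.com/v1/wAjrSwtpvg6L6efPNZBiYDP__uzORA7CvCfs583JeF5kU1cW01CupKTBEyymaZZeXC3n4Mvczz4J4m6bIFXFmA/open.exe
http://videoxman.googlegroups.com/web/1.html
"""


class _Links(HTMLParser):
    """Collect (href, visible text) for each <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def links_in(body):
    """(url, anchor text) pairs; bare URLs in text get an empty anchor."""
    p = _Links()
    p.feed(body)
    found = list(p.links)
    seen = {u for u, _ in found}
    for url in URL_RE.findall(body):
        if url not in seen:
            found.append((url, ""))
            seen.add(url)
    return found


def _host_in(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(url, text=""):
    """Reasons a link looks like part of a quota lure (empty list if none)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reasons = []
    if _host_in(host, PAYLOAD_HOSTS):
        if p.path.lower().endswith(PAYLOAD_EXTENSIONS):
            reasons.append("payload download from group file area")
        else:
            reasons.append("landing page in group file area")
    if _host_in(host, FORM_HOSTS):
        reasons.append("hosted form on a third-party domain")
    if _host_in(host, SHORTENER_HOSTS):
        reasons.append("URL shortener hides destination")
    # "CLICK HERE" / re-validate / upgrade text whose target is off-site.
    if text and host and re.search(r"click here|re-?validate|upgrade", text, re.I):
        reasons.append("call-to-action text pointing at %s" % host)
    return reasons


def scan(body):
    """Every link in the body that triggers at least one indicator."""
    hits = []
    for url, text in links_in(body):
        reasons = classify(url, text)
        if reasons:
            hits.append((url, text, reasons))
    return hits


if __name__ == "__main__":
    for body in (HTML_LURE, TEXT_LURE):
        for url, text, reasons in scan(body):
            print(url, repr(text), "->", "; ".join(reasons))
```

On the HTML body this flags the single jotform.com link twice over (hosted form plus "CLICK HERE" pointing off-site); on the text body it flags all four links, with the 1.html one only as a group-area landing page. The domain match is suffix-based so mamapapabrat.googlegroups.com and f1.grp.yahoofs.com both hit without listing every group name.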


This page is an archive of recent entries in the Webmail category.