Discussion:
Skype current version
micky
2018-10-02 17:30:09 UTC
There is a bigger email component to this post further down.

I got an email today saying that they could tell I had recently used
Skype ver. 7 and that support for that was ending in November.

Update Now.

I almost did that until I checked my Skype and it said it was version
12! About this Version: Skype 12.1815.210.0 Is this an old phishing
email and they forgot to change 7 to 12?

But I went to Skype Download and by golly, it wants to install version
8. Not 12 or 13.

What's going on? Do I have version 12 now or version 7?

Another strange thing about the email I got is that none of the headers
show. I use Eudora and it's set up to show To:, From:, Date:, and
Subject: and if I click on Blah-blah-blah, it shows the rest. For this
email, maybe the first or second ever, no header is showing and if I
click on Blah-blah-blah, once the headers showed for a couple seconds,
but then it scrolled down, and when I went back up, they weren't there.
Hiding them and showing them again usually didn't show any (though the
same thing happened one more time), but the white margin at the top
increased by an inch.

Aha, Ctrl-A shows the header lines in blue, 43 lines per vertical inch.
So the headers are in white on a white background. When I enlarge the
page, I can make them 4 inches high, but they are still too short and
thin to read!

So let's copy them here. I think that will change their size:
Return-Path:
bounce-35_html-1647051933-16695-7227104-***@bounce.email.skype.com
Received: from mx01.rcn.cmh.synacor.com (LHLO mx.rcn.com) (10.33.3.179)
by
md03.rcn.cmh.synacor.com with LMTP; Tue, 2 Oct 2018 12:36:48 -0400
(EDT)
Return-Path:
<bounce-35_html-1647051933-16695-7227104-***@bounce.email.skype.com>
X_CMAE_Category: , ,
X-CNFS-Analysis: v=2.2 cv=VK+fpJHX c=1 sm=1 tr=0
a=B0jK1sH+Vpi0t7ow20oYrA==:117 a=pvRaRfHP+WpTeLDZu5Q1qg==:17
a=KGjhK52YXX0A:10 a=6giede-wJD4A:10 a=smKx5t2vBNcA:10
a=r77TgQKjGQsHNAKrUKIA:9 a=BZSrzMhrAAAA:8 a=yMhMjlubAAAA:8
a=sHkOoLhA2rukYXD2AQ8A:9 a=QEXdDO2ut3YA:10 a=SSmOFEACAAAA:8
a=FTdzzXgEAAAA:8 a=X3osjzD9AAAA:8 a=zY8zc4w2AAAA:8
a=1d2ZUhy_XEPZWRU1DWcA:9 a=P9ldekxQUiuG6ZBH:21 a=_W_S_7VecoQA:10
a=frz4AuCg-hUA:10 a=9WGsHDE11_sA:10 a=WzykwQ6jd5kA:10 a=_6a4iHMk3kYA:10
a=iatny8nKl_1owlmUhX6e:22 a=KuMVtDEgDhYueJReMcEt:22
a=FwbGyI3MexpDk7mo7g3h:22
X-CM-Score: 0
X-Scanned-by: Cloudmark Authority Engine
X-Received-HELO: from [38.102.228.57] (helo=litemail57.bigfoot.com)
Authentication-Results: mx01.rcn.cmh.synacor.com
smtp.mail=bounce-35_html-1647051933-16695-7227104-***@bounce.email.skype.com;
spf=fail; sender-id=fail
Authentication-Results: mx01.rcn.cmh.synacor.com
header.DKIM-Signature=***@email.skype.com; dkim=permfail (body hash
did not verify)
Authentication-Results: mx01.rcn.cmh.synacor.com
header.from=***@email.skype.com; sender-id=fail
Received-SPF: fail (mx01.rcn.cmh.synacor.com: domain
bounce.email.skype.com does not designate 38.102.228.57 as permitted
sender)
Received: from [38.102.228.57] ([38.102.228.57:4487]
helo=litemail57.bigfoot.com)
by mx.rcn.com (envelope-from
<bounce-35_html-1647051933-16695-7227104-***@bounce.email.skype.com>)
(ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTP
id EC/D2-10158-F9E93BB5; Tue, 02 Oct 2018 12:36:48 -0400
Received: by LITEMAIL57.bigfoot.com (LiteMail v3.03(LITEMAIL57)) with
SMTP id 1810020935_LITEMAIL57_7662224_10221386;
Tue, 02 Oct 2018 09:36:46 -0700
Received: from mta21.email2.microsoft.com ([136.147.186.21])
by litemail17.bigfoot.net with SMTP id 1538497996.12200;
Tue, 02 Oct 2018 12:33:18 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608;
d=email.skype.com;

h=From:To:Subject:Date:MIME-Version:Reply-To:List-ID:Message-ID:Content-Type;
i=***@email.skype.com;
bh=h1fQj6alJJLzv7zdhCGOwCO9J0Y=;

b=qHWjrbmqyln7/3kIygD+dwp/i98ZXXbuAS6P8pNVHLeGA1+lSMfbacGR6uPKQ4kKwF7e4t0w5l1E

yv6PbXC1mklEiM3TqDzqkehK0TYYk6aSyILgJx1ZbMx0sajZpBX/4BkWNpqQUoaHaTdDt/5rzs6y
TwJZEw9nmxhnNXR1/L4=
Received: by mta21.email2.microsoft.com id hmef9q163hss for
<***@bigfoot.com>; Tue, 2 Oct 2018 16:32:13 +0000 (envelope-from
<bounce-35_HTML-1647051933-16695-7227104-***@bounce.email.skype.com>)
From: "Skype" <***@email.skype.com>
To: <***@bigfoot.com>
Subject: A Skype update may be required
Date: Tue, 02 Oct 2018 10:32:13 -0600
MIME-Version: 1.0
Reply-To: "Skype"
<reply-fef41576736d01-35_HTML-1647051933-7227104-***@email.skype.com>
List-ID: <7225442.xt.local>
X-CSA-Complaints: ***@eco.de
x-job: 7227104_16695
Message-ID:
<cae27014-f982-4b67-a41b-***@atl1s07mta660.xt.local>
Content-Type: multipart/alternative;
boundary="WDPsX9sf6CVy=_?:"
Content-Transfer-Encoding:

So, does this look real? How suspicious is it that they tried so hard
to hide the headers? The Skype page about phishing says that
email.skype.com is one of their 7 genuine domains, but can't a phisher
use any from address he wants?



P.S.
On the phone, the updates happen automatically I assume and I don't
know where to find the version number of any app I have. What's a guy
to do?

BTW, who named phishing phishing? Surely not the phishermen?
Joel
2018-10-02 17:41:37 UTC
Post by micky
There is a bigger email component to this post further down.
I got an email today saying that they could tell I had recently used
Skype ver. 7 and that support for that was ending in November.
Update Now.
I almost did that until I checked my Skype and it said it was version
12! About this Version: Skype 12.1815.210.0 Is this an old phishing
email and they forgot to change 7 to 12?
But I went to Skype Download and by golly, it wants to install version
8. Not 12 or 13.
What's going on? Do I have version 12 now or version 7?
Authentication-Results: mx01.rcn.cmh.synacor.com
spf=fail; sender-id=fail
Authentication-Results: mx01.rcn.cmh.synacor.com
did not verify)
Authentication-Results: mx01.rcn.cmh.synacor.com
Received-SPF: fail (mx01.rcn.cmh.synacor.com: domain
bounce.email.skype.com does not designate 38.102.228.57 as permitted
sender)
So, does this look real? How suspicious is it that they tried so hard
to hide the headers? The Skype page about phishing says that
email.skype.com is one of their 7 genuine domains, but can't a phisher
use any from address he wants?
It looks fake, and the content of it sounds fake. I would ignore it.
--
Joel Crump
Frank Slootweg
2018-10-02 18:51:14 UTC
Post by micky
There is a bigger email component to this post further down.
I got an email today saying that they could tell I had recently used
Skype ver. 7 and that support for that was ending in November.
Update Now.
I almost did that until I checked my Skype and it said it was version
12! About this Version: Skype 12.1815.210.0
My Skype does *not* say "About this Version:", but just "Skype TM
Version ...", so you should probably re-check what you did.
Post by micky
Is this an old phishing email and they forgot to change 7 to 12?
I don't think so. The first (from bottom to top) 'Received:' header
Post by micky
Received: by mta21.email2.microsoft.com id hmef9q163hss for
The first header is hard to fake/forge, so if it's legit, that's a
good indication of the message to be legit.
Post by micky
But I went to Skype Download and by golly, it wants to install version
8. Not 12 or 13.
Correct.
Post by micky
What's going on? Do I have version 12 now or version 7?
I'm sure you have 7. Just go to (Windows) Control Panel -> Programs
and Features (or whatever is the Windows 10 equivalent) and check there.
Mine says 7.40 under Name and 7.40.103 under Version.

[...]
Post by micky
So, does this look real? How suspicious is it that they tried so hard
to hide the headers? The Skype page about phishing says that
email.skype.com is one of their 7 genuine domains, but can't a phisher
use any from address he wants?
I don't think anybody hid anything. It's probably you not knowing how
to get Eudora to show you what you want/need.

And yes, it's trivial to fake From:/To:/Cc:/Bcc: etc..

[..]
Post by micky
P.S.
On the phone, the updates happen automatically I assume and I don't
know where to find the version number of any app I have. What's a guy
to do?
Settings -> Manage apps -> tap on desired app, i.e. Skype -> Bingo!
VanguardLH
2018-10-03 01:47:02 UTC
Post by Frank Slootweg
Post by micky
Received: by mta21.email2.microsoft.com id hmef9q163hss for
The first header is hard to fake/forge, so if it's legit, that's a
good indication of the message to be legit.
If you know which is the first Received header added by a mail server
and not inserted by a spammer. An old trick is for the spammer's client
to add a fake Received header to the body of their message. Normally
the header section is delimited from the body by a blank line (presence
of /n/n after the last header); however, I've seen the fake Received
header in the header section (no blank delimiter line). Maybe this is
the spammer using their own SMTP server to connect to a real e-mail
provider's SMTP server, and the spammer has their server (using the same
SMTP commands as any e-mail client) prepending the fake Received header
before passing it onto the real SMTP server.

Normally you look for the 'from' clause in a Received header to match on
the 'by' clause in the just-prior Received header. That fails when a
server has internal routing that only shows a 'from' clause or only shows
a 'by' clause but those often have IP addresses at the e-mail provider
or using internal IP addresses. Sometimes the Received headers are
rather mangled, so it can be tough to be sure no bogus ones were added
by the spammer before passing it through the following SMTP servers.

The first Received header is an example of an incomplete header: no
'from' clause. That's because it was an internal handoff.
micky
2018-10-04 06:07:34 UTC
In alt.comp.os.windows-10, on 2 Oct 2018 18:51:14 GMT, Frank Slootweg
Post by Frank Slootweg
Post by micky
There is a bigger email component to this post further down.
I got an email today saying that they could tell I had recently used
Skype ver. 7 and that support for that was ending in November.
Update Now.
I almost did that until I checked my Skype and it said it was version
12! About this Version: Skype 12.1815.210.0
My Skype does *not* say "About this Version:", but just "Skype TM
Version ...", so you should probably re-check what you did.
Post by micky
Is this an old phishing email and they forgot to change 7 to 12?
I don't think so. The first (from bottom to top) 'Received:' header
Post by micky
Received: by mta21.email2.microsoft.com id hmef9q163hss for
The first header is hard to fake/forge, so if it's legit, that's a
good indication of the message to be legit.
Post by micky
But I went to Skype Download and by golly, it wants to install version
8. Not 12 or 13.
Correct.
Post by micky
What's going on? Do I have version 12 now or version 7?
I'm sure you have 7. Just go to (Windows) Control Panel -> Programs
and Features (or whatever is the Windows 10 equivalent) and check there.
Mine says 7.40 under Name and 7.40.103 under Version.
Good idea. I'd forgotten that versions are listed there.

But it's not even there! That's when I remembered that Skype came
included in some version of Win10. And I guess that is the reason for
the different version number.

I found it a nuisance to Search for Skype before opening it so I managed
to create a shortcut and pin it to the task bar, and I thought I once
updated it by going to the skype download webpage.
Post by Frank Slootweg
[...]
Post by micky
So, does this look real? How suspicious is it that they tried so hard
to hide the headers? The Skype page about phishing says that
email.skype.com is one of their 7 genuine domains, but can't a phisher
use any from address he wants?
I don't think anybody hid anything. It's probably you not knowing how
to get Eudora to show you what you want/need.
And yes, it's trivial to fake From:/To:/Cc:/Bcc: etc..
Then it's strange that the Skype anti-phishing page bothers to say what
their valid domains are and without giving a warning that seeing one
means nothing.
Post by Frank Slootweg
[..]
Post by micky
P.S.
On the phone, the updates happen automatically I assume and I don't
know where to find the version number of any app I have. What's a guy
to do?
Settings -> Manage apps -> tap on desired app, i.e. Skype -> Bingo!
Dennis Lee Bieber
2018-10-04 13:53:14 UTC
Post by micky
Then it's strange that the Skype anti-phishing page bothers to say what
their valid domains are and without giving a warning that seeing one
means nothing.
It means that /sending/ data /to/ the domain would be safe. Many
phishing attempts may fake the routing headers, but contain embedded URLs
that do NOT connect to the real site. They rely upon people clicking links
without checking the real URL the link text is hiding.

That is -- instead of a link (say "Upgrade Skype") being to

https://www.skype.com/en/get-skype/ <=== safe to visit

it really points to something like

http://my.phish.host/skype/get-skype/ <=== not safe/fake
--
Wulfraed Dennis Lee Bieber AF6VN
***@ix.netcom.com HTTP://wlfraed.home.netcom.com/
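The check described in the post above, comparing where a link really points with what it displays, as an added example that is not part of the original thread. The allow-list holds only skype.com (the site the post calls safe), the function names are hypothetical, and the HTML body is constructed from the two URLs in the post plus one constructed look-alike host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: only the site domain named in the post; a real list would be
# taken from the vendor's own published page.
TRUSTED_DOMAINS = {"skype.com"}

# Constructed sample body (not the real e-mail, which is not on the page).
SAMPLE_BODY = """
<p>Support for Skype 7 is ending.</p>
<a href="https://www.skype.com/en/get-skype/">Upgrade Skype</a>
<a href="http://my.phish.host/skype/get-skype/">Upgrade Skype</a>
<a href="http://my.phish.host/skype/get-skype/">https://www.skype.com/en/get-skype/</a>
<a href="https://skype.com.example.org/get-skype/">Update Now</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def split_or_none(url):
    try:
        return urlsplit(url)
    except ValueError:          # malformed netloc, e.g. unbalanced brackets
        return None


def host_is_trusted(host):
    # Exact match or a true subdomain; the leading dot stops
    # "skype.com.example.org" from passing as skype.com.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def host_shown_in_text(text):
    """Host named by the visible text, if that text is itself a URL or hostname."""
    if " " in text or "." not in text:
        return None
    parts = split_or_none(text if "://" in text else "//" + text)
    return parts.hostname if parts else None


def audit_links(html_body):
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.links:
        parts = split_or_none(href)
        host = parts.hostname if parts else None
        reasons = []
        if parts is None or parts.scheme != "https":
            reasons.append("not https")
        if not host_is_trusted(host):
            reasons.append("host not on allow-list")
        shown = host_shown_in_text(text)
        if shown and shown != host:
            reasons.append("link text shows a different host")
        findings.append((text, host, reasons))
    return findings


if __name__ == "__main__":
    for text, host, reasons in audit_links(SAMPLE_BODY):
        print(f"{text!r} -> {host}: {', '.join(reasons) or 'ok'}")
```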
Frank Slootweg
2018-10-04 17:52:55 UTC
Post by micky
In alt.comp.os.windows-10, on 2 Oct 2018 18:51:14 GMT, Frank Slootweg
Post by Frank Slootweg
Post by micky
There is a bigger email component to this post further down.
I got an email today saying that they could tell I had recently used
Skype ver. 7 and that support for that was ending in November.
Update Now.
I almost did that until I checked my Skype and it said it was version
12! About this Version: Skype 12.1815.210.0
My Skype does *not* say "About this Version:", but just "Skype TM
Version ...", so you should probably re-check what you did.
Post by micky
Is this an old phishing email and they forgot to change 7 to 12?
I don't think so. The first (from bottom to top) 'Received:' header
Post by micky
Received: by mta21.email2.microsoft.com id hmef9q163hss for
The first header is hard to fake/forge, so if it's legit, that's a
good indication of the message to be legit.
Post by micky
But I went to Skype Download and by golly, it wants to install version
8. Not 12 or 13.
Correct.
Post by micky
What's going on? Do I have version 12 now or version 7?
I'm sure you have 7. Just go to (Windows) Control Panel -> Programs
and Features (or whatever is the Windows 10 equivalent) and check there.
Mine says 7.40 under Name and 7.40.103 under Version.
Good idea. I'd forgotten that versions are listed there.
But it's not even there! That's when I remembered that Skype came
included in some version of Win10. And I guess that is the reason for
the different version number.
As VanguardLH mentioned, the version 12 thingy is an UWP (Universal
Windows Platform) / Metro / Modern / <whatever> *app* which uses Windows
10's Fisher-Price interface (Thanks, Stan)!

You should be ashamed of yourself! Not just for having the poor taste
of using such a disgusting POS, but having the audacity to publicly and
openly confess such a disgraceful act!

Shame on you!
micky
2018-10-04 19:45:24 UTC
In comp.mail.eudora.ms-windows, on 4 Oct 2018 17:52:55 GMT, Frank
Post by Frank Slootweg
Post by micky
In alt.comp.os.windows-10, on 2 Oct 2018 18:51:14 GMT, Frank Slootweg
Post by Frank Slootweg
Post by micky
There is a bigger email component to this post further down.
I got an email today saying that they could tell I had recently used
Skype ver. 7 and that support for that was ending in November.
Update Now.
I almost did that until I checked my Skype and it said it was version
12! About this Version: Skype 12.1815.210.0
My Skype does *not* say "About this Version:", but just "Skype TM
Version ...", so you should probably re-check what you did.
Post by micky
Is this an old phishing email and they forgot to change 7 to 12?
I don't think so. The first (from bottom to top) 'Received:' header
Post by micky
Received: by mta21.email2.microsoft.com id hmef9q163hss for
The first header is hard to fake/forge, so if it's legit, that's a
good indication of the message to be legit.
Post by micky
But I went to Skype Download and by golly, it wants to install version
8. Not 12 or 13.
Correct.
Post by micky
What's going on? Do I have version 12 now or version 7?
I'm sure you have 7. Just go to (Windows) Control Panel -> Programs
and Features (or whatever is the Windows 10 equivalent) and check there.
Mine says 7.40 under Name and 7.40.103 under Version.
Good idea. I'd forgotten that versions are listed there.
But it's not even there! That's when I remembered that Skype came
included in some version of Win10. And I guess that is the reason for
the different version number.
As VanguardLH mentioned, the version 12 thingy is an UWP (Universal
So it doesn't stand for UnWanted Program?
Post by Frank Slootweg
Windows Platform) / Metro / Modern / <whatever> *app* which uses Windows
10's Fisher-Price interface (Thanks, Stan)!
You should be ashamed of yourself! Not just for having the poor taste
of using such a disgusting POS, but having the audacity to publicly and
openly confess such a disgraceful act!
Shame on you!
I'm ashamed of myself for many reasons, but not sure why I should be
here.

That I use Skype, or that I use the Skype that came with windows?

As to the first, what is better?
As to the second, I thought maybe I could install a totally separate
copy, but then I'd have two copies, wasted space, and I didn't want
that.
Frank Slootweg
2018-10-04 20:08:10 UTC
Post by micky
In comp.mail.eudora.ms-windows, on 4 Oct 2018 17:52:55 GMT, Frank
Post by Frank Slootweg
Post by micky
In alt.comp.os.windows-10, on 2 Oct 2018 18:51:14 GMT, Frank Slootweg
Post by Frank Slootweg
Post by micky
There is a bigger email component to this post further down.
I got an email today saying that they could tell I had recently used
Skype ver. 7 and that support for that was ending in November.
Update Now.
I almost did that until I checked my Skype and it said it was version
12! About this Version: Skype 12.1815.210.0
My Skype does *not* say "About this Version:", but just "Skype TM
Version ...", so you should probably re-check what you did.
Post by micky
Is this an old phishing email and they forgot to change 7 to 12?
I don't think so. The first (from bottom to top) 'Received:' header
Post by micky
Received: by mta21.email2.microsoft.com id hmef9q163hss for
The first header is hard to fake/forge, so if it's legit, that's a
good indication of the message to be legit.
Post by micky
But I went to Skype Download and by golly, it wants to install version
8. Not 12 or 13.
Correct.
Post by micky
What's going on? Do I have version 12 now or version 7?
I'm sure you have 7. Just go to (Windows) Control Panel -> Programs
and Features (or whatever is the Windows 10 equivalent) and check there.
Mine says 7.40 under Name and 7.40.103 under Version.
Good idea. I'd forgotten that versions are listed there.
But it's not even there! That's when I remembered that Skype came
included in some version of Win10. And I guess that is the reason for
the different version number.
As VanguardLH mentioned, the version 12 thingy is an UWP (Universal
So it doesn't stand for UnWanted Program?
Post by Frank Slootweg
Windows Platform) / Metro / Modern / <whatever> *app* which uses Windows
10's Fisher-Price interface (Thanks, Stan)!
Of course it *is* an UnWanted Program, but as I said, it *stands for*
'Universal Windows Platform'. And because we're talking about Microsoft
here, 'Universal' means that it's anything but. So don't expect your
Windows 8.1. thingy to run on Windows 10 or vice versa. 'Compatibility'?
You silly, silly boy!
Post by micky
Post by Frank Slootweg
You should be ashamed of yourself! Not just for having the poor taste
of using such a disgusting POS, but having the audacity to publicly and
openly confess such a disgraceful act!
Shame on you!
I'm ashamed of myself for many reasons, but not sure why I should be
here.
That I use Skype, or that I use the Skype that came with windows?
As to the first, what is better?
No, that you use Skype is fine. Skype is great. It's the best since
sliced bread. I Skype all the time. Sadly enough there's never anyone at
the other end. I wonder why *that* is?
Post by micky
As to the second, I thought maybe I could install a totally separate
copy, but then I'd have two copies, wasted space, and I didn't want
that.
A bit of consistency in your arguments wouldn't come astray! You imply
that you don't want to waste space, but at the same time you admit that
you're running Windows 10! What's up with *that*!?

Not to mention that you can't run 10. Limp yes, run no!

So be a man - or at least act like one - and upgrade to at least
Windows 8.1, but preferably to Windows 7!

VanguardLH
2018-10-02 18:54:53 UTC
Post by micky
I got an email today saying that they could tell I had recently used
Skype ver. 7 and that support for that was ending in November.
Update Now.
I almost did that until I checked my Skype and it said it was version
12! About this Version: Skype 12.1815.210.0 Is this an old phishing
email and they forgot to change 7 to 12?
But I went to Skype Download and by golly, it wants to install version
8. Not 12 or 13.
What's going on? Do I have version 12 now or version 7?
https://en.wikipedia.org/wiki/Skype

That lists:

Windows - 8.31
Windows UWP - 12.1815

UWP = Universal Windows Platform
https://docs.microsoft.com/en-us/windows/uwp/get-started/universal-application-platform-guide

UWPs are those apps (versus programs) that run on Win8+. So, it depends
on whether you are running a local full program or a UWP app.
Post by micky
<list of headers in scam mail>
The last Received header (the one at the top) is for your end. They get
prepended to the header section as the message passes through each mail
server. When tracing them down to the sender's server, some
spammers will insert bogus headers hoping you think their spam
originated from elsewhere. In tracing through them (and changing the
'by' and 'from' clause order to more easily see that the following
Received header's 'from' clause is the same as the prior Received
header's 'by' clause, and getting rid of what is after 'with' since that
doesn't help with tracking), they look like:

Received:
by md03.rcn.cmh.synacor.com with ...
from mx01.rcn.cmh.synacor.com (LHLO mx.rcn.com) (10.33.3.179)
Received:
from [38.102.228.57] ([38.102.228.57:4487]
(from = Bigfoot - perhaps Synacor added this header)
Received:
by LITEMAIL57.bigfoot.com (LiteMail v3.03(LITEMAIL57)) with ...
(internal processing by Bigfoot, so no 'from' clause)
Received:
by litemail17.bigfoot.net with ...
from mta21.email2.microsoft.com ([136.147.186.21]) <--.
Received: |-- these match
by mta21.email2.microsoft.com id hmef9q163hss <--'
for <***@bigfoot.com> ...(envelope-from
<bounce-35_HTML-1647051933-16695-7227104-***@bounce.email.skype.com>)

I don't see an obvious bogus header but the scammer hides behind
Bigfoot. Looks like someone using Skype (Microsoft) sent the e-mail to
a Bigfoot account that is configured to redirect e-mails sent to it so
they go to you. I haven't used Bigfoot in many years. When I used it,
it was just a redirection service used to hide your true e-mail address
but when receiving e-mail; i.e., you gave out your Bigfoot e-mail
address and Bigfoot redirected the e-mail to your true e-mail account;
however, any replies to such redirected e-mails originated from your
true account, so Bigfoot wasn't a very good forwarding service (only
incoming mails hide your true account but replies exposed your true
account).

I don't use Skype but the first Received header indicates it was a
bounce, so the spammer deliberately bounced a message, like they sent to
Bigfoot which sent to Skype (which you won't see in this message's
headers) which bounced back to Bigfoot which then redirected to you.
Maybe Bigfoot now allows mailing lists, so bouncing back to Bigfoot
would send the bounce to the mailing list. I doubt a spammer would
dedicate a Bigfoot account just to you.

Synacor/RCN must be associated with your e-mail provider (perhaps e-mail
service from your ISP) as that is the last Received header. For proper
Received header tracking, Synacor should've added a Received header
with a 'from' clause showing Bigfoot and a 'by' clause showing their own
server that received the message from Bigfoot.

Looks like the scammer used Bigfoot to send to Skype with a deliberately
invalid target knowing it would bounce back to Bigfoot which would
return the bounced message to multiple accounts. From:

https://ef.bigfoot.com/ef/en/infopage.jsp?show=forwarding.default

the free account would be too limited for a scammer or spammer: just 50
messages per day. The premium account allows power forwarding
(https://ef.bigfoot.com/ef/en/infopage.jsp?show=forwarding.default#4)
which might be how the scammer gets Bigfoot to send bounces back to
multiple targets. That means you could complain to Bigfoot about the
spam/scam message using ***@Bigfoot.com to get them to kill that
account (if they keep logs or the To header in Skype's bounce is valid).
Post by micky
So, does this look real?
No.
Post by micky
How suspicious is it that they tried so hard
to hide the headers? The Skype page about phishing says that
email.skype.com is one of their 7 genuine domains, but can't a phisher
use any from address he wants?
Looks like a deliberate bounce by the spammer. Send to an invalid
target at Skype, Skype sends a bounce, the sending server returns the
bounce where configured (which lists multiple "owning" accounts and how
the spammer targets a mailing list).

It's been a long time since I inhabited the alt.spam newsgroups but, as
I recall, there are folks there that may be more expert at parsing the
headers in an e-mail. You'll have to filter out all the Google Groupers
(since those are spammers dumping their turds in that newsgroup).

I tried to submit the headers to Spamcop.net's parser but your copy here
was too mangled. Note: If your newsreader can NOT wrap lines for some
lines then do that for the headers you copy into your message here. I
gave up trying to edit the headers so the parser could understand them.
You could open a free account at Spamcop.net and submit a report. When
you enter the suspect e-mail's headers and body, they will parse it to
show how they traced through the headers.
Post by micky
BTW, who named phishing phishing? Surely not the phishermen?
https://en.wikipedia.org/wiki/Phishing

"fishing" misspelled but phonetically the same as "phishing", as in
"phishing for suckers" (yep, there are fish called suckers).
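The Received-header walk described in the posts above (each header's 'from' clause compared with the 'by' clause of the header below it), as an added example that is not part of the original thread. The first sample is the set of Received headers posted in this thread, unfolded and redacted as on the page; the second message and the function names are constructed for illustration.

```python
import email
import re

# Received headers from the message posted in this thread ("***" as on the page).
POSTED_HEADERS = """\
Received: from mx01.rcn.cmh.synacor.com (LHLO mx.rcn.com) (10.33.3.179)
 by md03.rcn.cmh.synacor.com with LMTP; Tue, 2 Oct 2018 12:36:48 -0400 (EDT)
Received: from [38.102.228.57] ([38.102.228.57:4487]
 helo=litemail57.bigfoot.com) by mx.rcn.com (envelope-from
 <bounce-35_html-1647051933-16695-7227104-***@bounce.email.skype.com>)
 (ecelerity 3.6.25.56547 r(Core:3.6.25.0)) with ESMTP
 id EC/D2-10158-F9E93BB5; Tue, 02 Oct 2018 12:36:48 -0400
Received: by LITEMAIL57.bigfoot.com (LiteMail v3.03(LITEMAIL57)) with
 SMTP id 1810020935_LITEMAIL57_7662224_10221386;
 Tue, 02 Oct 2018 09:36:46 -0700
Received: from mta21.email2.microsoft.com ([136.147.186.21])
 by litemail17.bigfoot.net with SMTP id 1538497996.12200;
 Tue, 02 Oct 2018 12:33:18 -0400
Received: by mta21.email2.microsoft.com id hmef9q163hss for
 <***@bigfoot.com>; Tue, 2 Oct 2018 16:32:13 +0000 (envelope-from
 <bounce-35_HTML-1647051933-16695-7227104-***@bounce.email.skype.com>)
Subject: A Skype update may be required

"""

# Constructed sample: the bottom header was written by the sender, not by a
# mail server, so the real first hop's 'from' does not line up with it.
CONSTRUCTED_FORGED = """\
Received: from mail.sender.example ([203.0.113.9])
 by mx.recipient.example with ESMTP; Tue, 02 Oct 2018 12:00:00 -0400
Received: from workstation.bank.example by smtp.bank.example with SMTP;
 Tue, 02 Oct 2018 11:59:00 -0400
Subject: constructed sample

"""

# Require whitespace (or start of value) before the keyword so that
# "(envelope-from <...>)" is not mistaken for a 'from' clause.
FROM_RE = re.compile(r"(?:^|\s)from\s+(\S+)", re.I)
BY_RE = re.compile(r"(?:^|\s)by\s+(\S+)", re.I)
HELO_RE = re.compile(r"\b(?:helo|ehlo|lhlo)[=\s]+([a-z0-9.\-]+)", re.I)


def host(token):
    return token.strip("[]()<>;").lower()


def parse_received(value):
    """Return the names a hop gives for its peer ('from') and for itself ('by')."""
    text = " ".join(value.split())          # undo header folding
    frm, by = FROM_RE.search(text), BY_RE.search(text)
    names = set()
    if frm:
        names.add(host(frm.group(1)))
        # HELO/LHLO names are supplied by the connecting side; they are kept
        # only as alternative spellings of the peer, not as proof of identity.
        names.update(h.lower() for h in HELO_RE.findall(text))
    return {"from": names, "by": host(by.group(1)) if by else None}


def trace(raw_message):
    """Walk the hops oldest-first and compare each 'by' with the next 'from'."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()      # servers prepend, so the bottom header is the earliest
    report = []
    for earlier, later in zip(hops, hops[1:]):
        if not later["from"]:
            verdict = "no-from"     # internal handoff: nothing to compare
        elif earlier["by"] in later["from"]:
            verdict = "match"
        else:
            verdict = "mismatch"    # chain does not connect at this point
        report.append((earlier["by"], sorted(later["from"]), verdict))
    return report


if __name__ == "__main__":
    for label, raw in (("posted", POSTED_HEADERS), ("constructed", CONSTRUCTED_FORGED)):
        print(label)
        for by, frm, verdict in trace(raw):
            print(f"  by {by} -> next from {frm or '-'}: {verdict}")
```

A "match" only says the chain is internally consistent; as the posts note, only the headers added by servers you trust (the topmost ones) can be relied on.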
Frank Slootweg
2018-10-02 19:54:21 UTC
VanguardLH <***@nguard.lh> wrote:
[...]
Post by VanguardLH
by md03.rcn.cmh.synacor.com with ...
from mx01.rcn.cmh.synacor.com (LHLO mx.rcn.com) (10.33.3.179)
from [38.102.228.57] ([38.102.228.57:4487]
(from = Bigfoot - perhaps Synacor added this header)
by LITEMAIL57.bigfoot.com (LiteMail v3.03(LITEMAIL57)) with ...
(internal processing by Bigfoot, so no 'from' clause)
by litemail17.bigfoot.net with ...
from mta21.email2.microsoft.com ([136.147.186.21]) <--.
Received: |-- these match
by mta21.email2.microsoft.com id hmef9q163hss <--'
I don't see an obvious bogus header but the scammer hides behind
Bigfoot.
No, Bigfoot very likely is micky's MSP, because his From: line (of his
post) says '***@bigfoot.com'.

[...]
Post by VanguardLH
I don't use Skype but the first Received header indicates it was a
bounce, so the spammer deliberately bounced a message, like they sent to
Bigfoot which sent to Skype (which you won't see in this message's
headers) which bounced back to Bigfoot which then redirected to you.
I just checked my mail archive and in August 2017, I got a similar
(legit) email message from Skype with a similar Received: header:

Received: by mta9.email2.microsoft.com id hksgus163hs2 for
<frank.slootweg@<NOYB>.<TLD>>; Wed, 30 Aug 2017 20:37:01 +0000
(envelope-from
<bounce-35_HTML-1209483855-13346-7227104-***@bounce.email.skype.com>)

My message went directly from mta9.email2.microsoft.com to my MSP, so
the header was *not* forged.

[...]
Post by VanguardLH
Post by micky
So, does this look real?
No.
I think it does (look real) and you got off on the wrong (Big)foot! :-)

BTW, in my response to micky I said that the first/bottom 'Received:'
header was hard to forge. I of course meant the last/top one.

[...]
VanguardLH
2018-10-03 01:38:40 UTC
Post by Frank Slootweg
[...]
Post by VanguardLH
by md03.rcn.cmh.synacor.com with ...
from mx01.rcn.cmh.synacor.com (LHLO mx.rcn.com) (10.33.3.179)
from [38.102.228.57] ([38.102.228.57:4487]
(from = Bigfoot - perhaps Synacor added this header)
by LITEMAIL57.bigfoot.com (LiteMail v3.03(LITEMAIL57)) with ...
(internal processing by Bigfoot, so no 'from' clause)
by litemail17.bigfoot.net with ...
from mta21.email2.microsoft.com ([136.147.186.21]) <--.
Received: |-- these match
by mta21.email2.microsoft.com id hmef9q163hss <--'
I don't see an obvious bogus header but the scammer hides behind
Bigfoot.
No, Bigfoot very likely is micky's MSP, because his From: line (of his
[...]
Post by VanguardLH
I don't use Skype but the first Received header indicates it was a
bounce, so the spammer deliberately bounced a message, like they sent to
Bigfoot which sent to Skype (which you won't see in this message's
headers) which bounced back to Bigfoot which then redirected to you.
I just checked my mail archive and in August 2017, I got a similar
Received: by mta9.email2.microsoft.com id hksgus163hs2 for
(envelope-from
My message went directly from mta9.email2.microsoft.com to my MSP, so
the header was *not* forged.
[...]
Post by VanguardLH
Post by micky
So, does this look real?
No.
I think it does (look real) and you got off on the wrong (Big)foot! :-)
BTW, in my response to micky I said that the first/bottom 'Received:'
header was hard to forge. I of course meant the last/top one.
[...]
You could be correct if micky is using Bigfoot. If so, Bigfoot is
forwarding the e-mail to micky's real e-mail provider (Synacor/RCN) and
the first Received header is from an MS server to micky's Bigfoot
account. Odd that MS would use a server with a hostname of bounce (in
the envelope data showing the sender). From micky's copy of the headers
and his post here, looks like he has more than one Bigfoot account
(misc07 and mm2005). If they were his own accounts, I'd have thought
micky would've munged those out to prevent his own Bigfoot accounts from
getting harvested. Nothing to munge out in Synacor/RCN's Received
header to identify his account there.

Seeing the message body would also indicate if the e-mail were a scam or
authentic by looking at to where the hyperlinks point.

Other than the e-mail issue, according to the wikipedia article there
are different versions of Skype depending on whether you get the client
program or the UWP app.

On another issue, micky showed the following header:

Authentication-Results: mx01.rcn.cmh.synacor.com
header.DKIM-Signature=***@email.skype.com; dkim=permfail (body hash
did not verify)

The message got modified in transit. Makes me wonder if micky's Bigfoot
account is adding a signature or otherwise modifying the original
message so its hash got changed.
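Why a change made in transit produces "dkim=permfail (body hash did not verify)", as an added example that is not part of the original thread. It implements only the body-hash step of DKIM (RFC 6376 relaxed body canonicalization, then the hash named in a=), not the RSA signature check; the message body, the banner, the d= and s= values and the function names are constructed, and only the a= and c= tags are taken from the posted DKIM-Signature.

```python
import base64
import hashlib
import re

# Constructed message body and a constructed banner of the kind a
# forwarding service might prepend.
ORIGINAL_BODY = b"Hello,\r\n\r\nA Skype update may be required.  \r\n\r\n"
BANNER = b"[Forwarded by example forwarding service]\r\n"


def relaxed_body(body):
    """RFC 6376 section 3.4.4: relaxed body canonicalization."""
    # Simplification: bare LF is treated like CRLF before processing.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of space/tab to one space, drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    # Every remaining line ends in CRLF; an empty body stays empty.
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body, algo="sha1"):
    if algo not in ("sha1", "sha256"):
        raise ValueError("unsupported hash: " + algo)
    digest = hashlib.new(algo, relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(dkim_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in dkim_value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())   # folding whitespace is not significant
    return tags


def body_hash_verifies(dkim_value, body):
    """Recompute bh= over the body as received and compare with the signed value."""
    tags = parse_tags(dkim_value)
    algo = tags["a"].split("-", 1)[1]                  # "rsa-sha1" -> "sha1"
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"
    if body_canon != "relaxed":
        raise NotImplementedError("only relaxed body canonicalization is shown here")
    return body_hash(body, algo) == tags["bh"]


def make_signature_header(body):
    # Constructed header: a= and c= as in the posted message; d=, s= and b=
    # are placeholders because the RSA step is out of scope.
    return ("v=1; a=rsa-sha1; c=relaxed/relaxed; s=selector;\r\n"
            " d=sender.example; bh=" + body_hash(body) + ";\r\n"
            " b=PLACEHOLDER")


if __name__ == "__main__":
    header = make_signature_header(ORIGINAL_BODY)
    respaced = b"Hello,\r\n\r\nA Skype   update may be required.\r\n\r\n\r\n"
    print("as sent:          ", body_hash_verifies(header, ORIGINAL_BODY))
    print("whitespace only:  ", body_hash_verifies(header, respaced))
    print("banner prepended: ", body_hash_verifies(header, BANNER + ORIGINAL_BODY))
```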
micky
2018-10-03 07:26:01 UTC
In comp.mail.eudora.ms-windows, on Tue, 2 Oct 2018 20:38:40 -0500,
Post by VanguardLH
You could be correct if micky is using Bigfoot. If so, Bigfoot is
forwarding the e-mail to micky's real e-mail provider (Synacor/RCN) and
the first Received header is from an MS server to micky's Bigfoot
account. Odd that MS would use a server with a hostname of bounce (in
the envelope data showing the sender). From micky's copy of the headers
and his post here, looks like he has more than one Bigfoot account
(misc07 and mm2005).
Yes, I have several. (Sorry it took all day to get back to you about
this.)

I was going to use different ones for different purposes, but it didn't
really work out well. And I shouldn't badmouth bigfoot, which has not
charged me for 15 or 20 years, but they've had outages, for 2 to 4 days,
2 or 3 times, and I think once for 6 weeks. I don't know if they
affected paying customers or not, but I suspect they did, because the
outages didn't come with a request to start paying.

I was going to delete one address if it got too much spam, but then I'd
use one address for two or more purposes so if I deleted it, I wouldn't
get the emails I wanted. So I never deleted any of them.
Post by VanguardLH
If they were his own accounts, I'd have thought
micky would've munged those out to prevent his own Bigfoot accounts from
getting harvested.
Good point there. I did with one instance, but I see now that I missed
the other one. Just didn't see it.
Post by VanguardLH
Nothing to munge out in Synacor/RCN's Received
header to identify his account there.
Seeing the message body would also indicate if the e-mail were a scam or
authentic by looking at to where the hyperlinks point.
Other than the e-mail issue, according to the wikipedia article there
are different versions of Skype depending on whether you get the client
program or the UWP app.
Yes, that must be where the conflict in version numbers comes from.
Years ago I searched for Skype in my windows and then created a shortcut
for it that I pinned to the taskbar, plus I think I updated it before as
if it were not a windows-embedded program, and so gradually I forgot
that it was part of windows.
Post by VanguardLH
Authentication-Results: mx01.rcn.cmh.synacor.com
did not verify)
The message got modified in transit. Makes me wonder if micky's Bigfoot
account is adding a signature or otherwise modifying the original
message so its hash got changed.
Aha. For years it didn't do anything, but for the last 2 years or so
it sometimes** adds a banner at the top, and it did that in this case. I
didn't know until you just said it that that could make hashes not
match.

**I don't know why sometimes it does and sometimes it doesn't. Maybe
it depends on how many emails I've gotten in a month with each one.
Bigfoot is very generous and I'd recommend it if it weren't for outages.

But I have to read the thread again much more slowly to really
understand it. I'll post back in a day or two.
VanguardLH
2018-10-03 11:11:10 UTC
Post by micky
Post by micky
Authentication-Results: mx01.rcn.cmh.synacor.com
did not verify)
The message got modified in transit. Makes me wonder if micky's
Bigfoot account is adding a signature or otherwise modifying the
original message so its hash got changed.
Aha. For years it didn't do anything, but for the last 2 years or so
it sometimes** adds a banner at the top, and it did that in this case. I
didn't know until you just said it that that could make hashes not
match.
**I don't know why sometimes it does and sometimes it doesn't. Maybe
it depends on how many emails I've gotten in a month with each one.
Bigfoot is very generous and I'd recommend it if it weren't for outages.
But I have to read the thread again much more slowly to really
understand it. I'll post back in a day or two.
I remember looking at another forwarding service (forget its name but
think they disappeared since then - maybe it was SpamMotel) where they
added a statistics banner to the top of the forwarded e-mail. The
problem is that it would corrupt digitally signed e-mails. Not
necessarily encrypted e-mails but those where the sender hashed their
e-mail using an e-mail certificate to create a digital signature. Any
modification of the e-mail would invalidate the digital signature.

The same can happen using anti-virus software that appends a fake
signature onto outgoing e-mails, like Avast and others. The signature
is fake because it is not a valid signature delimiter line, like 3
dashes and a newline instead of 2 dashes, a space, and then a newline.
When the client composes the e-mail and digitally signs it (by computing
a hash to record in the header) using the certificate added to that
client, it then passes through the AV's proxy to get modified to add the
fake signature. The client's hash is no longer valid after the
modification to later add the fake signature which is spam promoting the
AV program hence spamifying the sender's outbound e-mails.

Anything that watermarks an e-mail outside the client that digitally
signed it will invalidate the digital signature. In the aforementioned
forwarding service, there was an option of whether or not to add the
statistics banner to e-mails that they forwarded to my real account.
Maybe Bigfoot has a similar user-configurable switch.

A long time back I played with Bigfoot. As a forwarding service, they
were okay. However, as an anonymizing forwarding service, they sucked.
E-mails forwarded through them were as-is to your real account. If you
replied to those e-mails, the replies originated from whatever accounts
you configured in your e-mail client, so it's highly likely your real
account got exposed in the headers because the origination for your
reply was through your own real account. While the Received headers
would show your reply came from your real account instead of from
Bigfoot, your client may be adding headers showing through which account
your reply was sent. Your real account might also add headers at the
server to identify the sender. In contrast, Spamgourmet (free and paid)
and SpamEx (paid only - they dropped their free accounts a long time
ago). Spamgourmet lets me create aliases on the fly. SpamEx required
me to log into my account there to create the alias. When SpamEx had
free accounts although crippled (but with quotas well above my typical
e-mail volume), I used them. When they discarded the free accounts, I
moved to Spamgourmet who, by the way, is used by several companies to
provide aliased forwarding services, like at Craigslist.

Another problem with Bigfoot is that a lot of sites refuse to allow you
to use those forwarding services. Sometimes I hit one that refuses to
let me use a Spamgourmet forwarding alias. They want a real account.
For example, when registering an account at many web-based forums, they
won't let me use a forwarding service. Those are blacklisted by the
forum sites. Some won't even let you use Gmail or Hotmail because those
are free accounts, and the forum wants you using something like your ISP
e-mail service. I learned a long time ago to protect my real e-mail
address, so the first e-mail address that I give any site regardless of
how well they are known is an aliased forwarding e-mail address, like
with Spamgourmet. I've had stores start spewing spam at me because,
for example, I wanted them to notify me when a ship-to-store purchase
was ready for pickup. Only after they've proven non-spammy after about
6 months do I update my account with them to reflect my real e-mail, or
sometimes all they ever get is the alias.

Another problem with Bigfoot is they seem to batch up the forwards to
your real account. That is, they will receive several e-mails before
they get around to forwarding them to your real account. As I recall,
their batch interval was 1 hour. That was for the free account that I
had with them back then.

While not true of Bigfoot, Spamgourmet, SpamEx or true aliased
forwarding e-mail providers, some services (e.g., MailDrop) dump your
e-mails into a pool that other users can see if they know or guess your
e-mail address used at that service, so your e-mails aren't private.
I've seen this mostly with several disposable e-mail services. I
remember Gmail trying to allow disposable e-mail addresses by simply
appending something like +alias to the username. Yeah, like folks told
to use user+***@hotmail.com can't figure out your true account.

All e-mail services have outages. Sometimes their fault, like their
equipment going down or they do maintenance, and sometimes not their
fault, like a webhosting service going down or the server at a
contracted service going down. Bigfoot may have gone down occasionally
but I've also had temporary outages at Spamgourmet, SpamEx, my ISP,
and even Hotmail (although it's been a few years since that last
happened).
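The "dkim=permfail (body hash did not verify)" result discussed in this thread, as an added example that is not part of the original posts: it recomputes the DKIM bh= body hash (RFC 6376 body canonicalization, sha256) over a constructed message body and shows which in-transit changes break it. The sample body, banner, and footer text are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed sample body and forwarder banner (not taken from the thread).
ORIGINAL = b"A Skype update may be required.\r\nAccount Name: example\r\n"
BANNER = b"*** forwarded by example-forwarder ***\r\n"


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs, strip line-end WSP, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon: str) -> str:
    """Value a signer records in bh= (sha256, base64) for this canonicalization."""
    canon_fn = {"simple": canon_simple, "relaxed": canon_relaxed}[canon]
    return base64.b64encode(hashlib.sha256(canon_fn(body)).digest()).decode()


def survives(modified: bytes, canon: str) -> bool:
    """True if a verifier recomputing bh= over `modified` still matches the signer's."""
    return body_hash(modified, canon) == body_hash(ORIGINAL, canon)


CASES = {
    "banner prepended": BANNER + ORIGINAL,
    "footer appended": ORIGINAL + b"---\r\nScanned by example AV\r\n",
    "blank lines appended": ORIGINAL + b"\r\n\r\n",
    "trailing spaces added": ORIGINAL.replace(b"required.\r\n", b"required.  \r\n"),
}


def report() -> dict:
    """Map each modification to whether the body hash still verifies."""
    return {name: {c: survives(body, c) for c in ("simple", "relaxed")}
            for name, body in CASES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:24} simple={result['simple']!s:5} relaxed={result['relaxed']!s:5}")
```

Only changes the canonicalization is designed to ignore (trailing blank lines, and whitespace runs under relaxed) leave the hash intact; any added banner or footer text produces the permfail seen in the header.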
Frank Slootweg
2018-10-03 17:54:32 UTC
Yesterday, I wrote:
[...]
Post by Frank Slootweg
I just checked my mail archive and in August 2017, I got a similar
Received: by mta9.email2.microsoft.com id hksgus163hs2 for
(envelope-from
My message went directly from mta9.email2.microsoft.com to my MSP, so
the header was *not* forged.
I just got another 'A Skype update may be required' e-mail notification.

It's similar to the above mentioned August 2017 one and similar to
micky's.

Also this one went directly from mta40.email2.microsoft.com to my MSP.

I checked the links in this e-mail and they all point to skype.com,
i.e. legit.

Note to micky: The 'From:' line is my correct e-mail address, i.e. the
e-mail address in my Skype Account and the body of the message contains
my correct 'Account Name:' (i.e. my Skype Name).

Conclusion: The e-mails are legit.
Dennis Lee Bieber
2018-10-02 20:17:25 UTC
Post by micky
Received: from mx01.rcn.cmh.synacor.com (LHLO mx.rcn.com) (10.33.3.179)
by
md03.rcn.cmh.synacor.com with LMTP; Tue, 2 Oct 2018 12:36:48 -0400
(EDT)
C:\Users\Wulfraed>tracert email.skype.com

Tracing route to email.skype.com [136.147.129.27]
over a maximum of 30 hops:

Note the IP number...

C:\Users\Wulfraed>tracert 136.147.129.27

Tracing route to reply-mx.s7.exacttarget.com [136.147.129.27]
over a maximum of 30 hops:

Note the primary domain name associated with that IP number

https://www.crunchbase.com/organization/exacttarget
"""
ExactTarget, Inc. is a provider of on-demand email marketing software
solutions. Their suite of on-demand one-to-one marketing applications
enables clients to send business-critical and event-triggered
communications to increase sales, optimize marketing investments, and
strengthen customer relationships. They offer four editions of their
on-demand software application along with integrated solutions such as
ExactTarget for AppExchange and ExactTarget for Microsoft Dynamics CRM.
"""

Might be real, though the idea that Skype has to subcontract their
email services -- especially as I believe Skype is now owned by M$
themselves -- is a bit boggling.
Post by micky
X-Received-HELO: from [38.102.228.57] (helo=litemail57.bigfoot.com)
Authentication-Results: mx01.rcn.cmh.synacor.com
spf=fail; sender-id=fail
Authentication-Results: mx01.rcn.cmh.synacor.com
did not verify)
Authentication-Results: mx01.rcn.cmh.synacor.com
Received-SPF: fail (mx01.rcn.cmh.synacor.com: domain
bounce.email.skype.com does not designate 38.102.228.57 as permitted
sender)
Three possible fails by some intermediate.
Post by micky
Received: from mta21.email2.microsoft.com ([136.147.186.21])
by litemail17.bigfoot.net with SMTP id 1538497996.12200;
Tue, 02 Oct 2018 12:33:18 -0400
Though that does claim to be a M$ mail agent.
Post by micky
Received: by mta21.email2.microsoft.com id hmef9q163hss for
but bounce.email.skype.com does not resolve to an IP number...
Complaints go to a GERMAN host?
Post by micky
So, does this look real? How suspicious is it that they tried so hard
to hide the headers? The Skype page about phishing says that
email.skype.com is one of their 7 genuine domains, but can't a phisher
use any from address he wants?
See my comment about being boggled.


However, the v12 vs v8/v7 matter?

https://answers.microsoft.com/en-us/skype/forum/skype_win10-skype_messms-skype_instamessms/skype-versions-12-v-8/419d97cd-06df-4d16-ae7e-1ff3986b6640


Skype v8 is a full standalone application -- but...

https://support.skype.com/en/faq/fa10328/what-are-the-system-requirements-for-skype?platform=mac?q=system

seems to be limited as to Win10 editions it will run on (My Win10 Pro is
1803 which appears to mean Skype v14 is required -- though I just started
Skype and after fiddling with logging in got to an "about" that shows v12)

https://support.skype.com/en/faq/fa10328/what-are-the-system-requirements-for-skype

just says it is "preinstalled" on "Anniversary Edition" and higher, doesn't
specify 12/14/whatever. (I also have a "Skype for Business" that I think
came with Office 2016)
--
Wulfraed Dennis Lee Bieber AF6VN
***@ix.netcom.com HTTP://wlfraed.home.netcom.com/
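The Received-SPF failure quoted in this thread, as an added example that is not part of the original posts: a small SPF evaluator (ip4/ip6/all mechanisms only) run against the two connecting IPs that appear in micky's headers. The SPF record is constructed for illustration; the real record for bounce.email.skype.com is not shown in the thread.

```python
import ipaddress

# Constructed SPF record (assumption): authorizes only the sender's own range.
SPF_RECORD = "v=spf1 ip4:136.147.186.0/24 -all"

# Connecting hosts and IPs as they appear in the quoted headers.
HOPS = [
    ("mta21.email2.microsoft.com", "136.147.186.21"),  # sender -> forwarder
    ("litemail57.bigfoot.com", "38.102.228.57"),       # forwarder -> final MX
]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record: str, client_ip: str) -> str:
    """Evaluate an SPF record against the IP that opened the SMTP connection."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        else:
            # include/a/mx/exists need DNS lookups; out of scope for this sketch.
            raise ValueError(f"mechanism not handled here: {name}")
    return "neutral"  # no mechanism matched and no "all" term


def evaluate_path() -> list:
    """SPF verdict each receiving server would reach for the same envelope sender."""
    return [(host, spf_result(SPF_RECORD, ip)) for host, ip in HOPS]


if __name__ == "__main__":
    for host, verdict in evaluate_path():
        print(f"{host:32} {verdict}")
```

The envelope sender stays the same across both hops, but the final server checks the forwarder's IP, so the forwarded copy fails SPF even though the first hop would have passed.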