The First Phishing Email I Almost Fell For

By Rich

Like many of you, I get a ton of spam/phishing email to my various accounts. Since my email address is very public, I get a little more than most people. It’s so bad that I use three layers of spam/virus filtering (one cloud-based filter [Postini, which will probably change soon], one on-premise UTM [Astaro], and SpamSieve on my Mac) and still have some messages slip through. If something gets through all of that, I still have some additional precautions on my desktop to (hopefully) help against targeted malware. Despite all that, I assume that someday I’ll be compromised, and it will probably be ugly.

This morning I got the first phishing email in a very long time that almost tricked me into clicking. It came from “Administrator” at one of my hosts and read:


On October 22, 2009 server upgrade will take place. Due to this the system may be offline for approximately half an hour. The changes will concern security, reliability and performance of mail service and the system as a whole. For compatibility of your browsers and mail clients with upgraded server software you should run SSl certificates update procedure. This procedure is quite simple. All you have to do is just to click the link provided, to save the patch file and then to run it from your computer location. That’s all.

http://updates.[cut for safety]

Thank you in advance for your attention to this matter and sorry for possible inconveniences.

System Administrator

Two things tipped me off. First, that system is a private one administered by a friend. While he does send updates like this out, he always signs them with his name. Second, the URL is clearly not really that domain (but you have to read the entire thing). And finally, it leads to an Active Server Pages domain, which that administrator never uses since our system is *nix based.
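The three markers above (no personal signature, a URL whose host only starts with the expected domain, and a link to an Active Server Pages file on a *nix host) are the kind of thing a mail gateway rule or a quick triage script can catch mechanically. The following is an added example, not code from the original post: it parses a constructed sample message that mirrors the one quoted above (all domains are placeholders, and the administrator's name "Bob" is assumed), and returns a list of findings for each marker. The `registrable_domain` helper deliberately uses the simplified "last two labels" rule; production code should consult the Public Suffix List (for example via the `tldextract` package).

```python
"""Flag the phishing markers from the post in a raw RFC 822 message.

Added example, not from the original post. SAMPLE_PHISH and SAMPLE_LEGIT are
constructed messages; every domain and name in them is a placeholder.
"""
import email
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample mirroring the quoted phish: generic "Administrator" sender,
# a host that merely *begins with* the real domain, and an .asp "patch" link.
SAMPLE_PHISH = """\
From: Administrator <admin@example.org>
To: rich@example.net
Subject: server upgrade

On October 22, 2009 server upgrade will take place. For compatibility of your
browsers and mail clients you should run SSL certificates update procedure.
All you have to do is click the link, save the patch file and run it.

http://updates.example.org.updates-mirror.example/ssl/certupdate.asp

Thank you in advance for your attention to this matter.

System Administrator
"""

# Constructed sample of the real admin's style: own name, own domain, no payload.
SAMPLE_LEGIT = """\
From: Bob <bob@example.org>
To: rich@example.net
Subject: SSL cert rotated after upgrade

New cert is in place; details at https://example.org/status/ssl-notes

Bob
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Extensions a *nix-hosted mail server would never legitimately point users at.
RISKY_SUFFIXES = (".asp", ".aspx", ".exe", ".scr", ".zip")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplified on purpose: real code should
    use the Public Suffix List (e.g. tldextract) so co.uk-style suffixes work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw: str, expected_domain: str, known_signer: str) -> list[str]:
    """Return one human-readable finding per marker; an empty list means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    findings: list[str] = []

    # Marker 1: the real admin always signs with his name, not a generic title.
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    last = lines[-1] if lines else ""
    if known_signer.lower() not in last.lower():
        findings.append(f"unsigned: last line {last!r} does not name {known_signer!r}")

    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        host = parts.hostname or ""
        # Marker 2: read the *whole* host. "updates.example.org.<other>" registers
        # under <other>, no matter how it starts.
        if registrable_domain(host) != expected_domain.lower():
            findings.append(
                f"link {url} is under {registrable_domain(host)}, not {expected_domain}"
            )
        # Marker 3: an ASP page or executable from a *nix-only host is a payload.
        path = parts.path.lower()
        if path.endswith(RISKY_SUFFIXES):
            ext = path.rsplit(".", 1)[-1]
            findings.append(f"link {url} delivers a .{ext} file")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample, "example.org", "Bob") or "clean")
```

Run with `python3 phish_markers.py`: the constructed phish yields three findings (unsigned, lookalike host, `.asp` payload) and the constructed legitimate notice yields none. The lookalike check is the one people skip under time pressure, which is exactly the "you have to read the entire thing" problem described above: the script compares the registrable domain from the right-hand end of the hostname instead of checking whether the hostname contains or starts with the expected one.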

But it was early in the morning, I hadn’t had coffee yet, and we often need to upgrade our SSL after a system update on this server, so I still almost clicked on it.

According to Twitter, this is a Zbot-generated message:

SecBarbie: RT @mikkohypponen ZBot malware being spammed out right now in emails starting “On October 22, 2009 server upgrade will take place” Ignore it.

Thanks Erin!

It’s interesting that despite multiple obvious markers that this was malicious, and my being very attuned to these sorts of things, I still almost clicked on it. It just goes to show how easy it is to screw up and make a mistake, even when you’re a paranoid freak who really shouldn’t be let out of the house.


I hear ya, reppep. While I do want to educate people who didn’t know the risks of clicking spam, if someone accidentally does it, I’m more than aware it happens either from being fooled or even just a finger twitching on the mouse at the wrong moment. So I try not to be too heavy-handed with my browbeating when it happens.

But it does illustrate my heavy leaning on technology controls for security. :)

By LonerVamp


What does “five nines reliability” (accuracy) get us for spam? Do you think you’ve received 100,000 spam email messages between all your accounts yet? I don’t track it any more, but I might have. Certainly for a medium-sized or large organization, that’s an easy threshold to reach. So if you have 99.999% successful detection, you’re still screwed.

It’s why I don’t call people ‘stupid’ if they get 0wned—maybe they were not clueful, or perhaps they were just unlucky, and their 15 minutes of infamy came a bit earlier than the fellow next door, but they’ll get theirs sooner or later…

By reppep
