Hello folks,
Today, I got yet another call and email from someone claiming to be an account manager at Amazon. The phone number is a 204 telephone number That number iis: +1 204-515-6163 which belongs to Canada.
Here are the headers of the message I get.
Return-Path:
prvs=3706eb91e=znaahmed@amazon.com
Delivered-To:
Received: from cp1-daltx.nocwest.net
by cp1-daltx.nocwest.net with LMTP
id YHX3IyLMwWM/GAAAcL4iug
(envelope-from
prvs=3706eb91e=znaahmed@amazon.com)
for
jared@personal.jaredrimer.net
; Fri, 13 Jan 2023 16:24:50 -0500
Return-path:
prvs=3706eb91e=znaahmed@amazon.com
Envelope-to:
Delivery-date: Fri, 13 Jan 2023 16:24:50 -0500
Received: from smtp-fw-33001.amazon.com ([207.171.190.10]:21944)
by cp1-daltx.nocwest.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.96)
(envelope-from
prvs=3706eb91e=znaahmed@amazon.com)
id 1pGRXg-0001fp-1j
for
;
Fri, 13 Jan 2023 16:24:50 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=amazon.com;
i=@amazon.com
; q=dns/txt; s=amazon201209;
t=1673645089; x=1705181089;
h=from:to:subject:date:message-id:mime-version;
bh=1i0fnNhg8UFsIxYrYxKnZvkvXGSalzmivrtSmAol8CA=;
b=ajG1BxJsdvYKlp0arQZbIrwRqBTDwJW2HR1jPA8axoqJKiZKrdbZxFe9
SSf9i7fadCXpwFIyy6dKtYRVOHFzF7V7dnYM3k5tSdQAf6F+LkO7kteuz
CbGPCs0nJUAzWKIDmAJhdgnF/Y/74czdwDca+RjvtKU1vljf1a6NY4zaq
U=;
X-Amazon-filename: image001.png
X-IronPort-AV: E=Sophos;i=”5.97,214,1669075200″;
d=”png’150?scan’150,208,217,150″;a=”255036661″
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-iad-1d-m6i4x-b404fda3.us-east-1.amazon.com) ([10.43.8.6])
by smtp-border-fw-33001.sea14.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Jan 2023 21:24:02 +0000
Received: from EX13MTAUWB001.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan3.iad.amazon.com [10.40.163.38])
by email-inbound-relay-iad-1d-m6i4x-b404fda3.us-east-1.amazon.com (Postfix) with ESMTPS id F20FD83140
for
jared@personal.jaredrimer.net
; Fri, 13 Jan 2023 21:24:01 +0000 (UTC)
Received: from EX19D001UWA004.ant.amazon.com (10.13.138.251) by
EX13MTAUWB001.ant.amazon.com (10.43.161.207) with Microsoft SMTP Server (TLS)
id 15.0.1497.45; Fri, 13 Jan 2023 21:24:01 +0000
Received: from EX19D001UWA004.ant.amazon.com (10.13.138.251) by
EX19D001UWA004.ant.amazon.com (10.13.138.251) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1118.7;
Fri, 13 Jan 2023 21:24:01 +0000
Received: from EX19D001UWA004.ant.amazon.com ([fe80::2a53:56d5:307c:7d5]) by
EX19D001UWA004.ant.amazon.com ([fe80::2a53:56d5:307c:7d5%5]) with mapi id
15.02.1118.020; Fri, 13 Jan 2023 21:24:01 +0000
From: “Nasser, Ahmed [C]”
znaahmed@amazon.com
To:
“”
jared@personal.jaredrimer.net
Subject: Amazon Business
Thread-Topic: Amazon Business
Thread-Index: AdknlVrsCU59DjAszkO0V7StRi4lpA==
Date: Fri, 13 Jan 2023 21:24:01 +0000
Message-ID:
<>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.197.94.146]
Content-Type: multipart/related;
boundary=”004_222324030813470790d1510920740662amazoncom“;
type=”multipart/alternative”
MIME-Version: 1.0
Precedence: Bulk
X-Spam-Status: No, score=-9.6
X-Spam-Score: -95
X-Spam-Bar: ———
X-Ham-Report: Spam detection software, running on the system “cp1-daltx.nocwest.net”,
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: Hello , My name is Ahmed , account manager from Amazon Business.
I am contacting you today because you are currently using a Consumer account
which only allows you to purchase at retail prices.
Content analysis details: (-9.6 points, 5.0 required)
pts rule name description
—- ———————- ————————————————–
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: amazon.fr]
-0.0 SPF_PASS SPF: sender matches SPF record
-7.5 USER_IN_DEF_SPF_WL From: address is in the default SPF
welcome-list
0.0 HTML_MESSAGE BODY: HTML included in message
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author’s domain
-0.0 DKIMWL_WL_HIGH DKIMwl.org – High trust sender
X-Spam-Flag: NO
According to the Abuse IP database the IP 207.171.190.10
does belong to Amazon and is being used as an transit IP.
If you look at the DKIM section of the headers, it indicate that it is not signed.
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
While portions of the header indicate that it is valid, one portion shows amazon.fr, possibly another branch of amazon.
This gentleman is offering me Amazon Business. I get Email that greets me by name and talks about Amazon business, but i’ve not taken advantage of it because I don’t have an interest in it.
This email is a general greeting of Hello. He introduces himself and offers the service.
The HTML message for bullet points is spaced.
The link within the message at the end when using shft+f1 or context key, copy link shows a safe link that points to amazon.fr which again is a possible branch of amazon, yet there is something about the mail that is unsigned.
The final piece that I’m going to give you is the last line of the email. It says: znaahmed@amazonco
Now that, isn’t a valid email address! If you were a valid address, you’d put your address in correctly, now wouldn’t you?
Take a look at this, contact amazon and urge them to do something about this type of abuse. Don’t answer calls with this number. I did, was very courteous, yet I now get more phone calls. I believe this gentleman is not an Amazon employee and has taled on their network.
I’ve also sent this to Phishlabs for their review. I probably won’t get a response, but that is OK. I don’t need one. Let the comments begin.
Discover more from The Technology blog and podcast
Subscribe to get the latest posts sent to your email.
Shaun,
I will not engague with outside parties to deal with potential scammers. You are not aware that this is not the first time this person has contacted me. Amazon is aware of the situation and has documented information that I have given them. Things have been confirmed as of the call I made after posting this, and an investigation within the company will commense.
Wile it is probably fun for people to have other people contact scammers, verification using tools verifies it was sent by Amazon servers. I’m sorry, but this comment, while it could be helpful for fun purposes, doesn’t solve the overall problem and will probably not help in this case.
I can’t verify if the phone number is a valid phone number or a phone number used for outbound calls, but i have done verification of email which might not look good if the person is engaging in behavior Amazon condones if in fact they are an employee. I’m unclear if I am going to bring it up on TSB or not, but Amazon replied via twitter to lend assistance and provided me steps to get in touch with them via twitter.
Companies are monitoring for their name and brand now. We must be caucious on how we proceed. I do like the idea of contacting folks, but I get so much spam at jaredrimer.net that seems clearly spam that there is no phone number or other method for those. But this, is a different case I’m afraid.
have you tried to forward this to ?
The channel doesn’t get as much love as it once has and these guys aren’t the highest guys exactly but they have been in the business of taking em down or just playing round.
From what they share, etc they appear to have a wide network of baters some that don’t broadcast but some new faces on the system.
They have virtual machines, I think vpns and some network security at least they seem to be able to handle things.
They even have a dedicated number for spammers to get them and will accept other things.
I once had them let themselves right in and get the scammer to send a load of data for payment, etc.
Obviously they have their limit and do have to access other databases but they do enjoy murdering scammers and well they are australian so my neighbours if not cussins at least.
So yeah they exist.