2.1. How to make a legitimate mail look like phishing

Spammers are trying really hard to make their mails look good so people read and click on the links. But what happens when legitimate companies screw up and their mails look like phishing?


Today I received a mail which at first glance came from “tvlicensing.co.uk”. They are trying to get me to sign up online. It does include a “license number”, and when I looked up my paper copy it turned out to be the same number. Did TV license lose lots of account details?


The real kicker here is that all the links in the e-mail point to an IP address, “213.212.107.11”. Yes, an IP address, not a domain name! Worse yet, the URL appears encoded/encrypted:

hxxp://213.212.107.11/CT000229NzgxODOA==.HTML?D=2017-04-27

The mail headers also include a bunch of different domains.

Received: from tc2tvliis001.services.adroot.ms ([10.30.22.3]) by mail02.tv-l.co.uk with Microsoft SMTPSVC(6.0.3790.3959); Thu, 27 Apr 2017 21:30:12 +0100

X-Virus-Scanned: CHECKING at iris.britewhite.net

Received-Spf: Pass (sender SPF authorized) identity=mailfrom; client-ip=213.212.107.11; helo=mail02.tv-l.co.uk; envelope-from=axciom@tv-l.co.uk;

So who is tv-l.co.uk? adroot.ms?

To be honest, at this point I’m really not sure if this is real or phishing. I don’t think I’ll be clicking on any of the links and will just ignore the mail. I suggest anyone else who sees this does the same.
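The two checks done by eye above (an SPF pass that covers a different domain than the visible sender, and links whose host is a bare IP address) can be scripted for mail triage. The following is an added example, not part of the original post: the header values are the ones quoted above, while the From address, the body wording and the function names are assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: header values are the ones quoted in the post; the From
# address and the body wording are assumptions. The link stays defanged (hxxp).
SAMPLE = """\
From: TV Licensing <noreply@tvlicensing.co.uk>
Received-Spf: Pass (sender SPF authorized) identity=mailfrom; client-ip=213.212.107.11; helo=mail02.tv-l.co.uk; envelope-from=axciom@tv-l.co.uk;

Sign up online: hxxp://213.212.107.11/CT000229NzgxODOA==.HTML?D=2017-04-27
"""

URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s\"'<>]+", re.I)


def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rpartition("@")[2].strip().lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    spf = msg.get("Received-SPF", "")
    m = re.search(r"envelope-from=([^;\s]+)", spf)
    env_dom = domain_of(m.group(1)) if m else ""
    # SPF authenticates the envelope sender, which the reader never sees.
    if env_dom and from_dom and env_dom != from_dom:
        verdict = spf.split()[0].lower() if spf else "none"
        findings.append(f"spf {verdict} covers {env_dom}, not From domain {from_dom}")
    body = msg.get_payload()
    for url in URL_RE.findall(body if isinstance(body, str) else ""):
        host = urlsplit(re.sub(r"^hxxp", "http", url, flags=re.I)).hostname or ""
        if is_ip_literal(host):
            findings.append(f"link host is a bare IP: {host}")
    return findings
```

Calling `triage(SAMPLE)` returns both findings for the constructed message; a message whose envelope and From domains match and whose links use host names returns an empty list.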