Who knows of this email header stuff? - Printable Version
MacResource (https://forums.macresource.com)
Thread: Who knows of this email header stuff? (/showthread.php?tid=75226)

Who knows of this email header stuff? - olnacl - 03-27-2009

I got an email purporting to be from General Dynamics:

I am Preston Ward from General Dynamics. I have read your resume, and would like to schedule you for an interview. Would you be available for Tuesday, March 31st at 9:30 am?

Here's the header:

Received: by 10.220.90.209 with SMTP id j17cs41358vcm; Fri, 27 Mar 2009 09:58:17 -0700 (PDT)
Received: by 10.140.250.14 with SMTP id x14mr1162420rvh.278.1238173094414; Fri, 27 Mar 2009 09:58:14 -0700 (PDT)
Received: from QMTA05.emeryville.ca.mail.comcast.net (qmta05.emeryville.ca.mail.comcast.net [76.96.30.48]) by mx.google.com with ESMTP id c20si3967229rvf.30.2009.03.27.09.58.13; Fri, 27 Mar 2009 09:58:14 -0700 (PDT)
Received: from IMTA21.emeryville.ca.mail.comcast.net ([76.96.30.31]) by QMTA05.emeryville.ca.mail.comcast.net with comcast id YGgD1b0010gH3T8A5GyECJ; Fri, 27 Mar 2009 16:58:14 +0000
Received: from hq-ipt01.anteon.com ([198.185.182.20]) by IMTA21.emeryville.ca.mail.comcast.net with comcast id YGyD1b01w0SotAW0MGyEtv; Fri, 27 Mar 2009 16:58:14 +0000
Received: from unknown (HELO VA063-EXHTS01.ad.local) ([10.170.2.208]) by hq-ipt01.anteon.com with ESMTP; 27 Mar 2009 12:58:12 -0400
Received: from EXCHCCR04.ad.local ([10.170.2.241]) by VA063-EXHTS01.ad.local ([10.170.2.208]) with mapi; Fri, 27 Mar 2009 12:58:12 -0400
Return-Path:
Authentication-Results: mx.google.com; spf=neutral (google.com: 76.96.30.48 is neither permitted nor denied by best guess record for domain of preston.ward@gdit.com) smtp.mail=preston.ward@gdit.com
X-Authority-Analysis: v=1.0 c=1 a=MTmjX6jZAAAA:8 a=lpZBRPUhhVhz4yy1VhsA:9 a=uhlzo_9VjulXGPWm8tBEfszzNxAA:4 a=b8hG5vVbyAkA:10 a=pY9dDry7DuoA:10 a=lWMP2IL0qb0A:10 a=E_u-LQg7Fd8A:10 a=tF3KPsdErqw8qrG21SkA:7 a=iYwUIco-jaBuhw1F6lMFSWo_Ur4A:4 a=37WNUvjkh6kA:10
X-Sender-Ip: 10.170.2.208
X-Sender-Reputation: None
X-Ironport-Av: E=Sophos;i="4.38,433,1233550800"; d="scan'208,217";a="381040356"
Thread-Topic: General Dynamics - McChord AFB

I know from nothing about these headers but can't believe this is real as it's on the wrong coast (for me) for one, and sent to an address I don't use for job hunting. I have to think it's some sort of scam. Suggestions as to possible validity/scam, etc?

Re: Who knows of this email header stuff? - GGD - 03-27-2009

Looks real, it came from 198.185.182.20, which belongs to gdit.com, and the reply address will go back to gdit.com. Might be that they use OCR to scan resumes and mangled someone else's email address turning it into yours.

------------
Whois has started ...

OrgName: General Dynamics Information Technology, Inc.
OrgID: GDIT
Address: 3211 Jermantown Rd.
City: Fairfax
StateProv: VA
PostalCode: 22030
Country: US
NetRange: 198.185.182.0 - 198.185.182.255
CIDR: 198.185.182.0/24
NetName: GDIT-NET2
NetHandle: NET-198-185-182-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Assignment
NameServer: DNS1.GDIT.COM
NameServer: DNS2.GDIT.COM
NameServer: DNS3.GDIT.COM
Comment:
RegDate: 1994-01-13
Updated: 2007-05-25
OrgTechHandle: DNSAD189-ARIN
OrgTechName: dns-admin
OrgTechPhone: +1-703-246-0200
OrgTechEmail: dns-admin@gdit.com

# ARIN WHOIS database, last updated 2009-03-26 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Re: Who knows of this email header stuff? - olnacl - 03-27-2009

Thanks for that info. The email included a phone number that's in WA. I'd hate to miss on a potential job, but on the other hand, it IS on the wrong coast; there's a discrepancy between the name/location (but this is likely a head hunter and my last couple jobs were for companies that were located several states away from where I actually worked) and I'd hate to be the fool who replied and then got a scam letter. As I've been seeing an uptick on scam emails that have my correct name and email address, as this one does, I'm inclined to believe this is just another, but since there's no viagra, cialis etc being promoted...

Also, seems if they were interested in an interview at such short notice, they'd have called, as others have.

Re: Who knows of this email header stuff? - GGD - 03-27-2009

olnacl wrote:

A WA phone number makes sense since his subject line says that it's for McChord AFB (located in Washington state). All seems pretty consistent with being real other than the mystery of how he got your email address and if he really intended to contact you.

Re: Who knows of this email header stuff? - olnacl - 03-27-2009

Right. Thank you for your sleuthing. I did reply, thanking him for the opportunity to interview and requesting information on the position they are trying to fill. If they come back asking for my SSN and bank account numbers, well, I'll just have to believe it's a scam. On the other hand, I have worked as a contractor these past 11 years, getting my pay check from three different companies located far from the building in which I actually toiled. I appreciate your help.

Re: Who knows of this email header stuff? - Doc - 03-27-2009

It's got a faked sender address. It didn't come from General Dynamics. It came from a Comcast account. Also, no "Preston Ward" turns up in a search with General Dynamics.

The email address is in the correct format for their servers. (Mark.Meudt@gdit.com is a media-contact. Note the period separating the first and last name.)

The location of the sender is wrong. It should be coming from Virginia, not California.

...AND you never sent them a resume AND it came in at an address that you don't use for that kind of business.

Congratulations. You've just verified your email address for a spammer/phisher.

Re: Who knows of this email header stuff? - GGD - 03-27-2009

Doc wrote:

It got to Comcast from gdit. [198.185.182.20 (anteon.com is a General Dynamics company)

Received: from hq-ipt01.anteon.com ([198.185.182.20]) by IMTA21.emeryville.ca.mail.comcast.net with comcast id YGyD1b01w0SotAW0MGyEtv; Fri, 27 Mar 2009 16:58:14 +0000

My guess is that olnacl's email address that this was sent to is a comcast account (which might be forwarded to a gmail account based on the headers)

The sender's address is in exactly the form that you are saying it should be.

Return-Path:

So you're saying that General Dynamics is a phishing operation? From those email headers, exactly where is the phisher's email account that will receive this? Please expand upon how you came to that conclusion.

Re: Who knows of this email header stuff? - Doc - 03-27-2009

Damn! You're right. I read it backwards. :damnyou: My bad.

Even so, I stand by this:

...AND you never sent them a resume AND it came in at an address that you don't use for that kind of business.

Companies don't just stumble upon resumes and ask random people to come in for interviews. It may very well be a spammer or a bogus recruiter scheme run through a zombie PC on their network.

Re: Who knows of this email header stuff? - GGD - 03-27-2009

Doc wrote:

I agree that how they got his email address is a mystery, and if they even intended to contact him rather than someone else. But the phone number that was in the email might be another clue, if it's a number for some subdivision of GDIT in WA. It would seem unlikely that a phisher had control over an email account and a phone line at GDIT. That phone number and an email account at GDIT are the only ways to reply if this were a phisher.

But back to the original question about the origin of the email, I think we're both in agreement that it did originate from General Dynamics. Beyond that, everything about the contents of the message is pure speculation.

Re: Who knows of this email header stuff? - olnacl - 03-27-2009

Doc wrote:

OK, all the above is why I was concerned, but - my resume is out with more than one head hunter, some of whom I've had long term, mutually satisfactory arrangements with as a contractor. It is not impossible that one of them passed my resume on to another head hunter - it's happened before. Also, some of my former co-workers have passed my resume on to their headhunters. I got my last job through the recommendation of a former co-worker who moved to a new company prior to the work getting shipped to the Czech Republic.

I've sent no personal info other than, as Doc mentioned, a legitimate email address, but spammers have had that for years. While I appreciate the convenience of an address like firstname.lastname@wherever.com, I think that is an invitation to privacy invasion. It is the policy of at least my last employer and while there, I spent more time each morning deleting spam from my company mailbox than I did responding to interoffice communications. Once spammers figure out that mail gets to a corporate address it doesn't take a spammer brain surgeon to just try the same firstname.lastname followed by @ispname.com, .net, etc.

I'll post the results of all this (if any).
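
Added example, not part of the thread and not any poster's code: the header reading that GGD and Doc argue over, done in Python on the Received lines from the first post. It orders the hops oldest first, then finds the IP that the recipient's own provider recorded at hand-off and checks it against the CIDR in the whois output. The `TRUSTED` suffixes (deciding trust by hostname, following GGD's guess that the mailbox is Comcast forwarded to Gmail) and the `FORGED` sample are assumptions constructed for illustration.

```python
import ipaddress
import re

# Received lines copied from the message quoted in the thread (newest first).
RAW = """\
Received: by 10.220.90.209 with SMTP id j17cs41358vcm; Fri, 27 Mar 2009 09:58:17 -0700 (PDT)
Received: by 10.140.250.14 with SMTP id x14mr1162420rvh.278.1238173094414; Fri, 27 Mar 2009 09:58:14 -0700 (PDT)
Received: from QMTA05.emeryville.ca.mail.comcast.net (qmta05.emeryville.ca.mail.comcast.net [76.96.30.48]) by mx.google.com with ESMTP id c20si3967229rvf.30.2009.03.27.09.58.13; Fri, 27 Mar 2009 09:58:14 -0700 (PDT)
Received: from IMTA21.emeryville.ca.mail.comcast.net ([76.96.30.31]) by QMTA05.emeryville.ca.mail.comcast.net with comcast id YGgD1b0010gH3T8A5GyECJ; Fri, 27 Mar 2009 16:58:14 +0000
Received: from hq-ipt01.anteon.com ([198.185.182.20]) by IMTA21.emeryville.ca.mail.comcast.net with comcast id YGyD1b01w0SotAW0MGyEtv; Fri, 27 Mar 2009 16:58:14 +0000
Received: from unknown (HELO VA063-EXHTS01.ad.local) ([10.170.2.208]) by hq-ipt01.anteon.com with ESMTP; 27 Mar 2009 12:58:12 -0400
Received: from EXCHCCR04.ad.local ([10.170.2.241]) by VA063-EXHTS01.ad.local ([10.170.2.208]) with mapi; Fri, 27 Mar 2009 12:58:12 -0400
"""
# Constructed sample (not from the thread): the bottom line names the same origin, but Comcast saw another peer.
FORGED = """\
Received: from mail.example.net ([203.0.113.7]) by IMTA21.emeryville.ca.mail.comcast.net with comcast id X; Fri, 27 Mar 2009 16:58:14 +0000
Received: from hq-ipt01.anteon.com ([198.185.182.20]) by mail.example.net with ESMTP; 27 Mar 2009 12:58:12 -0400
"""
GDIT_NET = ipaddress.ip_network("198.185.182.0/24")  # CIDR from the whois output in the thread
TRUSTED = (".comcast.net", ".google.com")            # assumption: the recipient's own providers
HOP = re.compile(r"(?:from (?P<helo>\S+).*?\[(?P<ip>[\d.]+)\]\)\s+)?\bby (?P<by>\S+)")

def parse(raw):
    """One dict per Received line, in header order (newest first)."""
    return [HOP.search(l).groupdict() for l in raw.splitlines() if l.startswith("Received:")]

def path_oldest_first(raw):
    """Each relay prepends its own line, so time order is bottom to top."""
    return [hop["by"] for hop in reversed(parse(raw))]

def handoff_ip(raw, trusted=TRUSTED):
    """Walk down through the recipient-side relays and return the peer IP the
    outermost one recorded; lines below that were written by the sending side."""
    for hop in parse(raw):
        if hop["ip"] is None:                         # internal step, no peer recorded
            continue
        if not hop["by"].lower().endswith(trusted):
            return None                               # left the trusted relays without a hand-off
        if not hop["helo"].lower().endswith(trusted):
            return ipaddress.ip_address(hop["ip"])
    return None

if __name__ == "__main__":
    print(" -> ".join(path_oldest_first(RAW)))
    print(handoff_ip(RAW), handoff_ip(RAW) in GDIT_NET)
    print(handoff_ip(FORGED), handoff_ip(FORGED) in GDIT_NET)
```

For the message in the thread, the hand-off IP is the one Comcast's IMTA21 recorded, and it falls inside the GDIT range; in the constructed sample the bottom line is ignored because no recipient-side server wrote it.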