Odd Microsoft email?

Mooncalf

I just received an e-mail from windowssecurity@email.microsoft.com that states:
*** PLEASE NOTE: Due to the critical importance of this message,
this communication is being sent to all of our Microsoft customers
to alert you of this Security Bulletin. ***

It has been widely reported in the press and on Microsoft's own web
site, that on July 16th we released a critical security bulletin
(MS03-026) and a patch regarding a vulnerability in the Windows
operating system. We wanted to make sure that if you were not aware
of this bulletin and corresponding patch that you take a moment to
go to http://www.microsoft.com/security/security_bulletins/ms03-026.asp
to find out if you are running an affected version of
the Windows operating system and get the specific information as to
what you need to do to apply this patch if you have not already.

Although we encourage you to pay attention to all security bulletins
and to deploy patches in a timely manner we wanted to call special
attention to this particular instance as we have become aware of
some activity on the internet that we believe increases the
likelihood of the exploitation of this vulnerability. Specifically,
code has been published on several web sites that would allow
someone to spread a worm/virus that takes advantage of the
vulnerability in question thereby impacting your
computing environment.

Although it is our goal to produce the most secure and dependable
products possible, we do become aware of these types of
vulnerabilities. In order to minimize the risks of such
vulnerabilities to your computing environment, we encourage you to
subscribe to the Windows Update service by going to
http://www.windowsupdate.com and also subscribe to Microsoft's
security notification service at
http://register.microsoft.com/subscription/subscribeme.asp?ID=xxx
if you have not already. By
subscribing to these two services you will automatically receive
information on the latest software updates and the latest security
notifications thereby improving the likelihood that your computing
environment will be safe from worms and viruses that occur.

We apologize for any inconvenience the implementation of this patch
might cause and appreciate you taking the time to update
your system.

Thank you,
Microsoft Corporation

The links that it contains don't correspond to the ones it says it directs you to. For example, all of them start with http://email.microsoft.com/m/s.asp? and then a string of digits, yet I know the actual bulletin is located at http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp.

Is this legitimate? E-mailing every MS customer?

 
Jan 31, 2002
40,819
2
0
Did you ever register anything with Uncle Bill?

Then he's got your email address, and can do whatever he wants with it.

- M4H
 

Mooncalf

Just signed up for the Tech Bulletins which I am hoping this is what this is but they have never contained links like this and normally correspond to the actual bulletins online.

Can't recall ever getting a "special message". Hoping others that subscribe to it can confirm if it is legitimate or not.
 

TheCorm

I have received an email that looked just like it had actually come from Microsoft....really well done but was a hoax to try and get people to mess their systems up....so be wary...can't confirm if it's legit or not.
 

Mooncalf

Well, if anyone else gets this then definitely don't click the links until someone can confirm one way or another (I didn't as I wasn't sure, already have the patch, and knew the link wasn't the actual bulletin).

If you are not sure you have the patch and want to read about it use the link I provided at http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp as that is the real bulletin. The links in the e-mail say where they go to as in the e-mail I provided above but the actual link when you hover over it doesn't correspond (even though Microsoft is mentioned in the url).
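The hover check described in this post can be automated. The following is an added example, not part of the original thread: it flags anchors whose visible text shows one URL while the `href` points to another. The sample HTML is constructed, and the digits after `s.asp?` are a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.I)

class LinkAudit(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Links whose displayed URL differs from the real target in host or path."""
    parser = LinkAudit()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = URL_IN_TEXT.search(text)
        if not shown:
            continue  # link text is not a URL, nothing to compare
        s, t = urlsplit(shown.group(0)), urlsplit(href)
        if (s.hostname, s.path.rstrip("/")) != (t.hostname, t.path.rstrip("/")):
            findings.append({"shown": shown.group(0), "target": href,
                             "host_differs": s.hostname != t.hostname})
    return findings

# Constructed sample modelled on the e-mail quoted in this thread.
SAMPLE = """
<p>go to <a href="http://email.microsoft.com/m/s.asp?000000">
http://www.microsoft.com/security/security_bulletins/ms03-026.asp</a></p>
<p><a href="http://www.windowsupdate.com">http://www.windowsupdate.com</a></p>
"""

if __name__ == "__main__":
    for finding in mismatched_links(SAMPLE):
        print(finding)
```

A mismatch alone does not prove forgery, because click-tracking redirects produce the same pattern; it tells you which links to verify before following them.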

 

beer

Our sysadmin confirmed this.

It looks legitimate and is a big windows glitch.
 

rudeguy

It's probably due to CNN's story about all the holes in XP. Either way, mark it as spam and move on.
 

Mooncalf

He confirmed the e-mail was legit (with the urls that don't match up with what they say nor the normal tech bulletin page for this patch) or that the patch is legit?

 

Shuxclams

It's not a good idea to click anything. Microsoft WOULD NEVER send an email to anyone. How would they know you're a W1ndows user?


the site is "email.microsoft.com" - IP : 209.11.136.150

Microsoft does not have that IP or is even in that range.

207.46.134.190 - 207.46.134.222 - 207.46.249.190 - 207.46.249.222 - 207.46.249.27 - 207.46.249.155.

SHUX
 

PowerMacG5

I have also received this e-mail. Here is the header:

Return-path <windowssecurity@email.microsoft.com>
Received from mta1.srv.hcvlny.cv.net (mta1.srv.hcvlny.cv.net [167.206.5.4]) by mstr5.srv.hcvlny.cv.net (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HJ4000IOA0UC9@mstr5.srv.hcvlny.cv.net> for xxx@optonline.net; Mon, 04 Aug 2003 18:48:30 -0400 (EDT)
Received from asv5.srv.hcvlny.cv.net (asv5.srv.hcvlny.cv.net [167.206.5.154]) by mta1.srv.hcvlny.cv.net (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003)) with ESMTP id <0HJ400761A116G@mta1.srv.hcvlny.cv.net> for xxx@optonline.net (ORCPT xxx@optonline.net); Mon, 04 Aug 2003 18:48:38 -0400 (EDT)
Received from mh.microsoft.m0.net (mh.microsoft.m0.net [209.11.164.116]) by asv5.srv.hcvlny.cv.net (8.12.9/8.12.9) with ESMTP id h74MmBca011740 for <xxx@optonline.net>; Mon, 04 Aug 2003 18:48:15 -0400 (EDT)
Received from [209.11.138.100] by 10.201.1.116 (mh.microsoft.m0.net) with SMTP; Mon, 04 Aug 2003 16:21:50 +0000
Date Mon, 04 Aug 2003 15:40:28 -0700 (PDT)
From Microsoft <windowssecurity@email.microsoft.com>
Subject Security Update for Microsoft Windows
To xxx@optonline.net
Errors-to windowssecurity@email.microsoft.com
Reply-to windowssecurity@email.microsoft.com
Message-id <9708797999.1060036829003@m0.net>
MIME-version 1.0
Content-type multipart/alternative; boundary="Boundary_(ID_H2qbeTAgdj2nhMBrlwBKkQ)"
X-cid 9708797999
X-pid 228387
Original-recipient rfc822;xxx@optonline.net

The originating IP is not from MS. It is from someplace called Digital Impact. I have no idea what to think.
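The header above can be read mechanically. The following is an added example, not part of the original post: it walks the `Received` chain from the newest entry down, finds the hop where the recipient's own provider accepted the message from an outside host, and reports whether that host sits under the claimed sender's domain. The header text is constructed from the one posted (colons and folding restored, server IDs dropped); `trusted_suffix` and `sender_org` are values the analyst supplies, assumed here to be `cv.net` and `microsoft.com`.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the header posted above; ids and banner text shortened.
RAW = """\
Return-Path: <windowssecurity@email.microsoft.com>
Received: from mta1.srv.hcvlny.cv.net (mta1.srv.hcvlny.cv.net [167.206.5.4])
 by mstr5.srv.hcvlny.cv.net with ESMTP; Mon, 04 Aug 2003 18:48:30 -0400 (EDT)
Received: from asv5.srv.hcvlny.cv.net (asv5.srv.hcvlny.cv.net [167.206.5.154])
 by mta1.srv.hcvlny.cv.net with ESMTP; Mon, 04 Aug 2003 18:48:38 -0400 (EDT)
Received: from mh.microsoft.m0.net (mh.microsoft.m0.net [209.11.164.116])
 by asv5.srv.hcvlny.cv.net with ESMTP; Mon, 04 Aug 2003 18:48:15 -0400 (EDT)
Received: from [209.11.138.100] by 10.201.1.116 (mh.microsoft.m0.net) with SMTP;
 Mon, 04 Aug 2003 16:21:50 +0000
From: Microsoft <windowssecurity@email.microsoft.com>
Subject: Security Update for Microsoft Windows

body
"""

# Matches "from host (host [ip]) by host" and the bare "from [ip] by host" form.
HOP = re.compile(r"from\s+(?:(?P<helo>[\w.-]+)\s+\([\w.-]+\s+)?"
                 r"\[(?P<ip>[\d.]+)\]\)?\s+by\s+(?P<by>[\w.-]+)")

def under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)

def handoff(raw, trusted_suffix, sender_org):
    """Return the hop where a trusted server accepted mail from an outside host."""
    msg = message_from_string(raw)
    chain = [m.groupdict() for v in msg.get_all("Received", [])
             if (m := HOP.search(v))]
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    for i, hop in enumerate(chain):  # newest header first
        if under(hop["by"], trusted_suffix) and not under(hop["helo"], trusted_suffix):
            return {"relay": hop["helo"], "ip": hop["ip"],
                    "from_domain": from_domain,
                    "relay_in_sender_org": under(hop["helo"], sender_org),
                    # Entries below this hop were written by hosts the
                    # recipient's provider cannot vouch for.
                    "unverified_below": len(chain) - i - 1}
    return None

if __name__ == "__main__":
    print(handoff(RAW, "cv.net", "microsoft.com"))
```

A relay outside the sender's own domain is a signal to investigate, not a verdict, since bulk mail is often sent through third-party mailing services.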
 

PowerMacG5

Originally posted by: Shuxclams
It's not a good idea to click anything. Microsoft WOULD NEVER send an email to anyone. How would they know you're a W1ndows user? the site is "email.microsoft.com" - IP : 209.11.136.150 Microsoft does not have that IP or is even in that range. 207.46.134.190 - 207.46.134.222 - 207.46.249.190 - 207.46.249.222 - 207.46.249.27 - 207.46.249.155. SHUX

They would know if you ever subscribed to a newsletter, Bulletin, etc...
 

NogginBoink

Originally posted by: Shuxclams
It's not a good idea to click anything. Microsoft WOULD NEVER send an email to anyone. How would they know you're a W1ndows user?


the site is "email.microsoft.com" - IP : 209.11.136.150

Microsoft does not have that IP or is even in that range.

207.46.134.190 - 207.46.134.222 - 207.46.249.190 - 207.46.249.222 - 207.46.249.27 - 207.46.249.155.

Microsoft frequently emails their customers, especially if you have signed up for their security bulletins.

If you go to http://www.microsoft.com/security, the first link on the page (http://www.microsoft.com/security/security_bulletins/ms03-026.asp) is a link to MS03-026.

In addition, I am aware that after MS03-026 was published, proof of concept exploit code was published on the web.

This sounds legit to me.
 

Shuxclams

Registrant:
Digital Impact (DIGITALIMPACT3-DOM)
177 Bovet Rd. Suite 200
San Mateo, CA 94402
US

Domain Name: DIGITALIMPACT.COM

Administrative Contact:
Digital Impact (AD13461-OR) dnsadmin@DIGITAL-IMPACT.COM
177 BOVET RD
SAN MATEO, CA 94402-3116
US
650-356-3400 fax: 650-357-3515
Technical Contact:
Digital Impact (TD4914-ORG) dnstechsupp@DIGITAL-IMPACT.COM
177 BOVET RD STE 200
SAN MATEO, CA 94402-3118
US
650.356.3400 fax: 650.356.3515

Record expires on 16-Sep-2009.
Record created on 13-Sep-2002.
Database last updated on 4-Aug-2003 21:01:24 EDT. <~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Domain servers in listed order:

NS1.DIGITALIMPACT.NET 209.11.136.84
NS2.DIGITALIMPACT.NET 209.11.136.166