
On Thu, Apr 07, 2016 at 03:33:12PM +0000, Jay R. Ashworth via Outages wrote:
----- Original Message -----
From: "Joe Abley via Outages" <outages@outages.org>
On 5 Apr 2016, at 15:29, Joe Zabramski via Outages <outages@outages.org> wrote:
I received a very similar message from Amazon on 3/7/16. Discussion boards seemed to indicate it was legit, however my password was never actually changed by Amazon as the e-mail indicated, nor did I ever change it manually as a result.
The e-mail also appeared legit on the headers, but now that I look at it a little more closely it originated from amazonses.com <http://amazonses.com/> which seems like it might be an e-mail service you can subscribe to?
My assumption would have been that it was a phishing attempt, and that any credentials I had shared in response to the e-mail ought to be assumed compromised immediately.
I'm not familiar with this "discussion board" approach to trusting unexpected requests for login details.
Well, in fairness, none of these things require you to trust anything more than that your browser has you where the URL and certificate badge say it is.
"Amazon SES" is, of course, the AWS Simple Email Service, but I don't know if that's a valid domain for it.
Yes, amazonses.com is the valid domain for AWS SES. What this means is the Email Joe received was actually sent via Amazon's SES service (possibly via SMTP, possibly via API), regardless of whatever other domains/hostnames/etc. were involved or shown in the mail.

Amazon's documentation doesn't make this readily apparent, but you can find definitive mentions of it here:

https://sesblog.amazon.com/blog/category/Announcements
https://sesblog.amazon.com/post/TxEH4YOF3YJG0L/Amazon-SES-IP-addresses
http://docs.aws.amazon.com/ses/latest/DeveloperGuide/received-email-problems...

The most notable is the first link, quoting: "By default, SES uses its own MAIL FROM domain (amazonses.com or a subdomain of that) when it sends your emails."

AWS SES runs an *incredibly* tight ship (I cannot stress this point hard enough), so if you're receiving Emails of a suspicious or nefarious nature which are truly coming via AWS SES, and your own review of the details shows that it's nefarious and did in fact come via AWS SES, you should report it. They absolutely can and will look into it -- because all outbound SMTP via SES, as well as API calls, are authenticated with a key which ties to an account/user/customer.

Abuse form: https://aws.amazon.com/forms/report-abuse

The easiest way to tell where an Email actually came from is to read all of the Received: headers one at a time. (Sometimes they're in most-recent-first order, other times they're not and you get to piece them together by paying very close attention).

--
| Jeremy Chadwick                                   jdc@koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |
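
The header review described in the message above, as an added example that is not part of the original thread: it orders Received: hops by timestamp and checks whether the hop stamped by your own mail server, and the Return-Path (MAIL FROM), point at amazonses.com. The sample message, all hostnames and the function names are constructed for illustration.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: every hostname, address and ID below is made up.
SAMPLE = (
    "Return-Path: <bounce-0001@amazonses.com>\n"
    "Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])\n"
    "\tby store.recipient.example with ESMTP id abc123;\n"
    "\tTue, 08 Mar 2016 02:15:09 +0000\n"
    "Received: from out1.amazonses.com (out1.amazonses.com [198.51.100.23])\n"
    "\tby mx.recipient.example with ESMTPS id def456;\n"
    "\tTue, 08 Mar 2016 02:15:07 +0000\n"
    "From: Account Notice <no-reply@shop.example>\n"
    "Subject: Your password has been changed\n"
    "\n"
    "body\n"
)

HOP = re.compile(r"\s*from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)

def received_hops(raw):
    """Return Received: hops oldest-first as dicts with from/by/when."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        clauses, _, stamp = value.rpartition(";")
        m = HOP.match(clauses)
        when = parsedate_to_datetime(stamp.strip())
        if when.tzinfo is None:          # "-0000" parses as naive; treat as UTC
            when = when.replace(tzinfo=timezone.utc)
        hops.append({"from": m.group(1).lower() if m else None,
                     "by": m.group(2).lower() if m else None,
                     "when": when})
    # Sort by each relay's own timestamp so header order does not matter.
    return sorted(hops, key=lambda h: h["when"])

def in_domain(host, domain):
    return bool(host) and (host == domain or host.endswith("." + domain))

def handed_off_by(raw, domain, my_mx):
    """True if a hop stamped by my_mx (a server you run) names a sender in domain."""
    return any(h["by"] == my_mx and in_domain(h["from"], domain)
               for h in received_hops(raw))

def mail_from_domain(raw):
    """Domain of Return-Path, which records the SMTP MAIL FROM at delivery."""
    addr = parseaddr(message_from_string(raw).get("Return-Path", ""))[1]
    return addr.rpartition("@")[2].lower()
```

The token after `from` is the name the sending host announced; the parenthesised name and IP are what the receiving server observed, so compare those as well. Only hops stamped by servers you control are reliable, since anything below them can be written by the sender.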