FlyerTalk Forums


tinkicker Apr 17, 19 12:30 am

Beware fake QR emails
 
Not directly a QR thing but people trying to use QR's good name for nefarious purposes. I'm sure you're all aware of this in all sorts of businesses but thought it worth a reminder as I seem to be getting these every day now. Still lots of pointers that they are fake but they are slightly better quality than the average and when in a cluster of other (genuine) emails they may be inadvertently clicked on. I attach a picture.

The links in the document go to sites in Brazil and Russia: most common being time (dot) amiek (dot) ru



ph-ndr Apr 17, 19 4:42 am

This is because QR has the wrong settings in their SPF records in DNS:
$ dig +short txt qatarairways.com.qa | grep -i spf
"v=spf1 ip4:213.130.112.226 ip4:212.77.217.214 ip4:78.100.59.144 ip4:78.100.138.179 include:icpbounce.com include:sendgrid.net a:spf.vibe.travel a:web2.sniperhire.net ~all"
$ dig +short txt qmiles.com | grep -i spf
"v=spf1 ip4:213.130.112.226 ip4:212.77.217.214 ip4:78.100.59.144 ip4:78.100.138.179 ip4:12.130.153.25 ip4:12.130.154.100 ~all"

...if that only said "-all" at the end and not "~all".

This brought to you by the same gang of people that disables using password managers with their website. Clots.

-A

plunet Apr 17, 19 6:10 am

To be fair to QR, in an SPF record ~all (soft fail) is a valid configuration, it's just that it has a different impact to -all (hard fail). For various business reasons QR may need the soft fail because they have various systems they might not be 100% in control of which need to transit email on behalf of Qatar that they do not want to clobber with unintended consequences and end up impacting customer communications.

For those readers now scratching their head with all this technobabble, an SPF record is a way for a domain owner to assert what systems are permitted to send email on behalf of their domain. Qatar have published a record but if someone doing a lookup finds that an email being received is coming from a system that is not on the list the soft fail directs them to treat the message with more suspicion that it might be forged or coming from an untrustworthy source rather than outright reject it (hard fail). The suggestion is that if Qatar had made the SPF instruction to be hard fail then the fraudulent email might have been rejected before it was delivered.

ph-ndr Apr 17, 19 11:41 am

The configuration is technically valid as it is. The configuration is not a good posture for a company that is very customer facing. By using ~all they tell us "we haven't got enough control of this" and "we are not giving this issue enough priority and that the majority of the downside here is carried by the customer and not us". That is not a good message to send. If this had been the posture of a company where most of the customers were other professional entities (imagine a producer of a product whose customers were other companies) then it would be a more fair game. End users are mostly in a poor position to deal with these kinds of issues.

Also, combined with no published CAA record then you open up more abuse for the phishing emails to mimic their own marketing emails.

-A

klausa Apr 18, 19 1:05 am

I mean, if you want to go that route, even Google has "~all":

[9:04:41] t15-6:klausa:~ $ dig +short txt gmail.com
"globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
"v=spf1 redirect=_spf.google.com"
[9:04:43] t15-6:klausa:~ $ dig +short txt _spf.google.com
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

I think you'd be hard-pressed to argue that Google doesn't have "enough control of" their email infrastructure...

Professional Bum Apr 18, 19 6:42 am

I have been receiving 2 of those emails a day but they go straight to the Junk folder.

CosmosHuman Apr 21, 19 4:43 pm

I received one email that went to junk mail. Originated in Brazil. Deleted!

dwugson Apr 23, 19 6:53 pm

Received 2 yesterday and 4 today!! Deleted on receipt. Just curious the source from which the hacks are getting our email addresses. Is Qatar investigating or do they even care?

goingplacestogether Apr 23, 19 11:40 pm

Thanks all for sharing these phishing emails. Like many companies, our name and brand is sometimes used by fraudsters for nefarious purposes, as the OP suggests. Our digital and fraud prevention teams are investigating and doing all they can to prevent these emails being sent.

ph-ndr Apr 24, 19 6:07 am


Originally Posted by goingplacestogether (Post 31031454)
Thanks all for sharing these phishing emails. Like many companies, our name and brand is sometimes used by fraudsters for nefarious purposes, as the OP suggests. Our digital and fraud prevention teams are investigating and doing all they can to prevent these emails being sent.

I appreciate all efforts, but as you can see from the info above I think the use of the word "all" in this context is slightly courageous on QR's part.

-A

CosmosHuman Apr 24, 19 3:45 pm

I’m happy to say I’ve not received any more spam emails. However, would love to fly this airline.

