Beware fake QR emails

Old Apr 17, 19, 12:30 am
  #1  
Original Poster
 
Join Date: Mar 2017
Location: UK
Programs: BA Gold
Posts: 420
Beware fake QR emails

Not directly a QR thing but people trying to use QR's good name for nefarious purposes. I'm sure you're all aware of this in all sorts of businesses but thought it worth a reminder as I seem to be getting these every day now. Still lots of pointers that they are fake but they are slightly better quality than the average and when in a cluster of other (genuine) emails they may be inadvertently clicked on. I attach a picture.

The links in the document go to sites in Brazil and Russia: most common being time (dot) amiek (dot) ru


tinkicker is offline  
Old Apr 17, 19, 4:42 am
  #2  
 
Join Date: Dec 2002
Programs: QR Plat
Posts: 2,158
This is because QR has the wrong settings in their SPF records in DNS:
$ dig +short txt qatarairways.com.qa | grep -i spf
"v=spf1 ip4:213.130.112.226 ip4:212.77.217.214 ip4:78.100.59.144 ip4:78.100.138.179 include:icpbounce.com include:sendgrid.net a:spf.vibe.travel a:web2.sniperhire.net ~all"
$ dig +short txt qmiles.com | grep -i spf
"v=spf1 ip4:213.130.112.226 ip4:212.77.217.214 ip4:78.100.59.144 ip4:78.100.138.179 ip4:12.130.153.25 ip4:12.130.154.100 ~all"

...if that only said "-all" at the end and not "~all".

This brought to you by the same gang of people that disables using password managers with their website. Clots.

-A
ph-ndr is offline  
Old Apr 17, 19, 6:10 am
  #3  
 
Join Date: Jan 2016
Location: LON
Programs: BAEC, Accor
Posts: 2,047
To be fair to QR, in an SPF record ~all (soft fail) is valid configuration, it's just that it has a different impact to -all (hard fail). For various business reasons QR may need the soft fail because they have various systems they might not be 100% in control of which need to transit email on behalf of Qatar that they do not want to clobber with unintended consequences and end up impacting customer communications.

For those readers now scratching their head with all this technobabble, an SPF record is a way for a domain owner to assert what systems are permitted to send email on behalf of their domain. Qatar have published a record but if someone doing a lookup finds that an email being received is coming from a system that is not on the list the soft fail directs them to treat the message with more suspicion that it might be forged or coming from an untrustworthy source rather than outright reject it (hard fail). The suggestion is that if Qatar had made the SPF instruction to be hard fail then the fraudulent email might have been rejected before it was delivered.
Cryofern likes this.
plunet is offline  
Old Apr 17, 19, 11:41 am
  #4  
 
Join Date: Dec 2002
Programs: QR Plat
Posts: 2,158
The configuration is technically valid as it is. The configuration is not a good posture for a company that is very customer facing. By using ~all they tell us "we haven't got enough control of this" and "we are not giving this issue enough priority and the majority of the downside here is carried by the customer and not us". That is not a good message to send. If this had been the posture of a company where most of the customers were other professional entities (imagine a producer of a product whose customers were other companies) then it would be a fairer game. End users are mostly in a poor position to deal with these kinds of issues.

Also, combined with no published CAA record then you open up more abuse for the phishing emails to mimic their own marketing emails.

-A
ph-ndr is offline  
Old Apr 18, 19, 1:05 am
  #5  
 
Join Date: Aug 2015
Posts: 1,132
I mean, if you want go that route, even Google has "~all":

[9:04:41] t15-6:klausa:~ $ dig +short txt gmail.com
"globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
"v=spf1 redirect=_spf.google.com"
[9:04:43] t15-6:klausa:~ $ dig +short txt _spf.google.com
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

I think you'd be hard-pressed to argue that Google doesn't have "enough control of" their email infrastructure...
klausa is offline  
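The posts from ph-ndr (#2), plunet (#3) and klausa (#5) turn on how a receiving mail server evaluates an SPF record and what ~all versus -all means for a message arriving from an unlisted IP. The following is an added example, not code posted by anyone in this thread and not Qatar Airways' or Google's infrastructure: a minimal SPF evaluator that handles ip4/ip6, include and redirect terms plus the four qualifiers. DNS is replaced by an in-memory table so it runs offline; the qmiles.com record is the one quoted above, while the mail.example domains and the 192.0.2.0/24 netblock are constructed (TEST-NET addresses) purely to mirror the redirect/include shape of the gmail.com record. Mechanisms that need live DNS (a, mx, ptr, exists) are treated as non-matching here, which is a simplification of RFC 7208.

```python
import ipaddress
import re

# Constructed stand-in for DNS TXT lookups. qmiles.com is the record quoted in the
# thread; *.mail.example and 192.0.2.0/24 are made up for the redirect/include case.
DNS_TXT = {
    "qmiles.com": ("v=spf1 ip4:213.130.112.226 ip4:212.77.217.214 ip4:78.100.59.144 "
                   "ip4:78.100.138.179 ip4:12.130.153.25 ip4:12.130.154.100 ~all"),
    "qmiles-hardfail.example": "v=spf1 ip4:213.130.112.226 -all",   # same hosts, hard fail
    "mail.example": "v=spf1 redirect=_spf.mail.example",
    "_spf.mail.example": "v=spf1 include:_netblocks.mail.example ~all",
    "_netblocks.mail.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=](.*))?$", re.I)


def lookup_spf(domain, dns):
    """Return the SPF record for a domain, or None if none is published."""
    rec = dns.get(domain.lower())
    return rec if rec and rec.startswith("v=spf1") else None


def check_host(ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate SPF for a sending IP and a sender domain (RFC 7208 check_host, reduced)."""
    if depth > 10:                      # RFC limit on DNS-triggering terms, applied to recursion
        return "permerror"
    addr = ipaddress.ip_address(ip)
    rec = lookup_spf(domain, dns)
    if rec is None:
        return "none"
    redirect = None
    for term in rec.split()[1:]:        # skip the "v=spf1" version tag
        m = TERM_RE.match(term)
        if not m:
            return "permerror"
        qual, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        result = QUALIFIERS[qual]
        if name == "all":               # "all" always matches; its qualifier is the verdict
            return result
        if name in ("ip4", "ip6"):
            if arg is None:
                return "permerror"
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return result
        elif name == "include":
            inner = check_host(ip, arg, dns, depth + 1)
            if inner == "pass":         # include matches only on an inner "pass"
                return result
            if inner in ("none", "permerror", "temperror"):
                return "permerror"      # an include of an unpublished record is a permerror
        elif name == "redirect":
            redirect = arg              # only consulted if nothing else matched
        else:
            continue                    # a/mx/ptr/exists need live DNS: simplified to no-match
    if redirect:
        return check_host(ip, redirect, dns, depth + 1)
    return "neutral"                    # record ended without an "all" term


def receiver_action(result):
    """What a typical receiving MTA does with each SPF verdict."""
    return {
        "pass": "accept",
        "fail": "reject at SMTP time",
        "softfail": "accept but flag as suspicious (spam scoring input only)",
        "neutral": "accept, domain makes no assertion",
        "none": "accept, no SPF policy published",
        "permerror": "accept or reject per local policy; record is unusable",
        "temperror": "defer and retry",
    }[result]


if __name__ == "__main__":
    # A forged message from an unlisted IP: the only difference between the two records is ~all vs -all.
    for dom in ("qmiles.com", "qmiles-hardfail.example"):
        verdict = check_host("203.0.113.5", dom)
        print(f"{dom:26} {verdict:9} -> {receiver_action(verdict)}")
```

Running it shows the point of posts #2 and #3 directly: the same unlisted sender gets "softfail" under ~all (the message is merely marked and left to spam scoring, which is why the OP's phish still landed in an inbox) and "fail" under -all (rejected outright). The mail.example entries reproduce klausa's observation that a redirect to a record ending in ~all yields softfail for unlisted IPs no matter how strict the included netblock record is.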
Old Apr 18, 19, 6:42 am
  #6  
 
Join Date: Oct 2017
Posts: 87
I have been receiving 2 of those emails a day but they go straight to the Junk folder.
Professional Bum is offline  
Old Apr 21, 19, 4:43 pm
  #7  
 
Join Date: Feb 2008
Location: CLE
Posts: 1,783
I received one email that went to junk mail. Originated in Brazil. Deleted!
CosmosHuman is offline  
Old Apr 23, 19, 6:53 pm
  #8  
 
Join Date: Jul 2013
Programs: AA MM, AA EXP; OW Emerald, EK silver
Posts: 595
Received 2 yesterday and 4 today!! Deleted on receipt. Just curious the source from which the hacks are getting our email addresses. Is Qatar investigating or do they even care?
dwugson is offline  
Old Apr 23, 19, 11:40 pm
  #9  
Company Representative, Qatar Airways
 
Join Date: Jan 2019
Programs: QR Privilege Club
Posts: 62
Thanks all for sharing these phishing emails. Like many companies, our name and brand is sometimes used by fraudsters for nefarious purposes, as the OP suggests. Our digital and fraud prevention teams are investigating and doing all they can to prevent these emails being sent.
msm2000uk likes this.
goingplacestogether is offline  
Old Apr 24, 19, 6:07 am
  #10  
 
Join Date: Dec 2002
Programs: QR Plat
Posts: 2,158
Originally Posted by goingplacestogether:
Thanks all for sharing these phishing emails. Like many companies, our name and brand is sometimes used by fraudsters for nefarious purposes, as the OP suggests. Our digital and fraud prevention teams are investigating and doing all they can to prevent these emails being sent.
I appreciate all efforts, but as you can see from the info above I think the use of the word "all" in this context is slightly courageous on QR's part.

-A
ph-ndr is offline  
Old Apr 24, 19, 3:45 pm
  #11  
 
Join Date: Feb 2008
Location: CLE
Posts: 1,783
I'm happy to say I've not received any more spam emails. However, would love to fly this airline.
CosmosHuman is offline  
