E-mail from [email protected]
#1
Original Poster
Join Date: Nov 2014
Location: USA
Programs: UA Gold, Marriott Gold
Posts: 1,195
I just received an email purporting to be from [email protected]. It says:
You recently submitted a request to correct your personal data and a request to access your personal data.
To address your requests, we must verify your identity for security purposes, and we have determined that we need additional information for our identity verification process. We would kindly ask you to respond to this email within two weeks with your date of birth (MM/DD/YYYY) and with as much detail as possible on what you would like to be corrected. Once we receive this additional information, we will complete our identity verification process and address your requests as appropriate, which we anticipate will occur within a reasonable amount of time.
If you have a MileagePlus account, you can also update your personal details and marketing preferences anytime by logging into your MileagePlus account here or contacting the MileagePlus service center here.
Please note that we may not be able to correct certain information, such as where we are maintaining a record or as related to historical transactions. If you are requesting a correction because you believe that historical information reflects an inaccuracy, we may request additional details to confirm that the correction is appropriate.
Sincerely,
United Airlines
The email header shows a return path of [email protected] but a message ID ending in outlook.com.
Regardless, there is NO way I'm responding to this by replying via email with sensitive personal information. If this is legit, United needs to do a better job of identity verification -- but I'm assuming it's not legit, return path notwithstanding.
#2
Moderator: United Airlines
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.997MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,859
Did you make a request? That would be my first test of legitimacy.
If so, what are you trying to correct that cannot be addressed via your account?
#3
Join Date: Oct 2021
Location: Bay Area
Posts: 347
I just received an email purporting to be from [email protected]. It says:
The email header shows a return path of [email protected] but a message ID ending in outlook.com.
Regardless, there is NO way I'm responding to this by replying via email with sensitive personal information. If this is legit, United needs to do a better job of identity verification -- but I'm assuming it's not legit, return path notwithstanding.
#4
Join Date: May 2011
Programs: UA GS, UA 2MM, HH LT Diamond, Bonvoy Titanium
Posts: 1,803
I think you're being a bit too paranoid. I received this as well after making a Privacy request and responded. If you're worried, simply reply and type in the email address manually instead of relying on the auto-filled address. [email protected] is listed on United's website as their point of contact for privacy requests.
#5
Join Date: Oct 2021
Location: Bay Area
Posts: 347
If you don't trust the email, simply ignore it and United will disregard your privacy request. I'd be more concerned if United was allowing people to make requests in my name without any sort of verification.
#7
Moderator: United Airlines
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.997MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,859
Folks getting this email, which I just did, perhaps you triggered this based on responding to links provided in United Might Sell our Data
This technique of manually entering the email is good internet hygiene and removes any concerns of phishing
In most cases, paranoia is overrated
.. If you're worried, simply reply and type in the email address manually instead of relying on the auto-filled address. [email protected] is listed on United's website as their point of contact for privacy requests.
#9
Join Date: Dec 2014
Location: DC
Posts: 57
if you're seeing outlook.com in the headers, do you use outlook the app or microsoft 365 to receive the e-mail in question? if so, then, there's your answer. i get my gmail in outlook and every e-mail i receive (or send, but that's separate) has an outlook.com header bc it passes thru their servers to get to me
#10
FlyerTalk Evangelist
Join Date: May 2000
Location: TPA for now. Hopefully LIS for retirement
Posts: 13,708
#11
Moderator: United Airlines
Join Date: Jun 2007
Location: SFO
Programs: UA Plat 1.997MM, Hyatt Discoverist, Marriott Plat/LT Gold, Hilton Silver, IHG Plat
Posts: 66,859
Yes, if you did not make the request, this would be a red flag. But I'm guessing most reporting this did make the request and there were some safeguards in the initial request but do not remember the details.
#12
Join Date: May 2011
Programs: UA GS, UA 2MM, HH LT Diamond, Bonvoy Titanium
Posts: 1,803
Folks getting this email, which I just did, perhaps you triggered this based on responding to links provided in United Might Sell our Data
This technique of manually entering the email is good internet hygiene and removes any concerns of phishing
In most cases, paranoia is overrated
#13
Original Poster
Join Date: Nov 2014
Location: USA
Programs: UA Gold, Marriott Gold
Posts: 1,195
My point in posting this was 1) see if anyone else got a similar e-mail and 2) to warn anyone else getting one of these. If United monitors this page, it wouldn't hurt for them to know this is a stupid way to do authentication but I really don't think this is legit.
if you're seeing outlook.com in the headers, do you use outlook the app or microsoft 365 to receive the e-mail in question? if so, then, there's your answer. i get my gmail in outlook and every e-mail i receive (or send, but that's separate) has an outlook.com header bc it passes thru their servers to get to me
Last edited by WineCountryUA; Dec 29, 2023 at 4:48 pm Reason: merged consecutive posts by same member
#14
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS 75k, AA Plat, Bonvoyed Gold, Honors Dia, Hyatt Explorer, IHG Plat, ...
Posts: 16,857
I have a corporate email account that uses Microsoft Outlook servers (but of course has its own domain). I just checked an email I sent from that account to myself on gmail, and it, too, has "namprdXX.prod.outlook.com" in the Message ID header field. It wouldn't be surprising if United used Microsoft Outlook servers for their corporate email services.
Of course, if you never actually requested something, maybe you should forward the message to [email protected] and ask what this is about.
#15
Join Date: Feb 2005
Location: CLE, DCA, and 30k feet
Programs: Honors LT Diamond; United 1K; Hertz PC
Posts: 4,167
"Just because you're paranoid doesn't mean they aren't out to get you"
That said it appears that United is using Office 365 for email infrastructure so the .outlook.com traces are to be expected.
One option is to look at the full message headers for signs that might lead you . In Outlook (on PC, at least) open the message then File -> Properties and they're in the box labeled "Internet Headers"; you can CTRL+A then CTRL+C to copy and paste to something more readable than the tiny box. In GMail while viewing a message click the three dots at the far right then "Show Original".
For example/comparison, headers for a legitimate email received from an individual at United are below with heavy redactions for their anonymity. In particular the Received: headers are read chronologically with the newest entry at the top, and stop reading at the last entry that is made by a server you control or trust (since headers can be forged much like caller ID can be spoofed...but everything that touches the message after that will add its own header).
Received: from My Corp Mail Server 1.local (10.5.0.12) by My Corp Mail Server 1.local (10.5.0.12) with Microsoft SMTP Server (TLS) id xx.x.xxxx.xx via Mailbox Transport; Thu, 9 Nov 2023 06:16:30 -0500
Received: from My Corp Mail Server 1.local (10.5.0.12) by My Corp Mail Server 1.local (10.5.0.12) with Microsoft SMTP Server (TLS) id xx.x.xxxx.xx; Thu, 9 Nov 2023 6:16:29 -0500
Received: from My Corp Mail Server 3.local (10.5.0.19) by My Corp Mail Server 1.local (10.5.0.12) with Microsoft SMTP Server id xx.x.xxxx.xx via Frontend Transport; Thu, 9 Nov 2023 06:16:29 -0500
Received: by My Corp Mail Server 3.local (Postfix, from userid 1001) id 6AA8382070C; Thu, 9 Nov 2023 11:16:29 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin x.x.x (20xx-xx-xx) on My Corp Mail Server 3
X-Spam-Level:
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.4
Received: from mx0a-00212602.pphosted.com (mx0a-00212602.pphosted.com [67.231.145.22]) by My Corp Mail Server 3.local (Postfix) with ESMTPS id 37E148203A0 for <My Corp Email Addrss>; Thu, 9 Nov 2023 11:16:25 +0000 (UTC)
Received: from pps.filterd (m0142708.ppops.net [127.0.0.1]) by mx0a-00212602.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 3A99qfFG035188 for <My Corp Email Addrss>; Thu, 9 Nov 2023 05:16:23 -0600
DKIM-Signature: [...]
Received: from nam11-dm6-obe.outbound.protection.outlook.com (mail-dm6nam11lp2169.outbound.protection.outlook.com [104.47.57.169]) by mx0a-00212602.pphosted.com (PPS) with ESMTPS id 3u7w2ntuhm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <My Corp Email Addrss>; Thu, 09 Nov 2023 05:16:23 -0600
ARC-Seal: [...]
ARC-Message-Signature: [...] bh=qCSLcF6gUhbVbUQK8YTuo4W/F
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=united.com; dmarc=pass action=none header.from=united.com; dkim=pass header.d=united.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ual.onmicrosoft.com; s=selector2-ual-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=[...]
Received: from DM8PR10MB5414.namprd10.prod.outlook.com (2603:10b6:8:32::10) by BY5PR10MB4273.namprd10.prod.outlook.com (2603:10b6:a03:205::19) with Microsoft SMTP Server (version=TLS1_2,cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6954.28; Thu, 9 Nov 2023 11:16:17 +0000
Received: from DM8PR10MB5414.namprd10.prod.outlook.com ([fe80::29fd:56db:668d:4119]) by DM8PR10MB5414.namprd10.prod.outlook.com ([fe80::29fd:56db:668d:4119%4]) with mapi id 15.20.6954.029; Thu, 9 Nov 2023 11:16:17 +0000
From: "someone at united" <someone@united.com>
To: lincolnjkc <My Corp Email Addrss>
Subject: FW: Email Subject
Thread-Topic: Email Subject
Thread-Index: [...]
Date: Thu, 9 Nov 2023 11:16:16 +0000
Message-ID: <[...]@DM8PR10MB5414.namprd10.prod.outlook.com>
References: <[...]><[...]@SA1PR09MB7376.namprd09.prod.outlook.com>
In-Reply-To: <[...]@SA1PR09MB7376.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: [...]
x-ms-office365-filtering-correlation-id: [...]
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: [...]
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM8PR10MB5414.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: [....]
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Nov 2023 11:16:16.8844 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: [...]
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: [...]
X-MS-Exchange-Transport-CrossTenantHeadersStamped: [...]
X-Proofpoint-GUID: [...]
X-Proofpoint-ORIG-GUID: [...]
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.987,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-11-09_10,2023-11-09_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 impostorscore=0 adultscore=0 bulkscore=0 phishscore=0 suspectscore=0 clxscore=1011 spamscore=0 lowpriorityscore=0 priorityscore=1501 mlxscore=0 mlxlogscore=999 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2311060000 definitions=main-2311090082
Return-Path: someone@united.com
X-MS-Exchange-Organization-AuthSource: My Corp Mail Server 1.local
X-MS-Exchange-Organization-AuthAs: External
X-MS-Exchange-Organization-AuthMechanism: 10
X-MS-Exchange-Organization-Network-Message-Id: [...]
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
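The header-reading approach described in the last post, as an added Python example that is not part of the original thread: it walks the Received chain newest-first, stops at the first hop not stamped by a trusted server, and accepts SPF/DKIM/DMARC verdicts only from Authentication-Results headers that a trusted server wrote. The sample message, the corp.example and sender.invalid host names, and the presence of an Authentication-Results header on the receiving side are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: corp.example hosts stand for servers the reader controls.
SAMPLE = (
    "Received: by mail1.corp.example (Postfix, from userid 1001);"
    " Thu, 9 Nov 2023 11:16:29 +0000\n"
    "Authentication-Results: mail3.corp.example; spf=pass smtp.mailfrom=united.com;"
    " dkim=pass header.d=united.com; dmarc=pass header.from=united.com\n"
    "Received: from nam11-dm6-obe.outbound.protection.outlook.com (192.0.2.169)"
    " by mail3.corp.example (Postfix) with ESMTPS; Thu, 9 Nov 2023 11:16:25 +0000\n"
    "Received: from internal.sender.invalid by relay.sender.invalid with mapi;"
    " Thu, 9 Nov 2023 11:16:17 +0000\n"
    "Authentication-Results: relay.sender.invalid; dmarc=pass header.from=united.com\n"
    'From: "someone at united" <someone@united.com>\n'
    "Message-ID: <constructed-id@DM8PR10MB5414.namprd10.prod.outlook.com>\n"
    "\nbody\n"
)

def host_after(keyword, value):
    """Host token following 'from' or 'by' in a Received value, or None."""
    m = re.search(r"(?:^|\s)%s\s+([^\s;()]+)" % keyword, value)
    return m.group(1).lower() if m else None

def is_trusted(host, suffixes):
    return bool(host) and any(host == s or host.endswith("." + s) for s in suffixes)

def trusted_hops(msg, suffixes):
    """Read Received newest-first; stop at the first hop not stamped by a trusted host."""
    hops = []
    for value in msg.get_all("Received", []):
        clean = re.sub(r"\([^()]*\)", " ", value)  # drop "(Postfix, from userid 1001)"
        by_host = host_after("by", clean)
        if not is_trusted(by_host, suffixes):
            break  # this line and everything below it could be sender-written
        hops.append((host_after("from", clean), by_host))
    return hops

def trusted_auth(msg, suffixes):
    """spf/dkim/dmarc verdicts, taken only from results a trusted host stamped."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        parts = authserv.split()
        if parts and is_trusted(parts[0].lower(), suffixes):
            for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
                verdicts.setdefault(method, result)
    return verdicts

def assess(raw, suffixes=("corp.example",)):
    msg = message_from_string(raw)
    hops = trusted_hops(msg, suffixes)
    # The oldest trusted hop's "from" was recorded by a trusted server at handoff.
    handoff = next((f for f, _ in reversed(hops) if f and not is_trusted(f, suffixes)), None)
    return {"trusted_hops": len(hops), "handoff_from": handoff,
            "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower(),
            "message_id_domain": msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower(),
            "dmarc": trusted_auth(msg, suffixes).get("dmarc", "none")}
```

The Message-ID domain is reported only for comparison with the From domain; it names the system that generated the ID, and the DMARC verdict does not depend on it.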