Blue Tracker
World of Warcraft Blue Posts
Diablo II: Resurrected Blue Posts
Diablo III Blue Posts
Hearthstone Blue Posts
Overwatch Blue Posts
Heroes of the Storm Blue Posts
Diablo IV Blue Posts
BlizzCon Blue Posts
Warcraft Rumble Blue Posts

Is this a Valid return path? (e-mail query)

Forum Avatar
Grajaad
#0 - Nov. 4, 2010, 12:08 a.m.
Blizzard Post
I received a e-mail about someone trying to change my B.Net login e-mail address. Now normally the phishing e-mails like this have hotmail ect... return paths for the sender. But when I opened up the full headers I saw this.

Return-Path: <donotreply@blizzard.com>
X-YahooFilteredBulk: 66.232.142.80
Received-SPF: fail (mta123.mail.ac4.yahoo.com: domain of donotreply@blizzard.com does not designate 66.232.142.80 as permitted sender)
X-YMailISG: 5HAEanEcZAoNMsCGGx3BDZkvFsOfvTZahZqG2cKCUV9BHSbb 706FU1Rm6URJrw1u5lORymTKyLAdZMnX..hei8AnHj52S95n1MzoFyHrqiNH x3pRmdkSjjly6Uw13J7RT5Tf8KbeTUq.CfrxwI6krTDsjaOdiEyRINSsWrud 4WY3.n9fadDH4T.g0ILgBETPs3Ofud1XWRAcgkABe5ooKZeMowbGiFZeSffZ kQkyJyHXjkzSOQfb2gh6jhCB9eB9rtaQYTtKqWVnDthyObL6UvzwmJYq9V3u bRXEKt.PfzKSwkOfD1qM6JJYkl.yWwdQgpEbHXNQJljYdRhOuIvb08FM62PW 5wEe8nW9fX6pAzbS6C2fjkKCA_JeJgieFlqSwL1r8BlDprS_3M2.DSzRwAg_ w8ZkLfRqCV4.ll4rvV4m60bFwjswqP0aiogx5UM4u0.l79VAOghPm6.IA4Ju F0FSBZSBLQ_7UweXOVagP1d1dfqIeQCKDDwRhm.cV6JkDcZElRWitVaAmBD_ Ofa14lNtjyjiGOQinQAB3px6aNHBtFKnsTm0fCpwiP6_nv38MLtJ_Gqvs5ZT ZA0NleDt6lm6zMmfE0li7guPVXsuG8G4G7_akYTwLN5SrLOk09_chjXdQEHl m_JIsJEIZ8beeh0AJ5lCiYBz6.lX82XzNDhgmwZPuZG0UkLZjIDFTN4c4bIq QwJwP.kelMXC9rWBQN.cSn4FG1sOMIQIMiwA7KXm3.xb0xA6eaMLLoOX9NwG WKQWUoyswc424UcoHTP5pyl9SAlg3L8F.uUU3.g9AYrwZKvpy76Fkyux5Psd ez0F.CCeseE7WdEecE3YcBMH8nrWftiMZLIZ9zJdwu8Bs2J6NvJ3OsCbbFI6 YfPbQVmntI99xztuiwiBHCxS3rilU4K36t0A04CGxIBRiAca9nTO5ETkCXlM mW5rnraNG_J4joVZmTygek4ij0x2lOr4jW32TIEpSsEVF7LORmwig_gLrImm PJINw6IMznnBJ4FT7ej0WCQGqfb9cCAFBZCplSNhYSG9ATXO6CW87DhxDkR8 EbjwiE5IXqA@*!@*%!#*@#*%!*%#*#@#!!**%EDid8ZZHgsTJ_moHZ7Td8_jq8pdlsYb7k4HOKKhpNh9i xSNdE85LwDKRftZ3MLk8ZXDSFTUhwF6SLXb.uxpMCciTS4f0UYn_PQ--
X-Originating-IP: [66.232.142.80]
Authentication-Results: mta123.mail.ac4.yahoo.com from=blizzard.com; domainkeys=neutral (no sig); from=blizzard.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (HELO blizzard.com) (66.232.142.80) by mta123.mail.ac4.yahoo.com with SMTP; Sun, 31 Oct 2010 13:05:20 -0700
Received: from battle.net ([192.168.160.1]) (envelope-sender <donotreply@blizzard.com>) by 192.168.160.128 with ESMTP for <>; Sun, 31 Oct 2010 12:17:39 +0800
Message-ID: <12593E4A68DEB4AD270B0279D6393194@battle.net>
From: "donotreply@blizzard.com" <donotreply@blizzard.com> Add sender to Contacts
To:
Subject: =?utf-8?B?TmV3IFJlcXVlc3TigI/igI8gTm90aWZp?= =?utf-8?B?Y2F0aW9uIC0gQ2hhbmdlIHRoZSA=?= =?utf-8?B?TG9naW4gQWRkcmVzcw==?=
Date: Sun, 31 Oct 2010 12:17:21 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0212_01A56E64.1A0A1A10"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
Content-Length: 4935



In the e-mail was also a 'link' to contact the billing and account services team but it looked a tad fishy to me when i moused over it as it had the word 'item' in the link mouseover.



Is this actually a valid Blizzard header and some hacker is trying to get my B.Net e-mail changed? Or is it that they have become more clever? A blue confirmation on which it is would be most appreciated. Oh and if it is a factual e-mail posting the billing and account services info for me so i can verify that link would be great too.
Forum Avatar
Nevalistis
#2 - Nov. 4, 2010, 12:16 a.m.
Blizzard Post
As Pahanda stated, this appears to be a phish. If you don't mind, our Hacks team would appreciate if you could forward it along to them at hacks@blizzard.com and, if you don't mind, include the full header you investigated.

Thanks for bringing this to our attention! >^.^<