Account Upgrade! Not!

The first rule you should remember about all email is that the "headers" contain what the "sender" wants you to read. The "From", "Reply-To" and "Return-Path" are all data constructed by the sender. Most senders don't mess with this data, but some will attempt to deceive you. To see the full headers of the email in question, click the down arrow next to the "Reply" link and choose "Show Original".

                                                                                                                                                                                                                                                              
Delivered-To: hostmaster@ls.net
Received: by 10.101.119.14 with SMTP id w14cs322212anm;
        Wed, 7 Jul 2010 15:13:13 -0700 (PDT)
Received: by 10.142.199.20 with SMTP id w20mr8394732wff.251.1278540789162;
        Wed, 07 Jul 2010 15:13:09 -0700 (PDT)
Return-Path: <helpdesk@ls.net>
Received: from nemont.vision.net (nemont.vision.net [216.129.224.1])
        by mx.google.com with ESMTP id q10si14723006rvp.28.2010.07.07.15.12.43;
        Wed, 07 Jul 2010 15:13:08 -0700 (PDT)
Received-SPF: neutral (google.com: 216.129.224.1 is neither permitted nor denied by best guess record for domain of helpdesk@ls.net) client-ip=216.129.224.1;
Authentication-Results: mx.google.com; spf=neutral (google.com: 216.129.224.1 is neither permitted nor denied by best guess record for domain of helpdesk@ls.net) smtp.mail=helpdesk@ls.net
Received: from webmail.nemont.net (localhost [127.0.0.1])
        by nemont.vision.net (Postfix) with ESMTP id 472014513E;
        Wed,  7 Jul 2010 16:13:07 -0600 (MDT)
Received: from 222.169.11.234 (proxying for 83.229.4.231)
        (SquirrelMail authenticated user rbakke)
        by webmail.nemont.net with HTTP;
        Wed, 7 Jul 2010 16:13:07 -0600
Message-ID: <1c3ea3f85d581f19095f7610979313ab.squirrel@webmail.nemont.net>
Date: Wed, 7 Jul 2010 16:13:07 -0600
Subject: Account Upgrade!
From: "LSNet Internet Access" <helpdesk@ls.net>
Reply-To: helpdesk09@dishmail.net
User-Agent: SquirrelMail/1.4.19
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
To: undisclosed-recipients:;


----ls.net Webmail Technical Services-----

Account Subscriber,

Due to excess abandoned webmail accounts, We are currently performing
maintenance on our Digital webmail Server to improve the spam filter
services in our webmail systems for better online services to avoid virus
and spam mails. In order to ensure you do not experience service
interruption, respond to this email immediately and enter your Username/id
here (********) password here (********) and future password here
(********). Checkout new features and enhancements with our newly improved
and secured webmail.

NB: We require your username and password for Identification purpose only.

----Copyright © 1997-2010 ls.net!. All rights reserved-----


If you were to reply, your message would be sent to helpdesk09@dishmail.net, which has nothing to do with ls.net.

Google says they got the message from

nemont.vision.net [216.129.224.1]

You can chase that IP address at Robtex - http://www.robtex.com/ip/216.129.224.1.html - but the information is of no interest.

Nemont.vision.net says they got it from 222.169.11.234. That's in China. Nemont accepted the message because it came from an authenticated user "rbakke". "rbakke" is probably one of the poor blokes that gave up his username and password through a similar scam.
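The same walk-through can be automated. The script below is an added example, not part of the original post: it reads the headers shown above (trimmed to the hops discussed), compares the Reply-To domain with the From domain, reads the SPF verdict, and lists each Received hop newest first. The function names are illustrative, and every hop below the first server you trust is still only a claim made by the machine that wrote it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the message on this page (Google-internal hops trimmed).
RAW = """\
Return-Path: <helpdesk@ls.net>
Received: from nemont.vision.net (nemont.vision.net [216.129.224.1])
        by mx.google.com with ESMTP id q10si14723006rvp.28.2010.07.07.15.12.43;
        Wed, 07 Jul 2010 15:13:08 -0700 (PDT)
Received-SPF: neutral (google.com: 216.129.224.1 is neither permitted nor denied by best guess record for domain of helpdesk@ls.net) client-ip=216.129.224.1;
Received: from webmail.nemont.net (localhost [127.0.0.1])
        by nemont.vision.net (Postfix) with ESMTP id 472014513E;
        Wed,  7 Jul 2010 16:13:07 -0600 (MDT)
Received: from 222.169.11.234 (proxying for 83.229.4.231)
        (SquirrelMail authenticated user rbakke)
        by webmail.nemont.net with HTTP;
        Wed, 7 Jul 2010 16:13:07 -0600
Subject: Account Upgrade!
From: "LSNet Internet Access" <helpdesk@ls.net>
Reply-To: helpdesk09@dishmail.net
"""

def domain(addr):
    """Lower-cased domain part of an address header, '' if absent."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def hops(msg):
    """(from, by, authenticated user) per Received header, newest first."""
    out = []
    for h in msg.get_all("Received", []):
        flat = " ".join(h.split())              # unfold continuation lines
        m = re.match(r"from (\S+).*? by (\S+)", flat)
        user = re.search(r"authenticated user (\w+)", flat)
        if m:
            out.append((m.group(1), m.group(2), user.group(1) if user else None))
    return out

def triage(raw):
    """Return (warnings, hops) for one raw message."""
    msg = message_from_string(raw)
    frm, rto = domain(msg["From"]), domain(msg["Reply-To"])
    spf = (msg.get("Received-SPF") or "missing").split()[0].lower()
    warnings = []
    if rto and rto != frm:
        warnings.append(f"Reply-To domain {rto} differs from From domain {frm}")
    if spf != "pass":
        warnings.append(f"SPF result for the envelope sender is {spf}")
    return warnings, hops(msg)
```

Calling triage(RAW) returns both warnings for this message, and the last hop in the list is the webmail login from 222.169.11.234 as user rbakke.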

Dozens of people have told me that they never open email unless they know who it came from. I rarely succeed in convincing them, but I insist that they can never know where a message came from, because that address can trivially be forged. There is one way to dramatically improve confidence in where a message came from: the sender can "sign" their messages with a specially constructed "key", but that is a long story in itself.

 
