iTunes leakage or email address harvest?

I received a suspicious looking email today, claiming someone had made a purchase in Russia using my iTunes ID. A trip to iTunes revealed no such purchase. Nevertheless, I changed my password again, as I suspect this false claim might be the result of an iTunes leakage or someone harvesting email addresses in the hope that they are being used as iTunes IDs.

The email headers, slightly redacted, are as follows:

Return-Path: <info@flamslatt.se>
Received: from graveyard4-1.ilait.eu (graveyard4-1.ilait.eu [178.63.104.73])
    by <final MTA> with ESMTP id t2H6sMtR067259
    for <my iTunes ID>; Tue, 17 Mar 2015 07:55:26 +0100 (CET)
    (envelope-from info@flamslatt.se)
Message-Id: <201503170655.t2H6sMtR067259@final MTA>
Received: from smtp1-3.ilait.se (smtp1-3.ilait.se [94.246.96.43])
    by graveyard4-1.ilait.eu (Postfix) with ESMTPS id C18CC50D22D
    for <my iTunes ID>; Tue, 17 Mar 2015 06:30:19 +0000 (UTC)
Received: from msnavision (unknown [111.93.77.78])
    by smtp1-3.ilait.se (Postfix) with ESMTPA id EBDC21A3A9
    for <my iTunes ID>; Tue, 17 Mar 2015 06:29:15 +0000 (UTC)
From: "iTunes Store" <info@flamslatt.se>
Subject: Your receipt No.3489120981
To: <my iTunes ID>
Content-Type: multipart/alternative; boundary="KXu9U3h0ROPL1GpKUmbqEP53=_NHapPmTs0"
MIME-Version: 1.0
Date: Tue, 17 Mar 2015 11:59:48 +0530

The originator is apparently info@flamslatt.se; the Return-Path, the envelope-from and the From: header all agree on it. The DNS domain flamslatt.se is valid, but I doubt Apple would use anything other than their own DNS domain name. The Received line nearest the sender tells more: the message was submitted to smtp1-3.ilait.se with ESMTPA, which in Postfix's Received lines means the client logged in with SMTP AUTH, from a host calling itself msnavision with no reverse DNS (unknown [111.93.77.78]). So whoever sent it holds credentials for an account at that provider, legitimately or not, and merely typed an Apple-looking display name into the From: header. The receiver was simply the email address, not something like "First name Last name" <email-address@some.fqdn>. It's difficult to tell what Apple would do there.

The Message-Id header was added by the receiving MTA, not by any of the other MTAs along the way, and certainly not by the originator: it is built from my MTA's own queue id, t2H6sMtR067259, and host name, which means the message arrived without one. A real mail client, let alone Apple's store back end, sets a Message-Id. The timezone in the Date header, +0530, suggests India. The Date header (06:29:48 UTC) is also 33 seconds later than the first Received timestamp (06:29:15 UTC), so the sending machine's clock was slightly ahead of the submission server's. There's a delay of approx. 25 minutes between graveyard4-1.ilait.eu accepting the message (06:30:19 UTC) and my MTA receiving it (07:55:26 CET, i.e. 06:55:26 UTC), whereas the first two hops are a minute apart, so the message sat somewhere at ilait.eu for most of that time.

Nah, this email isn’t legit.
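The header checks above, done in code, as an added example that is not part of the original post. RAW_MESSAGE is the header block quoted above with the two redacted items filled in by the placeholders mx.example.net and victim@example.net (assumptions); EXPECTED_SENDER_DOMAINS is likewise an assumption, since the post only says Apple would use its own domain. The script walks the Received chain in sending order, reports hop delays, the ESMTPA submission from a host without reverse DNS, the non-Apple From: domain, the Message-Id generated by the final MTA, and the Date header's zone and clock skew.

```python
"""Walk the Received: chain of a suspicious message the way the post does
by hand. Added example; not code from the original post."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumption: Apple mails from under apple.com (the post only says
# "their own DNS domain name").
EXPECTED_SENDER_DOMAINS = ("apple.com",)

# Headers quoted in the post; mx.example.net / victim@example.net stand in
# for the redacted final MTA and recipient (placeholders).
RAW_MESSAGE = """\
Return-Path: <info@flamslatt.se>
Received: from graveyard4-1.ilait.eu (graveyard4-1.ilait.eu [178.63.104.73])
    by mx.example.net with ESMTP id t2H6sMtR067259
    for <victim@example.net>; Tue, 17 Mar 2015 07:55:26 +0100 (CET)
    (envelope-from info@flamslatt.se)
Message-Id: <201503170655.t2H6sMtR067259@mx.example.net>
Received: from smtp1-3.ilait.se (smtp1-3.ilait.se [94.246.96.43])
    by graveyard4-1.ilait.eu (Postfix) with ESMTPS id C18CC50D22D
    for <victim@example.net>; Tue, 17 Mar 2015 06:30:19 +0000 (UTC)
Received: from msnavision (unknown [111.93.77.78])
    by smtp1-3.ilait.se (Postfix) with ESMTPA id EBDC21A3A9
    for <victim@example.net>; Tue, 17 Mar 2015 06:29:15 +0000 (UTC)
From: "iTunes Store" <info@flamslatt.se>
Subject: Your receipt No.3489120981
To: <victim@example.net>
MIME-Version: 1.0
Date: Tue, 17 Mar 2015 11:59:48 +0530

"""

# "from HELO (rdns [ip]) by HOST (comment) with PROTO id QUEUEID"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)(?:\s+\([^)]*\))?\s+with\s+(?P<proto>\S+)"
    r"\s+id\s+(?P<qid>\S+)"
)


def parse_received(value):
    """One Received: header -> dict. The timestamp is whatever follows the
    last ';', minus trailing comments such as '(CET)' or '(envelope-from ...)'."""
    flat = " ".join(value.split())  # undo header folding
    m = RECEIVED_RE.search(flat)
    if not m:
        raise ValueError("unrecognised Received: line: " + flat)
    hop = m.groupdict()
    stamp = flat.rsplit(";", 1)[1].split("(")[0].strip()
    hop["time"] = parsedate_to_datetime(stamp)
    return hop


def under_domain(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse(raw):
    msg = message_from_string(raw)
    # Every MTA prepends its own Received: line, so header order is newest
    # first; reverse it to walk the path the message actually took.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    findings = []

    delays = [int((b["time"] - a["time"]).total_seconds())
              for a, b in zip(hops, hops[1:])]
    for hop, secs in zip(hops[1:], delays):
        if secs >= 600:
            findings.append(f"{secs // 60} min before {hop['by']} accepted it")

    # Postfix writes ESMTPA / ESMTPSA when the client used SMTP AUTH: this
    # hop is a submission by an account holder, not MTA-to-MTA relaying.
    auth_hops = [h for h in hops if h["proto"].upper() in ("ESMTPA", "ESMTPSA")]
    for h in auth_hops:
        findings.append(f"authenticated submission from {h['helo']} [{h['ip']}] via {h['by']}")
    for h in hops:
        if h["rdns"] == "unknown":
            findings.append(f"no reverse DNS for {h['ip']}")

    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if not under_domain(from_domain, EXPECTED_SENDER_DOMAINS):
        findings.append(f"From: domain {from_domain} is not under {EXPECTED_SENDER_DOMAINS}")

    # A Message-Id carrying the final MTA's queue id means the message
    # arrived without one and the receiving MTA had to make it up.
    if hops and hops[-1]["qid"] in (msg["Message-Id"] or ""):
        findings.append("Message-Id was generated by the final MTA; the sender supplied none")

    date = parsedate_to_datetime(msg["Date"])
    off = date.utcoffset()  # None for '-0000', i.e. zone deliberately unknown
    if off is None:
        offset_min, skew = None, None
        findings.append("Date: carries no usable time zone (-0000)")
    else:
        offset_min = int(off.total_seconds() // 60)
        sign = "+" if offset_min >= 0 else "-"
        hh, mm = divmod(abs(offset_min), 60)
        skew = int((date - hops[0]["time"]).total_seconds()) if hops else None
        note = f"Date: written in UTC{sign}{hh:02d}:{mm:02d}"
        if skew is not None:
            note += f", {skew:+d} s relative to the first Received: stamp"
        findings.append(note)

    return {"hops": hops, "delays": delays, "auth_hops": auth_hops,
            "from_domain": from_domain, "date_offset_min": offset_min,
            "date_skew_s": skew, "findings": findings}


if __name__ == "__main__":
    for line in analyse(RAW_MESSAGE)["findings"]:
        print("-", line)
```

Run as-is it prints the findings for the message above; feed `analyse()` the raw text of any other message (headers first) to get the same report. The 25-minute gap appears as the delay before mx.example.net, the ESMTPA hop names msnavision, and the Date: line shows UTC+05:30 running 33 seconds ahead of the first Received: stamp.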

The plain text part of the email is the following, slightly redacted:

--KXu9U3h0ROPL1GpKUmbqEP53=_NHapPmTs0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

 - This mail is in HTML. Some elements may be ommited in plain text. -



Order Number: 3489120981
Thank you for buying the following product:
Product Name: i-DRIVER - Pocket Edition

>From iTunes Store
Receipt Date: 3/16/2015 Order total: 12.47
?
Your last login purchase from <my iTunes ID> was =
initiated from: Russia (Moscow)

If you did not authorize this purchase, please visit the

iTunes Payment Cancellation Form
iTunes
You can find the iTunes Store Terms of Sale and Sales Policies by laun=
ching your iTunes application and clicking on

Terms of Sale or Sales Policies
Apple ID Summary

Purchase History
This is not a VAT notice. Copyright 2015 iTunes S.r.l.

All rights reserved
--KXu9U3h0ROPL1GpKUmbqEP53=_NHapPmTs0

Notice the spelling error in the first line; that line was probably placed there by the spam software. The ">" in front of "From iTunes Store" is not the spammer's doing either: it is the usual mbox quoting of a body line that begins with "From ", added when the message was stored.

The HTML version is largely the same as the plain text version. The only differences are that "iTunes Payment Cancellation Form" is a bit.ly link, and "Terms of Sale or Sales Policies" links to https://www.apple.com/uk/legal/. The latter is a link Apple might well use, and one genuine link lends the rest credibility. The former is the hook: a shortener hides the real destination until you follow it. Apple would use a full apple.com URL rather than resorting to a bit.ly shorthand URL. Or at least they should.
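The link check described above, as an added example that is not code from the original post. The HTML snippet is constructed from the post's description of the HTML part: the bit.ly path is a placeholder rather than the one in the actual mail, and the third link is a lookalike host added here to show why the domain check must match on a real subdomain rather than on the string "apple.com" appearing somewhere in the host name. TRUSTED_DOMAINS is an assumption, as in the post.

```python
"""Pull every link out of an HTML mail part and judge it the way the post
does: a URL shortener hides the destination, and anything not under Apple's
own domain is not Apple's. Added example, not the original post's code."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("apple.com",)  # assumption: Apple links to its own domain
SHORTENERS = ("bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly")

# Constructed from the post's description; the bit.ly path is a placeholder
# and the last link is a lookalike host added for illustration.
SAMPLE_HTML = """
<p>If you did not authorize this purchase, please visit the
<a href="https://bit.ly/xxxxxxx">iTunes Payment Cancellation Form</a></p>
<p><a href="https://www.apple.com/uk/legal/">Terms of Sale or Sales Policies</a></p>
<p><a href="http://www.apple.com.verify-account.example/">Apple ID Summary</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def under_domain(host, domains):
    # Exact match or a genuine subdomain; "apple.com.evil.example" fails.
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_links(html):
    """Return [(href, text, verdict)] for each link in the HTML part."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    out = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if under_domain(host, SHORTENERS):
            verdict = "shortener: destination hidden"
        elif not under_domain(host, TRUSTED_DOMAINS):
            verdict = f"host {host} is not under {', '.join(TRUSTED_DOMAINS)}"
        else:
            verdict = "ok"
        out.append((href, text, verdict))
    return out


if __name__ == "__main__":
    for href, text, verdict in audit_links(SAMPLE_HTML):
        print(f"{verdict:45} {text!r} -> {href}")
```

The verdict is driven by the href, never by the link text, which is the part a phisher controls and dresses up; the "cancellation form" link is flagged as a shortener, the legal page passes, and the lookalike host is rejected even though "apple.com" is a substring of it.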

To sum it all up: scrutinise all emails such as the one above before doing anything suggested by said email. In particular, never follow a link in such a message to "cancel" a purchase; open the store from the application or type the address yourself and check your purchase history there.

Published by Trond Endrestøl

I stopped counting my age years ago. Personal interests besides computers and computer networks include, but are not limited to, astronomy, comics, music, and science (fiction).