Fake DHL message
www.dhl.multimeterspecialist.nl [195.238.75.30]
Spam IP 81.91.179.84
@Office365 | @OfficeSupport
⚠ belismajewels.com/wp-includes/images/Drive-1/OneDrive/
☣ AS17439 [146.88.26.170] 🇮🇳
🌐 @GoDaddy @GoDaddyHelp 🖧 @netmagic 🔐 @letsencrypt
Old domain (2012), new self-signed cert = likely a defaced WP-based host of some jewelry shop.
Intermediate jumphost dubaitravelsandtours.com 302s to prevent the real one from being flagged by the parsers of services like @SpamCop_net.
Eeeeh, the mailbox has supposedly filled up
Scam phishing link leads to: (replace interpuncts with dots for the real link)
https://umbellately-wool·000webhostapp·com/notification1·php?email=
This is a hosting provider, spam report sent to them.
Directory browsing enabled, no index file - ran the files inside through VirusTotal:
7zip with the .php files: https://mega.nz/#!XoI1Taba!9sLcr8jTVPXur9kurT3TdEcYvQW1rsnECsbV6_2LLxY
1.php
https://www.virustotal.com/gui/file-analysis/M2ZiZjY4N2M1MGY5ZmRlMTA2ODJjMjY4NWVlZTc2Y2Y6MTU2MTk1NTM0NQ==/detection
notofication1.php
https://www.virustotal.com/gui/file-analysis/N2QxY2RhZTg1YjFjNmIxYjJlZGYzYjZjMjY5YTMzN2Q6MTU2MTk1NTQyMw==/detection
Clueless users who have already entered their credentials (report sent to haveibeenpwned):
Full email with headers:
From - Mon Jul 1 07:07:06 2019
X-Account-Key: account3
X-UIDL: 1042748947.51761
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <[email protected]>
Received: from mx2.mail.bg ([unix socket]) by stor3 (Cyrus 2.5.10-Debian-2.5.10-3) with LMTPA; Mon, 01 Jul 2019 01:35:04 +0300
X-Sieve: CMU Sieve 2.4
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on stor3.stor3
X-Spam-Level: ****
X-Spam-Status: No, score=4.6 required=5.0 tests=BAYES_50, HTML_FONT_LOW_CONTRAST,HTML_FONT_SIZE_LARGE,HTML_MESSAGE, MIME_HTML_ONLY,RCVD_IN_RP_RNBL,RDNS_NONE,SURBL_BLOCKED, TO_NO_BRKTS_NORDNS_HTML shortcircuit=no autolearn=no autolearn_force=no version=3.4.2
Received-SPF: none (mailbox.com: No applicable sender policy available) receiver=mx3.mail.bg; identity=mailfrom; envelope-from="[email protected]"; helo=mailbox.com; client-ip=37.49.230.13
Received: from mailbox.com (unknown [37.49.230.13]) by mx2.mail.bg (Postfix) with ESMTP id 9BAFD4000045 for <>; Mon, 1 Jul 2019 01:35:03 +0300 (EEST)
From: ''mail.bg'' <[email protected]>
To:
Subject: Incoming Message(s) On-Hold
Date: 30 Jun 2019 15:35:02 -0700
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Body (quoted-printable HTML decoded to its visible text and link targets; markup dropped; meta GENERATOR: MSHTML 11.00.9600.16438):
Incoming pending messages....(8)
Hello,
Your mailbox (mail.bg) has reached its limit and you have (4) unread mails pending, Kindly click below to update your mail storage to our upgraded extra GB quota.
[Update Storage now] button
  href: https://umbellately-wool.000webhostapp.com/[email protected]g
  data-saferedirecturl: https://www.google.com/url?q=https://buenosarestp.xyz/version/update?email%3D%5B%5B-Email-%5D%5D&source=gmail&ust=1552151851573000&usg=AFQjCNEaB7oetLKnGs9i3T4513JB8NC6Iw
If you're no longer interested in receiving account updates on your mailbox kindly Ignore this message and click unsubscribe using the link below. You have few hours left to Update and avoid loosing mail data
Sent to @mail.bg by mail.bg
Mail Service
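One defender-side use of the headers above, as an added example (my code, not from the original post): parse the SpamAssassin verdict, the SPF result, the From display name and the call-to-action link from a constructed copy of this mail's headers and list what looks off. The addresses in the sample are placeholders; the domains, IP and header values come from the mail above.

```python
import re
from email import message_from_string
from urllib.parse import urlparse, parse_qs

# Constructed sample (placeholder addresses) carrying the header values and the
# call-to-action link seen in the phishing mail above; not the full message.
SAMPLE = """\
Received-SPF: none (mailbox.com: No applicable sender policy available) receiver=mx3.mail.bg; identity=mailfrom; envelope-from="sender@mailbox.com"; helo=mailbox.com; client-ip=37.49.230.13
X-Spam-Status: No, score=4.6 required=5.0 tests=BAYES_50,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_RP_RNBL,RDNS_NONE,SURBL_BLOCKED version=3.4.2
From: ''mail.bg'' <sender@mailbox.com>
Subject: Incoming Message(s) On-Hold
Content-Type: text/html; charset="iso-8859-1"

<a href="https://umbellately-wool.000webhostapp.com/notification1.php?email=user@mail.bg" data-saferedirecturl="https://www.google.com/url?q=https://buenosarestp.xyz/version/update?email%3Duser%40mail.bg">Update Storage now</a>
"""

# SpamAssassin rules that, in this mail, point at a direct-to-MX sender with no rDNS
SUSPECT_TESTS = {"RDNS_NONE", "RCVD_IN_RP_RNBL", "SURBL_BLOCKED", "MIME_HTML_ONLY"}

def triage(raw: str) -> list[str]:
    """Return findings for one RFC 822 message; an empty list means nothing looked off."""
    msg = message_from_string(raw)
    findings = []
    status = msg.get("X-Spam-Status", "")
    m = re.search(r"score=([\d.]+) required=([\d.]+)", status)
    if m:
        score, required = float(m.group(1)), float(m.group(2))
        if 0.8 * required <= score < required:  # passed the filter, but only just (4.6 of 5.0 here)
            findings.append(f"spamassassin near-miss: {score}/{required}")
    t = re.search(r"tests=([\w,]+)", status)
    hits = set(t.group(1).split(",")) if t else set()
    findings += [f"spamassassin test hit: {h}" for h in sorted(hits & SUSPECT_TESTS)]
    # SPF 'none': the HELO domain publishes no policy, so nothing vouches for the sending IP
    spf = msg.get("Received-SPF", "").split(" ", 1)[0].lower()
    if spf in ("none", "fail", "softfail"):
        findings.append(f"spf result: {spf}")
    # A display name that looks like a domain (the recipient's provider) but differs from the address domain
    fm = re.match(r"\s*['\"]*([^'\"<]+?)['\"]*\s*<([^>]+)>", msg.get("From", ""))
    if fm:
        display, sender_domain = fm.group(1), fm.group(2).rsplit("@", 1)[-1].lower()
        if "." in display and display.lower() != sender_domain:
            findings.append(f"display name '{display}' does not match sender domain {sender_domain}")
    # Each link: the href and the Google-tracked target the template was copied with should agree
    for href, safe in re.findall(r'href="([^"]+)"\s+data-saferedirecturl="([^"]+)"', msg.get_payload()):
        real = urlparse(href).hostname
        tracked = urlparse(parse_qs(urlparse(safe).query).get("q", [""])[0]).hostname
        if tracked and tracked != real:
            findings.append(f"link target {real} differs from tracked target {tracked}")
    return findings

print(*triage(SAMPLE), sep="\n")
```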
If you use Gmail, and report your spam via spamcop.net you may have noticed something a little off in the past couple of weeks. I had thought my account had been banned, blocked, broken, dunno…
spam | spamassassin & blacklist
To be completed:
blacklist:
http://psbl.surriel.com
http://barracudacentral.org/rbl/removal-request
http://www.spamcop.net/
http://www.spamhaus.org/sbl/
whitelist:
http://www.dnswl.org/