---
title: Netcup phishing
summary: They really think I got my domain from Netcup \*lol\*
date: 2023-11-17T16:35:12+0100
lastmod: 2024-09-29T14:00:55+0000
# categories:
#- spam
# tags:

# showBreadcrumbs: true
# showDate: false
# showReadingTime: false
# showWordCount: false
# showPagination: false

# feed_exclude: true
# site_exclude: true
---

Okay, this one is not a "good" one in terms of a well-crafted phishing email, because it
is obviously a phishing email: I have not bought the mentioned product from the
mentioned company. But the fact that I constantly get emailed these made me finally
post this to the website.

I get them mostly in pairs of two, one to my main domain and one to a subdomain (which
includes the term `noreply` as part of the domain name).

## The mail body

{{< alert >}}
Watch out for the link: as you can see, it renders as a `netcup.de` domain
in the HTML view, but the source code looks quite a bit different!
{{< /alert >}}

```plain
Sehr geehrte/r


Wir möchten Sie heute freundlich daran erinnern, dass die Domain oe7drt.com
Ihrer Firma, mit der dieses E-Mail-Konto verbunden ist, am 17.11.2023 abläuft.
Als verantwortungsbewusster Anbieter ist es uns ein Anliegen, Ihnen rechtzeitig
über diese bevorstehende Verlängerung zu informieren.

über den sicheren Link erneuern https://renew.netcup.de

Wir möchten sicherstellen, dass Ihre Online-Präsenz reibungslos läuft und Ihr
geschäftlicher Erfolg nicht beeinträchtigt wird. Daher empfehlen wir Ihnen
dringend, die Verlängerung Ihrer Domain vor dem Ablaufdatum zu beantragen.
Indem Sie Ihre Domain verlängern, stellen Sie sicher, dass Ihre Webseite
weiterhin erreichbar ist und Ihr E-Mail-Konto aktiv bleibt.

Dein netcup team

---------------------------------------------------------

netcup GmbH
Managing Directors:
- Oliver Werner
- Alexander Windbichler
Daimlerstr. 25
D-76185 Karlsruhe

Phone: +49 721 / 7540755 - 0
Fax: +49 721 / 7540755 - 9


Commercial register: HRB 705547, Amtsgericht Mannheim

---------------------------------------------------------



2 Attachment(s) (0.9 KB)
?Download all attachments[SUBMIT] ?Show attachments[SUBMIT]
?[SUBMIT]
```

---

{{< alert >}}
**Update on Nov 18 2023**
{{< /alert >}}

I'm sorry, but this is either a very dumb person (or group) or a very funny coincidence.
I got two new mails today in which the **shown URL** was changed to
`www.customercontrolpanel.de`; the link still goes to the Italian site (which you will find
further down in this article).

Only the relevant part is shown below.

```html {hl_lines=7}
<p>über den sicheren Link erneuern <a
href="https://elettrogi.it/"><strong>https://www.customercontrolpanel.de/?login_language=DE</strong></a></p>
<p>Wir möchten sicherstellen, dass Ihre Online-Präsenz…
```

---

{{< alert >}}
**Update on Jan 10 2024**
{{< /alert >}}

Haha, another two emails with yet another domain name: `netcupde.com`. Well, the link now
looks like this:

```html {linenos=table}
<p>Erneuern Sie über den sicheren Link:
<a href="https://therapeutelyon.fr" target="_blank"
rel="noopener noreferrer"><strong>https://customerscontrolpanel.<em
style="color: rgb(0, 0, 0); font-style: inherit;
background-color: rgb(255, 255, 102);">
netcup</em>de.com/de/</strong></a></p>
```

_I added some newlines to the HTML code, because the code is actually only two lines
in the email, but that would make this code block a bit harder to read (especially on mobile
devices)._

These additions of `<em style="...` are the reason I did not initially find the domain `netcupde.com`
in that email, as that would be the first thing I'd look up in the email source (see the end
of line 3 and then line 4).

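The rendered-text-versus-`href` trick from the alert at the top of this post, and the `<em>` split of the domain described just above, are both mechanical enough to check in code. The following is an added example, not code from the original post: it pulls every anchor out of an HTML mail part with Python's standard `html.parser`, joins all text nodes inside the `<a>` so a domain chopped up by `<strong>` and `<em>` is reassembled, and reports any link whose visible text is a URL on a different host than the one the `href` really leads to. The three `SAMPLE_*` strings are the snippets quoted on this page; the function and class names are my own.

```python
"""Detect mail links whose visible text is a URL on a different host than
the href actually points to.  Added example using only the standard
library; the three SAMPLE_* strings are the snippets quoted on this page."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Nov 17: line 18 of the rendered mail body source shown on this page.
SAMPLE_NOV17 = (
    '<p>über den sicheren Link erneuern <a href="https://elettrogi.it/" '
    'target="_blank" rel="noopener noreferrer"><strong>https://renew.'
    '<em style="color: rgb(0, 0, 0); font-style: inherit; '
    'background-color: rgb(255, 255, 102);">netcup</em>.de</strong></a></p>'
)
# Nov 18: same href, new displayed URL.
SAMPLE_NOV18 = """<p>über den sicheren Link erneuern <a
href="https://elettrogi.it/"><strong>https://www.customercontrolpanel.de/?login_language=DE</strong></a></p>"""
# Jan 10: the displayed domain is split by an <em> whose style spans lines.
SAMPLE_JAN10 = """<p>Erneuern Sie über den sicheren Link:
<a href="https://therapeutelyon.fr" target="_blank"
rel="noopener noreferrer"><strong>https://customerscontrolpanel.<em
style="color: rgb(0, 0, 0); font-style: inherit;
background-color: rgb(255, 255, 102);">
netcup</em>de.com/de/</strong></a></p>"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a>.  All text nodes inside
    the anchor are concatenated, so <strong>/<em> wrappers that chop the
    displayed domain into pieces are reassembled before comparison."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Drop all whitespace: line breaks between tags are not part
            # of a hostname, and a URL never legitimately contains spaces.
            shown = "".join("".join(self._text).split())
            self.anchors.append((self._href, shown))
            self._href = None


def host_of(url):
    """Lower-cased host of an http(s) URL, or None if the text is not one."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower()
    return None


def mismatched_links(html):
    """[(href, shown_text)] for anchors whose visible text is a URL whose
    host differs from the host the href really leads to.  Anchors whose
    text is plain words are skipped: only URL-looking text can lie."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return [
        (href, shown)
        for href, shown in parser.anchors
        if host_of(shown) is not None and host_of(shown) != host_of(href)
    ]


if __name__ == "__main__":
    for name, sample in (("Nov 17", SAMPLE_NOV17), ("Nov 18", SAMPLE_NOV18),
                         ("Jan 10", SAMPLE_JAN10)):
        for href, shown in mismatched_links(sample):
            print(f"{name}: text shows {shown} but href is {href}")
```

Comparing hosts rather than whole URLs is deliberate: a tracking redirect on the sender's own domain is not the pattern seen here, whereas text on one registrable domain pointing to an unrelated one is exactly the signal in all three mails.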
---

{{< alert >}}
**Update on Jan 11 2024**
{{< /alert >}}

Another domain comes in quickly. I doubt that everyone looks up a domain's whois information, but if you
do, don't let them fool you. This one looks very valid, although it is not.

The new domain name I'm talking about is `netcup.eu`, and it is also registered at `netcup.de`. The whois
information makes the two look very related to each other...

```console
$ whois netcup.eu
% [snip]
% WHOIS netcup.eu
Domain: netcup.eu
Script: LATIN

Registrant:
NOT DISCLOSED!
Visit www.eurid.eu for webbased WHOIS.

On-site(s):
NOT DISCLOSED!
Visit www.eurid.eu for webbased WHOIS.

Technical:
Organisation: netcup GmbH
Language: de
Email: mail@netcup.de

Registrar:
Name: netcup GmbH
Website: www.netcup.de

Name servers:
second-dns.netcup.net
third-dns.netcup.net
root-dns.netcup.net

Please visit www.eurid.eu for more info.
```

I don't understand why Netcup does not ban domain names on their
nameservers that include the term _netcup_ in their name.

By the way, the new link refers to `bodyplussize.pl`.

{{< alert circle-info >}}
I guess I won't update this post much more; these emails always seem to show the same
boring text and structure.
{{< /alert >}}

---

## The mail body source (html)

{{< alert "circle-info" >}}
Note the highlighted line (18). There you have the real link that we mentioned
above.
{{< /alert >}}

```html {hl_lines=18}
<head>

<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="MSHTML 11.00.10570.1001"></head>
<body>
<div class="content-message" dojoattachpoint="contentMsgPane">
<div class="text msg-view-text" role="text">
<div class="msg-view-text-cnt" dojoattachpoint="_messageTextCntNode">
<div class="xam_msg_class">
<meta content="text/html">
<p>Sehr geehrte/r</p>
<p><br></p>
<p>Wir möchten Sie heute freundlich daran erinnern, dass die
Domain <strong>oe7drt.com</strong> Ihrer Firma, mit der dieses
E-Mail-Konto verbunden ist, am <strong>17.11.2023</strong> abläuft. Als
verantwortungsbewusster Anbieter ist es uns ein Anliegen, Ihnen rechtzeitig
über diese bevorstehende Verlängerung zu informieren.</p>
<p>über den sicheren Link erneuern <a href="https://elettrogi.it/" target="_blank" rel="noopener noreferrer"><strong>https://renew.<em style="color: rgb(0, 0, 0); font-style: inherit; background-color: rgb(255, 255, 102);">netcup</em>.de</strong></a></p>
<p>Wir möchten sicherstellen, dass Ihre Online-Präsenz reibungslos läuft und Ihr
geschäftlicher Erfolg nicht beeinträchtigt wird. Daher empfehlen wir Ihnen
dringend, die Verlängerung Ihrer Domain vor dem Ablaufdatum zu beantragen.
Indem Sie Ihre Domain verlängern, stellen Sie sicher, dass Ihre Webseite
weiterhin erreichbar ist und Ihr E-Mail-Konto aktiv bleibt.</p>
<p>Dein <em style="color: rgb(0, 0, 0); font-style: inherit; background-color: rgb(255, 255, 102);">netcup</em>
team</p>
<p>---------------------------------------------------------</p>
<p><em style="color: rgb(0, 0, 0); font-style: inherit; background-color: rgb(255, 255, 102);">netcup</em>
GmbH<br>Managing Directors:<br>- Oliver Werner<br>- Alexander
Windbichler<br>Daimlerstr. 25<br>D-76185 Karlsruhe</p>
<p>Phone: +49 721 / 7540755 - 0<br>Fax: +49 721 / 7540755 - 9</p>
<p><br></p>
<p>Commercial register: HRB 705547, Amtsgericht Mannheim </p>
<p>---------------------------------------------------------
<br></p></div></div>
<div class="msg-view-quoted-message-button removed" dojoattachpoint="_showQuotedNode"><br></div></div>
<div class="attachments-area-container dijitContentPane collapsed removed all-deleted" id="uiLogic_webmail__view_AttachmentsArea_0" role="group" dir="ltr" dojotype="uiLogic.webmail._view.AttachmentsArea" widgetid="uiLogic_webmail__view_AttachmentsArea_0" region="bottom">
<div>
<div class="box" role="attachments-area">
<div class="attachments-download-warp" role="attachments-download-warp" style="display: none;">
<div class="view-attachments-info" role="attachments-info">2 Attachment(s) (0.9
KB)</div><span class="dijit dijitReset dijitInline attachments-download dijitButton" widgetid="dijit_form_Button_42"><span class="dijitReset dijitInline dijitButtonNode" dojoattachevent="ondijitclick:_onButtonClick"><span tabindex="0" class="dijitReset dijitStretch dijitButtonContents" id="dijit_form_Button_42" role="button" aria-labelledby="dijit_form_Button_42_label" style="opacity: 0; user-select: none;" dojoattachpoint="titleNode,focusNode" wairole="button" waistate="labelledby-dijit_form_Button_42_label"><span class="dijitReset dijitInline dijitIcon" dojoattachpoint="iconNode"></span><span class="dijitReset dijitToggleButtonIconChar">?</span><span class="dijitReset dijitInline dijitButtonText" id="dijit_form_Button_42_label" dojoattachpoint="containerNode">Download all
attachments</span></span></span><input class="dijitOffScreen" type="button" dojoattachpoint="valueNode"></span>
<span class="dijit dijitReset dijitInline attachments-show dijitButton" widgetid="dijit_form_Button_44"><span class="dijitReset dijitInline dijitButtonNode" dojoattachevent="ondijitclick:_onButtonClick"><span tabindex="0" class="dijitReset dijitStretch dijitButtonContents" id="dijit_form_Button_44" role="button" aria-labelledby="dijit_form_Button_44_label" style="opacity: 0; user-select: none;" dojoattachpoint="titleNode,focusNode" wairole="button" waistate="labelledby-dijit_form_Button_44_label"><span class="dijitReset dijitInline dijitIcon" dojoattachpoint="iconNode"></span><span class="dijitReset dijitToggleButtonIconChar">?</span><span class="dijitReset dijitInline dijitButtonText" id="dijit_form_Button_44_label" dojoattachpoint="containerNode">Show
attachments</span></span></span><input class="dijitOffScreen" type="button" dojoattachpoint="valueNode"></span>

<div class="back-panel removed"><span class="dijit dijitReset dijitInline attachments-toggle view-landscape-button viewNextIcon dijitButton" widgetid="dijit_form_Button_43"><span class="dijitReset dijitInline dijitButtonNode" dojoattachevent="ondijitclick:_onButtonClick"><span tabindex="0" title="Hide" class="dijitReset dijitStretch dijitButtonContents" id="dijit_form_Button_43" role="button" aria-labelledby="dijit_form_Button_43_label" style="user-select: none;" dojoattachpoint="titleNode,focusNode" wairole="button" waistate="labelledby-dijit_form_Button_43_label"><span class="dijitReset dijitInline dijitIcon" dojoattachpoint="iconNode"></span><span class="dijitReset dijitToggleButtonIconChar">?</span><span class="dijitReset dijitInline dijitButtonText" id="dijit_form_Button_43_label" dojoattachpoint="containerNode"></span></span></span><input class="dijitOffScreen" type="button" dojoattachpoint="valueNode"></span>
</div></div>
<div class="box" role="attachments"></div></div></div></div></div>
</body>
```

## The mail source

```plain
Return-Path: <postmaster@onedk.net>
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41])
    by sloti44n20 (Cyrus 3.9.0-alpha0-1108-g3a29173c6d-fm-20231031.005-g3a29173c) with LMTPA;
    Fri, 17 Nov 2023 08:04:12 -0500
X-Cyrus-Session-Id: sloti44n20-1700226252-3181116-2-9777549396983539035
X-Sieve: CMU Sieve 3.0
X-Spam-known-sender: no
X-Spam-sender-reputation: 0 (email; noauth)
X-Spam-score: 14.5
X-Spam-hits: BAYES_99 3.5, BAYES_999 1.2, DCC_CHECK 1.1, DCC_REPUT_90_94 0.6,
    FSL_BULK_SIG 1.593, HTML_MESSAGE 0.001, HTML_MIME_NO_HTML_TAG 0.377,
    HTTPS_HTTP_MISMATCH 0.1, ME_NOAUTH 0.01, ME_SC_NH -0.001,
    ME_SENDERREP_DENY 4, ME_VADEPHISHING 2, MIME_HTML_ONLY 0.1,
    SPF_HELO_NONE 0.001, SPF_NONE 0.001, T_SCC_BODY_TEXT_LINE -0.01,
    LANGUAGES de, BAYES_USED user, SA_VERSION 3.4.6
X-Backscatter: NotFound1
X-Backscatter-Hosts:
X-Spam-source: IP='37.120.188.231', Host='v2202311112809242991.luckysrv.de', Country='DE',
    FromHeader='net', MailFrom='net'
X-Spam-charsets: html='windows-1252'
X-Resolved-to: dominic@...
X-Delivered-to: dominic@noreply....
X-Mail-from: postmaster@onedk.net
Received: from mx4 ([10.202.2.203])
    by compute1.internal (LMTPProxy); Fri, 17 Nov 2023 08:04:12 -0500
Received: from mx4.messagingengine.com (localhost [127.0.0.1])
    by mailmx.nyi.internal (Postfix) with ESMTP id 7FA301F20122
    for <dominic@noreply....>; Fri, 17 Nov 2023 08:04:11 -0500 (EST)
Received: from mailmx.nyi.internal (localhost [127.0.0.1])
    by mx4.messagingengine.com (Authentication Milter) with ESMTP
    id 17A016E9B26.8E0F31F2037D;
    Fri, 17 Nov 2023 08:04:11 -0500
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm1; t=
    1700226251; b=LpZ7c6e8oXo/abJ3c3SIgseAfYAwmkcgCE9cMryacWzUPDXywM
    2Bu+k0NpXZJaKcrAdOyuejBwIiFyqSq+TK/glo0Hk6DmC7TE8yw0HlddNInKUJ53
    Fc/rTiqmgPpJXrUwryrmEZ4jJTcR+GIoUtXEIweftEhongl3cZvcVXf0gaE0Zxcg
    Za3pbOgZ8xEBJADOyvCNPeZOAaNvNF5C19ylzywj0UO6lDX7v58OVI0GKyqdIMH9
    i0kvloD/B/CDHnT6jHWav2C35s5NKnHX+SuNQ4/CPOG7uuRiC3+S2G4pTwP542Cq
    Pu87hi1GKiH5VuM8m92JH9nwb70r5fB+fRCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
    messagingengine.com; h=mime-version:from:reply-to:to:subject
    :content-type:content-transfer-encoding:date:message-id; s=fm1;
    t=1700226251; bh=NbXSTJaTKSRZgsx8I0IN3ukxEcOTFS+VrpzkYzr/Un8=; b=
    lmluPcXbKIM06qPoH+sQ2YXHJlP5FQFfF/R43bgajaKkZ3mO5x7uGQA0BFsF+c1M
    qwrJG7rG6hxW8aKmnlNyRIskwVt393qYEnCk29qDK4qVcG/34wlYG1J1jpMqPXXm
    1oJx1wYrpvelG3ADuTXHXJcleupCGdCIwlo9y9InuAjKOMGjLW8zxCKVv2DvRQ8r
    o8CNKpGY6iLcBctsE40CuXNHvNaxH9jsnXTqhhI6WJjugPek7JAof4JRSJDvVJX6
    aZ7pl4xOsHH0psrC2u+kUUUiIvjFNoU+MBbsK0aG/ezThetyaYwkjQPuD0ZNgU5H
    t5gJ0HdrTFSeQUft9LQlEg==
ARC-Authentication-Results: i=1; mx4.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=pass smtp.helo=v2202311112809242991.luckysrv.de
    policy.ptr=v2202311112809242991.luckysrv.de;
    bimi=skipped (DMARC did not pass);
    arc=none (no signatures found);
    dkim=invalid (public key: not available, unknown key sha256)
    header.d=onedk.net header.i=@onedk.net header.b=tKBKfGAz
    header.a=unknown-sha256 header.s=dkim;
    dmarc=none policy.published-domain-policy=none
    policy.applied-disposition=none policy.evaluated-disposition=none
    (p=none,d=none,d.eval=none) policy.policy-from=p
    header.from=onedk.net;
    iprev=pass smtp.remote-ip=37.120.188.231
    (v2202311112809242991.luckysrv.de);
    spf=none smtp.mailfrom=postmaster@onedk.net
    smtp.helo=v2202311112809242991.luckysrv.de
X-ME-Authentication-Results: mx4.messagingengine.com;
    x-aligned-from=pass (Address match);
    x-return-mx=pass header.domain=onedk.net policy.is_org=yes
    (MX Records found: mx-biz.mail.am0.yahoodns.net,mx-biz.mail.am0.yahoodns.net);
    x-return-mx=pass smtp.domain=onedk.net policy.is_org=yes
    (MX Records found: mx-biz.mail.am0.yahoodns.net,mx-biz.mail.am0.yahoodns.net);
    x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384
    smtp.bits=256/256;
    x-vs=phishing score=607 state=101
Authentication-Results: mx4.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=pass smtp.helo=v2202311112809242991.luckysrv.de
    policy.ptr=v2202311112809242991.luckysrv.de
Authentication-Results: mx4.messagingengine.com;
    bimi=skipped (DMARC did not pass)
Authentication-Results: mx4.messagingengine.com;
    arc=none (no signatures found)
Authentication-Results: mx4.messagingengine.com;
    dkim=invalid (public key: not available, unknown key sha256)
    header.d=onedk.net header.i=@onedk.net header.b=tKBKfGAz
    header.a=unknown-sha256 header.s=dkim;
    dmarc=none policy.published-domain-policy=none
    policy.applied-disposition=none policy.evaluated-disposition=none
    (p=none,d=none,d.eval=none) policy.policy-from=p
    header.from=onedk.net;
    iprev=pass smtp.remote-ip=37.120.188.231
    (v2202311112809242991.luckysrv.de);
    spf=none smtp.mailfrom=postmaster@onedk.net
    smtp.helo=v2202311112809242991.luckysrv.de
X-ME-VSCause: gggruggvucftvghtrhhoucdtuddrgedvkedrudegtddggeejucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu
    rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucgorfhhihhshhhinhhgqd
    fkkffrucdliedtjedmnecujfgurhepggfhrhfvufgtgffofffksehhqhertdertdehnecu
    hfhrohhmpedfpfgvthgtuhhpucfimhgsjfdfuceophhoshhtmhgrshhtvghrsehonhgvug
    hkrdhnvghtqeenucggtffrrghtthgvrhhnpeffffdufeffudeiieelueeghfeiteffhfdt
    hffhveeigffgfeefheelteejkeeuudenucffohhmrghinhepvghlvghtthhrohhgihdrih
    htpdhnvghttghuphdruggvnecukfhppeefjedruddvtddrudekkedrvdefudenucfrhhhi
    shhhihhnghdqkffkrfephhhtthhpshemsddsvghlvghtthhrohhgihdrihhtnecuvehluh
    hsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepfeejrdduvddtrddukeekrddv
    fedupdhhvghlohepvhdvvddtvdefudduudduvdektdelvdegvdelledurdhluhgtkhihsh
    hrvhdruggvpdhmrghilhhfrhhomhepoehpohhsthhmrghsthgvrhesohhnvggukhdrnhgv
    theqpdhnsggprhgtphhtthhopedupdhrtghpthhtohepoeguohhmihhnihgtsehnohhrvg
    hplhihrdhovgejughrthdrtghomheq
X-ME-VSScore: 607
X-ME-VSCategory: phishing
X-ME-CSA: none
Received-SPF: none
    (onedk.net: No applicable sender policy available)
    receiver=mx4.messagingengine.com;
    identity=mailfrom;
    envelope-from="postmaster@onedk.net";
    helo=v2202311112809242991.luckysrv.de;
    client-ip=37.120.188.231
Received: from v2202311112809242991.luckysrv.de (v2202311112809242991.luckysrv.de [37.120.188.231])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by mx4.messagingengine.com (Postfix) with ESMTPS id 8E0F31F2037D
    for <dominic@noreply....>; Fri, 17 Nov 2023 08:03:44 -0500 (EST)
Received: from v2202311112809242991.luckysrv.de (localhost [127.0.0.1])
    by v2202311112809242991.luckysrv.de (Postfix) with ESMTP id 4SWxs61BzJz48xN
    for <dominic@noreply....>; Fri, 17 Nov 2023 14:02:50 +0100 (CET)
Authentication-Results: v2202311112809242991.luckysrv.de (amavis); dkim=pass
    reason="pass (just generated, assumed good)" header.d=onedk.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=onedk.net; h=
    message-id:date:x-mailer:content-transfer-encoding:content-type
    :subject:to:reply-to:from:mime-version; s=dkim; t=1700226169; x=
    1702818170; bh=mEPVMchXmulep+z6c+qm5ufujgLqwDgvxHEmacERCZA=; b=t
    KBKfGAzEtvWgwvWrD7w1wNLn5Ljp4RgfY5dBV+Y2EzCWLZVYJeih0lqaRU27jL61
    ILRSW9WRbAu2tgr1M0wdQwOHQ4Dp7i3ps7AQJn4BpvFbTwR1b524Hs4t52xKMecy
    Zf/X+yRzlRPVTO5mi0sPK0tmAEvN+TBmcsldK9RKgwIr8qUFau99OBBZlDoYUMRV
    wMZOoJ3ccaPC5dooc/sDd+MbQSaGKH1Ubum0Ld9VtdOHlWHFs+tpujzYC/L/kxLl
    4k/BSYsGw4IUurCbPZnoR5TIBuAV2hy4caZMtFELmeOG7ZuQjvr8wMJUNhwflzeQ
    OUiV2kgjdZsHb3mtnjzHg==
X-Virus-Scanned: Debian amavis at v2202311112809242991.luckysrv.de
Received: from v2202311112809242991.luckysrv.de ([127.0.0.1])
    by v2202311112809242991.luckysrv.de (v2202311112809242991.luckysrv.de [127.0.0.1]) (amavis, port 10024)
    with ESMTP id nPsir9OSICbE for <dominic@noreply....>;
    Fri, 17 Nov 2023 14:02:49 +0100 (CET)
Received: from vmi1464682 (localhost [IPv6:::1])
    by v2202311112809242991.luckysrv.de (Postfix) with ESMTPS id 4SWxs55N6sz48x5
    for <dominic@noreply....>; Fri, 17 Nov 2023 14:02:49 +0100 (CET)
MIME-Version: 1.0
From: "Netcup GmbH" <postmaster@onedk.net>
Reply-To: postmaster@onedk.net
To: dominic@noreply....
Subject: Deaktivierung des E-Mail-Postfachs aufgrund des Ablaufs der Domain oe7drt.com
Content-Type: text/html; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Smart_Send_4_4_2
Date: Fri, 17 Nov 2023 14:02:49 +0100
Message-ID: <5196428650656248899676@vmi1464682>

<head>=0A =0A<meta http-equiv=3D"Content-Type" content=3D"text/html; charse=
t=3Dwindows-1252"> =0A<meta name=3D"GENERATOR" content=3D"MSHTML 11.00.105=
70.1001"></head> =0A<body>=0A<div class=3D"content-message" dojoattachpoint=
=3D"contentMsgPane">=0A<div class=3D"text msg-view-text" role=3D"text">=0A<=
div class=3D"msg-view-text-cnt" dojoattachpoint=3D"_messageTextCntNode">=0A=
<div class=3D"xam_msg_class">=0A<meta content=3D"text/html"> =0A<p>Sehr =
geehrte/r</p>=0A<p><br></p>=0A<p>Wir m=F6chten Sie heute freundlich daran e=
rinnern, dass die =0A Domain <strong>oe7drt.com</strong> Ihrer Fi=
rma, mit der dieses =0A E-Mail-Konto verbunden ist, am <strong>17.11.2023<=
/strong> abl=E4uft. Als =0A verantwortungsbewusster Anbieter ist es uns ei=
n Anliegen, Ihnen rechtzeitig =0A=FCber diese bevorstehende Verl=E4ngerun=
g zu informieren.</p>=0A<p>=FCber den sicheren Link erneuern <a href=3D"htt=
ps://elettrogi.it/" target=3D"_blank" rel=3D"noopener noreferrer"><strong>h=
ttps://renew.<em style=3D"color: rgb(0, 0, 0); font-style: inherit; backgro=
und-color: rgb(255, 255, 102);">netcup</em>.de</strong></a></p>=0A<p>Wir m=
=F6chten sicherstellen, dass Ihre Online-Pr=E4senz reibungslos l=E4uft und =
Ihr =0A gesch=E4ftlicher Erfolg nicht beeintr=E4chtigt wird. Daher empfehle=
n wir Ihnen =0A dringend, die Verl=E4ngerung Ihrer Domain vor dem Ablaufda=
tum zu beantragen. =0AIndem Sie Ihre Domain verl=E4ngern, stellen Sie sic=
her, dass Ihre Webseite =0Aweiterhin erreichbar ist und Ihr E-Mail-Konto =
aktiv bleibt.</p>=0A<p>Dein <em style=3D"color: rgb(0, 0, 0); font-style: i=
nherit; background-color: rgb(255, 255, 102);">netcup</em> =0Ateam</p>=0A<p=
>---------------------------------------------------------</p>=0A<p><em sty=
le=3D"color: rgb(0, 0, 0); font-style: inherit; background-color: rgb(255, =
255, 102);">netcup</em> =0AGmbH<br>Managing Directors:<br>- Oliver Werner<b=
r>- Alexander =0A Windbichler<br>Daimlerstr. 25<br>D-76185 Karlsruhe</p>=
=0A<p>Phone: +49 721 / 7540755 - 0<br>Fax: +49 721 / 7540755 - 9</p>=0A<p><=
br></p>=0A<p>Commercial register: HRB 705547, Amtsgericht Mannheim </p>=0A<=
p>--------------------------------------------------------- =0A<br></p><=
/div></div> =0A<div class=3D"msg-view-quoted-messag=
e-button removed" dojoattachpoint=3D"_showQuotedNode"><br></div></div>=0A<d=
iv class=3D"attachments-area-container dijitContentPane collapsed removed a=
ll-deleted" id=3D"uiLogic_webmail__view_AttachmentsArea_0" role=3D"group" d=
ir=3D"ltr" dojotype=3D"uiLogic.webmail._view.AttachmentsArea" widgetid=3D"u=
iLogic_webmail__view_AttachmentsArea_0" region=3D"bottom">=0A<div>=0A<div c=
lass=3D"box" role=3D"attachments-area">=0A<div class=3D"attachments-downloa=
d-warp" role=3D"attachments-download-warp" style=3D"display: none;">=0A<div=
 class=3D"view-attachments-info" role=3D"attachments-info">2 Attachment(s) =
(0.9 =0A KB)</div><span class=3D"dijit dijitReset dijitInline attachments-d=
ownload dijitButton" widgetid=3D"dijit_form_Button_42"><span class=3D"dijit=
Reset dijitInline dijitButtonNode" dojoattachevent=3D"ondijitclick:_onButto=
nClick"><span tabindex=3D"0" class=3D"dijitReset dijitStretch dijitButtonCo=
ntents" id=3D"dijit_form_Button_42" role=3D"button" aria-labelledby=3D"diji=
t_form_Button_42_label" style=3D"opacity: 0; user-select: none;" dojoattach=
point=3D"titleNode,focusNode" wairole=3D"button" waistate=3D"labelledby-dij=
it_form_Button_42_label"><span class=3D"dijitReset dijitInline dijitIcon" d=
ojoattachpoint=3D"iconNode"></span><span class=3D"dijitReset dijitToggleBut=
tonIconChar">=3F</span><span class=3D"dijitReset dijitInline dijitButtonTex=
t" id=3D"dijit_form_Button_42_label" dojoattachpoint=3D"containerNode">Down=
load all =0A attachments</span></span></span><input class=3D"dijitOffScreen=
" type=3D"button" dojoattachpoint=3D"valueNode"></span>=0A <span class=
=3D"dijit dijitReset dijitInline attachments-show dijitButton" widgetid=3D"=
dijit_form_Button_44"><span class=3D"dijitReset dijitInline dijitButtonNode=
" dojoattachevent=3D"ondijitclick:_onButtonClick"><span tabindex=3D"0" clas=
s=3D"dijitReset dijitStretch dijitButtonContents" id=3D"dijit_form_Button_4=
4" role=3D"button" aria-labelledby=3D"dijit_form_Button_44_label" style=3D"=
opacity: 0; user-select: none;" dojoattachpoint=3D"titleNode,focusNode" wai=
role=3D"button" waistate=3D"labelledby-dijit_form_Button_44_label"><span cl=
ass=3D"dijitReset dijitInline dijitIcon" dojoattachpoint=3D"iconNode"></spa=
n><span class=3D"dijitReset dijitToggleButtonIconChar">=3F</span><span clas=
s=3D"dijitReset dijitInline dijitButtonText" id=3D"dijit_form_Button_44_lab=
el" dojoattachpoint=3D"containerNode">Show =0A attachments</span></span></s=
pan><input class=3D"dijitOffScreen" type=3D"button" dojoattachpoint=3D"valu=
eNode"></span>=0A =0A<div class=3D"back-panel removed"><span class=3D"d=
ijit dijitReset dijitInline attachments-toggle view-landscape-button viewNe=
xtIcon dijitButton" widgetid=3D"dijit_form_Button_43"><span class=3D"dijitR=
eset dijitInline dijitButtonNode" dojoattachevent=3D"ondijitclick:_onButton=
Click"><span tabindex=3D"0" title=3D"Hide" class=3D"dijitReset dijitStretch=
 dijitButtonContents" id=3D"dijit_form_Button_43" role=3D"button" aria-labe=
lledby=3D"dijit_form_Button_43_label" style=3D"user-select: none;" dojoatta=
chpoint=3D"titleNode,focusNode" wairole=3D"button" waistate=3D"labelledby-d=
ijit_form_Button_43_label"><span class=3D"dijitReset dijitInline dijitIcon"=
 dojoattachpoint=3D"iconNode"></span><span class=3D"dijitReset dijitToggleB=
uttonIconChar">=3F</span><span class=3D"dijitReset dijitInline dijitButtonT=
ext" id=3D"dijit_form_Button_43_label" dojoattachpoint=3D"containerNode"></=
span></span></span><input class=3D"dijitOffScreen" type=3D"button" dojoatta=
chpoint=3D"valueNode"></span>=0A </div></div>=0A<div class=3D"box" role=
=3D"attachments"></div></div></div></div></div>=0A</body>
```

{{< alert "bug" >}}
Please ignore the :date: signs in the source code above; the content is
"emojified" and I currently have no idea how to turn this off...
{{< /alert >}}

## Why is this email invalid?

First of all, the sending host is not a Netcup GmbH server; its hostname
is `v2202311112809242991.luckysrv.de`. This makes the mail suspicious, but the
main reason why this email is not valid in any way is this: my domain `oe7drt.com` is
not managed at Netcup at all. There are just A and AAAA (and other) records
that point to a root server at Netcup.

{{< alert >}}
**Update on Nov 18 2023**:
Oh, just because I updated the new URL they present you with: they also send from a
new hostname: `v2202311110463243091.nicesrv.de` -- well, both domains are
hosted on Netcup DNS servers, which may indicate something ;-)
{{< /alert >}}

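The header block above already records most of what this section argues: the connecting host is `v2202311112809242991.luckysrv.de`, SPF and DMARC are `none`, DKIM is `invalid`, and the `From:` display name says "Netcup GmbH" while the address is at `onedk.net`. As an added example that is not part of the original post, the Python below reads those signals out of a raw message with the standard-library `email` package, undoes the quoted-printable transfer encoding so that `=F6` becomes `ö` and `=3D` becomes `=`, and lists the mismatches a mail filter or analyst would act on. `RAW_MAIL` is cut down from the message shown on this page: only the headers the checks need, a shortened body, and the placeholder `recipient@example.invalid` in place of the elided recipient. `registrable()` is a naive last-two-labels approximation, not a public-suffix lookup, and the brand-in-display-name check is a heuristic of my own.

```python
"""List the reasons a raw mail does not line up with its claimed sender:
authentication verdicts, last hop, display name and body link hosts.
Added example on top of the stdlib email package.  RAW_MAIL is trimmed from
the message quoted on this page; the recipient is a placeholder and the
body was shortened, but every other value is from the page."""
import email
import re
from email import policy

RAW_MAIL = """\
Return-Path: <postmaster@onedk.net>
Received: from v2202311112809242991.luckysrv.de (v2202311112809242991.luckysrv.de [37.120.188.231])
    by mx4.messagingengine.com (Postfix) with ESMTPS id 8E0F31F2037D
    for <recipient@example.invalid>; Fri, 17 Nov 2023 08:03:44 -0500 (EST)
Authentication-Results: mx4.messagingengine.com;
    dkim=invalid (public key: not available, unknown key sha256)
    header.d=onedk.net header.i=@onedk.net header.b=tKBKfGAz
    header.a=unknown-sha256 header.s=dkim;
    dmarc=none policy.published-domain-policy=none
    header.from=onedk.net;
    spf=none smtp.mailfrom=postmaster@onedk.net
    smtp.helo=v2202311112809242991.luckysrv.de
MIME-Version: 1.0
From: "Netcup GmbH" <postmaster@onedk.net>
To: recipient@example.invalid
Subject: Deaktivierung des E-Mail-Postfachs aufgrund des Ablaufs der Domain oe7drt.com
Content-Type: text/html; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

<p>Wir m=F6chten Sie daran erinnern, dass die Domain <strong>oe7drt.com</stro=
ng> am 17.11.2023 abl=E4uft.</p>
<p>=FCber den sicheren Link erneuern <a href=3D"https://elettrogi.it/"><stron=
g>https://renew.netcup.de</strong></a></p>
"""


def auth_verdicts(msg):
    """{method: result} from every Authentication-Results header; the first
    verdict per method wins, which is the receiving MX's own assessment."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc|arc)=(\w+)", str(value)):
            verdicts.setdefault(m.group(1), m.group(2))
    return verdicts


def last_hop(msg):
    """(helo_name, ip) of the host that handed the mail to our MX, read from
    the topmost Received header, the one our own server wrote."""
    for value in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)\s+\(\S+\s+\[([\d.]+)\]", str(value))
        if m:
            return m.group(1), m.group(2)
    return None, None


def registrable(host):
    """Last two DNS labels.  Assumption: no public-suffix list; fine for
    the .de/.net/.it names on this page, wrong for e.g. co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    verdicts = auth_verdicts(msg)
    helo, ip = last_hop(msg)
    # Undo quoted-printable and the declared charset: =F6 -> ö, =3D -> =.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset())
    link_hosts = re.findall(r'href="https?://([^/"]+)', body, re.I)

    findings = []
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            findings.append(f"{method}={verdicts.get(method, 'missing')}")
    if helo and registrable(helo) != registrable(from_domain):
        findings.append(f"sending host {helo} ({ip}) is not under {from_domain}")
    # Heuristic: the first word of the display name is treated as the brand
    # the mail claims to come from; it should appear in the address domain.
    brand = sender.display_name.split()[0].lower() if sender.display_name else ""
    if brand and brand not in from_domain:
        findings.append(f"display name {sender.display_name!r} does not match {from_domain}")
    for host in link_hosts:
        if registrable(host) != registrable(from_domain):
            findings.append(f"body links to {host}, outside {from_domain}")
    return {"verdicts": verdicts, "from_domain": from_domain,
            "last_hop": (helo, ip), "body": body, "findings": findings}


if __name__ == "__main__":
    for line in assess(RAW_MAIL)["findings"]:
        print("-", line)
```

On its own, none of these findings is proof: plenty of legitimate newsletters link to hosts outside the sender's domain, and `dmarc=none` is common. Together with the displayed-URL mismatch from the HTML part they are exactly the chain of reasoning this section walks through by hand.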
I thought I might share this one as well, because I get about 6-8 emails per day
about my "netcup domain". The funny thing is, one of the domains has _noreply_ in
the domain name; I use it for several git repositories (like GitHub does). And
to eliminate any kind of misinterpretation: the domain includes **noreply** --
not **nodeliver**.

## Quite a few huh?

![image showing 18 mails from November 6 to November 18](mails.png "Quantity is not the same as quality.")