---
title: Netcup phishing
summary: They really think I got my domain from Netcup \*lol\*
date: 2023-11-17T16:35:12+0100
lastmod: 2024-09-29T14:12:19+0000
# categories:
#- spam
# tags:

showBreadcrumbs: true
# showDate: false
# showReadingTime: false
# showWordCount: false
# showPagination: false

# feed_exclude: true
# site_exclude: true
---

Okay this one is not a "good" one, in terms of a good phishing email, because it
is obviosly a phishing email since I do not have the mentioned product bought at
mentioned company. But the fact that I get constantly emailed these made me finally
post this to the website.

I get them mostly in a pair of two, one to my main domain and one to a subdomain (which
includes the term `noreply` as part of the domainname).

## The mail body

{{< alert >}}
Watch out for the link, as you might see, it gets rendered to a `netcup.de` domain
as HTML, but the source code does look quite a bit different!
{{< /alert >}}

```plain
Sehr geehrte/r


Wir möchten Sie heute freundlich daran erinnern, dass die Domain oe7drt.com
 Ihrer Firma, mit der dieses E-Mail-Konto verbunden ist, am 17.11.2023 abläuft.
Als verantwortungsbewusster Anbieter ist es uns ein Anliegen, Ihnen rechtzeitig
über diese bevorstehende Verlängerung zu informieren.

über den sicheren Link erneuern https://renew.netcup.de

Wir möchten sicherstellen, dass Ihre Online-Präsenz reibungslos läuft und Ihr
geschäftlicher Erfolg nicht beeinträchtigt wird. Daher empfehlen wir Ihnen
dringend, die Verlängerung Ihrer Domain vor dem Ablaufdatum zu beantragen.
Indem Sie Ihre Domain verlängern, stellen Sie sicher, dass Ihre Webseite
weiterhin erreichbar ist und Ihr E-Mail-Konto aktiv bleibt.

Dein netcup team

---------------------------------------------------------

netcup GmbH
Managing Directors:
- Oliver Werner
- Alexander Windbichler
Daimlerstr. 25
D-76185 Karlsruhe

Phone: +49 721 / 7540755 - 0
Fax: +49 721 / 7540755 - 9


Commercial register: HRB 705547, Amtsgericht Mannheim

---------------------------------------------------------

    

2 Attachment(s) (0.9 KB)
?Download all attachments[SUBMIT] ?Show attachments[SUBMIT]
?[SUBMIT]
```

---

{{< alert >}}
**Update on Nov 18 2023**
{{< /alert >}}

I'm sorry, this is either a very dumb person (or group) or it is a very funny coincidence.
I got two new mails today in which the **shown URL** was changed to
`www.customercontrolpanel.de`, the link still goes to the italian site (that you will find
further down in this article).

Following only the relevant part is shown.

```html {hl_lines=7}
<p>über den sicheren Link erneuern <a
href="https://elettrogi.it/"><strong>https://www.customercontrolpanel.de/?login_language=DE</strong></a></p>
<p>Wir möchten sicherstellen, dass Ihre Online-Präsenz…
```

---

{{< alert >}}
**Update on Jan 10 2024**
{{< /alert >}}

Haha another two emails with yet another domainname: `netcupde.com`. Well, the link now
looks like this:

```html {linenos=table}
<p>Erneuern Sie über den sicheren Link:
  <a href="https://therapeutelyon.fr" target="_blank"
  rel="noopener noreferrer"><strong>https://customerscontrolpanel.<em
style="color: rgb(0, 0, 0); font-style: inherit;
  background-color: rgb(255, 255, 102);">
  netcup</em>de.com/de/</strong></a></p>
```

_I added some newlines into the html code, because the code is actually only two lines
in the email but that would make this codeblock a bit harder to read (specially on mobile
devices)._

These additions of `<em style="...` are the reason for me not initially finding the domain `netcupde.com`
in that email as that would be the first thing that I'd look up in the email sources (see the end
of line 3 and up on line 4).

---

{{< alert >}}
**Update on Jan 11 2024**
{{< /alert >}}

Another domain comes in quick. I doubt that everyone looks up a domains whois information, but if you
do, don't let them fool you. This one looks very valid, although it is not.

The new domain name I'm talking about is `netcup.eu` and it is also registered at `netcup.de`. The whois
information makes it look very related to each other...

```console
$ whois netcup.eu
% [snip]
% WHOIS netcup.eu
Domain: netcup.eu
Script: LATIN

Registrant:
        NOT DISCLOSED!
        Visit www.eurid.eu for webbased WHOIS.

On-site(s):
        NOT DISCLOSED!
        Visit www.eurid.eu for webbased WHOIS.

Technical:
        Organisation: netcup GmbH
        Language: de
        Email: mail@netcup.de

Registrar:
        Name: netcup GmbH
        Website: www.netcup.de

Name servers:
        second-dns.netcup.net
        third-dns.netcup.net
        root-dns.netcup.net

Please visit www.eurid.eu for more info.
```

I don't understand, why Netcup does not ban any domainnames on their
nameservers that include the term _netcup_ in their name.

By the way, the new link refers to `bodyplussize.pl`.

{{< alert circle-info >}}
I guess I won't update this post much more, these emails seem to always show the same
boring text and structure.
{{< /alert >}}

---

## The mail body source (html)

{{< alert "circle-info" >}}
Note the highlighted line (18). There you have the real link that we mentioned
above.
{{< /alert >}}

```html {hl_lines=18}
<head>
 
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">  
<meta name="GENERATOR" content="MSHTML 11.00.10570.1001"></head> 
<body>
<div class="content-message" dojoattachpoint="contentMsgPane">
<div class="text msg-view-text" role="text">
<div class="msg-view-text-cnt" dojoattachpoint="_messageTextCntNode">
<div class="xam_msg_class">
<meta content="text/html">    
<p>Sehr geehrte/r</p>
<p><br></p>
<p>Wir möchten Sie heute freundlich daran erinnern, dass die 
 Domain&nbsp;<strong>oe7drt.com</strong>&nbsp;Ihrer Firma, mit der dieses 
 E-Mail-Konto  verbunden ist, am <strong>17.11.2023</strong> abläuft. Als  
 verantwortungsbewusster Anbieter ist es uns ein Anliegen, Ihnen rechtzeitig  
über  diese bevorstehende Verlängerung zu informieren.</p>
<p>über den sicheren Link erneuern <a href="https://elettrogi.it/" target="_blank" rel="noopener noreferrer"><strong>https://renew.<em style="color: rgb(0, 0, 0); font-style: inherit; background-color: rgb(255, 255, 102);">netcup</em>.de</strong></a></p>
<p>Wir möchten sicherstellen, dass Ihre Online-Präsenz reibungslos läuft und Ihr 
 geschäftlicher Erfolg nicht beeinträchtigt wird. Daher empfehlen wir Ihnen  
 dringend, die Verlängerung Ihrer Domain vor dem Ablaufdatum zu beantragen.  
Indem  Sie Ihre Domain verlängern, stellen Sie sicher, dass Ihre Webseite  
weiterhin  erreichbar ist und Ihr E-Mail-Konto aktiv bleibt.</p>
<p>Dein <em style="color: rgb(0, 0, 0); font-style: inherit; background-color: rgb(255, 255, 102);">netcup</em> 
team</p>
<p>---------------------------------------------------------</p>
<p><em style="color: rgb(0, 0, 0); font-style: inherit; background-color: rgb(255, 255, 102);">netcup</em> 
GmbH<br>Managing Directors:<br>- Oliver Werner<br>- Alexander  
 Windbichler<br>Daimlerstr. 25<br>D-76185 Karlsruhe</p>
<p>Phone: +49 721 / 7540755 - 0<br>Fax: +49 721 / 7540755 - 9</p>
<p><br></p>
<p>Commercial register: HRB 705547, Amtsgericht Mannheim </p>
<p>---------------------------------------------------------    
<br></p></div></div>&nbsp;&nbsp;&nbsp;&nbsp;	
<div class="msg-view-quoted-message-button removed" dojoattachpoint="_showQuotedNode"><br></div></div>
<div class="attachments-area-container dijitContentPane collapsed removed all-deleted" id="uiLogic_webmail__view_AttachmentsArea_0" role="group" dir="ltr" dojotype="uiLogic.webmail._view.AttachmentsArea" widgetid="uiLogic_webmail__view_AttachmentsArea_0" region="bottom">
<div>
<div class="box" role="attachments-area">
<div class="attachments-download-warp" role="attachments-download-warp" style="display: none;">
<div class="view-attachments-info" role="attachments-info">2 Attachment(s) (0.9 
 KB)</div><span class="dijit dijitReset dijitInline attachments-download dijitButton" widgetid="dijit_form_Button_42"><span class="dijitReset dijitInline dijitButtonNode" dojoattachevent="ondijitclick:_onButtonClick"><span tabindex="0" class="dijitReset dijitStretch dijitButtonContents" id="dijit_form_Button_42" role="button" aria-labelledby="dijit_form_Button_42_label" style="opacity: 0; user-select: none;" dojoattachpoint="titleNode,focusNode" wairole="button" waistate="labelledby-dijit_form_Button_42_label"><span class="dijitReset dijitInline dijitIcon" dojoattachpoint="iconNode"></span><span class="dijitReset dijitToggleButtonIconChar">?</span><span class="dijitReset dijitInline dijitButtonText" id="dijit_form_Button_42_label" dojoattachpoint="containerNode">Download all 
 attachments</span></span></span><input class="dijitOffScreen" type="button" dojoattachpoint="valueNode"></span>
			  <span class="dijit dijitReset dijitInline attachments-show dijitButton" widgetid="dijit_form_Button_44"><span class="dijitReset dijitInline dijitButtonNode" dojoattachevent="ondijitclick:_onButtonClick"><span tabindex="0" class="dijitReset dijitStretch dijitButtonContents" id="dijit_form_Button_44" role="button" aria-labelledby="dijit_form_Button_44_label" style="opacity: 0; user-select: none;" dojoattachpoint="titleNode,focusNode" wairole="button" waistate="labelledby-dijit_form_Button_44_label"><span class="dijitReset dijitInline dijitIcon" dojoattachpoint="iconNode"></span><span class="dijitReset dijitToggleButtonIconChar">?</span><span class="dijitReset dijitInline dijitButtonText" id="dijit_form_Button_44_label" dojoattachpoint="containerNode">Show 
 attachments</span></span></span><input class="dijitOffScreen" type="button" dojoattachpoint="valueNode"></span>
			  
<div class="back-panel removed"><span class="dijit dijitReset dijitInline attachments-toggle view-landscape-button viewNextIcon dijitButton" widgetid="dijit_form_Button_43"><span class="dijitReset dijitInline dijitButtonNode" dojoattachevent="ondijitclick:_onButtonClick"><span tabindex="0" title="Hide" class="dijitReset dijitStretch dijitButtonContents" id="dijit_form_Button_43" role="button" aria-labelledby="dijit_form_Button_43_label" style="user-select: none;" dojoattachpoint="titleNode,focusNode" wairole="button" waistate="labelledby-dijit_form_Button_43_label"><span class="dijitReset dijitInline dijitIcon" dojoattachpoint="iconNode"></span><span class="dijitReset dijitToggleButtonIconChar">?</span><span class="dijitReset dijitInline dijitButtonText" id="dijit_form_Button_43_label" dojoattachpoint="containerNode"></span></span></span><input class="dijitOffScreen" type="button" dojoattachpoint="valueNode"></span>
			  </div></div>
<div class="box" role="attachments"></div></div></div></div></div>
</body>
```

## The mail source

```plain
Return-Path: <postmaster@onedk.net>
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41])
	 by sloti44n20 (Cyrus 3.9.0-alpha0-1108-g3a29173c6d-fm-20231031.005-g3a29173c) with LMTPA;
	 Fri, 17 Nov 2023 08:04:12 -0500
X-Cyrus-Session-Id: sloti44n20-1700226252-3181116-2-9777549396983539035
X-Sieve: CMU Sieve 3.0
X-Spam-known-sender: no
X-Spam-sender-reputation: 0 (email; noauth)
X-Spam-score: 14.5
X-Spam-hits: BAYES_99 3.5, BAYES_999 1.2, DCC_CHECK 1.1, DCC_REPUT_90_94 0.6,
  FSL_BULK_SIG 1.593, HTML_MESSAGE 0.001, HTML_MIME_NO_HTML_TAG 0.377,
  HTTPS_HTTP_MISMATCH 0.1, ME_NOAUTH 0.01, ME_SC_NH -0.001,
  ME_SENDERREP_DENY 4, ME_VADEPHISHING 2, MIME_HTML_ONLY 0.1,
  SPF_HELO_NONE 0.001, SPF_NONE 0.001, T_SCC_BODY_TEXT_LINE -0.01,
  LANGUAGES de, BAYES_USED user, SA_VERSION 3.4.6
X-Backscatter: NotFound1
X-Backscatter-Hosts: 
X-Spam-source: IP='37.120.188.231', Host='v2202311112809242991.luckysrv.de', Country='DE',
  FromHeader='net', MailFrom='net'
X-Spam-charsets: html='windows-1252'
X-Resolved-to: dominic@...
X-Delivered-to: dominic@noreply....
X-Mail-from: postmaster@onedk.net
Received: from mx4 ([10.202.2.203])
  by compute1.internal (LMTPProxy); Fri, 17 Nov 2023 08:04:12 -0500
Received: from mx4.messagingengine.com (localhost [127.0.0.1])
	by mailmx.nyi.internal (Postfix) with ESMTP id 7FA301F20122
	for <dominic@noreply....>; Fri, 17 Nov 2023 08:04:11 -0500 (EST)
Received: from mailmx.nyi.internal (localhost [127.0.0.1])
    by mx4.messagingengine.com (Authentication Milter) with ESMTP
    id 17A016E9B26.8E0F31F2037D;
    Fri, 17 Nov 2023 08:04:11 -0500
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm1; t=
    1700226251; b=LpZ7c6e8oXo/abJ3c3SIgseAfYAwmkcgCE9cMryacWzUPDXywM
    2Bu+k0NpXZJaKcrAdOyuejBwIiFyqSq+TK/glo0Hk6DmC7TE8yw0HlddNInKUJ53
    Fc/rTiqmgPpJXrUwryrmEZ4jJTcR+GIoUtXEIweftEhongl3cZvcVXf0gaE0Zxcg
    Za3pbOgZ8xEBJADOyvCNPeZOAaNvNF5C19ylzywj0UO6lDX7v58OVI0GKyqdIMH9
    i0kvloD/B/CDHnT6jHWav2C35s5NKnHX+SuNQ4/CPOG7uuRiC3+S2G4pTwP542Cq
    Pu87hi1GKiH5VuM8m92JH9nwb70r5fB+fRCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
    messagingengine.com; h=mime-version:from:reply-to:to:subject
    :content-type:content-transfer-encoding:date:message-id; s=fm1;
    t=1700226251; bh=NbXSTJaTKSRZgsx8I0IN3ukxEcOTFS+VrpzkYzr/Un8=; b=
    lmluPcXbKIM06qPoH+sQ2YXHJlP5FQFfF/R43bgajaKkZ3mO5x7uGQA0BFsF+c1M
    qwrJG7rG6hxW8aKmnlNyRIskwVt393qYEnCk29qDK4qVcG/34wlYG1J1jpMqPXXm
    1oJx1wYrpvelG3ADuTXHXJcleupCGdCIwlo9y9InuAjKOMGjLW8zxCKVv2DvRQ8r
    o8CNKpGY6iLcBctsE40CuXNHvNaxH9jsnXTqhhI6WJjugPek7JAof4JRSJDvVJX6
    aZ7pl4xOsHH0psrC2u+kUUUiIvjFNoU+MBbsK0aG/ezThetyaYwkjQPuD0ZNgU5H
    t5gJ0HdrTFSeQUft9LQlEg==
ARC-Authentication-Results: i=1; mx4.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=pass smtp.helo=v2202311112809242991.luckysrv.de
    policy.ptr=v2202311112809242991.luckysrv.de;
    bimi=skipped (DMARC did not pass);
    arc=none (no signatures found);
    dkim=invalid (public key: not available, unknown key sha256)
    header.d=onedk.net header.i=@onedk.net header.b=tKBKfGAz
    header.a=unknown-sha256 header.s=dkim;
    dmarc=none policy.published-domain-policy=none
    policy.applied-disposition=none policy.evaluated-disposition=none
    (p=none,d=none,d.eval=none) policy.policy-from=p
    header.from=onedk.net;
    iprev=pass smtp.remote-ip=37.120.188.231
    (v2202311112809242991.luckysrv.de);
    spf=none smtp.mailfrom=postmaster@onedk.net
    smtp.helo=v2202311112809242991.luckysrv.de
X-ME-Authentication-Results: mx4.messagingengine.com;
    x-aligned-from=pass (Address match);
    x-return-mx=pass header.domain=onedk.net policy.is_org=yes
      (MX Records found: mx-biz.mail.am0.yahoodns.net,mx-biz.mail.am0.yahoodns.net);
    x-return-mx=pass smtp.domain=onedk.net policy.is_org=yes
      (MX Records found: mx-biz.mail.am0.yahoodns.net,mx-biz.mail.am0.yahoodns.net);
    x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384
      smtp.bits=256/256;
    x-vs=phishing score=607 state=101
Authentication-Results: mx4.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=pass smtp.helo=v2202311112809242991.luckysrv.de
      policy.ptr=v2202311112809242991.luckysrv.de
Authentication-Results: mx4.messagingengine.com;
    bimi=skipped (DMARC did not pass)
Authentication-Results: mx4.messagingengine.com;
    arc=none (no signatures found)
Authentication-Results: mx4.messagingengine.com;
    dkim=invalid (public key: not available, unknown key sha256)
      header.d=onedk.net header.i=@onedk.net header.b=tKBKfGAz
      header.a=unknown-sha256 header.s=dkim;
    dmarc=none policy.published-domain-policy=none
      policy.applied-disposition=none policy.evaluated-disposition=none
      (p=none,d=none,d.eval=none) policy.policy-from=p
      header.from=onedk.net;
    iprev=pass smtp.remote-ip=37.120.188.231
      (v2202311112809242991.luckysrv.de);
    spf=none smtp.mailfrom=postmaster@onedk.net
      smtp.helo=v2202311112809242991.luckysrv.de
X-ME-VSCause: gggruggvucftvghtrhhoucdtuddrgedvkedrudegtddggeejucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu
    rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucgorfhhihhshhhinhhgqd
    fkkffrucdliedtjedmnecujfgurhepggfhrhfvufgtgffofffksehhqhertdertdehnecu
    hfhrohhmpedfpfgvthgtuhhpucfimhgsjfdfuceophhoshhtmhgrshhtvghrsehonhgvug
    hkrdhnvghtqeenucggtffrrghtthgvrhhnpeffffdufeffudeiieelueeghfeiteffhfdt
    hffhveeigffgfeefheelteejkeeuudenucffohhmrghinhepvghlvghtthhrohhgihdrih
    htpdhnvghttghuphdruggvnecukfhppeefjedruddvtddrudekkedrvdefudenucfrhhhi
    shhhihhnghdqkffkrfephhhtthhpshemsddsvghlvghtthhrohhgihdrihhtnecuvehluh
    hsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepfeejrdduvddtrddukeekrddv
    fedupdhhvghlohepvhdvvddtvdefudduudduvdektdelvdegvdelledurdhluhgtkhihsh
    hrvhdruggvpdhmrghilhhfrhhomhepoehpohhsthhmrghsthgvrhesohhnvggukhdrnhgv
    theqpdhnsggprhgtphhtthhopedupdhrtghpthhtohepoeguohhmihhnihgtsehnohhrvg
    hplhihrdhovgejughrthdrtghomheq
X-ME-VSScore: 607
X-ME-VSCategory: phishing
X-ME-CSA: none
Received-SPF: none
    (onedk.net: No applicable sender policy available)
    receiver=mx4.messagingengine.com;
    identity=mailfrom;
    envelope-from="postmaster@onedk.net";
    helo=v2202311112809242991.luckysrv.de;
    client-ip=37.120.188.231
Received: from v2202311112809242991.luckysrv.de (v2202311112809242991.luckysrv.de [37.120.188.231])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mx4.messagingengine.com (Postfix) with ESMTPS id 8E0F31F2037D
	for <dominic@noreply....>; Fri, 17 Nov 2023 08:03:44 -0500 (EST)
Received: from v2202311112809242991.luckysrv.de (localhost [127.0.0.1])
	by v2202311112809242991.luckysrv.de (Postfix) with ESMTP id 4SWxs61BzJz48xN
	for <dominic@noreply....>; Fri, 17 Nov 2023 14:02:50 +0100 (CET)
Authentication-Results: v2202311112809242991.luckysrv.de (amavis); dkim=pass
 reason="pass (just generated, assumed good)" header.d=onedk.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=onedk.net; h=
	message-id:date:x-mailer:content-transfer-encoding:content-type
	:subject:to:reply-to:from:mime-version; s=dkim; t=1700226169; x=
	1702818170; bh=mEPVMchXmulep+z6c+qm5ufujgLqwDgvxHEmacERCZA=; b=t
	KBKfGAzEtvWgwvWrD7w1wNLn5Ljp4RgfY5dBV+Y2EzCWLZVYJeih0lqaRU27jL61
	ILRSW9WRbAu2tgr1M0wdQwOHQ4Dp7i3ps7AQJn4BpvFbTwR1b524Hs4t52xKMecy
	Zf/X+yRzlRPVTO5mi0sPK0tmAEvN+TBmcsldK9RKgwIr8qUFau99OBBZlDoYUMRV
	wMZOoJ3ccaPC5dooc/sDd+MbQSaGKH1Ubum0Ld9VtdOHlWHFs+tpujzYC/L/kxLl
	4k/BSYsGw4IUurCbPZnoR5TIBuAV2hy4caZMtFELmeOG7ZuQjvr8wMJUNhwflzeQ
	OUiV2kgjdZsHb3mtnjzHg==
X-Virus-Scanned: Debian amavis at v2202311112809242991.luckysrv.de
Received: from v2202311112809242991.luckysrv.de ([127.0.0.1])
 by v2202311112809242991.luckysrv.de (v2202311112809242991.luckysrv.de [127.0.0.1]) (amavis, port 10024)
 with ESMTP id nPsir9OSICbE for <dominic@noreply....>;
 Fri, 17 Nov 2023 14:02:49 +0100 (CET)
Received: from vmi1464682 (localhost [IPv6:::1])
	by v2202311112809242991.luckysrv.de (Postfix) with ESMTPS id 4SWxs55N6sz48x5
	for <dominic@noreply....>; Fri, 17 Nov 2023 14:02:49 +0100 (CET)
MIME-Version: 1.0
From: "Netcup GmbH" <postmaster@onedk.net>
Reply-To: postmaster@onedk.net
To: dominic@noreply....
Subject: Deaktivierung des E-Mail-Postfachs aufgrund des Ablaufs der Domain oe7drt.com
Content-Type: text/html; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Smart_Send_4_4_2
Date: Fri, 17 Nov 2023 14:02:49 +0100
Message-ID: <5196428650656248899676@vmi1464682>

<head>=0A =0A<meta http-equiv=3D"Content-Type" content=3D"text/html; charse=
t=3Dwindows-1252">  =0A<meta name=3D"GENERATOR" content=3D"MSHTML 11.00.105=
70.1001"></head> =0A<body>=0A<div class=3D"content-message" dojoattachpoint=
=3D"contentMsgPane">=0A<div class=3D"text msg-view-text" role=3D"text">=0A<=
div class=3D"msg-view-text-cnt" dojoattachpoint=3D"_messageTextCntNode">=0A=
<div class=3D"xam_msg_class">=0A<meta content=3D"text/html">    =0A<p>Sehr =
geehrte/r</p>=0A<p><br></p>=0A<p>Wir m=F6chten Sie heute freundlich daran e=
rinnern, dass die =0A Domain&nbsp;<strong>oe7drt.com</strong>&nbsp;Ihrer Fi=
rma, mit der dieses =0A E-Mail-Konto  verbunden ist, am <strong>17.11.2023<=
/strong> abl=E4uft. Als  =0A verantwortungsbewusster Anbieter ist es uns ei=
n Anliegen, Ihnen rechtzeitig  =0A=FCber  diese bevorstehende Verl=E4ngerun=
g zu informieren.</p>=0A<p>=FCber den sicheren Link erneuern <a href=3D"htt=
ps://elettrogi.it/" target=3D"_blank" rel=3D"noopener noreferrer"><strong>h=
ttps://renew.<em style=3D"color: rgb(0, 0, 0); font-style: inherit; backgro=
und-color: rgb(255, 255, 102);">netcup</em>.de</strong></a></p>=0A<p>Wir m=
=F6chten sicherstellen, dass Ihre Online-Pr=E4senz reibungslos l=E4uft und =
Ihr =0A gesch=E4ftlicher Erfolg nicht beeintr=E4chtigt wird. Daher empfehle=
n wir Ihnen  =0A dringend, die Verl=E4ngerung Ihrer Domain vor dem Ablaufda=
tum zu beantragen.  =0AIndem  Sie Ihre Domain verl=E4ngern, stellen Sie sic=
her, dass Ihre Webseite  =0Aweiterhin  erreichbar ist und Ihr E-Mail-Konto =
aktiv bleibt.</p>=0A<p>Dein <em style=3D"color: rgb(0, 0, 0); font-style: i=
nherit; background-color: rgb(255, 255, 102);">netcup</em> =0Ateam</p>=0A<p=
>---------------------------------------------------------</p>=0A<p><em sty=
le=3D"color: rgb(0, 0, 0); font-style: inherit; background-color: rgb(255, =
255, 102);">netcup</em> =0AGmbH<br>Managing Directors:<br>- Oliver Werner<b=
r>- Alexander  =0A Windbichler<br>Daimlerstr. 25<br>D-76185 Karlsruhe</p>=
=0A<p>Phone: +49 721 / 7540755 - 0<br>Fax: +49 721 / 7540755 - 9</p>=0A<p><=
br></p>=0A<p>Commercial register: HRB 705547, Amtsgericht Mannheim </p>=0A<=
p>---------------------------------------------------------    =0A<br></p><=
/div></div>&nbsp;&nbsp;&nbsp;&nbsp;	=0A<div class=3D"msg-view-quoted-messag=
e-button removed" dojoattachpoint=3D"_showQuotedNode"><br></div></div>=0A<d=
iv class=3D"attachments-area-container dijitContentPane collapsed removed a=
ll-deleted" id=3D"uiLogic_webmail__view_AttachmentsArea_0" role=3D"group" d=
ir=3D"ltr" dojotype=3D"uiLogic.webmail._view.AttachmentsArea" widgetid=3D"u=
iLogic_webmail__view_AttachmentsArea_0" region=3D"bottom">=0A<div>=0A<div c=
lass=3D"box" role=3D"attachments-area">=0A<div class=3D"attachments-downloa=
d-warp" role=3D"attachments-download-warp" style=3D"display: none;">=0A<div=
 class=3D"view-attachments-info" role=3D"attachments-info">2 Attachment(s) =
(0.9 =0A KB)</div><span class=3D"dijit dijitReset dijitInline attachments-d=
ownload dijitButton" widgetid=3D"dijit_form_Button_42"><span class=3D"dijit=
Reset dijitInline dijitButtonNode" dojoattachevent=3D"ondijitclick:_onButto=
nClick"><span tabindex=3D"0" class=3D"dijitReset dijitStretch dijitButtonCo=
ntents" id=3D"dijit_form_Button_42" role=3D"button" aria-labelledby=3D"diji=
t_form_Button_42_label" style=3D"opacity: 0; user-select: none;" dojoattach=
point=3D"titleNode,focusNode" wairole=3D"button" waistate=3D"labelledby-dij=
it_form_Button_42_label"><span class=3D"dijitReset dijitInline dijitIcon" d=
ojoattachpoint=3D"iconNode"></span><span class=3D"dijitReset dijitToggleBut=
tonIconChar">=3F</span><span class=3D"dijitReset dijitInline dijitButtonTex=
t" id=3D"dijit_form_Button_42_label" dojoattachpoint=3D"containerNode">Down=
load all =0A attachments</span></span></span><input class=3D"dijitOffScreen=
" type=3D"button" dojoattachpoint=3D"valueNode"></span>=0A			  <span class=
=3D"dijit dijitReset dijitInline attachments-show dijitButton" widgetid=3D"=
dijit_form_Button_44"><span class=3D"dijitReset dijitInline dijitButtonNode=
" dojoattachevent=3D"ondijitclick:_onButtonClick"><span tabindex=3D"0" clas=
s=3D"dijitReset dijitStretch dijitButtonContents" id=3D"dijit_form_Button_4=
4" role=3D"button" aria-labelledby=3D"dijit_form_Button_44_label" style=3D"=
opacity: 0; user-select: none;" dojoattachpoint=3D"titleNode,focusNode" wai=
role=3D"button" waistate=3D"labelledby-dijit_form_Button_44_label"><span cl=
ass=3D"dijitReset dijitInline dijitIcon" dojoattachpoint=3D"iconNode"></spa=
n><span class=3D"dijitReset dijitToggleButtonIconChar">=3F</span><span clas=
s=3D"dijitReset dijitInline dijitButtonText" id=3D"dijit_form_Button_44_lab=
el" dojoattachpoint=3D"containerNode">Show =0A attachments</span></span></s=
pan><input class=3D"dijitOffScreen" type=3D"button" dojoattachpoint=3D"valu=
eNode"></span>=0A			  =0A<div class=3D"back-panel removed"><span class=3D"d=
ijit dijitReset dijitInline attachments-toggle view-landscape-button viewNe=
xtIcon dijitButton" widgetid=3D"dijit_form_Button_43"><span class=3D"dijitR=
eset dijitInline dijitButtonNode" dojoattachevent=3D"ondijitclick:_onButton=
Click"><span tabindex=3D"0" title=3D"Hide" class=3D"dijitReset dijitStretch=
 dijitButtonContents" id=3D"dijit_form_Button_43" role=3D"button" aria-labe=
lledby=3D"dijit_form_Button_43_label" style=3D"user-select: none;" dojoatta=
chpoint=3D"titleNode,focusNode" wairole=3D"button" waistate=3D"labelledby-d=
ijit_form_Button_43_label"><span class=3D"dijitReset dijitInline dijitIcon"=
 dojoattachpoint=3D"iconNode"></span><span class=3D"dijitReset dijitToggleB=
uttonIconChar">=3F</span><span class=3D"dijitReset dijitInline dijitButtonT=
ext" id=3D"dijit_form_Button_43_label" dojoattachpoint=3D"containerNode"></=
span></span></span><input class=3D"dijitOffScreen" type=3D"button" dojoatta=
chpoint=3D"valueNode"></span>=0A			  </div></div>=0A<div class=3D"box" role=
=3D"attachments"></div></div></div></div></div>=0A</body>
```

{{< alert "bug" >}}
Please ignore the :date: signs in the sourcecode above, the content ist
"emojified" and I have currently no idea how to turn this off...
{{< /alert >}}

## Why is this email invalid?

First of all, the sending host is not a Netcup GmbH server, it's hostname
is `v2202311112809242991.luckysrv.de`. This makes the mail suspicious, but the
main criteria why this email is no valid in no way: my domain `oe7drt.com` is
not managed at Netcup at all. There is just an A and AAAA (and others) record
that points to a root server at Netcup.

{{< alert >}}
**Update on Nov 18 2023**:
Oh, just because I updated the new URL they present you: they also send from a
new hostname: `v2202311110463243091.nicesrv.de` -- well, both domains are
saved on Netcup DNS servers which may indicate something ;-)
{{< /alert >}}

I thought I might share this one as well, because I get about 6-8 emails per day
about my "netcup domain". The fun thing is, one of the domain has a _noreply_ in
the domain name; I use this for several git repositories (like Github does). And
to eliminate any kind of misinterpretation: the domain includes **noreply** --
not **nodeliver**.

## Quite a few huh?

![image showing 18 mails from November 6 to November 18](mails.png "Quantity is not the same as quality.")