--- title: Netcup phishing summary: They really think I got my domain from Netcup \*lol\* date: 2023-11-17T16:35:12+0100 lastmod: 2023-11-18T11:50:01+0000 # categories: #- spam # tags: # showBreadcrumbs: true # showDate: false # showReadingTime: false # showWordCount: false # showPagination: false # feed_exclude: true # site_exclude: true --- Okay this one is not a "good" one, in terms of a good phishing email, because it is obviosly a phishing email since I do not have the mentioned product bought at mentioned company. But the fact that I get constantly emailed these made me finally post this to the website. I get them mostly in a pair of two, one to my main domain and one to a subdomain (which includes the term `noreply` as part of the domainname). ## The mail body {{< alert >}} Watch out for the link, as you might see, it gets rendered to a `netcup.de` domain as HTML, but the source code does look quite a bit different! {{< /alert >}} ~~~plain Sehr geehrte/r Wir möchten Sie heute freundlich daran erinnern, dass die Domain oe7drt.com Ihrer Firma, mit der dieses E-Mail-Konto verbunden ist, am 17.11.2023 abläuft. Als verantwortungsbewusster Anbieter ist es uns ein Anliegen, Ihnen rechtzeitig über diese bevorstehende Verlängerung zu informieren. über den sicheren Link erneuern https://renew.netcup.de Wir möchten sicherstellen, dass Ihre Online-Präsenz reibungslos läuft und Ihr geschäftlicher Erfolg nicht beeinträchtigt wird. Daher empfehlen wir Ihnen dringend, die Verlängerung Ihrer Domain vor dem Ablaufdatum zu beantragen. Indem Sie Ihre Domain verlängern, stellen Sie sicher, dass Ihre Webseite weiterhin erreichbar ist und Ihr E-Mail-Konto aktiv bleibt. Dein netcup team --------------------------------------------------------- netcup GmbH Managing Directors: - Oliver Werner - Alexander Windbichler Daimlerstr. 25 D-76185 Karlsruhe Phone: +49 721 / 7540755 - 0 Fax: +49 721 / 7540755 - 9 Commercial register: HRB 705547, Amtsgericht Mannheim --------------------------------------------------------- 2 Attachment(s) (0.9 KB) ?Download all attachments[SUBMIT] ?Show attachments[SUBMIT] ?[SUBMIT] ~~~ {{< alert >}} **Update on Nov 18 2023**: I'm sorry, this is either a very dumb person (or group) or it is a very funny coincidence. I got two new mails today in which the **shown URL** was changed to `www.customercontrolpanel.de`, the link still goes to the italian site (that you will find further down in this article). {{< /alert >}} Following only the relevant part is shown. ~~~html {hl_lines=7}

über den sicheren Link erneuern https://www.customercontrolpanel.de/?login_language=DE

Wir möchten sicherstellen, dass Ihre Online-Präsenz… ~~~ ## The mail body source (html) {{< alert "circle-info" >}} Note the highlighted line (18). There you have the real link that we mentioned above. {{< /alert >}} ~~~html {hl_lines=18}

Sehr geehrte/r


Wir möchten Sie heute freundlich daran erinnern, dass die Domain oe7drt.com Ihrer Firma, mit der dieses E-Mail-Konto verbunden ist, am 17.11.2023 abläuft. Als verantwortungsbewusster Anbieter ist es uns ein Anliegen, Ihnen rechtzeitig über diese bevorstehende Verlängerung zu informieren.

über den sicheren Link erneuern https://renew.netcup.de

Wir möchten sicherstellen, dass Ihre Online-Präsenz reibungslos läuft und Ihr geschäftlicher Erfolg nicht beeinträchtigt wird. Daher empfehlen wir Ihnen dringend, die Verlängerung Ihrer Domain vor dem Ablaufdatum zu beantragen. Indem Sie Ihre Domain verlängern, stellen Sie sicher, dass Ihre Webseite weiterhin erreichbar ist und Ihr E-Mail-Konto aktiv bleibt.

Dein netcup team

---------------------------------------------------------

netcup GmbH
Managing Directors:
- Oliver Werner
- Alexander Windbichler
Daimlerstr. 25
D-76185 Karlsruhe

Phone: +49 721 / 7540755 - 0
Fax: +49 721 / 7540755 - 9


Commercial register: HRB 705547, Amtsgericht Mannheim

---------------------------------------------------------

    

~~~ ## The mail source ~~~plain Return-Path: Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by sloti44n20 (Cyrus 3.9.0-alpha0-1108-g3a29173c6d-fm-20231031.005-g3a29173c) with LMTPA; Fri, 17 Nov 2023 08:04:12 -0500 X-Cyrus-Session-Id: sloti44n20-1700226252-3181116-2-9777549396983539035 X-Sieve: CMU Sieve 3.0 X-Spam-known-sender: no X-Spam-sender-reputation: 0 (email; noauth) X-Spam-score: 14.5 X-Spam-hits: BAYES_99 3.5, BAYES_999 1.2, DCC_CHECK 1.1, DCC_REPUT_90_94 0.6, FSL_BULK_SIG 1.593, HTML_MESSAGE 0.001, HTML_MIME_NO_HTML_TAG 0.377, HTTPS_HTTP_MISMATCH 0.1, ME_NOAUTH 0.01, ME_SC_NH -0.001, ME_SENDERREP_DENY 4, ME_VADEPHISHING 2, MIME_HTML_ONLY 0.1, SPF_HELO_NONE 0.001, SPF_NONE 0.001, T_SCC_BODY_TEXT_LINE -0.01, LANGUAGES de, BAYES_USED user, SA_VERSION 3.4.6 X-Backscatter: NotFound1 X-Backscatter-Hosts: X-Spam-source: IP='37.120.188.231', Host='v2202311112809242991.luckysrv.de', Country='DE', FromHeader='net', MailFrom='net' X-Spam-charsets: html='windows-1252' X-Resolved-to: dominic@... X-Delivered-to: dominic@noreply.... X-Mail-from: postmaster@onedk.net Received: from mx4 ([10.202.2.203]) by compute1.internal (LMTPProxy); Fri, 17 Nov 2023 08:04:12 -0500 Received: from mx4.messagingengine.com (localhost [127.0.0.1]) by mailmx.nyi.internal (Postfix) with ESMTP id 7FA301F20122 for ; Fri, 17 Nov 2023 08:04:11 -0500 (EST) Received: from mailmx.nyi.internal (localhost [127.0.0.1]) by mx4.messagingengine.com (Authentication Milter) with ESMTP id 17A016E9B26.8E0F31F2037D; Fri, 17 Nov 2023 08:04:11 -0500 ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm1; t= 1700226251; b=LpZ7c6e8oXo/abJ3c3SIgseAfYAwmkcgCE9cMryacWzUPDXywM 2Bu+k0NpXZJaKcrAdOyuejBwIiFyqSq+TK/glo0Hk6DmC7TE8yw0HlddNInKUJ53 Fc/rTiqmgPpJXrUwryrmEZ4jJTcR+GIoUtXEIweftEhongl3cZvcVXf0gaE0Zxcg Za3pbOgZ8xEBJADOyvCNPeZOAaNvNF5C19ylzywj0UO6lDX7v58OVI0GKyqdIMH9 i0kvloD/B/CDHnT6jHWav2C35s5NKnHX+SuNQ4/CPOG7uuRiC3+S2G4pTwP542Cq Pu87hi1GKiH5VuM8m92JH9nwb70r5fB+fRCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=mime-version:from:reply-to:to:subject :content-type:content-transfer-encoding:date:message-id; s=fm1; t=1700226251; bh=NbXSTJaTKSRZgsx8I0IN3ukxEcOTFS+VrpzkYzr/Un8=; b= lmluPcXbKIM06qPoH+sQ2YXHJlP5FQFfF/R43bgajaKkZ3mO5x7uGQA0BFsF+c1M qwrJG7rG6hxW8aKmnlNyRIskwVt393qYEnCk29qDK4qVcG/34wlYG1J1jpMqPXXm 1oJx1wYrpvelG3ADuTXHXJcleupCGdCIwlo9y9InuAjKOMGjLW8zxCKVv2DvRQ8r o8CNKpGY6iLcBctsE40CuXNHvNaxH9jsnXTqhhI6WJjugPek7JAof4JRSJDvVJX6 aZ7pl4xOsHH0psrC2u+kUUUiIvjFNoU+MBbsK0aG/ezThetyaYwkjQPuD0ZNgU5H t5gJ0HdrTFSeQUft9LQlEg== ARC-Authentication-Results: i=1; mx4.messagingengine.com; x-csa=none; x-me-sender=none; x-ptr=pass smtp.helo=v2202311112809242991.luckysrv.de policy.ptr=v2202311112809242991.luckysrv.de; bimi=skipped (DMARC did not pass); arc=none (no signatures found); dkim=invalid (public key: not available, unknown key sha256) header.d=onedk.net header.i=@onedk.net header.b=tKBKfGAz header.a=unknown-sha256 header.s=dkim; dmarc=none policy.published-domain-policy=none policy.applied-disposition=none policy.evaluated-disposition=none (p=none,d=none,d.eval=none) policy.policy-from=p header.from=onedk.net; iprev=pass smtp.remote-ip=37.120.188.231 (v2202311112809242991.luckysrv.de); spf=none smtp.mailfrom=postmaster@onedk.net smtp.helo=v2202311112809242991.luckysrv.de X-ME-Authentication-Results: mx4.messagingengine.com; x-aligned-from=pass (Address match); x-return-mx=pass header.domain=onedk.net policy.is_org=yes (MX Records found: mx-biz.mail.am0.yahoodns.net,mx-biz.mail.am0.yahoodns.net); x-return-mx=pass smtp.domain=onedk.net policy.is_org=yes (MX Records found: mx-biz.mail.am0.yahoodns.net,mx-biz.mail.am0.yahoodns.net); x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384 smtp.bits=256/256; x-vs=phishing score=607 state=101 Authentication-Results: mx4.messagingengine.com; x-csa=none; x-me-sender=none; x-ptr=pass smtp.helo=v2202311112809242991.luckysrv.de policy.ptr=v2202311112809242991.luckysrv.de Authentication-Results: mx4.messagingengine.com; bimi=skipped (DMARC did not pass) Authentication-Results: mx4.messagingengine.com; arc=none (no signatures found) Authentication-Results: mx4.messagingengine.com; dkim=invalid (public key: not available, unknown key sha256) header.d=onedk.net header.i=@onedk.net header.b=tKBKfGAz header.a=unknown-sha256 header.s=dkim; dmarc=none policy.published-domain-policy=none policy.applied-disposition=none policy.evaluated-disposition=none (p=none,d=none,d.eval=none) policy.policy-from=p header.from=onedk.net; iprev=pass smtp.remote-ip=37.120.188.231 (v2202311112809242991.luckysrv.de); spf=none smtp.mailfrom=postmaster@onedk.net smtp.helo=v2202311112809242991.luckysrv.de X-ME-VSCause: gggruggvucftvghtrhhoucdtuddrgedvkedrudegtddggeejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucgorfhhihhshhhinhhgqd fkkffrucdliedtjedmnecujfgurhepggfhrhfvufgtgffofffksehhqhertdertdehnecu hfhrohhmpedfpfgvthgtuhhpucfimhgsjfdfuceophhoshhtmhgrshhtvghrsehonhgvug hkrdhnvghtqeenucggtffrrghtthgvrhhnpeffffdufeffudeiieelueeghfeiteffhfdt hffhveeigffgfeefheelteejkeeuudenucffohhmrghinhepvghlvghtthhrohhgihdrih htpdhnvghttghuphdruggvnecukfhppeefjedruddvtddrudekkedrvdefudenucfrhhhi shhhihhnghdqkffkrfephhhtthhpshemsddsvghlvghtthhrohhgihdrihhtnecuvehluh hsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepfeejrdduvddtrddukeekrddv fedupdhhvghlohepvhdvvddtvdefudduudduvdektdelvdegvdelledurdhluhgtkhihsh hrvhdruggvpdhmrghilhhfrhhomhepoehpohhsthhmrghsthgvrhesohhnvggukhdrnhgv theqpdhnsggprhgtphhtthhopedupdhrtghpthhtohepoeguohhmihhnihgtsehnohhrvg hplhihrdhovgejughrthdrtghomheq X-ME-VSScore: 607 X-ME-VSCategory: phishing X-ME-CSA: none Received-SPF: none (onedk.net: No applicable sender policy available) receiver=mx4.messagingengine.com; identity=mailfrom; envelope-from="postmaster@onedk.net"; helo=v2202311112809242991.luckysrv.de; client-ip=37.120.188.231 Received: from v2202311112809242991.luckysrv.de (v2202311112809242991.luckysrv.de [37.120.188.231]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx4.messagingengine.com (Postfix) with ESMTPS id 8E0F31F2037D for ; Fri, 17 Nov 2023 08:03:44 -0500 (EST) Received: from v2202311112809242991.luckysrv.de (localhost [127.0.0.1]) by v2202311112809242991.luckysrv.de (Postfix) with ESMTP id 4SWxs61BzJz48xN for ; Fri, 17 Nov 2023 14:02:50 +0100 (CET) Authentication-Results: v2202311112809242991.luckysrv.de (amavis); dkim=pass reason="pass (just generated, assumed good)" header.d=onedk.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=onedk.net; h= message-id:date:x-mailer:content-transfer-encoding:content-type :subject:to:reply-to:from:mime-version; s=dkim; t=1700226169; x= 1702818170; bh=mEPVMchXmulep+z6c+qm5ufujgLqwDgvxHEmacERCZA=; b=t KBKfGAzEtvWgwvWrD7w1wNLn5Ljp4RgfY5dBV+Y2EzCWLZVYJeih0lqaRU27jL61 ILRSW9WRbAu2tgr1M0wdQwOHQ4Dp7i3ps7AQJn4BpvFbTwR1b524Hs4t52xKMecy Zf/X+yRzlRPVTO5mi0sPK0tmAEvN+TBmcsldK9RKgwIr8qUFau99OBBZlDoYUMRV wMZOoJ3ccaPC5dooc/sDd+MbQSaGKH1Ubum0Ld9VtdOHlWHFs+tpujzYC/L/kxLl 4k/BSYsGw4IUurCbPZnoR5TIBuAV2hy4caZMtFELmeOG7ZuQjvr8wMJUNhwflzeQ OUiV2kgjdZsHb3mtnjzHg== X-Virus-Scanned: Debian amavis at v2202311112809242991.luckysrv.de Received: from v2202311112809242991.luckysrv.de ([127.0.0.1]) by v2202311112809242991.luckysrv.de (v2202311112809242991.luckysrv.de [127.0.0.1]) (amavis, port 10024) with ESMTP id nPsir9OSICbE for ; Fri, 17 Nov 2023 14:02:49 +0100 (CET) Received: from vmi1464682 (localhost [IPv6:::1]) by v2202311112809242991.luckysrv.de (Postfix) with ESMTPS id 4SWxs55N6sz48x5 for ; Fri, 17 Nov 2023 14:02:49 +0100 (CET) MIME-Version: 1.0 From: "Netcup GmbH" Reply-To: postmaster@onedk.net To: dominic@noreply.... Subject: Deaktivierung des E-Mail-Postfachs aufgrund des Ablaufs der Domain oe7drt.com Content-Type: text/html; charset="windows-1252" Content-Transfer-Encoding: quoted-printable X-Mailer: Smart_Send_4_4_2 Date: Fri, 17 Nov 2023 14:02:49 +0100 Message-ID: <5196428650656248899676@vmi1464682> =0A =0A =0A =0A=0A
=0A
=0A<= div class=3D"msg-view-text-cnt" dojoattachpoint=3D"_messageTextCntNode">=0A=
=0A =0A

Sehr = geehrte/r

=0A


=0A

Wir m=F6chten Sie heute freundlich daran e= rinnern, dass die =0A Domain oe7drt.com Ihrer Fi= rma, mit der dieses =0A E-Mail-Konto verbunden ist, am 17.11.2023<= /strong> abl=E4uft. Als =0A verantwortungsbewusster Anbieter ist es uns ei= n Anliegen, Ihnen rechtzeitig =0A=FCber diese bevorstehende Verl=E4ngerun= g zu informieren.

=0A

=FCber den sicheren Link erneuern h= ttps://renew.netcup.de

=0A

Wir m= =F6chten sicherstellen, dass Ihre Online-Pr=E4senz reibungslos l=E4uft und = Ihr =0A gesch=E4ftlicher Erfolg nicht beeintr=E4chtigt wird. Daher empfehle= n wir Ihnen =0A dringend, die Verl=E4ngerung Ihrer Domain vor dem Ablaufda= tum zu beantragen. =0AIndem Sie Ihre Domain verl=E4ngern, stellen Sie sic= her, dass Ihre Webseite =0Aweiterhin erreichbar ist und Ihr E-Mail-Konto = aktiv bleibt.

=0A

Dein netcup =0Ateam

=0A---------------------------------------------------------

=0A

netcup =0AGmbH
Managing Directors:
- Oliver Werner- Alexander =0A Windbichler
Daimlerstr. 25
D-76185 Karlsruhe

= =0A

Phone: +49 721 / 7540755 - 0
Fax: +49 721 / 7540755 - 9

=0A

<= br>

=0A

Commercial register: HRB 705547, Amtsgericht Mannheim

=0A<= p>--------------------------------------------------------- =0A

<= /div>
     =0A

=0A=0A
=0A
=0A
=0A2 Attachment(s) = (0.9 =0A KB)
=3FDown= load all =0A attachments=0A =3FShow =0A attachments=0A =0A
=3F=0A
=0A
=0A ~~~ {{< alert "bug" >}} Please ignore the :date: signs in the sourcecode above, the content ist "emojified" and I have currently no idea how to turn this off... {{< /alert >}} ## Why is this email invalid? First of all, the sending host is not a Netcup GmbH server, it's hostname is `v2202311112809242991.luckysrv.de`. This makes the mail suspicious, but the main criteria why this email is no valid in no way: my domain `oe7drt.com` is not managed at Netcup at all. There is just an A and AAAA (and others) record that points to a root server at Netcup. {{< alert >}} **Update on Nov 18 2023**: Oh, just because I updated the new URL they present you: they also send from a new hostname: `v2202311110463243091.nicesrv.de` -- well, both domains are saved on Netcup DNS servers which may indicate something ;-) {{< /alert >}} I thought I might share this one as well, because I get about 6-8 emails per day about my "netcup domain". The fun thing is, one of the domain has a _noreply_ in the domain name; I use this for several git repositories (like Github does). And to eliminate any kind of misinterpretation: the domain includes **noreply** -- not **nodeliver**. ## Quite a few huh? ![image showing 18 mails from November 6 to November 18](mails.png "Quantity is not the same as quality.")