
| title | summary | date | lastmod | showBreadcrumbs |
| --- | --- | --- | --- | --- |
| Netcup phishing | They really think I got my domain from Netcup *lol* | 2023-11-17T16:35:12+0100 | 2024-09-29T14:12:19+0000 | true |

Okay, this one is not a "good" one in terms of a good phishing email, because it is obviously a phishing email since I have not bought the mentioned product at the mentioned company. But the fact that I constantly get emailed these made me finally post this to the website.

I mostly get them in pairs: one to my main domain and one to a subdomain (which includes the term noreply as part of the domain name).

The mail body

{{< alert >}} Watch out for the link: as you might see, it gets rendered as a netcup.de domain in HTML, but the source code looks quite a bit different! {{< /alert >}}

Sehr geehrte/r


Wir möchten Sie heute freundlich daran erinnern, dass die Domain oe7drt.com
 Ihrer Firma, mit der dieses E-Mail-Konto verbunden ist, am 17.11.2023 abläuft.
Als verantwortungsbewusster Anbieter ist es uns ein Anliegen, Ihnen rechtzeitig
über diese bevorstehende Verlängerung zu informieren.

über den sicheren Link erneuern https://renew.netcup.de

Wir möchten sicherstellen, dass Ihre Online-Präsenz reibungslos läuft und Ihr
geschäftlicher Erfolg nicht beeinträchtigt wird. Daher empfehlen wir Ihnen
dringend, die Verlängerung Ihrer Domain vor dem Ablaufdatum zu beantragen.
Indem Sie Ihre Domain verlängern, stellen Sie sicher, dass Ihre Webseite
weiterhin erreichbar ist und Ihr E-Mail-Konto aktiv bleibt.

Dein netcup team

---------------------------------------------------------

netcup GmbH
Managing Directors:
- Oliver Werner
- Alexander Windbichler
Daimlerstr. 25
D-76185 Karlsruhe

Phone: +49 721 / 7540755 - 0
Fax: +49 721 / 7540755 - 9


Commercial register: HRB 705547, Amtsgericht Mannheim

---------------------------------------------------------

    

2 Attachment(s) (0.9 KB)
?Download all attachments[SUBMIT] ?Show attachments[SUBMIT]
?[SUBMIT]

{{< alert >}} Update on Nov 18 2023 {{< /alert >}}

I'm sorry, this is either a very dumb person (or group) or it is a very funny coincidence. I got two new mails today in which the shown URL was changed to www.customercontrolpanel.de; the link still goes to the Italian site (that you will find further down in this article).

Only the relevant part is shown below.

<p>über den sicheren Link erneuern <a
href="https://elettrogi.it/"><strong>https://www.customercontrolpanel.de/?login_language=DE</strong></a></p>
<p>Wir möchten sicherstellen, dass Ihre Online-Präsenz…

{{< alert >}} Update on Jan 10 2024 {{< /alert >}}

Haha, another two emails with yet another domain name: netcupde.com. Well, the link now looks like this:

<p>Erneuern Sie über den sicheren Link:
<a href="https://therapeutelyon.fr" target="_blank" rel="noopener noreferrer">
<strong>https://customerscontrolpanel.<em style="color: rgb(0, 0, 0);
font-style: inherit; background-color: rgb(255, 255, 102);"> netcup</em>de.com/de/
</strong></a>
</p>

I added some newlines to the HTML code, because the code is actually only two lines in the email, but that would make this code block a bit harder to read (especially on mobile devices).

These additions of <em style="... are the reason I did not initially find the domain netcupde.com in that email, as that would be the first thing that I'd look up in the email source (see the end of line 3 and on to line 4).
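A check for exactly this trick, as an added example that is not part of the original post: it joins the visible text of each link across nested tags such as `<em>` before comparing the displayed host with the `href` host. The three anchors are copied from the mail samples on this page; the function names and the simple `www.` normalization are assumptions of this sketch.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EM = '<em style="color: rgb(0, 0, 0); font-style: inherit; background-color: rgb(255, 255, 102);">'

# Anchors copied from the three mail samples shown on this page.
SAMPLES = {
    "nov17": '<a href="https://elettrogi.it/" target="_blank" rel="noopener noreferrer">'
             '<strong>https://renew.' + EM + 'netcup</em>.de</strong></a>',
    "nov18": '<a href="https://elettrogi.it/"><strong>'
             'https://www.customercontrolpanel.de/?login_language=DE</strong></a>',
    "jan10": '<a href="https://therapeutelyon.fr" target="_blank" rel="noopener noreferrer">'
             '<strong>https://customerscontrolpanel.' + EM + ' netcup</em>de.com/de/</strong></a>',
}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) per <a>, joining text split by inline tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def _norm(host):
    # Simplification: a production check would compare registrable domains
    # using the public suffix list instead of only dropping "www.".
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def _host_of(url):
    try:
        return _norm(urlsplit(url).hostname)
    except ValueError:          # malformed URL, e.g. broken IPv6 brackets
        return ""


def shown_host(text):
    """Host the reader sees, if the link text itself looks like a URL."""
    compact = re.sub(r"\s+", "", text)   # the Jan 10 sample hides a space inside <em>
    if not re.match(r"(?i)https?://", compact):
        return None                      # plain wording such as "click here"
    return _host_of(compact) or None


def find_mismatches(html):
    """Return (shown_host, actual_host) for links whose text names another host."""
    parser = AnchorCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        shown, actual = shown_host(text), _host_of(href)
        if shown and actual and shown != actual:
            out.append((shown, actual))
    return out


if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, find_mismatches(html))
    # A plain substring search of the raw source misses the split domain:
    print("netcupde.com" in SAMPLES["jan10"])
```
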


{{< alert >}} Update on Jan 11 2024 {{< /alert >}}

Another domain comes in quick. I doubt that everyone looks up a domain's WHOIS information, but if you do, don't let them fool you. This one looks very valid, although it is not.

The new domain name I'm talking about is netcup.eu and it is also registered at netcup.de. The WHOIS information makes them look very related to each other...

$ whois netcup.eu
% [snip]
% WHOIS netcup.eu
Domain: netcup.eu
Script: LATIN

Registrant:
        NOT DISCLOSED!
        Visit www.eurid.eu for webbased WHOIS.

On-site(s):
        NOT DISCLOSED!
        Visit www.eurid.eu for webbased WHOIS.

Technical:
        Organisation: netcup GmbH
        Language: de
        Email: mail@netcup.de

Registrar:
        Name: netcup GmbH
        Website: www.netcup.de

Name servers:
        second-dns.netcup.net
        third-dns.netcup.net
        root-dns.netcup.net

Please visit www.eurid.eu for more info.

I don't understand why Netcup does not ban any domain names on their nameservers that include the term netcup in their name.

By the way, the new link refers to bodyplussize.pl.

{{< alert circle-info >}} I guess I won't update this post much more, these emails seem to always show the same boring text and structure. {{< /alert >}}


The mail body source (html)

{{< alert "circle-info" >}} Note the highlighted line (18). There you have the real link that we mentioned above. {{< /alert >}}

<head>
 
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">  
<meta name="GENERATOR" content="MSHTML 11.00.10570.1001"></head> 
<body>
<div class="content-message" dojoattachpoint="contentMsgPane">
<div class="text msg-view-text" role="text">
<div class="msg-view-text-cnt" dojoattachpoint="_messageTextCntNode">
<div class="xam_msg_class">
<meta content="text/html">    
<p>Sehr geehrte/r</p>
<p><br></p>
<p>Wir möchten Sie heute freundlich daran erinnern, dass die 
 Domain&nbsp;<strong>oe7drt.com</strong>&nbsp;Ihrer Firma, mit der dieses 
 E-Mail-Konto  verbunden ist, am <strong>17.11.2023</strong> abläuft. Als  
 verantwortungsbewusster Anbieter ist es uns ein Anliegen, Ihnen rechtzeitig  
über  diese bevorstehende Verlängerung zu informieren.</p>
<p>über den sicheren Link erneuern <a href="https://elettrogi.it/" target="_blank" rel="noopener noreferrer"><strong>https://renew.<em style="color: rgb(0, 0, 0); font-style: inherit; background-color: rgb(255, 255, 102);">netcup</em>.de</strong></a></p>
<p>Wir möchten sicherstellen, dass Ihre Online-Präsenz reibungslos läuft und Ihr 
 geschäftlicher Erfolg nicht beeinträchtigt wird. Daher empfehlen wir Ihnen  
 dringend, die Verlängerung Ihrer Domain vor dem Ablaufdatum zu beantragen.  
Indem  Sie Ihre Domain verlängern, stellen Sie sicher, dass Ihre Webseite  
weiterhin  erreichbar ist und Ihr E-Mail-Konto aktiv bleibt.</p>
<p>Dein <em style="color: rgb(0, 0, 0); font-style: inherit; background-color: rgb(255, 255, 102);">netcup</em> 
team</p>
<p>---------------------------------------------------------</p>
<p><em style="color: rgb(0, 0, 0); font-style: inherit; background-color: rgb(255, 255, 102);">netcup</em> 
GmbH<br>Managing Directors:<br>- Oliver Werner<br>- Alexander  
 Windbichler<br>Daimlerstr. 25<br>D-76185 Karlsruhe</p>
<p>Phone: +49 721 / 7540755 - 0<br>Fax: +49 721 / 7540755 - 9</p>
<p><br></p>
<p>Commercial register: HRB 705547, Amtsgericht Mannheim </p>
<p>---------------------------------------------------------    
<br></p></div></div>&nbsp;&nbsp;&nbsp;&nbsp;	
<div class="msg-view-quoted-message-button removed" dojoattachpoint="_showQuotedNode"><br></div></div>
<div class="attachments-area-container dijitContentPane collapsed removed all-deleted" id="uiLogic_webmail__view_AttachmentsArea_0" role="group" dir="ltr" dojotype="uiLogic.webmail._view.AttachmentsArea" widgetid="uiLogic_webmail__view_AttachmentsArea_0" region="bottom">
<div>
<div class="box" role="attachments-area">
<div class="attachments-download-warp" role="attachments-download-warp" style="display: none;">
<div class="view-attachments-info" role="attachments-info">2 Attachment(s) (0.9 
 KB)</div><span class="dijit dijitReset dijitInline attachments-download dijitButton" widgetid="dijit_form_Button_42"><span class="dijitReset dijitInline dijitButtonNode" dojoattachevent="ondijitclick:_onButtonClick"><span tabindex="0" class="dijitReset dijitStretch dijitButtonContents" id="dijit_form_Button_42" role="button" aria-labelledby="dijit_form_Button_42_label" style="opacity: 0; user-select: none;" dojoattachpoint="titleNode,focusNode" wairole="button" waistate="labelledby-dijit_form_Button_42_label"><span class="dijitReset dijitInline dijitIcon" dojoattachpoint="iconNode"></span><span class="dijitReset dijitToggleButtonIconChar">?</span><span class="dijitReset dijitInline dijitButtonText" id="dijit_form_Button_42_label" dojoattachpoint="containerNode">Download all 
 attachments</span></span></span><input class="dijitOffScreen" type="button" dojoattachpoint="valueNode"></span>
			  <span class="dijit dijitReset dijitInline attachments-show dijitButton" widgetid="dijit_form_Button_44"><span class="dijitReset dijitInline dijitButtonNode" dojoattachevent="ondijitclick:_onButtonClick"><span tabindex="0" class="dijitReset dijitStretch dijitButtonContents" id="dijit_form_Button_44" role="button" aria-labelledby="dijit_form_Button_44_label" style="opacity: 0; user-select: none;" dojoattachpoint="titleNode,focusNode" wairole="button" waistate="labelledby-dijit_form_Button_44_label"><span class="dijitReset dijitInline dijitIcon" dojoattachpoint="iconNode"></span><span class="dijitReset dijitToggleButtonIconChar">?</span><span class="dijitReset dijitInline dijitButtonText" id="dijit_form_Button_44_label" dojoattachpoint="containerNode">Show 
 attachments</span></span></span><input class="dijitOffScreen" type="button" dojoattachpoint="valueNode"></span>
			  
<div class="back-panel removed"><span class="dijit dijitReset dijitInline attachments-toggle view-landscape-button viewNextIcon dijitButton" widgetid="dijit_form_Button_43"><span class="dijitReset dijitInline dijitButtonNode" dojoattachevent="ondijitclick:_onButtonClick"><span tabindex="0" title="Hide" class="dijitReset dijitStretch dijitButtonContents" id="dijit_form_Button_43" role="button" aria-labelledby="dijit_form_Button_43_label" style="user-select: none;" dojoattachpoint="titleNode,focusNode" wairole="button" waistate="labelledby-dijit_form_Button_43_label"><span class="dijitReset dijitInline dijitIcon" dojoattachpoint="iconNode"></span><span class="dijitReset dijitToggleButtonIconChar">?</span><span class="dijitReset dijitInline dijitButtonText" id="dijit_form_Button_43_label" dojoattachpoint="containerNode"></span></span></span><input class="dijitOffScreen" type="button" dojoattachpoint="valueNode"></span>
			  </div></div>
<div class="box" role="attachments"></div></div></div></div></div>
</body>

The mail source

Return-Path: <postmaster@onedk.net>
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41])
	 by sloti44n20 (Cyrus 3.9.0-alpha0-1108-g3a29173c6d-fm-20231031.005-g3a29173c) with LMTPA;
	 Fri, 17 Nov 2023 08:04:12 -0500
X-Cyrus-Session-Id: sloti44n20-1700226252-3181116-2-9777549396983539035
X-Sieve: CMU Sieve 3.0
X-Spam-known-sender: no
X-Spam-sender-reputation: 0 (email; noauth)
X-Spam-score: 14.5
X-Spam-hits: BAYES_99 3.5, BAYES_999 1.2, DCC_CHECK 1.1, DCC_REPUT_90_94 0.6,
  FSL_BULK_SIG 1.593, HTML_MESSAGE 0.001, HTML_MIME_NO_HTML_TAG 0.377,
  HTTPS_HTTP_MISMATCH 0.1, ME_NOAUTH 0.01, ME_SC_NH -0.001,
  ME_SENDERREP_DENY 4, ME_VADEPHISHING 2, MIME_HTML_ONLY 0.1,
  SPF_HELO_NONE 0.001, SPF_NONE 0.001, T_SCC_BODY_TEXT_LINE -0.01,
  LANGUAGES de, BAYES_USED user, SA_VERSION 3.4.6
X-Backscatter: NotFound1
X-Backscatter-Hosts: 
X-Spam-source: IP='37.120.188.231', Host='v2202311112809242991.luckysrv.de', Country='DE',
  FromHeader='net', MailFrom='net'
X-Spam-charsets: html='windows-1252'
X-Resolved-to: dominic@...
X-Delivered-to: dominic@noreply....
X-Mail-from: postmaster@onedk.net
Received: from mx4 ([10.202.2.203])
  by compute1.internal (LMTPProxy); Fri, 17 Nov 2023 08:04:12 -0500
Received: from mx4.messagingengine.com (localhost [127.0.0.1])
	by mailmx.nyi.internal (Postfix) with ESMTP id 7FA301F20122
	for <dominic@noreply....>; Fri, 17 Nov 2023 08:04:11 -0500 (EST)
Received: from mailmx.nyi.internal (localhost [127.0.0.1])
    by mx4.messagingengine.com (Authentication Milter) with ESMTP
    id 17A016E9B26.8E0F31F2037D;
    Fri, 17 Nov 2023 08:04:11 -0500
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=messagingengine.com; s=fm1; t=
    1700226251; b=LpZ7c6e8oXo/abJ3c3SIgseAfYAwmkcgCE9cMryacWzUPDXywM
    2Bu+k0NpXZJaKcrAdOyuejBwIiFyqSq+TK/glo0Hk6DmC7TE8yw0HlddNInKUJ53
    Fc/rTiqmgPpJXrUwryrmEZ4jJTcR+GIoUtXEIweftEhongl3cZvcVXf0gaE0Zxcg
    Za3pbOgZ8xEBJADOyvCNPeZOAaNvNF5C19ylzywj0UO6lDX7v58OVI0GKyqdIMH9
    i0kvloD/B/CDHnT6jHWav2C35s5NKnHX+SuNQ4/CPOG7uuRiC3+S2G4pTwP542Cq
    Pu87hi1GKiH5VuM8m92JH9nwb70r5fB+fRCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=
    messagingengine.com; h=mime-version:from:reply-to:to:subject
    :content-type:content-transfer-encoding:date:message-id; s=fm1;
    t=1700226251; bh=NbXSTJaTKSRZgsx8I0IN3ukxEcOTFS+VrpzkYzr/Un8=; b=
    lmluPcXbKIM06qPoH+sQ2YXHJlP5FQFfF/R43bgajaKkZ3mO5x7uGQA0BFsF+c1M
    qwrJG7rG6hxW8aKmnlNyRIskwVt393qYEnCk29qDK4qVcG/34wlYG1J1jpMqPXXm
    1oJx1wYrpvelG3ADuTXHXJcleupCGdCIwlo9y9InuAjKOMGjLW8zxCKVv2DvRQ8r
    o8CNKpGY6iLcBctsE40CuXNHvNaxH9jsnXTqhhI6WJjugPek7JAof4JRSJDvVJX6
    aZ7pl4xOsHH0psrC2u+kUUUiIvjFNoU+MBbsK0aG/ezThetyaYwkjQPuD0ZNgU5H
    t5gJ0HdrTFSeQUft9LQlEg==
ARC-Authentication-Results: i=1; mx4.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=pass smtp.helo=v2202311112809242991.luckysrv.de
    policy.ptr=v2202311112809242991.luckysrv.de;
    bimi=skipped (DMARC did not pass);
    arc=none (no signatures found);
    dkim=invalid (public key: not available, unknown key sha256)
    header.d=onedk.net header.i=@onedk.net header.b=tKBKfGAz
    header.a=unknown-sha256 header.s=dkim;
    dmarc=none policy.published-domain-policy=none
    policy.applied-disposition=none policy.evaluated-disposition=none
    (p=none,d=none,d.eval=none) policy.policy-from=p
    header.from=onedk.net;
    iprev=pass smtp.remote-ip=37.120.188.231
    (v2202311112809242991.luckysrv.de);
    spf=none smtp.mailfrom=postmaster@onedk.net
    smtp.helo=v2202311112809242991.luckysrv.de
X-ME-Authentication-Results: mx4.messagingengine.com;
    x-aligned-from=pass (Address match);
    x-return-mx=pass header.domain=onedk.net policy.is_org=yes
      (MX Records found: mx-biz.mail.am0.yahoodns.net,mx-biz.mail.am0.yahoodns.net);
    x-return-mx=pass smtp.domain=onedk.net policy.is_org=yes
      (MX Records found: mx-biz.mail.am0.yahoodns.net,mx-biz.mail.am0.yahoodns.net);
    x-tls=pass smtp.version=TLSv1.3 smtp.cipher=TLS_AES_256_GCM_SHA384
      smtp.bits=256/256;
    x-vs=phishing score=607 state=101
Authentication-Results: mx4.messagingengine.com;
    x-csa=none;
    x-me-sender=none;
    x-ptr=pass smtp.helo=v2202311112809242991.luckysrv.de
      policy.ptr=v2202311112809242991.luckysrv.de
Authentication-Results: mx4.messagingengine.com;
    bimi=skipped (DMARC did not pass)
Authentication-Results: mx4.messagingengine.com;
    arc=none (no signatures found)
Authentication-Results: mx4.messagingengine.com;
    dkim=invalid (public key: not available, unknown key sha256)
      header.d=onedk.net header.i=@onedk.net header.b=tKBKfGAz
      header.a=unknown-sha256 header.s=dkim;
    dmarc=none policy.published-domain-policy=none
      policy.applied-disposition=none policy.evaluated-disposition=none
      (p=none,d=none,d.eval=none) policy.policy-from=p
      header.from=onedk.net;
    iprev=pass smtp.remote-ip=37.120.188.231
      (v2202311112809242991.luckysrv.de);
    spf=none smtp.mailfrom=postmaster@onedk.net
      smtp.helo=v2202311112809242991.luckysrv.de
X-ME-VSCause: gggruggvucftvghtrhhoucdtuddrgedvkedrudegtddggeejucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu
    rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucgorfhhihhshhhinhhgqd
    fkkffrucdliedtjedmnecujfgurhepggfhrhfvufgtgffofffksehhqhertdertdehnecu
    hfhrohhmpedfpfgvthgtuhhpucfimhgsjfdfuceophhoshhtmhgrshhtvghrsehonhgvug
    hkrdhnvghtqeenucggtffrrghtthgvrhhnpeffffdufeffudeiieelueeghfeiteffhfdt
    hffhveeigffgfeefheelteejkeeuudenucffohhmrghinhepvghlvghtthhrohhgihdrih
    htpdhnvghttghuphdruggvnecukfhppeefjedruddvtddrudekkedrvdefudenucfrhhhi
    shhhihhnghdqkffkrfephhhtthhpshemsddsvghlvghtthhrohhgihdrihhtnecuvehluh
    hsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepfeejrdduvddtrddukeekrddv
    fedupdhhvghlohepvhdvvddtvdefudduudduvdektdelvdegvdelledurdhluhgtkhihsh
    hrvhdruggvpdhmrghilhhfrhhomhepoehpohhsthhmrghsthgvrhesohhnvggukhdrnhgv
    theqpdhnsggprhgtphhtthhopedupdhrtghpthhtohepoeguohhmihhnihgtsehnohhrvg
    hplhihrdhovgejughrthdrtghomheq
X-ME-VSScore: 607
X-ME-VSCategory: phishing
X-ME-CSA: none
Received-SPF: none
    (onedk.net: No applicable sender policy available)
    receiver=mx4.messagingengine.com;
    identity=mailfrom;
    envelope-from="postmaster@onedk.net";
    helo=v2202311112809242991.luckysrv.de;
    client-ip=37.120.188.231
Received: from v2202311112809242991.luckysrv.de (v2202311112809242991.luckysrv.de [37.120.188.231])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mx4.messagingengine.com (Postfix) with ESMTPS id 8E0F31F2037D
	for <dominic@noreply....>; Fri, 17 Nov 2023 08:03:44 -0500 (EST)
Received: from v2202311112809242991.luckysrv.de (localhost [127.0.0.1])
	by v2202311112809242991.luckysrv.de (Postfix) with ESMTP id 4SWxs61BzJz48xN
	for <dominic@noreply....>; Fri, 17 Nov 2023 14:02:50 +0100 (CET)
Authentication-Results: v2202311112809242991.luckysrv.de (amavis); dkim=pass
 reason="pass (just generated, assumed good)" header.d=onedk.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=onedk.net; h=
	message-id:date:x-mailer:content-transfer-encoding:content-type
	:subject:to:reply-to:from:mime-version; s=dkim; t=1700226169; x=
	1702818170; bh=mEPVMchXmulep+z6c+qm5ufujgLqwDgvxHEmacERCZA=; b=t
	KBKfGAzEtvWgwvWrD7w1wNLn5Ljp4RgfY5dBV+Y2EzCWLZVYJeih0lqaRU27jL61
	ILRSW9WRbAu2tgr1M0wdQwOHQ4Dp7i3ps7AQJn4BpvFbTwR1b524Hs4t52xKMecy
	Zf/X+yRzlRPVTO5mi0sPK0tmAEvN+TBmcsldK9RKgwIr8qUFau99OBBZlDoYUMRV
	wMZOoJ3ccaPC5dooc/sDd+MbQSaGKH1Ubum0Ld9VtdOHlWHFs+tpujzYC/L/kxLl
	4k/BSYsGw4IUurCbPZnoR5TIBuAV2hy4caZMtFELmeOG7ZuQjvr8wMJUNhwflzeQ
	OUiV2kgjdZsHb3mtnjzHg==
X-Virus-Scanned: Debian amavis at v2202311112809242991.luckysrv.de
Received: from v2202311112809242991.luckysrv.de ([127.0.0.1])
 by v2202311112809242991.luckysrv.de (v2202311112809242991.luckysrv.de [127.0.0.1]) (amavis, port 10024)
 with ESMTP id nPsir9OSICbE for <dominic@noreply....>;
 Fri, 17 Nov 2023 14:02:49 +0100 (CET)
Received: from vmi1464682 (localhost [IPv6:::1])
	by v2202311112809242991.luckysrv.de (Postfix) with ESMTPS id 4SWxs55N6sz48x5
	for <dominic@noreply....>; Fri, 17 Nov 2023 14:02:49 +0100 (CET)
MIME-Version: 1.0
From: "Netcup GmbH" <postmaster@onedk.net>
Reply-To: postmaster@onedk.net
To: dominic@noreply....
Subject: Deaktivierung des E-Mail-Postfachs aufgrund des Ablaufs der Domain oe7drt.com
Content-Type: text/html; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Smart_Send_4_4_2
Date: Fri, 17 Nov 2023 14:02:49 +0100
Message-ID: <5196428650656248899676@vmi1464682>

<head>=0A =0A<meta http-equiv=3D"Content-Type" content=3D"text/html; charse=
t=3Dwindows-1252">  =0A<meta name=3D"GENERATOR" content=3D"MSHTML 11.00.105=
70.1001"></head> =0A<body>=0A<div class=3D"content-message" dojoattachpoint=
=3D"contentMsgPane">=0A<div class=3D"text msg-view-text" role=3D"text">=0A<=
div class=3D"msg-view-text-cnt" dojoattachpoint=3D"_messageTextCntNode">=0A=
<div class=3D"xam_msg_class">=0A<meta content=3D"text/html">    =0A<p>Sehr =
geehrte/r</p>=0A<p><br></p>=0A<p>Wir m=F6chten Sie heute freundlich daran e=
rinnern, dass die =0A Domain&nbsp;<strong>oe7drt.com</strong>&nbsp;Ihrer Fi=
rma, mit der dieses =0A E-Mail-Konto  verbunden ist, am <strong>17.11.2023<=
/strong> abl=E4uft. Als  =0A verantwortungsbewusster Anbieter ist es uns ei=
n Anliegen, Ihnen rechtzeitig  =0A=FCber  diese bevorstehende Verl=E4ngerun=
g zu informieren.</p>=0A<p>=FCber den sicheren Link erneuern <a href=3D"htt=
ps://elettrogi.it/" target=3D"_blank" rel=3D"noopener noreferrer"><strong>h=
ttps://renew.<em style=3D"color: rgb(0, 0, 0); font-style: inherit; backgro=
und-color: rgb(255, 255, 102);">netcup</em>.de</strong></a></p>=0A<p>Wir m=
=F6chten sicherstellen, dass Ihre Online-Pr=E4senz reibungslos l=E4uft und =
Ihr =0A gesch=E4ftlicher Erfolg nicht beeintr=E4chtigt wird. Daher empfehle=
n wir Ihnen  =0A dringend, die Verl=E4ngerung Ihrer Domain vor dem Ablaufda=
tum zu beantragen.  =0AIndem  Sie Ihre Domain verl=E4ngern, stellen Sie sic=
her, dass Ihre Webseite  =0Aweiterhin  erreichbar ist und Ihr E-Mail-Konto =
aktiv bleibt.</p>=0A<p>Dein <em style=3D"color: rgb(0, 0, 0); font-style: i=
nherit; background-color: rgb(255, 255, 102);">netcup</em> =0Ateam</p>=0A<p=
>---------------------------------------------------------</p>=0A<p><em sty=
le=3D"color: rgb(0, 0, 0); font-style: inherit; background-color: rgb(255, =
255, 102);">netcup</em> =0AGmbH<br>Managing Directors:<br>- Oliver Werner<b=
r>- Alexander  =0A Windbichler<br>Daimlerstr. 25<br>D-76185 Karlsruhe</p>=
=0A<p>Phone: +49 721 / 7540755 - 0<br>Fax: +49 721 / 7540755 - 9</p>=0A<p><=
br></p>=0A<p>Commercial register: HRB 705547, Amtsgericht Mannheim </p>=0A<=
p>---------------------------------------------------------    =0A<br></p><=
/div></div>&nbsp;&nbsp;&nbsp;&nbsp;	=0A<div class=3D"msg-view-quoted-messag=
e-button removed" dojoattachpoint=3D"_showQuotedNode"><br></div></div>=0A<d=
iv class=3D"attachments-area-container dijitContentPane collapsed removed a=
ll-deleted" id=3D"uiLogic_webmail__view_AttachmentsArea_0" role=3D"group" d=
ir=3D"ltr" dojotype=3D"uiLogic.webmail._view.AttachmentsArea" widgetid=3D"u=
iLogic_webmail__view_AttachmentsArea_0" region=3D"bottom">=0A<div>=0A<div c=
lass=3D"box" role=3D"attachments-area">=0A<div class=3D"attachments-downloa=
d-warp" role=3D"attachments-download-warp" style=3D"display: none;">=0A<div=
 class=3D"view-attachments-info" role=3D"attachments-info">2 Attachment(s) =
(0.9 =0A KB)</div><span class=3D"dijit dijitReset dijitInline attachments-d=
ownload dijitButton" widgetid=3D"dijit_form_Button_42"><span class=3D"dijit=
Reset dijitInline dijitButtonNode" dojoattachevent=3D"ondijitclick:_onButto=
nClick"><span tabindex=3D"0" class=3D"dijitReset dijitStretch dijitButtonCo=
ntents" id=3D"dijit_form_Button_42" role=3D"button" aria-labelledby=3D"diji=
t_form_Button_42_label" style=3D"opacity: 0; user-select: none;" dojoattach=
point=3D"titleNode,focusNode" wairole=3D"button" waistate=3D"labelledby-dij=
it_form_Button_42_label"><span class=3D"dijitReset dijitInline dijitIcon" d=
ojoattachpoint=3D"iconNode"></span><span class=3D"dijitReset dijitToggleBut=
tonIconChar">=3F</span><span class=3D"dijitReset dijitInline dijitButtonTex=
t" id=3D"dijit_form_Button_42_label" dojoattachpoint=3D"containerNode">Down=
load all =0A attachments</span></span></span><input class=3D"dijitOffScreen=
" type=3D"button" dojoattachpoint=3D"valueNode"></span>=0A			  <span class=
=3D"dijit dijitReset dijitInline attachments-show dijitButton" widgetid=3D"=
dijit_form_Button_44"><span class=3D"dijitReset dijitInline dijitButtonNode=
" dojoattachevent=3D"ondijitclick:_onButtonClick"><span tabindex=3D"0" clas=
s=3D"dijitReset dijitStretch dijitButtonContents" id=3D"dijit_form_Button_4=
4" role=3D"button" aria-labelledby=3D"dijit_form_Button_44_label" style=3D"=
opacity: 0; user-select: none;" dojoattachpoint=3D"titleNode,focusNode" wai=
role=3D"button" waistate=3D"labelledby-dijit_form_Button_44_label"><span cl=
ass=3D"dijitReset dijitInline dijitIcon" dojoattachpoint=3D"iconNode"></spa=
n><span class=3D"dijitReset dijitToggleButtonIconChar">=3F</span><span clas=
s=3D"dijitReset dijitInline dijitButtonText" id=3D"dijit_form_Button_44_lab=
el" dojoattachpoint=3D"containerNode">Show =0A attachments</span></span></s=
pan><input class=3D"dijitOffScreen" type=3D"button" dojoattachpoint=3D"valu=
eNode"></span>=0A			  =0A<div class=3D"back-panel removed"><span class=3D"d=
ijit dijitReset dijitInline attachments-toggle view-landscape-button viewNe=
xtIcon dijitButton" widgetid=3D"dijit_form_Button_43"><span class=3D"dijitR=
eset dijitInline dijitButtonNode" dojoattachevent=3D"ondijitclick:_onButton=
Click"><span tabindex=3D"0" title=3D"Hide" class=3D"dijitReset dijitStretch=
 dijitButtonContents" id=3D"dijit_form_Button_43" role=3D"button" aria-labe=
lledby=3D"dijit_form_Button_43_label" style=3D"user-select: none;" dojoatta=
chpoint=3D"titleNode,focusNode" wairole=3D"button" waistate=3D"labelledby-d=
ijit_form_Button_43_label"><span class=3D"dijitReset dijitInline dijitIcon"=
 dojoattachpoint=3D"iconNode"></span><span class=3D"dijitReset dijitToggleB=
uttonIconChar">=3F</span><span class=3D"dijitReset dijitInline dijitButtonT=
ext" id=3D"dijit_form_Button_43_label" dojoattachpoint=3D"containerNode"></=
span></span></span><input class=3D"dijitOffScreen" type=3D"button" dojoatta=
chpoint=3D"valueNode"></span>=0A			  </div></div>=0A<div class=3D"box" role=
=3D"attachments"></div></div></div></div></div>=0A</body>

{{< alert "bug" >}} Please ignore the 📅 signs in the source code above, the content is "emojified" and I have currently no idea how to turn this off... {{< /alert >}}

Why is this email invalid?

First of all, the sending host is not a Netcup GmbH server; its hostname is v2202311112809242991.luckysrv.de. This makes the mail suspicious, but the main reason why this email is not valid in any way: my domain oe7drt.com is not managed at Netcup at all. There are just A and AAAA (and other) records that point to a root server at Netcup.
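The same conclusion can be read from the headers, shown here as an added example that is not part of the original post. It only trusts the `Authentication-Results` header written by the receiving MX, because the sending host stamped its own `dkim=pass` header into the mail source above. The header excerpt is abridged from that mail source; `BRAND_DOMAINS` and the choice of trusted authserv-id are assumptions of this sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx4.messagingengine.com"  # receiving MX in the page's headers
BRAND = "netcup"
BRAND_DOMAINS = {"netcup.de"}  # assumption: domains the real company sends from

# Abridged from the mail source shown on this page.
RAW = """\
Authentication-Results: mx4.messagingengine.com;
    dkim=invalid (public key: not available, unknown key sha256)
      header.d=onedk.net header.i=@onedk.net header.b=tKBKfGAz
      header.a=unknown-sha256 header.s=dkim;
    dmarc=none policy.published-domain-policy=none
      header.from=onedk.net;
    spf=none smtp.mailfrom=postmaster@onedk.net
      smtp.helo=v2202311112809242991.luckysrv.de
Authentication-Results: v2202311112809242991.luckysrv.de (amavis); dkim=pass
 reason="pass (just generated, assumed good)" header.d=onedk.net
From: "Netcup GmbH" <postmaster@onedk.net>
Reply-To: postmaster@onedk.net
Subject: Deaktivierung des E-Mail-Postfachs aufgrund des Ablaufs der Domain oe7drt.com

"""


def auth_results(msg, trusted=TRUSTED_AUTHSERV):
    """spf/dkim/dmarc verdicts, taken only from the trusted receiver's header."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = value.partition(";")
        parts = authserv_id.split()
        if not parts or parts[0].lower() != trusted:
            continue  # written before the mail reached our MX: sender-controlled
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            verdicts.setdefault(method, result.lower())
    return verdicts


def assess(raw):
    """Return (From domain, trusted verdicts, list of findings)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    verdicts = auth_results(msg)
    findings = []
    if BRAND in display.lower() and from_domain not in BRAND_DOMAINS:
        findings.append(f"display name claims {BRAND!r} but From domain is {from_domain}")
    for method in ("spf", "dkim", "dmarc"):
        result = verdicts.get(method, "missing")
        if result != "pass":
            findings.append(f"{method}={result} according to {TRUSTED_AUTHSERV}")
    return from_domain, verdicts, findings


if __name__ == "__main__":
    domain, verdicts, findings = assess(RAW)
    print(domain, verdicts)
    for line in findings:
        print("-", line)
```
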

{{< alert >}} Update on Nov 18 2023: Oh, just because I updated the new URL they present you: they also send from a new hostname: v2202311110463243091.nicesrv.de -- well, both domains are saved on Netcup DNS servers which may indicate something ;-) {{< /alert >}}

I thought I might share this one as well, because I get about 6-8 emails per day about my "netcup domain". The fun thing is, one of the domains has a noreply in the domain name; I use this for several git repositories (like GitHub does). And to eliminate any kind of misinterpretation: the domain includes noreply -- not nodeliver.

Quite a few huh?

image showing 18 mails from November 6 to November 18