Sunday, April 28, 2013

Let's Deep Dive a Domain Registration Scam Email

Having an internet presence for so long, I have seen many of these.

These emails are sent with the BMX Mailer, carry a Precedence field and online virtual fax numbers, and have some ties to a Romanian web server. The goal is to switch you to their "domain registration" service for an affordable $75/year lol.

You only have to fax them a credit card form.

Here's a copy of the email:


Sent from a hotmail address, so clearly legitimate


It is important to note that the message guarantees 100% satisfaction.




So this hostname, email2u.us, comes back to a Romanian registration. Probably nothing suspicious here #scoff




Return-path: <domainservicb73@hotmail.com>
Envelope-to: receiver@domain.com
Delivery-date: Sat, 27 Apr 2013 18:54:15 -0500
Received: from [184.82.95.130] (port=41871 helo=host.kevinz.com)
     by hosteddomain.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
     (Exim 4.80)
     (envelope-from <domainservicb73@hotmail.com>)
     id 1UWEwY-0001rX-K2
     for receiver@domain.com; Sat, 27 Apr 2013 18:54:15 -0500
Received: from domainin by host.kevinz.com with local (Exim 4.80)
     (envelope-from <domainservicb73@hotmail.com>)
     id 1UWEwN-000189-VO
     for receiver@domain.com; Sat, 27 Apr 2013 19:54:04 -0400
To: receiver@domain.com
Subject: Domain Notification: JOE CITIZEN This is your Final Notice of Domain Listing - domain.com

X-PHP-Script: 184.82.95.130/~domainin/info/mail_new2.php for 99.247.101.189 

(the php script seems to be common in these messages and the 99. address is a Canadian address)

From: Domain Services <domainservicb73@hotmail.com>
MIME-Version: 1.0
Content-Type: text/html;

X-Mailer: AT (undocumented X-mailer, seems to be a common string in these messages, see References)

Priority: High
Importance: High

Precedence: VBBV (not generally used, see This and RFC 2076 - the Precedence in these messages appears always to be a 4 letter upper case code - might be good intelligence for spam blockers to check for)

Message-Id: <E1UWEwN-000189-VO@host.kevinz.com>
Date: Sat, 27 Apr 2013 19:54:03 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.kevinz.com
X-AntiAbuse: Original Domain - domain.com
X-AntiAbuse: Originator/Caller UID/GID - [500 501] / [47 12]
X-AntiAbuse: Sender Address Domain - hotmail.com
X-Get-Message-Sender-Via: host.kevinz.com: authenticated_id: domainin/only user confirmed/virtual account not confirmed
X-Spam-Status: No, score=5.2
X-Spam-Score: 52
X-Spam-Bar: +++++
X-Spam-Flag: NO


Common Strings:


  • X-Mailer: AT
  • Precedence: (followed by a 4 upper case letter code)
  • /~domainin/info/mail_new2.php for <ip address>
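As an added example (not from the original post), here is a small Python checker that applies the three common strings above, plus the subject line, to a raw header block using the standard library email parser. The sample headers are constructed from the ones quoted in this post, and the indicator names and the two-hit threshold are my own choices.

```python
import email
import re
from email import policy

# Precedence values legitimate mail uses (RFC 2076); the scam mailer emits a random 4-letter token instead.
KNOWN_PRECEDENCE = {"bulk", "junk", "list", "first-class", "special-delivery"}
PHP_SCRIPT_RE = re.compile(r"/~domainin/info/mail_new2\.php\b")
SUBJECT_RE = re.compile(r"Final Notice of Domain Listing", re.IGNORECASE)

def indicators(raw_headers: str) -> list:
    """Return the names of the post's scam indicators found in a raw header block."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    hits = []
    if (msg.get("X-Mailer") or "").strip() == "AT":
        hits.append("x-mailer-AT")
    prec = (msg.get("Precedence") or "").strip()
    if prec.lower() not in KNOWN_PRECEDENCE and re.fullmatch(r"[A-Z]{4}", prec):
        hits.append("precedence-4-upper")
    if PHP_SCRIPT_RE.search(msg.get("X-PHP-Script") or ""):
        hits.append("php-script-mail_new2")
    if SUBJECT_RE.search(msg.get("Subject") or ""):
        hits.append("subject-final-notice")
    return hits

def is_domain_scam(raw_headers: str, threshold: int = 2) -> bool:
    """Flag a message when at least `threshold` indicators co-occur (threshold is my choice)."""
    return len(indicators(raw_headers)) >= threshold

# Constructed sample, trimmed from the headers quoted in this post.
SCAM_SAMPLE = """\
Return-path: <domainservicb73@hotmail.com>
Subject: Domain Notification: JOE CITIZEN This is your Final Notice of Domain Listing - domain.com
X-PHP-Script: 184.82.95.130/~domainin/info/mail_new2.php for 99.247.101.189
From: Domain Services <domainservicb73@hotmail.com>
X-Mailer: AT
Precedence: VBBV
"""

# Constructed benign sample: a real list sender using an RFC 2076 Precedence value.
BENIGN_SAMPLE = """\
From: Example List <list@example.org>
Subject: Weekly newsletter
Precedence: bulk
X-Mailer: ExampleMailer/1.0
"""

if __name__ == "__main__":
    print("scam sample:", indicators(SCAM_SAMPLE), "->", is_domain_scam(SCAM_SAMPLE))
    print("benign sample:", indicators(BENIGN_SAMPLE), "->", is_domain_scam(BENIGN_SAMPLE))
```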

Some digging around revealed some leaked information on the server, which is publicly accessible. This is a list of the "csv" files which have been uploaded to the server.


Information Leakage in HTML Files:


A host of csv files are leaked and identified on this server, including the following:


30mil_com-6-23.csv   
30mil_com-6-24.csv   
30mil_com-6-25.csv   
30mil_com-6-26.csv   
30mil_com-6-27.csv   
30mil_com-6-28.csv   
30mil_com-6-29.csv   
30mil_com-6-30.csv   
30mil_com-6-31.csv   
30mil_com-6-32.csv   
30mil_com-6-33.csv


and there are a bunch more files like this. Nothing beats having 30 million+ emails to choose from.

184.82.95.130 Services

PORT     STATE  SERVICE VERSION
53/tcp   open   domain  ISC BIND 9.3.6-20.P1.el5_8.6
1723/tcp closed pptp
Device type: general purpose|firewall|proxy server|WAP


FYI: http://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-21860/ISC-Bind-9.3.0.html

Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at 184.82.95.130 Port 80


Information Leakage in Error Message:

[LF]
<h1>404 Not Found</h1>[LF]

    Please forward this error screen to 184.82.95.130's [LF]
    <a href="mailto:kevinz50@ymail.com
    WebMaster</a>.[LF]
</p>[LF]


Centralops on email2u.us


Domain Name:                                 EMAIL2U.US
Domain ID:                                   D35316435-US
Sponsoring Registrar:                        ENOM, INC.
Sponsoring Registrar IANA ID:                48
Registrar URL (registration services):       whois.enom.com
Domain Status:                               clientTransferProhibited
Registrant ID:                               62EA327952C1BCAB
Registrant Name:                             Andrei  Manoliu
Registrant Address1:                         atelierele noi
Registrant City:                             bucharest
Registrant State/Province:                   bucuresti
Registrant Postal Code:                      014571
Registrant Country:                          Romania
Registrant Country Code:                     RO
Registrant Phone Number:                     +40.767801428
Registrant Email:                            slabeste2011@yahoo.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12
Administrative Contact ID:                   EDAECA2EE634C95B
Administrative Contact Name:                 Andrei  Manoliu
Administrative Contact Address1:             atelierele noi
Administrative Contact City:                 bucharest
Administrative Contact State/Province:       bucuresti
Administrative Contact Postal Code:          014571
Administrative Contact Country:              Romania
Administrative Contact Country Code:         RO
Administrative Contact Phone Number:         +40.767801428
Administrative Contact Email:                slabeste2011@yahoo.com


BMX Mailer



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">[CRLF]
[CRLF]
<html>[CRLF]
<head>[CRLF]
<title>BMX : Bulk Mailer</title>[CRLF]
</head>[CRLF]
[CRLF]
<body>[CRLF]
[CRLF]
<form name="mail" method="post" action="mail_new2.php">[CRLF]
[CRLF]
  <table width="60%" border="0" cellspacing="1" cellpadding="1" align="center" bgcolor=#DCDCDC>[CRLF]
<tr><td colspan=2><font face=arial size=2><strong>Bulk Mailer</strong></font></td></tr>[CRLF]
    <tr> [CRLF]
      <td align="right"><font face="Arial, Helvetica, sans-serif" size="2">Subject:</font></td>[CRLF]
      <td> [CRLF]
        <select size="1" name="subjectid" style="width:250">[CRLF]
<option value="">-- Select -- [CRLF]
<option value=1>Domain Notification: {NAME} This is your Final Notice of Domain Listing - {WEBURL}</select>[CRLF]
      </td>[CRLF]
    </tr>[CRLF]
<tr>[CRLF]
<td align=right><font face=arial size=2>Select Group:</font></td>[CRLF]
<td>[CRLF]
<select name="groupid">[CRLF]
<option value=0>-- Select --[CRLF]
<option value=1>Domain Services</select>[CRLF]
</td>[CRLF]

Others have gotten this and posted their headers. 



From - Fri Mar 22 17:28:39 2013
X-Account-Key: account2
X-UIDL: 12219
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00010000
X-Mozilla-Keys:
Return-Path: domainserhhjcb73@hotmail.com
Received: from spoolbl10-d.mail.gandi.net ([217.70.178.90])
by mail.brakstar.com
; Fri, 22 Mar 2013 17:24:00 +0100
Received: from mxcontact.gandi.net (mxcontact.gandi.net [217.70.177.36])
by spoolbl10-d.mail.gandi.net (Postfix) with ESMTP id 0D8E795AE38
for <societe@brakstar.com>; Fri, 22 Mar 2013 17:23:55 +0100 (CET)
Received: from server1.ryansheppard.com (unknown [209.198.1.90])
by mredir1-v.mgt.gandi.net (Postfix) with ESMTP id 4544EEC40A
for <8493FD79D2F73DED5468744CAF859FE6-763727@CONTACT.GANDI.NET>; Fri, 22 Mar 2013 17:23:55 +0100 (CET)
Received: from domainin by server1.ryansheppard.com with local (Exim 4.80)
(envelope-from <domainserhhjcb73@hotmail.com>)
id 1UIy2y-00032y-JH
for 8493FD79D2F73DED5468744CAF859FE6-763727@CONTACT.GANDI.NET; Fri, 22 Mar 2013 05:14:00 -0400
To: 8493FD79D2F73DED5468744CAF859FE6-763727@CONTACT.GANDI.NET
Subject: Domain Notification: SARL BRAKSTAR This is your Final Notice of Domain Listing - RATONIA.COM

X-PHP-Script: 209.198.1.90/~domainin/info/mail_new2.php for 99.237.121.36 (Again Canadian IP Address)

From: Domain Services <domainserhhjcb73@hotmail.com>
MIME-Version: 1.0
Content-Type: text/html;

X-Mailer: AT

Priority: High
Importance: High

Precedence: SSWD

Message-Id: <E1UIy2y-00032y-JH@server1.ryansheppard.com>
Date: Fri, 22 Mar 2013 05:14:00 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server1.ryansheppard.com
X-AntiAbuse: Original Domain - contact.gandi.net
X-AntiAbuse: Originator/Caller UID/GID - [500 501] / [47 12]
X-AntiAbuse: Sender Address Domain - hotmail.com
X-Get-Message-Sender-Via: server1.ryansheppard.com: authenticated_id: domainin/only user confirmed/virtual account not confirmed
X-Antivirus: avast! (VPS 130322-0, 22/03/2013), Inbound message
X-Antivir



References:
http://www.spamreg.com/reg495597.htm
http://www.ip-adress.com/whois/kevinz.com
http://www.holmpage.com/2011/10/spam-alert-domain-notification-this-is-your-final-notice-of-domain-listing/
http://www.webx.net/bmx/
http://www.brakstar.com/forum/braktopic_22844.html
http://www.elvey.com/spam/Domain_Services.html

2 comments:

  1. A long article and full of information about domain name scams. I curse those scamsters, they made online life much harder.

  2. I have been using AVG security for a number of years, I'd recommend this Anti virus to you all.
