Just another phishing email

A phishing email from mail@mailx9.co. The email urges me to click a button to verify my email account. If I don't, my email address will be deactivated!
Another day, another phishing attempt.

I got one beepmode.co.uk email address that's published on the interwebs. Unsurprisingly, I get a fair amount of spam via the address. The company hosting my emails, Mythic Beasts, recently added the option to use SpamAssassin and that has made quite a difference. It's a bit tricky to find the right level of spam filtering though. Emails with a high spam score are simply sent to /dev/null and as I don't have access to the logs I don't have any information about purged emails. Lowering the spam threshold can obviously result in genuine emails being deleted.

The email

To find the optimum level of spam filtering I've been looking at the headers of lots of spam emails. One junk email that caught my attention was an email from mail@mailx9.co. It's a typical phishing email; it warns me that my email address will be deactivated within the next 24 hours unless I hit the "verify your account" button. The email looks professional and the copy is well-written.

The email wasn't weeded out by SpamAssassin: it got a score of 7.3. I guess that's largely because the domain mailx9.co has a valid SPF record (162.0.229.240 is allowed to send emails for mailx9.co) and because the mail server that relayed the email (premium126.web-hosting.com) isn't on any major block lists. Only the IP address of the original sender (103.99.1.171) appears on block lists. For what it's worth, the latter IP address is Vietnamese.

The plus side of this is that it's very transparent how the email was relayed. Here are the (slightly redacted) headers:

Return-Path: 
Envelope-To: feedback@beepmode.co.uk
Delivery-Date: Sun, 19 Jul 2020 10:02:03 +0100
Received: from haggis.mythic-beasts.com ([2a00:1098:0:86:1000:0:2:1])
        by ocelot.mythic-beasts.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.92)
        (envelope-from )
        id 1jx5Cs-0007T5-OM
        for feedback@beepmode.co.uk; Sun, 19 Jul 2020 10:02:02 +0100
Received-Spf: pass (haggis.mythic-beasts.com: domain of mailx9.co designates 162.0.229.240 as permitted sender) client-ip=162.0.229.240; envelope-from=mail@mailx9.co; helo=premium126-1.web-hosting.com;
Received: from [162.0.229.240] (port=39707 helo=premium126-1.web-hosting.com)
        by haggis.mythic-beasts.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
        (Exim 4.92.3)
        (envelope-from )
        id 1jx5Cq-0005wO-DX
        for feedback@beepmode.co.uk; Sun, 19 Jul 2020 10:02:02 +0100
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mailx9.co;
         s=default; [...] List-Unsubscribe:List-Subscribe:
        List-Post:List-Owner:List-Archive;
        bh=sgVvr [...] IA==;
Received: from [103.99.1.171] (port=63972 helo=mailx9.co)
        by premium126.web-hosting.com with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        (Exim 4.93)
        (envelope-from )
        id 1jx5Cj-001Fxx-8R
        for feedback@beepmode.co.uk; Sun, 19 Jul 2020 05:01:58 -0400
From: Email Admin 
To: feedback@beepmode.co.uk
Subject: Please verify your account
Date: 19 Jul 2020 02:01:50 -0700 (19/07/20 10:01:50)
Message-Id: <20200719020150.C84949BCBC9E190F@mailx9.co>
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Outgoing-Spam-Status: No, score=2.3
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - premium126.web-hosting.com
X-Antiabuse: Original Domain - beepmode.co.uk
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - mailx9.co
X-Get-Message-Sender-Via: premium126.web-hosting.com: authenticated_id: mail@mailx9.co
X-Authenticated-Sender: premium126.web-hosting.com: mail@mailx9.co
[...]
X-Blackcat-Spam-Score: 73
X-Spam-Status: No, score=7.3
[...]

And with that information it's easy to establish who is facilitating the phishing operation:

$ dig mailx9.co NS +short
dns2.namecheaphosting.com.
dns1.namecheaphosting.com.

$ dig mailx9.co A +short
162.0.229.244

$ dig -x 162.0.229.244 +short
premium126-5.web-hosting.com.

$ dig web-hosting.com SOA +short
ns1.web-hosting.com. hosting-notifications.namecheaphosting.com. 2020072321 3600 7200 1209600 1800
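To make the relay analysis above repeatable, here is an added Python script (not from the original post) that unfolds the Received: headers into the chain of hops and checks which IP the SPF pass actually vouched for. The sample headers are a constructed, trimmed copy of the ones quoted above; the function names are my own.

```python
import re
from email.parser import HeaderParser

# Constructed sample: the headers quoted above, trimmed to the fields this script reads.
RAW_HEADERS = """\
Received: from haggis.mythic-beasts.com ([2a00:1098:0:86:1000:0:2:1])
        by ocelot.mythic-beasts.com with esmtps (Exim 4.92)
        for feedback@beepmode.co.uk; Sun, 19 Jul 2020 10:02:02 +0100
Received-Spf: pass (haggis.mythic-beasts.com: domain of mailx9.co designates
        162.0.229.240 as permitted sender) client-ip=162.0.229.240; envelope-from=mail@mailx9.co;
Received: from [162.0.229.240] (port=39707 helo=premium126-1.web-hosting.com)
        by haggis.mythic-beasts.com with esmtps (Exim 4.92.3)
        for feedback@beepmode.co.uk; Sun, 19 Jul 2020 10:02:02 +0100
Received: from [103.99.1.171] (port=63972 helo=mailx9.co)
        by premium126.web-hosting.com with esmtpsa (TLS1.2)
        for feedback@beepmode.co.uk; Sun, 19 Jul 2020 05:01:58 -0400
X-Authenticated-Sender: premium126.web-hosting.com: mail@mailx9.co
X-Spam-Status: No, score=7.3
"""

def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_received(value):
    v = " ".join(value.split())  # unfold the header before matching
    proto = _grab(r" with (\S+)", v)
    return {"ip": _grab(r"^from \S*\s*\(?\[([0-9a-fA-F.:]+)\]", v),
            "helo": _grab(r"helo=([^\s)]+)", v), "by": _grab(r" by (\S+)", v), "with": proto,
            # Exim's esmtpa/esmtpsa means the client logged in with SMTP AUTH at this hop
            "authenticated": proto in ("esmtpa", "esmtpsa")}

def trace(raw):
    """Hops in chronological order: each MTA prepends its Received:, so reverse them."""
    msg = HeaderParser().parsestr(raw)
    return [parse_received(r) for r in reversed(msg.get_all("Received", []))]

def summarize(raw):
    """Origin vs. what SPF actually vouched for, plus the hosting account that sent it."""
    msg, hops = HeaderParser().parsestr(raw), trace(raw)
    spf = " ".join(msg.get("Received-Spf", "").split())
    spf_ip = _grab(r"client-ip=([0-9a-fA-F.:]+)", spf)
    return {"origin_ip": hops[0]["ip"], "origin_helo": hops[0]["helo"],
            "first_relay": hops[0]["by"], "origin_authenticated": hops[0]["authenticated"],
            "authenticated_sender": msg.get("X-Authenticated-Sender"),
            "spf_result": spf.split(" ", 1)[0] or None, "spf_client_ip": spf_ip,
            # SPF checks the IP that talked to the recipient's MTA, not the originating host
            "spf_covers_origin": spf_ip == hops[0]["ip"],
            "spam_score": float(_grab(r"score=([\d.]+)", msg.get("X-Spam-Status", "0")))}
```

Only the Received: lines added by MTAs you trust (here the Mythic Beasts hosts) are reliable; anything below them could have been written by the sender.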

The website

Clicking the "verify your account" button takes you to the phishing website. Like the email, the site looks professional – it even has a valid Sectigo SSL certificate. I don't recommend visiting the site, but to give you an idea I've taken a screenshot.

If you look closely there are some red flags. For instance, the links in the navigation and the link to "top tips to improve your safety online" don't work. Still, it's convincing. I know people who would fall for this scam.

Reporting the scam

I decided to report the email and website to Namecheap. My ticket was acknowledged after 50 minutes and I got a canned response three hours later:

"Please be assured that we will investigate the matter you reported and take action based on the results of our investigation. Please also be aware that, while Namecheap investigates every complaint, we cannot always respond with the results of the investigation and your ticket might be closed accordingly."

That was a week ago. The website is still up and running, and no doubt the criminals behind the scam are still sending emails to addresses scraped from the interwebs. Meanwhile, the hosting company just looks away.