I have one beepmode.co.uk email address that's published on the interwebs. Unsurprisingly, I get a fair amount of spam via that address. The company hosting my email, Mythic Beasts, recently added the option to use SpamAssassin, and that has made quite a difference. It's a bit tricky to find the right level of spam filtering, though. Emails with a high spam score are simply sent to /dev/null, and as I don't have access to the logs I have no information about purged emails. Lowering the spam threshold can obviously result in genuine emails being deleted.
To find the optimum level of spam filtering I've been looking at the headers of lots of spam emails. One junk email that caught my attention was an email from email@example.com. It's a typical phishing email; it warns me that my email address will be deactivated within the next 24 hours unless I hit the "verify your account" button. The email looks professional and the copy is well-written.
The email wasn't weeded out by SpamAssassin: it got a score of 7.3. I guess that's largely because the domain mailx9.co has a valid SPF record (220.127.116.11 is allowed to send email for mailx9.co) and because the mail server that relayed the email (premium126.web-hosting.com) isn't on any major block lists. Only the IP address of the original sender (18.104.22.168) appears on block lists, and that doesn't help much: SPF and block-list checks at my provider's server are applied to the IP that connected to it, i.e. the relay, not to the machine the message originally came from. For what it's worth, the latter IP address is Vietnamese.
The plus side of this is that it's very transparent how the email was relayed. Here are the (slightly redacted) headers:
Envelope-To: firstname.lastname@example.org
Delivery-Date: Sun, 19 Jul 2020 10:02:03 +0100
Received: from haggis.mythic-beasts.com ([2a00:1098:0:86:1000:0:2:1])
    by ocelot.mythic-beasts.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
    (Exim 4.92) (envelope-from ) id 1jx5Cs-0007T5-OM
    for email@example.com; Sun, 19 Jul 2020 10:02:02 +0100
Received-Spf: pass (haggis.mythic-beasts.com: domain of mailx9.co designates 22.214.171.124 as permitted sender) client-ip=126.96.36.199; firstname.lastname@example.org; helo=premium126-1.web-hosting.com;
Received: from [188.8.131.52] (port=39707 helo=premium126-1.web-hosting.com)
    by haggis.mythic-beasts.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
    (Exim 4.92.3) (envelope-from ) id 1jx5Cq-0005wO-DX
    for email@example.com; Sun, 19 Jul 2020 10:02:02 +0100
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mailx9.co; s=default; [...] List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=sgVvr [...] IA==;
Received: from [184.108.40.206] (port=63972 helo=mailx9.co)
    by premium126.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.93) (envelope-from ) id 1jx5Cj-001Fxx-8R
    for firstname.lastname@example.org; Sun, 19 Jul 2020 05:01:58 -0400
From: Email Admin
To: email@example.com
Subject: Please verify your account
Date: 19 Jul 2020 02:01:50 -0700 (19/07/20 10:01:50)
Message-Id: <20200719020150.C84949BCBC9E190F@mailx9.co>
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Outgoing-Spam-Status: No, score=2.3
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - premium126.web-hosting.com
X-Antiabuse: Original Domain - beepmode.co.uk
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - mailx9.co
X-Get-Message-Sender-Via: premium126.web-hosting.com: authenticated_id: firstname.lastname@example.org
X-Authenticated-Sender: premium126.web-hosting.com: email@example.com
[...]
X-Blackcat-Spam-Score: 73
X-Spam-Status: No, score=7.3
[...]
The innermost Received header shows that premium126.web-hosting.com accepted the message with esmtpsa, Exim's label for an authenticated SMTP session, and the X-Get-Message-Sender-Via and X-Authenticated-Sender headers record the account that logged in. In other words, the sender is a paying customer of whoever runs that host, not someone abusing an open relay. With that information it's easy to establish who is facilitating the phishing operation:
$ dig mailx9.co NS +short
dns2.namecheaphosting.com.
dns1.namecheaphosting.com.
$ dig mailx9.co A +short
220.127.116.11
$ dig -x 18.104.22.168 +short
premium126-5.web-hosting.com.
$ dig web-hosting.com SOA +short
ns1.web-hosting.com. hosting-notifications.namecheaphosting.com. 2020072321 3600 7200 1209600 1800
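Reading a Received chain by hand is error-prone once there are more than a couple of hops, so here is an added example (my code, not the post's) that does the same analysis programmatically: it walks the Received headers oldest-first, pulls out the connecting IP, the HELO name and the accepting MTA for each hop, flags the hop that was an authenticated submission (Exim's esmtpsa), and reports the SPF result and the authenticated account. The embedded message is constructed for the example and modelled on the redacted headers above: the host names are the ones shown there, but the IP addresses come from RFC 5737 documentation ranges and the mailbox names are placeholders.

```python
"""Reconstruct an e-mail's relay path from its Received: headers.

Added example, not the blog author's code. SAMPLE is a constructed message
modelled on the redacted headers in the post: host names match the post, the
IP addresses are RFC 5737 documentation addresses and mailboxes are placeholders.
"""
import re
from email import message_from_string
from email.policy import default

SAMPLE = """\
Received: from haggis.mythic-beasts.com ([2a00:1098:0:86:1000:0:2:1])
\tby ocelot.mythic-beasts.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
\t(Exim 4.92) (envelope-from <sender@mailx9.co>) id 1jx5Cs-0007T5-OM
\tfor victim@example.com; Sun, 19 Jul 2020 10:02:02 +0100
Received-SPF: pass (haggis.mythic-beasts.com: domain of mailx9.co designates 198.51.100.26 as permitted sender) client-ip=198.51.100.26; envelope-from=sender@mailx9.co; helo=premium126-1.web-hosting.com;
Received: from [198.51.100.26] (port=39707 helo=premium126-1.web-hosting.com)
\tby haggis.mythic-beasts.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
\t(Exim 4.92.3) (envelope-from <sender@mailx9.co>) id 1jx5Cq-0005wO-DX
\tfor victim@example.com; Sun, 19 Jul 2020 10:02:02 +0100
Received: from [203.0.113.77] (port=63972 helo=mailx9.co)
\tby premium126.web-hosting.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
\t(Exim 4.93) (envelope-from <sender@mailx9.co>) id 1jx5Cj-001Fxx-8R
\tfor victim@example.com; Sun, 19 Jul 2020 05:01:58 -0400
From: Email Admin <sender@mailx9.co>
To: victim@example.com
Subject: Please verify your account
X-Authenticated-Sender: premium126.web-hosting.com: sender@mailx9.co

(body omitted)
"""

# Exim (and Postfix) mark an authenticated submission with a trailing "a":
# esmtpa / esmtpsa. A plain relay between MTAs is esmtp / esmtps.
AUTHENTICATED_PROTOCOLS = {"esmtpa", "esmtpsa"}

HOP_RE = re.compile(
    r"from (?P<from>\S+)"               # claimed host name or [ip-literal]
    r"(?P<from_info>(?: \([^)]*\))*)"   # zero or more "(...)" details
    r" by (?P<by>\S+)"                  # the MTA that wrote this header
    r"(?: with (?P<with>\S+))?"         # protocol, e.g. esmtps / esmtpsa
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def parse_received(value):
    """Parse one (possibly folded) Received: value into a hop dict."""
    value = re.sub(r"\s+", " ", value).strip()
    clause, _, date = value.rpartition(";")   # the timestamp follows the last ';'
    m = HOP_RE.match(clause)
    if m is None:
        raise ValueError(f"unrecognised Received header: {value}")
    src = m.group("from") + m.group("from_info")
    ip = IP_RE.search(src)
    helo = re.search(r"helo=([^\s)]+)", m.group("from_info"))
    env = re.search(r"envelope-from <?([^>\s)]+)", clause)
    proto = (m.group("with") or "").lower()
    # HELO name: an explicit helo= (Exim style) or, failing that, the name
    # after "from" when it is a host name rather than an IP literal.
    from_name = m.group("from")
    return {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else (None if from_name.startswith("[") else from_name),
        "by": m.group("by"),
        "with": proto or None,
        "authenticated": proto in AUTHENTICATED_PROTOCOLS,
        "envelope_from": env.group(1) if env else None,
        "date": date.strip(),
    }


def relay_path(raw_message):
    """Hops oldest-first. Each MTA prepends its Received header, so the last
    one in the message is the first hop the mail took."""
    msg = message_from_string(raw_message, policy=default)
    hops = [parse_received(str(h)) for h in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def spf_result(raw_message):
    """First token of Received-SPF (pass, fail, softfail, ...), or None."""
    value = message_from_string(raw_message, policy=default).get("Received-SPF")
    return str(value).split()[0].lower() if value else None


def authenticated_sender(raw_message):
    """Account that logged in to the submission host, from the
    "host: account" form of X-Authenticated-Sender seen in the post."""
    value = message_from_string(raw_message, policy=default).get("X-Authenticated-Sender")
    return str(value).rpartition(": ")[2].strip() if value else None


if __name__ == "__main__":
    for i, hop in enumerate(relay_path(SAMPLE), 1):
        flag = "  <- authenticated submission" if hop["authenticated"] else ""
        print(f"{i}. {hop['ip']} (helo={hop['helo']}) -> {hop['by']} via {hop['with']}{flag}")
    print("SPF:", spf_result(SAMPLE), "| logged in as:", authenticated_sender(SAMPLE))
```

The first hop in the output is the one to look up (the dig -x above) and the one to name in an abuse report; the SPF result belongs to the second hop, the hosting provider's relay, which is exactly why it says nothing about the originator. Note that everything in a Received header is written by the MTA that accepted the connection, so only headers added by servers you trust (here Mythic Beasts' two hosts) are beyond the sender's control; a phisher can prepend fake Received lines of their own, which is why the chain is read from the trusted end inwards.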
Clicking the "verify your account" button takes you to the phishing website. Like the email, the site looks professional; it even has a valid Sectigo SSL certificate. That's less reassuring than it sounds: a certificate only shows that whoever set the site up controls the domain name, not that they are who they claim to be. I don't recommend visiting the site, but to give you an idea I've taken a screenshot.
If you look closely, there are some red flags. For instance, the links in the navigation and the link to "top tips to improve your safety online" don't work. Still, it's convincing. I know people who would fall for this scam.
Reporting the scam
I decided to report the email and website to Namecheap. My ticket was acknowledged after 50 minutes, and I got a canned response three hours later:
"Please be assured that we will investigate the matter you reported and take action based on the results of our investigation. Please also be aware that, while Namecheap investigates every complaint, we cannot always respond with the results of the investigation and your ticket might be closed accordingly."
That was a week ago. The website is still up and running, and no doubt the criminals behind the scam are still sending emails to addresses scraped from the interwebs. Meanwhile, the hosting company just looks away.