
Sunday, April 28, 2013

Let's Deep Dive a Domain Registration Scam Email

Having an internet presence for so long, I have seen many of these.

These emails are sent with the BMX Mailer, carry an unusual Precedence field, use online virtual fax numbers and have some ties to a Romanian web server. The goal is to switch you to their "domain registration" service for an affordable $75/year lol.

You only have to fax them a credit card form.

Here's a copy of the email:


Sent from a hotmail address, so clearly legitimate

It is important to note that the message guarantees 100% satisfaction.

So this hostname, email2u.us, comes back to a Romanian registration. Probably nothing suspicious here #scoff

Return-path: <domainservicb73@hotmail.com>
Envelope-to: receiver@domain.com
Delivery-date: Sat, 27 Apr 2013 18:54:15 -0500
Received: from [184.82.95.130] (port=41871 helo=host.kevinz.com)
     by hosteddomain.com with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
     (Exim 4.80)
     (envelope-from <domainservicb73@hotmail.com>)
     id 1UWEwY-0001rX-K2
     for receiver@domain.com; Sat, 27 Apr 2013 18:54:15 -0500
Received: from domainin by host.kevinz.com with local (Exim 4.80)
     (envelope-from <domainservicb73@hotmail.com>)
     id 1UWEwN-000189-VO
     for receiver@domain.com; Sat, 27 Apr 2013 19:54:04 -0400
To: receiver@domain.com
Subject: Domain Notification: JOE CITIZEN This is your Final Notice of Domain Listing - domain.com

X-PHP-Script: 184.82.95.130/~domainin/info/mail_new2.php for 99.247.101.189 

(the PHP script seems to be common in these messages, and the 99. address is a Canadian address)

From: Domain Services <domainservicb73@hotmail.com>
MIME-Version: 1.0
Content-Type: text/html;

X-Mailer: AT (undocumented X-Mailer value; seems to be a common string in these messages, see References)

Priority: High
Importance: High

Precedence: VBBV (not a generally used value; see this and RFC 2076. The Precedence in these messages always appears to be a four-letter upper-case code, which might be useful intelligence for spam blockers to check for)

Message-Id: <E1UWEwN-000189-VO@host.kevinz.com>
Date: Sat, 27 Apr 2013 19:54:03 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.kevinz.com
X-AntiAbuse: Original Domain - domain.com
X-AntiAbuse: Originator/Caller UID/GID - [500 501] / [47 12]
X-AntiAbuse: Sender Address Domain - hotmail.com
X-Get-Message-Sender-Via: host.kevinz.com: authenticated_id: domainin/only user confirmed/virtual account not confirmed
X-Spam-Status: No, score=5.2
X-Spam-Score: 52
X-Spam-Bar: +++++
X-Spam-Flag: NO


Common Strings:


  • X-Mailer: AT
  • Precedence: (followed by a four-letter upper-case code)
  • /~domainin/info/mail_new2.php for <ip address>
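The three strings above, plus the subject line, can be turned into a straightforward header check. The following is an added example (not code from the original post or from the BMX mailer): it parses a raw header block with Python's standard email module and flags the X-Mailer, Precedence, X-PHP-Script and Subject patterns; both sample header blocks are constructed, trimmed from the headers quoted in this post.

```python
# Added example (not from the original post): score a raw header block
# against the indicators the post lists for this campaign.
import re
from email import message_from_string

SUBJECT_RE = re.compile(r"This is your Final Notice of Domain Listing", re.I)
PHP_SCRIPT_RE = re.compile(r"/~domainin/info/mail_new2\.php", re.I)
# The campaign's Precedence values (VBBV, SSWD) are random 4-letter codes;
# RFC 2076 only documents bulk/junk/list (plus two older values).
PRECEDENCE_CODE_RE = re.compile(r"^[A-Z]{4}$")
RFC_PRECEDENCE = {"bulk", "junk", "list", "first-class", "special-delivery"}


def score_headers(raw: str) -> dict:
    """Return a dict of the indicators matched by an RFC 822 header block."""
    msg = message_from_string(raw)
    hits = {}
    if (msg.get("X-Mailer") or "").strip() == "AT":
        hits["x_mailer_at"] = True
    prec = (msg.get("Precedence") or "").strip()
    if prec.lower() not in RFC_PRECEDENCE and PRECEDENCE_CODE_RE.match(prec):
        hits["precedence_code"] = prec
    if PHP_SCRIPT_RE.search(msg.get("X-PHP-Script") or ""):
        hits["bmx_php_script"] = True
    if SUBJECT_RE.search(msg.get("Subject") or ""):
        hits["subject"] = True
    return hits


def is_domain_listing_scam(raw: str, threshold: int = 2) -> bool:
    """Flag the message when at least `threshold` independent indicators hit."""
    return len(score_headers(raw)) >= threshold


# Constructed sample, trimmed from the first header set quoted in the post.
SAMPLE_SCAM = """\
Subject: Domain Notification: JOE CITIZEN This is your Final Notice of Domain Listing - domain.com
X-PHP-Script: 184.82.95.130/~domainin/info/mail_new2.php for 99.247.101.189
X-Mailer: AT
Precedence: VBBV

"""
# Constructed sample of a legitimate list message using an RFC 2076 value.
SAMPLE_LIST = """\
Subject: [dev] weekly build report
Precedence: bulk
X-Mailer: Postfix

"""
```

Requiring two independent hits keeps a lone odd Precedence value from flagging a legitimate mailing-list message.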

Some digging around revealed some leaked information on the server, which is publicly accessible. This is a list of the "csv" files which have been uploaded to the server.


Information Leakage in HTML Files:


A host of csv files are leaked and identified on this server, including the following:


30mil_com-6-23.csv
30mil_com-6-24.csv
30mil_com-6-25.csv
30mil_com-6-26.csv
30mil_com-6-27.csv
30mil_com-6-28.csv
30mil_com-6-29.csv
30mil_com-6-30.csv
30mil_com-6-31.csv
30mil_com-6-32.csv
30mil_com-6-33.csv


and there are a bunch more files like this. Nothing beats having 30 million+ emails to choose from.

184.82.95.130 Services

PORT     STATE  SERVICE VERSION
53/tcp   open   domain  ISC BIND 9.3.6-20.P1.el5_8.6
1723/tcp closed pptp
Device type: general purpose|firewall|proxy server|WAP


FYI: http://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-21860/ISC-Bind-9.3.0.html

Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at 184.82.95.130 Port 80


Information Leakage in Error Message:

[LF]
<h1>404 Not Found</h1>[LF]

    Please forward this error screen to 184.82.95.130's [LF]
    <a href="mailto:kevinz50@ymail.com
    WebMaster</a>.[LF]
</p>[LF]


Centralops on email2u.us


Domain Name:                                 EMAIL2U.US
Domain ID:                                   D35316435-US
Sponsoring Registrar:                        ENOM, INC.
Sponsoring Registrar IANA ID:                48
Registrar URL (registration services):       whois.enom.com
Domain Status:                               clientTransferProhibited
Registrant ID:                               62EA327952C1BCAB
Registrant Name:                             Andrei  Manoliu
Registrant Address1:                         atelierele noi
Registrant City:                             bucharest
Registrant State/Province:                   bucuresti
Registrant Postal Code:                      014571
Registrant Country:                          Romania
Registrant Country Code:                     RO
Registrant Phone Number:                     +40.767801428
Registrant Email:                            slabeste2011@yahoo.com
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C12
Administrative Contact ID:                   EDAECA2EE634C95B
Administrative Contact Name:                 Andrei  Manoliu
Administrative Contact Address1:             atelierele noi
Administrative Contact City:                 bucharest
Administrative Contact State/Province:       bucuresti
Administrative Contact Postal Code:          014571
Administrative Contact Country:              Romania
Administrative Contact Country Code:         RO
Administrative Contact Phone Number:         +40.767801428
Administrative Contact Email:                slabeste2011@yahoo.com


BMX Mailer



<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">[CRLF]
[CRLF]
<html>[CRLF]
<head>[CRLF]
<title>BMX : Bulk Mailer</title>[CRLF]
</head>[CRLF]
[CRLF]
<body>[CRLF]
[CRLF]
<form name="mail" method="post" action="mail_new2.php">[CRLF]
[CRLF]
  <table width="60%" border="0" cellspacing="1" cellpadding="1" align="center" bgcolor=#DCDCDC>[CRLF]
<tr><td colspan=2><font face=arial size=2><strong>Bulk Mailer</strong></font></td></tr>[CRLF]
    <tr> [CRLF]
      <td align="right"><font face="Arial, Helvetica, sans-serif" size="2">Subject:</font></td>[CRLF]
      <td> [CRLF]
        <select size="1" name="subjectid" style="width:250">[CRLF]
<option value="">-- Select -- [CRLF]
<option value=1>Domain Notification: {NAME} This is your Final Notice of Domain Listing - {WEBURL}</select>[CRLF]
      </td>[CRLF]
    </tr>[CRLF]
<tr>[CRLF]
<td align=right><font face=arial size=2>Select Group:</font></td>[CRLF]
<td>[CRLF]
<select name="groupid">[CRLF]
<option value=0>-- Select --[CRLF]
<option value=1>Domain Services</select>[CRLF]
</td>[CRLF]

Others have gotten this and posted their headers.



From - Fri Mar 22 17:28:39 2013
X-Account-Key: account2
X-UIDL: 12219
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00010000
X-Mozilla-Keys:
Return-Path: domainserhhjcb73@hotmail.com
Received: from spoolbl10-d.mail.gandi.net ([217.70.178.90])
by mail.brakstar.com
; Fri, 22 Mar 2013 17:24:00 +0100
Received: from mxcontact.gandi.net (mxcontact.gandi.net [217.70.177.36])
by spoolbl10-d.mail.gandi.net (Postfix) with ESMTP id 0D8E795AE38
for <societe@brakstar.com>; Fri, 22 Mar 2013 17:23:55 +0100 (CET)
Received: from server1.ryansheppard.com (unknown [209.198.1.90])
by mredir1-v.mgt.gandi.net (Postfix) with ESMTP id 4544EEC40A
for <8493FD79D2F73DED5468744CAF859FE6-763727@CONTACT.GANDI.NET>; Fri, 22 Mar 2013 17:23:55 +0100 (CET)
Received: from domainin by server1.ryansheppard.com with local (Exim 4.80)
(envelope-from <domainserhhjcb73@hotmail.com>)
id 1UIy2y-00032y-JH
for 8493FD79D2F73DED5468744CAF859FE6-763727@CONTACT.GANDI.NET; Fri, 22 Mar 2013 05:14:00 -0400
To: 8493FD79D2F73DED5468744CAF859FE6-763727@CONTACT.GANDI.NET
Subject: Domain Notification: SARL BRAKSTAR This is your Final Notice of Domain Listing - RATONIA.COM

X-PHP-Script: 209.198.1.90/~domainin/info/mail_new2.php for 99.237.121.36 (Again Canadian IP Address)

From: Domain Services <domainserhhjcb73@hotmail.com>
MIME-Version: 1.0
Content-Type: text/html;

X-Mailer: AT

Priority: High
Importance: High

Precedence: SSWD

Message-Id: <E1UIy2y-00032y-JH@server1.ryansheppard.com>
Date: Fri, 22 Mar 2013 05:14:00 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server1.ryansheppard.com
X-AntiAbuse: Original Domain - contact.gandi.net
X-AntiAbuse: Originator/Caller UID/GID - [500 501] / [47 12]
X-AntiAbuse: Sender Address Domain - hotmail.com
X-Get-Message-Sender-Via: server1.ryansheppard.com: authenticated_id: domainin/only user confirmed/virtual account not confirmed
X-Antivirus: avast! (VPS 130322-0, 22/03/2013), Inbound message
X-Antivir



References:
http://www.spamreg.com/reg495597.htm
http://www.ip-adress.com/whois/kevinz.com
http://www.holmpage.com/2011/10/spam-alert-domain-notification-this-is-your-final-notice-of-domain-listing/
http://www.webx.net/bmx/
http://www.brakstar.com/forum/braktopic_22844.html
http://www.elvey.com/spam/Domain_Services.html