SolarStar Posted September 7, 2013 I found this message today in my inbox. What makes it so special? It seems to have come from Microsoft when you look at the sender. But really, it is a very sophisticated scam. In case you also receive a similar mail: never open the link inside it. I'm still figuring out a way to report this mail to Microsoft. Maybe you can help me?
hussam Posted September 7, 2013 Even if you report it to Microsoft, they won't do anything. What you can do is check the email headers and find the originating IP address. Then do a whois check on that IP address and report it to its ISP for abuse/spam. Edited September 7, 2013 by hussam
Panatella Posted September 7, 2013
> Even if you report it to Microsoft, they won't do anything. What you can do is check the email headers and find the originating IP address. Then do a whois check on that IP address and report it to its ISP for abuse/spam.
Yep, hussam is right! Do that, Solar.
SolarStar Posted September 8, 2013 This is the information I found in the message source:

Authentication-Results: hotmail.com; spf=none (sender IP is 198.57.188.175) smtp.mailfrom=data@microsoft.de; dkim=none header.d=microsoft.de; x-hmca=none header.id=data@microsoft.de

I tried to get a result with this tool here but no origin was found: http://www.heise.de/netze/tools/whois/
hussam Posted September 8, 2013

whois 198.57.188.175

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=198.57.188.175?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       198.57.128.0 - 198.57.255.255
CIDR:           198.57.128.0/17
OriginAS:       AS46606
NetName:        UNIFIEDLAYER-NETWORK-12
NetHandle:      NET-198-57-128-0-1
Parent:         NET-198-0-0-0-0
NetType:        Direct Allocation
RegDate:        2012-07-27
Updated:        2012-11-14
Ref:            http://whois.arin.net/rest/net/NET-198-57-128-0-1

OrgName:        Unified Layer
OrgId:          BLUEH-2
Address:        1958 South 950 East
City:           Provo
StateProv:      UT
PostalCode:     84606
Country:        US
RegDate:        2006-08-08
Updated:        2012-11-26
Ref:            http://whois.arin.net/rest/org/BLUEH-2

ReferralServer: rwhois://rwhois.unifiedlayer.com:4321

OrgTechHandle:  NETWO5508-ARIN
OrgTechName:    Network Operations
OrgTechPhone:   +1-888-401-4678
OrgTechEmail:   netops@unifiedlayer.com
OrgTechRef:     http://whois.arin.net/rest/poc/NETWO5508-ARIN

OrgNOCHandle:   NETWO5508-ARIN
OrgNOCName:     Network Operations
OrgNOCPhone:    +1-888-401-4678
OrgNOCEmail:    netops@unifiedlayer.com
OrgNOCRef:      http://whois.arin.net/rest/poc/NETWO5508-ARIN

OrgAbuseHandle: ABUSE3581-ARIN
OrgAbuseName:   Abuse Department
OrgAbusePhone:  +1-888-401-4678
OrgAbuseEmail:  abuse@unifiedlayer.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE3581-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Found a referral to rwhois.unifiedlayer.com:4321.

%rwhois V-1.5:000080:00 rwhois.unifiedlayer.com (by Unified Layer, V-1.0.0)
network:Class-Name:network
network:ID: NETBLK-UL.198.57.128.0/17
network:Auth-Area: 198.57.128.0/17
network:Network-Name: UL-198.57.128.0/17
network:IP-Network: 198.57.128.0/17
network:Organization: Unified Layer
network:Tech-Contact: netops@unifiedlayer.com
network:Admin-Contact: netops@unifiedlayer.com
network:Abuse-Contact: abuse@unifiedlayer.com
network:Created: 20121119
network:Updated: 20121119
network:Updated-By: netops@unifiedlayer.com
%ok

So email abuse@unifiedlayer.com with the contents of the emails and the email headers. Except that, since the email is in German, it is very likely that the origin IP address is a compromised personal computer used to send email spam without the owner's knowledge. Edited September 8, 2013 by hussam
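The header check hussam describes and the whois lookup above, pulled together into one script as an added example (not code from anyone in the thread). It parses the Authentication-Results header the way SolarStar's Hotmail copy shows it, pulls the bracketed IPs from the Received chain as a fallback, and matches the sender IP against the netblock and abuse contact from the ARIN output. The sample message is constructed: only the Authentication-Results line is from the thread; the Received, From, To and Subject headers are invented and use reserved .invalid names. The WHOIS_NETBLOCKS table is hardcoded from the quoted whois output, standing in for a live whois query.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. The Authentication-Results line is the one
# quoted in the thread; every other header is invented for illustration.
SAMPLE_MESSAGE = """\
Received: from mail.example.invalid ([198.57.188.175])
 by mx.example.invalid with SMTP; Sat, 7 Sep 2013 10:00:00 +0000
Authentication-Results: hotmail.com; spf=none (sender IP is 198.57.188.175) smtp.mailfrom=data@microsoft.de; dkim=none header.d=microsoft.de; x-hmca=none header.id=data@microsoft.de
From: "Microsoft" <data@microsoft.de>
To: victim@example.invalid
Subject: Your account

Please open the link below.
"""

# Netblock and abuse contact copied from the ARIN whois output quoted in the
# thread; in practice you would run whois on the IP you just extracted.
WHOIS_NETBLOCKS = [
    (ipaddress.ip_network("198.57.128.0/17"), "Unified Layer", "abuse@unifiedlayer.com"),
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
SENDER_IP_RE = re.compile(r"sender IP is " + IPV4)
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
BRACKET_IP_RE = re.compile(r"\[" + IPV4 + r"\]")


def parse_authentication_results(msg):
    """Return (sender IP or None, {'spf': ..., 'dkim': ...}) from the
    Authentication-Results header that the receiving provider added."""
    header = msg.get("Authentication-Results", "")
    m = SENDER_IP_RE.search(header)
    ip = ipaddress.ip_address(m.group(1)) if m else None
    return ip, dict(AUTH_RESULT_RE.findall(header))


def received_ips(msg):
    """Bracketed IPv4 addresses from the Received chain, topmost hop
    (the one your own mail server recorded) first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for m in BRACKET_IP_RE.finditer(hdr):
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def find_netblock(ip):
    """Match an IP (string or address object) against the whois netblocks."""
    ip = ipaddress.ip_address(ip)
    for net, org, abuse in WHOIS_NETBLOCKS:
        if ip in net:
            return {"network": str(net), "org": org, "abuse": abuse}
    return None


def assess(raw_message):
    msg = message_from_string(raw_message)
    sender_ip, auth = parse_authentication_results(msg)
    hops = received_ips(msg)
    # Without an Authentication-Results header, the first Received hop is
    # the best available guess for the connecting IP.
    if sender_ip is None and hops:
        sender_ip = hops[0]
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    spf = auth.get("spf", "none")
    dkim = auth.get("dkim", "none")
    findings = []
    if spf != "pass":
        findings.append(f"spf={spf}: {from_domain} did not vouch for {sender_ip}")
    if dkim != "pass":
        findings.append(f"dkim={dkim}: no valid signature for {from_domain}")
    netblock = find_netblock(sender_ip) if sender_ip else None
    return {
        "from_domain": from_domain,
        "sender_ip": str(sender_ip) if sender_ip else None,
        "received_hops": [str(ip) for ip in hops],
        "spf": spf,
        "dkim": dkim,
        "netblock": netblock,
        "report_to": netblock["abuse"] if netblock else None,
        "findings": findings,
        # Neither mechanism vouches for the From domain: the display name
        # and address prove nothing about who actually sent the mail.
        "unauthenticated": spf != "pass" and dkim != "pass",
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Note that spf=none means microsoft.de published no SPF record at the time, so the check could neither pass nor fail; that is why the script treats anything other than pass as "does not vouch" rather than as proof of forgery. The combination that matters is an unauthenticated From domain plus a sender IP sitting in an unrelated hosting provider's netblock, and the abuse address from whois is where the headers go even if, as hussam says, the machine behind the IP turns out to be a compromised host rather than the scammer's own.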
aredhel Posted September 12, 2013 Solar, don't bother with the IP address; of course those phishers and scammers hide behind proxies or operate from virus-infected normal home users' PCs. I get heaps of such mails, trying to get my banking PINs, PayPal password, eBay login, you name it, they want it.
Devnul Posted September 27, 2013
> Solar, don't bother with the IP address; of course those phishers and scammers hide behind proxies or operate from virus-infected normal home users' PCs. I get heaps of such mails, trying to get my banking PINs, PayPal password, eBay login, you name it, they want it.
Solar is from the past; this is new to him.