Author Topic: Scam - dodgy email received?  (Read 1029 times)

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9772
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Scam - dodgy email received?
« on: August 10, 2020, 10:47:37 PM »

Background: I have just transferred a domain name from NAMESCO to Andrews and Arnold. That completed today.

Possibly irrelevant: I received a couple of peculiar emails about confirming the details of the registration. The emails said they were from AA but the from: email address was peculiar, I followed the links in the email which took me to a page that said that my email address had been validated as the contact address for the domain.

Then this email arrives (below). It says it is from 123-reg, although they are nothing to do with this transfer. It has a url in it which I have not followed; unfortunately I don't feel I can quote it because I don't know what it will do. It would be interesting to see where it leads though. This is incredibly dodgy. Is this 123-reg trying to steal other registrars' domains or is it just completely bogus?

Code:

Return-Path: <services@123-reg.co.uk>
Delivered-To: <my-email-address>
Received: from mail-director-a.mi.aa.net.uk ([fd00:53:2::25:b])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
by mail-dovecot-a2.m.tch.aa.net.uk with LMTPS
id WB4YMGiMMV+xOwAAgYX0Ag
(envelope-from <services@123-reg.co.uk>)
for <<my-email-address>>; Mon, 10 Aug 2020 19:05:28 +0100
Received: from mail-exim-b.mi.aa.net.uk ([fd00:53:2::25:b])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
by mail-director-a.mi.aa.net.uk with LMTPS
id wLDnLmiMMV+yfAAAmW28Kg
(envelope-from <services@123-reg.co.uk>)
for <<my-email-address>>; Mon, 10 Aug 2020 19:05:28 +0100
Delivery-date: Mon, 10 Aug 2020 19:05:28 +0100
Received: from mailgateway.meshdigital.com ([109.68.33.19])
by mail-exim-b.mi.aa.net.uk with esmtp (Exim 4.92)
(envelope-from <services@123-reg.co.uk>)
id 1k5CAb-0002My-10
for <my-email-address>; Mon, 10 Aug 2020 19:05:28 +0100
Received: from localhost (mesh-mailgateway.hi.local [127.0.0.1])
by mailgateway.meshdigital.com (Postfix) with ESMTP id F3D962605D6
for <<my-email-address>>; Mon, 10 Aug 2020 19:05:11 +0100 (BST)
Received: from mailgateway.meshdigital.com ([127.0.0.1])
by localhost (mailgateway.meshdigital.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id ZQxhghq2PUqk for <<my-email-address>>;
Mon, 10 Aug 2020 19:05:11 +0100 (BST)
Received: from MAILER.meshdigital.net (MAILER.meshdigital.net [192.168.1.25])
by mailgateway.meshdigital.com (Postfix) with ESMTP id DC3A526013D
for <<my-email-address>>; Mon, 10 Aug 2020 19:05:11 +0100 (BST)
Received: from MAILER.meshdigital.net (192.168.1.25) by MAILER.meshdigital.net
 (192.168.1.25) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1913.5; Mon, 10 Aug
 2020 19:05:11 +0100
Received: from MESH-DB-APP01 (192.168.1.6) by MAILER.meshdigital.net
 (192.168.1.25) with Microsoft SMTP Server id 15.1.1913.5 via Frontend
 Transport; Mon, 10 Aug 2020 19:05:11 +0100
MIME-Version: 1.0
From: 123Reg/Webfusion <services@123-reg.co.uk>
To: <<my-email-address>>
Date: Mon, 10 Aug 2020 19:05:11 +0100
Subject: Transfer Request for <my-domain-name>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Message-ID: <07e18004-4041-4178-9798-5afd9208aecc@MAILER.meshdigital.net>
Received-SPF: SoftFail (MAILER.meshdigital.net: domain of transitioning
 services@123-reg.co.uk discourages use of 192.168.1.6 as permitted sender)
X-Message-Linecount: 53
X-Connected-IP: 109.68.33.19:55112
X-Body-Linecount: 25
X-Message-Size: 3175
X-Body-Size: 1633
X-Received-Count: 6
X-Recipient-Count: 1
X-Local-Recipient-Count: 1
X-Local-Recipient-Defer-Count: 0
X-Local-Recipient-Fail-Count: 0
X-Spam-Score: 0.8
X-Spam-Score-Int: 8
X-Spam-Bar: /
X-Spam-Report: Spam detection software, running on the system "mail-spamless-c.mi.aa.net.uk", has
 processed this message and it scored (0.8 points).
  pts  rule name              description
 ---- ---------------------- --------------------------------------------------
  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                             [score: 0.5000]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict
                             Alignment
  0.0 RCVD_NOT_IN_IPREPDNS   Sender not listed at
                             http://www.chaosreigns.com/iprep/
X-Spam-Mark-Threshold: 3
X-Spam-Reject-Threshold: 4
X-Spam-User: <my-email-address>
X-Spam-Flag: NO
X-Resolved-To: <my-email-address>
X-Delivered-To: <my-email-address>
X-Message-Age: 15
X-SpamSubject:

From: services@123-reg.co.uk

Attention: my-email-address

Re: Transfer of my-domain-name.com

123Reg/Webfusion has received a request from my-email-address on 10/08/2020 for us to become the new registrar of record.

Please read the following important information about transferring your domain name:
• You must agree to enter into a new Registration Agreement with us. You can review the full terms and conditions of the Agreement at http://www.domainterms.com/.
• Once you have entered into the Agreement, the transfer will take place within five (5) calendar days unless the current registrar of record denies the request.
• Once a transfer takes place, you will not be able to transfer to another registrar for 60 days, apart from a transfer back to the original registrar, in cases where both registrars so agree or where a decision in the dispute resolution process so directs.

Please go to our website, https://www.approvemove.com?k=<deleted>

If you have any questions about this process, please contact yoursupportrequest@123-reg.co.uk, http://www.123-reg.co.uk/domain-names/.

Kind Regards

123Reg/Webfusion

Logged

d2d4j

  • Kitizen
  • ****
  • Posts: 1034
Re: Scam - dodgy email received?
« Reply #1 on: August 10, 2020, 10:55:15 PM »

Hi

@weaver - I think the domain is a .com

You have not given enough information to fully be sure but it's normal for the receiving provider to confirm details of ownership etc...

The headers look as though they have been sent from 123reg via aa

It could just be aa use 123reg

I am tired and suppose I should not post a reply tonight but you are over thinking this and been far too suspicious

I will reread tomorrow and apologies if I am wrong but half posting is not good for information to help

Many thanks

John
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9772
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Scam - dodgy email received?
« Reply #2 on: August 10, 2020, 11:10:00 PM »

> it's normal for the receiving provider to confirm details of ownership etc...

That's what I thought regarding the two earlier emails. So perhaps I was not quite sooo foolish in following the links in them. They had my own name in it and the domain name and something of this sort was expected as the timing was right. I should have checked who it was really from though.

Coming back to the latest email quoted above: The thing is, I have no relationship with 123-reg regarding this domain. I'm not transferring anything to 123-reg, nor from 123-reg.

Also, I have now dug out the earlier suspicious emails that arrived earlier. Here is one example. This claims to be from AA but isn't. And who on earth is bb-online ?

Code:

Return-Path: <support@bb-online.com>
Delivered-To: <my-email-address>
Received: from mail-director-a.mi.aa.net.uk ([fd00:53:2::25:b])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
by mail-dovecot-a2.m.tch.aa.net.uk with LMTPS
id eNxNK6DoMF+vEwAAgYX0Ag
(envelope-from <support@bb-online.com>)
for <<my-email-address>>; Mon, 10 Aug 2020 07:26:40 +0100
Received: from mail-exim-b.mi.aa.net.uk ([fd00:53:2::25:b])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
by mail-director-a.mi.aa.net.uk with LMTPS
id CP9zKqDoMF/EEAAAmW28Kg
(envelope-from <support@bb-online.com>)
for <<my-email-address>>; Mon, 10 Aug 2020 07:26:40 +0100
Delivery-date: Mon, 10 Aug 2020 07:26:40 +0100
Received: from mail.bb-online.net ([213.123.60.197])
by mail-exim-b.mi.aa.net.uk with esmtp (Exim 4.92)
(envelope-from <support@bb-online.com>)
id 1k51GL-0003Rz-FW
for <my-email-address>; Mon, 10 Aug 2020 07:26:40 +0100
Received: from localhost.localdomain (T5-2 [10.0.2.66])
by mail.bb-online.net (8.14.5+Sun/8.13.6) with ESMTP id 07A6QOuv007171
for <<my-email-address>>; Mon, 10 Aug 2020 07:26:24 +0100 (BST)
Message-Id: <202008100626.07A6QOuv007171@mail.bb-online.net>
Date: Mon, 10 Aug 2020 07:26:23 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
To: <my-email-address>
Cc:
From: transfer <support@bb-online.com>
Reply-To:
Subject: ACTION REQUIRED - Andrews & Arnold Ltd transfer confirmation of
 <my-domain-name>
X-Message-Linecount: 49
X-Connected-IP: 213.123.60.197:42885
X-Body-Linecount: 34
X-Message-Size: 1497
X-Body-Size: 925
X-Received-Count: 2
X-Recipient-Count: 1
X-Local-Recipient-Count: 1
X-Local-Recipient-Defer-Count: 0
X-Local-Recipient-Fail-Count: 0
X-Spam-Score: 1.5
X-Spam-Score-Int: 15
X-Spam-Bar: +
X-Spam-Report: Spam detection software, running on the system "mail-spamless-c.mi.aa.net.uk", has
 processed this message and it scored (1.5 points).
  pts  rule name              description
 ---- ---------------------- --------------------------------------------------
  1.5 BAYES_60               BODY: Bayes spam probability is 60 to 80%
                             [score: 0.7133]
 -0.0 SPF_PASS               SPF: sender matches SPF record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict
                             Alignment
  0.0 RCVD_NOT_IN_IPREPDNS   Sender not listed at
                             http://www.chaosreigns.com/iprep/
  0.0 KAM_SHORT              Use of a URL Shortener for very short URL
X-Spam-Mark-Threshold: 3
X-Spam-Reject-Threshold: 4
X-Spam-User: <my-email-address>
X-Spam-Flag: NO
X-Resolved-To: <my-email-address>
X-Delivered-To: <my-email-address>
X-Message-Age: 15
X-SpamSubject:
X-AA-BETA: r=v_u m2=15 m3= m4= m5= m8= m9= reqint=30


To <my-own-name>.

You have recently transfered the domain name - <my-domain-name> with An=
drews & Arnold Ltd,
http://aa.net.uk/contact.html.

In order to reduce fraudulent domain registrations and increase data accura=
cy,
we would be extremely grateful if you could please take a second to confirm=
 the
transfer of your domain by clicking the URL below:

https://bbonline.useradmin.co.uk/<deleted>

If there is a problem with the above URL, please copy it and paste it into =
your
Internet browser address bar.

Should you have any questions about this, please contact;

Andrews & Arnold Ltd
sales@aa.net.uk

Thank you very much for your time and cooperation in this matter.

Kind regards

Hostmaster-Andrews & Arnold Ltd

This process is related to ICANN's whois accuracy program, 2013:
www.icann.org/en/resources/registrars/raa/approved-with-specs-27jun13-en.htm

« Last Edit: August 10, 2020, 11:15:16 PM by Weaver »
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9772
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Scam - dodgy email received?
« Reply #3 on: August 10, 2020, 11:19:10 PM »

@d2d4j - do you want me to quote the url that was in either of the emails?  The domain is indeed a .com.
Logged

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 32405
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Scam - dodgy email received?
« Reply #4 on: August 10, 2020, 11:23:23 PM »

Possibly the simplest way would be to directly check with A&A.  :-\
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9772
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Scam - dodgy email received?
« Reply #5 on: August 10, 2020, 11:28:49 PM »

I will do so.

—

Have sent copies of the full emails to AA. I realise that 123-reg could have received a bogus email supposedly from me which has confused them. They could very well be innocent.
« Last Edit: August 10, 2020, 11:49:04 PM by Weaver »
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9772
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Scam - dodgy email received?
« Reply #6 on: August 11, 2020, 09:03:23 PM »

The earlier emails were initiated by AA, so I was ok to click the link enclosed, but there was nothing to tell me that it was ok - it's bad training people to just believe random from addresses are legit surely, no? AA said that that bb-online is something to do with Nominet who deal with transfers. In the case of .uk domains I've had similar emails from Nominet but then we know who Nominet is and what they do.

As for the later email, AA are unable to comment. AA told me that AA auto-locks all domains regarding transfers away from AA so I don't need to worry.
Logged

d2d4j

  • Kitizen
  • ****
  • Posts: 1034
Re: Scam - dodgy email received?
« Reply #7 on: August 11, 2020, 10:16:11 PM »

Hi

I thought it was a genuine email

Never heard of bb and we use pdr and never seen an email from bb and as far as I know, neither has any clients of ours. In fact, looking at bb website it does not show any detail to that of what you say. Nominet website does!

Anyway glad it's resolved and perhaps next thread subject with regard to this may be better described

Many thanks

John
Logged

Alex Atkin UK

  • Kitizen
  • ****
  • Posts: 2296
    • My Broadband History
Re: Scam - dodgy email received?
« Reply #8 on: August 12, 2020, 03:24:20 AM »

It certainly seems like either AA or the domain registration system in general is not following security best practices.

If you are transferring to AA then anything you need to confirm should be done on AA servers, not some random third-party that looks bogus.

I would NEVER click a link in an e-mail that is going to a different domain to that which the e-mail originated from.  I receive too many actual bogus e-mails trying to steal my domains when they come up for renewal to risk that.
Logged
INTAKE (ECI) 2x Home Hub 5A OpenWrt:  1x Zen,1x Plusnet Hauwei B535-232: Voxi 4G Router: pfSense (i5-7200U) WiFi: Ubiquiti nanoHD
Thinkbroadband Quality Monitors & Zen Referral
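The header checks Weaver applied by eye to the email in the first post, plus Alex's rule above about links that leave the sender's domain, as an added Python example (not code from this thread, from A&A or from 123-reg): it parses a constructed sample condensed from the quoted headers, reads the Received-SPF verdict, lists the Received hops earliest first, and flags body links whose registrable domain differs from the From: domain. The `registrable()` suffix handling, the sample's recipient address and the link token are assumptions.

```python
"""Triage of a suspected domain-transfer phishing email (added example).

Checks the three things the thread discusses: the SPF result a receiving MTA
recorded, whether any Received hop came from the domain the From: header
claims, and whether body links point off the sender's domain.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample, condensed from the headers quoted in the first post;
# the recipient address and the link token are placeholders.
SAMPLE = """\
Return-Path: <services@123-reg.co.uk>
Received: from mailgateway.meshdigital.com ([109.68.33.19])
 by mail-exim-b.mi.aa.net.uk with esmtp (Exim 4.92)
 (envelope-from <services@123-reg.co.uk>)
 for <victim@example.com>; Mon, 10 Aug 2020 19:05:28 +0100
Received: from MESH-DB-APP01 (192.168.1.6) by MAILER.meshdigital.net
 (192.168.1.25) with Microsoft SMTP Server id 15.1.1913.5
From: 123Reg/Webfusion <services@123-reg.co.uk>
To: <victim@example.com>
Subject: Transfer Request for example.com
Received-SPF: SoftFail (MAILER.meshdigital.net: domain of transitioning
 services@123-reg.co.uk discourages use of 192.168.1.6 as permitted sender)
Content-Type: text/plain; charset="utf-8"

Please go to our website, https://www.approvemove.com?k=PLACEHOLDER
If you have any questions, see http://www.123-reg.co.uk/domain-names/.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Second-level labels under which the third label is the registrable name
# (assumption: a tiny stand-in for the public suffix list, enough for .co.uk).
SECOND_LEVEL = {"co", "org", "ac", "gov", "net", "me", "ltd", "plc"}


def registrable(host: str) -> str:
    """Approximate the registrable domain of a host name."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts (the sample is single-part)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def triage(raw: str) -> Dict[str, object]:
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()

    # 1. SPF verdict recorded by an MTA in the path (first token of the header).
    spf_header = msg.get("Received-SPF", "")
    spf_result = spf_header.split(None, 1)[0].lower() if spf_header else "none"

    # 2. Received chain, earliest hop first; headers are prepended, so reverse.
    hops = [h.split() for h in (msg.get_all("Received") or [])]
    hop_hosts = [h[1] for h in hops if h and h[0].lower() == "from"][::-1]
    sender_in_path = any(registrable(h) == registrable(from_domain) for h in hop_hosts)

    # 3. Links whose host lies outside the From: domain (the rule in this reply).
    off_domain: List[str] = []
    for url in URL_RE.findall(body_text(msg)):
        host = urlparse(url.rstrip(".,;)")).hostname or ""
        if registrable(host) != registrable(from_domain):
            off_domain.append(host)

    reasons = []
    if spf_result not in ("pass", "none"):
        reasons.append(f"SPF result is {spf_result}")
    if not sender_in_path:
        reasons.append(f"no Received hop from {from_domain}")
    reasons += [f"link to {h} outside {from_domain}" for h in off_domain]
    return {
        "from_domain": from_domain,
        "envelope_aligned": registrable(return_domain) == registrable(from_domain),
        "spf_result": spf_result,
        "hop_hosts": hop_hosts,
        "sender_in_path": sender_in_path,
        "off_domain_links": off_domain,
        "reasons": reasons,
        "verdict": "hold for manual review" if reasons else "no header/link findings",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample this reports a SoftFail SPF verdict, no hop from 123-reg.co.uk (every hop is meshdigital), and one link to approvemove.com outside the sender's domain, which is exactly the combination that should send the message to a human rather than to the link. Note that the envelope sender and From: do align here, so alignment alone would have said nothing.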

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9772
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Scam - dodgy email received?
« Reply #9 on: August 13, 2020, 08:07:45 AM »

> next thread subject with regard to this may be better described

Quite so. There is a missing question mark on the end of that line. I didn't mean to say it was a scam, I was asking for opinions about it. And I had not yet thought of the idea that 123-reg may have received a bogus email from someone using my email address as a from address. The fact remains that something dodgy was going on somewhere, as no domain was being transferred to 123-reg, nor away from them, the whole thing was none of their business.

I could perhaps ask mods to add a question mark on the end of the original subject.

@John - it isnít resolved. I still have absolutely no idea what 123-reg was doing sending me that email. I am now assuming they were misled.

@Alex - agreed, the whole thing is not good, and afterwards I complained to the boss of AA about the whole issue of authorising transfers-out from AA. I was told that it is possible to have enhanced security for this but not how, and that particular issue is not written up on the AA support website. In any case the default AA protocol seems too slack, unless I was misinformed. AA offers 2FA for some things but I'm unclear about transfers-out. (This was a transfer in to AA.)

Referring to the earlier emails initiated by AA - the whole thing of sending emails or causing emails to be sent from a random from-address is really bad. I wasn't clear what would happen if I just ignored them. I wondered if the transfers to AA would be stalled if I just binned them. I wasn't thinking straight, should have done nothing and contacted AA directly. It did turn out to be ok but that isn't the point. I thought it was ok because it was an expected event, not out of the blue. But AA are simply making work for themselves if they are causing emails to be sent which simply cause every recipient to contact support for an ok.

> I would NEVER click a link in an e-mail that is going to a different domain to that which the e-mail originated from.

Agreed but I would go further; don't click on any link in any email that is from a random from-address. Simply bin it. That's what I should have done and the fact that in this case I guessed correctly that it was ok is irrelevant - I broke the rule with the earlier emails, and did the right thing with the 123-reg one.

> I receive too many actual bogus e-mails trying to steal my domains when they come up for renewal to risk that.

Interesting, that's good to know. I'm thinking I should quote a distinctive email contact address in the whois info so I will then be able to see that some nuisance email just came from someone trawling the whois info, but unfortunately I suspect there are some genuine uses for that whois contact. Registration agents should split this role; have one email address for whois info only and a different email address for customer contact and renewal notices and explain what these are all to be used for.
« Last Edit: August 13, 2020, 08:19:51 AM by Weaver »
Logged

d2d4j

  • Kitizen
  • ****
  • Posts: 1034
Re: Scam - dodgy email received?
« Reply #10 on: August 13, 2020, 08:32:07 AM »

Hi

@weaver - if you want to progress 123reg you need to report to their support/fraud department

However, for clarification in order to move a .com

Losing registrar where domain is currently held

Domain needs unlocking and this generates an EPP code

Gaining registrar where domain is being moved to

Initiate a domain transfer in - this requires the EPP code to complete the transfer request in

No EPP code means you cannot complete the new order

You should receive 3 emails as follows

1 email from losing registrar showing the EPP code and stating 5 days before auto lock

2 from gaining registrar stating they will become the new registrar etc... just like the 123reg email you showed

3 confirmation from losing registrar that domain will be moved on whatever date unless you do not want to move it, and shows a link to cancel domain transfer.

No registrar should initiate a domain transfer from an email request and cannot transfer without the EPP code for a .com

A TAG change is different and should only be changed by the client and not by the registrar

Many thanks

John
Logged

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 9772
  • Retd sw dev; A&A; 4 × 7km ADSL2; IPv6; Firebrick
Re: Scam - dodgy email received?
« Reply #11 on: August 13, 2020, 10:51:05 AM »

Many thanks John - that's really helpful, a compact summary of the protocol.

I got this very helpful clarification from AA - their earlier email from AA support was rather ambiguous / vague and it was unhelpful.

Quote
Just to clarify - the process to transfer a (.com) domain is more involved than just an email request.
The process requires an 'auth code' - we'd email this to the customer contact we have on record upon request.
The new registrar requires this auth code to initiate the transfer.

So a single (spoofed) email requesting a domain transfer will not result in the domain being transferred in error. We'd send you the auth code, at which point you can either use it to transfer the domain, or query it with us as being a fraudulent attempt to transfer your domain.
I hope this clarifies the matter
« Last Edit: August 13, 2020, 10:54:50 AM by Weaver »
Logged
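John's three-step summary above and A&A's clarification, as an added Python model (not A&A's, 123-reg's or any registry's real code) of why a single spoofed email cannot move a .com: the losing registrar issues the auth code only to the contact on record, the gaining registrar's request fails without a matching code, the transfer settles after the 5-day window unless the losing registrar denies it, and the domain is then locked for 60 days. The `Registry` class, its method names, the outbox-as-email convention and the dates are assumptions.

```python
"""Toy model of the .com transfer flow described above (added example)."""
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

TRANSFER_WINDOW_DAYS = 5       # losing registrar may deny within this window
POST_TRANSFER_LOCK_DAYS = 60   # no further transfer for 60 days afterwards
BASE_DATE = date(2020, 8, 1)   # constructed reference date for the scenario


def day(offset: int) -> date:
    """Calendar day `offset` days after BASE_DATE (keeps the scenario readable)."""
    return BASE_DATE + timedelta(days=offset)


@dataclass
class DomainRecord:
    name: str
    registrar: str
    contact_email: str                  # contact on record: the only place the code goes
    locked: bool = True
    auth_code: Optional[str] = None
    pending_to: Optional[str] = None
    pending_until: Optional[date] = None
    last_transfer: Optional[date] = None


class Registry:
    """Registrars act through this object; 'emails' are appended to outbox."""

    def __init__(self) -> None:
        self.domains: Dict[str, DomainRecord] = {}
        self.outbox: List[Tuple[str, str]] = []   # (recipient, text)

    def register(self, name: str, registrar: str, contact: str) -> None:
        self.domains[name] = DomainRecord(name, registrar, contact)

    # --- losing registrar -------------------------------------------------
    def unlock_and_issue_code(self, name: str, registrar: str) -> str:
        """Step 1: unlock and email the EPP/auth code to the contact on record."""
        rec = self.domains[name]
        if rec.registrar != registrar:
            raise PermissionError("only the current registrar can unlock")
        rec.locked = False
        rec.auth_code = secrets.token_urlsafe(12)
        self.outbox.append((rec.contact_email, f"auth code for {name}: {rec.auth_code}"))
        return rec.auth_code

    def deny(self, name: str, registrar: str, today: date) -> bool:
        """Step 3's cancel link: the losing registrar denies inside the window."""
        rec = self.domains[name]
        if rec.registrar == registrar and rec.pending_to and today < rec.pending_until:
            rec.pending_to, rec.pending_until = None, None
            rec.locked, rec.auth_code = True, None
            return True
        return False

    # --- gaining registrar ------------------------------------------------
    def request_transfer(self, name: str, gaining: str,
                         auth_code: Optional[str], today: date) -> str:
        """Step 2: transfer-in request. A spoofed email carries no code, so it stops here."""
        rec = self.domains[name]
        if rec.locked or rec.auth_code is None:
            return "rejected: domain locked, no auth code issued"
        if not hmac.compare_digest(auth_code or "", rec.auth_code):
            return "rejected: auth code mismatch"
        if rec.last_transfer and today - rec.last_transfer < timedelta(days=POST_TRANSFER_LOCK_DAYS):
            return "rejected: within 60-day post-transfer lock"
        rec.pending_to = gaining
        rec.pending_until = today + timedelta(days=TRANSFER_WINDOW_DAYS)
        self.outbox.append((rec.contact_email,
                            f"{gaining} will become registrar of record for {name}"))
        self.outbox.append((rec.contact_email,
                            f"{rec.registrar}: {name} moves on {rec.pending_until} unless cancelled"))
        return "pending"

    # --- registry clock ---------------------------------------------------
    def settle(self, name: str, today: date) -> str:
        """Auto-approve once the 5-day window has passed; return the current registrar."""
        rec = self.domains[name]
        if rec.pending_to and today >= rec.pending_until:
            rec.registrar, rec.pending_to, rec.pending_until = rec.pending_to, None, None
            rec.locked, rec.auth_code, rec.last_transfer = True, None, today
        return rec.registrar


if __name__ == "__main__":
    reg = Registry()
    reg.register("example.com", "NAMESCO", "owner@example.com")
    print(reg.request_transfer("example.com", "123-reg", None, day(0)))   # spoofed request
    code = reg.unlock_and_issue_code("example.com", "NAMESCO")
    print(reg.request_transfer("example.com", "AA", code, day(0)))
    print(reg.settle("example.com", day(5)))
```

The point the model makes is that the email in the first post, whatever prompted it, is a notification and not a control: without the code that only the contact on record receives from the losing registrar, the gaining side's request is refused before the 5-day window even opens, and the contact still gets the losing registrar's cancel notice as a second chance.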

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 40195
  • Penguins CAN fly
    • DSLstats
Re: Scam - dodgy email received?
« Reply #12 on: August 13, 2020, 11:04:44 AM »

> I could perhaps ask mods to add a question mark on the end of the original subject.

Done :)
Logged
  Eric