First of all I want to apologise to anybody who received a scam phishing email that pretended or appeared to come from our email address email@example.com. These emails were not sent from this server but from a scummy server controlled by a hosting company in Iceland who are used frequently by criminals for malware, scams, phishing etc.
All the emails came from 126.96.36.199
The emails looked like these emails. Both sites mentioned in the emails were taken down by the hosting company within minutes of this phishing campaign starting.
Update 30 May 2019: this campaign is still continuing. Several different versions of the emails being spammed out. I am now up to somewhere in the region of 30,000 returns or Dmarc reject reports. This does make it a bit harder to filter out the dross but I am still finding, reporting & blocking malware.
These criminals continue to try to use 000webhost for their phishing scams. As soon as they go up, they get taken down very quickly.
I have no idea how many actual emails were sent but so far in the last 24 hours I have received over 12,000 DMARC failures, Bounces and other returns. I am still receiving the bounces and returns this morning.
I use DMARC, SPF And DKIM authentication on all outgoing email, so in theory any properly set up mail server will reject all these emails as failing authentication. But we know that many potential recipients will not have DMARC, Spam scanning or other authentication failure set up properly to automatically reject on their email account or server so might have received a copy of one of these. Unfortunately some of these recipients might detect the mail as spam & automatically or manually report it to one of the spam blacklists by the apparent (spoofed) sender instead of the sending IP address. This means I have to spend several hours over the next few days & weeks constantly checking blacklists & removing myself from them.
I have been on the receiving end of phishing scams like this before but on previous occasions, I only received a few hundred bounces or failures. This was a particularly aggressive phishing campaign, that I feel was designed in part to try to destroy my reputation and try to stop me posting about these criminal gangs.
All of the obscured or blurred parts of the email in these screenshots are either the recipient’s name, email address or domain.
All the emails had one of these 2 subjects
- Subject: victimsdomain.com Online Maintenance Notice Kindly Confirm Now
- Verify This Computer To Access Your Email