Steve

Spoof email from United Bank for Africa
Of course it's an ocn.ne/ad.jp email. I don't bother reporting to them anymore because I find it pointless. 
I also reported it to netabuse (at) mtn.bj, but as you all know, they're notorious for not dealing with spam very well. 
I tried reporting to UBA's security email that I found doing a Google search and this is the result Gmail's mailer-daemon sent back:


Message not delivered

Your message couldn't be delivered to security@ubagroup.com because the remote server is misconfigured. See technical details below for more information.
The response from the remote server was:

550 5.4.1 [security@ubagroup.com]: Recipient address rejected: Access denied [AM5EUR03FT052.eop-EUR03.prod.protection.outlook.com]
Final-Recipient: rfc822; security@ubagroup.com
Action: failed
Status: 5.4.1
Remote-MTA: dns; ubagroup-com.mail.protection.outlook.com. (213.199.154.106,
 the server for the domain ubagroup.com.)
Diagnostic-Code: smtp; 550 5.4.1 [security@ubagroup.com]: Recipient address rejected: Access denied [AM5EUR03FT052.eop-EUR03.prod.protection.outlook.com]
Last-Attempt-Date: Tue, 22 May 2018 21:54:17 -0700 (PDT)
Original email:


Delivered-To: x
Received: by 10.55.27.222 with SMTP id m20-v6csp390695lfi;
        Tue, 22 May 2018 04:17:36 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZpYbvb6tOhQ+iZm9i/WTdteOSq3c4khjtYYTyC0U88eDbOBeooA888yF+t/0UxRT/np7P7W
X-Received: by 2002:a63:7c0b:: with SMTP id x11-v6mr18459486pgc.384.1526987856201;
        Tue, 22 May 2018 04:17:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1526987856; cv=none;
        d=google.com; s=arc-20160816;
        b=jotNUqh782Or1fxX2A+r16K8REfifvVQHUFk5z9gyfBJuv9fVGAP0qgRPnjo4mlJlm
         5YHfAR2j+kzg//ih9YB/fNpUmB729kKKSfQ5xmy85c9ocuiieMz1ecmflWftDgmq0zZt
         ua3SRaWu+/U51hn2R73K/de9iT02t1D57414RVDakaMz2x2Ff/mf+JjI+1+HSBH4ks0c
         Mt/Ch7XCfglJUNJl2qNlsBwzd2es8/8rWynsVjdv6BfyYMYTWc5Vda9xPSfUfZJZRTwM
         IoSDNFFFcgvewA9H8VXA04Cwoz9NY2SAysTZj9TyYRNJjI1C8zilRSMwrDytlSbZ9WoN
         7bpQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:subject:message-id:reply-to
         :from:date:arc-authentication-results;
        bh=LpXfDxdLzWxwHrFw1Qk9sqc0koHX4eJzLDY8tHHwhoo=;
        b=hOlAaQ8hWmtbEqeXcXlD0sYdvmdc30qlaSZMbFzJ+6d2giVZqBMmbmBVpMHj4KoQiO
         RLPsiMKUgcmBnHz8CeqGeJIjU+Zx78n91u+2hJRwIlmsVz7DXdXoWouGMvFNVwdU0LQZ
         6GQehGfouDlQGGKOHI+XO4IvcWjgt94jseISgkqAPFx351PaFRYBpFlvnaOtYr8yD1Lc
         GYzktMwi0v9FVN1HZyX9lojZgz5fnqsJ0D/d1FjPiAdHQekp5QrcLfT1ehd161lEYL0P
         7IxJLb8dgGDSG+1BNCrAJffzoPYGyTsD+l7Qyl16mqbM9hNktalB1qTiXvluMpBaSpcj
         815Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of www.@miracle.ocn.ne.jp designates 153.149.233.15 as permitted sender) smtp.mailfrom=www.@miracle.ocn.ne.jp
Return-Path: <www.@miracle.ocn.ne.jp>
Received: from mbkd0214.ocn.ad.jp (mbkd0214.ocn.ad.jp. [153.149.233.15])
        by mx.google.com with ESMTP id z18-v6si16038914pfd.357.2018.05.22.04.17.23;
        Tue, 22 May 2018 04:17:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of www.@miracle.ocn.ne.jp designates 153.149.233.15 as permitted sender) client-ip=153.149.233.15;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of www.@miracle.ocn.ne.jp designates 153.149.233.15 as permitted sender) smtp.mailfrom=www.@miracle.ocn.ne.jp
Received: from mf-smf-ucb035c3 (mf-smf-ucb035c3.ocn.ad.jp [153.153.66.232]) by mbkd0214.ocn.ad.jp (Postfix) with ESMTP id 0E1A418D8F6; Tue, 22 May 2018 20:17:23 +0900 (JST)
Received: from ntt.pod01.mv-mta-ucb022 ([153.149.142.85]) by mf-smf-ucb035c3 with ESMTP id L5IAfKI3F3vLcL5IAf4CBa; Tue, 22 May 2018 20:17:23 +0900
Received: from vcwebmail.ocn.ad.jp ([153.149.227.167]) by ntt.pod01.mv-mta-ucb022 with id pPHN1x00F3dLKTM01PHNBl; Tue, 22 May 2018 11:17:22 +0000
Received: from mzcstore202.ocn.ad.jp (mz-cb202p.ocn.ad.jp [180.8.111.9]) by vcwebmail.ocn.ad.jp (Postfix) with ESMTP; Tue, 22 May 2018 20:17:22 +0900 (JST)
Date: Tue, 22 May 2018 20:17:22 +0900 (JST)
From: "Mr.Emanuela Guidobaldi" <www.@miracle.ocn.ne.jp>
Reply-To: "Mr.Emanuela Guidobaldi" <ubabnk0012@live.fr>
Message-ID: <114857748.28834412.1526987842427.JavaMail.root@miracle.ocn.ne.jp>
Subject: Attention:My dear
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-2022-JP
Content-Transfer-Encoding: 7bit
X-Originating-IP: [197.234.221.192]

Attention:My dear
I waited for your message as you told me with none received. Remember,
i supposed to have traveled last night but the weather is too bad. I
will be leaving to Paraguay tomorrow.
Meanwhile, contact the Bank manager with below address, i have kept the
cheque with them at amount of USD4.5Million. They will either mail it to you
or remit it for transfer depending on how you want it;
Mr.Emanuela Guidobaldi
united bank for Africa -(UBA) 
E-EMAIL US:ubabnk0012@live.fr
Edited by Steve

1 hour ago, Steve said:

Of course it's an ocn.ne/ad.jp email. I don't bother reporting to them anymore because I find it pointless. I also reported it to netabuse (at) mtn.bj, but as you all know, they're notorious for not dealing with spam very well. I tried reporting to UBA's security email that I found doing a Google search and this is the result Gmail's mailer-daemon sent back:

They have a lot of compromised accounts which they act on; getting Japs to turn on Windows Defender is complicated? It would help if you learned what a SpamCop tracking URL was.

2 hours ago, Steve said:

Here's the Tracking URL. Feel free to remove what you need from the URL after examining the report:

https://www.spamcop.net/sc?id=z6466108812zeb3430e28af1b6f93be3ffdc98bf48c7z

That's better. "X-Originating-IP: [197.234.221.192]" is the botnet source; all their IPs are listed as a botnet. Yes, they are sent through a compromised OCN computer, "153.149.227.167", but it is not reported.

Other hosts in this "neighborhood" with spam reports
197.234.221.1 197.234.221.4 197.234.221.5 197.234.221.12 197.234.221.13 197.234.221.42 197.234.221.43 197.234.221.46 197.234.221.47 197.234.221.54 197.234.221.66 197.234.221.68 197.234.221.69 197.234.221.70 197.234.221.80 197.234.221.91 197.234.221.105 197.234.221.108 197.234.221.120 197.234.221.161 197.234.221.170 197.234.221.172 197.234.221.183 197.234.221.188 197.234.221.192 197.234.221.193 197.234.221.205 197.234.221.224 197.234.221.232 197.234.221.236 197.234.221.238 197.234.221.243 197.234.221.245

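The header walk petzl is describing, as an added example that is not part of this thread: a small Python script that parses the Received chain of the message Steve posted (headers trimmed to the relevant ones, ARC and X-Google-* lines dropped), checks that each hop's "by" host matches the next hop's "from" host, pulls the SPF client IP and the X-Originating-IP, and compares the From and Reply-To domains. The hop regex is a simplification I wrote for this example: it handles the common `from X (Y [ip]) by Z` form and ignores IPv6 literals.

```python
import re
from email import message_from_string

# Headers trimmed from the message posted earlier in this thread
# (ARC, X-Google-* and body lines dropped); the remaining lines are verbatim.
RAW = """Return-Path: <www.@miracle.ocn.ne.jp>
Received: from mbkd0214.ocn.ad.jp (mbkd0214.ocn.ad.jp. [153.149.233.15])
        by mx.google.com with ESMTP id z18-v6si16038914pfd.357.2018.05.22.04.17.23;
        Tue, 22 May 2018 04:17:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of www.@miracle.ocn.ne.jp designates 153.149.233.15 as permitted sender) client-ip=153.149.233.15;
Received: from mf-smf-ucb035c3 (mf-smf-ucb035c3.ocn.ad.jp [153.153.66.232]) by mbkd0214.ocn.ad.jp (Postfix) with ESMTP id 0E1A418D8F6; Tue, 22 May 2018 20:17:23 +0900 (JST)
Received: from ntt.pod01.mv-mta-ucb022 ([153.149.142.85]) by mf-smf-ucb035c3 with ESMTP id L5IAfKI3F3vLcL5IAf4CBa; Tue, 22 May 2018 20:17:23 +0900
Received: from vcwebmail.ocn.ad.jp ([153.149.227.167]) by ntt.pod01.mv-mta-ucb022 with id pPHN1x00F3dLKTM01PHNBl; Tue, 22 May 2018 11:17:22 +0000
Received: from mzcstore202.ocn.ad.jp (mz-cb202p.ocn.ad.jp [180.8.111.9]) by vcwebmail.ocn.ad.jp (Postfix) with ESMTP; Tue, 22 May 2018 20:17:22 +0900 (JST)
From: "Mr.Emanuela Guidobaldi" <www.@miracle.ocn.ne.jp>
Reply-To: "Mr.Emanuela Guidobaldi" <ubabnk0012@live.fr>
Subject: Attention:My dear
X-Originating-IP: [197.234.221.192]

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SPF_IP_RE = re.compile(r"client-ip=(\d{1,3}(?:\.\d{1,3}){3})")
# Simplified hop parser: matches the common "from <host> (...) by <host>" form.
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.S)


def received_chain(msg):
    """Hops oldest-first as (from_host, from_ip, by_host).

    Each relay prepends its own Received header, so the bottom one is the
    earliest hop and the top one is the relay that handed the mail to our MX.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        hop = HOP_RE.search(value)
        ip = IP_RE.search(value)
        hops.append((
            hop.group(1) if hop else None,
            ip.group(1) if ip else None,
            hop.group(2) if hop else None,
        ))
    return hops


def _norm_host(host):
    return (host or "").lower().rstrip(".")


def chain_breaks(hops):
    """Pairs where a hop's 'by' host is not the next hop's 'from' host.

    A break often means a forged Received header was inserted below the
    first real hop; an empty list means the chain is at least self-consistent.
    """
    return [
        (_norm_host(a[2]), _norm_host(b[0]))
        for a, b in zip(hops, hops[1:])
        if _norm_host(a[2]) != _norm_host(b[0])
    ]


def header_ip(msg, name, pattern=IP_RE):
    match = pattern.search(msg.get(name, ""))
    return match.group(1) if match else None


def addr_domain(value):
    """Domain part of an address header (uses the <addr-spec> when present)."""
    match = re.search(r"<([^>]+)>", value)
    addr = match.group(1) if match else value.strip()
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Summarise where a message came from and what SPF actually vouched for."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    origin = header_ip(msg, "X-Originating-IP")
    from_dom = addr_domain(msg.get("From", ""))
    reply_dom = addr_domain(msg.get("Reply-To", ""))
    return {
        "hops": hops,
        "chain_breaks": chain_breaks(hops),
        # IP that handed the message to the receiving MX (top Received header).
        "delivering_ip": hops[-1][1] if hops else None,
        # SPF only vouches for this IP against the envelope sender's domain.
        "spf_client_ip": header_ip(msg, "Received-SPF", SPF_IP_RE),
        # Webmail front ends record the logged-in client here; it never appears
        # in the Received chain, so an SPF pass says nothing about it.
        "originating_ip": origin,
        "origin_in_received_chain": origin in {h[1] for h in hops},
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        # Replies diverted to a free-mail domain is a classic advance-fee tell.
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
    }


if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key}: {value}")
```

Run against the posted headers, the chain is self-consistent and ends at 153.149.233.15, which is exactly the IP the SPF pass covers; 197.234.221.192 is not in any Received header and is only visible because OCN's webmail stamped it into X-Originating-IP. That is why a report needs the full header block intact: strip that one header and the only pointer to the client behind the compromised webmail account is gone.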
7 hours ago, petzl said:

That's better. "X-Originating-IP: [197.234.221.192]" is the botnet source; all their IPs are listed as a botnet. Yes, they are sent through a compromised OCN computer, "153.149.227.167", but it is not reported.

Other hosts in this "neighborhood" with spam reports
197.234.221.1 197.234.221.4 197.234.221.5 197.234.221.12 197.234.221.13 197.234.221.42 197.234.221.43 197.234.221.46 197.234.221.47 197.234.221.54 197.234.221.66 197.234.221.68 197.234.221.69 197.234.221.70 197.234.221.80 197.234.221.91 197.234.221.105 197.234.221.108 197.234.221.120 197.234.221.161 197.234.221.170 197.234.221.172 197.234.221.183 197.234.221.188 197.234.221.192 197.234.221.193 197.234.221.205 197.234.221.224 197.234.221.232 197.234.221.236 197.234.221.238 197.234.221.243 197.234.221.245

Why is it only blacklisted at abuseat and nowhere else? Is there a reason for that?

4 hours ago, Steve said:

Why is it only blacklisted at abuseat and nowhere else? Is there a reason for that?

If it's on abuseat's CBL list, it will usually find its way to spamhaus's ZEN list as well, I think Spamhaus took the list over a year or two back. I'm also seeing listings on other lists as well.

4 hours ago, lisati said:

If it's on abuseat's CBL list, it will usually find its way to spamhaus's ZEN list as well, I think Spamhaus took the list over a year or two back. I'm also seeing listings on other lists as well.

That is a public list which is available free to many ISPs; many have secret blocklists that are never known by anyone but them.

18 hours ago, petzl said:

That's better. "X-Originating-IP: [197.234.221.192]" is the botnet source; all their IPs are listed as a botnet. Yes, they are sent through a compromised OCN computer, "153.149.227.167", but it is not reported.

Other hosts in this "neighborhood" with spam reports
197.234.221.1 197.234.221.4 197.234.221.5 197.234.221.12 197.234.221.13 197.234.221.42 197.234.221.43 197.234.221.46 197.234.221.47 197.234.221.54 197.234.221.66 197.234.221.68 197.234.221.69 197.234.221.70 197.234.221.80 197.234.221.91 197.234.221.105 197.234.221.108 197.234.221.120 197.234.221.161 197.234.221.170 197.234.221.172 197.234.221.183 197.234.221.188 197.234.221.192 197.234.221.193 197.234.221.205 197.234.221.224 197.234.221.232 197.234.221.236 197.234.221.238 197.234.221.243 197.234.221.245

Are emails with this string of IP addresses originating from Benin and OCN is just used to send the emails?

3 hours ago, petzl said:

That is a public list which is available free to many ISPs; many have secret blocklists that are never known by anyone but them.

True. When I was running my own email server a few years back, I had what amounted to private blacklists, hidden from public view until an incoming email ran foul of the filtering I had in place. I never got round to running a DNSBL/RBL.

16 hours ago, Steve said:

Are emails with this string of IP addresses originating from Benin and OCN is just used to send the emails?

https://www.talosintelligence.com/reputation_center/lookup?search=197.234.221.192
They have port 25 blocked so SpamCop is finding the source IP?
Seems like nearly their entire IP range. CBL are saying their email servers themselves are infected with "sendsafe".

5 hours ago, Steve said:

Why is this?

Crime gang running ISP?
