Outernaut
Posted April 4

This is a new one for me. This scam comes from domainregistrationcorp.com (address is "502 Bad Gateway"). The scam warns owners of domains to renew at ridiculous rates, and for certain, those that do never see their renewal, only a hole in their pocket.

https://www.spamcop.net/sc?id=z6708342598za3c1a7e1620502b088a404a350ad0835z

~o~

gnarlymarley
Posted April 4

2 hours ago, Outernaut said:
> https://www.spamcop.net/sc?id=z6708342598za3c1a7e1620502b088a404a350ad0835z

The tracking URL seems to be missing an IP on the Received line. Without that IP, it cannot proceed to report such IP.

    Received: from esteemcom by elm.nocdirect.com with local (Exim 4.93) (envelope-from <info@domainregistrationcorp.com>) id 1lT0m1-0006Jl-Cb for x; Sun, 04 Apr 2021 07:18:33 -0400

petzl
Posted April 4

1 hour ago, gnarlymarley said:
> The tracking URL seems to be missing an IP on the Received line. Without that IP, it cannot proceed to report such IP.
>
>     Received: from esteemcom by elm.nocdirect.com with local (Exim 4.93) (envelope-from <info@domainregistrationcorp.com>) id 1lT0m1-0006Jl-Cb for x; Sun, 04 Apr 2021 07:18:33 -0400

Seems to be from Outernaut's internal network?

gnarlymarley
Posted April 5

1 hour ago, petzl said:
> Seems to be from Outernaut's internal network?

Maybe came from a web form?

Outernaut
Posted April 5

18 hours ago, petzl said:
> Seems to be from Outernaut's internal network?

Not quite. After reviewing @gnarlymarley and checking again, it may be they used a contact form. The form did not have any captcha so I put a non-invasive invisible captcha on. We'll see.

Thanks to you both for your assistance,

~o~

gnarlymarley
Posted April 5

1 hour ago, Outernaut said:
> After reviewing @gnarlymarley and checking again, it may be they used a contact form.

If it was a contact form, you should be able to look up the IP in the http logs. It would be good to have the form add some email headers, such as a "Received:" header that has the IP, hostname, and protocol, just like your email server does. Another header may be something like "X-WebForm:". Also, I would expect the receiving email server to show the IP of the server with the contact form.

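Added example, not part of the thread and not any poster's code: a sketch of the last suggestion, in which a contact-form handler stamps the submitting client's IP into a "Received:" and an "X-WebForm:" header. The function names, the example.org addresses, the 203.0.113.7 client and the exact header layouts are assumptions made for illustration.

```python
import ipaddress
import re
from email.message import EmailMessage
from email.utils import formatdate

# The Received line quoted in the thread: "with local", so no client IP in it.
PAGE_RECEIVED = ("from esteemcom by elm.nocdirect.com with local (Exim 4.93) "
                 "(envelope-from <info@domainregistrationcorp.com>) "
                 "id 1lT0m1-0006Jl-Cb for x; Sun, 04 Apr 2021 07:18:33 -0400")

def _clean(value):
    """Collapse CR/LF so form input cannot start a new mail header."""
    return re.sub(r"[\r\n]+", " ", value).strip()

def build_form_mail(form, client_ip, server_host, protocol="HTTPS", timestamp=None):
    """Build the form mail and record who submitted it, as a mail server would."""
    ip = ipaddress.ip_address(client_ip)      # ValueError if not a real address
    literal = "[IPv6:%s]" % ip if ip.version == 6 else "[%s]" % ip
    msg = EmailMessage()
    msg["From"] = "webform@example.org"       # hypothetical form sender
    msg["To"] = "owner@example.org"           # hypothetical site owner
    msg["Subject"] = "Contact form: " + _clean(form["subject"])
    # Assumed layout, modelled on an SMTP trace line: client, server, protocol, date.
    msg["Received"] = "from %s by %s with %s; %s" % (
        literal, _clean(server_host), protocol, formatdate(timestamp))
    msg["X-WebForm"] = "contact; client-ip=%s" % ip   # hypothetical value layout
    msg.set_content(form["message"])
    return msg

def received_ip(received):
    """Return the bracketed IP literal in a Received value, or None if absent."""
    match = re.search(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", received)
    if not match:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:
        return None

if __name__ == "__main__":
    # Constructed submission; the subject carries a header-injection attempt.
    sample = {"subject": "Renewal\r\nBcc: someone@example.net", "message": "Renew now"}
    mail = build_form_mail(sample, "203.0.113.7", "www.example.org", timestamp=0)
    print(mail.as_string())
    print("thread's line ->", received_ip(PAGE_RECEIVED))
    print("form's line   ->", received_ip(str(mail["Received"])))
```

The address written into the header is the one to match against the HTTP access log for the same timestamp.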