Outernaut, posted April 4, 2021:

This is a new one for me.

This scam comes from domainregistrationcorp.com (address is "502 Bad Gateway").

The scam warns owners of domains to renew at ridiculous rates, and for certain, those that do never see their renewal, only a hole in their pocket.

https://www.spamcop.net/sc?id=z6708342598za3c1a7e1620502b088a404a350ad0835z

~o~

gnarlymarley, posted April 4, 2021:

2 hours ago, Outernaut said:
> https://www.spamcop.net/sc?id=z6708342598za3c1a7e1620502b088a404a350ad0835z

The tracking URL seems to be missing an IP on the Received line. Without that IP, it cannot proceed to report such IP.

Received: from esteemcom by elm.nocdirect.com with local (Exim 4.93) (envelope-from <info@domainregistrationcorp.com>) id 1lT0m1-0006Jl-Cb for x; Sun, 04 Apr 2021 07:18:33 -0400

petzl, posted April 4, 2021:

1 hour ago, gnarlymarley said:
> The tracking URL seems to be missing an IP on the Received line. Without that IP, it cannot proceed to report such IP.
>
> Received: from esteemcom by elm.nocdirect.com with local (Exim 4.93) (envelope-from <info@domainregistrationcorp.com>) id 1lT0m1-0006Jl-Cb for x; Sun, 04 Apr 2021 07:18:33 -0400

Seem to be from Outernaut's internal network?

gnarlymarley, posted April 5, 2021:

1 hour ago, petzl said:
> Seem to be from Outernaut's internal network?

Maybe came from a web form?

Outernaut, posted April 5, 2021:

18 hours ago, petzl said:
> Seem to be from Outernaut's internal network?

Not quite. After reviewing @gnarlymarley and checking again, it may be they used a contact form. The form did not have any captcha so I put a non-invasive invisible captcha on. We'll see.

Thanks to you both for your assistance,

~o~

gnarlymarley, posted April 5, 2021:

1 hour ago, Outernaut said:
> After reviewing @gnarlymarley and checking again, it may be they used a contact form.

If it was a contact form, you should be able to look up the IP in the http logs. It would be good to have the form add some email headers, such as a "Received:" header that has the IP, hostname, and protocol, just like your email server does. Another header may be something like "X-WebForm:". Also, I would expect the receiving email server to show the IP of the server with the contact form.
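
Added example, not code from any poster in this thread: one way a contact form could stamp its outgoing mail with the "Received:" and "X-WebForm:" headers suggested above, plus a check that looks for a reportable IP in the Received headers. The form host name, the mail addresses and the X-WebForm value are assumptions.

```python
import ipaddress
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import formatdate

# Assumed names (not from the thread): form host, addresses, X-WebForm value.
FORM_HOST = "www.example.org"
FORM_FROM = "webform@example.org"
OWNER = "owner@example.org"

# Received line quoted in the thread: local Exim submission, no client IP.
THREAD_RECEIVED = ("from esteemcom by elm.nocdirect.com with local (Exim 4.93) "
                   "(envelope-from <info@domainregistrationcorp.com>) "
                   "id 1lT0m1-0006Jl-Cb for x; Sun, 04 Apr 2021 07:18:33 -0400")


def build_form_mail(remote_addr, protocol, visitor_email, text):
    """Build the contact-form mail, recording who submitted it."""
    # ip_address() raises ValueError on anything that is not a literal IP,
    # so request data can never inject extra header lines here.
    ip = ipaddress.ip_address(remote_addr)
    if protocol not in ("HTTP", "HTTPS"):
        raise ValueError("unexpected protocol: %r" % protocol)
    literal = "IPv6:%s" % ip if ip.version == 6 else str(ip)
    msg = EmailMessage()
    msg["Received"] = "from [%s] by %s with %s; %s" % (
        literal, FORM_HOST, protocol, formatdate(usegmt=True))
    msg["X-WebForm"] = "contact-form"
    msg["From"] = FORM_FROM
    msg["To"] = OWNER
    msg["Subject"] = "Contact form submission"
    # Visitor-supplied text stays in the body, never in a header.
    msg.set_content("Visitor address: %s\n\n%s" % (visitor_email, text))
    return msg


def received_ips(raw_message):
    """Return the bracketed IP literals found in Received headers."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    for header in msg.get_all("Received", []):
        for cand in re.findall(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", str(header)):
            try:
                found.append(str(ipaddress.ip_address(cand)))
            except ValueError:
                pass  # bracketed text that is not an address
    return found
```

Run against the Received line quoted earlier in the thread, received_ips() returns an empty list, which matches the observation that there was no IP to report.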