Dear list, this is my first post here. I am the IT officer and thus postmaster of a Berlin-based NGO. Since our founding in 2015, we have tried to host everything ourselves – including our mail server. It's unironically fun.
On 2025-11-19 our boss received a phishing mail asking him to click a link to reset his password for his expiring mail account. He flagged this malicious mail internally. I took care of it this week after my holidays. The URL to "reset the password" was clearly malicious, pointing to a cPanel Webmail login field hosted in India. I'll also flag this website to the hoster, but my problem right now is about the phishing mail, which was sent out of AS29802 HIVELOCITY, Inc. based in Florida, USA. The headers of the mail included:

> Received: from jupiter.ileysinc.com (jupiter.ileysinc.com [209.133.220.9])
> by mail.freiheitsrechte.org (Postfix) with ESMTPS id 205F42395EEA
> for <[email protected]>; Wed, 19 Nov 2025 09:44:32 +0100 (CET)
> […]
> X-AntiAbuse: This header was added to track abuse, please include it with any
> abuse report
> X-AntiAbuse: Primary Hostname - jupiter.ileysinc.com
> X-AntiAbuse: Original Domain - freiheitsrechte.org
> X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
> X-AntiAbuse: Sender Address Domain - freiheitsrechte.org
> X-Get-Message-Sender-Via: jupiter.ileysinc.com: authenticated_id:
> [email protected]
> X-Authenticated-Sender: jupiter.ileysinc.com: [email protected]

As you may see, this actor also spoofed the sender, showing as if it must have come from our own mail server. We do not check DKIM strictly…

On 2025-12-02 I sent an abuse complaint to [email protected], including context about the abuse, and even attaching the mail including its headers. On 2025-12-03 I received the following reply:

> Hi, we have determined that this abuse case regarding IP 209.133.220.9
> is not valid. Please refrain from making illegitimate reports to our
> abuse team, thank you. This is an automated message, please do not reply
> to this email.

I guess they just do not care. I never heard of that AS before. My questions for this mailing list are:

1. Are they known for being oblivious?
2. Could there be any other reason for such a reply?
I feel like I'm being taken for a ride with that kind of answer, but I also have to laugh a little. If anyone needs a hoster to send phishing campaigns, you now know where to go. If their reply was a mistake, well… that should not happen if you work in the abuse team, IMHO. Happy about any input on this, thanks!

Best
Lennart

--
Gesellschaft für Freiheitsrechte e.V.
Boyenstraße 41
D - 10115 Berlin

Lennart Mühlenmeier
IT-Referent
Pronouns: he/him
[email protected]
3701F7B941FC3FBCF22853782D6E1CB58D4460E3

Uncomfortable since 2015. What we have achieved so far: https://freiheitsrechte.org/10ygff
With you, even more is possible: https://freiheitsrechte.org/mitmachen
GFF donation account: IBAN: DE88 4306 0967 1182 9121 00 BIC: GENODEM1GLS
For fundamental rights in court. Join us: https://freiheitsrechte.org/join
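One way to triage such a message on the receiving side, as an added Python example that is not part of the post above: it parses the topmost Received header (the one our own Postfix wrote, so it names the host that really handed the mail in) and flags a From domain that is ours while the handing-in host is not one of our relays, an X-Authenticated-Sender at our domain vouched for by a foreign host, and the absence of any DKIM signature. The sample headers are constructed from those quoted in the post, with placeholder addresses where the post redacts them.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the post; the
# addresses are placeholders because the post redacts them.
SAMPLE = """\
Received: from jupiter.ileysinc.com (jupiter.ileysinc.com [209.133.220.9])
\tby mail.freiheitsrechte.org (Postfix) with ESMTPS id 205F42395EEA
\tfor <boss@freiheitsrechte.org>; Wed, 19 Nov 2025 09:44:32 +0100 (CET)
From: "IT Support" <postmaster@freiheitsrechte.org>
X-AntiAbuse: Primary Hostname - jupiter.ileysinc.com
X-AntiAbuse: Sender Address Domain - freiheitsrechte.org
X-Authenticated-Sender: jupiter.ileysinc.com: someone@freiheitsrechte.org

Click the link to reset your password.
"""

# "from <helo> (<rdns> [<ip>]) by <receiver>" as Postfix writes it
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)\s+by\s+(\S+)")

def first_hop(msg):
    """The topmost Received header is the one our own MTA added, so it names
    the host that actually handed us the message: (helo, rdns, ip, receiver)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(" ".join(received[0].split()))  # unfold the header
    return m.groups() if m else None

def domain_of(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def spoof_indicators(raw, own_domains, own_relays):
    """Flag a message that claims one of our domains but entered from elsewhere."""
    msg = message_from_string(raw)
    hop = first_hop(msg)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    if hop and from_dom in own_domains and not ({hop[0], hop[2]} & own_relays):
        findings.append(f"From: claims {from_dom} but was handed in by {hop[0]} [{hop[2]}]")
    # "host: user@domain" -- a foreign host vouching for one of our users
    auth_dom = domain_of(msg.get("X-Authenticated-Sender", "").rsplit(":", 1)[-1])
    if hop and auth_dom in own_domains:
        findings.append(f"{hop[0]} authenticated a {auth_dom} sender it is not authoritative for")
    if not msg.get("DKIM-Signature"):
        findings.append("no DKIM-Signature: sender domain cannot be verified cryptographically")
    return findings
```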
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
