I'm not saying that you're wrong to report it, or that you're wrong to be upset if you feel that they didn't handle it. But I do want to offer some insight that I believe I possess, which I believe you may not. If you put in this much effort every time you see one of these types of emails, this is going to be your life from now on. They typically come from compromised users on shared web hosting providers. Not always, but often enough. That means that virtually every network containing a shared web hosting provider is going to send these. At best, if you're lucky, half of them will care.

On 2025-12-03 23:21, Lennart Mühlenmeier - GFF via mailop wrote:
Dear list,

this is my first post here. I am the IT officer and thus postmaster of a
Berlin-based NGO. Since our founding in 2015, we have tried to host
everything ourselves – including our mail server. It's unironically fun.

On 2025-11-19 our boss received a phishing mail asking him to click a
link to reset his password for his expiring mail account. He flagged
this malicious mail internally. I took care of it this week after my
holidays.

The URL to "reset the password" was clearly malicious, pointing to a
cPanel Webmail Login Field hosted in India. I'll also flag this website
to the hoster, but my problem right now is about the phishing mail,
which was sent out of AS29802 HIVELOCITY, Inc. based in Florida, USA.

The headers of the mail included:

Received: from jupiter.ileysinc.com (jupiter.ileysinc.com [209.133.220.9]) by mail.freiheitsrechte.org (Postfix) with ESMTPS id 205F42395EEA for <[email protected]>; Wed, 19 Nov 2025 09:44:32 +0100 (CET)
[…]
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - jupiter.ileysinc.com
X-AntiAbuse: Original Domain - freiheitsrechte.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - freiheitsrechte.org
X-Get-Message-Sender-Via: jupiter.ileysinc.com: authenticated_id: [email protected]
X-Authenticated-Sender: jupiter.ileysinc.com: [email protected]

As you may see, this actor also spoofed the sender, showing as it must
have come from our own mail server. We do not check DKIM strictly…

On 2025-12-02 I sent an abuse complaint to [email protected],
including context about the abuse, and even attaching the mail including
its headers.

On 2025-12-03 I received the following reply:

Hi, we have determined that this abuse case regarding IP 209.133.220.9
is not valid. Please refrain from making illegitimate reports to our
abuse team, thank you. This is an automated message, please do not reply
to this email.

I guess they just do not care. I never heard of that AS before. My
questions for this mailing list are:

1. Are they known for being oblivious?
2. Could there be any other reason for such a reply?

I feel like I'm being taken for a ride with that kind of answer, but I
also have to laugh a little. If anyone needs a hoster to send phishing
campaigns, you now know where to go. If their reply was a mistake, well…
that should not happen, if you work in the abuse team IMHO.

Happy about any input on this, thanks!

Best
Lennart

--
Gesellschaft für Freiheitsrechte e.V.
Boyenstraße 41
D - 10115 Berlin

Lennart Mühlenmeier
IT Officer
Pronouns: he/him

[email protected]
3701F7B941FC3FBCF22853782D6E1CB58D4460E3

Inconvenient since 2015.

What we have achieved so far:
https://freiheitsrechte.org/10ygff

With you, we can do even more:
https://freiheitsrechte.org/mitmachen

GFF donation account:
IBAN: DE88 4306 0967 1182 9121 00
BIC: GENODEM1GLS

In court for fundamental rights.
Get involved: https://freiheitsrechte.org/join

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
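
An added example (not part of either post, and not code from any project mentioned): a Python triage helper for the header layout quoted above. It extracts the connecting host and IP from the Received line, the X-AntiAbuse fields and the X-Authenticated-Sender account for an abuse report, and flags a From: address in the recipient's own domain that was handed over by a host outside it. The sample message, `triage`, `own_relays` and every host, address and IP are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample modelled on the header layout quoted in the post;
# all hosts, addresses and IPs are placeholders (documentation ranges).
SAMPLE = """\
Received: from shared-host.example.net (shared-host.example.net [192.0.2.9])
\tby mail.example.org (Postfix) with ESMTPS id 0000000000
\tfor <boss@example.org>; Wed, 19 Nov 2025 09:44:32 +0100 (CET)
From: "Mail Admin" <postmaster@example.org>
To: boss@example.org
Subject: Your mailbox password expires today
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - shared-host.example.net
X-AntiAbuse: Original Domain - example.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - example.org
X-Authenticated-Sender: shared-host.example.net: webuser@customer-site.example

Body omitted.
"""

def triage(raw, own_domain, own_relays):
    """Summarise who handed us the message and whether it spoofs own_domain."""
    msg = message_from_string(raw)
    # Assumption: the topmost Received line was written by our own MTA,
    # so the peer host/IP in it is the only hop we can trust.
    m = re.search(r"from (\S+) \(.*?\[([0-9a-fA-F.:]+)\]\)", msg.get("Received", ""))
    host, ip = m.groups() if m else (None, None)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # X-AntiAbuse lines read "Key - value"; the first one is free text and is skipped.
    anti = dict(v.split(" - ", 1) for v in msg.get_all("X-AntiAbuse", []) if " - " in v)
    # Value reads "host: account"; keep the account the sending host authenticated.
    auth = msg.get("X-Authenticated-Sender", "").rpartition(": ")[2] or None
    return {
        "peer_host": host,
        "peer_ip": ip,
        "authenticated_sender": auth,
        "primary_hostname": anti.get("Primary Hostname"),
        # Our own domain in From:, but delivered by a host that is not ours.
        "own_domain_spoofed": from_domain == own_domain.lower() and ip not in own_relays,
    }

if __name__ == "__main__":
    print(triage(SAMPLE, "example.org", {"198.51.100.25"}))
```

The `own_domain_spoofed` flag only compares the From: domain with the connecting IP; it is a triage hint for the report, not a substitute for enforcing SPF, DKIM and DMARC on inbound mail.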