| Server IP : 172.67.216.113 / Your IP : 104.23.243.32 [ Web Server : Apache System : Linux cpanel01wh.bkk1.cloud.z.com 2.6.32-954.3.5.lve1.4.59.el6.x86_64 #1 SMP Thu Dec 6 05:11:00 EST 2018 x86_64 User : cp648411 ( 1354) PHP Version : 7.2.34 Disable Function : NONE Domains : 0 Domains MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : OFF | Pkexec : OFF Directory : /home2/cp648411/mail/.spam/new/ |
Upload File : |
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from cpanel01wh.bkk1.cloud.z.com
by cpanel01wh.bkk1.cloud.z.com with LMTP
id +D7YE9fkn2UHLQ8ACXZrZg
(envelope-from <[email protected]>)
for <[email protected]>; Thu, 11 Jan 2024 19:53:43 +0700
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Thu, 11 Jan 2024 19:53:43 +0700
Received: from mail2.netcraft.com ([52.31.138.216]:41863)
by cpanel01wh.bkk1.cloud.z.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.96.2)
(envelope-from <[email protected]>)
id 1rNuYy-004SnG-1F
for [email protected];
Thu, 11 Jan 2024 19:53:43 +0700
Received: from walleye.netcraft.com (ip-10-8-0-81.eu-west-1.compute.internal [10.8.0.81])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail2.netcraft.com (Postfix) with ESMTPS id CE7B5B6C4
for <[email protected]>; Thu, 11 Jan 2024 12:52:52 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail2.netcraft.com CE7B5B6C4
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
s=default202103; t=1704977572;
bh=9pOnbV0e6PjwNkFOligNJBxoetb+HCk8XitcWv2Ixu0=;
h=Date:From:Subject:To:From;
b=0kz2x0Nj5fpzNAO0OeSmUunoa8cvGgSCcZQ3z36W16E3tGtYEabIzqGh+jhZRhMXe
B/dUHbvOPdlYt+VGV1FiB3e4AuPyJN7kX1CIwNTiKgMPp/xVGYcFmjJ3H9MF+sfcwl
c9QQ6zk2e8WITSMAprdgQ5d7le88Z9EqiSXTdTr544DyFNLAbV2mcp6ItkYZP8gqjg
TEsQGQ+n9Drd5010viOFx0/1A4h1sd+WbQ11Ijfz/2a+XioP4dEM9BNGj5+LVANW7d
SM0vSJPyhT16fts79XsA7mnRWz98Y8zrbgGdvs+UQC5vjAQ1nSh/iY4/zJzu++R2kk
LrOtiHaPU27ew==
Received: by walleye.netcraft.com (Postfix, from userid 507)
id CB8A4B14; Thu, 11 Jan 2024 12:52:52 +0000 (UTC)
Content-Transfer-Encoding: 8bit
Content-Type: multipart/report; boundary="_----------=_17049775723834168198"; report-type="feedback-report"
MIME-Version: 1.0
Date: Thu, 11 Jan 2024 12:52:52 +0000
From: Netcraft Takedown Service <[email protected]>
To: [email protected]
Message-Id: <[email protected]>
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
X-Spam-Status: Yes, score=5.8
X-Spam-Score: 58
X-Spam-Bar: +++++
X-Spam-Report: Spam detection software, running on the system "cpanel01wh.bkk1.cloud.z.com",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: Hello, We have discovered a phishing attack on your network.
hxxp://www[.]simded[.]com/CaiiiXa/home hxxps://www[.]simded[.]com/CaiiiXa/home/Forma.html
hxxp://www[.]simded[.]com/CaiiiXa/ hxxps://www[.]simded[.]com/CaiiiXa/home/
hxxp://simded[.]com/CaiiiXa/home/T [...]
Content analysis details: (5.8 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.0 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
[score: 1.0000]
5.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
[score: 1.0000]
-0.0 SPF_PASS SPF: sender matches SPF record
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
valid
-0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
envelope-from domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
-0.0 T_SCC_BODY_TEXT_LINE No description available.
X-Spam-Flag: YES
Subject: ***SPAM*** Issue 49923866: Phishing attack at hxxp://www[.]simded[.]com/CaiiiXa/home
This is a multi-part message in MIME format.
--_----------=_17049775723834168198
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"
Hello,
We have discovered a phishing attack on your network.
hxxp://www[.]simded[.]com/CaiiiXa/home
hxxps://www[.]simded[.]com/CaiiiXa/home/Forma.html
hxxp://www[.]simded[.]com/CaiiiXa/
hxxps://www[.]simded[.]com/CaiiiXa/home/
hxxp://simded[.]com/CaiiiXa/home/Tarjeta.html
hxxp://simded[.]com/CaiiiXa/home/Espera.html
hxxps://simded[.]com/CaiiiXa/index.php
hxxps://simded[.]com/CaiiiXa/home/index.html
hxxp://simded[.]com/CaiiiXa/home/index.html
hxxp://simded[.]com/CaiiiXa/index.php
hxxps://simded[.]com/CaiiiXa/home/Tarjeta.html
hxxps://simded[.]com/CaiiiXa/home/Forma.html
hxxps://simded[.]com/CaiiiXa/home/Espera.html
hxxps://simded[.]com/CaiiiXa/home/Espera2.html
It is possible that this attack is being restricted so it is only visible from certain countries. Before deciding that the attack has been resolved please confirm it cannot be viewed from the following countries:
Spain
France
We previously contacted you about this issue on 2024-01-10 14:33:08 (UTC).
Since our last notification, the following additional URL(s) have been detected:
hxxp://www[.]simded[.]com/CaiiiXa/
hxxp://www[.]simded[.]com/CaiiiXa/home
hxxps://www[.]simded[.]com/CaiiiXa/home/
hxxps://www[.]simded[.]com/CaiiiXa/home/Forma.html
You may not have been aware of this attack, however, you are still responsible for removing it.
This attack targets our customer, Caixa Bank, website URL https://www.caixabank.es/.
Please remove this fraudulent content, and any other associated fraudulent content, as soon as possible.
Additionally, please keep the fraudulent content safe so that our customer and law enforcement agencies can investigate this incident further once the site is offline.
More information about the detected issue is provided at https://incident.netcraft.com/7f7968fc0f30/
Kind regards,
Netcraft
Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 50012032
To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: [email protected].
This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_17049775723834168198
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: message/feedback-report
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Thu, 11 Jan 2024 12:52:52 +0000
Feedback-Type: xarf
User-Agent: Netcraft
Version: 1
--_----------=_17049775723834168198
Content-Disposition: attachment; filename="xarf.json"
Content-Transfer-Encoding: base64
Content-Type: application/json; charset=utf-8; name="xarf.json"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Thu, 11 Jan 2024 12:52:52 +0000
eyJSZXBvcnRlckluZm8iOnsiUmVwb3J0ZXJPcmdEb21haW4iOiJuZXRjcmFmdC5jb20iLCJSZXBv
cnRlck9yZyI6Ik5ldGNyYWZ0IiwiUmVwb3J0ZXJPcmdFbWFpbCI6InRha2Vkb3duLXJlc3BvbnNl
KzQ5OTIzODY2QG5ldGNyYWZ0LmNvbSJ9LCJSZXBvcnQiOnsiU291cmNlVXJsIjoiaHR0cDovL3d3
dy5zaW1kZWQuY29tL0NhaWlpWGEvaG9tZSIsIkRhdGUiOiIyMDI0LTAxLTExVDEyOjMzOjIwWiIs
IlJlcG9ydENsYXNzIjoiQ29udGVudCIsIlJlcG9ydGVyTm90ZXMiOiJTZWUgaHR0cHM6Ly9pbmNp
ZGVudC5uZXRjcmFmdC5jb20vN2Y3OTY4ZmMwZjMwLyBmb3IgbW9yZSBpbmZvcm1hdGlvbiIsIlJl
cG9ydFR5cGUiOiJQaGlzaGluZyIsIkZpcnN0U2VlbiI6IjIwMjQtMDEtMTFUMTI6MzI6MTRaIiwi
UmVwb3J0ZXJDYXNlSUQiOiI1MDAxMjAzMiIsIlNvdXJjZUlwIjoiMTA0LjIxLjkxLjI0NiJ9LCJP
bkJlaGFsZk9mIjp7IkNvbXBsYWluYW50T3JnRG9tYWluIjoid3d3LmNhaXhhYmFuay5lcyIsIkNv
bXBsYWluYW50T3JnRW1haWwiOiJ0YWtlZG93bi1yZXNwb25zZSs0OTkyMzg2NkBuZXRjcmFmdC5j
b20iLCJDb21wbGFpbmFudE9yZyI6IkNhaXhhIEJhbmsifSwiRGlzY2xvc3VyZSI6dHJ1ZSwiVmVy
c2lvbiI6IjEifQ==
--_----------=_17049775723834168198--