Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 21 October 2014

ALERT: iTunes Phish (and an FYI for Novanetworks.ie!)

Just received the following iTunes phish;



The phish is located on a compromised site at OVH (already reported);

hxxp://oumicuisine.com/wp-content//themes/ingredients_wordpress/ingredients/scripts/cache/appitunesconnect.apple.com.webobjects/
IP: 213.186.33.3

The actual origin of the phish, was Novanetworks and frustratingly, the only address they list in the AS records - doesn't appear to exist;

Wed 2014-10-22 00:46:26: --> RCPT To:<hostmaster@novanetworks.ie>
Wed 2014-10-22 00:46:26: <-- 550-5.1.1 The email account that you tried to reach does not exist. Please try
Wed 2014-10-22 00:46:26: <-- 550-5.1.1 double-checking the recipient's email address for typos or
Wed 2014-10-22 00:46:26: <-- 550-5.1.1 unnecessary spaces. Learn more at
Wed 2014-10-22 00:46:26: <-- 550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 lz10si16563251wjb.73 - gsmtp


Perhaps I'm just hard to understand, who knows. I phoned Novanetworks tech support, to find first, he thought I said my broadband wasn't working (I didn't), then asked it if was a sales call (nope, wrong again). Upon explaining again, I was asked for the email address it was sent to, gave that and advised it was a spam trap (for some reason this surprised him - I was asked why I'd want to receive spam, so explained and who I work for (seems he's not heard of Malwarebytes, which is curious)).

Explained yet again, and was asked for my name and number (could've sworn I'd provided my name at the beginning of the call) to which I was advised the details will be passed to "Dave" to be handled. This should be interesting!

The headers for those wondering;

Return-path: <purchase@novanetworks.ie>
Received: from mail.novanetworks.ie (mail.novanetworks.ie [91.142.110.25])
    by [REMOVED] ([REMOVED])
    with ESMTP id 54-md50000064028.msg for <[REMOVED]>;
    Wed, 22 Oct 2014 00:30:23 +0100
Authentication-Results: [REMOVED]
    spf=pass smtp.mail=purchase@novanetworks.ie;
    x-ip-ptr=pass dns.ptr=mail.novanetworks.ie (ip=91.142.110.25);
    x-ip-helo=pass smtp.helo=mail.novanetworks.ie (ip=91.142.110.25)
Received-SPF: pass ([REMOVED]: domain of purchase@novanetworks.ie
    designates 91.142.110.25 as permitted sender)
    x-spf-client=MDaemon.PRO.v14.0.3
    receiver=[REMOVED]
    client-ip=91.142.110.25
    envelope-from=<purchase@novanetworks.ie>
    helo=mail.novanetworks.ie
X-Spam-Processed: [REMOVED], Wed, 22 Oct 2014 00:30:23 +0100
    (not processed: domain it-mate.co.uk is excluded from spam filtering)
X-MDPtrLookup-Result: pass dns.ptr=mail.novanetworks.ie (ip=91.142.110.25) ([REMOVED])
X-MDHeloLookup-Result: pass smtp.helo=mail.novanetworks.ie (ip=91.142.110.25) ([REMOVED])
X-MDDK-Result: neutral ([REMOVED])
X-MDDKIM-Result: neutral ([REMOVED])
X-MDSPF-Result: unapproved ([REMOVED])
X-Rcpt-To: [REMOVED]
X-MDRcpt-To: [REMOVED]
X-MDRemoteIP: 91.142.110.25
X-Return-Path: purchase@novanetworks.ie
X-Envelope-From: purchase@novanetworks.ie
X-MDaemon-Deliver-To: [REMOVED]
Received: from 2013-SERVER.adc.local (unknown [91.142.97.142])
    by mail.novanetworks.ie (Postfix) with SMTP id 15294C566F;
    Wed, 22 Oct 2014 02:03:31 +0100 (IST)
Received: from 128.225.61.40 by mail.novanetworks.ie; Tue, 21 Oct 2014 17:25:34 -0700
Message-ID: <DGFFCHQSBJGBPYGNGBDA@yahoo.co.uk>
From: " iTunes Connect" <purchase@novanetworks.ie>
Reply-To: " iTunes Connect" <purchase@novanetworks.ie>
To: [REMOVED]
Subject: Your new purchase from the iTunes Connect

Date: Tue, 21 Oct 2014 19:25:34 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--4664828197532104595"
X-Priority: 3
X-CS-IP: 162.6.184.192


/edit

Dave over at Novanetworks.ie has advised he's now fixed the hostmaster address.

Monday, 20 October 2014

Updated: Spambot Search Tool

* Fixed incorrect sName spec (check_spammers_plain.php, line #1106)
* Licence changed to MIT (more appropriate given it's code) - http://opensource.org/licenses/MIT

Download
http://support.it-mate.co.uk/index.asp?mode=Products&p=spambotsearchtool

Tuesday, 14 October 2014

INFO: Email issues [Update]

Just an update folks. Primary mail servers are still throwing a wobbly, so I've migrated it to my internal mail servers. Unfortunately, if you've sent me an email in the last 7 days or so, I have to ask you please re-send it.

Thank you for your patience.

Thursday, 9 October 2014

INFO: Incoming email

Just a note folks, the mail server that receives my incoming email is down (has been for around 10-15 mins or there abouts). Domain Monster are aware of it and are working on sorting it out.

Needless to say, I can't receive email at present.

Monday, 6 October 2014

INFO: Doogee Voyager2 DG310 users

I was alerted to an issue by a user with a Doogee Voyager2 DG310 mobile phone, of an issue accessing the hpHosts site.

After a lot of arguing with the server, it appears there was an issue with the firewall blocking requests. The firewall needed re-installing anyway (it had issues logging for some reason), so have done that and re-configured it from scratch (you'll likely have noticed the server going on and offline a bit in the last 12 hours or so), and after a little testing with the Doogee Voyager2 DG310 UA, the issue now appears finally resolved.

If you're using this mobile and are still having issues, please drop me an email.