Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 21 October 2014

ALERT: iTunes Phish (and an FYI for Novanetworks.ie!)

Just received the following iTunes phish;



The phish is located on a compromised site at OVH (already reported);

hxxp://oumicuisine.com/wp-content//themes/ingredients_wordpress/ingredients/scripts/cache/appitunesconnect.apple.com.webobjects/
IP: 213.186.33.3

The actual origin of the phish, was Novanetworks and frustratingly, the only address they list in the AS records - doesn't appear to exist;

Wed 2014-10-22 00:46:26: --> RCPT To:<hostmaster@novanetworks.ie>
Wed 2014-10-22 00:46:26: <-- 550-5.1.1 The email account that you tried to reach does not exist. Please try
Wed 2014-10-22 00:46:26: <-- 550-5.1.1 double-checking the recipient's email address for typos or
Wed 2014-10-22 00:46:26: <-- 550-5.1.1 unnecessary spaces. Learn more at
Wed 2014-10-22 00:46:26: <-- 550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 lz10si16563251wjb.73 - gsmtp


Perhaps I'm just hard to understand, who knows. I phoned Novanetworks tech support, to find first, he thought I said my broadband wasn't working (I didn't), then asked it if was a sales call (nope, wrong again). Upon explaining again, I was asked for the email address it was sent to, gave that and advised it was a spam trap (for some reason this surprised him - I was asked why I'd want to receive spam, so explained and who I work for (seems he's not heard of Malwarebytes, which is curious)).

Explained yet again, and was asked for my name and number (could've sworn I'd provided my name at the beginning of the call) to which I was advised the details will be passed to "Dave" to be handled. This should be interesting!

The headers for those wondering;

Return-path: <purchase@novanetworks.ie>
Received: from mail.novanetworks.ie (mail.novanetworks.ie [91.142.110.25])
    by [REMOVED] ([REMOVED])
    with ESMTP id 54-md50000064028.msg for <[REMOVED]>;
    Wed, 22 Oct 2014 00:30:23 +0100
Authentication-Results: [REMOVED]
    spf=pass smtp.mail=purchase@novanetworks.ie;
    x-ip-ptr=pass dns.ptr=mail.novanetworks.ie (ip=91.142.110.25);
    x-ip-helo=pass smtp.helo=mail.novanetworks.ie (ip=91.142.110.25)
Received-SPF: pass ([REMOVED]: domain of purchase@novanetworks.ie
    designates 91.142.110.25 as permitted sender)
    x-spf-client=MDaemon.PRO.v14.0.3
    receiver=[REMOVED]
    client-ip=91.142.110.25
    envelope-from=<purchase@novanetworks.ie>
    helo=mail.novanetworks.ie
X-Spam-Processed: [REMOVED], Wed, 22 Oct 2014 00:30:23 +0100
    (not processed: domain it-mate.co.uk is excluded from spam filtering)
X-MDPtrLookup-Result: pass dns.ptr=mail.novanetworks.ie (ip=91.142.110.25) ([REMOVED])
X-MDHeloLookup-Result: pass smtp.helo=mail.novanetworks.ie (ip=91.142.110.25) ([REMOVED])
X-MDDK-Result: neutral ([REMOVED])
X-MDDKIM-Result: neutral ([REMOVED])
X-MDSPF-Result: unapproved ([REMOVED])
X-Rcpt-To: [REMOVED]
X-MDRcpt-To: [REMOVED]
X-MDRemoteIP: 91.142.110.25
X-Return-Path: purchase@novanetworks.ie
X-Envelope-From: purchase@novanetworks.ie
X-MDaemon-Deliver-To: [REMOVED]
Received: from 2013-SERVER.adc.local (unknown [91.142.97.142])
    by mail.novanetworks.ie (Postfix) with SMTP id 15294C566F;
    Wed, 22 Oct 2014 02:03:31 +0100 (IST)
Received: from 128.225.61.40 by mail.novanetworks.ie; Tue, 21 Oct 2014 17:25:34 -0700
Message-ID: <DGFFCHQSBJGBPYGNGBDA@yahoo.co.uk>
From: " iTunes Connect" <purchase@novanetworks.ie>
Reply-To: " iTunes Connect" <purchase@novanetworks.ie>
To: [REMOVED]
Subject: Your new purchase from the iTunes Connect

Date: Tue, 21 Oct 2014 19:25:34 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--4664828197532104595"
X-Priority: 3
X-CS-IP: 162.6.184.192


/edit

Dave over at Novanetworks.ie has advised he's now fixed the hostmaster address.

No comments: