Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 21 October 2014

ALERT: iTunes Phish (and an FYI for!)

Just received the following iTunes phish;

The phish is located on a compromised site at OVH (already reported);


The actual origin of the phish was Novanetworks and, frustratingly, the only address they list in the AS records doesn't appear to exist;

Wed 2014-10-22 00:46:26: --> RCPT To:<>
Wed 2014-10-22 00:46:26: <-- 550-5.1.1 The email account that you tried to reach does not exist. Please try
Wed 2014-10-22 00:46:26: <-- 550-5.1.1 double-checking the recipient's email address for typos or
Wed 2014-10-22 00:46:26: <-- 550-5.1.1 unnecessary spaces. Learn more at
Wed 2014-10-22 00:46:26: <-- 550 5.1.1 lz10si16563251wjb.73 - gsmtp

Perhaps I'm just hard to understand, who knows. I phoned Novanetworks tech support, to find first, he thought I said my broadband wasn't working (I didn't), then asked if it was a sales call (nope, wrong again). Upon explaining again, I was asked for the email address it was sent to, gave that and advised it was a spam trap (for some reason this surprised him - I was asked why I'd want to receive spam, so explained and who I work for (seems he's not heard of Malwarebytes, which is curious)).

Explained yet again, and was asked for my name and number (could've sworn I'd provided my name at the beginning of the call) to which I was advised the details will be passed to "Dave" to be handled. This should be interesting!

The headers for those wondering;

Return-path: <>
Received: from ( [])
    by [REMOVED] ([REMOVED])
    with ESMTP id 54-md50000064028.msg for <[REMOVED]>;
    Wed, 22 Oct 2014 00:30:23 +0100
Authentication-Results: [REMOVED]
    x-ip-ptr=pass (ip=;
    x-ip-helo=pass (ip=
Received-SPF: pass ([REMOVED]: domain of
    designates as permitted sender)
X-Spam-Processed: [REMOVED], Wed, 22 Oct 2014 00:30:23 +0100
    (not processed: domain is excluded from spam filtering)
X-MDPtrLookup-Result: pass (ip= ([REMOVED])
X-MDHeloLookup-Result: pass (ip= ([REMOVED])
X-MDDK-Result: neutral ([REMOVED])
X-MDDKIM-Result: neutral ([REMOVED])
X-MDSPF-Result: unapproved ([REMOVED])
X-Rcpt-To: [REMOVED]
X-MDaemon-Deliver-To: [REMOVED]
Received: from 2013-SERVER.adc.local (unknown [])
    by (Postfix) with SMTP id 15294C566F;
    Wed, 22 Oct 2014 02:03:31 +0100 (IST)
Received: from by; Tue, 21 Oct 2014 17:25:34 -0700
Message-ID: <>
From: " iTunes Connect" <>
Reply-To: " iTunes Connect" <>
Subject: Your new purchase from the iTunes Connect

Date: Tue, 21 Oct 2014 19:25:34 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Priority: 3


Dave over at has advised he's now fixed the hostmaster address.
