
Email headers of the fake email I received are below. Can anyone identify anything from it?

-------

Received: (qmail 30963 invoked by uid 30297); 16 Oct 2018 19:04:18 -0000
Received: from unknown (HELO sg2plibsmtp01-1.prod.sin2.secureserver.net) ([182.50.144.11])
          (envelope-sender <klye@clientdomain.com>)
          by sg2plsmtp19-01-25.prod.sin2.secureserver.net (qmail-1.03) with SMTP
          for <reema@mydomain.net>; 16 Oct 2018 19:04:18 -0000
Received: from se1-lax1.servconfig.com ([104.244.124.86])
               by bizsmtp with ESMTP
               id CUdcgdXtBUMdaCUdegyEaT; Tue, 16 Oct 2018 12:04:18 -0700
Received: from res203.servconfig.com ([192.145.239.44])
               by se1-lax1.servconfig.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
               (Exim 4.89)
               (envelope-from <klye@clientdomain.com>)
               id 1gCUdY-0005Jd-Kn; Tue, 16 Oct 2018 15:04:16 -0400
Received: from [::1] (port=46403 helo=res203.servconfig.com)
               by res203.servconfig.com with esmtpa (Exim 4.91)
               (envelope-from <klye@clientdomain.com>)
               id 1gCUdY-00GWW5-7H; Tue, 16 Oct 2018 12:04:12 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="=_cb44418026f16861773c2073108229cd"
Date: Tue, 16 Oct 2018 12:04:12 -0700
From: Kyle <klye@clientdomain.com>
To: Reema<reema@mydoamin.net>
Cc: 'mail' <mail.globax@dr.com>
Subject: RE: pharma zonisamide
Reply-To: Kyle <Kyle.clientname@dr.com>
Mail-Reply-To: Kyle <Kyle.clientname@dr.com>
Message-ID: <4d778f3b89a049b84840dbdb372798b8@clientname.com>
X-Sender: Klye@clientname.com
User-Agent: Roundcube Webmail/1.3.3
X-Get-Message-Sender-Via: res203.servconfig.com: authenticated_id: shahrukh@makamil.com
X-Authenticated-Sender: res203.servconfig.com: shahrukh@makamil.com
X-Originating-IP: 192.145.239.44
X-SpamExperts-Domain: res203.servconfig.com
X-SpamExperts-Username: 192.145.239.44
Authentication-Results: servconfig.com; auth=pass smtp.auth=192.145.239.44@res203.servconfig.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.35)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5rwL/g85tQulnBE8gPHu3/F602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx
 q3u0UDjvO73ACdMYEFGu+gF5O7WstgsinfpazlJl1tCn592ZdmdEXY8S/zCkg36vZ3GfohIs0UGl
 z8CJSOMrvzx9TVg3RkVXN8poxUmHw7z8Cv3zSk4rk5hzVqcRQipB56OduRZxKuP+q8NuOKfRBnSy
 EKI1nLnoREI39Ng7w+jWwVgutjGnTGAA1gLIPnzkgagc0cD3QuccXSndMw0FQ8jqfUr8AYYpMlsI
 IQUIsICEfKR4uJdogE2eQHlogxUcYs0rxQ+mI9H9Xex/9Lq8f02pgNORt7R9OjAEo9UzDH0ARpN0
 wUZt3fvT7ao3SadG2ABiWXtkF0i/CT5LMFdUTCs59oTfl5U/c8+QAw6oOeWTc8nT5GWcPd0rEuGj
 FyZoidhtHm+WobglkKcTLdh5JwRD9s9xE+dH789QVPIx9duafGFU3kR9F9u9KyBXj+FNLU1SvJx5
 /9jlDHh8k6TTdHl8m1/8O/8FS0gu/BXEFm6f2M41IWv/Qw0zmRSx+YTH48mhNBhct/JFBLt+LA62
 e0Pg9eDnrJN9b+G2BSscQzbFMcfSu4J7ix6iCoZ5CaKPMqg2RgTcAelen7CXsT6fZe+0gbPIz96e
 qtNrhqU0j58VnbXM/vIJoxTw4G77xMwEh26uoYRpiF4am0X83e22zM8wHY/QU2XjdKVHj6Omz2pU
 52OZqldRRmxkB/4b3LJEbiGaRFZKY17WKvlei/52nCwh3EKwhLPN528N6lMd564J8QyHtUdRVUYN
 O3udn1JlHoAi4F0jBWcShbww79KoIp0Sgs8f/ZTrGlUY2jbf3Q54l9HRkQvIejKclyAbTmc6f/07
 0aI4MKggmD9XUhkU65ggFOIOfY0If3FAzbmaNBxeMIrqE6TxR86t2EiC6GwMws7GvvozwLzzGiRR
 EvmQrtvSbV4fnBHAY64qloNFm00WuJU2Ru5B4WNJiz4C8c3Na3gFdtxXZg==
X-Report-Abuse-To: spam@se1-lax1.servconfig.com
X-CMAE-Envelope: MS4wfGTkLN5Q3Etz9Wkc3k/s+48X4HLNxcMTgPNW9dd3KWT52iaJK7tSMbsyZjm0/hi9J87LipDUTpWV2p/qyIS3IuuXa62TTzrOmM1SRoaJXZY91Lfa/lzj
 i8Jb2TdRHL58hBIRNSmmPIf9tFZ8lSpapy/8CF5h3TDIczyZlwy+0j+T7U+zeMfEALDdLQAg1NCO7Q==
X-Nonspam: None



Your client's /Round Cube/ installation may be exploited, as that is where the email originated from:

  User-Agent: Roundcube Webmail/1.3.3


Do you recognize this domain?

> authenticated_id: shahrukh@makamil.com


No. This is some unknown email address.


https://b2bpk.com/company/ma-kamil-pharma-57113.html

Weird that the domain points to another Pharma company operating from Karachi, Pakistan. Maybe contacting them to find out who "Shahrukh" is might be a good first step.

EDIT: Looks like 0898 found more details https://news.ycombinator.com/item?id=18310807


Looks like it pretty transparently sends all replies to "dr.com". Seems like something our email client should warn us about explicitly, instead of just showing "Reply To: Kyle".
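The two tells that the commenters above pick out of the header block by eye (the authenticated Roundcube account at makamil.com not matching the From domain, and a Reply-To that quietly diverts replies to dr.com) are exactly the kind of check a mail client or gateway could make automatically. The script below is an added example, not code from anyone in this thread; it uses only the Python standard library's email parser and runs over a constructed header sample modelled on the one posted (the addresses are the thread's own redacted placeholders, the body is made up).

```python
import email
from email import policy

# Constructed sample, modelled on the header block posted in this thread.
# Folded continuation lines start with whitespace, as in a real message.
SAMPLE = """\
Received: from [::1] (port=46403 helo=res203.servconfig.com)
    by res203.servconfig.com with esmtpa (Exim 4.91)
    (envelope-from <klye@clientdomain.com>)
    id 1gCUdY-00GWW5-7H; Tue, 16 Oct 2018 12:04:12 -0700
From: Kyle <klye@clientdomain.com>
To: Reema <reema@mydomain.net>
Reply-To: Kyle <Kyle.clientname@dr.com>
Subject: RE: pharma zonisamide
X-Authenticated-Sender: res203.servconfig.com: shahrukh@makamil.com
User-Agent: Roundcube Webmail/1.3.3

(body omitted)
"""

# Constructed benign message for comparison: no Reply-To, and the account
# that authenticated to the webmail host matches the From address.
CLEAN = """\
From: Alice <alice@example.com>
To: Bob <bob@example.net>
Subject: hello
X-Authenticated-Sender: mail.example.com: alice@example.com

(body omitted)
"""


def address_domains(msg, header_name):
    """Lower-cased set of domains in an address header (empty if absent)."""
    hdr = msg.get(header_name)
    if hdr is None:
        return set()
    return {addr.domain.lower() for addr in hdr.addresses}


def authenticated_domain(msg):
    """Domain of the account named in X-Authenticated-Sender, or ''.

    Exim/cPanel hosts write this header as '<host>: <user@domain>';
    we take the last whitespace-separated token that contains an '@'.
    """
    hdr = msg.get("X-Authenticated-Sender")
    if hdr is None:
        return ""
    for token in reversed(str(hdr).split()):
        if "@" in token:
            return token.rpartition("@")[2].lower().rstrip(";,")
    return ""


def analyse(raw):
    """Parse a raw RFC 5322 message and flag From/Reply-To/auth mismatches."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_doms = address_domains(msg, "From")
    reply_doms = address_domains(msg, "Reply-To")
    auth_dom = authenticated_domain(msg)

    # A Reply-To pointing anywhere other than the From domain means replies
    # leave the apparent sender's organisation without the user noticing.
    reply_to_mismatch = bool(reply_doms) and reply_doms != from_doms
    # The account that actually logged in to send should belong to the
    # organisation the From header claims; here it does not.
    auth_mismatch = bool(auth_dom) and auth_dom not in from_doms

    findings = []
    if reply_to_mismatch:
        findings.append(
            f"Reply-To domain(s) {sorted(reply_doms)} differ from From {sorted(from_doms)}")
    if auth_mismatch:
        findings.append(
            f"sender authenticated as {auth_dom!r} but From claims {sorted(from_doms)}")

    return {
        "from_domains": from_doms,
        "reply_to_domains": reply_doms,
        "authenticated_domain": auth_dom,
        "reply_to_mismatch": reply_to_mismatch,
        "auth_mismatch": auth_mismatch,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("suspicious sample", SAMPLE), ("clean sample", CLEAN)):
        result = analyse(raw)
        print(f"{label}: {len(result['findings'])} finding(s)")
        for line in result["findings"]:
            print("  -", line)
```

The same two checks could be wired into a gateway rule or a client add-on; a Reply-To that leaves the From domain is not proof of fraud on its own (mailing lists and ticketing systems do it legitimately), but combined with an authenticated sender from an unrelated domain it is exactly the combination this thread's headers show.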


Can we find out something from it?


I think rnotaro solved the whole mystery: https://news.ycombinator.com/item?id=18310631



Well you may be able to get their contact details by contacting InMotion Hosting, who runs the web server they sent the mail out of. If you take 'res203.servconfig.com' and stick it in here: https://www.ultratools.com/tools/ipWhoisLookup , you should be able to get their abuse team email. Although this won't get the money back... it will just help you punish the spoofer a bit.



