Re: [DNSOP] Phishing? was Fwd: nthpermutation

Ólafur Guðmundsson <olafur@cloudflare.com> Sun, 25 March 2018 22:15 UTC

In-Reply-To: <8c50a895-2522-1e1d-3d22-18433519c522@nthpermutation.com>
References: <DM__180322101642_54671022674@s.mopo-ip.com.cn> <8c50a895-2522-1e1d-3d22-18433519c522@nthpermutation.com>
From: Ólafur Guðmundsson <olafur@cloudflare.com>
Date: Sun, 25 Mar 2018 23:15:34 +0100
Message-ID: <CAN6NTqwqtTDKfH8T7RZL7fV9jYhndwf_+ZBDsJcmi0kMLQAbOw@mail.gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/t2OrqyDcbPAtgDVtVzOs7iRRk10>
Subject: Re: [DNSOP] Phishing? was Fwd: nthpermutation

Mike,

This is a domain extortion attempt; they want you to buy the domain at
an inflated price
https://security.stackexchange.com/questions/56290/is-this-domain-registration-service-email-a-scam#56304

Olafur


On Sun, Mar 25, 2018 at 11:04 PM, Michael StJohns <msj@nthpermutation.com>
wrote:

> Apologies for dumping this here, but I figured if anyone had a clue they'd
> probably be on this list. Is anyone familiar with mopo-io.com.cn?   Is
> this a legitimate email (or company)?  If not, it's one of the better
> phishing emails I've seen.
>
> Thanks - Mike
>
>
> -------- Forwarded Message --------
> Subject: nthpermutation
> Date: Thu, 22 Mar 2018 11:59:50 +0800
> From: Sharon Han <Han@mopo-ip.com.cn>
> To: msj <msj@nthpermutation.com>
>
> (Letter to the President or Brand Owner, thanks)
>
> Dear Sir/Madam,
>
> We are the department of Asian Domain Registration Service in China. I
> have something to confirm with you. We formally received an application on
> March 22, 2018 that a company which self-styled "Gulf East Ltd " were
> applying to register "nthpermutation" as their Brand Name and some domain
> names through our firm.
>
> Now we are handling this registration, and after our initial checking, we
> found the name were similar to your company's, so we need to check with you
> whether your company has authorized that company to register these names.
> If you authorized this, we will finish the registration at once. If you did
> not authorize, please let us know within 5 workdays, so that we will handle
> this issue better. After the deadline we will unconditionally finish the
> registration for "Gulf East Ltd ". Looking forward to your prompt reply.
>
>
>
> Best regards,
>
> Sharon Han
> Tel: 0086.5516349 1192
> Fax: 0086.5516349 1192
> Address:No.313, Changjiang Zhonglu, Hefei 230000 China