by Snowderblazer
Fri Mar 21, 2014 10:42 pm
Hi all
for many years I have helped people shut websites down as long as there is enough evidence
here is how to find out some stuff and what you need to do
1: Received Email
always open the email header ( original email option )
look for
Received:
Received-SPF:
Authentication-Results:
X-Spam-Processed:
X-Authenticated-Sender:
X-Return-Path:
below is an example of how I knew this was fake
Received: by 10.170.213.196
Received-SPF: softfail (google.com: domain of transitioning [email protected] does not designate 91.233.15.200 as permitted sender) client-ip=91.233.15.200;
Authentication-Results: mx.google.com;
spf=softfail (google.com: domain of transitioning [email protected] does not designate 91.233.15.200 as permitted sender) [email protected];
dmarc=fail (p=NONE dis=NONE) header.from=gmail.com
X-Spam-Processed: mail.crystalbet.com
X-Authenticated-Sender: [email protected]
X-MDRemoteIP: 23.24.254.169
network tools
http://network-tools.com/default.asp?pr ... 70.213.196
http://network-tools.com/default.asp?pr ... 233.15.200
this IP pointed to ( mail.crystalbet.com )
91.233.15.200 is from Georgia(GE) in region Northern and Central Asia
all that's left to do is contact their hosting provider with the header information
which is enough proof it's being used for phishing scams
2) if they contact you using a Gmail or other email account claiming to be a company etc., request they
contact you from a trusted domain, for example their company email account; this is exactly what I did when
[email protected] contacted me
they then contacted me from [email protected] via acrux.eatserver.nl
again here are matches in the header
Received: by 10.170.213.196
Return-Path: <[email protected]> - certainly not [email protected]
I generally report them to their ISP too or a DNSBL list
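
Added example, not part of the original post: the header checks described above (SPF and DMARC verdicts, the connecting IP, and a Return-Path that does not match the From domain) done with Python's standard `email` module. The sample message, its example.com/example.net addresses and the 203.0.113.7 address are constructed, and `review_headers` and `domain_of` are hypothetical helper names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (example domains, documentation-range IP), not a real message.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received-SPF: softfail (mx.example.org: domain of transitioning billing@example.com does not designate 203.0.113.7 as permitted sender) client-ip=203.0.113.7;
Authentication-Results: mx.example.org;
 spf=softfail smtp.mailfrom=billing@example.com;
 dmarc=fail (p=NONE dis=NONE) header.from=example.com
From: "Example Billing" <billing@example.com>
Subject: Account notice

body
"""

def domain_of(value):
    """Lower-cased domain of an address header, or '' if there is none."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def review_headers(raw):
    """Return (facts, findings) for the headers the post says to look at."""
    msg = message_from_string(raw)
    # Folded continuation lines stay inside the header value, so search it whole.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=(\w+)", auth)
    dmarc = re.search(r"\bdmarc=(\w+)", auth)
    ip = re.search(r"client-ip=([0-9A-Fa-f:.]+)", msg.get("Received-SPF", ""))
    facts = {
        "spf": spf.group(1).lower() if spf else None,
        "dmarc": dmarc.group(1).lower() if dmarc else None,
        "client_ip": ip.group(1) if ip else None,
        "from_domain": domain_of(msg.get("From")),
        "return_path_domain": domain_of(msg.get("Return-Path")),
    }
    findings = [f"{k}={facts[k]}" for k in ("spf", "dmarc")
                if facts[k] not in (None, "pass")]
    # Heuristic only: legitimate bulk senders also use separate bounce domains.
    if facts["return_path_domain"] and facts["return_path_domain"] != facts["from_domain"]:
        findings.append("return-path domain differs from From domain")
    return facts, findings

if __name__ == "__main__":
    facts, findings = review_headers(SAMPLE)
    print(facts)
    print(findings)
```

The `client_ip` value is the address to look up and to quote, together with the full headers, in a report to the hosting provider.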