A customer had momentary trouble sending mail to someone. The
first attempt failed, but the second went through. An examination
of the logs revealed a couple of interesting things.
First, the recipient mail server sent a strange handshake. The
Kerio mail server recorded this log entry:
(IP replaced with all 9's)
553 Bogus helo FRONT4.com. <http://unblock.secureserver.net/?ip=220.127.116.11>
If you follow that, you come to a legitimate looking screen telling you
that the address is blacklisted. However, it seems a little sparse
for a real blacklist site - they usually give you more information.
I also checked the client's IP on the more common blacklist sites:
none of them have him listed.
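The two checks described above (reading the 553 rejection the receiving server sent, and looking the sending IP up on the common DNS blacklists) can be scripted. The following is an added example, not code from the original post; it parses an SMTP reply line of the same shape as the logged one, pulls out the reply code and any URL the remote side embedded, and builds the reversed-octet query name a DNSBL lookup uses. The log line, the unblock.example.net host and the 192.0.2.1 address (an RFC 5737 documentation address) are constructed for the example; the DNS resolver is injectable so the logic can be exercised without network access.

```python
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed log line modelled on the entry in the post. The host name and
# the IP are placeholders (RFC 5737 documentation address), not real values.
SAMPLE_LOG_LINE = "553 Bogus helo FRONT4.com. <http://unblock.example.net/?ip=192.0.2.1>"

# Widely used public DNSBL zones; assumption: the reader wants these two.
DEFAULT_DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")

_REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")
_URL_RE = re.compile(r"<?(https?://[^\s>]+)>?")
_IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class SmtpReply:
    code: int          # three-digit SMTP reply code
    permanent: bool    # 5xx means the server will not accept the command at all
    text: str          # free-form text after the code
    url: Optional[str]         # URL the remote side embedded, if any
    ip_in_url: Optional[str]   # IPv4 address mentioned inside that URL, if any


def parse_smtp_reply(line: str) -> SmtpReply:
    """Split an SMTP reply line into code, text, and any embedded URL/IP."""
    m = _REPLY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SMTP reply line: {line!r}")
    code = int(m.group(1))
    text = m.group(2)
    url_m = _URL_RE.search(text)
    url = url_m.group(1) if url_m else None
    ip = None
    if url:
        ip_m = _IPV4_RE.search(url)
        if ip_m:
            try:
                ipaddress.IPv4Address(ip_m.group(1))  # reject e.g. 999.999.999.999
                ip = ip_m.group(1)
            except ValueError:
                ip = None
    return SmtpReply(code=code, permanent=500 <= code <= 599, text=text,
                     url=url, ip_in_url=ip)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBLs are queried as <reversed octets>.<zone>, e.g. 1.2.0.192.zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_lookup(ip: str, zone: str,
                 resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return the A record a DNSBL answers with (127.0.0.x) if listed, else None.

    NXDOMAIN (socket.gaierror) is the normal 'not listed' answer.
    """
    try:
        return resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


def check_dnsbls(ip: str, zones=DEFAULT_DNSBL_ZONES,
                 resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Look one IP up on several zones; values are the listing code or None."""
    return {zone: dnsbl_lookup(ip, zone, resolve) for zone in zones}


if __name__ == "__main__":
    reply = parse_smtp_reply(SAMPLE_LOG_LINE)
    print(f"code={reply.code} permanent={reply.permanent} url={reply.url} ip={reply.ip_in_url}")
    if reply.ip_in_url:
        # Real lookup; needs network. Replace resolve= with a stub to test offline.
        print(check_dnsbls(reply.ip_in_url))
```

A 5xx reply to HELO means the remote server refused the session outright rather than deferring it (a 4xx would have said "try later"), so a second attempt succeeding, as in the case above, points at a per-connection decision on the remote side rather than a stable listing. A URL inside the reply text is data supplied by the remote server and should be treated with the same suspicion as any other untrusted input: note it, do not act on it, and verify the IP's reputation through zones you choose yourself.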
If you try to find this "secureserver.net" in Google, there is no
listing. An attempt to go there or to www.secureserver.net in a browser redirects to "http://www.securepaynet.net/gdshop/404error.asp". Suspicious: is this some sort of extortion scheme?
The domain is registered with GoDaddy - that's a little suspicious too
just because GoDaddy is the registrar of a lot of bottom-feeders. It
isn't very old, either: less than a year. They have an interesting
Most of the pages are place-holders or redirect elsewhere.
This just doesn't smell like a real outfit.
That "FRONT4.com" doesn't exist either.
I think this is some sort of scam. I definitely wouldn't plug in
my email address there.
As to how they got to that server, I don't know - dns hijacking,
Got something to add? Send me email.
© 2009-11-07 Anthony Lawrence