A customer had momentary trouble sending mail to someone. The first attempt failed, but the second went through. An examination of the logs revealed a couple of interesting things.
First, the recipient mail server sent a strange handshake. The Kerio mail server recorded this log entry:
(IP replaced with all 9's)
553 Bogus helo FRONT4.com. <https://unblock.secureserver.net/?ip=18.104.22.168>
If you follow that, you come to a legitimate looking screen telling you that the address is blacklisted. However, it seems a little sparse for a real blacklist site - they usually give you more information. I also checked the client's IP on the more common blacklist sites: none of them have him listed.
If you try to find this "secureserver.net" in Google, there is no listing. An attempt to go there or to www.secureserver.net in a browser redirects to "https://www.securepaynet.net/gdshop/404error.asp". Suspicious: is this some sort of extortion scheme?
The domain is registered with GoDaddy - that's a little suspicious too just because GoDaddy is the registrar of a lot of bottom-feeders. It isn't very old, either: less than a year. They have an interesting DNS, too. Most of the pages are place-holders or redirect elsewhere. This just doesn't smell like a real outfit.
That "FRONT4.com" doesn't exist either.
I think this is some sort of scam. I definitely wouldn't plug in my email address there.
As to how they got to that server, I don't know - dns hijacking, perhaps..
Got something to add? Send me email.
More Articles by Anthony Lawrence © 2009-11-07 Anthony Lawrence