I hope this is the correct place to post this.
I received an email from supposedly “Mweb Account” stating the following:
“Dear Customer
Your email account is currently in arrears.
Download the statement attached and make payment as indicated in the statement.
Failure to make payment your email account will be suspended Yours in Connectivity Mweb” and there was a link to a .html file attached. The sender is “MWEB Account [email protected]” and I knew this was spam. So I used this site to analyse the email header: https://www.whatismyip.com/email-header-analyzer/
With the following results:
Email header
Return-Path: <[email protected]>
Received: from mta04-dc01.cm.synaq.com (LHLO mta04-dc01.cm.synaq.com)
(10.1.5.113) by store328-dc01.cm.synaq.com with LMTP; Mon, 31 Aug 2020
00:38:30 +0200 (SAST)
Received: from localhost (localhost [127.0.0.1])
by mta04-dc01.cm.synaq.com (Postfix) with ESMTP id 5AE0CE5AC11;
Mon, 31 Aug 2020 00:38:30 +0200 (SAST)
X-Virus-Scanned: amavisd-new at mta04-dc01.cm.synaq.com
Received: from mta04-dc01.cm.synaq.com ([127.0.0.1])
by localhost (mta04-dc01.cm.synaq.com [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id 6Qo4JHXF94Zz; Mon, 31 Aug 2020 00:38:30 +0200 (SAST)
Received: from securemail-pl-mx7.synaq.com (securemail-pl-mx7.synaq.com [196.35.198.147])
by mta04-dc01.cm.synaq.com (Postfix) with ESMTPS id 31B4CE5AC0E;
Mon, 31 Aug 2020 00:38:30 +0200 (SAST)
Received: from bat.birch.relay.mailchannels.net ([23.83.209.13])
by securemail-pl-mx7.synaq.com with esmtps (TLSv1.2
HE-RSA-AES256-GCM-SHA384:256)
(Exim 4.92.3)
(envelope-from <[email protected]>)
id 1kCVxt-000VfB-0e; Mon, 31 Aug 2020 00:38:21 +0200
X-Sender-Id:
webafrica|x-smartermail-authenticated-as|[email protected]
Received: from relay.mailchannels.net (localhost [127.0.0.1])
by relay.mailchannels.net (Postfix) with ESMTP id 47F9834156B;
Sun, 30 Aug 2020 22:20:18 +0000 (UTC)
Received: from winmails01.hostserv.co.za (100-96-8-67.trex.outbound.svc.cluster.local [100.96.8.67])
(Authenticated sender: webafrica)
by relay.mailchannels.net (Postfix) with ESMTPA id 550DB3411CB;
Sun, 30 Aug 2020 22:20:10 +0000 (UTC)
X-Sender-Id:
webafrica|x-smartermail-authenticated-as|[email protected]
Received: from winmails01.hostserv.co.za (winmails01.hostserv.co.za
[41.185.13.221])
(using TLSv1.2 with cipher AES256-GCM-SHA384)
by 0.0.0.0:2500 (trex/5.18.8);
Sun, 30 Aug 2020 22:20:18 +0000
X-MC-Relay: Junk
X-MailChannels-SenderId:
webafrica|x-smartermail-authenticated-as|[email protected]
X-MailChannels-Auth-Id: webafrica
Message-ID: <[email protected]>
X-Rock-Dime: 0b77e8ff64409ec5_1598826018100_537003319
X-MC-Loop-Signature: 1598826018100:2263965931
X-MC-Ingress-Time: 1598826018100
X-SmarterMail-Authenticated-As: [email protected]
Received: from [192.168.43.130] (UnknownHost [41.115.53.135]) by winmails01.hostserv.co.za with SMTP;
Sun, 30 Aug 2020 23:26:29 +0200
Content-Type: multipart/mixed; boundary="===============1367530164=="
MIME-Version: 1.0
Subject: Unpaid Account
To: Recipients <[email protected]>
From: "MWEB Account" <[email protected]>
Date: Sun, 30 Aug 2020 23:26:29 +0200
X-IS-SYNAQ-MX: bat.birch.relay.mailchannels.net ([23.83.209.13])
X-SYNAQ-Pinpoint-Information: Please contact MWEB for more information
X-SYNAQ-Pinpoint-ID: 1kCVxt-000VfB-0e
X-SYNAQ-Pinpoint: Found to be clean
X-SYNAQ-Pinpoint-SpamCheck: not spam, SpamAssassin (not cached, score=3.149,
required 5, BAYES_50 1.20, HTML_MESSAGE 0.00,
MSGID_FROM_MTA_HEADER 0.00, PHISHY_LANG 0.01,
RCVD_IN_MSPIKE_H2 -0.00, RCVD_IN_UCEPROTECT_1 0.01,
SPF_HELO_SOFTFAIL 0.73, SPF_SOFTFAIL 0.67, S_HTML_ATTACH 0.50,
TVD_PH_BODY_ACCOUNTS_PRE 0.00, T_FILL_THIS_FORM_FRAUD_PHISH 0.01,
T_FILL_THIS_FORM_SHORT 0.01, T_HTML_ATTACH 0.01)
X-SYNAQ-Pinpoint-SpamScore: sss
X-Pinpoint-From: [email protected]
X-Spam-Flag: NO
Email Source IP Info
- The email source IP address is: 41.115.53.135
- The email source IP host name is: 41.115.53.135
- Country: South Africa
- City: Durban
- Area Code: -
- Latitude: -29.8556
- Longitude: 31.0449
- ISP: MTN SA
- Organization: MTN SA
% This is the AfriNIC Whois server.
% The AFRINIC whois database is subject to the following terms of Use. See https://afrinic.net/whois/terms
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '41.115.0.0 - 41.115.127.255'
% No abuse contact registered for 41.115.0.0 - 41.115.127.255
inetnum: 41.115.0.0 - 41.115.127.255
netname: MTNSA-41-115-0-0-17
descr: Mobile Broadband Internet - Newlands (Johannesburg)
country: ZA
admin-c: MBIP-AFRINIC
tech-c: MBIP-AFRINIC
status: ASSIGNED PA
remarks: report abuse to [email protected]
mnt-by: MTNBUSINESS-MNT
source: AFRINIC # Filtered
parent: 41.112.0.0 - 41.127.255.255
role: MTN Business IP Maintainer
address: MTN Business
address: Heron Place
address: c/o Century Boulevard and Heron Crescent
address: Stand no 6465
address: Century City
address: Cape Town
address: South Africa
admin-c: AT32-AFRINIC
tech-c: AT32-AFRINIC
nic-hdl: MBIP-AFRINIC
mnt-by: MTNBUSINESS-MNT
source: AFRINIC # Filtered
Sorry for this long post... but according to the above, am I correct in saying that this phishing email came from an MTN server?
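As an added example (not part of the original post), a small Python parser that walks the Received chain quoted above from the oldest hop upward, separating the address the receiving server itself recorded (41.115.53.135, the MTN range in the whois output) from the sender-supplied HELO name ([192.168.43.130], a private LAN address) and noting which hop was an authenticated submission. The header excerpt is constructed from the lines in the post; nothing else is assumed.

```python
import ipaddress
import re
# Constructed excerpt of the Received headers quoted in the post, newest hop first as in a real message.
RAW_HEADERS = """\
Received: from bat.birch.relay.mailchannels.net ([23.83.209.13])
 by securemail-pl-mx7.synaq.com with esmtps (TLSv1.2)
 id 1kCVxt-000VfB-0e; Mon, 31 Aug 2020 00:38:21 +0200
Received: from winmails01.hostserv.co.za (100-96-8-67.trex.outbound.svc.cluster.local [100.96.8.67])
 (Authenticated sender: webafrica)
 by relay.mailchannels.net (Postfix) with ESMTPA id 550DB3411CB;
 Sun, 30 Aug 2020 22:20:10 +0000 (UTC)
Received: from [192.168.43.130] (UnknownHost [41.115.53.135]) by winmails01.hostserv.co.za with SMTP;
 Sun, 30 Aug 2020 23:26:29 +0200
"""
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP = re.compile(r"from\s+(\S+)\s+(.*?)\s+by\s+(\S+)", re.S)


def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) back onto their header."""
    out = []
    for line in raw.splitlines():
        if line[:1].isspace() and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def hops(raw):
    """Parse every Received header and return them oldest hop first (MTAs prepend, so reverse)."""
    parsed = []
    for header in unfold(raw):
        m = HOP.match(header.split(":", 1)[1].strip()) if header.startswith("Received:") else None
        if m:
            helo, extra, by = m.groups()
            ips = BRACKETED_IPV4.findall(extra)  # address the receiving MTA itself recorded
            parsed.append({"helo": helo, "ip": ips[-1] if ips else None, "by": by,
                           "authenticated": "Authenticated sender" in extra})
    return parsed[::-1]


def trace_origin(raw):
    """The earliest hop's recorded address is the submitting client; its HELO name is sender-supplied."""
    chain = hops(raw)
    first = chain[0]
    try:
        claimed_private = ipaddress.ip_address(first["helo"].strip("[]")).is_private
    except ValueError:
        claimed_private = False  # HELO was a hostname, not an address literal
    return {"origin_ip": first["ip"], "claimed_name": first["helo"], "claimed_private": claimed_private,
            "submitted_to": first["by"], "authenticated_at": [h["by"] for h in chain if h["authenticated"]]}
```

The result distinguishes the client that submitted the message to winmails01.hostserv.co.za from the servers that merely relayed it afterwards, which is the distinction a whois lookup on the source address alone does not make.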
