Abused for phishing email



  • Someone is using the address smrn@vivaldi.net and maybe the account for sending phishing email to customers of ours. It is also the reply address for this phishing mail. I checked if the account exists at Vivaldi and it does. I cannot find this user.

    Is there anyone who can find the user and block the account?

    Kind Regards

    Eric

    Example of the mail:

    Von: "Motorcycle Storehouse B.V." smrn@vivaldi.net
    Betreff: Aw: Invoice Overdue
    Datum: 12. Oktober 2017 um 10:32:39 MESZ

    Hello,

    We are contacting you in regard of pending overdue/outstanding invoice.

    kindly send statement of unpaid invoices and update us when overdue will be paid.

    Please do this as soon as possible,as we lost all our data due to security upgrade.You can check up with your accounts department regarding this.

    I would be really thankful to you,if you could look into the matter personally and settle our dues at the earliest as we need to prepare the balance sheet for the accounted month.

    Also we would be sending payable account details,Please note our account details have changed as of October 1st 2017

    If invoice has already been paid,Please disregard this message.We greatly appreciate your business.

    Your prompt reply will be much appreciated.

    Thanks,
    Sales Team
    Motorcycle Storehouse B.V.
    Industrieweg 22
    9781 AC Bedum
    The Netherlands
    Phone: +31 (0) 50 303 22 75
    Fax: +31 (0) 50 303 22 77
    **** mail address deleted

    This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.


  • Moderator

    Please contact vivaldi.com/contact/



  • Hi Gwen
    I did, got a (standard) reply, to try also on the forum:

    Hi Eric,

    Thanks for reaching out to us! We're doing our best to reply you as soon as possible. In the meantime, visit our forum on https://forum.vivaldi.net/, sometimes you can get a faster reply there. In case you're having some issues with connecting to the forum, please tell us your username so we can help you further.

    Thanks for using Vivaldi!

    Cheers,
    Team Vivaldi


  • Vivaldi Team

    Hi and thanks for reporting this to us.
    We have banned the user account in question.


  • Moderator

    Our community Manager checks the spam mail address.

    Eric, how can you be sure that the spam mail really comes from vivaldi .net?
    Did you check the sending mail server's ip in mail headers?
    The last sender IP should be 82.221.99.162 [mail.vivaldi.net].

    Many spammers fake the sender address easily so the receiving person might think it is from vivaldi .net



  • @isak Thanks, Isak.



  • @gwen-dragon Hi Gwen, well the reply address is smrn@vivaldi.net. And the header of the email see below

    Regards Eric

    X-Spam-Level: **
    In-Reply-To: <ce9af35c89fc4e024ce4bd7ca576f49a@webmail.vivaldi.net>
    X-Toi-Spam: u;0;2017-10-12T08:32:47Z
    Return-Path: <smrn@vivaldi.net>
    Return-Path: <smrn@vivaldi.net>
    Mime-Version: 1.0
    X-Virus-Scanned: Debian amavisd-new at vivaldi.net
    X-Toi-Msgid: 886f8588-dc93-4dce-b80a-f924d292310f
    X-Priority: 3 (Normal)
    Message-Id: <75ba441391c103461b35388322a5975e@webmail.vivaldi.net>
    X-Mailer: AfterLogic webmail client
    Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=vivaldi.net; h= references:in-reply-to:subject:subject:from:from:x-mailer :message-id:content-type:content-type:date:date:mime-version :received:received; s=dkim; t=1507797169; bh=+dtiJkjjK6aVCih5HsI AOV48qvp3qaHjGIHVVZucaUA=; b=wECqNtj7p9sfBySm1uGEJEpMHLWeYf3iAIx 8WarTnDkekEe5lPVKGR6ldCy7ePrDvxmW8A6/WNL/uux17pW/xmr1wORgPy8KJHJ oQ5DYeA5sw0MfpFqcPzivlNgK8o0UcQSxRl5zE4cGig7KtFNlzFaRzFnqQnTcEJy 2lF8wDQw=
    References: <7316a76c0500f6c21b0b45aad33bab58@webmail.vivaldi.net> <ce9af35c89fc4e024ce4bd7ca576f49a@webmail.vivaldi.net>
    X-Toi-Virusscan: unchecked
    X-Spam-Status: No, hits=2.5 required=5.0 tests=KERIO_ANTI_SPAM: -0.000, BAYES_50: 1.567, HTML_MESSAGE: 0.001, MISSING_HEADERS: 1.021, URIBL_BLOCKED: 0.001, TOTAL_SCORE: 2.590,autolearn=no
    Content-Type: multipart/related; boundary="----=_Part_926_323266946.1507797159"
    X-Kerio-Anti-Spam: Build: [Engines: 2.15.8.1113, Stamp: 3], Multi: [Enabled, t: (0.000008,0.009906)], BW: [Enabled, t: (0.000007)], RTDA: [Enabled, t: (0.468558), Hit: No, Details: v2.6.12; Id: 15.5f4886.1bs2u69b9.2h7tc], total: 0(700)
    X-Envelope-To: <client@email.com> **@@address altered before posting**
    Received: from mailin58.aul.t-online.de ([172.20.27.247]) by ehead18b12.aul.t-online.de (Dovecot) with LMTP id gNk1Fa8o31n/ZQAAZOKcCA; Thu, 12 Oct 2017 10:32:47 +0200
    Received: from mail.vivaldi.net ([**82.221.99.162**]) by mailin58.aul.t-online.de with (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384 encrypted) esmtp id 1e2Yv4-0WZkDw0; Thu, 12 Oct 2017 10:32:42 +0200
    Received: from localhost (localhost [127.0.0.1]) by mail.vivaldi.net (Postfix) with ESMTP id CAC8939E; Thu, 12 Oct 2017 08:32:51 +0000 (GMT)
    Received: from mail.vivaldi.net ([127.0.0.1]) by localhost (mail.vivaldi.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cy-ueaNDIFe6; Thu, 12 Oct 2017 08:32:49 +0000 (GMT)
    Received: from webmail.vivaldi.net (unknown [10.20.20.55]) (**Authenticated sender: smrn**) by mail.vivaldi.net (Postfix) with ESMTPSA id 47F803FB; Thu, 12 Oct 2017 08:32:49 +0000 (GMT)
    

  • Moderator

    @mcs_eric I just asked for more infromation and got it from you.
    You are right, the spammer really used mail from vivaldi.net.


Log in to reply
 

Looks like your connection to Vivaldi Forum was lost, please wait while we try to reconnect.