[Abuse #VLQXRWTKCF] Abusive use of your service ns303036.ip-188-165-247.eu

Hello,

The hosting of an abusive content (Phishing) on your dedicated server ns303036.ip-188-165-247.eu has been reported to or noticed by our Abuse Team.

Technical details (such as URLs) showing the aforementioned problem follow :

— start of the technical details —
— about —
247.rbx.abcvg.ovh
— description follows —
OVH server IP: 188.165.247.197

This IP has been spotted carrying out elaborate phishing attacks via Google Docs in the body of their emails.
The domains used that point to this IP are the following:

playfieldproductions.com
movie-theater-bedbugs.com
ilikehunting.com

The domains are redirected via dnsmadeeasy.com

Please block this malicious user.
— logs follow —
Return-Path: <email-removed@provider.com>
Received: from lmtpproxyd (imesp334 [10.99.2.34])
by backend8 (Cyrus v2.3.16) with LMTPA;
Tue, 10 Nov 2020 07:40:50 +0100
X-Sieve: CMU Sieve 2.3
Received: from imesp334.bercy.cp (localhost [127.0.0.1])
by imesp334 (Cyrus v2.3.16-Debian-2.3.16-1dgfip2) with LMTPA;
Tue, 10 Nov 2020 07:40:50 +0100
Received: from localhost (localhost [127.0.0.1])
by imesp334.bercy.cp (Postfix) with ESMTP id 1E5E612817C
for <email-removed@provider.com>; Tue, 10 Nov 2020 07:40:50 +0100 (CET)
X-Virus-Scanned: amavisd-new at dgfip.finances.gouv.fr
Received: from imesp334.bercy.cp ([127.0.0.1])
by localhost (imesp334.bercy.cp [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 7yi-r+Lajdef for <email-removed@provider.com>;
Tue, 10 Nov 2020 07:40:49 +0100 (CET)
Received: from [10.127.117.161] (unknown [10.127.117.161])
by imesp334.bercy.cp (Postfix) with ESMTP id B8F53128177
for <email-removed@provider.com.>; Tue, 10 Nov 2020 07:40:49 +0100 (CET)
Subject: Fwd: Sopra Steria Notification
References: <email-removed@provider.com>
To: email-removed@provider.com
From: "GAVEN Samuel (DGFiP — DG — Bureau CF-1C)"
<email-removed@provider.com>
X-Forwarded-Message-Id: <email-removed@provider.com>
Message-ID: <email-removed@provider.com>
Date: Tue, 10 Nov 2020 07:40:49 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <email-removed@provider.com>
Content-Type: multipart/alternative;
boundary="------------BE99211E2467893483714DAE"

This is a multi-part message in MIME format.
--------------BE99211E2467893483714DAE
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Hello,

8th suspicious message

-------- Forwarded Message --------
*Subject:* Sopra Steria Notification
*From:* Keavy Bryant <email-removed@provider.com>
*To:* Gaven Samuel (75) <email-removed@provider.com>

*Date:* Monday 09 November 2020, 23:24

Good morning GAVEN Samuel!
There will be no payments at the end of the month due to a complaint
from our client. The application was registered by our chief accountant,
we will deduct it from you.

A copy of the document:
https://docs.google.com/document/d/e/2PACX-1vTlEjb5RgZKuQZu1atxQnj51KFkft21bX9al_tjTCE_p419PAtZOtLZucnTizEomnHvPY3hs6dWlpWE/pub
(copy and paste to the browser)

Sopra Steria Notification

--------------BE99211E2467893483714DAE
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
<head>

<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body smarttemplateinserted="true">
<div id="smartTemplate4-template">Hello,<br>
<br>
8th suspicious message from our service provider SOPRA which,
I remind you, was the target of an attack following the
compromise of its mail servers. </div>
<br>
<div id="smartTemplate4-quoteHeader"><br>
-------- Forwarded Message --------<br>
<b>Subject:</b> Sopra Steria Notification<br>
<b>From:</b> Keavy Bryant
<a class="moz-txt-link-rfc2396E" href="mailto:email-removed@provider.com"><email-removed@provider.com></a><br>
<b>To:</b> Gaven Samuel (75)
<a class="moz-txt-link-rfc2396E" href="mailto:email-removed@provider.com"><email-removed@provider.com></a><br>
<br>
<b>Date:</b> Monday 09 November 2020, 23:24<br>
<br>
</div>
<div class="moz-forward-container">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div align="left"><font face="Arial" size="2"><font
face="Helvetica">
<p><font size="3">Good morning GAVEN Samuel!<br>
There will be no payments at the end of the month due to
a complaint from our client. The application was
registered by our chief accountant, we will deduct it
from you.</font></p>
<p><font size="3">A copy of the document: <a
moz-do-not-send="true"
href="https://docs.google.com/document/d/e/2PACX-1vTlEjb5RgZKuQZu1atxQnj51KFkft21bX9al_tjTCE_p419PAtZOtLZucnTizEomnHvPY3hs6dWlpWE/pub">https://docs.google.com/document/d/e/2PACX-1vTlEjb5RgZKuQZu1atxQnj51KFkft21bX9al_tjTCE_p419PAtZOtLZucnTizEomnHvPY3hs6dWlpWE/pub</a><br>
(copy and paste to the browser)<br>
<br>
<br>
</font></p>
<p><font size="3">Sopra Steria Notification</font></p>
</font></font></div>
</div>
</body>
</html>

--------------BE99211E2467893483714DAE--

Category: phishing
— Forwarded email(s) —

— end of the technical details —

You should investigate and fix this problem, as it constitutes a violation of our terms of service.

Please reply to this e-mail indicating which measures you've taken to stop the abusive behaviour.

Cordially,

The OVHcloud Abuse team.
