Posts Tagged ‘Administrative’

Another Bluehost Phishing Email

Saturday, September 2nd, 2017

Remember the previous Bluehost phishing attack I mentioned?

Today I got another one.

Here’s the raw source (with a few inserted line breaks to keep it from running into the right-hand column).

Headers:

Message ID
Created at: Sat, Sep 2, 2017 at 12:50 AM (Delivered after 3 seconds)
From: Bluehost
To: lawrencepersonXXXXX@gmail.com
Subject: Request to reset your domain associated with this e-mail address
SPF: PASS with IP 74.220.222.232 Learn more

(XXXXX added to email address here and below to defeat spambot scrapers.)

Payload

Delivered-To: lawrencepersonXXXXX@gmail.com
Received: by 10.129.53.151 with SMTP id c145csp343693ywa;
Fri, 1 Sep 2017 22:54:47 -0700 (PDT)
X-Received: by 10.99.120.71 with SMTP id t68mr4941018pgc.177.1504331447706;
Fri, 01 Sep 2017 22:50:47 -0700 (PDT)
X-Google-Smtp-Source: ADKCNb5s73v956ds860PK1kR3YVGj/j+bLV2uYQNDDlbJ/kZIPjlLkqlSdvnwz3d/dZQs6C8Ug2m
X-Received: by 10.99.120.71 with SMTP id t68mr4941001pgc.177.1504331446972;
Fri, 01 Sep 2017 22:50:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1504331446; cv=none;
d=google.com; s=arc-20160816;
b=QOjWmOjsvjB9+8HswySoFQOQ4lsCvpPME27NN9zJfx8
gZofrql3IwevgfSp0e1Btxg
aIL8DmnXCGllyd8AvPrBrN/Ly3+iKtBxdbk3oua+d9vYBYOgYWcLW
+kMvQAcV81hB1El
PXLWVLUV78BXenGJMUIs0voePL345QIlDhjigRRvOYs4/cOFXhr/
0nE0A+F45lneFaUx
oG7oYSk3QBVJtvwWUd2z1ksn24R8kTgwWfFZGqVEUm6fji4tA6J1Qv
1IwL7GWDtmI/ab
pdU/Dh9cvT3lR2bDOFQaSje0NQuibGyFY3ouNGDdRygJIJKjldi
EoUsqxE1zCoCrfZU1
l+Dw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=date:message-id:cc:from:content-transfer-encoding:mime-version
:subject:to:arc-authentication-results;
bh=pAtFnsm7hK/sCRTeHL/WZ2Afvt74elEbNil2YQ/rHSk=;
b=t9vALxsoLpH2sKGGjbqvx/KAJOGJQaT/2qVFWCaNXJOybuHwoMGmaRh1
eP62jnkD5s
nQXOsgK3wQfj/l2Nq1tuA05l+FfQgRlLFSFs/4YKSjcrIveLp/ht/ergUZGv1ydawsDk
PdNYonJnmlykTW7HQxAhtRbbFP5dohfLGcGcdUmOsV6XjUZQK+
9agN78MxBBfFj33V7j
aUCkZ/BINSFb2Jt4IzOaQdnnVzoBwY8R1aLg0+GdVf26wZuYLBiN
hAXOJY1SVCjGrrwd
GiGw2eMbMyG5V1VjGlhJPx8Wan7eA/lXr+hrwnuEalFaGk66Ni8lV7
nADN9StIh7AyMp
aY7Q==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of doorsofv@box1175.bluehost.com designates 74.220.222.232 as permitted sender) smtp.mailfrom=doorsofv@box1175.bluehost.com
Return-Path:
Received: from outbound-ss-1849.hostmonster.com ([74.220.222.232])
by mx.google.com with ESMTPS id a2si1461087pll.210.2017.09.01.22.50.46
for
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Fri, 01 Sep 2017 22:50:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of doorsofv@box1175.bluehost.com designates 74.220.222.232 as permitted sender) client-ip=74.220.222.232;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of doorsofv@box1175.bluehost.com designates 74.220.222.232 as permitted sender) smtp.mailfrom=doorsofv@box1175.bluehost.com
Received: from cmgw2 (cmgw2.unifiedlayer.com [67.20.127.202]) by soproxy7.mail.unifiedlayer.com (Postfix) with ESMTP id 84A09215C39 for ; Fri,
1 Sep 2017 23:50:46 -0600 (MDT)
Received: from box1175.bluehost.com ([50.87.248.175]) by cmgw2 with id 4Vqj1w00l3no00q01Vqmx1; Fri, 01 Sep 2017 23:50:46 -0600
X-Authority-Analysis: v=2.2 cv=IspuSP3g c=1 sm=1 tr=0 a=ZGpYF3R9av1KVggUQYjyig==:117 a=ZGpYF3R9av1KVggUQYjyig==:17 a=IkcTkHD0fZMA:10 a=2JCJgTwv5E4A:10 a=eLEXLPMnAAAA:8 a=cNaOj0WVAAAA:8 a=3gznCMWBZ5u3K-Cr9X4A:9 a=8jPl8b1L-dkswZAf:21 a=7g7r5GJnjx26k2DO:21 a=L4Rp5h-_gRjJhvEI:21 a=QEXdDO2ut3YA:10 a=TnA9z4vs7e96t_Vj_DNd:22
Received: from doorsofv by box1175.bluehost.com with local (Exim 4.87) (envelope-from ) id 1do1KN-003TIa-D2 for lawrencepersonXXXXX@gmail.com; Fri, 01 Sep 2017 23:50:43 -0600
To: lawrencepersonXXXXX@gmail.com
Subject: Request to reset your domain associated with this e-mail address
X-PHP-Originating-Script: 1982:mail.php
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
From: Bluehost
Cc:
Message-Id:
Date: Fri, 01 Sep 2017 23:50:43 -0600
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box1175.bluehost.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [1982 1982] / [47 12]
X-AntiAbuse: Sender Address Domain - box1175.bluehost.com
X-BWhitelist: no
X-Source-IP:
X-Exim-ID: 1do1KN-003TIa-D2
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender:
X-Source-Auth: doorsofv
X-Email-Count: 38
X-Source-Cap: ZG9vcnNvZnY7ZG9vcnNvZnY7Ym94MTE3NS5ibHVlaG9zdC5jb20=
X-Local-Domain: yes


=09

=09=09

=09=09=09

=09=09

=09=09

=09=09=09

=09=09

=09

3D'Bluehost'
=09=09=20
=09=09=09=09

=09=09=09=09We received a request to reset your domain associated with this=
e-mail address.

=09=09=09=09This request was generated by a user clicking the 'Domain Reset=
' link. If you want it to be reset, then you can safely ignore this message=
.
=09=09=09=09

=09=09=09=09

=09=09=09=09If you did not request to have your domain reset, or do not wan=
t it to be reset, please protect your domain. You can refuse this request a=
nd securely reset your password by clicking the link below:=20
=09=09=09=09

=09=09=09=09=20
=09=09=09=09

=09=09=09=09https://my.bluehost.com/web-hosting/password/
=09=09=09=09

=09=09=09=09=20
=09=09=09=09

=09=09=09=09Alternatively, you can copy and paste the link into your browse=
r's address window, or retype it there.
=09=09=09=09

=09=09=09=09=20
=09=09=09=09Thank you,
=09=09=09=09Bluehost Support
=09=09=09=09http://w=
ww.bluehost.com/

=09=09=09=09For support go to http://bluehost.com/help
=09=09=09


Interestingly, even though all of that is in a code tag, part of it (including the link) is still rendered. (I don’t need to tell you not to click that, do I?) I wonder if the 3D class stuff bypasses standard rendering layers.

Here’s the important segment (opening and closing greater than and less than signs omitted):

a href=3D'http://my.bluehost.pazencore.com/web-hosting/?q=3DbG=
F3cmVuY2VwZXJzb25AZ21haWwuY29tDQ=3D=3D' target=3D'_blank'>https://my.bluehost.com/web-hosting/password/
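The tell in that segment is the mismatch between what the reader sees and where the link actually goes: the visible text is https://my.bluehost.com/web-hosting/password/, but the href points at my.bluehost.pazencore.com, whose registered domain is pazencore.com, not bluehost.com. (The =3D sequences are simply the quoted-printable encoding of “=” that the Content-Transfer-Encoding header declares, not a rendering trick.) Below is an added example, not part of the original post, of a small Python checker that decodes a quoted-printable HTML body and flags every anchor whose displayed URL and real href belong to different registered domains. The sample body is constructed to mirror the message above, with the ?q= value replaced by a placeholder, and the registered-domain rule is a deliberately naive “last two labels” heuristic (a production checker would consult the Public Suffix List).

```python
import quopri
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a quoted-printable HTML fragment shaped like the
# phishing body above. The "=\n" sequences are QP soft line breaks and
# "=3D" is a literal "=". The ?q= value is a placeholder, not the real one.
SAMPLE_QP = (
    "<p>You can refuse this request and securely reset your password by =\n"
    "clicking the link below:</p>\n"
    "<a href=3D'http://my.bluehost.pazencore.com/web-hosting/?q=3DPLACEHOLDER=\n"
    "_BASE64' target=3D'_blank'>https://my.bluehost.com/web-hosting/password/</a>\n"
    "<a href=3D'http://www.bluehost.com/'>http://www.bluehost.com/</a>\n"
)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def decode_qp_body(raw_qp):
    """Undo quoted-printable transfer encoding (soft breaks, =XX escapes)."""
    return quopri.decodestring(raw_qp.encode("ascii")).decode("utf-8")


def registrable_domain(host):
    """Naive registered-domain rule: keep the last two DNS labels.

    Good enough to separate my.bluehost.pazencore.com from my.bluehost.com;
    a real implementation would use the Public Suffix List (e.g. for co.uk).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_mismatched_links(raw_qp_html):
    """Return anchors whose displayed URL and actual href disagree on domain."""
    parser = AnchorCollector()
    parser.feed(decode_qp_body(raw_qp_html))
    findings = []
    for href, text in parser.anchors:
        # Only anchors whose visible text itself looks like a URL can lie
        # about their destination in the way this message does.
        if not text.lower().startswith(("http://", "https://")):
            continue
        shown_host = urlsplit(text).hostname or ""
        actual_host = urlsplit(href).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(actual_host):
            findings.append({"shown": shown_host, "actual": actual_host, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_QP):
        print(f"link text shows {f['shown']} but goes to {f['actual']} ({f['href']})")
```

Run against the sample, the checker reports exactly one finding: the “password reset” anchor, shown as my.bluehost.com but actually going to my.bluehost.pazencore.com. The second, honest www.bluehost.com link passes, which is the behaviour you want from a mail-gateway or triage script: flag deception, not every link.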

Here’s the whois registrant and admin contact for pazencore.com domain:

Name: EDOUARD VAN DE VELDE
Organization: EDOUARDVDV
Mailing Address: BAKKUMMERSTRAAT 37, CASTRICUM 1901 HJ NL
Phone: +31.0615954306
Ext:
Fax:
Fax Ext:
Email:EDOUARDVDV@HOTMAIL.COM

More interestingly, here’s the tech contact:

Tech Contact
Name: BLUEHOST INC
Organization: BLUEHOST.COM
Mailing Address: 550 E TIMPANOGOS PKWY, OREM UTAH 84097 US
Phone: +1.8017659400
Ext:
Fax: +1.8017651992
Fax Ext:
Email:WHOIS@BLUEHOST.COM

So here we have a Bluehost phishing scam being run from a Bluehost domain.

I think it’s time to have an interesting discussion with BlueHost support…

Weird WordPress/Firefox Cache Issue

Monday, May 15th, 2017

So I just published scenes from the liberal freakout, but it’s not showing up on the main blog page, nor in a next link from the previous page, nor linked from any of the Index topics. Visibility is on and the publication date is today.

Edited to add: This isn’t showing up either. Something screwy is going on…

Edited to add 2: This appears to be fixed in most browsers…except my own Firefox browser, which stubbornly insists on not showing the new content despite a restart and cache clearing.

Next step: Restart the Mac.

Edited to add 3: Restarting the Mac finally fixed the problem on Firefox…but that second note above still isn’t showing up in Safari on my iPhone. I’m starting to think something screwy is going on with Blue Host’s caching system…

Edited to add 4: Firefox now shows this post, but not the third note added above. Safari iPhone shows only the first note, Safari Mac shows only the first two notes. All the notes are visible when you click on the post itself, but not on the main blog page. This makes me think it’s a Blue Host caching issue (though they deny it via Twitter).

Winner Winner Chicken Dinner

Sunday, January 1st, 2017

I’m proud to announce that BattleSwarm Blog has been named to The Fabulous 50 Blog List by Director Blue.

Quote:

Best Grassroots Blog
Lawrence Person’s BattleSwarm: “Person’s LinkSwarms extract pure wheat from chaff.”

Thanks! And there are a lot of other great blogs in the fab 50 list worth checking out.

Welcome Cal Watchdog to the Blogroll

Tuesday, September 1st, 2015

Keeping up with California’s ongoing descent into a failed state is a never-ending task. That’s why I’m adding Cal Watchdog to the blogroll, a long overdue move.

Do check them out if you like the Texas vs. California roundup…

Instead of Actual Content: Story Pipeline Deadlock Edition

Tuesday, April 7th, 2015

Right now in the Pipeline of Half-Completed Blog Posts, I have:

  • A post on the “Sad Puppies” Hugo Awards controversy
  • Another update on Greece (which supposedly runs out of money on Thursday)
  • Analysis of the Iran Nuclear Weapons Deal
  • Another Texas vs. California update

Unfortunately, today is going to be unusually busy, so instead of finishing those and offering up actual content, here are some Golden Retriever videos:

Having An Intermittent Database Connection Problem

Monday, December 29th, 2014

I seem to be having an intermittent database connection problem for old posts. Not seeing it right now, but if you see it crop up again, let me know.

Blogroll Addition: Rock in a Sea of Chaos

Friday, May 30th, 2014

One of the bloggers who showed up at Borepatch’s blogmeet was “That Guy” from Rock in a Sea of Chaos. That seems like a sufficient excuse to add another Austin gun blogger to the blogroll, so here he is…

Administrative Note: Blog Back Up

Thursday, May 15th, 2014

This week I’ve been having some fairly heinous performance issues with the blog, as in “takes 30 seconds to a minute to load the dashboard” heinous. After some song and dance from BlueHost support (“CPU throttling! Chinese hackers!”), they took the server (and thus my blog) offline to resolve the issue.

Both server and blog are now back up, and things are generally better performance-wise (if still not exactly snappy).

Blogroll Addition: Zero Hedge

Monday, January 27th, 2014

Newly added to the blogroll: Zero Hedge, for all your DOOM-y international economic news needs.

Also consider this your “I didn’t have time to put up an extensive blog post” post…

Blogroll Cleaning

Thursday, January 2nd, 2014

It’s a new year, so here are a few long-overdue administrative updates to the blogroll.

  • Added Texas Conservative Republican News.
  • Removed Urban Grounds, since Robbie Cooper hung up his blogging gloves.
  • Removed Matt S. Dowling, because one post in the last year isn’t cutting it. Sorry, Matt…
  • Updated the link for An American Housewife.
  • Updated the link to SooperMexican.

Other notes:

  • I was going to add Sibyl West’s Ramparts 360, but she seems to have dropped off the map.
  • I would add Cahnman’s Musings, except he still hasn’t put up a blogroll…
  • Any Texas blogs I’m missing you think should be up here?