NinerNet Communications™
Blog

Corporate Blog

Continual problems with South African ISPs and mail service providers (Afrihost and Xneelo)

27 July 2025 23:36:22 +0000

I’ve just spent about seven hours writing a long, detailed and evidence-based reply to a client who just receives nothing but BS, delay tactics and obfuscation from a South African mail service provider named Afrihost. (Please see here for the details of the never-ending Xneelo debacle, which is similar.) I am posting this here so that I can at least get some mileage out of this waste of seven hours of my life, on a Sunday.

Names and addresses have been changed or redacted to protect the guilty.

Hi Bob,

Thanks for your email. You only sent one side of a supposed email
exchange with Afrihost; there was no "back-and-forth" so I see no
evidence, namely domains (besides your own domains, which are only one
side of the equation, and hotmail.com), IP addresses, dates, times and
(most importantly) bounce messages. In particular I see no evidence --
no *proof* -- on Afrihost's side that what they are saying is true.
Anybody can say and claim anything they want, but it's pointless if
they don't back it up with evidence.

Unlike in politics, everything I have said in the past about email and
everything I will say in the future (including below) is technical and
backed up by hard evidence. Lying to paying clients is a complete waste
of time and will not end well, but it seems that the support
departments of bigger companies like Afrihost are schooled in BS and
delay tactics, rather than providing actual support or admitting fault
and actually fixing their broken systems.

This email is long (I won't apologise) because email is complicated and
this message is based on the work that Afrihost won't do to address
your one puny complaint because they have lots of other complaining
customers to BS with their lies. The hours (about six so far today just
to answer your email full of Afrihost lies) of work *I* have to do to
give you a full and honest answer and explanation is something that
doesn't increase their share price, so they won't do it. But my efforts
seem to be worthless because everyone seems to believe BS these days
rather than concrete proof.

Here is my actual evidence / hard proof:

* https://multirbl.valli.org/lookup/ucebox.co.za.html
  * This is a domain-based list of mail servers that are in blacklists,
    and this is a search based on ucebox.co.za, which shows their domain in
    one blacklist.

* https://multirbl.valli.org/lookup/smtp.ucebox.co.za.html
  * This is the same as above, but with the alleged name of their sending
    (SMTP) server (definitions below) provided in the Afrihost message
    below, and the results show that their SMTP server is in the same
    blacklist.

* https://multirbl.valli.org/lookup/197.242.159.57.html
  * The sub-domain smtp.ucebox.co.za resolves to twelve different IP
    addresses. This is a search for one of those IP addresses, and that IP
    address is in five blacklists!

* https://multirbl.valli.org/lookup/41.76.215.28.html
  * Like the search above, this is a search for another of their twelve
    IP addresses -- both this one and the one above are random choices because
    I'm not repeating the search twelve times when the results for *two* of
    them are bad enough. This IP address is in six blacklists!

A quick glance shows that the blacklists all seem to be the same (which
is not surprising), so they are not in a total of 13 blacklists, just
the greatest number of 6. In comparison, NinerNet's mail server is in
three:

https://multirbl.valli.org/lookup/178.62.195.26.html

The point is not to compare numbers and say that our number is smaller
and so we're better; the point is to say that we're aware of the
problem, and the information we have provided on our blogs (
https://blog.niner.net/tag/email and https://status.niner.net/tag/mail
) goes towards explaining certain things.

In there we explain our presence in two of the blacklists (Ascams and
UCEPROTECT), which cover every single one of the IP addresses owned by
our data centre; it is *not* because our mail server has done anything
to be in that blacklist. The only full remedy to that problem is for us
to move our mail server to another data centre with another company,
which is not something that we can do on a whim and without
considerable forethought and planning, but which we *will* be doing on
the next move. What we do to overcome this problem is to redirect all
email to certain domains through our secondary SMTP server; problem
solved. It's impossible for us to know in advance what those
destination domains are, but as soon as one is reported by one of our
clients we direct all future messages to that domain through our
secondary SMTP server. Problem *immediately* and *fully* solved. (By
the way, hotmail.com is one of those domains, which is why you'll
receive this via our secondary outbound/SMTP mail server.)

The third blacklist (Polspam) is a Polish blacklist. It's a bit more
complicated to determine why we're on that list, but my *educated* (I
emphasise) guess is that we're on it for the exact same reason we're on
the other two blacklists, because all of our data centre's IP addresses
are blacklisted.

Have you asked Afrihost why they are on at least six blacklists and
what they're doing about it? I believe the answer to that question is
"no", and even if you asked you will *not* get an answer, or you will
be told in relatively polite terms that you don't know anything about
email and that they are perfect and NinerNet is the problem ... the
aforementioned BS. This is similar to the issue with another South
African ISP, which we have documented exhaustively at:

status.niner.net/2024/01/19/email-messages-from-xneelo-formerly-hetzner-south-africa-senders-blocked

We don't get into these arguments with non-South African ISPs and mail
service providers, so I'm forced to come to the conclusion that South
Africans don't give a damn.

Definitions:

* Blacklist (also "blocklist" for those that want to be politically
correct): A list of servers -- usually based on their IP addresses, not
domains -- that have sent spam or malware in the recent past. The full
definition is broader than that (as I've partially explained above) but
if you want a longer explanation than this already long email I suggest
you use an Internet search engine I refer to below. Blacklists exist to
remove servers from the email system that have shown problematic
behaviour in the *recent* past so that legitimate receiving mail
servers -- such as NinerNet's -- don't have to process "junk" email,
and legitimate email receivers -- such as you -- don't have to read and
process junk email.

* BS: This is about as profane as I will get in communications with a
client, although in situations like this it's getting more and more
difficult not to turn the air blue. It's an adjective, a noun, a verb
and probably various other parts of speech. If you're unclear on the
meaning, that's what Internet search engines are for.

* SMTP: Simple Mail Transfer Protocol. This protocol is how mail
servers communicate with one another, and the term "SMTP" is also used
as an adjective.

* Various other colour lists: They exist, but neither Afrihost's
domains nor IP addresses are in any, so I won't get into what they are
and are not.

I took a look at [YOUR WEBSITE]. I note that
(assuming that's you) you're involved in "Compliance & Business
Solutions", and that, "[You] believe that great businesses are built on
strong systems, clear strategy, and full compliance." Email is all
about "compliance" with "standards" which, as benign as that word
sounds, are actually the non-negotiable "rules" that have to be
followed to get an email message from point A to point B. Afrihost have
made all sorts of claims in the email you forwarded to me, but they
have not told you how you can check on those claims. On the other hand,
NinerNet has shown you all the third-party evidence that backs up the
claims I've made.

I will address some of the things they have said:

* "We’ve confirmed that the messages from [YOUR EXTERNALLY HOSTED EMAIL
  ADDRESS] are successfully sent and accepted by the outbound mail relay
  (smtp.ucebox.co.za) with a 250 OK response, indicating successful handoff.":

  * While I'm willing to accept that someone has made a mistake in their
    rush to get to the next complaint from one of their customers and I
    don't want to be pedantic, an "outbound mail relay" does not "accept"
    email messages (as far as this issue is concerned), it offers/sends
    them. The "250 OK response" is what they see in the logs on their mail
    server, but since they didn't actually provide the specific lines of
    the logs (with dates and times) NinerNet has absolutely no way of
    correlating their claims against the corresponding lines in the logs of
    our mail server. This is how auditing works, as you would very well
    know from the list of qualifications on your website.

* "Additionally, the same emails are being successfully delivered to
  [HOTMAIL ADDRESS], which confirms there’s no issue on our end
  with sending or authentication (SPF, DKIM, and DMARC all pass":

  * Again, NinerNet is not Hotmail and doesn't know how Hotmail servers
    work. It does *not* confirm *anything* other than the fact that Hotmail
    and NinerNet handle email from blacklisted IP addresses differently. And
    they didn't tell you how to confirm their claims that their "SPF,
    DKIM, and DMARC" all pass. I took a quick look at some of their public
    DNS records -- did I mention how many hours I've already spent on this
    reply? -- and at least one of them is broken. It's not a significant
    one, but if they can't get one of them right how and why should I or
    you assume that they got the rest of them right?!

* "You may check if there is [sic] any server-side filters or rules
  that might be rejecting, flagging, or silently discarding these
  messages. if not, you may whitelist the domain at the [YOUR DOMAIN]
  side and check again.":

  * This is a good idea. I have checked whatever blacklists you might
    have in place through the control panel on the mail server and you
    don't seem to be blocking anything relevant, but you will have to log
    into the webmail to see if there are any filters in place there that
    could be causing a problem. I have looked for ucebox.co.za and the IP
    addresses that smtp.ucebox.co.za uses in our server-wide blacklists,
    and they are not there. That means that if email from their servers to
    our server is bouncing -- that hasn't explicitly been stated -- then
    it's bouncing because of the blacklists their servers are in. This
    means that the blacklists are working as intended and as advertised,
    which I consider to be a good thing.

While in the control panel I had a look at the logs of email you've
received at [YOUR DOMAIN], and I note four recent email messages
successfully received from [YOUR EXTERNALLY HOSTED EMAIL ADDRESS]:

* RE: Bank confirmation letter, Lease agreement and Invoices.
  * 2025-07-26 11:44:09 CAT

* TEST
  * 2025-07-27 12:23:03 CAT

* Last Test
  * 2025-07-27 12:23:15 CAT

* test new
  * 2025-07-27 17:08:37 CAT

Those were all successfully received, which makes me wonder why I have
spent six hours writing this email. For that reason I will end this
message here and claim, like Afrihost, that there is no problem.

Craig

On Sun, 2025-07-27 at 15:07 +0000, [NINERNET CLIENT] wrote:
> Hi Craig,
>
> Trust you are well? Please see below emails and my back-and-forth
> exchange with Afrihost. None of my emails from my [EXTERNALLY HOSTED DOMAIN]
> domain is being received by our [NINERNET-HOSTED DOMAIN]. are you able to check
> into it please?
>
> Thanks and Regards,
>
> [NINERNET CLIENT]
> [PHONE NUMBER]
>
>
>
> From: Afrihost <hosting@afrihost.com>
> Sent: 27 July 2025 16:59
> To: [NINERNET AND AFRIHOST CLIENT]
> Subject: [#PXQ-982-73116]: blocked emails
>
> Hello there.
>
> Following up on the issue regarding non-delivery of emails to
> [NINERNET CLIENT]:
>
> We’ve confirmed that the messages from [AFRIHOST-HOSTED EMAIL ADDRESS]
> are successfully sent and accepted by the outbound mail relay
> (smtp.ucebox.co.za) with a 250 OK response, indicating successful
> handoff.
>
> Additionally, the same emails are being successfully delivered to
> [CLIENT'S HOTMAIL ADDRESS], which confirms there’s no issue on our end
> with sending or authentication (SPF, DKIM, and DMARC all pass
>
> You may check if there is any server-side filters or rules that might
> be rejecting, flagging, or silently discarding these messages. if not
> , you may whitelist the domain at the [CLIENT'S DOMAIN] side and check
> again.
>
> Regards,
> Sreehari RS
> Check out some of our hosting tutorials by going to the following
> link:
> https://answers.afrihost.com/video-hosting

--
NinerNet Communications | Craig Hartnett
* https://www.niner.net | [EMAIL ADDRESS]
Phone: +1 604 630 1772 | +260 96 209 8871 | 1 855 NINERNET

We do not have these discussions with our clients about ISPs and mail service providers in Europe, North America, South America, Asia or Oceania. Incompetence seems to be concentrated in South Africa.
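
The blacklist lookups cited in the email can be reproduced directly over DNS. The sketch below is an added example, not NinerNet's or multirbl's code: it resolves a relay name to all of its addresses, queries each address against each list, and reports the per-address worst case next to the set of distinct lists, which is the distinction the email draws between "13" and "6". The zone names, host name and resolver data are constructed placeholders.

```python
import ipaddress
import socket

# Placeholder zone names (constructed); substitute the DNSBL zones you rely on.
ZONES = ["bl-one.example.net", "bl-two.example.net"]

# Constructed resolver data so the example runs offline.
SAMPLE_DNS = {
    "smtp.sender.example": ["192.0.2.10", "198.51.100.7"],
    "10.2.0.192.bl-one.example.net": ["127.0.0.2"],
    "10.2.0.192.bl-two.example.net": ["127.255.255.254"],  # refused query
    "7.100.51.198.bl-one.example.net": ["127.0.0.2"],
    "7.100.51.198.bl-two.example.net": ["127.0.0.3"],
}


def sample_lookup(name):
    """Stand-in resolver backed by SAMPLE_DNS."""
    return SAMPLE_DNS.get(name, [])


def system_lookup(name):
    """Resolve a name to its IPv4 addresses; [] when the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def dnsbl_name(ip, zone):
    """Build the query name: IPv4 octets reversed, followed by the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listing(answer):
    """Listings answer inside 127.0.0.0/8. Some list operators answer
    127.255.255.x to signal a refused query, so that range is not counted."""
    return answer.startswith("127.") and not answer.startswith("127.255.255.")


def check_host(host, zones=ZONES, lookup=system_lookup):
    """Check every address behind `host`. Returns {ip: [zones listing it]}."""
    report = {}
    for ip in lookup(host):
        report[ip] = [
            zone for zone in zones
            if any(is_listing(a) for a in lookup(dnsbl_name(ip, zone)))
        ]
    return report


def summarise(report):
    """Worst single address versus the distinct lists seen across all of them."""
    distinct = sorted({zone for zones in report.values() for zone in zones})
    worst = max((len(zones) for zones in report.values()), default=0)
    return {"worst_ip_count": worst, "distinct_lists": distinct}


if __name__ == "__main__":
    result = check_host("smtp.sender.example", lookup=sample_lookup)
    print(result)
    print(summarise(result))
```

Drop the `lookup=sample_lookup` argument to query through the system resolver; many list operators refuse queries that arrive via large public resolvers, which is why refused-query answers are kept separate from listings.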

Crowdstrike incident: Client update

20 July 2024 13:24:51 +0000

After a very trying day for many customers around the world that use Microsoft Windows or rely on companies that use Microsoft Windows — like Hotmail/Outlook.com, Office 365, Google Cloud / Compute Engine, Amazon Web Services (AWS), Azure, etc., etc., etc. — we would like to take this opportunity to ensure that our clientele know that we were wholly unaffected by the worldwide chaos.

Is this blog post an opportunistic jab at people who rely on an operating system and company that was late to realise the potential of the Internet? Yes, of course. Why? Well, just look at the trouble that Microsoft gave us last month, and are still giving us today. Microsoft are not our favourite people these days, even though Microsoft themselves weren’t responsible for the Crowdstrike failure.

Hey, we get it, shi … stuff happens. Our status blog currently shows 207 posts in the “incidents” category since 2009. Of course, that’s not 207 failures; at the very most it’s 104 failures if you assume a post announcing an incident and a second announcing it’s over, but in reality some incidents had multiple posts and some posts were only to alert clients to issues with other companies. I’d say that there were far fewer than 100 incidents in fifteen years; feel free to do the maths and check our live uptime monitor for yourself. But one does wonder how an update was pushed out by Crowdstrike without it being tested. That’s just unfathomable. On the other hand, NinerNet doesn’t check every single update we apply to our servers, but we have to rely on our operating system vendors to do that for us. As Crowdstrike customers and their customers found out yesterday, the IT world is very interdependent.

Of course, NinerNet will almost certainly have some major incident in the future, and I know that some will then say that this post will come back to bite us in the ass. Not really. I’m always amused when an incident happens and people say or claim, “We will learn and it will never happen again!” That cracks me up. Incidents — whether they are global IT meltdowns or plane crashes — are almost always human-caused. So yeah, it will happen again, and NinerNet will have some issue at some time in the future and we will learn from it and promise that we will take steps to prevent it from happening again. But we have never and will never claim that it will never happen again.

The other purpose of this post is for marketing. The word “marketing” is a four-letter word to me, simply because about the only skill that marketers have is the ability to lie, with a straight face. I certainly wouldn’t accuse Microsoft or Crowdstrike of any kind of over-marketing or marketing subterfuge but, you know, there’s a part of me that looks askance at claims made by companies that over-promise and under-deliver … and over-promising and under-delivering are pretty much the meat and potatoes of marketers! It is far beyond my remit to determine whether or not either Microsoft or Crowdstrike have ever over-promised or under-delivered, but yesterday under-delivery was rampant.


Update, 2024-07-24: I wasn’t planning to drive home any of my points above, but I was cleaning up some open browser tabs and there were a few Crowdstrike-related tabs still open.

At “Helping our customers through the CrowdStrike outage” Microsoft proudly states, “We currently estimate that CrowdStrike’s update affected 8.5 million Windows devices, or less than one percent of all Windows machines.” Umm, so? Your point is? What they fail to state here is that those 8.5 million Windows devices affected many, many more millions (a billion?) of poor saps who rely on companies that rely on Crowdstrike that relies on Microsoft’s crappy operating system. It reminds me of a saying: “Figures don’t lie, but liars sure as hell can figure!”.

George Kurtz, CEO of Crowdstrike, also stated in a tweet, “Today was not a security or cyber incident. Our customers remain fully protected.” This statement is freaking hilarious! If you can’t turn on your “Windows device”, of course it’s “fully protected”! OMG, this is one for the comedy annals!

Browsing through Mr. Kurtz’s Twitter feed you see a lot of the aforementioned “marketing”:

* Wow… another great quarter in the books for $CRWD.
* $CRWD delivered a strong 2Q23 with record $218M net new ARR, $2.14B ending ARR, record net new customers & $136M free cash flow.
* $CRWD delivered record Q4 results.

*yawn*

Recent scam/phishing message(s)

17 May 2024 07:43:56 +0000

Please be advised that there is a phishing message getting through the spam filters with the subject:

Oops, Error updating the POP/IMAP server of YOUR-DOMAIN.TLD

In the actual email, “YOUR-DOMAIN.TLD” just happens to be the domain of the email address to which the scam was sent (see screenshot below). (What a coincidence!) These are not sent by NinerNet, as even a cursory look at the “From” field will show. We also do not use folksy words like “Oops” in business and technical emails, and we don’t pose as the “webmaster” of your domain. We are NinerNet, and that is how we always present ourselves to you, our client.

If you click the button to “Update Preferences” (or whatever action your copy of the message urges you to take) — which we strongly urge you not to do! — you will be taken to a page that looks like the log-in page for a webmail system (not our webmail system, I hasten to emphasise!), where the scammers expect that you will enter your email log-in information. Your log-in will fail, of course, but you will have given your real email password to the scammer, who will then use it to hijack your account.

If you or someone in your organisation falls for this, change the password for that account immediately! It’s not shameful to fall for a scam; many are convincing and we are all busy people who sometimes do something we regret when we are busy and distracted. What is important is that you recognise what has happened and take action to prevent any further damage.

Please be aware of and do not fall for these types of messages! The spam filter has been catching a lot of these types of messages lately, but the casual language of this one seems to be defeating our spam filters.

Please ensure that your employees, colleagues and other associates know about these scam messages. You should also remind yourself and your employees, colleagues and associates of the information on our website at the following links:

Thank-you for your time and attention to this vitally important matter. Please contact NinerNet if you have any questions.

Phishing scam email, 2024-05-16.


Compromised email accounts are being accessed via webmail

29 August 2022 11:01:18 +0000

It is becoming more and more common, once an email account has been compromised by a computer virus or other malware, for the email account in question to be accessed through the webmail. When this happens, one or all of three things (and sometimes more) happen:

  • The criminal behind the virus/malware uses your webmail account to send spam or more viruses (the viruses will be stopped by our server, but sometimes some spam will still get through),
  • The criminal poses as you (or one of your employees) and dupes your customers into sending payments to their bank account(s), and/or
  • The criminal creates filters in your email account to siphon off email to external email accounts they or their associates control.

While all are very negative and need to be stopped quickly — and this is why a compromised email account’s password must be changed, and the old password never used again — the last is particularly insidious as you might not use the filters, or you may not even know that they exist! Filters are a legitimate tool for people to use to handle some email in an automated fashion, and they have been around as long as email has been around.

The bottom line is that a compromised email account is a very serious matter. Your machines and devices need to be protected, by security software (anti-virus software, firewalls, encryption, anti-malware software, etc.), physically (access control, passwords, physical locks, etc.), and with education, knowledge and vigilance. If an email account is compromised the reason should be determined and the cause fixed or addressed in some other way. You then also need to examine the (now formerly) compromised account; one of the first things you should check is the integrity of the account’s filters. If unauthorised filters remain in place, the account is still compromised.

It is vital that you not gloss over an email account compromise as a “cost of doing business” and just carry on as usual after the inconvenience in your day. If you do not take all of the above steps your lack of action will come back to bite you in the buttocks, as Forrest Gump said. And this bite could cost your business in money, goodwill and business.

Another thing to consider is that the mail server’s control panel allows its users to designate any email account as a “domain admin”. We have always discouraged this, instead creating dedicated accounts for domain admins, but it’s a popular and widely used feature. However, consider this: If you designate bob@example.com as a “domain admin”, and Bob’s account is compromised, then the criminal behind the compromise will have access to all of the email accounts on the example.com domain. The results could be significantly more than just the inconvenience of having one email account compromised.

Something else for you to consider is how you can protect your employees from phishing emails. (Please see our “scams” section for many examples of scam emails, many of which are phishing emails.) Phishing emails try to get their recipients to click a link where they are asked to enter their email address and email password. Of course, none of us would be fooled by this, but many people a day are. How the page where people are asked to enter their log-in information looks depends on the nature of the email. If it was allegedly from a bank, the log-in page will be an exact copy of the log-in page for the bank they’re trying to present themselves as. If they’re trying to get your email password, everything will look like a webmail log-in page. It’s convincing. When you enter your log-in information, either nothing will happen, or your browser will be redirected to a legitimate webmail log-in page, but you won’t (of course) be logged in. In the meantime, your log-in information will be saved, and available for the scammer to use.

If this happens to you, you must immediately change the password on your account.

But back to the original question: How can you protect your company from your employees potentially falling for this phishing scam? One way is to not give your employees their email passwords. If they don’t have it, they can’t enter it in a phishing form. Of course, you need to weigh the advantages and disadvantages of this. A disadvantage is that you or your IT person will have to enter it for them when setting up their email account on their machine and/or phone, but the advantage is that they won’t be able to make the mistake of inadvertently providing their password.

If you haven’t recently, it’s probably a good idea to check the filters in your webmail account right now to confirm that you put them all there and that you still need them. And while you’re at it, change your email password too! Make sure it’s at least 12 characters long, includes upper- and lower-case letters, numbers and special characters. And use a password manager too. We use and strongly recommend KeePass.
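
One way to carry out the filter check described in this post, as an added example that is not NinerNet's own tooling: it assumes the account's filters can be exported as Sieve scripts (RFC 5228), which the post does not state, and lists every `redirect` action with its destination. The script, addresses and domains below are constructed.

```python
import re

# Minimal Sieve tokenizer: comments, quoted strings, tagged arguments,
# identifiers and punctuation. Multi-line "text:" strings are not handled.
TOKEN = re.compile(r'''
    (?P<comment>\#[^\r\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\])*")
  | (?P<tag>:[A-Za-z_][A-Za-z0-9_]*)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<punct>[;{}\[\](),])
''', re.VERBOSE | re.DOTALL)

# Constructed sample: one ordinary rule, one siphoning rule, one internal
# forward, and a commented-out redirect that must be ignored.
SAMPLE_SCRIPT = r'''
require ["fileinto", "copy"];
# rule:[Invoices]
if header :contains "subject" "invoice" {
    fileinto "Accounts";
}
# rule:[.]
if true {
    redirect :copy "collector@mailbox.invalid";
}
if address :is "from" "boss@example.com" {
    redirect "bob.home@example.com";
}
# redirect "old@elsewhere.invalid";
'''


def audit_sieve(script, own_domains):
    """Return one finding per redirect action in the script.

    external   -> destination domain is not one of own_domains
    keeps_copy -> ':copy' is present, so the owner still receives the
                  message normally and has no reason to notice the forward
    """
    own = {d.lower() for d in own_domains}
    tokens = [(m.lastgroup, m.group()) for m in TOKEN.finditer(script)
              if m.lastgroup != "comment"]
    findings = []
    i = 0
    while i < len(tokens):
        kind, text = tokens[i]
        if kind == "word" and text.lower() == "redirect":
            tags, address = [], None
            i += 1
            # Read the action's arguments up to the terminating semicolon.
            while i < len(tokens) and tokens[i][1] != ";":
                arg_kind, arg_text = tokens[i]
                if arg_kind == "tag":
                    tags.append(arg_text.lower())
                elif arg_kind == "string" and address is None:
                    address = re.sub(r"\\(.)", r"\1", arg_text[1:-1])
                i += 1
            if address is not None:
                domain = address.rsplit("@", 1)[-1].lower()
                findings.append({
                    "address": address,
                    "keeps_copy": ":copy" in tags,
                    "external": domain not in own,
                })
        i += 1
    return findings


if __name__ == "__main__":
    for finding in audit_sieve(SAMPLE_SCRIPT, ["example.com"]):
        print(finding)
```

An external destination combined with `keeps_copy` is the pattern to review first, since mail keeps arriving in the inbox as usual while a copy leaves the domain.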

Significant recent spam activity

16 March 2022 02:30:11 +0000

In the last 48 hours we have seen a significant increase in the number of email accounts that have been compromised due to the virus infection of a large number of our clients’ machines and/or devices. In one case that we know of, one of our resellers stated that they “have a company wide nightmare [of] machines spamming each other and everyone they have ever talked to via email.” This is not good. They have been working with their client to get a handle on this, and as of Tuesday their time this issue seems to be under control for them.

However, since then we have had multiple other email accounts compromised on multiple domains. Please note that email accounts are “compromised” when the machine or device on which the account is configured is infected with a virus. This is not under the control of NinerNet, but of you and your employees and colleagues. Please ensure that you have updated anti-virus programs or apps installed, and please do not open attachments from unknown senders. Even attachments from known senders must be treated with extreme care, because viruses tend to come from other infected machines, and they could be the machines or devices of people you know.

Some reminders for all clients:

  • Please ensure you have anti-virus software (or an app) installed on all machines (computers) and devices (phones/tablets),
  • Please only open attachments after they have been scanned for viruses,
  • Please be extra careful of attachments sent from unknown senders, and
  • NinerNet’s mail server scans incoming and outgoing messages for viruses, but if the vendor of the software isn’t aware of the existence of the virus it may get through. If you also have anti-virus software installed, then that additional scan could make the difference between a normal day and an expensive day you’d rather forget.

At this point it looks like we nipped these outbreaks in the bud, so our mail servers are not in any additional blacklists. However, please do contact NinerNet support if you have any issues with outgoing email, or if you have any questions.

Thank-you.

Yet another note about scam emails

19 May 2021 07:36:15 +0000
Phishing scam email, 2021-05-12.


The scam and phishing emails continue to come in. The most recent example is particularly aggressive. Please do not fall for it.

NinerNet would never send out an email this aggressive or threatening.

Please review our last two blog posts about these kinds of emails. They are all 100% scams.

Another one of these emails had this “from” field:

From: Domain@nc036.ninernet.net, Admin@nc036.ninernet.net

The footer of the emails also contains a note that states, “example.com Webmail Support”, where “example.com” is the domain in the recipient’s email address. This is all automated, and doesn’t make it any more legitimate.

If you have any questions or concerns, please do contact NinerNet support. Thank-you.

Warning about sexual blackmail/extortion scam emails

13 April 2021 09:32:21 +0000

We have, in the past, warned of sexual extortion and blackmail emails. These reared their ugly heads in 2018, and have continued to circulate in various forms since. I have received them myself, and they are unnerving.

Today we warn you again, but with added urgency because we know of someone who has fallen for this scam. This is not unusual, because people fall prey to these scammers every day, but it is even more saddening when it’s someone you know.

Here is the email they fell for:

From: KJi
Sent: April 05, 2021 1:23 AM
To: Recipients
Subject: Evidences Against You

Hello,

It’s so shameful how people can’t be satisfied with their marriages.

We know you are cheating on your spouse and this has been backed-up with
evidences from your hacked mobile device for your fyi.

Just a little favor from you to me can go along way in esnuring things don’t
get bitter with your spouse finding out.

Kindly send an equivalent of 1200$ worth of bitcoin to this wallet
:bc1qt9fx8fz2fydy0q5h0ruvd30a7ujqxmx80hn3tn

Trust me, this is very little compared to what will happen if you don’t
cooporate with us and i believe you love your family no matter what.

In 48hrs time,if we don’t receive this token of 1200$ worth of btc from you,
you will receive pictures and screenshots via email and same will be sent to
your spouse as well.

Your time start counting now and note that any attempt to file a complaint
will not result to nohing as this e-mail cannot be traced and same as my
bitcoin id.

If, by any chance I find out that you have shared this message with anyone
else, I will make things go viral immediately

Rdgs,

KJ

Note all the spelling, grammatical and punctuation errors.

There is no way for this person to get their money back, as there is no way to find the scammer. And it is a scam; the sender does not have any “evidences”. It’s a shot in the dark, and the chances of their mass email finding someone who really is being unfaithful in their marriage — and is feeling guilty and doesn’t want to be outed — are actually pretty good!

Please take this warning seriously, and don’t be fooled by these emails. They are just scams. We strongly suggest that you circulate this information to your colleagues, co-workers, employees, family and friends. Knowledge is power against the scammers.

Compendium of scam emails

13 April 2021 09:26:41 +0000

Scam and “phishing” emails arrive daily by the truck load. We can’t send a warning every time we ourselves get a scam or phishing email. If we did, our own emails would become just noise in the background.

However, we present here eighteen screenshots of scam, spam and phishing emails that we have received or seen over the last four years. If you’re not sure what one of these emails looks like, we encourage you to look these over. The approaches vary, but here are some common factors:

  • They advise you that your email account is over quota, and you must take some immediate action to prevent catastrophe — i.e., the loss of all your email.
  • Your email account is being closed or upgraded.
  • The webmail for your account is being upgraded, and you have to take action.
  • Your domain is being cancelled or expired within a few hours or a couple of days.
  • Payment for the renewal of your domain is overdue.
  • Wordy expiration notices that are unclear about what exactly is expiring and how it could theoretically affect you.
  • Domain SEO (search engine optimisation) notices made up to look like invoices for domain renewal.
  • Emails with links that disguise the true destination to which you are clicking. Always check the status bar in your email program or app — before you click, while hovering your mouse pointer over the link — to determine whether or not your browser will really be going to a domain you recognise — e.g., niner.net if you are a NinerNet Communications client.
  • Emails that try to sound like they come from your own company’s IT department, complete with copyright notices.
  • “Final” renewal notices that are a surprise.
  • Fine print at the end of the email that makes ludicrous statements that contradict the meat of the email, such as, “We do not directly register or renew domain names” or “THIS IS NOT A BILL” (in an email that looks like it’s a bill to renew your domain); “We have clearly mentioned the source mail-id of this email, also clearly mentioned our subject lines and they are in no way misleading” (in an email that tries to mislead you into paying what looks like an invoice).
  • Urgent server warnings, that aren’t urgent server warnings at all.

NinerNet Communications is judicious about how many emails we send out, and how often we do. We’re also careful to ensure that we use proper spelling and grammar. Our emails do not contain copyright notices and pages of meaningless legal notices. (Maybe they should, but currently they don’t. We’re real people who tend to believe that our clients are also real people with brains.) With that in mind, here is a non-exhaustive list of things you should look for to determine if an email you’ve received really is from NinerNet and if it’s legitimate:

  • Is it from an email address on the niner.net domain? (Configure your email program or app to show you the sender’s actual email address, not just their name.) If it’s not, it’s not from us and you can probably ignore it if it claims to be about your hosting or domain.
  • Does it try to scare you or make you angry, such that you might take immediate action? If it does, it’s definitely not from us.
  • Is it in HTML or “rich text”, with different colours and types of fonts, and does it contain images or things that look like buttons (especially that say “secure online payment”)? It’s very likely not from us.
  • Are there copyright notices in the email? Definitely not from us.
  • Does it flatter you with words such as “esteemed” or “valued”? Not from us. (You are esteemed and valued, for sure; we just don’t lay it on thick with you!)
  • Does the email address you by the name in your email address? For example, if your email address is accounts@example.com, does it address you as “accounts” as if that was your name? Not from us.
  • Does it ask for personal information or ask you to update or confirm personal information? Very likely not from us unless you’re a brand new client.
  • Look very carefully at the sender’s address. Does the font on your email program make some letters look like others? For example, if the sender looks like bob@example.com, are you sure his domain isn’t exarnple.com? With some fonts the “r” and the “n” together look like the “m” in “example”.

Of course, the above checklist can be applied to any email you receive, including emails that purport to be from your bank.
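The first and last items of the checklist (is the sender on the domain you expect, and is it really that domain or a lookalike such as exarnple.com) can be checked mechanically. The following is an example added here, not code that NinerNet uses; the trusted-domain list and the table of confusable letter pairs are assumptions, and only the “rn”/“m” pair comes from the text above.

```python
from email.utils import parseaddr

# Assumption for this example: the domains you expect legitimate mail from.
TRUSTED_DOMAINS = ("niner.net", "example.com")

# Letter sequences that render like another letter in many fonts.
# ("rn", "m") is the case described above; the others are a short,
# non-exhaustive set added for illustration.
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def skeleton(domain):
    """Collapse visually confusable sequences into one canonical form."""
    s = domain.lower()
    for seq, canon in LOOKALIKES:
        s = s.replace(seq, canon)
    return s


def sender_domain(from_header):
    """Return the domain of the real address, ignoring the display name."""
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def classify_sender(from_header):
    """Return (verdict, matched trusted domain or None) for a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unparseable", None)
    # Exact match or a subdomain of a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return ("trusted", trusted)
    # Same appearance as a trusted domain, but different characters.
    labels = domain.split(".")
    for trusted in TRUSTED_DOMAINS:
        tail = ".".join(labels[-(trusted.count(".") + 1):])
        if skeleton(tail) == skeleton(trusted):
            return ("lookalike", trusted)
    # Punycode or non-ASCII names can hide look-alike characters too.
    if domain.startswith("xn--") or ".xn--" in domain or not domain.isascii():
        return ("internationalised", None)
    return ("unknown", None)
```

A “lookalike” verdict is the one to treat as hostile: nobody registers exarnple.com by accident.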

Attachments: Don’t open attachments from unknown senders or that you are not expecting, even from known senders. Also make sure you have anti-virus software installed.

Our automated notices telling you that your mail box is full, or close to it, are extremely brief and do not try to scare you or offer you links to “free upgrades” or anything like that.

If you click on a link in an email and enter information on a form — especially a password — and then realise that it’s a scam/phishing, immediately change that password. You should also contact NinerNet, or whoever that account is with, to inform them what has happened.

Finally, when we do send you an email to advise you of something that applies to all (or most) clients — such as server moves, upgrades, etc. — we include a link to our blog (blog.niner.net) so that you can confirm that information.

Below, then, are the eighteen screenshots of scam, spam and phishing emails. The first is particularly noteworthy, as it is a sexual blackmail/extortion scam that seeks payment via Bitcoin. It and similar emails will be the subject of our next blog post.

If you have any questions, please contact NinerNet support. Thank-you.

Sexual blackmail bitcoin email scam.

Scammers never sleep

31 December 2018 10:02:41 +0000

If you thought you could get a break from scammers over Christmas, think again. This one landed in our in box on Christmas day, as is clear from the date the countdown starts!

From: greatroadnorth.com is about to expire. <no-replay@renewal-service.info>
Reply-to: “greatroadnorth.com is about to expire.” <no-replay@renewal-service.info>
Subject: Domain Administrator
Date: Tue, 25 Dec 2018 17:52:19 +0000
Return-path: <01020167e67ef75e-d5d2ee16-fd2f-457e-9a8d-00dba3dc6492-000000@eu-west-1.amazonses.com>
X-spam-score: 2.125

Tucows Domains Inc.
====================
IMPORTANT NOTIFICATION
====================
greatroadnorth.com
Date: 2018-12-25

Dear Domain Administrator,

The Domain SEO-listing shown below are set for renewal and need to be processed in the next 48 hours.

No need to worry, please go to this link and follow the instructions:
renewal-service.info/greatroadnorth.com

Your product details are listed below:
====================

Product Name:
SEO-Renewal for greatroadnorth.com
Expire Time:
48 hours from 2018-12-25
Renewal cost per annum:
$69.00

====================
Amount due: $69.00

PAYMENT INFORMATION
Information on how to renew your domain can be found here:
renewal-service.info/greatroadnorth.com

This offer is only valid for 48 hours as a courtesy to let you know that your domain is expiring soon and this search engine optimization offer will expire.
Should your domain name expire, there is going to be a signifcant drop
in search engine services for your website, email and any other associated services.
This domain seo registration for greatroadnorth.com limited time offer will end in 48 hours from 2018-12-25.

Thank you!

Sincerely,
Renewal department

====================

Note:
You received this message because you elected to receive notification offers. Should you no longer wish to receive our offers, please unsubscribe here. If you have multiple accounts with us, you must opt out for each one individually.

Some characteristics of this spam/scam:

  • Your name (available from the WHOIS) will be in the subject, along with a flag emoji to draw attention to the email.
  • The name of your legitimate domain registrar (also available from the WHOIS) will be at the top of the email, even though they did not send the email.
  • There is the usual very close deadline (48 hours), after which the world will end for you and your domain.
  • The plain-looking links in the email mask tracking links to the domain wizz.netvalue.io.
  • The scammer makes the unusual claim that not sending them money will cause “a signifcant [sic] drop in search engine services for your … email”. This, of course, is absolutely false, as your email traffic is not tied directly to search engine traffic anyway.
  • Sent through the best and biggest “bulletproof” spam hosting service in the world: Amazon.

Given the fact that most gTLD registrars (including the ones we use) have not published WHOIS information since May 2018, these scams are being sent to old mailing lists that were compiled before publishing stopped and are now out of date. (For example, the domain that is the subject of this email no longer exists.) Changing the contact email address on your domain and shutting down the old address is something you should consider doing.

Extortion scam email

24 July 2018 04:57:43 +0000

We have had a particularly nasty extortion email brought to our attention by two different clients in the last four days. Some research reveals that it has been around since at least late last year, but variants of extortion emails are almost as old as email itself. However, the personal nature of the current incarnation of these emails is alarming to those who receive it, even those with a clear conscience.

Unfortunately, as with most (if not all) scams, the scammers have been successful. In this case, because they demand payment of their ransom in Bitcoin, and the Bitcoin system allows public tracking of all transactions (just not the identities of the senders and receivers), researchers have been able to see that the Bitcoin addresses used in these scam emails have indeed received payments. A quick glance shows payments reaching into six figures (in US dollars) for some Bitcoin addresses (like bank account numbers, but not subject to the same scrutiny as happens when you open a bank account), and since it seems that few (if any) Bitcoin addresses have been used twice (although they are probably controlled by a small number of criminals), you can multiply that many times over.

One of the key features of the current round of emails that seem to have cropped up in the last week is the inclusion of a password that you may have used at some point in the past, both in the subject and the body of the email, to get your attention. This adds plausibility to the extortion attempt. However, keep in mind that huge databases of personal information are being breached by hackers all the time. The well-known tracking website “Have I Been Pwned” includes over five billion breached accounts (and growing) in its database. They compile their database from the raw data released by hackers after they penetrate the systems of the likes of LinkedIn, MySpace, Adobe, Ashley Madison and many others, so those databases are out there and will be forever. If a website or company you use was hacked and your password was stored by them in an unencrypted form, then there are databases out there that contain enough information to put together your email address and a password you have used, and possibly your name, address and phone number too. (Some people have received these extortion attempts via postal mail.) Do an old-fashioned mail merge and voila, you have an email message that could scare you into parting with anywhere from hundreds to tens of thousands of dollars in a vain attempt to keep a secret that a scammer made up in his or her own imagination.

As with all spam and scam emails, these are best ignored. They are just mass produced by the millions and fired out at the Internet shotgun-style.

Some have commented in the links we provide below that they have contacted the police about these emails (or letters) and received the cold shoulder. This is unsurprising. One of the benefits of computers is also one of their downsides; the fact that you can send an hilarious cat video to a few thousand of your closest friends is the same technology that allows scammers to multiply their own efforts considerably and with very little effort or expense. Your national police force probably already has this in their in tray, and when combined with other law-enforcement efforts it will probably rise to the top one day when they pull Guido over for speeding and realise that he is the mastermind behind all of this. Case closed.

There are many “top ten things you should do to remain safe on the Internet” lists out there. None will cover it all in only ten items, but here are some things for you to consider in the vein of the contents of these emails that we have reproduced below:

  • Don’t reuse passwords. If you consistently use the same email address and password for different websites, then when one of them is breached, all of your accounts are breached. Use a different password for every single website. It’s not that hard. Use a password manager like KeePass to generate and track random, complicated passwords that you will never remember and never need to remember.
  • Cover your webcam lens with an opaque cover when it is not in use. Some webcams include such a cover you can flip over the lens. If yours doesn’t, you can get a sticky cover that you can easily remove and reapply that doesn’t leave residue on the lens. We buy ours from the Electronic Frontier Foundation, but you can get generic ones or small metal covers you can install that you then slide to cover the lens (do a Web search for “webcam cover”), or you could use a sticky note or even a plaster / adhesive bandage.
  • Tell your friends and family. Friends don’t let friends pay bogus ransoms for bogus extortion attempts. Send them a link to this post at blog.niner.net/2018/07/24/extortion-scam-email

If you have any questions or concerns about this, please contact us and we will be happy to answer your questions. Thanks for your time.

Links to external websites with additional information documenting this scam

The two emails brought to our attention are below. The wording is not identical, but the style and substance are the same and they seem to be written by the same person. In these emails we have masked our clients’ names, email addresses and passwords, of course.

Email 1

---------- Forwarded message ---------
From: Juliana Bradford <ydewillyfx@outlook.com>
Date: Mon, 23 Jul 2018 at 19:46
Subject: CLIENT NAME – PASSWORD
To: CLIENT EMAIL ADDRESS

I am well aware PASSWORD one of your passphrase. Lets get right to point. There is no one who has compensated me to investigate you. You do not know me and you’re most likely wondering why you’re getting this e-mail?

In fact, I actually setup a malware on the X streaming (pornography) web-site and do you know what, you visited this web site to experience fun (you know what I mean). While you were viewing videos, your internet browser began functioning as a Remote control Desktop that has a key logger which provided me accessibility to your screen and web camera. Right after that, my software collected all your contacts from your Messenger, social networks, as well as e-mailaccount. After that I created a video. First part displays the video you were viewing (you have a nice taste haha), and 2nd part displays the view of your cam, yea it is you.

You get two alternatives. Shall we read each of these choices in particulars:

First choice is to disregard this email message. In this scenario, I am going to send out your very own recorded material to every single one of your contacts and also just think concerning the awkwardness you will see. And consequently if you happen to be in an important relationship, just how it will eventually affect?

2nd alternative is to pay me $7000. Lets refer to it as a donation. Consequently, I most certainly will without delay discard your video recording. You could go on your daily life like this never occurred and you surely will never hear back again from me.

You will make the payment by Bitcoin (if you don’t know this, search for “how to buy bitcoin” in Google).

BTC Address to send to: 18sPsLXYDqKZnZ6Mb5xbYS168QFPYrQC75
[case sensitive, copy & paste it]

Should you are planning on going to the law enforcement, well, this mail can not be traced back to me. I have covered my actions. I am just not looking to ask you for money a whole lot, I simply want to be paid. I’ve a special pixel within this mail, and right now I know that you have read this message. You have one day to make the payment. If I do not receive the BitCoins, I will certainly send your video recording to all of your contacts including friends and family, co-workers, and many others. Nevertheless, if I do get paid, I will destroy the video right away. If you need proof, reply with Yea then I will certainly send out your video recording to your 7 friends. It’s a nonnegotiable offer and so please don’t waste my personal time & yours by responding to this message.

Email 2

-------- Forwarded Message --------
Subject: RE: CLIENT NAME – PASSWORD
Date: Thu, 19 Jul 2018 05:03:35 +0000
From: Antonio Simmons <jrcsxeugeniouks@outlook.com>
To: CLIENT EMAIL ADDRESS

I will directly come to the point. I do know PASSWORD is your pass word. More to the point, I am aware about your secret and I’ve evidence of your secret. You do not know me personally and nobody paid me to look into you.

It’s just your bad luck that I came across your bad deeds. Well, I placed a malware on the adult video clips (porno) and you visited this site to have fun (you know what I mean). While you were busy watching videos, your internet browser initiated operating as a Rdp (Remote desktop) that has a key logger which gave me access to your display screen as well as web camera. Right after that, my software program gathered your entire contacts from messenger, facebook, and mailbox.

Next, I put in more hours than I probably should’ve looking into your life and made a two view video. 1st part shows the video you were watching and second part shows the view from your web camera (its you doing dirty things).

Honestly, I am ready to forget all information about you and let you continue with your daily life. And I am going to present you 2 options that will make it happen. Those two option is with the idea to ignore this letter, or simply pay me $ 2900. Let’s explore these 2 options in more detail.

Option One is to ignore this email message. Let us see what is going to happen if you opt this option. I will certainly send your video to your entire contacts including family members, co-workers, and so forth. It does not shield you from the humiliation your self will face when family and friends discover your dirty details from me.

Option 2 is to send me $ 2900. We will call it my “privacy tip”. Now lets see what will happen if you choose this option. Your secret remains your secret. I’ll erase the recording immediately. You go on with your routine life that none of this ever occurred.

At this point you may be thinking, “I will complain to the police”. Let me tell you, I have covered my steps in order that this e mail cannot be linked to me plus it won’t prevent the evidence from destroying your lifetime. I’m not seeking to steal all your savings. I just want to get compensated for the time I placed into investigating you. Let’s assume you decide to produce all of this vanish entirely and pay me my confidentiality fee. You will make the payment via Bitcoin (if you don’t know how, type “how to buy bitcoins” on google search)

Amount to be paid: $ 2900
Bitcoin Address to Send to: 1GQK1MNV5N7B9pV8L63W7nGfChJkKp7ymq
(It is CASE sensitive, so you should copy and paste it carefully)

Tell nobody what you should use the bitcoin for or they may not provide it to you. The method to get bitcoin will take a short time so do not delay.
I’ve a specific pixel within this email message, and now I know that you’ve read this e mail. You have 24 hours to make the payment. If I don’t get the BitCoin, I will definately send out your video to your contacts including close relatives, colleagues, and many others. You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I’ll destroy the video and all other proofs immediately. It’s a non negotiable offer, thus do not waste my personal time & yours. Your time is running out.
