Current File : /home/mak/mail/new/1756039158.M275940P21929.cloud.berardocollection.com,S=11388,W=11595

Return-Path: <takedown-response+74317036@netcraft.com>
Delivered-To: mak@cloud.berardocollection.com
Received: from cloud.berardocollection.com
	by cloud.berardocollection.com with LMTP
	id gLlHEPYHq2ipVQAAuY/3dA
	(envelope-from <takedown-response+74317036@netcraft.com>)
	for <mak@cloud.berardocollection.com>; Sun, 24 Aug 2025 13:39:18 +0100
Return-path: <takedown-response+74317036@netcraft.com>
Envelope-to: webmaster@mak.pt
Delivery-date: Sun, 24 Aug 2025 13:39:18 +0100
Received: from mail-1c.netcraft.com ([52.31.138.216]:38083)
	by cloud.berardocollection.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.98.1)
	(envelope-from <takedown-response+74317036@netcraft.com>)
	id 1uqA0D-000000005sP-0cnd
	for webmaster@mak.pt;
	Sun, 24 Aug 2025 13:39:18 +0100
Received: from barb.netcraft.com (unknown [10.9.0.151])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mail-1c.netcraft.com (Postfix) with ESMTPS id 89C2F81EA
	for <webmaster@mak.pt>; Sun, 24 Aug 2025 12:38:06 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=netcraft.com;
	s=default202405-yu9bqteb95aqcfpg; t=1756039087;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=G0YOI8Rkq8Wxuykcc5M+bdCBX/P+NGjLjTXWTvcwBx0=;
	b=gvWxr1FC8f1nyMgo6jWu4e6q4DwR2fE3c2wCnAJBfL9AI9o8cp3gT59STqXaql0Mt+IyUl
	6kwYgjO+GF6wBuTWOnD+DHhykpS+YgboMGPH1OcUc9yw8iVlfm0HBn24VVO89h1svxqSX+
	2qm44aVT++nFj4PWdDOXI/r5XyHjdvGVexOh2eGYImTarnMH7IHo7LNn5GxpD7LCtlbbsY
	KGkJO2Rcylh569FVDK8Fd0XuPf76CwfO6iBTwXl6H/USBvTexKHgTPu+7Dje5tJ+T5fGTe
	9oHRcy4/imwm3+dyCil46PLZK23yCBiMK65sZCBvczl/KUYr5D9OoKT0eapVHw==
Received: by barb.netcraft.com (Postfix, from userid 507)
	id 6C63DDF3; Sun, 24 Aug 2025 12:38:04 +0000 (UTC)
Content-Transfer-Encoding: 8bit
Content-Type: multipart/report; boundary="_----------=_175603908438423472974"; report-type="feedback-report"
MIME-Version: 1.0
Date: Sun, 24 Aug 2025 12:38:04 +0000
From: Netcraft Takedown Service <takedown-response+74317036@netcraft.com>
Subject: Re: Issue 74317036: Phishing attack at hxxps://mak[.]pt/.oduk/oimz.html
References: <17c8f53646a6b85c921ac83530d3c29b@takedown.netcraft.com>
In-Reply-To: <17c8f53646a6b85c921ac83530d3c29b@takedown.netcraft.com>
To: webmaster@mak.pt
Message-Id: <a5a4dc389900317ba81ecb77096825c9@takedown.netcraft.com>
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
X-Spam-Status: No, score=-2.1
X-Spam-Score: -20
X-Spam-Bar: --
X-Ham-Report: Spam detection software, running on the system "cloud.berardocollection.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Olá, Nós descobrimos um ataque de phishing localizado na
    sua rede: hxxps://mak[.]pt/.oduk/ [109.71.44.169] hxxps://mak[.]pt/.oduk/oimz.html
    [109.71.44.169] 
 Content analysis details:   (-2.1 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: cetelem.fr]
  0.0 URIBL_DBL_BLOCKED      ADMINISTRATOR NOTICE: The query to
                             dbl.spamhaus.org was blocked. See
                             https://www.spamhaus.org/returnc/vol/
                             [URIs: cetelem.fr]
  0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE:
                             The query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                             [52.31.138.216 listed in sa-accredit.habeas.com]
  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The
                             query to Validity was blocked.  See
                             https://knowledge.validity.com/hc/en-us/articles/20961730681243
                              for more information.
                             [52.31.138.216 listed in bl.score.senderscore.com]
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                             [score: 0.0000]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                             envelope-from domain
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                             author's domain
X-Spam-Flag: NO

This is a multi-part message in MIME format.

--_----------=_175603908438423472974
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="UTF-8"

Olá,

Nós descobrimos um ataque de phishing localizado na sua rede:

hxxps://mak[.]pt/.oduk/ [109.71.44.169]
hxxps://mak[.]pt/.oduk/oimz.html [109.71.44.169]

É possível que este ataque esteja sendo restrito para que seja visível apenas em alguns países. Antes de decidir que o ataque foi resolvido, confirme se ele não pode ser visualizado nos seguintes países:
França
Entendemos que este site é simplesmente um redirecionamento para conteúdo expirado, porém costumava redirecionar para conteúdo fraudulento. O redirecionamento é controlado por um fraudador, portanto, pode ser reutilizado para ataques futuros, tornando sua remoção ainda mais importante.
Anteriormente, entramos em contato com você sobre esse problema em 2025-08-23 06:24:10 (UTC).

Você pode não ter tido conhecimento deste ataque, porém, você ainda é responsável pela sua remoção

Este ataque tinha como alvo nosso cliente, Cetelem, URL do site http://www.cetelem.fr/‎.

Por favor remova este conteúdo fraudulento, e qualquer outro conteúdo fraudulento associado, o mais cedo possível.

Adicionalmente, por favor mantenha o conteúdo fraudulento seguro para que o nosso cliente e agências de aplicação da lei podem investigar este incidente mais quando o site está offline.

Mais informações sobre o problema detectado são fornecidas em https://incident.netcraft.com/1d004c59185c/

NOVO: Uma versão beta dos nossos relatórios de incidentes de próxima geração está disponível em https://beta.incident.netcraft.com/reports/xp3m2mjkn3hfzr4mwy37fy
Consulte https://beta.incident.netcraft.com/about para obter mais detalhes, incluindo suporte API. Entre em contato com incident-feedback@netcraft.com com qualquer comentário ou para obter mais informações.

Atenciosamente,

Netcraft

Telefone: +44(0)1225 447500
Fax: +44(0)1225 448600
Número do problema Netcraft: 74317036

Para contactar-nos sobre actualizações neste ataque, por favor responda a este e-mail. Por favor nota: respostas a este endereço são registrado, mas não são lidos sempre. Se você acredita que recebeu esta mensagem por engano, ou se precisa de mais apoio, por favor contacte: support@netcraft.com.

Este mail pode ser analisado com ferramentas x-arf. Visita http://www.xarf.org/ para mais informações sobre x-arf.
-------------------
Hello,

We have discovered a phishing attack on your network.

hxxps://mak[.]pt/.oduk/ [109.71.44.169]
hxxps://mak[.]pt/.oduk/oimz.html [109.71.44.169]

It is possible that this attack is being restricted so it is only visible from certain countries. Before deciding that the attack has been resolved please confirm it cannot be viewed from the following countries:
France
We understand that this site is simply a redirect to expired content, however it used to redirect to fraudulent content. The redirect is controlled by a fraudster so can be reused for future attacks, making its removal all the more important.
We previously contacted you about this issue on 2025-08-23 06:24:10 (UTC).

You may not have been aware of this attack, however, you are still responsible for removing it.

This attack was targeting our customer, Cetelem, website URL http://www.cetelem.fr/‎.

Please remove this fraudulent content, and any other associated fraudulent content, as soon as possible.

Additionally, please keep the fraudulent content safe so that our customer and law enforcement agencies can investigate this incident further once the site is offline.

More information about the detected issue is provided at https://incident.netcraft.com/1d004c59185c/

NEW: A beta version of our next generation incident reports is available at https://beta.incident.netcraft.com/reports/xp3m2mjkn3hfzr4mwy37fy
See https://beta.incident.netcraft.com/about for more details including API support. Please contact incident-feedback@netcraft.com with any feedback or for more information.

Kind regards,

Netcraft

Phone: +44(0)1225 447500
Fax: +44(0)1225 448600
Netcraft Issue Number: 74317036

To contact us about updates regarding this attack, please respond to this email. Please note: replies to this address will be logged, but aren't always read. If you believe you have received this email in error, or you require further support, please contact: support@netcraft.com.

This mail can be parsed with x-arf tools. Visit http://www.xarf.org/ for more information about x-arf.
--_----------=_175603908438423472974
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Content-Type: message/feedback-report
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Sun, 24 Aug 2025 12:38:04 +0000

Feedback-Type: xarf
User-Agent: Netcraft
Version: 1
--_----------=_175603908438423472974
Content-Disposition: attachment; filename="xarf.json"
Content-Transfer-Encoding: base64
Content-Type: application/json; charset=utf-8; name="xarf.json"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.030 (F2.85; T2.17; A2.20; B3.15; Q3.13)
Date: Sun, 24 Aug 2025 12:38:04 +0000

eyJSZXBvcnQiOnsiRmlyc3RTZWVuIjoiMjAyNS0wOC0yM1QwNjoyMzoyOVoiLCJTb3VyY2VJcCI6
IjEwOS43MS40NC4xNjkiLCJSZXBvcnRlck5vdGVzIjoiU2VlIGh0dHBzOi8vaW5jaWRlbnQubmV0
Y3JhZnQuY29tLzFkMDA0YzU5MTg1Yy8gZm9yIG1vcmUgaW5mb3JtYXRpb24iLCJSZXBvcnRlckNh
c2VJRCI6Ijc0MzE3MDM2IiwiU291cmNlVXJsIjoiaHR0cHM6Ly9tYWsucHQvLm9kdWsvb2ltei5o
dG1sIiwiRGF0ZSI6IjIwMjUtMDgtMjRUMTI6MzY6NTBaIiwiUmVwb3J0Q2xhc3MiOiJDb250ZW50
IiwiUmVwb3J0VHlwZSI6IlBoaXNoaW5nIn0sIkRpc2Nsb3N1cmUiOnRydWUsIlZlcnNpb24iOiIx
IiwiT25CZWhhbGZPZiI6eyJDb21wbGFpbmFudE9yZ0VtYWlsIjoidGFrZWRvd24tcmVzcG9uc2Ur
NzQzMTcwMzZAbmV0Y3JhZnQuY29tIiwiQ29tcGxhaW5hbnRPcmciOiJDZXRlbGVtIiwiQ29tcGxh
aW5hbnRPcmdEb21haW4iOiJ3d3cuY2V0ZWxlbS5mciJ9LCJSZXBvcnRlckluZm8iOnsiUmVwb3J0
ZXJPcmdEb21haW4iOiJuZXRjcmFmdC5jb20iLCJSZXBvcnRlck9yZyI6Ik5ldGNyYWZ0IiwiUmVw
b3J0ZXJPcmdFbWFpbCI6InRha2Vkb3duLXJlc3BvbnNlKzc0MzE3MDM2QG5ldGNyYWZ0LmNvbSJ9
fQ==

--_----------=_175603908438423472974--