Subject: A new settings file for the email@example.com mailbox
Dear user of the blahblah.tld mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (firstname.lastname@example.org) settings were changed. In order to apply the new set of settings click on the following link:
Best regards, blahblah.tld Technical Support.
The link is a forgery: the address underneath it is actually blahblah.tld.polikka.eu/owa/service_directory/settings.php
polikka.eu was registered just today; the registration details are:
October 14, 2009
October 14, 2009, 4:35 pm
Probably fake, you might think, except that "j.k. Droujba-1" is an address in Sofia, not Paris. And it belongs to a company called GE-88 Ltd, who have a website at ge-88.com. So, the email address in the WHOIS does seem to trace back to a Bulgarian company. And what does GE-88 Ltd do? Ummm.. well, it appears to manufacture alloys. It could be fake, or perhaps their mailserver is compromised..
Nameservers are ns1.supranull.com and ns1.trapsing.net (18.104.22.168 - Noc4Hosts Inc) (although the site is not resolving at the moment).
Just as I was typing this in, another one came through using the domain oikkkkua.co.uk as a redirector:
805 E. Stocker
Webfusion Ltd t/a 123-Reg.co.uk [Tag = 123-REG]
Registered on: 14-Oct-2009
Renewal date: 14-Oct-2011
Last updated: 14-Oct-2009
Registration request being processed.
Again, this one isn't resolving yet but it was just registered today.