Thread: ateinc.net ???
December 31st 17, 11:17 PM posted to alt.windows7.general
VanguardLH[_2_]

Paul in Houston TX wrote:

wrote:

I have received an email from this address twice now:

ateinc.net/.smx/rec.htm

wanting to verify my identity. Naturally I turned it off.
Anyone recognize it?


They are in Virginia, USA, probably CIA, NSA, FBI, etc.


Wrong. Perhaps you intended to be facetious but forgot a smiley.

https://www.whois.com/whois/ateinc.net
Indonesian registrant
I was surprised the registrant doesn't hide behind a private domain
registration; however, despite IANA requiring a registrar to verify
validity of registrant information, registrants do lie. According to
the WhoIs information, that domain's registration expired back on

Their IPv6 addresses are to Cloudflare, a large CDN (Content Delivery
Network) often used for ad content but also other content. Their IPv4
addresses don't have a reverse DNS lookup. When I do an IPWhois on
their IPv4 addresses, they are in Cloudflare's IP pool.

When I look at their web site's code, there are lots of links to paths
that look like customer names. So it looks like it is a low-end or 3rd
tier webhosting provider where each web "site" is a path under their
domain (instead of providing direct domain redirection to the webhosted
site although it's possible to have both routes to a webhosted site).
Some of the sub-sites a

http://ateinc.net/wohnzimmer-orange-grau/ (Wohnzimmer Orange Grau)
http://ateinc.net/bad-braun/ (Bad Braun)
http://ateinc.net/spitzboden-ausbauen-ideen/ (Spitzboden Ausbauen Ideen)
http://ateinc.net/farben-wand-ideen-braun/ (Farben Wand Ideen Braun)
http://ateinc.net/schone-badezimmer-fotos/ (Schöne Badezimmer Fotos)
and so on

There was no navpath listed in their home page with "smx" as a substring
so it is a direct path (not linked on their home page). When I attempt
to go to ateinc.com/.smx/rec.html (to get headers, not to render the
page), I get the "404 Not Found" error page. So they dropped that
rec.html under that navpath. Could be it got reported as a phish site.
Could be they're done phishing ... for now.

Have no idea what the OP meant by "turned it off". You don't turn off
URLs. Those are just strings. Also, since an exhibit of the spam or
phish e-mail was not presented here for analysis, it is unknown if the
URL string the OP mentioned is from the href attribute of an A tag (to
where the hyperlink actually points) or from the comment section of the
A tag which can be anything. What a client displays as the URL for a
hyperlink is quite often the comment, not the actual URL. Also, the
Received headers would show from where the spam or phish e-mail
originated, not what the sender claimed in the From header. Without an
exhibit of the e-mail (with the recipient's headers obfuscated to hide
their e-mail address), it is not possible to know where the hyperlink actually
pointed or from where the e-mail originated.

The OP wants us to analyze an e-mail never presented. Zim zim ala bim,
the spirits are about to speak. Damn, my crystal ball needs a new
battery. Those take months to deliver, especially for my model that
takes 1.21 gigawatts (https://www.youtube.com/watch?v=I5cYgRnfFDA).
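
The two checks the post above describes (a link's href versus the text the client displays, and the Received chain versus the claimed From header), as an added example that is not part of the original post. The message, hosts and addresses are constructed sample data, and `LinkCollector`, `host` and `analyze` are hypothetical names.

```python
# Added example: SAMPLE is a constructed message, not the e-mail from this thread.
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE = """\
Received: from mail.example.org (mail.example.org [203.0.113.7])
 by mx.recipient.example; Sun, 31 Dec 2017 10:00:00 -0600
Received: from [198.51.100.23] (unknown [198.51.100.23])
 by mail.example.org; Sun, 31 Dec 2017 09:59:58 -0600
From: "Account Security" <security@bank.example>
Subject: Verify your identity
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://hosting.example/.x/rec.htm">https://bank.example/verify</a>
or <a href="https://bank.example/help">contact support</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every A tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def analyze(raw):
    msg = message_from_string(raw)
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    # Flag links whose visible text looks like a URL but names a different host.
    mismatched = [(h, t) for h, t in parser.links
                  if re.match(r"(https?://|www\.)", t, re.I) and host(t) != host(h)]
    # Each relay prepends its Received header, so the last one is the earliest hop.
    hops = [" ".join(r.split()) for r in msg.get_all("Received", [])]
    return {"from": msg["From"], "origin_hop": hops[-1] if hops else None,
            "mismatched": mismatched}
```

Received lines below the first relay you control are written by upstream servers and can be forged, so treat the earliest hop as a lead rather than proof.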