Select Page

For more phishing samples, see my phishy email collection.

Somebody paid attention to details with this forgery. It only one small typo. There’s no easy way to tell where this really came from by looking at the content. But hover over the link to see where it really points – why would Netflix have a billing center in France? I give it a B+. I’ll paste in the relevant portions of the email header below the screenshot.

Relevant portion of the email header

Received: from ( by
mail2016.infrasupport.local ( with Microsoft SMTP Server id
15.1.1531.3 via Frontend Transport; Mon, 26 Oct 2020 21:38:46 -0500
From: Netflix
Subject: Your payment information has been updated.
Date: Tue, 27 Oct 2020 02:38:45 +0000

Great job of managing details. Notice the forged Netflix name in the email header. But a whois lookup for IP Address shows it actually came from Comcast.

NetRange: -
NetName:        CCCH3-4
NetHandle:      NET-50-128-0-0-1
Parent:         NET50 (NET-50-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS7922
Organization:   Comcast Cable Communications, LLC (CCCS)
RegDate:        2010-10-21
Updated:        2016-08-31

We can narrow it further by looking at the reverse DNS name. The Linux host command shows it’s apparently part of a static IP Address block inside Comcast, which suggests it came from a compromised server and not a home computer.

# host domain name pointer