Q: Is this a spam message? (Kopano subscription expired)
micro last edited by bhuisman
some minutes ago we received an email which obviously is treated as unsolicited content and may contain malicious results if clicked on any of the links listed. It seems it is targeted to real Kopano customers, be warned if you receive such mail messages! The message claims that your Kopano subscription expired and you should renew it soon. This is how the email looks like when you receive it (company name and serial numbers are obfuscated):
Sender: Kopano Team <firstname.lastname@example.org>
Subject: Your Kopano subscription expired. Renew now to receive a custom deal.
Your Kopano subscription has expired. Find out what to do. View this email in your browser.
Just a quick email to let you know that your Kopano subscription has expired. If you’d like to keep using Kopano, please renew your subscription now. All serials that are not renewed will be removed on 31 January 2020.
Why renew? Here are two of many good reasons:
Access to QA-tested packages
Professional support services
Customized Renewal Deal
If you renew your subscription before December 31, 2019, you’ll be entitled to a one-time, tailor-made deal! Don’t want to renew? Let us know so we can delete your serial from our systems.
Serial (displaying max. 10) Company Users Expire Date
ZBJWE0S4GHEKFBV4HQGH8FSLM Our Company Name 5 2016-03-14
ZFGHT3T2VHFLE9FHJGHJ0HFVV Our Company Name 100 2016-03-14
Background info: we are subscriber/customer of Kopano and the email sender was email@example.com but we never received such email from this sender in the past. Our reseller is not involved with this incident. The serial numbers noted in this message was not correct, our serial is quite different. According the information here, there must have been leaked data from Kopano! because in the past we had two licenses like shown here, one was 5 user, and the other one 100. This is real information although the serials are not correct.
First of all here is some detail retrieved from the email source header. Please note that I obfuscated the real content so the meta data will not match. However it shows the real message header source content how we received it:
Return-Path: <firstname.lastname@example.org> Received: from myhost.mydomain.tld ([::ffff:127.0.0.1]:38533) by myhost (kopano-dagent) with LMTP; Fri, 29 Nov 2019 11:02:11 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by myhost.mydomain.tld (Postfix) with ESMTP id 24B91308BA2 for <email@example.com>; Fri, 29 Nov 2019 11:02:11 +0100 (CET) X-Virus-Scanned: Fedora amavisd-new at myhost.mydomain.tld Received: from myhost.mydomain.tld ([127.0.0.1]) by localhost (myhost.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uvAeS-VW_IL3 for <firstname.lastname@example.org>; Fri, 29 Nov 2019 11:02:07 +0100 (CET) Received: from mta.mydomain.tld (mta.mydomain.tld [192.168.100.149]) by myhost.mydomain.tld (Postfix) with ESMTP id 5466105184B for <email@example.com>; Fri, 29 Nov 2019 11:02:07 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by mta.mydomain.tld (Postfix) with ESMTP id 54BC3A5E13 for <firstname.lastname@example.org>; Fri, 29 Nov 2019 11:02:07 +0100 (CET) X-Virus-Scanned: Fedora amavisd-new at mta.mydomain.tld Received: from mta.mydomain.tld ([127.0.0.1]) by localhost (mta.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XLwXqcV-_rFa for <email@example.com>; Fri, 29 Nov 2019 11:02:06 +0100 (CET) X-Greylist: delayed 1519 seconds by postgrey-1.35 at mta; Fri, 29 Nov 2019 11:02:05 CET Received: from mail179.suw16.mcsv.net (mail179.suw16.mcsv.net [184.108.40.206]) by mta.mydomain.tld (Postfix) with ESMTPS id 8D31D4DA73 for <firstname.lastname@example.org>; Fri, 29 Nov 2019 11:02:05 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchimpapp.net; s=k1; t=1393782400; i=info=9B4Fkopano.email@example.com; bh=qV8Tn331lI3n66DvcpQ56uZ46VnrR3m1mMm3O0611Xz=; h=Subject:From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe: Content-Type:MIME-Version; b=md8J4nfJqjf831Vuaie8355VvhjHqjJv73Jfg(1q94Hh18aH3hfHvcnqpg81Nq8NF K3ja812JnfikLq88qJjcN18fvgHj3qifs56VkdW4m9fjbx5fVG1fj15H44n3mmX00z Krjh8h1HQ841L89iI1a62An49a2F220V93Jfk43D= Subject: =?utf-8?Q?Your=20Kopano=20subscription=20expired.=20Renew=20now=20to=20receive=20a=20custom=20deal.?= From: =?utf-8?Q?Kopano=20Team?= <firstname.lastname@example.org> Reply-To: =?utf-8?Q?Kopano=20Team?= <email@example.com> To: <firstname.lastname@example.org> Date: Fri, 29 Nov 2019 10:46:17 +0000 Message-ID: <email@example.com> X-Mailer: MailChimp Mailer - **BL3mR4xnEr33k2D3N8D6g4F** X-Campaign: mailchimp0a5b12a063be11a8c4f3acc45.92ca3a94b1 X-campaignid: mailchimp0a5b12a063be11a8c4f3acc45.92ca3a94b1 X-Report-Abuse: Please report abuse for this campaign here: https://mailchimp.com/contact/abuse/?u=0a5b12a063be11a8c4f3acc45&id=92ca3a94b1&e=e83bb5a77c X-MC-User: 0a5b12a063be11a8c4f3acc45 Feedback-ID: 51991294:51991294.3736113:us1:mc List-ID: 0a5b12a063be11a8c4f3acc45mc list <0a5b12a063be11a8c4f3acc45.617293.list-id.mcsv.net> X-Accounttype: bf List-Unsubscribe: <https://kopano.us1.list-manage.com/unsubscribe?u=0a5b12a063be11a8c4f3acc45&id=a736104762&e=e83bb5a77c&c=92ca3a94b1>, <mailto:firstname.lastname@example.org?subject=unsubscribe> List-Unsubscribe-Post: List-Unsubscribe=One-Click Content-Type: multipart/alternative; boundary="_----------=_MCPart_577163952" MIME-Version: 1.0
There have been reported similar attacks from this host in the past, as you can read here:
Many of you certainly know there were data leaked from Zarafa in the past with names and email addresses of customers. You’ll find the list here:
However this leak seems to be something different and not related to the old forum leak.
==> We have reported this incident to the affected domain hoster, mail provider and ISP of that attacer because their services are abused. They should check this and block its access from the net.
It is worth to mention it here because you might also get this spam message. Maybe the Kopano team can investigate further and take some precautionary actions to inform their subscribed customers.
Thanks for listening.
This post is deleted!
bhuisman last edited by
Thanks for being alert on such messages. However - this is a legitimate message, part of campaign to remind customers that did not renew their subscriptions for some time, and make them a special offer to renew their subscription with Kopano. Not intended to cause a stir or to scare customers. This campaign is sent through Mailchimp.
This message does not contain any leaked data, and there was no data leaked - the serials you have received in the email are actual serials and are or have been associated with your email address. I am unable to verify this since you have obfuscated the serials (if you want me to check, send them in a direct message).
As you have seen, the buttons at the bottom of the message have a final destination of a form where you can ask to be contacted by our sales team. None of your personal data is present there either.
It would have been great if - instead of reporting the message to various organizations - you would have checked with us if the email was intended and legitimate. The only way you could have received such a message, is if you are an existing Kopano customer or have been in the past.
Feel free to contact me via DM, email or our sales team if you have any followup questions or concerns.
ps. I am going to change the topic title to be less misleading.
micro last edited by micro
thanks for coming back and investigating into this topic. I will contact you in a separate mail to this.
Well, I never received such a “Subscription expired” message in the past years and as I showed the message lists a serial which is not valid since 3 or 4 years. I have checked that before sending out this email on our Kopano Portal. This was a sign that the data is not actual and additionally this email message stated, that our license has expired in 2016. Well we have end of 2019 now. That all caused me to be careful.
I know from other experiences that are many bad guys out there abusing services of well-known companies and they try this by sending out phishing mails. We had some attacks in the past, one of them even were successfull for the attacker (not by email but by faking invoices with different account bank numbers which we received). I also know (for sure!) there are tons of faked newsletters that have only one intention: to let the customer click onto the “unsubscribe” link at the bottom, which in real is ==> a fake! by clicking on the unsubscribe link the user is not really unsubscribed, but he acknowledged/confirmed that he is a real human behind a real email address. So he got victim, his mail address is distributed across a large illegal network and he will receive tons of spam messages in future. No, this is nothing I tell for joke or for scaring anyone, this is real !
for reasons of all that I did NOT click on any of the links of this message and for sure not on the unsubscribe link. As I knew about the data leak of the old zarafa forum, I took the time to investigate and post this warning message because my intention was to protect others out there. I am sorry for any inconvenience caused and at the same time thankful for fast feedback of Felix and you.
I will send you a separate message. Thanks for your understanding.
wleithner last edited by
We received a similiar message and did some research before allerting anyone.
Our security systems cleared the Sender, Domain and involved Servers so we got in contact with kopano and got these, quite old, serials removed.
No need to trouble anyone. Took us about 10 minutes to verify all.