When a friend of mine told me someone had registered a similar domain name to theirs, with a different suffix, and had been sending phishing emails with a forged signature to a variety of unrelated and unknown businesses, I was happy to help. After verifying there was no evidence of email or environment compromise, or internal data being spilled (just the letterhead), I looked at the forged domain and emails.
One of the recipients was kind enough to send me a copy of the email, with headers. I was interested to note that the IP of the MUA sending the message was not present – the first MTA was the first IP in the list. So, I looked to the domain.
The registrar, domain privacy provider, and large org hosting the email all ignored my abuse complaints. I made a complaint with Netbeacon, who took the evidence I provided and sent it through the right channels. The domain was de-registered the following day.
Thanks, Netbeacon!