Bitcoin Forum
December 04, 2016, 02:05:00 AM *
Author Topic: OKPAY is scam (probably not)  (Read 12871 times)
jwzguy
April 11, 2012, 04:05:58 PM
 #21

Whoever wrote it certainly didn't lend themselves any credibility by faking the return address.

19wXnWTeGuraN9g5UsMAi119sWzDCQcr7S
Bitcoin Logo shirts!
Maged
April 11, 2012, 04:51:00 PM
 #22

Got it also, from support@okpay.com.

The email wording made it sound like someone who was pissed about the account being frozen, but it's very possible it was frozen for legitimate reasons. And definitely hacking their email server is not cool... so I'd reserve judgement either way in this case.
Not hacked, just impersonating. If they have a good SPF record, most filters will catch it and delete it.

Code:
> okpay.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
okpay.com       text =

        "v=spf1 a:mail.regall.net mx:mail.regall.net +all"
>

^That tells mail server to ignore email purporting to be from okpay.com, UNLESS it comes from "mail.regall.net". However, many servers ignore this option, since it was tacked on to the protocol after SMTP was initially created.
Actually, because of that +all, it says that all mail servers are valid senders for okpay.com. NEVER put +all in your spf record. That alone says that you should avoid OKPAY at all costs, since their security is likely just as bad.

rjk
April 11, 2012, 04:55:16 PM
 #23

Actually, because of that +all, it says that all mail servers are valid senders for okpay.com. NEVER put +all in your spf record. That alone says that you should avoid OKPAY at all costs, since their security is likely just as bad.
Now that you point it out, that is very lame. + is only for testing, and as you noted it allows all senders. They should be using - or ~ which either fails hard or fails soft respectively. Someone should email them and tell them they are doing it wrong.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
dooglus
April 11, 2012, 05:27:23 PM
 #24

the question is: where did they get my email from (ok that's not that hard): but how did they know I have a login there?

maybe it's just a pissed employee

I got the email too and don't have an OKPAY account.  Maybe it was sent to every address from the MtGox and/or Intersango email list leaks.

Here's how my copy looked.  It was CC'ed to me, and sent to myadultweb@gmail.com.

Code:
Received: by 10.112.1.41 with SMTP id 9csp144016lbj;
        Wed, 11 Apr 2012 06:30:37 -0700 (PDT)
Received: by 10.101.72.11 with SMTP id z11mr4048862ank.25.1334151036931;
        Wed, 11 Apr 2012 06:30:36 -0700 (PDT)
Return-Path: <support@okpay.com>
Received: from okpay.com ([69.194.161.228])
        by mx.google.com with SMTP id z65si2441973yhl.65.2012.04.11.06.30.35;
        Wed, 11 Apr 2012 06:30:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of support@okpay.com designates 69.194.161.228 as permitted sender) client-ip=69.194.161.228;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of support@okpay.com designates 69.194.161.228 as permitted sender) smtp.mail=support@okpay.com
Message-ID: <CC273857.CE4024EE@okpay.com>
Date: Wed, 11 Apr 2012 14:09:34 +0100
Reply-To: "OKPAY" <support@okpay.com>
From: "OKPAY" <support@okpay.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.14) Gecko/20080421 Thunderbird/2.0.0.14
X-Accept-Language: en-us
MIME-Version: 1.0
To: "AOL Users" <myadultweb@gmail.com>
Cc: "AOL Users" <dooglus@[me]>
Subject: OKPAY is SCAM!
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello,

I want to warn you that OKPay is scam payment processor.

They were fine while I was making small transfers, but as soon as my
balance reached 11000 USD, they blocked it.

And it's blocked since August last year.

Stay away from OKPAY!

BombaUcigasa
April 11, 2012, 05:37:22 PM
 #25

Please explain this to me:

Quote
OKPAY.COM DNS RECORDS
Record    Type    TTL    Priority    Content
forum.okpay.com    CNAME    1 hour       racoon.regall.net
mail.okpay.com    MX    1 hour    10    mail.regall.net
okpay.com    A    1 hour       67.227.182.219 (Wilmington, DE, US)
okpay.com    MX    1 hour    10    mail.regall.net
okpay.com    NS    1 hour       ns2.regall.net
okpay.com    NS    1 hour       ns1.regall.net
okpay.com    SOA    1 hour       ns.regall.net. kostya.regall.net. 2012011702 3600 7200 12960000 36000
okpay.com    TXT    1 hour       v=spf1 a:mail.regall.net mx:mail.regall.net +all
www.okpay.com    A    1 hour       67.227.182.219 (Wilmington, DE, US)


Quote
REGALL.NET DNS RECORDS
Record    Type    TTL    Priority    Content
mail.regall.net    A    1 hour       173.224.112.179 ()
ns1.regall.net    A    1 hour       173.224.112.179 ()
ns2.regall.net    A    1 hour       188.138.40.123 ()
racoon.regall.net    A    1 hour       173.224.112.179 ()
regall.net    A    1 hour       173.224.112.179 ()
regall.net    MX    1 hour    10    mail.regall.net
regall.net    NS    1 hour       ns2.regall.net
regall.net    NS    1 hour       ns1.regall.net
regall.net    SOA    1 hour       ns.regall.net. kostya.regall.net. 2011102601 3600 7200 129600 36000
regall.net    TXT    1 hour       v=spf1 a:mail.regall.net mx:mail.regall.net ?all
www.regall.net    CNAME    1 hour       racoon.regall.net

Quote
Received: from okpay.com ([69.194.161.228])
        by mx.google.com with SMTP id z65si2441973yhl.65.2012.04.11.06.30.35;
        Wed, 11 Apr 2012 06:30:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of support@okpay.com designates 69.194.161.228 as permitted sender) client-ip=69.194.161.228;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of support@okpay.com designates 69.194.161.228 as permitted sender) smtp.mail=support@okpay.com
defxor
April 11, 2012, 06:13:50 PM
 #26

Got this to an email address that was specifically used for MtGox and has never been used anywhere else.

It's from the MtGox hack. Similar emails have been sent to that list before.
rjk
April 11, 2012, 06:16:10 PM
 #27

Please explain this to me:

Quote
OKPAY.COM DNS RECORDS
Record    Type    TTL    Priority    Content
forum.okpay.com    CNAME    1 hour       racoon.regall.net
mail.okpay.com    MX    1 hour    10    mail.regall.net
okpay.com    A    1 hour       67.227.182.219 (Wilmington, DE, US)
okpay.com    MX    1 hour    10    mail.regall.net
okpay.com    NS    1 hour       ns2.regall.net
okpay.com    NS    1 hour       ns1.regall.net
okpay.com    SOA    1 hour       ns.regall.net. kostya.regall.net. 2012011702 3600 7200 12960000 36000
okpay.com    TXT    1 hour       v=spf1 a:mail.regall.net mx:mail.regall.net +all
www.okpay.com    A    1 hour       67.227.182.219 (Wilmington, DE, US)


Quote
REGALL.NET DNS RECORDS
Record    Type    TTL    Priority    Content
mail.regall.net    A    1 hour       173.224.112.179 ()
ns1.regall.net    A    1 hour       173.224.112.179 ()
ns2.regall.net    A    1 hour       188.138.40.123 ()
racoon.regall.net    A    1 hour       173.224.112.179 ()
regall.net    A    1 hour       173.224.112.179 ()
regall.net    MX    1 hour    10    mail.regall.net
regall.net    NS    1 hour       ns2.regall.net
regall.net    NS    1 hour       ns1.regall.net
regall.net    SOA    1 hour       ns.regall.net. kostya.regall.net. 2011102601 3600 7200 129600 36000
regall.net    TXT    1 hour       v=spf1 a:mail.regall.net mx:mail.regall.net ?all
www.regall.net    CNAME    1 hour       racoon.regall.net

Quote
Received: from okpay.com ([69.194.161.228])
        by mx.google.com with SMTP id z65si2441973yhl.65.2012.04.11.06.30.35;
        Wed, 11 Apr 2012 06:30:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of support@okpay.com designates 69.194.161.228 as permitted sender) client-ip=69.194.161.228;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of support@okpay.com designates 69.194.161.228 as permitted sender) smtp.mail=support@okpay.com
That indicates that some noob didn't set up SPF correctly, and so gmail is allowing the mail to pass normally because of the error.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
max in montreal
April 11, 2012, 06:32:40 PM
 #28

I got the same email but never had an account there. Probably from the leaked info from MT Gox last year. Huh
Stephen Gornick
April 11, 2012, 07:43:59 PM
 #29

Probably from the leaked info from MT Gox last year. Huh

Yes, that is what happened. That is confirmed by the information provided by defxor.

There have been other leaks as well (e.g., pool that had its user database list stolen), so the sender might have sent to additional addresses than just the nearly 40,000 email addresses leaked during the June 2011 Mt. Gox breach, but at least this indicates that it wasn't a new breach that somehow identified specifically who is using OK Pay.

Transisto
April 11, 2012, 08:25:36 PM
 #30

I bet had he written the same on the forum, he would have had help getting his money back and OKpay would have been in a much worse situation.

Must be some 13yo kid ... with 11000$ ? well whatever.
MagicalTux
Working on new MtGox features
April 11, 2012, 10:00:08 PM
 #31

Please explain this to me:

Quote
OKPAY.COM DNS RECORDS
Record    Type    TTL    Priority    Content
forum.okpay.com    CNAME    1 hour       racoon.regall.net
mail.okpay.com    MX    1 hour    10    mail.regall.net
okpay.com    A    1 hour       67.227.182.219 (Wilmington, DE, US)
okpay.com    MX    1 hour    10    mail.regall.net
okpay.com    NS    1 hour       ns2.regall.net
okpay.com    NS    1 hour       ns1.regall.net
okpay.com    SOA    1 hour       ns.regall.net. kostya.regall.net. 2012011702 3600 7200 12960000 36000
okpay.com    TXT    1 hour       v=spf1 a:mail.regall.net mx:mail.regall.net +all
www.okpay.com    A    1 hour       67.227.182.219 (Wilmington, DE, US)

v=spf1 a:mail.regall.net mx:mail.regall.net +all

+all means "everybody welcome"

zer0
April 11, 2012, 11:18:07 PM
 #32

Typical black PR. 'I got scammed, here is zero proof'
I know a few WMZ and LR exchangers that use OKpay bank accounts as their own for receiving wires and sending funds in huge amounts, and no indication they've been scammed; everything biz as usual.

Stephen Gornick
April 13, 2012, 05:29:49 PM
 #33

Nice, now the disgruntled customer (or scammer or whatever) is claiming "OKPAY is closing".  Got this email:

Quote
From: "OKPAY" <support@okpay.com>
To: [me]
Subject: OKPAY Closing
Date: Fri, 13 Apr 2012 17:58:02 +0100


Dear partners,

Due to legal issues OKPay will close all operations by May 1. 2012.

Please use this time to withdraw your available balance.

Sincerely yours,
Konstantin Romanovsky
OKPay CEO
http://www.okpay.com
D x O


Nice try!

rjk
April 13, 2012, 09:37:57 PM
 #34

Nice, now the disgruntled customer (or scammer or whatever) is claiming "OKPAY is closing".  Got this email:

Quote
From: "OKPAY" <support@okpay.com>
To: [me]
Subject: OKPAY Closing
Date: Fri, 13 Apr 2012 17:58:02 +0100


Dear partners,

Due to legal issues OKPay will close all operations by May 1. 2012.

Please use this time to withdraw your available balance.

Sincerely yours,
Konstantin Romanovsky
OKPay CEO
http://www.okpay.com
D x O


Nice try!

Wow, what a dick move.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
OKPAY
OKPAY Inc. representative
April 16, 2012, 08:56:00 AM
 #35

Quote
Why can I encounter with the “OKPAY is scam” information?

As we have already stated our policy in relation to any illegal activity (scam, fraud, phishing, money laundering) is very strict. We value and protect our honest and decent customers; we do not tolerate the violation of the safety and rights of the OKPAY Community.

Therefore all sorts of hackers, scammers and fraudsters that got banned by the Security Service are trying to compromise and falsify the information and spreading various rumors about "okpay is scam", "okpay is closing", etc. These rumors are without any foundation and are aimed only at discrediting the name of the Company.
https://www.okpay.com/en/company/news/okpay-aml-scam-prevention.html

The situation is exactly as described. Security department found illegal activity (fake documents and money laundering case). In order to resolve the situation and clear the transaction, a scammer was asked to complete verification steps.

Bitcoin >> OKPAY payments are instant. We require 6 confirmations to complete a transfer.
Stephen Gornick
April 16, 2012, 10:52:56 AM
 #36

spreading various rumors about "okpay is scam", "okpay is closing", etc. These rumors are without any foundation and are aimed only at discrediting the name of the Company.

Well, at least now you have your DNS configured with SPF properly (and thus the next attempt if there is one will likely go to my spam box):

"v=spf1 a:mail.regall.net mx:mail.regall.net ~all"  (reportedly was +all before, per MagicalTux above).

 - http://en.wikipedia.org/wiki/Sender_Policy_Framework
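
The effect of the trailing qualifier discussed in this thread, as an added example (not code from any poster or from OKPAY): a minimal evaluator for the `a`, `mx`, `ip4` and `all` mechanisms, run against the `+all` record and the corrected `~all` record. The function `check_spf` and the lookup tables are hypothetical names; the tables are a constructed stand-in for live DNS, filled from the record listings quoted earlier.

```python
import ipaddress

# Qualifier prefix -> result (RFC 7208); a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for live DNS, copied from the record tables quoted above.
A_RECORDS = {"mail.regall.net": ["173.224.112.179"],
             "okpay.com": ["67.227.182.219"]}
MX_RECORDS = {"okpay.com": ["mail.regall.net"],
              "regall.net": ["mail.regall.net"]}

def _host_has_ip(host, ip):
    return any(ip == ipaddress.ip_address(a) for a in A_RECORDS.get(host, []))

def check_spf(record, client_ip, domain="okpay.com"):
    """Evaluate a, mx, ip4 and all left to right; the first match decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name, target = name.lower(), arg or domain
        if name == "all":
            matched = True
        elif name == "ip4" and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _host_has_ip(target, ip)
        elif name == "mx":
            matched = any(_host_has_ip(h, ip) for h in MX_RECORDS.get(target, []))
        else:
            return "permerror"  # include, redirect, etc. are outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

SPOOFER = "69.194.161.228"  # client-ip from the Received-SPF header in the thread
ORIGINAL = "v=spf1 a:mail.regall.net mx:mail.regall.net +all"
CORRECTED = "v=spf1 a:mail.regall.net mx:mail.regall.net ~all"

if __name__ == "__main__":
    for rec in (ORIGINAL, CORRECTED, CORRECTED.replace("~all", "-all")):
        # Columns: final term, result for the spoofing host, result for the real mail host
        print(rec.split()[-1], check_spf(rec, SPOOFER),
              check_spf(rec, "173.224.112.179"))
```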


OKPAY
OKPAY Inc. representative
April 17, 2012, 08:13:00 AM
 #37


Well, at least now you have your DNS configured with SPF properly (and thus the next attempt if there is one will likely go to my spam box):

Yep, thank you!

Bitcoin >> OKPAY payments are instant. We require 6 confirmations to complete a transfer.
Raoul Duke
aka psy
April 17, 2012, 09:51:29 AM
 #38

Only the fact that they list an A record followed by a MX record that resolves to the same IP as the A on their SPF says everything. The +all at the end is just the icing on the cake lol


rjk
April 17, 2012, 12:59:25 PM
 #39

Only the fact that they list an A record followed by a MX record that resolves to the same IP as the A on their SPF says everything. The +all at the end is just the icing on the cake lol


It's possible for both values to be different, and happens often with large installations.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Raoul Duke
aka psy
April 17, 2012, 05:40:11 PM
 #40

Only the fact that they list an A record followed by a MX record that's exactly the same hostname as the A on their SPF says everything. The +all at the end is just the icing on the cake lol


It's possible for both values to be different, and happens often with large installations.

That would be true if they used IP addresses or different hostnames. Given that they are using a hostname, using the same value on both is redundant, even if the hostname resolves to 10 different IP addresses (which isn't the case).
I didn't word it correctly, sorry about that. I fixed my statement on the above quote.
