
Ask HN: How best to report phishing emails to a domain holder? - Swinx43
I have received a phishing email from an email address using the Northeastern Illinois University. I cannot find an address to which to send an email regarding this and get no response on Twitter.

What is the best way to report this?
======
devillius
I would send emails to abuse@neiu.edu and phishing@neiu.edu. In addition, you
could perform a whois lookup on the domain to get the Technical Contact:
[https://who.is/whois/neiu.edu](https://who.is/whois/neiu.edu) and send an
email to admin@neiu.edu

If you wanted to take it another step forward, here are the folks you could
probably contact:
[https://ssb.neiu.edu/mercury_neiuprod/GZKDIRL.P_DISPLAY_DEPT...](https://ssb.neiu.edu/mercury_neiuprod/GZKDIRL.P_DISPLAY_DEPT_DETAILS?alpha_in=Technology+Services)

Hope this helps.

~~~
Swinx43
Thank you very much for the information.

------
jlgaddis
If nothing else, send a report to soc@ren-isac.net. If NEIU is a member, the
folks at the watch desk will have the ability to immediately get in touch with
someone in security there.

I'm no longer at an .edu (and so no longer a member of REN-ISAC) but this was
a great, quick way to get ahold of someone at another institution quickly.

(n.b.: This goes for pretty much any .edu.)

------
twobyfour
It's also entirely possible that the email isn't being sent by them or anyone
affiliated with them. FROM headers on email are miserably easy to spoof.

I've had thousands of spam emails sent with senders listed as nonexistent
addresses from one of my domains. They were sent from third-party servers (my
servers were not compromised and I had no open relays), and I only found out
because of all the bouncebacks from naive receiving servers.

The only thing the domain holder can do at that point is to set up DomainKeys
and similar measures - which still won't prevent spammers from using the
domain, it'll just cause more of the mail to bounce back as spam.

~~~
Swinx43
Thank you very much for that information. I was wondering what one can do if
the email address is actually spoofed and not coming from the domain it seems
to.

~~~
notspanishflu
You need to watch the email headers and look for the originating IP. Then
you'll see if the presumed FROM address is what it says.

If it's a spoofed email, send an abuse report to the owner of that
originating IP [+], including full headers and full body text.

[+] If the originating IP is from a country you know it won't give a shit,
look for the next jump.
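
The header check described in the comment above, as an added example that is not part of the original thread: it walks the Received headers from the oldest hop upward, records which server logged each connecting IP, and compares the From domain with the Return-Path domain. The sample message, the `hops` and `summarize` names, and all addresses are constructed for illustration.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: documentation IP ranges and .example domains only.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [10.0.0.5])
    by imap.recipient.example with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.recipient.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from unknown (HELO mail.university.example) ([203.0.113.45])
    by relay.example.net with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: "IT Helpdesk" <helpdesk@university.example>
To: user@recipient.example

Please verify your account.
"""

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
# Explicit list: ipaddress.is_private would also drop the sample's doc ranges.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def hops(raw):
    """Return [(ip, recording_host)] from Received headers, oldest hop first."""
    msg = email.message_from_string(raw)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(value)
        by = re.search(r"\bby\s+(\S+)", value)
        try:
            ip = ipaddress.ip_address(m.group(1) if m else "")
        except ValueError:
            continue  # no bracketed IP literal in this header
        out.append((ip, by.group(1) if by else None))
    return out

def summarize(raw):
    """Collect the facts an abuse report needs from one raw message."""
    msg = email.message_from_string(raw)
    domain = lambda h: parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
    external = [(str(ip), by) for ip, by in hops(raw)
                if not any(ip in net for net in INTERNAL)]
    return {"from_domain": domain("From"),
            "return_path_domain": domain("Return-Path"),
            "external_hops": external}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Only the hop recorded by a server you trust (here `mx.recipient.example`) is reliable; Received lines older than that were supplied by the sending side and can be forged, which is why the recording host is kept next to each IP.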

------
bjpbakker
First check the domain registration record. Many domain registrations include
an abuse or technical contact, or at least an administrative contact.

If not, try abuse, postmaster, webmaster, et al like suggested by others
already.

------
lm_nop
Additionally, I send phishing emails to reportphishing@apwg.org which alerts
the Anti-Phishing working group... Not sure what happens once they get my
forwarded emails...

------
cypherg
I normally send to admin@, abuse@, phishing@, and hope that at least one doesn't
get kicked back.

------
ryanlol
>What is the best way to report this?

Flag as spam and move on with your life.

~~~
Swinx43
While I appreciate your view of simply brushing it off I would really hope
that someone would pay me the common courtesy of letting me know when people
are spoofing or spamming from a domain I own.

