The Latest in IT Security

dpolg-bundespolizei.org is not DPolG or the Bundespolizei

31
Aug
2011

DPolG is a staff a association of the German Federal Police (Bundespolizei). So you might expect that dpolg-bundespolizei.org is something to do with the DPolG.. especially when the www.dpolg-bundespolizei.org resolves to 77.87.229.14, which is the same IP address as bundespolizei.de which is the German Federal Police.

But something is very wrong with this domain.Let’s start with the WHOIS details:

Domain ID:D163178250-LROR
Domain Name:DPOLG-BUNDESPOLIZEI.ORG
Created On:30-Aug-2011 11:02:35 UTC
Last Updated On:30-Aug-2011 11:02:35 UTC
Expiration Date:30-Aug-2012 11:02:35 UTC
Sponsoring Registrar:Regtime Ltd. (R1602-LROR)
Status:TRANSFER PROHIBITED
Status:ADDPERIOD
Registrant ID:CO1014850-RT
Registrant Name:ALex Potolot
Registrant Organization:ALex Potolot
Registrant Street1:49-12 Shepherd Street
Registrant Street2:
Registrant Street3:
Registrant City:London
Registrant State/Province:London
Registrant Postal Code:W12 7HF
Registrant Country:GB
Registrant Phone:+44.2073290240
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:[email protected]

It’s kind of odd that a German police domain should be registered to a person in the UK using a free email address. But what is odder is that the address does not exist. Although there is a Shepherd Street in London, the postcode is not W12 7HF, that’s the postcode for Stanlake Road in Hammersmith. Shepherd Street’s postcode begins W1J 7Jx in any case, and there’s no number 49 on that road (it is approximately the location of the Park Lane Mews Hotel).

Let’s check the nameservers:
Name Server:NS1.NAMESELF.COM
Name Server:NS2.NAMESELF.COM
Nameself.com is DNS service for Russian registrar WebNames.ru. (aka Regtime Ltd) who are also the domain registrar. Why would the German police use a Russian registrar?

The next clue is in the MX handlers – these are the servers that handle mail for dpolg-bundespolizei.org:

  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 20 ALT1.ASPMX.L.GOOGLE.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 20 ALT2.ASPMX.L.GOOGLE.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX2.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX3.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX4.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 30 ASPMX5.GOOGLEMAIL.COM
  dpolg-bundespolizei.org MX (Mail Exchanger) Priority: 10 ASPMX.L.GOOGLE.COM
So, the domain is using Google for mail handling. DPolG use their own mailservers, not Google.

Something is definitely amiss here, and it wouldn’t be the first time that the Bundespolizei name was used for malicious purposes as there has been a recent rash of malware using it. On balance, a domain with a fake UK address registered via a Russian registrar and using Google for mail handling is unlikely to be legitimate. Avoid.

  1. Waschtrommel September 7, 2011

    Hi,

    the domain is probably used for email purposes of a so-called “bundes-trojaner’ hoax:
    see
    http://www.trojaner-board.de/103221-bundespolizei-neue-variante-vom-bundes-trojaner.html#post700213

    Regards, haimerl

Leave a reply


Categories

FRIDAY, OCTOBER 23, 2020
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments