Discontinuation of the 5x2.de email? (Update) I investigated

As the title says

The email address on this site as the contact information is going to be shut down on 31, Jul 2025. I had been too busy to notice, but I found I received a notification on 30, Jun 2025. I really liked the domain name sbu.de so I’m very disappointed.

For that reason, I changed my contact email address.

Full text of the email

Wichtige Ankündigung Abschaltung des E-Mail-Dienstes 5x2.de zum 30. Juni 2025

MIME-Version: 1.0
From: 5x2 Team <support@5x2-online.de>
Subject: Wichtige =?UTF-8?Q?Ank=C3=BCndigung?=: Abschaltung des E-Mail-Dienstes 5x2.de zum 30. Juni 2025
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Message-ID: <syny3j.pbihu5@5x2.de>
To: kt2@sbu.de

Hallo Rikuto Kitazawa,

wir bedanken uns ganz herzlich dafür, dass Sie unseren Freemail-Dienst 5x2.de genutzt haben. Leider müssen wir Ihnen mitteilen, dass dieser Service zum 31. Juli 2025 endgültig eingestellt wird. Ab diesem Datum ist weder der Versand noch der Empfang von E-Mails über Ihr 5x2.de-Postfach möglich.

Bitte sichern Sie sämtliche E-Mails, Kontakte und Anhänge bis zum Abschaltdatum, indem Sie Ihr Postfach lokal archivieren oder auf ein anderes E-Mail-Konto übertragen. Dafür können Sie beispielsweise ein E-Mail-Programm wie Thunderbird oder Outlook per IMAP auf Ihr 5x2.de-Postfach und auf ein neues Postfach (z. B. Gmail, GMX o. Ä.) einrichten und dann die Ordnerstruktur mitsamt allen Nachrichten einfach per Drag & Drop in das neue Konto kopieren. Alternativ stehen spezialisierte Tools zur Verfügung, etwa imapsync (für Linux, macOS, Windows), mit dem Sie Ihre Mailbox automatisiert serverseitig auf einen anderen IMAP-Server spiegeln können, oder MailStore Home (Windows), das vollständige Postfach-Backups anlegt. Nach dem 30. Juni 2025 werden alle Konten und Inhalte unwiderruflich gelöscht.

Die Beendigung des Dienstes erfolgt in Übereinstimmung mit unseren AGB (§5 Kündigung des Vertrages): Ihr Nutzungsvertrag endet automatisch mit der Einstellung des Dienstes, eine zusätzliche Kündigung Ihrerseits ist nicht erforderlich.

Nach §17 DS-GVO werden Ihre personenbezogenen Daten im Zuge der Dienstabschaltung gelöscht, sobald sie nicht mehr zur Vertragserfüllung oder aus gesetzlichen Aufbewahrungsgründen erforderlich sind. Bis zur Löschung gelten unsere Datenschutzerklärung und die gesetzlichen Fristen.

Bei Fragen stehen wir Ihnen gerne unter support@5x2-online.de zur Verfügung.

Noch einmal vielen Dank für Ihre Treue. Wir bedauern, Ihnen diesen Dienst nicht weiter anbieten zu können, und hoffen, dass die Datensicherung für Sie problemlos verläuft.

Mit freundlichen Grüßen

Ihr 5x2.de Team

---------------------------------------------------------------------------

ViWa Invest GmbH
Dorfäckerstraße 25
90427 Nürnberg

Email: support@5x2-online.de

Geschäftsführer: Darko Vipic

HReg: HRB 24218
Amtsgericht Nürnberg

Ust.Id Nr.: DE261348960

---------------------------------------------------------------------------

P.S.

2025-10-17 : Since this article seems to have some demand, I added the email I saved as a keepsake. It basically says, “Sorry for the sudden service termination. You won’t be able to access your emails anymore, so please back them up before the deadline. We’ll delete your personal information as soon as it’s no longer required by law.”

2026-01-22 : I have added an investigation section below.

Investigation（2026-01-22）

Is 5x2.de shutting down a fakenews?

I received several emails pointing out that 5x2.de still running its service. Then I confirmed that both login and sending/receiving emails functioned without issue at least via web.

Suspecting that might be a phishing email, I decided to personally investigate that as a learning exercise. Please do not pursue who is at fault based on this information, because there may be inaccuracies in what I’ve written here.

What’s the conclusion?

Nothing definite was learned.

To begin with, the suspicion that this might be a fakenews stands on the fact that, there has been no other announcement regarding the service’s discontinuation aside from this email.

I should note that the decision to continue using 5x2.de should be made by each individual at their own discretion, after considering the following three facts.

This email was received through a process that is clearly different from normal emails.
This email resembles the one you receive when registering your account.
The name at the beginning of this email’s body is the same name that I registered to the account.

The email when account registration could have been viewed by any number of people who had previously been able to create an account, so it would be easy for a bad actor to imitate that process itself. The problem lies with the name registered to the account, which should be information known only to the user themselves or the system administrator.

Things to Check

First, I had to figure out how to investigate.

Looking the web reveals a jumble of information ranging from rough methods like just looking email header for suspicious elements to discussions of specific authentication technologies. For complete novices, grasping the full picture is difficult in itself.

Putting the details aside for now, I understood the general flow to be as follows:

If any email authentication technologies are listed in the headers, verify them.
Check the Received header to see which servers the email passed through.
Verify the actual IP address of the sender.

Check the header

Return-Path: <support@5x2-online.de>
    from infomail.5x2.de (infomail.5x2.de [78.47.162.61])
    by 5x2.de (b1gMailServer) with ESMTP id 7F99096A
    for <kt2@sbu.de>; Mon, 30 Jun 2025 11:52:31 +0200 (CEST)
MIME-Version: 1.0
X-Mailer: ViWa Mailing System
From: 5x2 Team <support@5x2-online.de>
Subject: Wichtige =?UTF-8?Q?Ank=C3=BCndigung?=: Abschaltung des E-Mail-Dienstes 5x2.de zum 30. Juni 2025
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Message-ID: <syny3j.pbihu5@5x2.de>
x-viwa-trusted: <2a2bb09d040c9ff74b3818125e51320e@5x2.de>
To: kt2@sbu.de

First, let’s just extract the header portion.

What’s immediately clear is that neither SPF nor DKIM, and certainly not DMARC, are being used — literally no authentication technology at all.

That aside, what’s unusual is the absence of a Received header and instead have a cluttered Return-Path header.

The protocol used for forwarding appears to be ESMTP, but the Return-Path information corresponds to the content of the sender’s command MAIL FROM:<sender email address used for error reporting> within the SMTP session, what is called the Envelope From ¹. This is added by the receiving server at the very end of the mail delivery process, so it’s very odd for it to contain anything other than an email address. At first glance, it appears to follow the format of a Received header, but rather than a simple bug, it feels more like mimicry — a clever attempt to deceive humans who take the trouble to check headers.

Moreover, the absence of the Received header indicates this is definitely not a normal email. This is because the content should have been added by the SMTP server (MTA) that received this email.

Possible explanations seem to include the following ²:

The email was delivered directly to the recipient’s mailbox (i.e., not via standard SMTP protocol transmission)
Some mail systems have settings that generate announcement messages delivered directly to the user’s mailbox
The receiving system is configured to omit the Received header

Since I cannot rule out the possibility that the system administrator sent this email directly to my mailbox, it seems I cannot definitively conclude it’s spoofed based solely on the headers.

Check the body

I hadn’t planned to mention this, but the name at the beginning of this email’s body matches the information registered to the account. If this email was sent by an imposter unrelated to the system, it means account information has also been leaked simultaneously — which is absolutely the worst-case scenario³.

Check the SPF records

SPF (Sender Policy Framework) is a domain authentication method where the administrator of the sending mail server pre-registers the addresses used for sending mail in DNS. The receiving server then compares these addresses against those associated with the sender’s domain to verify if they match⁴.

Since there’s no Received: header, the actual sending IP address is unknown, making this check meaningless. Moreover, since the email arrived over half a year ago, the address could very well have changed by now.

Still, let’s take a look for reference. The SPF record for 5x2-online.de can be viewed with nslookup -type=TXT 5x2-online.de.

5x2-online.de   text = "v=spf1 ip4:5.9.97.130 ip4:78.47.197.224/29 ip4:138.201.155.19 ip4:78.47.117.190 ip4:78.46.96.79 ~all"

This SPF record permits email transmission from addresses matching the following patterns:

Addresses matching 5.9.97.130
Addresses within the 78.47.197.224/29 block (specifically 78.47.197.224 - 78.47.197.231)
Addresses matching 138.201.155.19
Addresses matching 78.47.117.190
Addresses matching 78.46.96.79
Senders not matching any of the above are warned as SoftFail (the transmission itself is not blocked).

Ultimately, since the sender address is unknown, verification is impossible, but the address contained in the Return-Path did not match this pattern. That said, because the original rule is lenient, it fails SPF but can still be received.

Incidentally, a WHOIS lookup revealed the address is held by Hetzner Online GmbH (AS24940), a German company. This likely indicates some business relationship with ViWa Invest GmbH, the operator of 5x2.de, but nothing further is known.

Additionally, no records were registered for infomail.5x2.de.

(FYI) What about the emails sent by users?

I’ve been considering the possibility that the system sent the email directly, but as a reference, I’d like to show what headers are added to emails sent by users via the web.

Below is the header portion of an email sent from my own address to the same address.

Return-Path: <kt2@sbu.de>
Received: from smtp.5x2.de (10.0.10.14 [10.0.10.14])
    by 5x2.de with ESMTPS id 19889AB7
    for <kt2@sbu.de>; Sun, 18 Jan 2026 05:27:16 +0100 (CET)
X-Result-Filter: passed=all;iZBViZUL9dnTfwy/fOYHHrPmoxWLud5UZT4KYxe06A/ZuB4K2C8ybJ8kUq1yTEhFsGwpEVG0R2i2YLs2l3RsO3c54CS/sWO4TmoNt6pKzloQlJJmChiI/3dmxxqgzuhXVmUyjmAu8aUJkC11EFqZ/1jfPIg9SGvHfasnE+UPjEzzZ3dsypmoxd97jjhVnhUkUhL6Q+w30T/+7hFmV6HzQj1EgSMtTSoYQgj/iMaViacwoPwKILePsEYyyLq9FNzUsazI5Xo5r80ujkKOFR2HX9A3V5Nq/mycdiK3EYq7jBxUNlc++HMcKTpyXqldNk61lnnr3hLE/5yK4mmAdzd3wDTLvhSv5r9QIGzb6FKZrKkzqALOXd7s2hK7r1PRUSq9tkau8XUuwp6ow/CQ6ZhRUcKjSjrRESKwHNB8JWMMmPn/2yRowl2K8dz9RLqytBbavQh2+NFD0s8JOcA1ESVptMr2HCpK7+4wEKUlszUTSCRsmw45vJexbwz4GrWGemRqNQ1KmPnxDJjogZY428WYO1n88zKAaCiQG291KjDH0TzxdkEFWvojnISP+k+J8SWfEYkHS9JtWkm2yIdgMoSRRDNIFVfjkYqAi6y4NEGNLN2cB1gPvRWcw2RrwI/tLf63/bgPAsqFplNGh/JuBUgF3k5VAgqkrI/8gHsk
Received: from account.5x2.de (account.5x2.de [136.243.126.156])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
     key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
    (No client certificate requested)
    by smtp.5x2.de (Postfix) with ESMTPSA id 7C59916004E
    for <kt2@sbu.de>; Sun, 18 Jan 2026 05:27:16 +0100 (CET)
MIME-Version: 1.0
Date: Sun, 18 Jan 2026 04:27:15 +0000
Content-Type: multipart/alternative;
 boundary="--=_RainLoop_735_279961653.1768710435"
X-Mailer: RainLoop/1.16.0
From: kt2@sbu.de
Message-ID: <12a37ce0503c74b30d88f8a537e173b5@sbu.de>
Subject: test
To: kt2@sbu.de

As mentioned above, “sending and receiving emails works without any issues” is literally true. You can see emails encrypted⁵ with TLS 1.3 being sent from account.5x2.de, received by smtp.5x2.de, and delivered to the user’s mailbox.

Checking the SPF record showed it appeared to be sent from outside the address, so strictly speaking it failed SPF. However, I also sent to an external email address that displays Authentication-Results, and that one cleared SPF, DKIM, and DMARC. This suggests the system likely changes its handling based on whether the destination is internal or external.

The other email

Actually, there is one email I can definitively state was sent from the system. It’s the registration completion email that arrives when you sign up for an account.

Below is its header.

Return-Path: <support@5x2-online.de>
    from infomail.5x2.de (infomail.5x2.de [78.47.162.61])
    by 5x2.de (b1gMailServer) with ESMTP id 7F99096A
    for <kt2@sbu.de>; Fri, 08 Dec 2023 03:05:24 +0100 (CET)
MIME-Version: 1.0
X-Mailer: ViWa Mailing System
From: 5x2 Team <support@5x2-online.de>
Subject: Willkommen bei 5x2.de
Content-Type: multipart/mixed;
    boundary="=_1f0007dda0a704f78c2e2fc87b412335"
Message-ID: <s5bsh0.pdwq4v@5x2.de>
x-viwa-trusted: <ddcba2de83563673a833e8957f0546df@5x2.de>
To: kt2@sbu.de

--=_1f0007dda0a704f78c2e2fc87b412335
Content-Type: multipart/related;
    boundary="=_70634b1ee7e0d96c90789e2939a7e130"

--=_70634b1ee7e0d96c90789e2939a7e130
Content-Type: multipart/alternative;
    boundary="=_f3d27a65811fa04eb6ecef506d553e0f"

--=_f3d27a65811fa04eb6ecef506d553e0f
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit

It’s like two peas in a pod… The absence of a Received header and the content written in the Return-Path (except for the date and time⁶) are exactly the same⁷.

What’s the real story?

I’ve suspected spoofing up to this point, but considering that the header information doesn’t conclusively prove spoofing, and that the name at the beginning of the body matches the one registered to the account, concluding that the service discontinuation email is spoofed would simultaneously mean admitting a data breach occurred. Regardless of the truth, I simply cannot say, “It’s fine, let’s keep using it.”

The real situation is probably that some mailer configuration error or something caused strange headers to be set, and because the email arrived in the mailbox without issue, it was overlooked.

I believe this email is telling the truth, and that’s precisely why I think the service termination has simply been postponed in some form. Indeed, 5x2.de has stopped accepting new registrations. The ViWa Invest GmbH website isn’t updated very actively, and 5x2.de is apparently described only as “our own project,” not as a business⁸.

Let me make one final point clear: don’t pin your hopes on a whimsical extension of life, lest you get burned.

“Unfortunately, no new registrations are possible at this time.”

エンベロープ From | 鳩丸ぐろっさり (用語集)↩︎
spam - email header without recieved or source ip informations - Stack Overflow ↩︎
Unlike Google, there is no way to retrieve registration information from a username or email address without logging in on 5x2.de (at least to my knowledge).↩︎
具体的には、メール送信時に利用するサーバのIPアドレスを送信側のDNSに「SPFレコード」として事前に登録。受信側はメール受信時に送信側のSPFレコードと照合し、なりすましかどうかを判断します –送信ドメイン認証（SPF / DKIM / DMARC）の仕組みと、なりすましメール対策への活用法を徹底解説 – エンタープライズIT [COLUMNS]

↩︎
Since it is simply encrypted between servers, it is not encrypted for system administrators.↩︎
There is a difference that CET is Central European Time (UTC+1)，CEST is Central European Summer Time (UTC+2)↩︎
Actually, in addition to this, I also received another email with the subject line Sicherheitswarnung: Loggen Sie sich auf 5x2.de ein from “Postmaster | 5x2.de” <postmaster@5x2.de> on Wed, 3 Apr 2024 00:15:11 +0200 (CEST). The content stated, “If you wish to continue using email via IMAP/POP3, log in within 7 days.” This email used PHPMailer instead of the ViWa Mailing System and had entirely different headers. Since the sender address was confirmed to be properly from Viwa Invest GmbH, it was excluded from this verification.↩︎
Durch unser eigenes Projekt 5x2.de können wir auf eine leistungsstarke Mailserver-Infrastruktur zurückgreifen.（Thanks to our own project, 5x2.de, we have access to a powerful mail server infrastructure. Translated with DeepL） – Infrastrukturlösungen / Ihr Zugang zur deutschen Post

↩︎