“And why a server in BVI?”
Actually, the servers appear to be in places like Austin and Houston, Texas, and not at all in the BVI. The company is a shell; the address is a common shell-company mail drop, from what I can see.
Zzzz….. this sounds like a tempest in a teacup.
If you wanna try to unravel it, here's the DNS info:
IP information for 208.91.197.27
IP address: 208.91.197.27
Description: Confluence Networks Inc
Location: Road Town, British Virgin Islands (VG)
Registry: ARIN
Network information
Reverse DNS (PTR record): not available
DNS servers (NS records): ns3.confluence-networks.com (67.15.47.187), ns4.confluence-networks.com (209.61.162.6)
ASN: 40034
ASN name (ISP): Confluence Networks Inc
IP range/subnet: 208.91.196.0/23 (208.91.196.0 – 208.91.197.255)
Hosting information
Summary of domains, mail servers and name servers currently hosted on this IP address.
Number of domains hosted: 1,169,367
Number of mail servers hosted: 944
Number of name servers hosted: 625
Hosting history
Summary of domains, mail servers and name servers hosted in the past on this IP address.
Number of domains hosted: 759,843
Number of mail servers hosted: 1,537
Number of name servers hosted: 1,786
SPAM database lookup
db.wpbl.info: not listed
dnsbl-1.uceprotect.net: not listed
psbl.surriel.com: not listed
recent.dnsbl.sorbs.net: not listed
smtp.dnsbl.sorbs.net: not listed
Number of SPAM hosts on 208.91.196.0/23: 0
Blocklist lookup
Adult hosting: listed
Dshield droplist: not listed
Hackers, Spyware, Botnets etc.: not listed
Open proxy: not listed
Spamhaus droplist: not listed
Open TCP/UDP ports
Status of well-known TCP and UDP ports. Note: the tool does not perform its own port scan but uses data from the ZMap project.
HTTP (tcp/80): closed
HTTPS (tcp/443): closed
DNS (udp/53): open
Network Time Protocol (NTP) (udp/123): closed
NetBIOS Name Service (udp/137): closed
Session Initiation Protocol (SIP) (udp/5060): closed
Domains on 208.91.197.27
tacticalstudiesgroup.com
lungvt.org
it-omsk.com
touche.com
thecolumnists.com
onlinetiredealer.com
audiologia.info
oprmagazine.com
webstatsportal.com
choothomas.com
Domains around 208.91.197.27
IP address       #domains   Example
208.91.197.1            2   you.co
208.91.197.7        56609   myitreviews.com
208.91.197.12           1   xn--y8ja7eb.com
208.91.197.13       15730   funbarca.com
208.91.197.19         852   1019forlife.com
208.91.197.20        2196   gp4k.com
208.91.197.21           2   kentronix.com
208.91.197.22       15323   marceloebrard.org
208.91.197.23       35371   scruncher.com
208.91.197.24       47045   conceptpharm.com
208.91.197.25       47148   ufcwlocal21.org
208.91.197.26      111187   pokedex.com
208.91.197.27     1169367   tacticalstudiesgroup.com
208.91.197.28         254   goindigo.com
208.91.197.29           2   itsupportmanager.com
Mail servers on 208.91.197.27
dc-7b00f05c.wondefullfashions.com
dc-1555add2.wonderfullmusicvideodownload.com
dc-ba7c84ef.wonderfullbisnisku.com
dc-23e60e27.knewwrinkle.com
ms59010166.msv1.invalid.pad4umail.com
creativemindz.com
mail.creativemindz.com
aydinbegenim.com
dc-23ceeab3.ayearwithoutfear.com
dc-a4b2f636.timberfrog.com
Note: maximum of 10 mail servers are shown.
Name servers on 208.91.197.27
mtl2.paysystems.com
mtl1.paysystems.com
ns4.paysystems.com
ns3.paysystems.com
http://www.crystalfable.com
ns0.fiduciaryasset.com
fvg9104.freshvegies.net
fvg9106.freshvegies.net
ns5.spcmg.com
backup.real-net.com
Note: maximum of 10 name servers are shown.
Whois information
NetRange: 208.91.196.0 – 208.91.199.255
CIDR: 208.91.196.0/22
NetName: CONFLUENCE-NETWORK-INC
NetHandle: NET-208-91-196-0-1
Parent: NET208 (NET-208-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS40034
Organization: Confluence Networks Inc (CN)
RegDate: 2011-04-15
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-208-91-196-0-1
OrgName: Confluence Networks Inc
OrgId: CN
Address: 3rd Floor, Omar Hodge Building, Wickhams
Address: Cay I, P.O. Box 362
City: Road Town
StateProv: Tortola
PostalCode: VG1110
Country: VG
RegDate: 2011-04-07
Updated: 2011-07-05
Ref: http://whois.arin.net/rest/org/CN
OrgNOCHandle: NOCAD51-ARIN
OrgNOCName: NOC Admin
OrgNOCPhone: +1-415-462-7734
OrgNOCEmail: [email protected]
OrgNOCRef: http://whois.arin.net/rest/poc/NOCAD51-ARIN
OrgAbuseHandle: ABUSE3065-ARIN
OrgAbuseName: Abuse Admin
OrgAbusePhone: +1-917-386-6118
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE3065-ARIN
OrgTechHandle: TECHA29-ARIN
OrgTechName: Tech Admin
OrgTechPhone: +1-415-358-0858
OrgTechEmail: [email protected]
OrgTechRef: http://whois.arin.net/rest/poc/TECHA29-ARIN
Geo information
Location: Road Town, British Virgin Islands (VG)
Latitude and longitude: 18.42, -64.62
Country information (British Virgin Islands)
Capital: Road Town
Continent: NA (North America)
Population: 21,730
Area: 153 km²
Currency: USD
Top-level domain: .vg
Update information
The information on this page is collected from many different sources on the internet. Below is the last update date given for each source.
AS number information: 2015-03-01
Port scan data: cached, max 2 weeks old
PTR record and DNS servers: cached, max 1 week old
SPAM and blocklist databases: 2015-03-06
Whois information: 2015-03-04
I dunno, and why would they use THAT particular host… even if that Confluence is just an email forwarder to a forwarder to a forwarder, that's problematic, and what are the odds that it would tie in to Luchian or Kailis in ANY way, shape or form? And why a server in BVI? Something isn't right.
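The lookup pasted above reports five DNSBL results as "not listed" and gives two different prefixes for the address (a routed /23 in the network section and a /22 allocation in the whois section). The script below is an added example, not code from this thread or from the lookup site, that reproduces those two checks offline: it builds the reverse-octet DNSBL query names the way RFC 5782 specifies, interprets the answers (NXDOMAIN versus A records inside 127.0.0.0/8), runs the RFC 5782 127.0.0.2/127.0.0.1 health test so that a dead or wildcarded zone is not mistaken for a clean result, and confirms the routed /23 sits inside the ARIN /22. The resolver (fake_resolve) is a constructed stand-in returning canned answers, the zone dead.dnsbl.example is hypothetical, and all function names are mine; to run it against live DNS, replace fake_resolve with any function that returns the A records for a name and an empty list on NXDOMAIN.

```python
import ipaddress
from typing import Callable, Dict, List

# Values copied from the lookup pasted above.
IP = "208.91.197.27"
ANNOUNCED_PREFIX = "208.91.196.0/23"   # "IP range/subnet" in the network section
ARIN_ALLOCATION = "208.91.196.0/22"    # "CIDR" in the whois section
DNSBL_ZONES = [
    "db.wpbl.info",
    "dnsbl-1.uceprotect.net",
    "psbl.surriel.com",
    "recent.dnsbl.sorbs.net",
    "smtp.dnsbl.sorbs.net",
]
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")

# A resolver is any callable returning the A records for a name, [] on NXDOMAIN.
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """RFC 5782: reverse the IPv4 octets and append the zone, so 208.91.197.27
    in psbl.surriel.com is queried as 27.197.91.208.psbl.surriel.com."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def interpret_dnsbl_answer(records: List[str]) -> str:
    """No answer (NXDOMAIN) means not listed; A records inside 127.0.0.0/8 mean
    listed, with the last octet as a zone-specific reason code; anything outside
    127/8 is not a listing (typically NXDOMAIN hijacking by a resolver)."""
    if not records:
        return "not listed"
    codes = set()
    for rec in records:
        addr = ipaddress.IPv4Address(rec)
        if addr not in LISTED_RANGE:
            return "error: non-127/8 answer %s" % rec
        codes.add(int(addr) & 0xFF)
    return "listed (codes %s)" % sorted(codes)


def zone_is_healthy(resolve: Resolver, zone: str) -> bool:
    """RFC 5782 section 5: a DNSBL must list 127.0.0.2 and must not list
    127.0.0.1. A zone failing this is dead or wildcarded, so its "not listed"
    answer for the IP under investigation means nothing."""
    test_listed = interpret_dnsbl_answer(resolve(dnsbl_query_name("127.0.0.2", zone)))
    test_clean = interpret_dnsbl_answer(resolve(dnsbl_query_name("127.0.0.1", zone)))
    return test_listed.startswith("listed") and test_clean == "not listed"


def check_ip(resolve: Resolver, ip: str, zones: List[str]) -> Dict[str, str]:
    """Query each zone for ip, trusting only zones that pass the health test."""
    results = {}
    for zone in zones:
        if not zone_is_healthy(resolve, zone):
            results[zone] = "zone unusable (failed 127.0.0.2/127.0.0.1 test)"
            continue
        results[zone] = interpret_dnsbl_answer(resolve(dnsbl_query_name(ip, zone)))
    return results


def prefix_is_consistent(ip: str, announced: str, allocation: str) -> bool:
    """The routed prefix must contain the IP and must sit inside the registry
    allocation; otherwise the BGP and whois data disagree about the space."""
    addr = ipaddress.ip_address(ip)
    routed = ipaddress.ip_network(announced)
    alloc = ipaddress.ip_network(allocation)
    return addr in routed and routed.subnet_of(alloc)


# Constructed DNS answers so the script runs offline: each real zone above
# answers NXDOMAIN for the IP (matching "not listed" on the page) and passes the
# health test; dead.dnsbl.example is a hypothetical wildcarded zone.
def fake_resolve(name: str) -> List[str]:
    if name.endswith("dead.dnsbl.example"):
        return ["127.0.0.2"]              # says "listed" for every query
    if name.startswith("2.0.0.127."):
        return ["127.0.0.2"]              # mandatory test entry is present
    return []                             # NXDOMAIN for 127.0.0.1 and for the IP


if __name__ == "__main__":
    zones = DNSBL_ZONES + ["dead.dnsbl.example"]
    for zone, status in check_ip(fake_resolve, IP, zones).items():
        print("%-28s %s" % (zone, status))
    print("routed /23 inside ARIN /22:",
          prefix_is_consistent(IP, ANNOUNCED_PREFIX, ARIN_ALLOCATION))
```

The health test is the part worth keeping when reusing this: a lookup page that shows only "not listed" cannot distinguish a clean address from a DNSBL that has gone offline or returns NXDOMAIN for everything.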
“The current system has been set up by somebody with some expertise in security who went out of their way to add protection,” he said.
I'm not saying this was an optimal set-up, but it doesn't seem like it was as simple as someone with a Gmail account. There was some level of obfuscation.