📧 The Official Spam Emails Thread™



  • @ben_lubar I wish the people attached to those faceless voices could be told that their voice talent is being used for a scam.



  • [screenshot]


  • FoxDev

    @anotherusername said in 📧 The Official Spam Emails Thread™:

    [screenshot]

    oooh... proxy abuse to get the outlook.com domain in the URL..... nice.



  • @accalia yeah, between that and the sender address (not sure if spoofed, hacked, or if they somehow managed to snag that domain name) it looks surprisingly legit. They're getting smart. :/



  • @anotherusername
    Kratos Defense? Isn't Kratos a character from a video game?



  • @aliceif yes... both a Greek mythological character and a video game character.

    And, apparently, a real company.



  • @accalia actually, I'm not seeing anything in the email headers that strongly suggests spoofing. (Then again, I'm not 100% sure what to look for.)


  • I survived the hour long Uno hand

    @anotherusername
    Normal things I'm looking for in the header of a suspect email is:

    • Did the e-mail pass SPF (though at this point, if it doesn't, your mail client almost certainly will put it in Junk E-mail)
    • Did the e-mail pass DMARC/DKIM? Below is an example of a "soft pass" - DMARC isn't completely set up for this sending domain, but based on SPF results and some other DNS lookups, the IP and domain seem to match (IP and domains changed to protect the innocent)

    Authentication-Results: spf=pass (sender IP is 987.789.987.789)
    smtp.mailfrom=foo.bar; example.com; dkim=none (message not signed)
    header.d=none;example.com; dmarc=bestguesspass action=none
    header.from=foo.bar;example.com; dkim=none (message not signed)
    header.d=none;

    • Is there a Reply-To address header that differs from the From header? (which would be a soft spam indicator)
    • Is there an X-Sender address header? If so, are the From and X-Sender headers from different domains? (VERY MAJOR spoofing indicator)

    The X-Sender / From header is the most common way now to "sneak" the spoofed From address through - Outlook and similar mail clients will show the results of the "From" header, but most SPF checks will pass if either the X-Sender or the From matches the sending IP. Which is where DMARC comes in, because that's providing an authoritative list of "these domains are allowed to X-Sender with my From domain", but DMARC hasn't been widely adopted yet, so X-Sender spoofing is still a thing.



  • @izzion

    Authentication-Results: spf=pass (sender IP is 148.163.157.244)
     smtp.mailfrom=kratosdefense.com; REDACTED; dkim=none (message not signed)
     header.d=none;REDACTED; dmarc=bestguesspass action=none
     header.from=kratosdefense.com;REDACTED; dkim=none (message not signed)
     header.d=none;
    Received-SPF: Pass (protection.outlook.com: domain of kratosdefense.com
     designates 148.163.157.244 as permitted sender)
     receiver=protection.outlook.com; client-ip=148.163.157.244;
     helo=mx0a-001f5801.pphosted.com;
    

    There are no Reply-To or X-Sender headers. The From header is the address displayed.

    The only thing that looks suspicious is that pphosted.com address, and it also lists wfinet.com a couple of times in the Received path.


  • I survived the hour long Uno hand

    @anotherusername
    Then yeah, I would agree that those headers don't look particularly suspicious.


  • Garbage Person

    ;; ANSWER SECTION:
    kratosdefense.com.	600	IN	MX	20 mx0b-001f5801.pphosted.com.
    kratosdefense.com.	600	IN	MX	10 mx0a-001f5801.pphosted.com.
    

  • Notification Spam Recipient

    Speaking of headers, got a spam message that consisted of a zipped-zip file containing a JS document:

    [attachment: 23845.js.txt]

    Headers:

    Received: by 10.202.79.78 with SMTP id d75msoib;
            Fri, 3 Feb 2017 05:05:23 -0800 (PST)
    X-Received: by 10.36.26.9 with SMTP id 9mr890624iti.25.1486127123484;
            Fri, 03 Feb 2017 05:05:23 -0800 (PST)
    Return-Path: <m.halvorson@[redacted].com>
    Received: from [redacted].com ([105.209.70.4])
            by mx.google.com with SMTP id e3si1294281ith.24.2017.02.03.05.05.21
            for <registration@[redacted].com>;
            Fri, 03 Feb 2017 05:05:23 -0800 (PST)
    Received-SPF: temperror (google.com: error in processing during lookup of m.halvorson@[redacted].com: DNS error) client-ip=105.209.70.4;
    Authentication-Results: mx.google.com;
           spf=temperror (google.com: error in processing during lookup of m.halvorson@[redacted].com: DNS error) smtp.mailfrom=m.halvorson@[redacted].com;
           dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=usask.ca
    Date: Fri, 03 Feb 2017 13:05:18 -0000
    Importance: High
    To: "registration" <registration@[redacted].com>
    Message-ID: <148612711836.5138.15474597948869462615@105.209.70.4>
    Content-Type: multipart/related;boundary="----=_NextPart_000_0001_01D27E50.75A8C4FC"
    Subject: 
    From: <m.halvorson@usask.ca>
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
    X-Mailer: Microsoft Outlook Express 6.00.2900.3138
    MIME-Version: 1.0
    X-Priority: 3
    X-MSMail-Priority: Normal
    
    This is a multi-part message in MIME format.
    
    ------=_NextPart_000_0001_01D27E50.75A8C4FC
    Content-Type: application/zip; name="1668.zip"
    Content-Disposition: attachment
    Content-Transfer-Encoding: base64
    
    Blah blah blah
    

    We don't even have a halvorson!
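The header checks listed a few posts up (Reply-To and X-Sender versus From, and the spf/dkim/dmarc results in Authentication-Results) and the mismatch visible in the headers just above (envelope sender on one domain, From on another, dmarc=fail, a zipped attachment) can be turned into a small triage script. The following is an added example, not code from anyone in the thread; the two raw messages are constructed samples with example domains, and the severity labels are my own assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def _domain(value):
    """Lower-cased domain of the first address in a header value, or None."""
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def parse_auth_results(value):
    """Extract method=result pairs (spf, dkim, dmarc) from Authentication-Results text."""
    found = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", value or "", re.I):
        found.setdefault(method.lower(), result.lower())  # first occurrence wins
    return found


def assess_headers(raw):
    """Apply the thread's indicators to a raw RFC 5322 message.
    Returns a list of (severity, description), most severe first."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    findings = []
    # A domain mismatch against From is the indicator; severities are assumed.
    for header, severity in (("Reply-To", "soft"), ("X-Sender", "major"), ("Return-Path", "soft")):
        dom = _domain(msg.get(header))
        if dom and dom != from_dom:
            findings.append((severity, f"{header} domain {dom} differs from From domain {from_dom}"))
    auth = parse_auth_results(" ".join(msg.get_all("Authentication-Results", [])))
    spf, dkim, dmarc = auth.get("spf"), auth.get("dkim", "none"), auth.get("dmarc")
    if spf and spf != "pass":
        findings.append(("soft", f"SPF result is {spf}"))
    if dmarc == "fail":
        findings.append(("major", "DMARC result is fail"))
    elif dmarc == "bestguesspass":
        findings.append(("info", "DMARC best-guess pass: the From domain publishes no DMARC record"))
    elif dmarc is None:
        findings.append(("info", "no DMARC result recorded"))
    if dkim == "none":
        findings.append(("info", "message is not DKIM-signed"))
    # Attachment types that commonly carry malware (zip, script, Office doc).
    for part in msg.walk():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if ctype == "application/zip" or name.lower().endswith((".zip", ".js", ".doc")):
            findings.append(("major", f"attachment {name or ctype} is a type commonly used to deliver malware"))
    rank = {"major": 0, "soft": 1, "info": 2}
    return sorted(findings, key=lambda f: rank[f[0]])  # stable: keeps insertion order within a rank


# Constructed sample 1: the "soft pass" shape (SPF pass, no DMARC record, unsigned).
RAW_SOFT_PASS = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=sender.example; receiver.example; dkim=none (message not signed)
 header.d=none;receiver.example; dmarc=bestguesspass action=none
 header.from=sender.example;receiver.example; dkim=none (message not signed)
 header.d=none;
Return-Path: <alerts@sender.example>
From: Alerts <alerts@sender.example>
To: someone@receiver.example
Subject: Invoice
Content-Type: text/plain

hello
"""

# Constructed sample 2: envelope sender and From on different domains, DMARC fail, zip attached.
RAW_SPOOFED = """\
Return-Path: <m.user@relay.example>
Authentication-Results: mx.receiver.example;
       spf=temperror (mx.receiver.example: DNS error) smtp.mailfrom=m.user@relay.example;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=university.example
From: <m.user@university.example>
To: "registration" <registration@receiver.example>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="BOUNDARY"

This is a multi-part message in MIME format.

--BOUNDARY
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--BOUNDARY--
"""

if __name__ == "__main__":
    for label, raw in (("soft pass", RAW_SOFT_PASS), ("spoofed", RAW_SPOOFED)):
        print(f"== {label} ==")
        for severity, text in assess_headers(raw):
            print(f"  [{severity}] {text}")
```

The script deliberately grades a Return-Path/From mismatch only as a soft indicator: forwarding services and bulk mailers legitimately produce one, which is exactly why the DMARC result (alignment of the authenticated domain with From) is the more decisive signal.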



  • Almost highbrow. Dropping the MH17 name is a nice touch.

    44793 country code is Bochum, North Rhine-Westphalia, Germany. The offer is nice, too: $6.2 million US. No bites here, though.

    Received 2/3/17.


    Stephanie Smith Solicitors & Associates
    15 Bloomsbury Square London,
    WC1A2LS, United Kingdom

    I am the personal attorney to Steven Vandersande, a Netherland who was a consultant with Shell UK LTD here in London, who hereinafter shall be referred to as my client. Unfortunately My Client lost his life in a plane crash MH17 on the 17th July, 2014 during one of his trip from Netherlands (Amsterdam) to Malaysia (Kuala Lumpur). My Client left no clear beneficiary to the fund deposited with a Security Company as Next of Kin except some vital documents related to the deposit that is still with me.

    All efforts by me to trace his Next of Kin and relatives have proved abortive because he did not make any will prior to his death. Since then I have made several inquiries to locate any of my late clients extended relatives and this has proved unsuccessful. After my several unsuccessful attempts to locate any member of his family hence I contacted you.

    I am contacting you to assist in claiming the money left behind by my client before they get confiscated or declared unclaimed by the security company where this huge deposit was deposited. Particularly, the Finance Company where He had the said fund valued at US$15,500,000.00 (Fifteen Million Five Hundred Thousand United Sates Dollars Only) deposited has issued me a notice to provide the next of kin. Consequent upon this, my idea is that we can have a deal/agreement and I am going to do this legally with your name as the true beneficiary of the amount in question as I have all legal document to back our claim, I seek your consent to present you as the next of kin to the deceased so that the proceeds of this account valued at $15,500,000.00 Million US dollars can be paid to your account abroad, note that 40% of this money will be for you, in respect to the provision of a foreign account and 50% for me, 10% will be used for the reimbursement of any expenditure we may incur in the cause of the transaction.

    I guarantee that this will be executed under a legitimate arrangement that will protect you from any breach of the law; all I need from you is your utmost collaboration and sincerity for us to thrive in this deal. I want you to reply me immediately and include your direct phone number so that we can discuss more as regard to this transaction. Thank you and Please treat this matter with utmost confidentiality. I wait your urgent response.

    Yours Sincerely,
    Barr. Stephanie Smith.
    Phone: +447937156092
    My Direct Fax: +448458741197.
    Solicitor.



  • @CoyneTheDup If one wishes to impersonate a solicitor in London, one would think that learning to write grammatically correct English would be an obvious prerequisite.



  • @HardwareGeek said in 📧 The Official Spam Emails Thread™:

    @CoyneTheDup If one wishes to impersonate a solicitor in London, one would think that learning to write grammatically correct English would be an obvious prerequisite.

    With the average level of grammar these days, who would notice? Either way? It's at least as good as the average email I get at work.



  • @accalia said in 📧 The Official Spam Emails Thread™:

    proxy abuse

    Looks like an open redirect to me...



  • @HardwareGeek In my experience with solicitors (buying/selling a house), it would be more realistic to expect an email badly written, full of automatic sentences that don't mean anything, and that don't answer the question. Which means the spam is perfectly credible in that regard.

    Where it fails, though, is that solicitors' emails only arrived after asking a question at least twice, and sometimes also calling them to request an answer. Would be nice if spam did that...



  • [screenshot]



  • @CoyneTheDup said in 📧 The Official Spam Emails Thread™:

    44793 country code is Bochum, North Rhine-Westphalia, Germany.

    Wrong. 44793 is the postal code of Bochum.

    The German country code is +49, btw.


  • FoxDev

    @aliceif said in 📧 The Official Spam Emails Thread™:

    The German country code is +49, btw.

    and Cuba's international dialing code is +119 (or was.... i think they might have changed it as you will see...)

    I remember that because we had an office system that had to dial 9 to get an outside line, then if you wanted to dial cuba you dialed 119[NUMBERS]

    but.... if you DIDN'T pause for long enough between getting the outside line and dialing the country code the PBX picked up that you had dialed 911 and completed the call (so if you need to dial 911 you don't need to remember to get the outside line. that's actually required of phone systems)

    I lost count of how many times people accidentally called 911 instead of calling their contacts in cuba.... but when we started faxing them things got interesting as instead of apologizing for the wrong number the police showed up in person because the fax didn't pause, got caught by the special 911 rule and no one was on the line to say it was a misdial.....


  • kills Dumbledore

    @accalia said in 📧 The Official Spam Emails Thread™:

    I remember that because we had an office system that had to dial 9 to get an outside line, then if you wanted to dial cuba you dialed 119[NUMBERS]

    Wouldn't it be 900119 or 9+119?


  • FoxDev

    @Jaloopa said in 📧 The Official Spam Emails Thread™:

    @accalia said in 📧 The Official Spam Emails Thread™:

    I remember that because we had an office system that had to dial 9 to get an outside line, then if you wanted to dial cuba you dialed 119[NUMBERS]

    Wouldn't it be 900119 or 9+119?

    this was ten years ago or so. i don't recall all the details, all i know is the phones/faxes ended up calling 911 accidentally

    also..... where is the + key on a standard telephone?


  • FoxDev

    @accalia said in 📧 The Official Spam Emails Thread™:

    also..... where is the + key on a standard telephone?

    I believe it's the 0 key.

    Edit: This is of course for a UK keypad; if you have a foreign keypad, YMMV, IANAL, etc.


  • FoxDev

    @RaceProUK said in 📧 The Official Spam Emails Thread™:

    I believe it's the 0 key.

    ..... then...... why not write 0?!Q!

    "Standard" US keypad for reference:

    [screenshot]

    I say standard, because while i've never seen a touchtone phone with a different layout in person, i am aware that some do actually exist (in particular i know there's a touchtone phone where the keys are arranged as a rotary dial but with buttons instead of fingerholes)


  • FoxDev

    @accalia said in 📧 The Official Spam Emails Thread™:

    @RaceProUK said in 📧 The Official Spam Emails Thread™:

    I believe it's the 0 key.

    ..... then...... why not write 0?!Q!

    I guess it's because not every country uses the same number sequence to initiate an international call (e.g. US uses 011, UK uses 00), so + is used as a substitute.


  • Java Dev

    @RaceProUK Probably. In NL, the normal international access is 00. Default used to be dialling locally, single zero interlocally (to a different city). I'm not sure if that still works though.


  • Discourse touched me in a no-no place

    @PleegWat 00 works in the UK too. TBH I thought it was 00 everywhere until now.



  • @HardwareGeek said in 📧 The Official Spam Emails Thread™:

    @CoyneTheDup If one wishes to impersonate a solicitor in London, one would think that learning to write grammatically correct English would be an obvious prerequisite.

    How would you know a solicitor wrote grammatically correct English when it's impossible to understand anything a lawyer writes?



  • @aliceif said in 📧 The Official Spam Emails Thread™:

    @CoyneTheDup said in 📧 The Official Spam Emails Thread™:

    44793 country code is Bochum, North Rhine-Westphalia, Germany.

    Wrong. 44793 is the postal code of Bochum.

    The German country code is +49, btw.

    Oh. Oops, bad Google search. +44 is UK. How about that? Phone # matches supposed address.

    'course, with IP phone, it could ring in North Elbonia.



  • @accalia said in 📧 The Official Spam Emails Thread™:

    @aliceif said in 📧 The Official Spam Emails Thread™:

    The German country code is +49, btw.

    and Cuba's international dialing code is +119 (or was.... i think they might have changed it as you will see...)

    I remember that because we had an office system that had to dial 9 to get an outside line, then if you wanted to dial cuba you dialed 119[NUMBERS]

    but.... if you DIDN'T pause for long enough between getting the outside line and dialing the country code the PBX picked up that you had dialed 911 and completed the call (so if you need to dial 911 you don't need to remember to get the outside line. that's actually required of phone systems)

    I lost count of how many times people accidentally called 911 instead of calling their contacts in cuba.... but when we started faxing them things got interesting as instead of apologizing for the wrong number the police showed up in person because the fax didn't pause, got caught by the special 911 rule and no one was on the line to say it was a misdial.....

    "91" is basically the worst PBX outdial code for the US. I worked for a company that had that code, but my team were located in a refurbished house (direct phone lines). You would not believe how many visiting coworkers dialed 911 trying to call long distance. (I remember warning someone before letting them use my phone...they still did it.)

    The company redid its PBX and changed it to 91 for local and 90 for long distance, because the local authorities threatened to fine them per call if they didn't change it. Helped a bit, I guess.

    But now I work for the parent company. Brand-spanking new buildings, all new phones, 91 outdial code. (Partial mitigation: you don't dial the 1 for long distance anymore.)


  • I survived the hour long Uno hand

    @CoyneTheDup
    I also love the rationale that goes into having an outdial code in the first place. "Oh, we need to ensure we don't have random people walking in off the street and using our phone system for outrageously expensive calls. I know! An outdial code, no one will ever get that!"

    (Ok, most of the time, it's just people being lazy and using the default settings for the PBX. And it was probably originally the default because the first PBXes were invented in an era where telephone numbers and exchange dialing were assigned differently than they are now, so there was more overlap in patterns between 'extensions' and 'external numbers' and the system needed to distinguish between the two somehow. But still. It's 2017. We shouldn't be using outdial codes, we should be securing 'public' phones and not enabling international / premium dialing except for extensions that really need it)


  • BINNED

    @izzion
    There are cases where you want to make the distinction on the PBX between company internal but maybe not internal to this PBX and really external.
    In modern PBXs it's generally a trunk access code, e.g. the '0' or '91' just selects the external trunk line and all following digits are just sent over the trunk and should be interpreted on the other side. You use this when combining PBXs or IVRs, e.g. 89, 899, 89999, 8999999999 are all sent to trunk 8. And the endpoint there should just figure out what to do with 9, 99 or 99999999999999999999999998


  • I survived the hour long Uno hand

    @Luhmann
    It'll come down to how much overlap there is in the dialing scheme for the remote PBX versus an external call versus the local PBX, but if your system isn't capable of determining how to route the call without your end user explicitly telling it how to route the call, then you have a Disco-PBX and you need to fix the programming on it. Or throw out the piece of junk and get a better PBX. But probably just the programming.


  • BINNED

    @izzion said in 📧 The Official Spam Emails Thread™:

    Disco-PBX

    They all are but remember that on phone communication the kind of metadata you can send along with the call to identify the origin and destination is very, very limited. You have the calling and called and maybe, maybe an additional parameter that can contain numeric info.



  • @izzion said in 📧 The Official Spam Emails Thread™:

    It'll come down to how much overlap there is in the dialing scheme for the remote PBX versus an external call versus the local PBX

    I wonder how much of that is due to historical reasons. It seems that nowadays it would be very easy to distinguish what makes an external number valid (e.g. in most of Europe, as far as I know, it starts with a 0) and avoid that for internal ones. But, staying in Europe, you only need to go back a few years (*) to find a situation where every digit was a possible one for the start of an external number, so the PBX would have had to do more work to find out.

    At that time, it was probably easier to have the user dial a special digit first, and the habit stuck since then. Especially since some time ago, users were more aware of whether they wanted an internal or external number. Now, with mobile phones and IP phones and stuff, there are probably more special cases (e.g. dialing an internal extension might redirect to a mobile phone that might actually be in the outside world).

    (*) OK, probably at least 10-15 if not 20... but you know how most systems are conservative. I would not be that surprised to learn that some companies still use systems bought that long ago, and therefore designed even longer ago!



  • @izzion

    The outdial code is just like namespaces in a computer language. For example, if internal extension numbers start with 7, the system can be made to get an outside trunk if the first digit dialed is 7.

    But 911 went national in 1968--basically 50 years ago. You'd think PBX designers would have gotten a clue that 91 is a bad outdial choice by now.


  • I survived the hour long Uno hand

    @CoyneTheDup
    Except it's not at all like namespaces, because you're forcing the end user to remember and input the outdial code. Instead of just gaining some organization for the computer and the future maintenance coder.

    I'm a Digium Certified Asterisk Professional, albeit lapsed because I don't work in that leg of IT any more. This has been a solved problem in the NANP for my entire professional career, and it really bugs me that PBX architects are either too lazy or too stuck in tradition that they don't properly think about the cost versus benefit of an outdial code.

    Also, as more areas in the NANP go to required 10 digit dialing, it's going to become more pronounced. PBX engineers should know what valid number patterns look like, should construct their system to route calls based on the pattern, and should make the system work like a cell phone (no 1 required, no outdial codes) as much as possible, so that the system is actually end user usable.

    WHAAARRRRGGGGAAAARRRRRBBBBLLLLLLLL
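The PBX argument above (route by the shape of the dialed number instead of an outdial code, allow 911 unconditionally, and enable international or premium dialing only for extensions that need it) can be shown as a small dial-plan router. This is an added example, not anyone's posted code or any vendor's dial plan; the NANP-style patterns, the 7xxx extension range and the class-of-service table are assumptions chosen for illustration, and the numbers in the tests are fictional (555-01xx and 020 7946 0xxx ranges). The last function reproduces the collision the thread describes: an outdial prefix followed by a number beginning with 1 (or 11) forms the digits 9-1-1 before the PBX has seen the rest.

```python
import re

# Route classes, most specific first. Assumed NANP-style patterns for illustration.
ROUTES = [
    ("emergency",     re.compile(r"^911$")),
    ("internal",      re.compile(r"^7\d{3}$")),                   # assumption: extensions 7000-7999
    ("premium",       re.compile(r"^1?900\d{7}$")),               # 1-900 premium-rate
    ("international", re.compile(r"^011\d{7,15}$")),              # NANP international access
    ("long_distance", re.compile(r"^1[2-9]\d{2}[2-9]\d{6}$")),    # 1 + NXX NXX XXXX
    ("local",         re.compile(r"^[2-9]\d{2}[2-9]\d{6}$")),     # 10-digit local
]

# Class of service: which route classes an extension may use (assumed table).
# Emergency is never listed because route() allows it regardless of class.
COS = {
    "default":   {"internal", "local", "long_distance"},
    "lobby":     {"internal"},                                    # public phone: extensions only
    "intl_desk": {"internal", "local", "long_distance", "international"},
}


def normalize(dialed):
    """Turn what the user typed into a digit string; a leading '+' becomes the 011 access code."""
    dialed = dialed.strip()
    if dialed.startswith("+"):
        dialed = "011" + dialed[1:]
    return re.sub(r"\D", "", dialed)


def classify(digits):
    """Route class for a complete digit string, or None if nothing matches."""
    for name, pattern in ROUTES:
        if pattern.match(digits):
            return name
    return None


def route(dialed, cos="default"):
    """Pattern-based routing with class-of-service enforcement; no outdial code needed."""
    digits = normalize(dialed)
    cls = classify(digits)
    if cls is None:
        return ("reject", "no matching pattern")
    if cls == "emergency" or cls in COS.get(cos, COS["default"]):
        return ("allow", cls)
    return ("deny", f"{cls} not permitted for class of service {cos}")


def with_outdial_prefix(dialed, prefix="9"):
    """Simulate a PBX that requires an outdial prefix and treats 9-1-1 as complete the
    moment those digits arrive (no inter-digit pause), which is the misdial in the thread."""
    digits = prefix + normalize(dialed)
    if digits.startswith("911"):
        return ("allow", "emergency")
    return route(digits[len(prefix):])


if __name__ == "__main__":
    for number, cos in (("911", "lobby"), ("7123", "lobby"), ("212-555-0123", "lobby"),
                        ("1 212 555 0123", "default"), ("+44 20 7946 0000", "default"),
                        ("+44 20 7946 0000", "intl_desk"), ("1-900-555-0100", "default")):
        print(f"{number!r:22} as {cos:10} -> {route(number, cos)}")
    print("outdial '91' then 1-212-555-0123 ->", with_outdial_prefix("1 212 555 0123", "91"))
```

The ordering of `ROUTES` matters: premium is tested before long distance so that 1-900 numbers are not silently treated as ordinary toll calls, and the emergency pattern is checked first so no class-of-service setting can block it.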



  • @Zecc I wanted to upvote this, but [screenshot]

    Aaaaaand it's gone!


  • I survived the hour long Uno hand

    Spammer with a From of "Cadwalader, Wickersham and Taft LLP" said:

    Who the fuck are you and why is there a charge from yourdomain.example on my card?
    Here you can view my statement , get back to me asap.

    bofa_card_statement_myname.doc <defanged link that went somewhere naughty>

    Thank you
    Dillon Beverly

    Well, I guess @Lorne-Kates is branching out into spam e-mail now 🍹

    Filed under: Fuck you, give me my money back


  • FoxDev

    @izzion said in 📧 The Official Spam Emails Thread™:

    Spammer with a From of "Cadwalader, Wickersham and Taft LLP" said:

    Who the fuck are you and why is there a charge from yourdomain.example on my card?
    Here you can view my statement , get back to me asap.

    bofa_card_statement_myname.doc <defanged link that went somewhere naughty>

    Thank you
    Dillon Beverly

    Well, I guess @Lorne-Kates is branching out into spam e-mail now 🍹

    Filed under: Fuck you, give me my money back

    huh..... that's a new one. clever too. targets a business rather than an individual......



  • @izzion Just got that one too. That's a new style as far as I'm concerned. Never got the vulgar type before. Might fool some vulnerable accounts receivable clerk...



  • @izzion said in 📧 The Official Spam Emails Thread™:

    I got that one too. I agree it's pretty clever. Here's a copy. Only difference is the name at the end. The link on the "doc" file goes to
    http://www.unotrading.co.jp/api/get.php?id=[balh blah]
    which is blocked in firefox as a deceptive site.

    =============
    Who the fuck are you and why is there a charge from [my_business_domain].com on my card?

    Here you can view my statement , get back to me asap.

    bofa_card_statement_[my_first_name].doc

    Thank you

    Caleb Newman



  • @loganspappy I was so tempted to Reply that... (I got several of those yesterday)


  • Notification Spam Recipient

    [screenshot]

    I don't know anyone named Heere...

    [screenshot]

    Sure, could you repeat that? Google didn't quite understand...

    Original

    [screenshot]



  • Valentine's spam from Asus

    [screenshot]


  • BINNED

    @Boner I got one from friggin Cortana of all things, but I accidentally cleared it.

    Can't find any other screenshots or references, but it was one of those cheesy "Roses are red" modifications, ending with "I can help you organize a Valentine's date" or something like that.

    🤦


  • FoxDev

    @Onyx said in 📧 The Official Spam Emails Thread™:

    I got one from friggin Cortana of all things

    /me isn't looking forward to her Cortana sending her Valentine's spam

    Or any spam, for that matter.


  • BINNED

    @RaceProUK said in 📧 The Official Spam Emails Thread™:

    Well, at least it was just a notification, not an email, so that's something at least.

    Popping up You need some updates while I was shooting peoplealiens online and minimizing my game in the middle of the match, now that is annoying.



  • Yesterday, I got a scam in French that was trying to be chummy by saying that they hoped "I was having a blast" (using whatever service they faked being).

    Except that it was machine-translated to French, giving something like "we hope you are having an explosion". Um, no, I hope I'm not...


  • BINNED

    @remi said in 📧 The Official Spam Emails Thread™:

    we hope you are having an explosion

    [screenshot]

