A spammer misses a glorious opportunity
Most of the spam that I collect on the machines that I run my sinkhole SMTP server on is boring spam. Since it's boring, I've tried to block as much of it as possible; still, there are plenty of cases that get through, because that sort of spam can come from all over. Today I got what initially looked like one of those boring spams that sneak through. It appeared in my log like this:
[...] from 18.104.22.168 / <REDACTED@justice.gov.za> to <REDACTED>: [...] helo 'mail3.justice.gov.za' [...]
I saw that and shrugged; clearly it was another forged advance fee fraud
spam, just like the ones claiming to be from the FBI.
But when I looked at the full metadata of the logged message,
I got a surprise. There in the metadata was the
resolved, verified DNS name of the sending IP and it was
This wasn't email pretending to be from the South Africa's Department
of Justice; this actually was email from
one of the DoJ's mail servers. The reverse DNS is real and valid,
and in fact this IP is one of the four MX servers for
(a second MX server is right beside it in that /24).
So why do I call this a spammer missing a glorious opportunity? Well, let me show you the important bits of the spam message itself:
From: REDACTED <REDACTED@justice.gov.za>
To: "email@example.com" <firstname.lastname@example.org>
Subject: HELPDESKTo All,
Today Monday 12th of March 2018. We are shutting down your present web-mail to create space for 2018 Outlook Web Access with a high visual definition and Space.
This service creates more space and easy access to email. Please update your account by clicking on the link below and fill information for Activation.
That's right. Given the golden opportunity of access to the real, legitimate mail servers of the Department of Justice of South Africa (likely via a compromised account), the spammer used it to send not the most genuine looking advance fee fraud you could imagine, but a garden variety, completely untargeted phish spam.
Of course there's decent, boring reasons for this. For a start, the actual IP address source of advance fee fraud spam is completely unimportant, because the recipients who will even think of checking that aren't the kind of people who will fall for the spam in the first place. If anything, advance fee fraud spammers apparently may deliberately make their spam look bad and suspicious, so that anyone who actually answers is highly likely to be gullible enough to go through with the whole thing, instead of wasting their time. If that's so, sending from the real justice.gov.za is, if anything, a thing to avoid.
Still, I wish the spam message had been advance fee fraud. That's the way the universe should be when you get the chance to use justice.gov.za for your spam.