A spammer misses a glorious opportunity

March 12, 2018

Most of the spam that I collect on the machines that I run my sinkhole SMTP server on is boring spam. Since it's boring, I've tried to block as much of it as possible; still, there are plenty of cases that get through, because that sort of spam can come from all over. Today I got what initially looked like one of those boring spams that sneak through. It appeared in my log like this:

[...] from / <REDACTED@justice.gov.za> to <REDACTED>: [...] helo 'mail3.justice.gov.za' [...]

I saw that and shrugged; clearly it was another forged advance fee fraud spam, just like the ones claiming to be from the FBI. But when I looked at the full metadata of the logged message, I got a surprise. There in the metadata was the resolved, verified DNS name of the sending IP and it was mail3.justice.gov.za. This wasn't email pretending to be from the South Africa's Department of Justice; this actually was email from one of the DoJ's mail servers. The reverse DNS is real and valid, and in fact this IP is one of the four MX servers for justice.gov.za (a second MX server is right beside it in that /24).

So why do I call this a spammer missing a glorious opportunity? Well, let me show you the important bits of the spam message itself:

From: REDACTED <REDACTED@justice.gov.za>
To: "info@cc.com" <info@cc.com>

To All,

Today Monday 12th of March 2018. We are shutting down your present web-mail to create space for 2018 Outlook Web Access with a high visual definition and Space.
This service creates more space and easy access to email. Please update your account by clicking on the link below and fill information for Activation.


That's right. Given the golden opportunity of access to the real, legitimate mail servers of the Department of Justice of South Africa (likely via a compromised account), the spammer used it to send not the most genuine looking advance fee fraud you could imagine, but a garden variety, completely untargeted phish spam.

Of course there's decent, boring reasons for this. For a start, the actual IP address source of advance fee fraud spam is completely unimportant, because the recipients who will even think of checking that aren't the kind of people who will fall for the spam in the first place. If anything, advance fee fraud spammers apparently may deliberately make their spam look bad and suspicious, so that anyone who actually answers is highly likely to be gullible enough to go through with the whole thing, instead of wasting their time. If that's so, sending from the real justice.gov.za is, if anything, a thing to avoid.

Still, I wish the spam message had been advance fee fraud. That's the way the universe should be when you get the chance to use justice.gov.za for your spam.

Written on 12 March 2018.
« Linux is good at exposing the truth of how motherboards are wired
Why Let's Encrypt's short certificate lifetimes are a great thing »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Mar 12 22:54:33 2018
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.