Mildly interesting spam message

I’m currently waiting for a parcel to be delivered which is my new Olympus OM-D E-M5 that is coming from the US. I received a spam message that took me in for a minute, as I thought it was related to the camera.

Postal notification, Our company’s courier couldn’t make the delivery of parcel. Status deny:Fee isn’t paid. LOCATION OF YOUR PARCEL:Irving STATUS: sort order SERVICE: One-day Shipping NUMBER OF YOUR ITEM:U413001201NU FEATURES: No The label of your parcel is enclosed to the letter. You should print the label and show it in the nearest post office to get a parcel. Important information! If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it's keeping in the amount of $5.94 for each day of keeping over limited time. You can find the information about the procedure and conditions of parcels keeping in the nearest office. Thank you. Royal Mail Logistics Services.

The first thing I did was check the headers of the message (below). I noticed that it got an SPF pass, which I first thought a bit strange, as the email was showing as being from [email protected]; then I noticed it was actually “[email protected] via s2.ingenihost.com”, so the SPF pass was for the domain ingenihost.com.

Delivered-To:
Received: by 10.194.54.37 with SMTP id g5csp160341wjp; Fri, 29 Jun 2012 15:10:46 -0700 (PDT)
Received: by 10.224.72.138 with SMTP id m10mr7310631qaj.5.1341007846024; Fri, 29 Jun 2012 15:10:46 -0700 (PDT)
Return-Path:
Received: from s2.ingenihost.com (s2.ingenihost.com. [96.9.180.53]) by mx.google.com with ESMTPS id d3si6031089qao.0.2012.06.29.15.10.45 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 29 Jun 2012 15:10:45 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of [email protected] designates 96.9.180.53 as permitted sender) client-ip=96.9.180.53;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of [email protected] designates 96.9.180.53 as permitted sender) [email protected]
Received: from colourfu by s2.ingenihost.com with local (Exim 4.69) (envelope-from ) id 1SkjOm-0002rY-Bf for ; Fri, 29 Jun 2012 18:10:44 -0400
To:
Subject: Delivery information contains at the postal label
From: "Royal Mail CS"
X-Mailer: SayMailSMTP
Reply-To: "Royal Mail CS"
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----------13410078444FEE27E45161A"
Message-Id:
Date: Fri, 29 Jun 2012 18:10:44 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - s2.ingenihost.com
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [543 32003] / [47 12]
X-AntiAbuse: Sender Address Domain - s2.ingenihost.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/colourfu/public_html/.c007.php
X-Source-Dir: colourfulspaces.com:/public_html

They actually screwed up the attachment, as the file didn’t have a name (filename=“”), so Gmail called it noname. I downloaded it and gave it a .zip extension, unzipped it and found a 44KB file called Label_Royal_Mail_Express_Services_UK4784256.exe. Out of interest I scanned it on VirusTotal and found it contained a virus that Kaspersky calls Trojan-Dropper.Win32.Dapato.bkqg. Results for the scan are here.
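The two checks above (does the SPF pass actually cover the From: domain, and what is really inside a nameless attachment) are easy to script. The following is an added example, not code from the original post: it builds a constructed message that mirrors the headers shown above, substituting hypothetical addresses (colourfu@s2.ingenihost.com as envelope sender, customer.service@royalmail.example as the displayed From:) for the values the post redacts, and a 64-byte "MZ" stub in place of the real dropper. It then checks DMARC-style relaxed alignment between the SPF-authenticated domain and the From: domain, notes the X-Source-Args header that Exim/cPanel adds for mail injected by a local script, and triages attachments by magic bytes and archive listing rather than by the declared filename.

```python
import base64
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions that have no business inside a "shipping label" archive.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar")


def build_sample_message() -> bytes:
    """Constructed sample mirroring the post's headers.

    The post redacts the envelope sender and From: address; the ones below are
    hypothetical placeholders. The zip holds a 64-byte MZ stub, not real malware.
    """
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("Label_Royal_Mail_Express_Services_UK4784256.exe", b"MZ" + b"\x00" * 62)
    zip_b64 = base64.encodebytes(archive.getvalue()).decode("ascii").replace("\n", "\r\n")
    boundary = "----------13410078444FEE27E45161A"
    headers = (
        "Return-Path: <colourfu@s2.ingenihost.com>\r\n"  # hypothetical envelope sender
        "Received: from s2.ingenihost.com (s2.ingenihost.com. [96.9.180.53])"
        " by mx.google.com with ESMTPS id d3si6031089qao.0.2012.06.29.15.10.45;"
        " Fri, 29 Jun 2012 15:10:45 -0700 (PDT)\r\n"
        "Received-SPF: pass (google.com: best guess record for domain of"
        " colourfu@s2.ingenihost.com designates 96.9.180.53 as permitted sender)"
        " client-ip=96.9.180.53;\r\n"
        'From: "Royal Mail CS" <customer.service@royalmail.example>\r\n'  # hypothetical
        'Reply-To: "Royal Mail CS" <customer.service@royalmail.example>\r\n'
        "Subject: Delivery information contains at the postal label\r\n"
        "X-Source: /usr/bin/php\r\n"
        "X-Source-Args: /usr/bin/php /home/colourfu/public_html/.c007.php\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n'
        "\r\n"
    )
    body = (
        f"--{boundary}\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        "Postal notification. Our company's courier couldn't make the delivery of parcel.\r\n"
        f"--{boundary}\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename=""\r\n'  # the nameless attachment
        "\r\n"
        f"{zip_b64}"
        f"--{boundary}--\r\n"
    )
    return (headers + body).encode("ascii")


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def spf_authenticated_domain(msg: EmailMessage) -> str:
    """The domain SPF actually vouched for: the envelope sender (MAIL FROM), never From:."""
    m = re.search(r"domain of\s+(?:\S+@)?([\w.-]+)", msg.get("Received-SPF", ""))
    return m.group(1).lower() if m else _domain(msg.get("Return-Path", ""))


def relaxed_aligned(a: str, b: str) -> bool:
    """DMARC-style relaxed alignment: equal, or one is a subdomain of the other.
    Simplification for the example: production code compares organizational domains
    using the public suffix list instead of this plain suffix test."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def check_alignment(msg: EmailMessage) -> dict:
    from_dom = _domain(msg.get("From", ""))
    spf_dom = spf_authenticated_domain(msg)
    return {
        "from_domain": from_dom,
        "spf_domain": spf_dom,
        "spf_pass": msg.get("Received-SPF", "").lower().startswith("pass"),
        "aligned": relaxed_aligned(from_dom, spf_dom),
        "sending_script": msg.get("X-Source-Args"),  # local script that injected the mail
    }


def triage_attachments(msg: EmailMessage) -> list:
    """Describe attachments by content (magic bytes, archive listing), not declared name."""
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        finding = {
            "declared_name": part.get_filename() or "",
            "content_type": part.get_content_type(),
            "size": len(data),
            "is_zip": data.startswith(b"PK\x03\x04"),
            "members": [],
            "executables": [],
        }
        if finding["is_zip"]:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    finding["members"].append(info.filename)
                    with zf.open(info) as member:
                        head = member.read(2)  # PE files start with "MZ"
                    if info.filename.lower().endswith(EXEC_EXTENSIONS) or head == b"MZ":
                        finding["executables"].append(info.filename)
        findings.append(finding)
    return findings


def triage(raw: bytes) -> dict:
    """Run both checks over a raw message and collect the reasons to distrust it."""
    msg = message_from_bytes(raw, policy=policy.default)
    alignment = check_alignment(msg)
    attachments = triage_attachments(msg)
    reasons = []
    if alignment["spf_pass"] and not alignment["aligned"]:
        reasons.append(f"SPF pass covers {alignment['spf_domain']}, not From: domain {alignment['from_domain']}")
    if alignment["sending_script"]:
        reasons.append(f"injected locally by script {alignment['sending_script']}")
    for a in attachments:
        if a["declared_name"] == "":
            reasons.append(f"{a['size']}-byte {a['content_type']} attachment with an empty filename")
        if a["executables"]:
            reasons.append("archive contains executable(s): " + ", ".join(a["executables"]))
    return {"alignment": alignment, "attachments": attachments, "reasons": reasons}


if __name__ == "__main__":
    for reason in triage(build_sample_message())["reasons"]:
        print("-", reason)
```

Run directly, the script prints four reasons for the constructed message: the SPF pass belongs to s2.ingenihost.com rather than the From: domain, the mail was injected by a local PHP script, the attachment has an empty filename, and the archive contains an .exe. The same `triage()` function takes any raw message, for example the bytes of an .eml saved from a mail client.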

So definitely not my new camera then. Reported it as spam in Gmail and on SpamCop, so hopefully the sender's IP gets blacklisted pretty soon.
