Spammer almost fooled me!

I generally manage to recognise spam quite easily. But this email from payments-messages@amazon.co.uk did a reasonably good job of almost fooling me. And why did it almost fool me? Because I’ve occasionally bought stuff from Amazon, including the British site.

What made it look reliable was the fact that all links to the Amazon website did indeed point to the Amazon website. Most spammers show one URL in the email, but the link hidden beneath it redirects you to a completely different website. So, where did it go wrong for this spammer?

Well, I had not ordered anything from Amazon and I definitely did not return anything to them either. So, this message was unfamiliar to me. It was strange, thus suspicious. Still, I did not see anything harmful until I looked down and saw an extra message and an attachment included in the email…

And that was even more suspicious! It is very likely not a document but some malware-thing hidden in a document. I don’t know and I don’t want to know. Opening it will infect my system so it stays closed.

The email claims there’s an “advanced electronic signature” attached to this note and I need to add it as a trusted certificate. Well, never do such a silly thing because someone asks you nicely by email. It can be reasonably harmless and just include advertisements in every webpage you visit from then on. Or, it allows some hacker to do a man-in-the-middle attack on your online banking account. That would cost you a lot of money!

There was a third reason why I knew it’s fake. I have a whole domain name with the possibility to create an unlimited number of email aliases. I use a special alias for Amazon and this email was not received by that account.

I also use Google Apps and created a Google group within my domain for those aliases that tend to receive a lot of spam. So, spammers end up in this group, from where I can collect any data and offer it to anyone I like. And this email arrived in my spam-box! Thus, I knew it was spam before I even looked at it. Still, some emails just make me curious and the Google group is a reasonably safe area to contain this kind of spam.

Too bad, though. I would have liked the extra cash in my bank account.

Still, there are a few more things that should warn you that this is a fake email. For example, the email tells you to download and install Adobe Acrobat Reader but the attached document is a Word document, not an Adobe document. (Not a PDF.) And, the talk about the electronic signature is highly suspicious.

For the technicians among you, there’s even a clear warning signal in the headers of this email:

Received-SPF: fail (google.com: domain of payments-messages@amazon.co.uk does not designate 2.179.101.14 as permitted sender) client-ip=2.179.101.14;
Authentication-Results: mx.google.com;
       spf=fail (google.com: domain of payments-messages@amazon.co.uk does not designate 2.179.101.14 as permitted sender) smtp.mail=payments-messages@amazon.co.uk;
       dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=amazon.co.uk

That’s right! Amazon publishes an SPF record for its domain name, and Google checks it when the email arrives. The IP address this email was sent from (2.179.101.14) is not one that amazon.co.uk designates as a permitted sender, so the SPF check failed, and the DMARC check failed along with it (with a quarantine policy). In fact, spammers seem to use this IP address for more of their spamming and hacking attempts.
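To make that header check repeatable, here is an added example (not part of the original post) that parses the Authentication-Results header quoted above and turns it into a triage label. The function names and the trusted_authserv parameter are assumptions of this example; the sample headers are the ones from this email, with a constructed From line and body.

```python
import re
from email import message_from_string

# Headers quoted in this post; the From line and the body are constructed.
SAMPLE = """\
From: payments-messages@amazon.co.uk
Received-SPF: fail (google.com: domain of payments-messages@amazon.co.uk does not designate 2.179.101.14 as permitted sender) client-ip=2.179.101.14;
Authentication-Results: mx.google.com;
       spf=fail (google.com: domain of payments-messages@amazon.co.uk does not designate 2.179.101.14 as permitted sender) smtp.mail=payments-messages@amazon.co.uk;
       dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=amazon.co.uk

(constructed body)
"""


def auth_results(raw_message, trusted_authserv="mx.google.com"):
    """Collect {method: result} from Authentication-Results headers.

    Only headers stamped by our own receiving server (trusted_authserv, an
    assumed parameter) are used: a sender can add a forged header of its own.
    """
    results = {}
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\r?\n[ \t]+", " ", value)       # unfold continuation lines
        policy = re.search(r"dmarc=\w+\s*\(p=(\w+)", value, re.I)
        value = re.sub(r"\([^()]*\)", "", value)         # drop (comments)
        authserv, _, rest = value.partition(";")
        if (authserv.split() or [""])[0].lower() != trusted_authserv:
            continue                                     # not stamped by our receiver
        for clause in rest.split(";"):
            m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
            if m:
                results[m.group(1).lower()] = m.group(2).lower()
        if policy:
            results["dmarc_policy"] = policy.group(1).lower()
    return results


def verdict(results):
    """Map the parsed results to a simple triage label."""
    if results.get("dmarc") == "fail" or results.get("spf") == "fail":
        return "suspicious"
    if results.get("dmarc") == "pass":
        return "authenticated"
    return "unverified"


if __name__ == "__main__":
    parsed = auth_results(SAMPLE)
    print(parsed, verdict(parsed))
```

A message with no usable Authentication-Results header comes back as "unverified" rather than "authenticated", so a missing check is never read as a pass.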

So, what do we learn from all this? Well, first of all, the use of email aliases tells me this is spam before I even see it. Second, you need to read carefully and see if the email makes some strange suggestions. Third, be careful when opening attachments. Better yet, never open any attachment that you did not ask for!