As usual, spammers trying to fool me and many others, and the best way to protect you against them is by sharing how they operate. (And by using a proper spam filter, which is part of Google mail. And today some message was in my spam folder which seemed to be legitimate. Well, okay… There was another hint telling me something wasn’t right. Multiple hints even.
Delivered-To: Received: by 10.50.83.72 with SMTP id o8csp50152igy; Thu, 5 Jun 2014 10:35:17 -0700 (PDT) X-Received: by 10.180.76.210 with SMTP id m18mr17979380wiw.49.1401989716698; Thu, 05 Jun 2014 10:35:16 -0700 (PDT) Return-Path: Received: from sm1.white-lines.net (sm1.white-lines.net. [188.8.131.52]) by mx.google.com with ESMTP id cn1si16467631wib.60.2014.06.05.10.35.16 for <firstname.lastname@example.org>; Thu, 05 Jun 2014 10:35:16 -0700 (PDT) Received-SPF: pass (google.com: domain of designates 184.108.40.206 as permitted sender) client-ip=220.127.116.11; Received: by sm1.white-lines.net id hi2736000dsi for ; Thu, 5 Jun 2014 17:35:15 +0200 (envelope-from ) MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable From: Security Team <email@example.com> Return-Path: bounce- To: Subject: Your website has a security leak! Message-ID: User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 Date: Thu, 05 Jun 2014 17:35:15 +0200 Hello, during a routine check, we discovered that the server hosting your domain h= as a security leak and is currently vulnerable. Your website is at risk of = being hacked! It's also running an outdated PHP version. For further security details and secure managed server offers, please visit= our website: http://www.security-fix-required.com// Thank you, Security Division Managed Root Server
So, what did they do to make it seem legitimate? Well, it was a simple plain-text email with just a small amount of text. Apparently someone discovered a security leak in my website and is warning me about it. Since there are always white-hat hackers on the Internet who search for such things to warn the site owners, it could be legitimate. It even seems an automated message from an automated vulnerability scanner. So, it will probably fool a few people into clicking on the link in the email.
And that was the first thing that set me off. The domain name is a bit long and the URL ends with what seems to be a GUID or other identifier. If I would click on it, the site would confirm my address as legitimate and perhaps it would redirect me to some online advertisement or even a malware site. So, first lesson: If a URL has a weird number in it, it should be automatically suspicious!
Of course, the message doesn’t give me any information, just a warning. If they had detected something, they could have included a few more details. At least, they could have named the domain that they’ve checked. I have multiple domain names so this warning tells me nothing about the site.
They also mentioned a leak in an older version of PHP in my website, but my website doesn’t use PHP. I know this blog does, but this blog is hosted. It’s not on my server. And the host is making sure it stays safe with the latest updates. (At least, I hope they do but fortunately they have many other customers too.) If they had left away the remark about PHP, it might have looked more legitimate.
The fact that they don’t leave a name is reasonable, since hackers prefer to be anonymous. But hackers would use an alias instead, not some name of some server.
Of course, it also helped that this email ended up in my spam folder. Reporting spam thus helps protect others.If it had not been in my spam folder I would have reported it as spam myself, so Google would recognise it as spam in the future.
Some further analysis by using RobTex tells me the domain is very new. It was registered today, so probably not blacklisted yet. A Google search for the domain name is also interesting. These two should offer plenty of warnings about the site.
Of course, this wasn’t the only spam message, but it was the most tempting. Another message I received tried to sell me a specific kind of blue pills. A third one tempted me with some video but not only did Google detect it as spam, My virus scanner detected the URL inside the spam as potentially malicious. And Ruby Palace wants me as visitor, even though online gambling sites are illegal in the Netherlands if they target Dutch consumers. Since the email was in Dutch, one extra law was broken.
Again, the best weapon against spam is educating people about all the tricks spammers use and to make sure spam gets reported as such. If you use Yahoo mail, Windows Live email or Google mail, reporting spam as such should be a simple option.