Traffic Infringement Malspam

This appeared in my email today:

From: 		Avis Vanhise <[email protected]>
Subject: 	TRAFFIC INFRINGMENT NOTICE
Message:
PHOTOGRAPHIC EVIDENCE
This is automatically generated message, please do not reply.

ou have been issued with a traffic infrigement:


 

Reason: negligent driving
Infringement No:  886658188
Date of issue:  11/10/2016 
Amount due: $  221  AUD

This fine will be sent to you by mail to your adress, but you can check it now, please click here   

https://traffic-law/notification/

This fine must be paid within the statutory period of up to 12.18.2016.

No, I didn’t fail to copy it, they misspelled “you” and “address”. The wording’s got the usual eastern-european mangling of phrasing, and it was neat that it identified that I’m Australian, sending me a fine in AUD. They used two different date-display formats, dots and slashes, but both dates seem to be in US date format, MM/DD/YYYY which is another tell.

The link is hilariously obvious, and actually links to a google docs “export file” link, which sadly doesn’t work anymore:

sorry this is infected

Good work Google! The first time I clicked on it, I got a “this file has been clicked on too many times” error, which is sad in itself. It’s pretty horrifying that people fail for this kind of thing over and over, but as the saying goes “there’s a new person born every day that hasn’t seen x”.

There’s some notable headers in the original message which lead me to the usual conclusion; un-patched or poorly written wordpress plugins, bouncing off open SMTP relays, hit from Chinese IPs are the source of many of the internet’s woes. :(

X-Originator: 	46.161.56.178 (BeijingNet - AS50896)
X-Mail-from: 	[email protected]
X-WP-MailID: 	7f774d628be406901fc5393d33be5224
X-WP-AV: 		skaner antywirusowy poczty Nowej Poczty
X-WP-SPAM: 		NO 0000015 [QbZU]    

Fun facts:

  • The message originated from a Chinese IP address, woo!
  • The reverse DNS for the Chinese IP is a Russian doman name (pinspb.ru) which is even more fun.
  • Due to the open relay on mx-out.tlen.pl, SPF records for the domain didn’t help.


#malspam #work