This appeared in my email today:
From: Avis Vanhise <firstname.lastname@example.org> Subject: TRAFFIC INFRINGMENT NOTICE Message: PHOTOGRAPHIC EVIDENCE This is automatically generated message, please do not reply. ou have been issued with a traffic infrigement: Reason: negligent driving Infringement No: 886658188 Date of issue: 11/10/2016 Amount due: $ 221 AUD This fine will be sent to you by mail to your adress, but you can check it now, please click here https://traffic-law/notification/ This fine must be paid within the statutory period of up to 12.18.2016.
No, I didn’t fail to copy it, they misspelled “you” and “address”. The wording’s got the usual eastern-european mangling of phrasing, and it was neat that it identified that I’m Australian, sending me a fine in AUD. They used two different date-display formats, dots and slashes, but both dates seem to be in US date format, MM/DD/YYYY which is another tell.
The link is hilariously obvious, and actually links to a google docs “export file” link, which sadly doesn’t work anymore:
Good work Google! The first time I clicked on it, I got a “this file has been clicked on too many times” error, which is sad in itself. It’s pretty horrifying that people fail for this kind of thing over and over, but as the saying goes “there’s a new person born every day that hasn’t seen x”.
There’s some notable headers in the original message which lead me to the usual conclusion; un-patched or poorly written wordpress plugins, bouncing off open SMTP relays, hit from Chinese IPs are the source of many of the internet’s woes. :(
X-Originator: 188.8.131.52 (BeijingNet - AS50896) X-Mail-from: email@example.com X-WP-MailID: 7f774d628be406901fc5393d33be5224 X-WP-AV: skaner antywirusowy poczty Nowej Poczty X-WP-SPAM: NO 0000015 [QbZU]
- The message originated from a Chinese IP address, woo!
- The reverse DNS for the Chinese IP is a Russian doman name (
pinspb.ru) which is even more fun.
- Due to the open relay on
mx-out.tlen.pl, SPF records for the domain didn’t help.