Monday, April 25, 2016

The danger of reading email before drinking coffee

It was a great Monday morning. We cuddled our Rottweiler puppy. Kathy poured me a cup of coffee, and I went over to the office to read my email. There was a well-written note from someone who wanted to buy SANS (for five to ten million - good luck with that). And yours truly, a person well known for beyond-average paranoia, actually responded. I have had two cups of coffee now and deleted two emails, one to Press@SANS, the other to SCORE@SANS, from Russia offering to buy SANS. Not sure what the scam is exactly, but I am sure it is a scam.

Here is the latest; notice the wording problem:

Hello

In my search for a business partner i got your contact in google search. My client is willing to invest $10 Million to $50 million but my client said he need a trusted partner who he can have a meeting at the point of releasing his funds. 

I told my client that you have a good profile with your company which i got details about you on my search on google lookup. Can we trust you. 

Can we make a plan for a long term business relationship.

Please reply. 

For and on Behalf of the Investor 395,
Shosse Kosmonavtov Perm, Russia
Tel: +44 703197576

Here are the headers:
To: score@sans.org 
Reply-To: lee@suhrr.com 
Received: from mail1b.den.sans.org (LHLO mail1b.den.sans.org) (10.2.2.42) by mail1b.den.sans.org with LMTP; Mon, 25 Apr 2016 20:39:13 +0100 (BST)
Received: from mail1b.den.sans.org (localhost [127.0.0.1]) by mail1b.den.sans.org (Postfix) with ESMTPS id 1DD468EE08F0 for <snorthcutt@sans.edu>; Mon, 25 Apr 2016 20:39:13 +0100 (BST)
Received: from localhost (localhost [127.0.0.1]) by mail1b.den.sans.org (Postfix) with ESMTP id 0F9F78EE08E9 for <snorthcutt@sans.edu>; Mon, 25 Apr 2016 20:39:13 +0100 (BST)
Received: from mail1b.den.sans.org ([127.0.0.1]) by localhost (mail1b.den.sans.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id wGdUDkluscQ3 for <snorthcutt@sans.edu>; Mon, 25 Apr 2016 20:39:12 +0100 (BST)
Received: from savfw21a.sans.org (savfw21a.den.sans.org [10.2.2.25]) by mail1b.den.sans.org (Postfix) with ESMTP id E3C718EE04D1 for <snorthcutt@zimbra.sans.org>; Mon, 25 Apr 2016 20:39:12 +0100 (BST)
Received: from smtp21a.den.sans.org (smtp21a.den.sans.org [10.2.2.12]) by savfw21a.sans.org with ESMTP id 4A5llAcy88XXWhLd for <snorthcutt@zimbra.sans.org>; Mon, 25 Apr 2016 19:39:12 +0000 (GMT)
Received: from suhrr.com (unknown [50.244.188.212]) by smtp21a.den.sans.org (Postfix) with ESMTP id 31198408A5 for <score@sans.org>; Mon, 25 Apr 2016 19:39:12 +0000 (UTC)
X-Asg-Debug-Id: 1461613152-04861a11f6fad20001-6JivnH
X-Barracuda-Bbl-Ip: 50.244.188.212
X-Barracuda-Rbl-Ip: 50.244.188.212
X-Quarantine-Id: <wGdUDkluscQ3>
X-Barracuda-Apparent-Source-Ip: 50.244.188.212
Return-Path: melvin@suhrr.com
Mime-Version: 1.0
X-Virus-Scanned: amavisd-new at mail1b.den.sans.org
X-Virus-Scanned: by bsmtpd at sans.org
X-Barracuda-Spam-Status: No, SCORE=0.60 using global scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=4.0 KILL_LEVEL=1000.0 tests=ADVANCE_FEE_1, BSF_SC0_MISMATCH_TO, BSF_SC5_MJ1963, HTML_MESSAGE, MIME_HTML_ONLY, RDNS_NONE
X-Barracuda-Rbl-Trusted-Forwarder: 10.2.2.12
Content-Transfer-Encoding: quoted-printable
Message-Id: <20160425153912.8DDD0BDB8E87662D@suhrr.com>
X-Barracuda-Spam-Score: 0.60
X-Barracuda-Url: https://spam.sans.org:443/cgi-mod/mark.cgi
X-Asg-Orig-Subj: RE: Great Investment Offer
X-Barracuda-Connect: smtp21a.den.sans.org[10.2.2.12]
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.29050 Rule breakdown below pts rule name              description ---- ---------------------- -------------------------------------------------- 0.00 BSF_SC0_MISMATCH_TO    Envelope rcpt doesn't match header 0.00 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts 0.00 HTML_MESSAGE           BODY: HTML included in message 0.00 ADVANCE_FEE_1          Appears to be advance fee fraud (Nigerian 419) 0.10 RDNS_NONE              Delivered to trusted network by a host with no rDNS 0.50 BSF_SC5_MJ1963         Custom Rule MJ1963
Content-Type: text/html; charset="iso-8859-1"
X-Barracuda-Start-Time: 1461613152
X-Barracuda-Brts-Status: 1
X-Barracuda-Envelope-From: melvin@suhrr.com

RE: Great Investment Offer
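As an added example (not code from the original post), here is a small Python script that triages this header block the way an analyst would: it walks the Received chain from the earliest hop, finds the first public address (50.244.188.212, the host that introduced itself as suhrr.com and has no reverse DNS), compares Reply-To against Return-Path, lists every envelope recipient seen in the Received lines, and parses the Barracuda status line to show that ADVANCE_FEE_1 matched but contributed 0.00 points, so the 0.60 score stayed under the 3.5 tag level. The header text embedded in the script is copied from the post (the From: and Subject: lines were not part of what the post printed); the function names are my own.

```python
"""Triage the header block from the post: walk the Received chain back to the
originating host and pull out the identity and spam-filter signals a defender
would check. Added example; RAW_HEADERS is copied from the post."""
import email
import ipaddress
import re
from email.utils import parseaddr

# Header block as printed in the post (no From:/Subject: lines were shown there).
RAW_HEADERS = """\
To: score@sans.org
Reply-To: lee@suhrr.com
Received: from mail1b.den.sans.org (LHLO mail1b.den.sans.org) (10.2.2.42) by mail1b.den.sans.org with LMTP; Mon, 25 Apr 2016 20:39:13 +0100 (BST)
Received: from mail1b.den.sans.org (localhost [127.0.0.1]) by mail1b.den.sans.org (Postfix) with ESMTPS id 1DD468EE08F0 for <snorthcutt@sans.edu>; Mon, 25 Apr 2016 20:39:13 +0100 (BST)
Received: from localhost (localhost [127.0.0.1]) by mail1b.den.sans.org (Postfix) with ESMTP id 0F9F78EE08E9 for <snorthcutt@sans.edu>; Mon, 25 Apr 2016 20:39:13 +0100 (BST)
Received: from mail1b.den.sans.org ([127.0.0.1]) by localhost (mail1b.den.sans.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id wGdUDkluscQ3 for <snorthcutt@sans.edu>; Mon, 25 Apr 2016 20:39:12 +0100 (BST)
Received: from savfw21a.sans.org (savfw21a.den.sans.org [10.2.2.25]) by mail1b.den.sans.org (Postfix) with ESMTP id E3C718EE04D1 for <snorthcutt@zimbra.sans.org>; Mon, 25 Apr 2016 20:39:12 +0100 (BST)
Received: from smtp21a.den.sans.org (smtp21a.den.sans.org [10.2.2.12]) by savfw21a.sans.org with ESMTP id 4A5llAcy88XXWhLd for <snorthcutt@zimbra.sans.org>; Mon, 25 Apr 2016 19:39:12 +0000 (GMT)
Received: from suhrr.com (unknown [50.244.188.212]) by smtp21a.den.sans.org (Postfix) with ESMTP id 31198408A5 for <score@sans.org>; Mon, 25 Apr 2016 19:39:12 +0000 (UTC)
X-Barracuda-Apparent-Source-Ip: 50.244.188.212
Return-Path: melvin@suhrr.com
X-Barracuda-Spam-Status: No, SCORE=0.60 using global scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=4.0 KILL_LEVEL=1000.0 tests=ADVANCE_FEE_1, BSF_SC0_MISMATCH_TO, BSF_SC5_MJ1963, HTML_MESSAGE, MIME_HTML_ONLY, RDNS_NONE
X-Barracuda-Spam-Score: 0.60
X-Barracuda-Envelope-From: melvin@suhrr.com

"""

# "from <claimed host> <detail> by <receiving host>"; detail holds rDNS/IP.
HOP_RE = re.compile(r"from\s+(?P<claimed>\S+)\s+(?P<detail>.*?)\s+by\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FOR_RE = re.compile(r"\bfor\s+<([^>]+)>")


def received_chain(msg):
    """Return hops earliest-first. Each MTA prepends its Received line, so the
    header order on the wire is latest-first and must be reversed."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue
        ips = IP_RE.findall(m.group("detail"))
        rcpt = FOR_RE.search(value)
        hops.append({
            "claimed": m.group("claimed"),          # what the sender said in HELO/EHLO
            "ip": ips[0] if ips else None,           # what the receiver actually saw
            "by": m.group("by"),
            "rdns_missing": "unknown" in m.group("detail"),  # Postfix writes "unknown" when rDNS fails
            "envelope_rcpt": rcpt.group(1) if rcpt else None,
        })
    return hops


def originating_ip(hops):
    """First hop whose address is globally routable: the true entry point,
    ignoring the internal 10.x / 127.0.0.1 relays our own MTAs added."""
    for hop in hops:
        if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
            return hop["ip"]
    return None


def spam_status(msg):
    """Pull score, tag threshold and the list of matched rules from the
    Barracuda status header."""
    value = msg.get("X-Barracuda-Spam-Status", "")
    score = re.search(r"SCORE=([\d.]+)", value)
    tag = re.search(r"TAG_LEVEL=([\d.]+)", value)
    tests = re.search(r"tests=(.*)$", value)
    score = float(score.group(1)) if score else 0.0
    tag = float(tag.group(1)) if tag else None
    return {
        "score": score,
        "tag_level": tag,
        "tests": [t.strip() for t in tests.group(1).split(",")] if tests else [],
        "tagged": tag is not None and score >= tag,
    }


def triage(raw):
    """Summarise the signals an analyst would look at for this message."""
    msg = email.message_from_string(raw)
    hops = received_chain(msg)
    origin = originating_ip(hops)
    status = spam_status(msg)
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    return {
        "hop_count": len(hops),
        "originating_ip": origin,
        "origin_matches_filter_view": origin == msg.get("X-Barracuda-Apparent-Source-Ip"),
        "origin_claimed_host": hops[0]["claimed"] if hops else None,
        "origin_rdns_missing": hops[0]["rdns_missing"] if hops else None,
        "reply_to": reply_to,
        "return_path": return_path,
        "reply_to_differs": reply_to != return_path,   # replies go to a different mailbox than bounces
        "header_to": parseaddr(msg.get("To", ""))[1],
        "envelope_recipients": sorted({h["envelope_rcpt"] for h in hops if h["envelope_rcpt"]}),
        "spam_score": status["score"],
        "spam_tests": status["tests"],
        "tagged_by_filter": status["tagged"],
        "content_rule_hits": [t for t in status["tests"] if t.startswith("ADVANCE_FEE")],
    }


if __name__ == "__main__":
    for key, val in triage(RAW_HEADERS).items():
        print(f"{key}: {val}")
```

The useful takeaways for a defender are in the last three fields: the filter's own 419 rule fired, but it was weighted 0.00, so the message sailed under the tag level and was delivered with only the operator's custom rule and the missing-rDNS test adding any points at all. Raising the weight on ADVANCE_FEE_1 (or alerting on it regardless of score) would have caught this one before coffee.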
