It was a great Monday morning. We cuddled our Rottweiler puppy, Kathy poured me a cup of coffee, and I went over to the office to read my email. There was a well-written note from someone who wanted to buy SANS (for five to ten million - good luck with that). And yours truly, a person well known for beyond-average paranoia, actually responded. I have had two cups of coffee now and have deleted two emails, one to Press@SANS and the other to SCORE@SANS, from Russia, offering to buy SANS. Not sure what the scam is exactly, but I am sure it is a scam.
Here is the latest; notice the wording problem:
In my search for a business partner i got your contact in google search. My client is willing to invest $10 Million to $50 million but my client said he need a trusted partner who he can have a meeting at the point of releasing his funds.
I told my client that you have a good profile with your company which i got details about you on my search on google lookup. Can we trust you.
Can we make a plan for a long term business relationship.
For and on Behalf of the Investor 395,
Shosse Kosmonavtov Perm, Russia
Tel: +44 703197576
Here are the headers:
Received: from mail1b.den.sans.org (LHLO mail1b.den.sans.org) (10.2.2.42) by mail1b.den.sans.org with LMTP; Mon, 25 Apr 2016 20:39:13 +0100 (BST)
Received: from mail1b.den.sans.org (localhost [127.0.0.1]) by mail1b.den.sans.org (Postfix) with ESMTPS id 1DD468EE08F0 for <firstname.lastname@example.org>; Mon, 25 Apr 2016 20:39:13 +0100 (BST)
Received: from localhost (localhost [127.0.0.1]) by mail1b.den.sans.org (Postfix) with ESMTP id 0F9F78EE08E9 for <email@example.com>; Mon, 25 Apr 2016 20:39:13 +0100 (BST)
Received: from mail1b.den.sans.org ([127.0.0.1]) by localhost (mail1b.den.sans.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id wGdUDkluscQ3 for <firstname.lastname@example.org>; Mon, 25 Apr 2016 20:39:12 +0100 (BST)
Received: from savfw21a.sans.org (savfw21a.den.sans.org [10.2.2.25]) by mail1b.den.sans.org (Postfix) with ESMTP id E3C718EE04D1 for <email@example.com>; Mon, 25 Apr 2016 20:39:12 +0100 (BST)
Received: from smtp21a.den.sans.org (smtp21a.den.sans.org [10.2.2.12]) by savfw21a.sans.org with ESMTP id 4A5llAcy88XXWhLd for <firstname.lastname@example.org>; Mon, 25 Apr 2016 19:39:12 +0000 (GMT)
Received: from suhrr.com (unknown [184.108.40.206]) by smtp21a.den.sans.org (Postfix) with ESMTP id 31198408A5 for <email@example.com>; Mon, 25 Apr 2016 19:39:12 +0000 (UTC)
X-Virus-Scanned: amavisd-new at mail1b.den.sans.org
X-Virus-Scanned: by bsmtpd at sans.org
X-Barracuda-Spam-Status: No, SCORE=0.60 using global scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=4.0 KILL_LEVEL=1000.0 tests=ADVANCE_FEE_1, BSF_SC0_MISMATCH_TO, BSF_SC5_MJ1963, HTML_MESSAGE, MIME_HTML_ONLY, RDNS_NONE
X-Asg-Orig-Subj: RE: Great Investment Offer
X-Barracuda-Spam-Report: Code version 3.2, rules version 220.127.116.11050
Rule breakdown below
pts rule name description
---- ---------------------- --------------------------------------------------
0.00 BSF_SC0_MISMATCH_TO Envelope rcpt doesn't match header
0.00 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
0.00 HTML_MESSAGE BODY: HTML included in message
0.00 ADVANCE_FEE_1 Appears to be advance fee fraud (Nigerian 419)
0.10 RDNS_NONE Delivered to trusted network by a host with no rDNS
0.50 BSF_SC5_MJ1963 Custom Rule MJ1963
Content-Type: text/html; charset="iso-8859-1"
RE: Great Investment Offer
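An added example (not part of the diary) of what to pull out of headers like these: walk the Received chain from the top until the sending host is no longer one of ours, which is the hop where the message entered the trusted network, and read the Barracuda headers to see why a message that matched ADVANCE_FEE_1 still arrived untagged. The embedded headers are a constructed, abbreviated copy of the ones above; the function names are my own.

```python
import re
from email import message_from_string

# Constructed from the headers in the diary above, abbreviated to the fields used here.
RAW = """\
Received: from mail1b.den.sans.org (LHLO mail1b.den.sans.org) (10.2.2.42) by mail1b.den.sans.org with LMTP; Mon, 25 Apr 2016 20:39:13 +0100 (BST)
Received: from savfw21a.sans.org (savfw21a.den.sans.org [10.2.2.25]) by mail1b.den.sans.org (Postfix) with ESMTP id E3C718EE04D1; Mon, 25 Apr 2016 20:39:12 +0100 (BST)
Received: from smtp21a.den.sans.org (smtp21a.den.sans.org [10.2.2.12]) by savfw21a.sans.org with ESMTP id 4A5llAcy88XXWhLd; Mon, 25 Apr 2016 19:39:12 +0000 (GMT)
Received: from suhrr.com (unknown [184.108.40.206]) by smtp21a.den.sans.org (Postfix) with ESMTP id 31198408A5; Mon, 25 Apr 2016 19:39:12 +0000 (UTC)
X-Barracuda-Spam-Status: No, SCORE=0.60 using global scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=4.0 KILL_LEVEL=1000.0 tests=ADVANCE_FEE_1, BSF_SC0_MISMATCH_TO, BSF_SC5_MJ1963, HTML_MESSAGE, MIME_HTML_ONLY, RDNS_NONE
X-Barracuda-Spam-Report: Rule breakdown below pts rule name description 0.00 BSF_SC0_MISMATCH_TO Envelope rcpt doesn't match header 0.00 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 0.00 HTML_MESSAGE BODY: HTML included in message 0.00 ADVANCE_FEE_1 Appears to be advance fee fraud (Nigerian 419) 0.10 RDNS_NONE Delivered to trusted network by a host with no rDNS 0.50 BSF_SC5_MJ1963 Custom Rule MJ1963

"""
HOP_RE = re.compile(r"from\s+(\S+)\s+(.*?)\s+by\s+(\S+)", re.S)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def received_hops(raw):
    """Received chain as dicts, newest hop first (the order the headers appear)."""
    hops = []
    for line in message_from_string(raw).get_all("Received", []):
        claimed, detail, by = HOP_RE.search(line).groups()
        ip = IP_RE.search(detail)
        hops.append({"claimed": claimed, "by": by, "ip": ip.group(0) if ip else None,
                     "rdns": not detail.startswith("(unknown")})  # Postfix: no reverse DNS
    return hops

def entry_point(hops, trusted_suffix=".sans.org"):
    """Walk newest to oldest while the sender is one of our hosts; the first hop whose
    sender is not ours is where the message crossed into the trusted network. Only the
    hops above it were written by our own servers, so only they can be believed."""
    return next((h for h in hops if not h["claimed"].endswith(trusted_suffix)), None)

def spam_verdict(raw):
    """Score, tag threshold and per-rule points from the Barracuda headers."""
    msg = message_from_string(raw)
    status, report = msg["X-Barracuda-Spam-Status"], msg["X-Barracuda-Spam-Report"]
    score = float(re.search(r"SCORE=([\d.]+)", status).group(1))
    tag = float(re.search(r"TAG_LEVEL=([\d.]+)", status).group(1))
    points = {name: float(pts) for pts, name in re.findall(r"(\d+\.\d\d) ([A-Z0-9_]+)", report)}
    return {"score": score, "tag_level": tag, "tagged": score >= tag, "points": points}

if __name__ == "__main__":
    hop = entry_point(received_hops(RAW))
    print(f"entered via {hop['by']} from {hop['claimed']} [{hop['ip']}] rDNS={hop['rdns']}")
    v = spam_verdict(RAW)
    print(f"score {v['score']} < tag level {v['tag_level']}: delivered untagged; "
          f"ADVANCE_FEE_1 worth {v['points']['ADVANCE_FEE_1']} points")
```

The 419 rule fired but carries zero weight in this rule set, so the whole 0.60 came from the missing rDNS and one custom rule, well short of the 3.5 tag level; that is the knob to look at if messages like this should be tagged.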