Ok, you probably don't believe it. Well, neither did I. When Mrs. Hillary Miguel sent me this email (addressed to "undisclosed recipients"), I did not give up my day-time job.
-- OFFICIAL WINNING NOTIFICATION. Dr. Pedro Marios Ruben. The Microsoft Internet E-mail lottery Awards is sponsored by our |
There is nothing very remarkable about the body of this message. It is the usual unconvincing spammer bullshit, with poor spammer grammar, a highly unlikely spammer offer of 1 million euros (and a Dell Laptop? gosh oh gee! forget the million euros! I'll just have the laptop) and unlikely spammer patrons -- Bill Gates -- I know he's into charities -- but how many of us would believe that Bill would come out of retirement just for this? Ok, I know this spam may not be targeting the top ten percent of the population, but I get the feeling that the spammers may be so ill-informed and ignorant, they don't even realise that Citizen Gates is no longer CEO of Microsoft.
But the reason your humble blogger is mentioning our little Microsoft Lottery spammer is because the headers appeared genuine! The Return-Path header, all the Received headers and the IP addresses (withheld) were consistent with an email that had come from a well known University in Ankara, Turkey.
How could this be? Are these enterprising young Turks being taught how to spam? Well, not likely! My eye happened to catch this header:
User-Agent: SquirrelMail/1.4.9a
SquirrelMail, it seems, is a webmail package written in PHP. I am not familiar with it, but according to their website, the latest version is 1.4.17, and there are some warnings about vulnerabilities in earlier versions. If I can believe the Received headers, it looks as if the source of the original message was 84.120.79.142, which appears to be a dynamic address owned by Cableuropa - ONO. All IP addresses run by this outfit have a poor reputation, it seems. This was most likely the source of the attack against the University server.
This suggests that someone at the Middle Eastern Technical University needs to do some maintenance work on their servers.
And if you use SquirrelMail, you might want to check their website here.
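The header reading described above can be scripted for triage. This is an added example, not code from the original post: the sample message, its hostnames, dates and documentation-range IPs are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: documentation IPs and example hostnames, not the real message.
SAMPLE = """\
Return-Path: <user@webmail.example.edu>
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby mail.recipient.example with ESMTP; Mon, 1 Dec 2008 10:00:05 +0000
Received: from webmail.example.edu (localhost [127.0.0.1])
\tby mx.example.edu with ESMTP; Mon, 1 Dec 2008 10:00:03 +0000
Received: from 203.0.113.7
\tby webmail.example.edu with HTTP; Mon, 1 Dec 2008 10:00:01 +0000
User-Agent: SquirrelMail/1.4.9a
To: undisclosed-recipients:;
Subject: OFFICIAL WINNING NOTIFICATION

(body omitted)
"""

LATEST = (1, 4, 17)  # latest SquirrelMail release named in the post
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def received_chain(msg):
    """Hops oldest-first: every relay prepends its own Received header."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        sender, _, rest = flat.partition(" by ")
        ips = IP_RE.findall(sender)
        via = re.search(r"\bwith (\w+)", rest)
        hops.append({"ip": ips[0] if ips else None,
                     "by": rest.split()[0] if rest else None,
                     "with": via.group(1) if via else None})
    return hops

def webmail_version(msg):
    """Numeric part of a SquirrelMail User-Agent, e.g. 1.4.9a -> (1, 4, 9)."""
    m = re.match(r"SquirrelMail/(\d+)\.(\d+)\.(\d+)", msg.get("User-Agent", ""))
    return tuple(int(g) for g in m.groups()) if m else None

def triage(raw):
    msg = message_from_string(raw)
    chain = received_chain(msg)
    version = webmail_version(msg)
    # Only hops written by relays you trust are reliable; older ones can be forged.
    return {"origin_ip": chain[0]["ip"] if chain else None,
            "submitted_via": chain[0]["with"] if chain else None,
            "relays": [h["by"] for h in chain],
            "webmail_version": version,
            "outdated": version is not None and version < LATEST}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hop submitted `with HTTP` to a webmail host, combined with an outdated `User-Agent` version, is the pattern the post spotted by eye.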