Authors: Kévin <mailto:email@example.com>
If you've found this link in a header in an email, great news: I finally get to tell you three things.
1. free.mg hasn't sent this email and the link is junk
2. whoever is running this campaign is an idiot because I own the domain and have full control of it
3. speak to your ISP because they need to respect DMARC instructions better (I run a reject policy for SPF / DKIM fails)
I get thousands of mail-daemon rejects from shittily configured spam drone servers and more from poorly configured endpoint SMTP servers because of course half the email addresses don't exist.
Sometimes they'll slip through and it starts an endless cycle of bounces between the internal and external relays.
To spot a non-legitimate email from free.mg, the botnet seems to have a pretty standard method:
Here is an example. The sending IP and receiving servers should be shamed publicly and can, in my professional opinion, just get fucked if they don't want this to be seen.
Return-path: => Karoline67@free.mg
Received: from [220.127.116.11] (port=1171 helo=exiur)
    by server.klungkungkab.go.id with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.94.2) (envelope-from => Karoline67@free.mg)
    id 1nET3s-0007yW-FK; Mon, 31 Jan 2022 17:33:27 +0800
MIME-Version: 1.0
Subject: Let the smile never disappear from your face, let your heart beat in tune with joy and gladness, let this day be successful and happy!
Content-Type: multipart/alternative; boundary="08bd0b5f546f455e7227913aee4a61952bb811"
From: Karoline18@love.lt
Date: Mon, 31 Jan 2022 12:32:51 +0300
Message-ID: <9541119080.12996.8742767761011.JavaMail.firstname.lastname@example.org>
List-Help: http://free.mg/ru/subscribe_confirm?hash=4jgjn5aerq4fj3zlagj0rvn5kjzmtin0n2ed7qmy6ec776sqis2g7fog08wkbults
X-Priority: 3
Reply-To: email@example.com
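
The mismatches visible in the headers quoted above can be checked mechanically. The following is an added example, not code from this page's author: the function names, the relay name `relay.example.net`, the IP address and the hash value are constructed placeholders, and it assumes that an authenticated submission (`esmtpsa`) for a free.mg envelope sender would only be legitimate on a free.mg host.

```python
import re
from email import message_from_string
from email.utils import parseaddr

DOMAIN = "free.mg"  # domain named on the page

# Constructed sample modelled on the headers quoted above. The relay name,
# IP address, queue id and hash value are placeholders, not page values.
SAMPLE = (
    "Return-Path: <Karoline67@free.mg>\n"
    "Received: from [192.0.2.10] (port=1171 helo=exiur)\n"
    "\tby relay.example.net with esmtpsa (TLS1.2) (Exim 4.94.2)\n"
    "\t(envelope-from <Karoline67@free.mg>)\n"
    "\tid 1abcDE-000000-AA; Mon, 31 Jan 2022 17:33:27 +0800\n"
    "From: Karoline18@love.lt\n"
    "List-Help: http://free.mg/ru/subscribe_confirm?hash=PLACEHOLDER\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def domain_of(value):
    """Lower-cased domain of an address header value, or '' if there is none."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def under(host, domain):  # True if host is the domain or one of its subdomains
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def spoof_indicators(raw, domain=DOMAIN):
    """Return the header mismatches suggesting `domain` is only being borrowed."""
    msg = message_from_string(raw)
    frm = domain_of(msg["From"])
    hits = []
    if domain_of(msg["Return-Path"]) == domain and frm != domain:
        hits.append("envelope-from/From mismatch")
    for rcvd in msg.get_all("Received", []):
        by = re.search(r"\bby\s+([\w.-]+)\s+with\s+esmtpsa\b", rcvd)
        env = re.search(r"envelope-from\s+<[^>@\s]*@([\w.-]+)>", rcvd)
        # Assumption: esmtpsa (authenticated submission) for this domain's
        # sender is only expected on the domain's own servers.
        if by and env and under(env.group(1), domain) and not under(by.group(1), domain):
            hits.append("authenticated submission via " + by.group(1).lower())
    link = re.search(r"https?://([\w.-]+)", msg.get("List-Help", ""))
    if link and under(link.group(1), domain) and frm != domain:
        hits.append("List-Help link/From mismatch")
    return hits
```
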
Made with disdain à Paris • Barcelona • Oslo </3
CC BY-NC-SA 4.0