Suspicious email messages? Play it safe.

The last few weeks I’ve been getting emails, supposedly from Mailgun, notifying me that they need to verify ownership of my email address and that if I don’t click the link to do so, my account will be “temporarily… put on hold until verification is complete.”

Now, let’s be clear right up front. Any time you get a message with such content, be extremely wary. How often do legitimate companies send out such requests, anyway? Let’s examine these emails a little more closely. Here’s a screenshot from Thunderbird of a recent message:

This one actually got tagged as SPAM by my SpamAssassin mail filter. Not all of them have, but the message content is similar in all I’ve gotten like this.

As you can see by the subject line, my mail server correctly tagged this as spam, and it landed in my junk folder. But when an email like this arrives, how do you know if it’s legit or not? Well, a few things immediately stand out:

  1. Take a look at the “From” address, would you! Does anyone in his right mind think that Mailgun account notification emails would come from “info@goskydive.ca” ? Seriously? Whoever sent me this needs to take a break from his computer, go find an airport, and go skydiving. It would be a better use of his time. Actually, second thoughts — he needs to read his Bible, find a Scriptural church, and learn how to do something productive with his life.
  2. Notice the total lack of details. If this were really Mailgun, the message would say what is being verified, why it is needed, and which account or domain it concerns; a generic message with no account-specific detail is a classic sign of a mass mailing. (But I still wouldn’t trust it: more on that later.)
  3. Does the email format look like something a corporation would put together? How professional is it to start every line with ## and interject a random * here and there?
  4. The reassuring “it only takes a few seconds.” This reeks of spam tactics: a tiny ask paired with a threat (your account will be put on hold) is meant to disarm you and get you to take the bait before you stop to think.

OK, so this email has a nice HTML link we could click on. Suppose you really aren’t sure if a message is legit or not, what should you do?

  1. DO NOT CLICK LINKS WITHOUT INVESTIGATION. The text of a link and the address it actually points to are two separate things, and the sender controls both. Hover your mouse over the link and read the real target URL. Have a look at this screenshot, and notice the URL that appears in Thunderbird’s lower left corner when I hover my mouse over the “Verify your account” link. (yeah, I know, some of the rest of those Spam messages are plain silly! Who said I need to burn pounds, do hair recovery, or get rid of skin tags / moles? sigh… well, I guess it would be nice to stop the ringing in my ears, but I doubt there’s any help to be had in my Junk folder!)

    There’s just no reason to believe that the domain “03securitysystems.com” is in any way affiliated with Mailgun! (When you read a URL, the part that matters is the registered domain right before the first single slash; a host such as mailgun.com.example.net belongs to example.net, not to Mailgun, no matter how much of the name looks familiar.)
  2. If you’re still in doubt, don’t click any links in email messages like this. Go to your online account yourself, by typing the address you already know or using your own bookmark, and see if there’s some notice of action required on your part; or call the company, using a phone number from its official website rather than one printed in the email, and see what they say. In this case, I could go log into Mailgun myself and see if any notice shows up in my online account.
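
As an added example, not from the original post, the hover check can be done for every link in a message at once rather than one link at a time. The Python script below pulls each link’s visible text and its real target out of an HTML body and compares the target’s domain with the domain you expect the company to use. It also catches the trick where the visible text is itself a URL on the right domain while the href points somewhere else. The HTML is constructed for this example: only the domains 03securitysystems.com and mailgun.com come from the post, and the paths and the other host names are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: a real tool would consult
    the Public Suffix List so that names like example.co.uk are handled right."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_domain(url):
    """Registrable domain of a URL's host, or None for mailto:/relative links."""
    host = urlparse(url).hostname
    return registrable_domain(host) if host else None


def check_links(html_body, expected_domain):
    """Return (visible text, real target, verdict) for every link in the body."""
    parser = LinkCollector()
    parser.feed(html_body)
    results = []
    for text, href in parser.links:
        target = url_domain(href)
        if target is None:
            verdict = "no host (mailto:/relative link), nothing to hover"
        elif target == expected_domain:
            verdict = "ok"
        else:
            verdict = f"MISMATCH: target is {target}, not {expected_domain}"
        # The visible text may itself look like a URL on the right domain while
        # the href points elsewhere; flag that separately.
        claimed = url_domain(text) if text.startswith("http") else None
        if claimed and claimed != target:
            verdict += f"; link text claims {claimed}"
        results.append((text, href, verdict))
    return results


# Constructed HTML for this example; only the domains 03securitysystems.com and
# mailgun.com come from the post, the paths and other hosts are made up.
SAMPLE_HTML = """
<p>Please <a href="http://03securitysystems.com/">Verify your account</a>, it only takes a few seconds.</p>
<p>Or go to <a href="https://mailgun.com.example.net/login">https://mailgun.com/account</a></p>
<p>Questions? <a href="mailto:support@mailgun.com">support@mailgun.com</a></p>
<p><a href="https://mailgun.com/">Log in</a></p>
"""

if __name__ == "__main__":
    for text, href, verdict in check_links(SAMPLE_HTML, "mailgun.com"):
        print(f"{verdict:70} text={text!r} href={href}")
```

Run against the sample, the first two links are flagged (the second one twice over: wrong target and a misleading visible URL), the mailto link has no host to check, and only the last link actually lands on mailgun.com. The two-label domain rule is deliberately simple; swap in a Public Suffix List library before relying on it for country-code domains.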

Let’s have more fun with this!

Here’s the WHOIS record for the domain linked in the spam email. James Finley may well be a pseudonym, and at any rate it doesn’t sound like Mailgun to me.

Here’s one that didn’t even try to hide the wacky link. Note the highlighted sections below. This one is kindergarten-easy to spot as spam.

But some are a little more crafty. Have a look at this:

Whoa, so that’s really from mailgun.org?! This must be the real deal — or is it? Let’s dig deeper. Easy things first: why not just do a simple web search for mailgun? Perhaps mailgun.org isn’t even the right domain? Sure enough, take a look:

It’s mailgun.com, not mailgun.org.

OK, so the “real” Mailgun lives at mailgun.com. So we can naturally be wary of correspondence from mailgun.org: a look-alike name under a different top-level domain is one of the oldest phishing tricks. I also viewed the message source.

Now, I am no expert at reading mail headers. Quite the contrary, I find them to be quite a messy mumbo-jumbo of confusing and seemingly repetitious data. But the domain highlighted is a jewel of a find. Why would Mailgun be affiliated with the “gundogdirect.com” domain? I wonder if there’s header spoofing going on here but again, I simply am not studied up enough on mail headers to know for sure. If you’re reading this and can shed light on it for us, please chime in with a comment below!
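
As an added example, not part of the original post, here is how I would read such headers programmatically. The From: line is typed in by whoever sends the message, so on its own it proves nothing. What is hard to fake is the envelope sender (Return-Path), the domain that passed SPF or signed the message with DKIM as recorded in the Authentication-Results header written by your own server, and the topmost Received: line, which your own server adds when it accepts the message. The message below is constructed for this example: the host names, IP address, ids and dates are made up, mx.example.net stands in for your own mail server, and only the domains mailgun.org, gundogdirect.com and 03securitysystems.com come from the post. It is not the author’s actual message source.

```python
import email
import re

# Constructed sample for this example (not the author's actual message).
# Headers nearest the top were added last, by the receiving server mx.example.net.
RAW_MESSAGE = b"""Return-Path: <bounce@gundogdirect.com>
Received: from mail.gundogdirect.com (mail.gundogdirect.com [203.0.113.7])
    by mx.example.net with ESMTP id 4x7Q9k
    for <me@example.net>; Mon, 5 Mar 2018 10:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
    by mail.gundogdirect.com with ESMTP; Mon, 5 Mar 2018 09:59:58 +0000
Authentication-Results: mx.example.net;
    spf=pass smtp.mailfrom=bounce@gundogdirect.com;
    dkim=pass header.d=gundogdirect.com
From: Mailgun <notifications@mailgun.org>
Reply-To: verify@03securitysystems.com
To: me@example.net
Subject: Please verify your account
Date: Mon, 5 Mar 2018 09:59:58 +0000

Your account will be temporarily put on hold until verification is complete.
"""

MY_MX = "mx.example.net"  # assumption: the hostname of your own mail server


def address_domain(header_value):
    """Domain part of the first address in a header value, or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower().rstrip(".") if m else None


def parse_received(value):
    """(claimed sending host, server that recorded the hop) from a Received: line."""
    frm = re.match(r"\s*from\s+(\S+)", value)
    by = re.search(r"\bby\s+(\S+)", value)
    return (frm.group(1) if frm else None, by.group(1) if by else None)


def triage(raw):
    msg = email.message_from_bytes(raw)
    from_dom = address_domain(msg["From"])
    findings = []

    # Envelope sender (where bounces go) is set by the sending server, not the From: line.
    rp_dom = address_domain(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")

    # A Reply-To pointing somewhere else is a classic credential-harvest setup.
    rt_dom = address_domain(msg["Reply-To"])
    if rt_dom and rt_dom != from_dom:
        findings.append(f"Reply-To domain {rt_dom} != From domain {from_dom}")

    # Authentication-Results is only meaningful when *our* server wrote it;
    # the leading token (authserv-id) says who did.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    if auth.split(";")[0].strip() == MY_MX:
        spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", auth)
        dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", auth)
        # DMARC-style alignment: a pass only counts if the domain matches From:.
        spf_aligned = bool(spf and spf.group(1) == "pass" and spf.group(2) == from_dom)
        dkim_aligned = bool(dkim and dkim.group(1) == "pass" and dkim.group(2) == from_dom)
        if not (spf_aligned or dkim_aligned):
            findings.append(
                f"neither SPF ({spf.group(2) if spf else 'none'}) nor DKIM "
                f"({dkim.group(2) if dkim else 'none'}) is aligned with From domain {from_dom}")
    else:
        findings.append("no Authentication-Results from our own server; treat SPF/DKIM as unknown")

    # Only the topmost Received: line was written by our server; anything below it
    # is the sender's word and can be forged freely.
    hops = [parse_received(r) for r in msg.get_all("Received", [])]
    if hops and hops[0][1] != MY_MX:
        findings.append(f"topmost Received: was recorded by {hops[0][1]}, not {MY_MX}")
    elif hops and hops[0][0]:
        host = hops[0][0].lower()
        if host != from_dom and not host.endswith("." + from_dom):
            findings.append(f"handed to us by {host}, which is not under {from_dom}")

    return {"from_domain": from_dom, "hops": hops, "findings": findings}


if __name__ == "__main__":
    report = triage(RAW_MESSAGE)
    print("From domain:", report["from_domain"])
    for sending, recorder in report["hops"]:
        print(f"  hop: {sending} -> recorded by {recorder}")
    for f in report["findings"]:
        print("  !", f)
```

On the sample this reports four things: the bounce address, the SPF and DKIM domains and the server that handed the message to us all belong to gundogdirect.com, and the Reply-To belongs to yet another domain, while only the cosmetic From: line says mailgun.org. That pattern, everything verifiable pointing at one domain and only the display name pointing at the brand, is what header spoofing looks like; SPF and DKIM can both pass for the spammer’s own domain and still tell you nothing about the brand in the From: line unless the domains align.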

So, what if I clicked on one of those links? I’m not sure what would happen and I don’t want to find out. I’m tempted to try it in a virtual machine so I can easily revert to an earlier snapshot if malware-related damage is done to the computer, but that takes time and resources and this blog is a hobby… I can’t take time to do everything, though that experiment would be fun. But my hunch is that one of two or three things would happen:

  • I might be taken to a fake Mailgun “account verification” page where I’d be prompted to enter my Mailgun username and password. But that site would be run by someone else, who’d harvest the credentials I typed into the form and then use my account to spam others. Not a good scenario.
  • There’s a possibility I’d be taken to a site / page that would attempt in some way to exploit a vulnerability, or download a file, to compromise my computer. Inappropriate content might even be involved (in this case, I’d be very likely to see a block page thanks to my trusty internet filter).
  • In the best of cases, someone might just be trying to sell me something.

In conclusion, let me stress this. If you have a computer and use email, be careful! Be suspicious of any email you’re not expecting, and of any email that calls on you to click a link or open an attachment. Do your homework; a few simple tests are not hard. If in doubt, call a trusted friend who’s techy; he may be able to help you figure it out. Be wary, be careful, and don’t trust everything you read on your screen. Remember that in today’s world, what with firewalls, AV software, and all, humans and their potential for bad decisions are the weakest link in the security chain. Stay safe!
