Phishing alert,

January 22, 2015

An Internet user contacted me earlier on Facebook with a screenshot showing what looked like an email from [email protected]. It’s only when I reached home in the evening that I was able to analyze it.


Screenshot, courtesy of Facebook user

The content shows an image link that most probably will open to somewhere outside. The funny part is the Google Docs mention (which is a fake footer). I had nostalgic moments.

Let’s analyze the email header.

Authentication-Results:; spf=none (sender IP is [email protected]; dkim=none; x-hmca=none [email protected]

I hid the sender IP address on purpose ^^

When I ran an IP lookup, it turned out that the address is located in the United States, while the Mauritian Government email servers reside in Mauritius itself.


Next, the header says spf=none. However, a few months ago I was delighted to find the Government had finally implemented SPF & DKIM. I did a quick check: responds positive for SPF while fails. The following test shows that there is no MX record for; therefore the email could not have originated from a designated email server.

; <<>> DiG 9.8.3-P1 <<>> MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40672
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;         IN  MX

;; AUTHORITY SECTION:      156 IN  SOA 2015012000 28800 7200 604800 600

;; Query time: 199 msec
;; WHEN: Thu Jan 22 20:57:45 2015
;; MSG SIZE  rcvd: 104

Please ignore the SOA part of; I know it raises eyebrows to see a Government purchasing a domain name at GoDaddy. Well… erhmm…
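To make the spf=none result in the header concrete, here is an added example (not code from the original post) of a minimal SPF evaluator over constructed TXT records: it shows how a receiver arrives at "none" when the sending domain publishes no policy, versus "pass", "fail" or "softfail" when it does. The domain names and addresses are hypothetical placeholders, not the ones discussed in the post.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; the domains are hypothetical,
# not the ones discussed in the post.
TXT_RECORDS = {
    "has-spf.example": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
    "softfail.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "no-spf.example": ["unrelated TXT record, no SPF policy published"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain, records=TXT_RECORDS):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def check_spf(sender_ip, domain, records=TXT_RECORDS):
    """Minimal SPF (RFC 7208) evaluation: ip4, ip6 and all mechanisms only.

    Returns the same result words a receiver writes into Authentication-Results
    (none, pass, fail, softfail, neutral, permerror)."""
    record = lookup_spf(domain, records)
    if record is None:
        return "none"  # the case in the post's header: no policy to evaluate
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qual = "+"  # an unqualified mechanism means pass on match
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the published record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        # include/a/mx/exists/ptr and modifiers need more DNS queries; not handled here
        return "permerror"
    return "neutral"  # no mechanism matched and no 'all' term

if __name__ == "__main__":
    print(check_spf("192.0.2.1", "no-spf.example"))    # none
    print(check_spf("203.0.113.7", "has-spf.example"))  # pass
```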

Finally, a look at the email content source.


A code excerpt copied as it appears in the email source

So, the folder icon that we see in the screenshot above is actually pulled from a WordPress blog at. The text "Proposal" is a link to a address, where a subdomain has been created.

The spammers did put in some effort.

I should thank Yudish for providing me with the header details from the email he received. Later, however, when I checked my spam folder, I found I had received it too. The million-dollar question now: where did the spammers get so many Mauritian email addresses? O.o

                         Google Docs makes it easy to create, store and share =
online documents, spreadsheets and presentations..

This part might make some people giggle as it appears the Google Docs footer had to pull the Google logo from Wikipedia.

Folks have been discussing this incident on the Mauritius Internet Users mailing list. I sent a phishing alert to CERT-MU through their vulnerability email, as their Incident Reporting Tool is nonsense; something I voiced at the Cyber Security Conference. Hmm, but it seems like no one is interested in improving that.

Well, folks, whether CERT-MU says it or not, just be on guard if you receive emails from