Hector Martin

Let's go ahead and document the fails for posterity. First I got was a cold e-mail, with the nondescript subject (translated) "I am interested in your work", a "message.pgp" attachment, and a "please read the attached message" style body.

Note how their e-mail server claims to be "http://ccn-cert.es ", but its IP address (213.192.250.68) had no reverse DNS set (unknown). This is a big no-no; my server had a permissive config at the time, but many others would've rejected this message (as mine would today).

Of note, CCN-CERT is the CERT team of the National Cryptologic Center, which is a child agency of the National Intelligence Center, which is the main Spanish intelligence agency. http://ccn-cert.es  resolved to a different IP, FWIW.

Now, the fun thing is they are using Horde IMP, a webmail program. And it records the browser's IP address as a Received header. So the e-mail was sent from 80.38.105.203. That's a typical static IP address range for Spain's largest (ex-national) ISP, Telefonica. Think AT&T.

At the time, Googling this IP address yielded a web forum with public poster IPs... and a user posted from that IP to sell firearms. Yes, really. I neglected to screenshot it at the time and the forum is gone, but that was pretty hilarious. Remember, that was a static IP.

So now let's look at software versions. The e-mail is from 2012. Surely a CERT agency would be running up to date server software, right? Horde 4.1.4, was released on 2007-03-14. Exim 4.63 was released on 2006-07-31. That's 5 year old software.

So now, onto the message itself. They used PGP and I guess pulled my public key from my website or keyservers. However, instead of using in-line PGP, or PGP/MIME, they just attached a separately encrypted message as an attachment. That's... odd.