Hector Martin

Note how their e-mail server claims to be "http://ccn-cert.es ", but its IP address (213.192.250.68) had no reverse DNS set (unknown). This is a big no-no; my server had a permissive config at the time, but many others would've rejected this message (as mine would today).

Of note, CCN-CERT is the CERT team of the National Cryptologic Center, which is a child agency of the National Intelligence Center, which is the main Spanish intelligence agency. http://ccn-cert.es  resolved to a different IP, FWIW.

Now, the fun thing is they are using Horde IMP, a webmail program. And it records the browser's IP address as a Received header. So the e-mail was sent from 80.38.105.203. That's a typical static IP address range for Spain's largest (ex-national) ISP, Telefonica. Think AT&T.

At the time, Googling this IP address yielded a web forum with public poster IPs... and a user posted from that IP to sell firearms. Yes, really. I neglected to screenshot it at the time and the forum is gone, but that was pretty hilarious. Remember, that was a static IP.

So now let's look at software versions. The e-mail is from 2012. Surely a CERT agency would be running up to date server software, right? Horde 4.1.4, was released on 2007-03-14. Exim 4.63 was released on 2006-07-31. That's 5 year old software.

So now, onto the message itself. They used PGP and I guess pulled my public key from my website or keyservers. However, instead of using in-line PGP, or PGP/MIME, they just attached a separately encrypted message as an attachment. That's... odd.

The message itself decrypted properly, but just asked for an interview with only the vaguest of hints of what this was about. The message was unsigned. No public key was provided to reply, none existed in the keyservers for this address, nor on their website.