Hector Martin

At the time, Googling this IP address yielded a web forum with public poster IPs... and a user posted from that IP to sell firearms. Yes, really. I neglected to screenshot it at the time and the forum is gone, but that was pretty hilarious. Remember, that was a static IP.

So now let's look at software versions. The e-mail is from 2012. Surely a CERT agency would be running up to date server software, right? Horde 4.1.4, was released on 2007-03-14. Exim 4.63 was released on 2006-07-31. That's 5 year old software.

So now, onto the message itself. They used PGP and I guess pulled my public key from my website or keyservers. However, instead of using in-line PGP, or PGP/MIME, they just attached a separately encrypted message as an attachment. That's... odd.

The message itself decrypted properly, but just asked for an interview with only the vaguest of hints of what this was about. The message was unsigned. No public key was provided to reply, none existed in the keyservers for this address, nor on their website.

They also sent it to my old 1024-bit ELG public key, which by then was superseded and obsoleted, and I was using a new 4096-bit RSA key which had been published to the keyservers and my website in 2011.

So I had no way to send an encrypted reply, and no way to verify that the message really came from them (in particular, given the horrible SMTP server config, this is literally indistinguishable from a spoofed e-mail anyone could send).

So I replied in cleartext, asking for a key, *explicitly* asked for a signed message and a verbatim public key for me to use. They replied in the same style, just with the public key pasted into the encrypted message, but no signature.