IBM’s Watson is such an effective spoofbot that he makes me want to say “DPASTE, IRC AND FUCK YOU”

Let’s sift through this here sack of fan mailⁱ and see what the fates do offer us this exquisite Fall day, itself an esteemed member of an august autumn of such subliminity that I cannot begin to describe the joy it brings me, quite possibly because I can’t even recall ever having experienced a season of weather so gushingly generous as this one. So, to the letter:ⁱⁱ

From – Wed Oct 21 12:29:09 2015
X-Account-Key: account9
X-UIDL: 2671
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Received: from emea01-db3-obe.outbound.protection.outlook.com (mail-db3on0074.outbound.protection.outlook.com [157.55.234.74])
by smtp.misk.com (MiskSMTP) with ESMTP (TLS) id 330734437-1889642
for [me]; Wed, 21 Oct 2015 11:08:57 -0400
Return-Path: <grahame.frear@maillis.com>
Received: from VI1PR03MB1375.eurprd03.prod.outlook.com (10.163.249.141) by VI1PR03MB1373.eurprd03.prod.outlook.com (10.163.249.139) with Microsoft SMTP Server (TLS) id 15.1.300.14; Wed, 21 Oct 2015 15:08:54 +0000
Received: from VI1PR03MB1375.eurprd03.prod.outlook.com ([10.163.249.141]) by
VI1PR03MB1375.eurprd03.prod.outlook.com ([10.163.249.141]) with mapi id
15.01.0300.010; Wed, 21 Oct 2015 15:08:54 +0000
From: Grahame Frear <grahame.frear@maillis.com>
To: [redacted]
CC: [redacted]

Subject: revised purchase request
Thread-Topic: revised purchase request
Thread-Index: AQHRDBJYcbBQ0gmrGkeQffV4hmZWVA==
Date: Wed, 21 Oct 2015 15:08:54 +0000
Message-ID: <VI1PR03MB1375336316B4C9812E1A7C53F3380@VI1PR03MB1375.eurprd03.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is )
smtp.mailfrom=grahame.frear@maillis.com;
X-x-originating-ip: [161.202.72.169]
x-microsoft-exchange-diagnostics: 1;VI1PR03MB1373;5:+lt8kKldZWLNJ32y9alCNO5SduwB1jlTx63yuhpEFhSAgXj8Q6HsL1lXCwjcSxG8djr4i1sD6BXMb8rDcuxu120sAtz8bnfr0cB7i/dphOc1gj1gDgey/Kjtu9I5SEDNKfTGkrePiA2byiqHC3tO8Q==;24:QaLGfwmI547pG8C+c1gWugW+hYOX+ccnQo07Z6wscbyE41VprFDMt2gxDPYmlDJA4Ko/M5qVMOUXNmCBVezz6iJN/yIk4UVQvD1bLvYLZG8=;20:nVtTmeWKrgICNbi+bti/vtcVxfUIt6ugVOYLdV9QJBxzse29Ut9f68O2cHOlFqO1QpSrKrF0i+kgTf9X8IVETw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:VI1PR03MB1373;
x-microsoft-antispam-prvs: <VI1PR03MB1373ADE1515E9D9ADE3E6B91F3380@VI1PR03MB1373.eurprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(601004)(2401047)(520078)(8121501046)(5005006)(3002001)(102115026);SRVR:VI1PR03MB1373;BCL:0;PCL:0;RULEID:;SRVR:VI1PR03MB1373;
x-forefront-prvs: 073631BD3D
x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(6009001)(189002)(199003)(5002640100001)(5007970100001)(16236675004)(50986999)(77096005)(19627405001)(111086002)(74316001)(110136002)(105586002)(99936001)(86362001)(76576001)(229853001)(10400500002)(46102003)(33656002)(2351001)(5001960100002)(64706001)(189998001)(66066001)(2501003)(1411001)(106356001)(97736004)(92566002)(122556002)(4590100002)(5004730100002)(19625215002)(87936001)(54356999)(81156007)(40100003)(2900100001)(5003600100002)(102836002)(558084003)(5008740100001)(106116001)(5890100001)(101416001)(11100500001)(133083001);DIR:OUT;SFP:1101;SCL:1;SRVR:VI1PR03MB1373;H:VI1PR03MB1375.eurprd03.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
received-spf: None (protection.outlook.com: maillis.com does not designate
permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/mixed;
boundary=”_004_VI1PR03MB1375336316B4C9812E1A7C53F3380VI1PR03MB1375eurp_”
MIME-Version: 1.0
X-OriginatorOrg: maillis.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Oct 2015 15:08:54.2669 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95b747b3-7bdd-4d21-8ce1-c1c8eabbbd83
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR03MB1373
X-To-Not-Matched: true
X-Originating-IP: 157.55.234.74
X-Rcpt-To: [me]
X-SpamDetect: : 0.000000
X-LangGuess: English
X-Avast: Message is clean
X-Encryption: SSL encrypted
X-MyRbl: Color=Unknown (rbl) Age=0 Spam=0 Notspam=0 Stars=0 Good=0 Friend=0 Surbl=0 Catch=0 r=0 ip=157.55.234.74
X-IP-stats: Incoming Last 0, First 411, in=582, out=0, spam=0 ip=157.55.234.74

–_004_VI1PR03MB1375336316B4C9812E1A7C53F3380VI1PR03MB1375eurp_
Content-Type: multipart/alternative;
boundary=”_000_VI1PR03MB1375336316B4C9812E1A7C53F3380VI1PR03MB1375eurp_”

–_000_VI1PR03MB1375336316B4C9812E1A7C53F3380VI1PR03MB1375eurp_
Content-Type: text/plain; charset=”iso-8859-1″
Content-Transfer-Encoding: quoted-printable

Good day

We did not receive a response from you about our ORDER.
check the attached revised PO and send us Commercial Invoice by
returning email and your possible estimated delivery time.

Thanks
K.Grahame Frear
Tel: (011) 974 8815 EXT 524
Fax: (011) 974 8816

–_004_VI1PR03MB1375336316B4C9812E1A7C53F3380VI1PR03MB1375eurp_
Content-Type: application/zip; name=”scanimage004.zip”
Content-Description: scanimage004.zip
Content-Disposition: attachment; filename=”scanimage004.zip”; size=2736;
creation-date=”Wed, 21 Oct 2015 15:08:31 GMT”;
modification-date=”Wed, 21 Oct 2015 15:08:31 GMT”
Content-Transfer-Encoding: base64

[redacted]

–_004_VI1PR03MB1375336316B4C9812E1A7C53F3380VI1PR03MB1375eurp_–

Given that I have some interests in the construction industry – and that some of my affairs include drafting contracts, reviewing invoices, and signing purchase orders – and that it was to this work e-mail accountⁱⁱⁱ that this letter was addressed,^iv the message seen above represents a really rather sophisticated attack. Certainly one of the best that I can recall seeing and miles more convincing than the rotten bitcoin-flavoured garbaje requesting that you to access your webwallet by visiting b1ockchain.com or offering you an “emergency back-up file” by downloading some .jar attachment. This is far beyond that, to the extent that the 2.7 kb zip file this message carried surely found its way onto the hard drives of a handful of less savvy and less skeptical individuals.^v

Save the illegitimate phone number, the e-mail address appears superficially plausible^vi and the business itself^vii can be externally verified. It would therefore appear that the e-mail accounts of Mr. Freare, and perhaps that of several of his colleagues, were compromised and that the address’ new puppeteers are firmly in command of his credentials.^viii The next question, then, is what can we determine about said string-pullers.

Well, we have an X-Originating-IP addresses, 161.202.72.169, and something calling itself^ix an “X-X-Originating-IP address,” being 157.55.234.74. Let’s see who these belong to :

IP : 161.202.72.169
Host : a9.48.caa1.ip4.static.sl-reverse.com
Country : Switzerland

Domain Name: sl-reverse.com
Registry Domain ID: 1931372850_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: www.cscprotectsbrands.com
Updated Date: 2015-05-22T13:57:11Z
Creation Date: 2015-05-22T13:54:48Z
Registrar Registration Expiration Date: 2016-05-22T13:54:48Z
Registrar: CSC CORPORATE DOMAINS, INC.
Sponsoring Registrar IANA ID: 299
Registrant Name: IBM Corporation
Registrant Organization: International Business Machines Corporation

Big Blue eh ? So THAT’S why the e-mail sounded so reasonable and un-Nigerian Princey, that Jeopardy-trouncing robot, Watson, has been repurposed for spoofing !

And what about the other one, the “x-x” ip ?

NetRange: 157.54.0.0 – 157.60.255.255
CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14
NetName: MSFT-GFS
NetHandle: NET-157-54-0-0-1
Parent: NET157 (NET-157-0-0-0-0)
NetType: Direct Assignment
OriginAS: AS8075
Organization: Microsoft Corporation (MSFT)

And here we find Microsoft, that purveyor of surveillance appliances for the multitudes. Wonderful. That leaves us with IBM’s Watson to craft the letters so as to be grammatically sound and maximally effective,^x while Microsoft forges a payload that it knows will find a hole in its operating system, which it also knows is used prolifically in the construction industry. Grrreat !

All of which is to say that while the USG and its various tentacles pollute the movie theatres, roads, built environments, computers, banks, and just about everything you interact with, the DPASTE, IRC AND FUCK YOU approach seems less and less extreme by the day.

After severing my ties to social media, I guess it’s the next logical step, even if it still seems a distant dream.

___ ___ ___

1. They love me, they really love me !↩
2. Emphasis added.↩
3. See u guise ! I can haz professional ! Sometimes…↩
4. As opposed to the one listed on the contact page.↩
5. Were e-mail users in the habit of looking at the headers, the seemingly endless bouncing about of the message, like a pinball in a record-setting effort, would be a dead giveaway that something was amiss. Alas, expecting this thoroughness and hygiene of so base a man as the average e-mail user would be like expecting a monkey to wash his hands before dinner so as to prevent infection.↩
6. A little further investigation reveals that the e-mail addresses ending in @maillis.com originate from only their Greek and Bulgarian offices. Read into that what you will.↩
7. To quote : “M. J. Maillis group is manufacturing and distributing complete secondary packaging systems, machines and material in Strapping, Wrapping and Box Handling.”↩
8. Indeed, dear friends, outside of Bitcoin, “people” honestly believe with full faith and conviction that an e-mail from your account IS FROM YOU NO MATTER WHAT. In their mooing minds, no one has ever used password123 nor left their computer logged-on and unlocked at a cafe while they went to the bathroom. Impossibru ! Sure, we’ve all forged a hand-written signature at one point in our lives and told lies aplenty, but e-mail is e-mail ! So if your friend Bob sends you a message telling you to find a bridge and jump well then by golly you’d better find a way to work that into your busy schedule, mister!↩
9. I not only tried search engining what the fuck a “x-x” is, but I even asked my WoT. It’s an open mystery at this point !↩
10. If ever there was a use for AI, it’s game shows and e-mail spam/phishing/spoofing. If you don’t believe me, compare the above with this human-crafted e-mail and decide for yourself which is more likely to yield the intended effect :

    Dear Purchasing Manager,

    Hope this email find you well.

    This is Linda Yao, a lovely girl from China, manufacturer of Jinan Pan European Glass Co.,Ltd for 30 years with high quality and pretty competitive price.

    After saw your website, We thought you might be interested in our products（Tempered Glass，Laminated Glass, Insulating Glass and Mirror，etc).

    Would you like to get some samples for testing , my friend ?

    We still have many other products, we can send you our more information if it’s okay for you.

    We are here waiting for your reply.

    Thanks and regards

    Linda Yao

    Jinan Pan European Glass Co., Ltd
    Address: Jinan City, Shandong Province
    Tel: 0086-0531-89006216
    Fax: 0086-0531-89006216
    Email；sales08@paneuropeanglass.com.cn
    Skype:paneuropeanglass01
    Website:www.paneuropeanglass.com.en.alibaba.com

    So my new “lovely” female friend is supposed to give me a boner, that much is clear, which is far more than a bullshit e-mail from a young male Chinese could ever hope to elicit, that much is also clear, but this is still offensively unpersuasive. As fucking if the construction industry doesn’t live and die by the WoT and was just sitting around, twiddling my thumbs and waiting for random chica to descend from on high ready and willing with pan-european blowjobs. Right.↩