I just received this email ostensibly from business reputation firm Dun & Bradstreet. The fact that I don't actually have a business at the present time didn't escape me, but the verbiage of the email is compelling, and I can see why someone might inadvisedly click on the attachment.





I carefully saved the attachment and went over to VirusTotal and uploaded it there. No surprise, it is malware. See for yourself:


Looking at the headers, we see that this was sent from an IP in Mexico, presumably not a sending platform used by D&B. The "(may be forged)" tag is sendmail noting that the hostname obtained from the connecting address's PTR record does not resolve back to that address, so the hostname itself cannot be trusted either:

Received: from fixed-189-17-231.iusacell.net (fixed-189-17-231.iusacell.net [] (may be forged))


inetnum: 187.188/15 

status: allocated
aut-num: N/A
owner: Iusacell PCS de Mexico, S.A. de C.V.
ownerid: MX-IPMS2-LACNIC
responsible: Rafel Rodriguez Sanchez
address: Montes Urales, 460, Col. Lomas de Chapultepec
address: 11000 - México - DF
country: MX
phone: +52 55 51095068
owner-c: CHD
tech-c: CHD
abuse-c: CHD
inetrev: 187.188/15
nsstat: 20131119 AA
nslastaa: 20131119
created: 20111208
changed: 20120604


The From: is alert@dnb.com, and D&B does publish an SPF record, but it ends in ~all (softfail) rather than a firm -all (fail). A -all would let a receiving system that enforces SPF reject such mail outright; ~all only asks it to treat the mail with suspicion, and so we see this result: 

Authentication-Results: iecc.com; spf=softfail

Note that SPF is evaluated against the envelope MAIL FROM (or the HELO name), not the From: header the recipient sees; tying the two together is DMARC's job, so even a -all record on its own would not guarantee rejection of every message that forges alert@dnb.com in the From: line.



; <<>> DiG 9.8.3-P1 <<>> dnb.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25745
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;dnb.com. IN TXT

dnb.com. 300 IN TXT "v=spf1 mx ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: " "ip4: ip4: ip4: include:alerts.wallst.com ~all"

;; Query time: 100 msec
;; WHEN: Thu Nov 21 09:07:43 2013
;; MSG SIZE rcvd: 342
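To make the softfail-versus-fail distinction concrete, here is a small SPF evaluator covering the mechanisms that appear in the record above (mx, ip4, include, all, plus a/redirect=). It is an added example written for this post, not D&B's record or any mail system's code: the addresses in FAKE_DNS are constructed stand-ins (the real ip4: entries were blanked in the dig output), and the dictionary replaces live DNS so it runs offline. Macros, exists and ptr are deliberately not implemented.

```python
"""Minimal SPF evaluator (subset of RFC 7208).

Shows why the same sending IP gets 'softfail' under a record ending in ~all
but 'fail' under -all.  Added example; the records and addresses below are
constructed and are not dnb.com's real SPF data.
"""
import ipaddress

# Constructed stand-in for DNS.  TXT holds the SPF policy, MX lists mail
# hosts, A lists addresses.  Shaped after the dig output above, with
# RFC 5737 documentation ranges in place of the blanked ip4: entries.
FAKE_DNS = {
    "dnb.com": {
        "TXT": "v=spf1 mx ip4:203.0.113.0/24 include:alerts.wallst.com ~all",
        "MX": ["mail.dnb.com"],
    },
    "mail.dnb.com": {"A": ["198.51.100.25"]},
    "alerts.wallst.com": {"TXT": "v=spf1 ip4:192.0.2.0/26 -all"},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ip_in(ip, cidr):
    """True if ip falls inside cidr (a bare address is treated as /32)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _addrs_of(name, dns):
    return dns.get(name, {}).get("A", [])


def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    if depth > 10:                      # RFC 7208 caps recursive evaluation
        return "permerror"
    record = dns.get(domain, {}).get("TXT")
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no SPF policy published

    redirect = None
    for term in record.split()[1:]:
        low = term.lower()
        if low.startswith("redirect="):     # modifier, used only if nothing matches
            redirect = term.split("=", 1)[1]
            continue
        if "=" in term.split(":", 1)[0]:    # other modifiers (exp=) are ignored
            continue
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name == "ip4":
            matched = _ip_in(ip, arg)
        elif name == "a":
            matched = any(_ip_in(ip, a) for a in _addrs_of(arg or domain, dns))
        elif name == "mx":
            hosts = dns.get(arg or domain, {}).get("MX", [])
            matched = any(_ip_in(ip, a) for h in hosts for a in _addrs_of(h, dns))
        elif name == "include":
            # include: matches only when the referenced policy itself passes
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"          # exists/ptr/unknown: not implemented here

        if matched:
            return QUALIFIER_RESULT[qualifier]

    if redirect:
        return check_spf(ip, redirect, dns, depth + 1)
    return "neutral"                    # ran off the end with no 'all' term


def compare_qualifiers(ip, domain, dns=FAKE_DNS):
    """Evaluate the published record, then the same record with ~all -> -all."""
    as_published = check_spf(ip, domain, dns)
    hardened = dict(dns)
    hardened[domain] = dict(dns[domain])
    hardened[domain]["TXT"] = dns[domain]["TXT"].replace("~all", "-all")
    return as_published, check_spf(ip, domain, hardened)


if __name__ == "__main__":
    # 187.188.1.1 is inside the 187.188/15 block from the whois output above.
    for sender in ("187.188.1.1", "203.0.113.7", "192.0.2.10"):
        print(sender, compare_qualifiers(sender, "dnb.com"))
```

Run it and the Mexican address comes back ("softfail", "fail"): the only thing separating "treat with suspicion" from "reject" is the final qualifier. The two RFC 5737 addresses pass either way, the second one via the include:, which shows why an included policy's own -all does not propagate to the including domain; include: only ever contributes a pass.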