A Japanese scam with some twists
Everyone knows about the already classic “Advance Fee Fraud”, also known as the “Nigerian Scam” (http://en.wikipedia.org/wiki/Advance_fee_fraud). But not everybody has seen the Japanese version of this scam (Figure 1).
This is a very fancy scam: We usually see the same old story about very rich men who were killed by the government and the poor relatives trying to get the money out of the 3rd world country with your help. But this one is different.
First of all, it thinks big. Very big… really, I have never seen such an idea before: “I made this money through a contract awarded to me by the ministry during the relocation of OSAKA AIRPORT”. And it gets even better: “I am not safe if I go back to Japan because I did not finish the contract”. So now the Osaka airport should be somewhere… on the road? This is really nice, isn’t it?
If you have a look at the main header, you see the From, Reply-To and Sender fields. The Sender field isn’t seen in an email very often because it is somewhat of a gray area. According to RFC 822, this field should be used only when the person submitting the message to the network is different from the one shown in the “From” header field. Because of this, it should be authenticated, but what kind of authentication is not clear. Some mail clients expect that the email address used in this field can be used to reach the sender, others do not. Because of this uncertainty, most email clients prefer either to remove this field completely or to add a hidden field in the headers with the name “X-Sender”.
So, is our “Japanese contractor” using deprecated mass mailing software?
Note that there is no “To:” field. Of course, any decent anti-spam product will penalize this email when it detects something like this.
According to the other headers, the email is supposed to have been sent through Gmail. There are even the DKIM headers and a new header called “X-Google-Sender-Auth”. Google doesn’t add something like this, though. All these indications show that the spammer has used special software to send mass mailings through Gmail. It is really sad to see that Google doesn’t enforce a clear email sending policy through its servers.
But, because of these twists in the email, I assume that the spammers thought it wouldn’t be so bad to have an escape route. This is why the Reply-To email address points to yahoo.com.hk (Yahoo! Hong Kong).
Unfortunately for the spammer, after all this trouble just to send the email, he made the same mistakes that all Fee Fraud emails make: the message uses known keywords like “million dollars” and “Att: My name is”, and it avoids the formal way of addressing (“Mr. ”) in the From text but then uses an email address called mr.otoya22@gmail.com and the formal addressing in the Subject. These are further important hints that can help an automated spam detection system to safely mark this email as a scam.
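The indicators discussed above (missing To, a Sender header, a Reply-To on a different domain than From, the title mismatch and the known keywords) can be checked mechanically. The following is an added example, not Avira's detection code: the indicator names, the single-part-body assumption and the sample message (built from the details quoted in this post, with a placeholder Reply-To local part and display name) are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

KEYWORDS = ("million dollars", "att: my name is")  # phrases quoted in the article
TITLE = re.compile(r"\bmr\b", re.I)                # formal title, e.g. "Mr." or "mr."

# Constructed sample modelled on the headers described in the post (not the real email).
SAMPLE = """\
From: Otoya <mr.otoya22@gmail.com>
Reply-To: placeholder@yahoo.com.hk
Sender: mr.otoya22@gmail.com
Subject: From Mr. Otoya

Att: My name is Otoya. I made this money, several million dollars, through a
contract awarded to me by the ministry during the relocation of OSAKA AIRPORT.
"""

def domain(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()

def scam_indicators(raw):
    """Return the indicators found in a raw message (single-part text assumed)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    hits = []
    if not msg.get("To"):
        hits.append("no-to-header")
    if msg.get("Sender"):
        hits.append("sender-header-present")
    # Replies are diverted to a mailbox on another provider than the From address
    if reply_addr and domain(reply_addr) != domain(from_addr):
        hits.append("reply-to-domain-mismatch")
    # Title appears in the address or Subject but was left out of the From text
    local_part = from_addr.partition("@")[0]
    titled = TITLE.search(local_part) or TITLE.search(msg.get("Subject", ""))
    if titled and not TITLE.search(from_name):
        hits.append("title-mismatch")
    body = "" if msg.is_multipart() else msg.get_payload().lower()
    hits += ["keyword:" + kw for kw in KEYWORDS if kw in body]
    return hits

if __name__ == "__main__":
    for hit in scam_indicators(SAMPLE):
        print(hit)
```

A real filter would weight these indicators and combine them with other signals rather than treat any single one as conclusive.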
Avira Antispam detects this email with a “Very High” spam probability without even calling any Realtime Blacklists – no wonder, since we see so many spam indicators. As usual, Avira advises never to respond to such emails and never to trust people who promise huge amounts of money.
Sorin Mustaca
Manager International Software Development

