Phishing email from a REAL .gov.za?

Mr Scratch

Hello,

I received the usual morning phishing emails like any other day, but today I saw one from "Nphiri@nwpg.gov.za" that somehow got past my filter. Ok so maybe it's a spoofed gov address that somehow managed to sneak its way in? I checked the headers and found the following:

Message ID <57F781470200002A000A7356@webmail.nwpg.gov.za>
From: Naomi Nthutang <Nphiri@nwpg.gov.za> Using Novell GroupWise Internet Agent 12.0.4
To: XXX@gmail.com
SPF: PASS with IP 196.15.218.221

Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of nphiri@nwpg.gov.za designates 196.15.218.221 as permitted sender) smtp.mailfrom=Nphiri@nwpg.gov.za

Received: by mail1.nwpg.gov.za (Postfix, from userid 1999) id 466668E0E3C; Fri,

Received: from NWPGDOa-MTA by webmail.nwpg.gov.za with Novell_GroupWise; Fri, 14 Oct 2016 06:04:47 +0200

X-Mailer: Novell GroupWise Internet Agent 12.0.4

In the attachment, which was designed to resemble the login screen of a popular email service, I found some metadata the ****wit didn't remove:

=09<META NAME=3D"GENERATOR" CONTENT=3D"LibreOffice 4.0.2.2 (Linux)">
=09<META NAME=3D"AUTHOR" CONTENT=3D"Thys Beer">
=09<META NAME=3D"CREATED" CONTENT=3D"20130612;15581400">
=09<META NAME=3D"CHANGEDBY" CONTENT=3D"Thys Beer">
=09<META NAME=3D"CHANGED" CONTENT=3D"20130904;11253200">

I found this: https://webmail.nwpg.gov.za/gw/webacc

Anyone know where I can report this? Seems like this mail account was compromised by someone.
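
Added example, not part of the original post: a Python triage of the headers quoted above, separating "spoofed address" from "real mailbox on that system". The sample message is constructed from those header fragments (the truncated Received date is left out), and `triage` and its field names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample built from the header fragments quoted in the post.
RAW = """\
Received: by mail1.nwpg.gov.za (Postfix, from userid 1999) id 466668E0E3C
Received: from NWPGDOa-MTA by webmail.nwpg.gov.za with Novell_GroupWise; Fri, 14 Oct 2016 06:04:47 +0200
Authentication-Results: mx.google.com;
 spf=pass (google.com: best guess record for domain of nphiri@nwpg.gov.za designates 196.15.218.221 as permitted sender) smtp.mailfrom=Nphiri@nwpg.gov.za
Message-ID: <57F781470200002A000A7356@webmail.nwpg.gov.za>
From: Naomi Nthutang <Nphiri@nwpg.gov.za>
X-Mailer: Novell GroupWise Internet Agent 12.0.4

body
"""

def triage(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    auth = " ".join(msg.get_all("Authentication-Results", []))
    # Verdicts recorded by the receiving server; a missing method reads "none".
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    # Host named after "by" in each Received hop.
    hops = [m.group(1).lower() for r in msg.get_all("Received", [])
            if (m := re.search(r"\bby\s+([\w.-]+)", r))]
    internal = [h for h in hops
                if h == from_domain or h.endswith("." + from_domain)]
    spf = verdicts.get("spf", "none")
    return {
        "from_domain": from_domain,
        "spf": spf,
        # Gmail writes "best guess record" when the domain publishes no SPF
        # record and the pass comes from a fallback heuristic.
        "spf_best_guess": "best guess record" in auth,
        "dkim": verdicts.get("dkim", "none"),
        "dmarc": verdicts.get("dmarc", "none"),
        "hops_in_from_domain": internal,
        # SPF pass plus relay hops inside the From domain points to a real
        # mailbox on that system being used, not a forged sender address.
        "likely_compromised_account": spf == "pass" and bool(internal),
    }

if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key}: {value}")
```

Only the Authentication-Results verdict is written by the receiving server; Received lines below it come from the sending side, so the hop check is supporting evidence rather than proof.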
 

Beachless

There have been several government hacks the last while with details exposed. I'm sure it's quite common these days as most of the systems I know of are in a terrible state.
 

scienide

Jesus, who still uses GroupWise?

Most government offices.

We have only now moved over to hosted exchange.

Novell for login till some idiot at National Office wakes up and rolls out the MS servers that have been standing there for the last 2 years...
 