A Message From “Theodore Alien Support”

I got a message tonight. It’s some sort of phishing something or something. I’d love to hear people explain what the purpose of this email is. It’s clearly some sort of weird probe… or is it?


Google has nothing to tell me about this person.  I cannot figure out why www.isafish.net has any connection to my inbox.  Why do they want me to look at that image… ah.

It must be that someone has put a script in a subdirectory that’s somehow executable and I assume this is the “attack.”  Would be fun to chase this down, wouldn’t it?

Oh and here are the mail headers, redacted somewhat:

Theodore Alien Support <pac_veracruz@mail2keen.com> 
Personal message
To: REPLACED1 REPLACED2 <redacted@redacted.com> 
Flocked-Prokofiev-Calico: ⁨bee868f515eaf⁩
X-Forwarded-For: ⁨redacted@redacted.com rREPLACED2@mail.redacted_utensil.net⁩
Arc-Seal: ⁨i=1; a=rsa-sha256; t=1516889739; cv=none; d=google.com; s=arc-20160816; b=M3XzWmNu0e5OwSe04lsE8MEIHNGaSIXuEXc73wRWcaT5MZhJpU944i43SpQsJadim9 r8EK8FWbTo6pDvBxahgRTUMZP/tszzqIxAg1Pt5/aCRvn69YXdiSR9aYyYqLuTdnabGW yNaK/HrdGBYM5Y1H+QU7wUPzFlv7vSDS2OQdohdWdeXQFQPtqu/8H6bRyk4b3p/Xjdul tgBt8pqM6kLRdOWlGul3Rus3yYd/6Smo7cgJEAWImRQqZKb9rkWRIDK48tS52WgGVrph YDCRTEPaLPChti1IKW7jB84q0Hpl2x1PSabrqKd3jLm1k9QFUzos4UMl06hla5HamcdU sN3w==⁩
X-Received: ⁨by 10.36.74.200 with SMTP id k191mr13908240itb.69.1516889740540; Thu, 25 Jan 2018 06:15:40 -0800 (PST)⁩
X-Received: ⁨by 10.36.43.67 with SMTP id h64mr12684973ita.121.1516889739452; Thu, 25 Jan 2018 06:15:39 -0800 (PST)⁩
X-Gm-Message-State: ⁨AKwxytfXtR2vzu4PFgJHDZUVCowkHUaqjllY86x/JJEa9SD5yXyO+GuP EZrvCWYdzFbRHJ1+O54dOiY1JMWJNj4K8k6Kn+NW6xo3Knnns4k=⁩
Return-Path: ⁨<redacted+caf_=rREPLACED2=mail.redacted_utensil.net@gmail.com>⁩
Arc-Authentication-Results: ⁨i=1; mx.google.com; spf=neutral (google.com: 162.241.241.28 is neither permitted nor denied by best guess record for domain of pac_veracruz@mail2keen.com) smtp.mailfrom=pac_veracruz@mail2keen.com⁩
X-Forwarded-To: ⁨rREPLACED2@mail.redacted_utensil.net⁩
Bilingual-Bolsheviks: ⁨9b2c349fedaf4⁩
X-Google-Smtp-Source: ⁨AH8x225Sbj8xhCRLPCHu4tEnytl0Q+adM8pXftZdZnSbVVlw72grrrRzPwDk8I/JTwY72/ao4IAG⁩
Mime-Version: ⁨1.0⁩
Authentication-Results: ⁨mx.google.com; spf=neutral (google.com: 162.241.241.28 is neither permitted nor denied by best guess record for domain of pac_veracruz@mail2keen.com) smtp.mailfrom=pac_veracruz@mail2keen.com⁩
Clearness-Impede: ⁨personalizing⁩
⁨<163ccb8c.3d62c5f4.3865977197775@mys.mysafehostuae.com>⁩
Arc-Message-Signature: ⁨i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:clearness-impede:to:cleanup-devise :mime-version:bilingual-bolsheviks:flocked-prokofiev-calico:subject :date:message-id:from:arc-authentication-results; bh=AIy9tpfYuu6x6tAPASWTBdjsu/wYhov9GfLmDgBEGeY=; b=GkVihLFR+EbS3nl6eeJBMiUkS5Y0TORDE9kRwMtst0QDtmLEHbzJlFktrOPEyad/xQ yuvhGISIos+j+Osm5aaxeyhuKK7HSaK3/Tyo+XxdJ1dseOF2RH4SbjSKxVTGPjMQx5jl VdklZBE+6tKpEgnuPbhoogNuss2+XJiC+3grBNKRi4LiPiSQmMzm7SUZvMvgRSwPcDWf wkaZA0a4HMm6G5M1iSkEIyKuhJ/uH03w7u92Kx3+K6eWznhqWqnQ3GQlYdqMlgcANleR KAcR8DJX2McfJcMtaKV5tMjlgodAzK8mJqmHOVSoBZvqzNwc12WvUykkl6Apc5jGoWT+ YYQQ==⁩
Cleanup-Devise: ⁨3f53d172d89e88a⁩
Content-Transfer-Encoding: ⁨7bit⁩
X-Google-Dkim-Signature: ⁨v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:delivered-to :from:message-id:date:subject:flocked-prokofiev-calico :bilingual-bolsheviks:mime-version:cleanup-devise:to :clearness-impede:content-transfer-encoding; bh=AIy9tpfYuu6x6tAPASWTBdjsu/wYhov9GfLmDgBEGeY=; b=TD28784zjAZtjInhDNBznz38Yi1leREdGhFRpbCxf0lnV9TbQcp1T3IquBIyMYVz4a xqQG0S/36byCz3nehppL0LZ4QOH3xO+6KFHo2qzzrHScd7BuYp1sqr2fP5ZWeOk+HcRQ u8+u654G8UYrdFQR27pagMH98gmjXwFam0yyp6kUSNJoE6gB6UOBxeuDNSlwtt34LQrZ sivSPvgZU8SCtbWZ8B6BG4IkdW3OjCHRB4KNcWb0VBo6jqzm7HknwLSBaTNpHKDgHh+V FbvHUqutkpA2Rh0DvgSuntqn0xC+aEIRxJDaMvEcoIE3VfxTaqWQQj61ByvlKrkYUlIC ZHnw==⁩
X-Original-Authentication-Results: ⁨mx.google.com; spf=neutral (google.com: 162.241.241.28 is neither permitted nor denied by best guess record for domain of pac_veracruz@mail2keen.com) smtp.mailfrom=pac_veracruz@mail2keen.com⁩
Content-Type: ⁨text/html; charset=UTF-8⁩
Received-Spf: ⁨neutral (google.com: 162.241.241.28 is neither permitted nor denied by best guess record for domain of pac_veracruz@mail2keen.com) client-ip=162.241.241.28;⁩
Delivered-To: ⁨<rREPLACED2@redacted_utensil.net>⁩
Delivered-To: ⁨redacted@redacted.com⁩
Received: ⁨from linode.redacted_utensil.net by linode.redacted_utensil.net (Dovecot) with LMTP id dM24D43maVrwbAAAmhsNrQ for <rREPLACED2@redacted_utensil.net>; Thu, 25 Jan 2018 06:15:41 -0800⁩
Received: ⁨from mail-it0-f48.google.com (mail-it0-f48.google.com [209.85.214.48]) by linode.redacted_utensil.net (Postfix) with ESMTPS id 223A06010B for <rREPLACED2@mail.redacted_utensil.net>; Thu, 25 Jan 2018 06:15:41 -0800 (PST)⁩
Received: ⁨by mail-it0-f48.google.com with SMTP id m11so21781844iti.1 for <rREPLACED2@mail.redacted_utensil.net>; Thu, 25 Jan 2018 06:15:41 -0800 (PST)⁩
Received: ⁨by 10.107.43.17 with SMTP id r17csp2020551ior; Thu, 25 Jan 2018 06:15:39 -0800 (PST)⁩
Received: ⁨from mys.mysafehostuae.com (mys.mysafehostuae.com. [162.241.241.28]) by mx.google.com with ESMTP id p13si912687itp.147.2018.01.25.06.15.39 for <redacted@redacted.com>; Thu, 25 Jan 2018 06:15:39 -0800 (PST)⁩
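Here is an added example, not from the original post, of how to pull the originating relay and the SPF verdict out of a header block like the one above: it walks the Received chain from the earliest hop upward and believes only hops that were logged by a relay we operate or trust, since a sender can forge any Received line it prepends itself. The sample headers are copied from the message; TRUSTED_RELAYS is an assumed list for this mailbox.

```python
import re

# Constructed sample: the Received and Received-Spf headers from the message
# above, other headers dropped. Relays prepend Received, so line 1 is the last hop.
SAMPLE_HEADERS = """\
Received: from linode.redacted_utensil.net by linode.redacted_utensil.net (Dovecot) with LMTP id dM24D43maVrwbAAAmhsNrQ for <rREPLACED2@redacted_utensil.net>; Thu, 25 Jan 2018 06:15:41 -0800
Received: from mail-it0-f48.google.com (mail-it0-f48.google.com [209.85.214.48]) by linode.redacted_utensil.net (Postfix) with ESMTPS id 223A06010B for <rREPLACED2@mail.redacted_utensil.net>; Thu, 25 Jan 2018 06:15:41 -0800 (PST)
Received: by mail-it0-f48.google.com with SMTP id m11so21781844iti.1 for <rREPLACED2@mail.redacted_utensil.net>; Thu, 25 Jan 2018 06:15:41 -0800 (PST)
Received: by 10.107.43.17 with SMTP id r17csp2020551ior; Thu, 25 Jan 2018 06:15:39 -0800 (PST)
Received: from mys.mysafehostuae.com (mys.mysafehostuae.com. [162.241.241.28]) by mx.google.com with ESMTP id p13si912687itp.147.2018.01.25.06.15.39 for <redacted@redacted.com>; Thu, 25 Jan 2018 06:15:39 -0800 (PST)
Received-Spf: neutral (google.com: 162.241.241.28 is neither permitted nor denied by best guess record for domain of pac_veracruz@mail2keen.com) client-ip=162.241.241.28;
"""

# Assumed: domains of relays we run or trust. Only a hop *recorded by* one of
# these is believed; anything the sender prepended below it may be forged.
TRUSTED_RELAYS = ("google.com", "redacted_utensil.net")

HOP_RE = re.compile(r"^Received:\s*(?:from\s+(?P<from>\S+)(?:\s*\((?P<info>[^)]*)\))?\s+)?by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SPF_RE = re.compile(r"^Received-Spf:\s*(?P<result>\w+).*?client-ip=(?P<ip>[\d.]+)", re.I)


def parse_hops(headers):
    """One dict per Received header, in header order (newest hop first)."""
    hops = []
    for line in headers.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m.group("info") or "")  # bracketed literal IP, if any
        hops.append({"from": m.group("from"), "by": m.group("by"),
                     "ip": ip.group(1) if ip else None})
    return hops


def origin_hop(hops, trusted=TRUSTED_RELAYS):
    """Earliest hop that carries a source IP and was logged by a trusted relay."""
    for hop in reversed(hops):  # reversed: walk from the oldest hop upward
        by = (hop["by"] or "").lower().rstrip(".")
        if hop["ip"] and by.endswith(trusted):
            return hop
    return None


def spf_result(headers):
    """(result, client-ip) from Received-Spf, or None if the header is absent."""
    for line in headers.splitlines():
        m = SPF_RE.match(line)
        if m:
            return m.group("result").lower(), m.group("ip")
    return None
```

A sanity check worth making by hand: the client-ip in Received-Spf should equal the IP of the origin hop; if they differ, the lower Received lines are not what your own MX saw.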

It looks like a place called mys.mysafehostuae.com originally sent it.  I went to look at http://mysafehostuae.com and it looks like this: