From: Brad Smith [email@example.com]Morgan Stanley? They must mean this Morgan Stanley. How did they confuse me with Morgan Stanley? Because I mention them on my website here. Now, I only know of one company that sends spam like this.. but more about them later.
To: Morgan Stanley [mstanley@redacted]
Date: 11 February 2015 at 15:24
Subject: Morgan, HR related question
Hi Morgan, could you let me know a time we could talk in the next few days? For HR managers we measure and video the essential functions and physical requirements of each key job so that clients like Coca-Cola and Publix can reduce their hiring risk and job injury risk. I thought you would like to quickly view the process, some interesting examples, and how to use them in your role. Just let me know a time that works in your schedule and I will confirm back, talk then!
VP, Product Management
This message is confidential and intended only for the original recipient. If you have received this message in error, please delete it or mail us back with re move in the sub ject. If any follow-up is needed I show your contact information as Morgan Stanley, mstanley@redacted and our address if needed is 3200 Downwood Circle, Ste 410, Atlanta, GA, 30327. Thank you.
Let's check the veracity of the message.. first, the mail headers.
Received: from [22.214.171.124] (port=1355 helo=mail.unicorehealth.net)We can see that the SPF record for unicorehealth.net matches it to 126.96.36.199. The domain unicorehealth.net is also hosted on the same IP, so we can be reasonably assured that this is not a forgery. Let's look at the WHOIS details for that domain..
by [redacted] with esmtp (Exim 4.80)
for mstanley@redacted; Wed, 11 Feb 2015 15:24:20 +0000
Received: from 31617334.unicorehealth.net
by mail.unicorehealth.net (Right Sender 3.3) with ASMTP id YRJ55117
for <mstanley@redacted>; Wed, 11 Feb 2015 10:24:17 -0500
From: "Brad Smith" <firstname.lastname@example.org>
To: "Morgan Stanley" <mstanley@redacted>
Subject: Morgan, HR related question
Date: Wed, 11 Feb 2015 10:24:12 -0500
X-Mailer: SMTP-Mailer 3.4
Received-SPF: pass ([redacted]: domain of email@example.com designates 188.8.131.52 as permitted sender) client-ip=184.108.40.206 firstname.lastname@example.org helo=mail.unicorehealth.net
X-Mythic-Debug: Threshold = On =
X-Spam-Status: No, score=-1.1
Registrant Name: Brad Smith
Registrant Organization: Unicore Health
Registrant Street: 3200 Downwood Circle
Registrant Street: Suite 410
Registrant City: Atlanta
Registrant State/Province: Georgia
Registrant Postal Code: 30327
Registrant Country: United States
Registrant Phone: +1.6785226363
Registrant Phone Ext:
Registrant Fax Ext:
Registrant Email: email@example.com
This links unicorehealth.net with unicorehealth.com. Indeed, we can find "Bradley Smith" on the unicorehealth.com web site.
I emailed Mr Smith back twice and asked him how he came across the email address. He didn't bother to reply.
Previously I mentioned that I have seen this type of spam before from one particular company, BizSummits, run by Michael Price. In particular, they look for potential names on a website and then spam them, a technique that is highly inaccurate but does seem to be relatively successful nonetheless.
Now, Unicore Health is not BizSummits. But they both use a virtual office address in Altanta, about ten miles apart. So perhaps there is some personal connection between the two businesses or the people behind them.
One of Mr Price's other businesses is called PlugMeIn (plugmein.com), which claims to reveal the email addresses of key people on certain websites. If this uses the same approach as the BizSummits spam, then it might well be just as inaccurate. And perhaps Unicore Health is using PlugMeIn technology to find email addresses.
But since Brad Smith didn't bother to reply to me, I can't tell if this spam was the result of faulty software, a bad email address list or just plain stupidity. Personally, I won't be buying anything from them soon.
UPDATE - January 2017
For various reasons, I ended revisiting this post and discovered that unicorehealth.net now displays a site "Hartford HR Summit" which is definitely a BizSummits / Michael Price site.