Donald Trump's generous present
This phishing attempt stretches its credibility in multiple respects. For one thing, Donald Trump is not known as a generous person, either with his own money or with public money (or anything else I can think of, except for unprecedented amounts of lies, disruption and disregard for the rule of law). Perhaps the originators of this scam confused him with Elon Musk, who for a while made the news by presenting a few well-chosen Trump voters with a million-dollar check. Last time I checked, buying votes in a public election was a serious crime in an overwhelming majority of countries, but if you have enough money, anything goes these days in the United States.
I found today in my spam folder a phishing e-mail, in itself not remarkable in any particular way, except for purporting to come from the office of (to put it mildly) the most controversial president in the recent history of the United States.
The source code of the e-mail (anonymized to remove my personal data, but leaving in place all data that may point to the e-mail originator):
[non-essential headers deleted here]
Delivered-To: XXXXXX@gmail.com
Received: by 2002:a05:6a11:d48d:b0:600:d8b7:e1cc with SMTP id oa13csp1060947pxc;
Fri, 27 Jun 2025 08:00:09 -0700 (PDT)
[more non-essential headers deleted here]
dkim=pass header.i=@plala.or.jp header.s=p20240201 header.b=fJbAIay8;
spf=pass (google.com: domain of k-asuka@jade.plala.or.jp designates 60.36.166.36 as permitted sender) smtp.mailfrom=k-asuka@jade.plala.or.jp;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=plala.or.jp
Return-Path: <k-asuka@jade.plala.or.jp>
[more non-essential headers were deleted here]
id <20250627145957.WYEU12938.msa14.plala.or.jp@mweb13>;
Fri, 27 Jun 2025 23:59:57 +0900
Date: Fri, 27 Jun 2025 23:59:57 +0900
From: "Donald Trump 47th president of the United States." <k-asuka@jade.plala.or.jp>
Reply-To: potus46s@gmail.com
Message-ID: <20250627235957.U1RBY.2091.root@mweb13>
Subject: Release of Your compensation Fund
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
Sensitivity: Normal
X-VirusScan: Outbound; mvir-ac14;
Fri, 27 Jun 2025 23:59:57 +0900
Dear Beneficiary,
I, Donald J. Trump, 47th President of the United States of America, am pleased to inform you that I have signed an executive order for the release of your outstanding inheritance fund. The fund, valued at US$51,000,000, will be delivered to you via a Bank draft check or Bank ATM card through the payer bank.
To proceed with the process smoothly, please reconfirm the following information:
- Your full name:
- Home address:
- Cell phone number:
Your prompt response will be highly appreciated.
Signed,
Mr. Donald J. Trump
47th President of the United States of America
A few technical notes first:
- plala.or.jp is a legitimate domain of Plala, a consumer Internet service provider belonging to the NTT group. It is not a spamhouse, but because it provides mailboxes to large numbers of private subscribers in Japan, it is unavoidably also used for the distribution of spam, phishing and various types of Internet fraud. Note that the SPF, DKIM and DMARC results above all pass: the message genuinely left plala's mail system from a plala account, and e-mail authentication says nothing about whether the display name in the From header is true.
- k-asuka@jade.plala.or.jp is the user account that sent the phishing e-mail.
- 60.36.166.36 is the plala mail server that handed the message to Gmail. The SPF line above says plala.or.jp designates it as a permitted sender, so it is the provider's outbound relay, not the scammer's own device; the msa14.plala.or.jp and mweb13 tokens in the message identifiers suggest the message was submitted through plala's webmail. The address of the device the scammer actually used is not visible in the headers shown here.
- potus46s@gmail.com is the Reply-To field value. Setting Reply-To is the simplest way to make an e-mail appear (to inexperienced users) to come from this address. What the Reply-To field actually does is tell your e-mail software to use this address if you hit the Reply button. It does not mean that the original e-mail came from potus46s@gmail.com. It does mean, however, that someone created the potus46s@gmail.com account (and likely a whole batch of other, similarly named Gmail accounts) to collect replies to the phishing e-mail. By the time you read this, Gmail most likely has already deleted this account. The same goes for the display name: the text "Donald Trump 47th president of the United States." in the From header is free text typed by the sender; the only thing the receiving server authenticated is the address that follows it, k-asuka@jade.plala.or.jp.
The whole point of this scam is that, until deleted, the e-mail account potus46s@gmail.com collected all e-mail sent as a reply to the original message, and very likely forwarded it automatically to a chain of other addresses where Gmail cannot delete it. The phishing message was sent to a very large collection of e-mail addresses stolen by hackers in many different ways. This particular message is plain text (Content-Type: text/plain) with no links and no images, so it carries no tracking pixel: unless you hit Reply and send the information requested in the phishing e-mail, the scammers have no way to know anything else about you. They have no way of knowing if you actually received or read the phishing e-mail. If you do reply with the requested information, on the other hand, you will be targeted by endless amounts of Internet, telephone, postal, and direct scams, spam and fraud.
Of course, there is also the matter of the lack of credibility of the president of the United States using a Gmail address. Even Trump should know better than this (albeit apparently many in his closest circle of advisors do not, as their clueless Internet habits have been amply reported by e.g. BBC, American Oversight, OPB, CBS, ABC). The whitehouse.gov e-mail domain would seem a more credible source of presidential e-mail. However, there are still ways to make an e-mail look as if it came from such a domain (a forged display name, a look-alike domain, an address that the receiving server never actually vouched for), so an e-mail that appears to come from this domain is not necessarily genuine. The check that does hold up is the one visible in the headers above: which domain the receiving server's Authentication-Results line reports dmarc=pass for (here plala.or.jp, not whitehouse.gov and not gmail.com).
If you do type whitehouse.gov in your web browser, you will be led to a web site serving a large amount of self-aggrandizing political slop and very little real information.