I just got spam that in its entirety said: "Hi, don't forget about all my tasks." It's in plain text; there is no hidden content. Fake sender with my domain name, using a name that I do not have in my previous collection of spam. (I save it all for a month, in case of filter mismatches and some amount of morbid curiosity.) What could be the possible angle here?
Return-Path: <AmericanExpress@welcome.aexp.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on example.edu
X-Spam-Status: No, score=2.3 required=5.0 tests=BAYES_05,BOGO_T25_HAM,
FSL_HELO_NON_FQDN_1,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_BRBL_LASTEXT,
RDNS_NONE,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL,TVD_RCVD_SINGLE autolearn=no
autolearn_force=no version=3.4.0
X-Spam-Level: xx
X-Original-To: mattdm@example.org
Delivered-To: mattdm@example.example.org
Received: from KVKRYIUZS (unknown [113.105.180.234])
by example.example.org (Postfix) with ESMTP id 2F21785E4E11
for <mattdm@example.org>; Mon, 9 Jan 2017 12:49:11 -0500 (EST)
Message-ID: <ZA6SW6MK.8115640@welcome.aexp.com>
Date: Tue, 10 Jan 2017 01:16:51 +0800
From: Jacob Lamothe <Jacob.Lamothe@example.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101
Thunderbird/24.2.0
MIME-Version: 1.0
To: attdm@example.org
Subject: Hello from Lamothe
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Hi, don't forget about all my tasks.
Thanks.
That's it — no other message parts. I replaced my domain with example.org. All of the X- headers are legit and from my own system. The "Return-Path" envelope header is interesting, as a quick search sees that implicated in several phishing attacks.
I do have a couple of other messages with that same Return-Path. They are virtually identical, and look like:
Return-Path: <AmericanExpress@welcome.aexp.com>
X-Original-To: mattdm@example.org
Delivered-To: mattdm@example.example.org
Received: from 80.red-80-34-69.staticip.rima-tde.net
(80.red-80-34-69.staticip.rima-tde.net [80.34.69.80])
by example.example.org (Postfix) with ESMTP id 10B988048645
for <mattdm@example.org>; Thu, 22 Dec 2016 17:23:33 -0500 (EST)
Received: from [145.214.112.131] (port=28899 helo=[10.0.4.34]) by 80.34.69.80
with asmtp id 1rqLaL-000MX-00 for mattdm@example.org; Thu, 22 Dec 2016
22:50:38 +0100
Message-ID: <399761218.20161222215038@welcome.aexp.com>
Date: Thu, 22 Dec 2016 22:50:38 +0100
From: Fax Scanner <scanner@example.org>
MIME-Version: 1.0
To: mattdm@example.org
Subject: You have recevied a message
Content-Type: multipart/mixed;
boundary="------------050107040507000606080309"
This is a multi-part message in MIME format.
--------------050107040507000606080309
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
You have received a message on efax.
Please download and open document attached.
Scanner eFax system.
--------------050107040507000606080309
Content-Type: application/zip; name="Message efax system-5733.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Message efax system-8631.zip"
[removed]
--------------050107040507000606080309
"Removed" is a zip file containing a javascript trojan. (Identified by an online scanner as a possible ransomware downloader.) So, maybe there's some relation? But, the headers don't look similar — different format for Message-ID, no User-Agent in the second, etc. And they came several weeks before the one above. I definitely understand what the fake scans are all about — but if they connect to the message above, I can't see how.
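A small header-triage script, added here as an example and not part of the question above, that does mechanically what the poster did by eye: it parses the two header sets quoted in the question (embedded below as constructed samples, trimmed to the headers the checks use), pulls out the envelope sender, header From, Message-ID domain, the Received chain and the SpamAssassin rule hits, and reports the sender-identity inconsistencies a defender would want flagged. The finding labels (`return_path_vs_from`, `helo_not_fqdn`, and so on) are my own names, not SpamAssassin rule names; the only rule name the script reads back from the page is `SPF_FAIL`.

```python
"""Triage raw e-mail headers for sender-identity inconsistencies (added example)."""
import email
import re
from email.utils import parseaddr

# Constructed sample: the "tasks" message's headers as quoted in the question.
SAMPLE_TASKS = """\
Return-Path: <AmericanExpress@welcome.aexp.com>
X-Spam-Status: No, score=2.3 required=5.0 tests=BAYES_05,BOGO_T25_HAM,
\tFSL_HELO_NON_FQDN_1,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_BRBL_LASTEXT,
\tRDNS_NONE,SPF_FAIL,TO_EQ_FM_DOM_SPF_FAIL,TVD_RCVD_SINGLE autolearn=no
\tautolearn_force=no version=3.4.0
Received: from KVKRYIUZS (unknown [113.105.180.234])
\tby example.example.org (Postfix) with ESMTP id 2F21785E4E11
\tfor <mattdm@example.org>; Mon, 9 Jan 2017 12:49:11 -0500 (EST)
Message-ID: <ZA6SW6MK.8115640@welcome.aexp.com>
From: Jacob Lamothe <Jacob.Lamothe@example.org>
To: attdm@example.org
Subject: Hello from Lamothe

Hi, don't forget about all my tasks.
"""

# Constructed sample: the earlier "eFax" message's headers, attachment omitted.
SAMPLE_EFAX = """\
Return-Path: <AmericanExpress@welcome.aexp.com>
Received: from 80.red-80-34-69.staticip.rima-tde.net
\t(80.red-80-34-69.staticip.rima-tde.net [80.34.69.80])
\tby example.example.org (Postfix) with ESMTP id 10B988048645
\tfor <mattdm@example.org>; Thu, 22 Dec 2016 17:23:33 -0500 (EST)
Received: from [145.214.112.131] (port=28899 helo=[10.0.4.34]) by 80.34.69.80
\twith asmtp id 1rqLaL-000MX-00 for mattdm@example.org; Thu, 22 Dec 2016
\t22:50:38 +0100
Message-ID: <399761218.20161222215038@welcome.aexp.com>
From: Fax Scanner <scanner@example.org>
To: mattdm@example.org

(attachment omitted)
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP = re.compile(r"from (\S+)(?: \(([^)]*)\))? by (\S+)")


def parse(raw):
    """Parse a raw RFC 5322 message (headers + body) with the stdlib parser."""
    return email.message_from_string(raw)


def flatten(value):
    """Unfold a header value: collapse continuation-line whitespace to single spaces."""
    return " ".join((value or "").split())


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def received_hops(msg):
    """One dict per Received: header, in header order: index 0 is the hop our own
    MTA added (the host that actually connected to us), later entries are older."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(flatten(value))
        if not m:
            continue
        helo, info, by = m.groups()
        ip = IPV4.search(m.group(0))           # first bracketed literal: the peer IP
        hops.append({"helo": helo, "by": by, "ip": ip.group(1) if ip else None,
                     "unresolved": "unknown" in (info or "")})   # MTA had no rDNS
    return hops


def spam_tests(msg):
    """(score, [rule names]) from X-Spam-Status; (None, []) when the header is absent."""
    value = flatten(msg.get("X-Spam-Status"))
    score = re.search(r"score=([-\d.]+)", value)
    tests = re.search(r"tests=(.*?)\s+autolearn=", value)
    names = [t for t in re.sub(r"\s+", "", tests.group(1)).split(",") if t] if tests else []
    return (float(score.group(1)) if score else None), names


def triage(raw):
    """Return the identity fields plus a list of inconsistency labels (my own names)."""
    msg = parse(raw)
    rp, frm, to = (domain_of(msg.get(h)) for h in ("Return-Path", "From", "To"))
    mid = (msg.get("Message-ID") or "").strip("<> ").rpartition("@")[2].lower()
    hops = received_hops(msg)
    score, tests = spam_tests(msg)
    findings = []
    if rp and frm and rp != frm:
        findings.append("return_path_vs_from")        # envelope sender != header From
    if mid and frm and mid != frm:
        findings.append("message_id_vs_from")         # Message-ID minted elsewhere
    if mid and rp and mid == rp:
        findings.append("message_id_matches_return_path")
    if frm and to and frm == to:
        findings.append("from_uses_recipient_domain") # impersonates our own domain
    if hops:
        if "." not in hops[0]["helo"].strip("[]"):
            findings.append("helo_not_fqdn")          # bare HELO name like KVKRYIUZS
        if hops[0]["unresolved"]:
            findings.append("no_reverse_dns")
    if "SPF_FAIL" in tests:
        findings.append("spf_fail")
    return {"return_path": rp, "from": frm, "message_id_domain": mid,
            "origin_ip": hops[0]["ip"] if hops else None,
            "score": score, "findings": findings}


if __name__ == "__main__":
    for name, raw in (("tasks", SAMPLE_TASKS), ("efax", SAMPLE_EFAX)):
        print(name, triage(raw))
```

Run on the two samples, the script shows what the two messages share despite their different Message-ID formats and User-Agent headers: in both, the Return-Path and Message-ID domains are `welcome.aexp.com` while the From claims the recipient's own domain; only the newer message additionally carries a bare HELO name, no reverse DNS and an SPF failure, because only it passed through SpamAssassin with those headers quoted. Keeping the triage as structured output rather than eyeballing headers makes it easy to run over a month of retained spam and group messages by these shared identity fields.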