DON’T CLICK THAT LINK (Unless it’s us)

Don’t do it!

A common piece of advice we often give to users is:

Do not click any links in unexpected emails.

Good advice. Let’s put it to the test:

The South African Revenue Service (SARS) brand is notorious for being used in Phishing attacks, trying to trick users into divulging banking or other personal information.

See some of the samples here: (Yes, I know it’s a link…)

SARS also shares warnings for things to look out regarding phishing mails:

  • “Members of the public are randomly emailed with false “spoofed” emails made to look as if these emails were sent from SARS, but are in fact fraudulent emails aimed at enticing unsuspecting taxpayers to part with personal information such as bank account details.”
  • “Importantly, SARS will not send you any hyperlinks to other websites – even those of banks.”

Good advise, however, the following happened:


It is a Phish?

Yesterday, I received an email message with subject “Please rate your SARS experience“. Now, if you’re a law abiding citizen of the Republic, you’ll know that your online eFiling deadline was 31 October 2018. So emails like these could be expected, but could also be phishing:

In this instance, Gmail is kind enough to show us that the email did not originate from SARS, but came in via bounce.mkt2356[.]com:

South African Revenue Service (SARS) via 

And they are asking me to click on a link, which is bad. So let’s investigate further…


The Post Office

For this analogy, we’ll run with the idea that I have a letter that I’d like to send to the friendly people at Eskom to enquire about their power generating capability as we are having Stage2 load shedding today.

I decide to drop my well worded letter off at the big red metal post box at the Hatfield Post Office in Pretoria, South Africa.

Upon receiving my letter, the Post Office adds something called an email header to it. An email header keeps track of (among others) all those stamps added to your envelope as it travels past different post offices and mail sorting stations on its way to the friendly folks at Eskom.


Message IDs

One of the many fields contained in the email header is called the Message-ID. This field can help us in our quest to determine where the email originated from. This is in essence the name and serial number of the post box at Hatfield Post Office, as well as a uniquely created tracking number for my letter.

Our SARS email had the following Message-ID:

Message-ID: <>

Normally, you’d expect the portion after the “@” sign to denote a legitimate domain. For example, emails sent from Gmail will have something like this for a Message-ID:

Message-ID: <>

However, in our case rbg13.atlis1 isn’t a valid domain, which is odd for an email received from SARS.


Received Fields

Next, lets look at the “Received” field. This field records all the email servers which handles an email on it’s way to it’s destination.

For our letter we sent to Eskom, the Received fields will look something like this (simplified, I know):

Received: by Hatfield Post Office from Some Guy; 29 Nov 2018 13:15

Received: by Tshwane Distribution Center  from Hatfield Post Office; 29 Nov 2018 16:00

Received: by Midrand Distribution Center from Tshwane Distribution Center; 30 Nov 2018 09:00

Received: by Midrand Post Office from Midrand Distribution Center; 30 Nov 2018 12:15

Received: by Eskom Offices from Midrand Post Office; 30 Nov 2018 16:15

In our case, the Received fields show the SARS email traveled the following path to my Gmail account:

1. mail6613.grapevine.mkt7212[.]com

Yes, that shows a pretty short path. Basically one hop from the mkt7212[.]com server to Gmail’s server.


The Link

Next up is the link in the email (the reason I wrote this whole thing).

If you scroll up and look at the screenshot again, you’ll see that the email contains a “Survey Link” to click and complete.

This link in the email shows that it’s for:


(I’ve changed the URL a bit as it’s most likely unique to each address the mail was sent to)

But mkt2356[.]com isn’t SARS. Let’s take a look where you’ll end up if you clicked it:

So, clicking that link for http://links.mkt2356[.]com would actually get you to the legitimate SARS website https://tools.sars[.]

However, to make things worse, mkt2356[.]com has a Certificate Name Mismatch error, which will be cause lots of security products to warn you before visiting the site:

And here’s what it looks like when you eventually end at the actual SARS website:

So, it turns out that the MKTxxx domains are owned by IBM’s Watson Campaign Automation digital marketing solution.

So What??

Ok, so at this point you are asking the following: “Come on dude, it’s just SARS using a marketing company to send out emails with unique links so that they can track who actually clicks it after which it take you to the actual SARS page so no need for all this screenshots and stuff so get of your horse and enjoy your load shedding.

Well, my point is this:

This is not helpful.

We can’t be telling people “DON’T CLICK ON ANYTHING! JUST DON’T” and then send them crappy survey emails with links we want them to click. So the message becomes:


*Unless we send you stuff via a third party, so then please go ahead and click it, even if it was set up crappy, don’t worry, it’s fine, trust us.


That my friend, is confusing.