195[.]250[.]27[.]30, UK IP 107[.]59[.]4[.]235), generating an SPF softfail and DMARC fail. The body is a mass-template sextortion demand: anonymous device-compromise claims, a Bitcoin payment demand of approximately $2,100 to address 119YUFBrK7CiVwrPLDK9Sz3F32dauv26i, and a 50-hour deadline. No links or attachments were included. The Bitcoin address appears on public scam-tracking resources connected to prior sextortion campaigns.# Bitcoin Sextortion via Spoofed Legitimate Domain: SPF Softfail Lets Extortion Template Through
A sextortion email with a $2,100 Bitcoin demand cleared the recipient's gateway by spoofing a long-established legitimate domain in the From header while routing through unauthorized relay infrastructure that produced only an SPF softfail. The absence of links and attachments stripped away the detection layers most email security tools rely on, leaving the message to be evaluated on content alone.
The From header displayed an address at a long-established domain (registered in 2002) that would appear credible to both humans and spam filters. The message was never sent from that domain's authorized mail servers. Instead, it traversed two relay hops: an SMTP relay at 195[.]250[.]27[.]30 (reverse DNS: s3418[.]mex1[.]stableserver[.]net, geolocation: Mexico City) and an upstream hop at 107[.]59[.]4[.]235 (no PTR record, UK allocation). Neither IP is authorized by the spoofed domain's SPF policy. The intermediary relay domains observed in the headers (14307[.]com, 75970[.]com) carry minimal WHOIS data consistent with throwaway bulk-mail infrastructure.
The body followed a well-worn sextortion template:
119YUFBrK7CiVwrPLDK9Sz3F32dauv26iLow personalization, heavy typos, and odd diacritics throughout match the characteristics of a mass-targeting template distributed at scale. The Bitcoin address has prior reports on public scam-tracking resources for use in sextortion campaigns.
The SPF result for this message was softfail, not fail. The distinction matters operationally. A softfail (~all in the SPF policy) is designed as a warning mechanism rather than a hard rejection trigger. Many gateway configurations log or deprioritize softfail rather than quarantine or reject. Attackers who spoof domains with ~all policies exploit exactly this gap.
DMARC failed for the spoofed From domain because the sending IPs are not covered by the domain's SPF record and no DKIM signature aligned to that domain was present. However, DMARC enforcement is only as effective as the receiving organization's inbound policy enforcement. A DMARC fail on an inbound message does not automatically block it unless the receiving gateway is configured to act on the p=reject or p=quarantine policy of the sending domain.
Critically, the message had no links and no attachments. URL-reputation engines, link-sandboxing, and attachment-detonation checks all had nothing to evaluate. The message had to be caught on header analysis, sender authentication signals, and behavioral content patterns alone. This is a deliberate evasion technique for social engineering attacks delivered entirely in prose.
See Your Risk: Calculate how many threats your SEG is missing
The IRONSCALES platform correlated the SPF softfail with the relay infrastructure anomaly (Mexico City IP, no-PTR UK hop, throwaway relay domains) and the content profile. Sender risk was flagged as high. The Bitcoin address in the body matched records on external scam-tracking databases, providing a cross-reference signal that confirmed the extortion nature of the message rather than leaving it in a gray zone.
No gateway-level block occurred. Detection relied on post-delivery behavioral analysis correlating infrastructure, authentication posture, and content signals together.
Sextortion campaigns are not sophisticated at the technical level, but they are calibrated to exploit gaps in gateway configuration. A few high-value controls:
Harden SPF policy evaluation. Treat softfail as a meaningful negative signal at the gateway, not just in spam scoring. If your domain uses ~all, consider moving to -all and auditing all authorized sending sources first.
Enforce on DMARC fails. If the sending domain publishes a DMARC record with a policy of p=quarantine or p=reject, your inbound gateway should honor that signal. Many organizations receive the DMARC fail signal but do not act on it.
Content-only detection is a weak backstop. Messages with no links and no attachments expose the limits of gateway tools that depend on URL reputation and file scanning. Post-delivery analysis using phishing behavioral modeling catches what content filters miss.
User guidance is not enough. Sextortion templates are designed to trigger shame and panic, suppressing the recipient's willingness to report the message. Detection must happen at the platform level before the message reaches the inbox.
| Type | Indicator | Notes |
|---|---|---|
| Bitcoin address | 119YUFBrK7CiVwrPLDK9Sz3F32dauv26i | Payment demand; linked to prior sextortion campaigns on scam-tracking databases |
| Relay IP | 195[.]250[.]27[.]30 | PTR: s3418[.]mex1[.]stableserver[.]net; Mexico City; SPF softfail source |
| Relay IP | 107[.]59[.]4[.]235 | No PTR; UK allocation; upstream relay hop |
| Relay domain | 14307[.]com | Throwaway relay domain; minimal WHOIS |
| Relay domain | 75970[.]com | Throwaway relay domain; minimal WHOIS |
| Authentication | SPF=softfail, DMARC=fail | From domain not authorized for sending IPs |
| MITRE | T1566 | Phishing |
| MITRE | T1656 | Impersonation |
| Attack | What happened |
|---|---|
| The Webinar Invite That Came With an Apple Wallet Pass and a Three-Hop Redirect Chain | A Google Calendar invite for a fake AI webinar passed full authentication and carried an .ics file, an Apple Wallet .pkpass. |
| The Bank Statement You Had to Unlock With Your Birthday: PII-Gated PDF Evasion From Authenticated Infrastructure | A fully authenticated email from banking infrastructure delivered a password-protected PDF that required the recipient's mobile number and date of birth... |
| The Spreadsheet That Arrived Twice: CR/LF Filename Obfuscation and a Base64 Shadow Payload | A clinical data report arrived as a .xlsx with CR/LF control characters in the filename and a companion .b64 base64 payload. |
| Perfect Authentication, Zero Payload: The Yahoo Free-Mail BEC That Microsoft Flagged but Didn't Block | A Yahoo free-mail account with perfect SPF, DKIM, and DMARC authentication sent a zero-payload account change request to a state government health agency. |
| The $250 Donation Receipt That Nobody Authorized | A legitimate nonprofit fundraising platform sent a real donation receipt for a $250 charge the recipient never made. |