Spamming of NANOG list members
Hello NANOG Community,

It has come to our attention there are spamming messages being sent to members of the NANOG mail list spoofed to look as though they are coming from the NANOG organization. The messages being sent refer to NANOG Remittance, with an attachment containing a virus.

These messages are not flowing through NANOG servers, nor using the NANOG domain. They are not messages coming from the NANOG organization. Please be aware if you receive a message matching this description and always make sure to scan attachments for a virus.

Cheers,
Valerie

Valerie Wittkop - NANOG Program Director
305 E. Eisenhower Pkwy, Suite 100, Ann Arbor, MI 48108
Tel: +1 866 902 1336, ext 103
Appreciate the warning!

On 23/05/2019 19:46, Valerie Wittkop wrote:
> These messages are not flowing through NANOG servers, nor using the NANOG domain. They are not messages coming from the NANOG organization. Please be aware if you receive a message matching this description and always make sure to scan attachments for a virus.

The one I received looked like this:

> From: "NANOG" <service@cegips.pl>
...

Has it been considered switching to "-all", instead of only "~all" in the spf record?

$ dig +short +nocmd +nocomments TXT nanog.org
"v=spf1 include:_spf.google.com ip4:104.20.199.50 ip4:104.20.198.50 ip4:50.31.151.75 ip4:50.31.151.76 ip6:2001:1838:2001:8::19 ip6:2001:1838:2001:8::20 ip6:2400:cb00:2048:1::6814:c632 ip6:2400:cb00:2048:1::6814:c732 ~all"

-Christoffer
On Thu, May 23, 2019 at 4:13 PM Hansen, Christoffer <christoffer@netravnen.de> wrote:
> The one I received looked like this:
>> From: "NANOG" <service@cegips.pl>
> ...
> Has it been considered switching to "-all", instead of only "~all" in the spf record?
The SPF record wouldn't make a difference since that email was sent from @cegips.pl, not from @nanog.org. You'd have to change the SPF record for the cegips.pl domain to impact their ability to send from that address.
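To make the SPF exchange above concrete (Christoffer's "~all" versus "-all" question and Matt's point that the nanog.org record is never consulted for a message claiming to be from cegips.pl), here is an added Python example; it is not code from the thread or from NANOG. It assumes a hypothetical offline table standing in for DNS that holds only the nanog.org record quoted above, skips include: mechanisms (which need live DNS), and uses a constructed sender IP from TEST-NET-2.

```python
import ipaddress

# Constructed copy of the nanog.org TXT record quoted in the thread (May 2019).
NANOG_SPF = (
    "v=spf1 include:_spf.google.com ip4:104.20.199.50 ip4:104.20.198.50 "
    "ip4:50.31.151.75 ip4:50.31.151.76 ip6:2001:1838:2001:8::19 "
    "ip6:2001:1838:2001:8::20 ip6:2400:cb00:2048:1::6814:c632 "
    "ip6:2400:cb00:2048:1::6814:c732 ~all"
)

# Hypothetical offline stand-in for DNS: only nanog.org publishes a record here.
# cegips.pl deliberately has no entry, mirroring the case in the thread.
SPF_RECORDS = {"nanog.org": NANOG_SPF}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, records=SPF_RECORDS):
    """Minimal RFC 7208-style check: ip4/ip6/all only; include: is skipped offline."""
    record = records.get(domain.lower())
    if record is None:
        return "none"          # no SPF record published: the receiver learns nothing
    terms = record.split()
    if terms[0] != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qual = "+"             # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]   # ~all -> softfail, -all -> fail
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        # include:, a, mx need live DNS; ignored in this offline example
    return "neutral"           # record exhausted without an "all" term


def check_sender(mail_from, sender_ip, records=SPF_RECORDS):
    """SPF is evaluated for the domain the message claims, not for nanog.org."""
    domain = mail_from.rsplit("@", 1)[-1]
    return domain, evaluate_spf(domain, sender_ip, records)


def with_hard_fail(record):
    """The change Christoffer asked about: replace ~all with -all."""
    return record.replace("~all", "-all")


if __name__ == "__main__":
    outside_ip = "198.51.100.7"   # constructed sender IP (TEST-NET-2)
    print(check_sender("service@cegips.pl", outside_ip))           # ('cegips.pl', 'none')
    print(evaluate_spf("nanog.org", outside_ip))                   # softfail
    print(evaluate_spf("nanog.org", outside_ip,
                       {"nanog.org": with_hard_fail(NANOG_SPF)}))  # fail
    print(evaluate_spf("nanog.org", "2001:1838:2001:8::19"))       # pass
```

The last three calls show what "-all" would actually change: only the verdict for mail forging a nanog.org sender from an outside IP, which is not the case this thread's lure used.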
On 5/23/19 4:16 PM, Matt Harris wrote:
> The SPF record wouldn't make a difference since that email was sent from @cegips.pl, not from @nanog.org. You'd have to change the SPF record for the cegips.pl domain to impact their ability to send from that address.
The one I received was from rainphil.com and came with an ugly Trojan attached as a PDF. Has anyone else received this type or am I just fortunate?

Richard Golodner
Mine came 21 May. It was a .doc. Sent from charter.net, with the user portion of the sender very similar to a nanog contributor. And it arrived oddly coincident with my visit to the cvent registration page. Any others who had that coincidence?

—Sandy
On May 23, 2019, at 5:39 PM, Richard <rgolodner@infratection.com> wrote:
> The one I received was from rainphil.com and came with an ugly Trojan attached as a PDF.
> Has anyone else received this type or am I just fortunate?
> Richard Golodner
So sheer coincidence. Literally.

—Sandy
On May 23, 2019, at 7:07 PM, Niels Bakker <niels=nanog@bakker.net> wrote:
> * sandy@tislabs.com (Sandra Murphy) [Fri 24 May 2019, 00:28 CEST]:
>> And it arrived oddly coincident with my visit to the cvent registration page. Any others who had that coincidence?
>
> No, and I've gotten like five by now.
>
> -- Niels.
Question: Is the member list with email addresses public?? Otherwise, one has to wonder how they got these addresses?

Anne

Anne P. Mitchell, Attorney at Law
CEO/President, Institute for Social Internet Public Policy
GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Board of Directors, Denver Internet Exchange
Board of Directors, Asilomar Microcomputer Workshop
Legal Counsel: The CyberGreen Institute
Former Counsel: Mail Abuse Prevention System (MAPS)
Ret. Professor of Law, Lincoln Law School of San Jose
On May 24, 2019, at 1:26 AM, Sandra Murphy <sandy@tislabs.com> wrote:
> So sheer coincidence. Literally.
> —Sandy
On Fri, May 24, 2019 at 8:08 AM Anne P. Mitchell, Esq. <amitchell@isipp.com> wrote:
> Question: Is the member list with email addresses public?? Otherwise, one has to wonder how they got these addresses?

Everyone who posts does so with an email address that becomes known to everyone who subscribes and is published everywhere someone publicly archives the messages. It's common practice by spammers to harvest addresses by subscribing to mailing lists.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Almost always indiscriminately. They probably would be wise to avoid mailing lists of sys admins, network admins, etc., but they don't. *shrugs*

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

----- Original Message -----
From: "William Herrin" <bill@herrin.us>
To: "Anne P. Mitchell, Esq." <amitchell@isipp.com>
Cc: "J. Hellenthal via NANOG" <nanog@nanog.org>
Sent: Friday, May 24, 2019 10:14:47 AM
Subject: Re: Spamming of NANOG list members

> Everyone who posts does so with an email address that becomes known to everyone who subscribes and published everywhere someone publicly archives the messages. It's common practice by spammers to harvest addresses by subscribing to mailing lists.
Anne, the way that such addresses are often harvested is that one of the spammers (or his agent) becomes a member of the list and simply records the addresses of persons posting to the list. They then get spammed.

- Brian

On Fri, May 24, 2019 at 09:07:28AM -0600, Anne P. Mitchell, Esq. wrote:
> Question: Is the member list with email addresses public?? Otherwise, one has to wonder how they got these addresses?
>
> Anne
On Fri, May 24, 2019 at 08:17:31AM -0700, Brian Kantor wrote:
> Anne, the way that such addresses are often harvested is that one of the spammers (or his agent) becomes a member of the list and simply records the addresses of persons posting to the list. They then get spammed.

I rather suspect that's exactly what's happening here. I've gotten three, but a colleague who is subscribed but has never posted has gotten zero, despite sharing the same email infrastructure and thus precisely the same configuration.

----rsk
On 5/24/19 11:36 AM, Rich Kulawiec wrote:
> I rather suspect that's exactly what's happening here. I've gotten three, but a colleague who is subscribed but has never posted has gotten zero, despite sharing the same email infrastructure and thus precisely the same configuration.
>
> ----rsk
It's easy enough to sign up and trawl the archives....
--
John
PGP Public Key: 412934AC
Anybody else noticed a significant uptick in these e-mails? When I first saw this thread, I hadn't seen any. A couple days later, I got my first one. (yay!) Now I'm getting 2-3 a day. (yay?)
* bryan@shout.net (Bryan Holloway) [Sat 01 Jun 2019, 01:54 CEST]:
> Anybody else noticed a significant uptick in these e-mails?
>
> When I first saw this thread, I hadn't seen any. A couple days later, I got my first one. (yay!) Now I'm getting 2-3 a day. (yay?)

Yes. It's pretty annoying. And somebody seems to be burning through a lot of stolen credentials. I wonder what the success rate is...

-- Niels.
On 5/31/19 8:07 PM, Niels Bakker wrote:
> Yes. It's pretty annoying. And somebody seems to be burning through a lot of stolen credentials. I wonder what the success rate is...
>
> -- Niels.
I am getting several a day as well as ugly MS Word based trojan. They come to me from all over the world with the subject line:

"NANOG Payment Remittance Advice"

I agree with Niels, someone or some spamming outfit is burning through quite a bit of stolen credentials.

Richard Golodner
Infratection
On 5/31/2019 8:05 PM, Richard wrote:
> I am getting several a day as well as ugly MS Word based trojan.
> They come to me from all over the world with the subject line:
> "NANOG Payment Remittance Advice"
> I agree with Niels, someone or some spamming outfit is burning
> through quite a bit of stolen credentials.
It's Emotet (again).

Cheers,

- ferg

--
Paul Ferguson
Principal, Threat Intelligence
Gigamon
Seattle, WA USA
There are also variants of it with subjects like " Ref Id: %VARIABLE% " and "%Domain.tld% Ref Id: %VARIABLE% "

And as Bryan said, we are increasingly getting more and more as well.

M. Omer GOLGELI
---
AS202365

June 1, 2019 6:05 AM, "Richard" <rgolodner@infratection.com> wrote:
> I am getting several a day as well as ugly MS Word based trojan. They come to me from all over the world with the subject line: "NANOG Payment Remittance Advice" I agree with Niels, someone or some spamming outfit is burning through quite a bit of stolen credentials.
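As a defender-side illustration of the lure described in this thread (a "NANOG" display name on a foreign sender domain, the "NANOG Payment Remittance Advice" subject, and Omer's "Ref Id" variants), here is an added Python example, not code from the thread or from NANOG, that runs a small mail-triage check over constructed sample headers. The service@cegips.pl sender is the one quoted earlier in the thread; the other addresses, the LIST_DOMAIN constant and the "Ref Id" value are made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LIST_DOMAIN = "nanog.org"   # assumed: the only domain the list's own mail comes from

# Subject lures reported in the thread: the fixed "NANOG Payment Remittance Advice"
# line and the "Ref Id: <variable>" / "<domain.tld> Ref Id: <variable>" variants.
SUBJECT_LURES = (
    re.compile(r"^\s*NANOG Payment Remittance Advice\s*$", re.I),
    re.compile(r"^\s*(?:\S+\.[a-z]{2,}\s+)?Ref Id:\s*\S+", re.I),
)

# Constructed sample headers. service@cegips.pl is the sender quoted in the thread;
# the other addresses and the Ref Id value are made up for this example.
SAMPLES = {
    "remittance_lure": (
        'From: "NANOG" <service@cegips.pl>\n'
        "Subject: NANOG Payment Remittance Advice\n\nPlease see the attached remittance.\n"
    ),
    "refid_lure": (
        'From: "NANOG" <accounts@example.net>\n'
        "Subject: example.net Ref Id: 4471\n\nSee attachment.\n"
    ),
    "list_mail": (
        "From: NANOG Staff <staff@nanog.org>\n"
        "Subject: Spamming of NANOG list members\n\nHello NANOG Community,\n"
    ),
}


def triage(raw_message):
    """Return the reasons a message looks like the lure; an empty list means no hit."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    reasons = []
    # The display name borrows the list's brand while the address lives elsewhere.
    if "nanog" in display_name.lower() and domain != LIST_DOMAIN:
        reasons.append(f"display name {display_name!r} but sender domain {domain!r}")
    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in SUBJECT_LURES):
        reasons.append(f"subject matches reported lure: {subject!r}")
    return reasons


def triage_all(samples=SAMPLES):
    """Map each sample name to its reason list, as a quick sweep over a mailbox dump."""
    return {name: triage(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage_all().items():
        print(name, "->", reasons or "clean")
```

Either signal alone is only a hint (the subject check catches the "Ref Id" form even when the sender name is innocuous), so a real filter would feed these reasons into scoring alongside attachment type and authentication results rather than block on one of them.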
M. Omer GOLGELI wrote:
> There are also variants of it with subjects like
> " Ref Id: %VARIABLE% " and "%Domain.tld% Ref Id: %VARIABLE% "
> And as Bryan said, we are increasingly getting more and more as well.

I wonder if this crap corresponds positively with the price of Bitcoin.

-- S.C.
* sc@ottie.org (Scott Christopher) [Sat 01 Jun 2019, 12:04 CEST]:
> I wonder if this crap corresponds positively with the price of Bitcoin.

Only speculation (read: market manipulation) by holders of massive amounts of bitcoin drives the price of cryptocurrencies: https://davidgerard.co.uk/blockchain/2019/05/18/number-go-down-the-single-tr...

-- Niels.
See this as well today, but gmail auto trashed it :)

Col
On 1 Jun 2019, at 14:50, Niels Bakker <niels=nanog@bakker.net> wrote:
> * sc@ottie.org (Scott Christopher) [Sat 01 Jun 2019, 12:04 CEST]:
>> I wonder if this crap corresponds positively with the price of Bitcoin.
>
> Only speculation (read: market manipulation) by holders of massive amounts of bitcoin drives the price of cryptocurrencies: https://davidgerard.co.uk/blockchain/2019/05/18/number-go-down-the-single-tr...
>
> -- Niels.
On 5/31/19 5:53 PM, Bryan Holloway wrote:
> Anybody else noticed a significant uptick in these e-mails?
>
> When I first saw this thread, I hadn't seen any. A couple days later, I got my first one. (yay!) Now I'm getting 2-3 a day. (yay?)

Intriguing. I've not yet received a single one.

--
Grant. . . .
unix || die
WARNING: I AM ABOUT TO PONTIFICATE!

Many of the lists etc I'm on get spamt and that's followed by a stream of "we're getting spamt!" (either directly or scraped) agonizing, over and over.

I've been involved in the spam problems since before some of you were bornt (ok I'll stop with the stupid past participles), late 90s, and the net since the 1970s.

Instead of this non-stop quarter century of agonizing maybe it's high time to admit failure, that we designed a system which is subject to spam and that was a mistake, a big mistake.

I know, where's the FUSSP, the proposal, so you can shoot it down? I won't do that, not here. But I do think we need, and have needed for a couple of decades, some sort of radical rethink. Times have changed, ideas which were not practical 20 years ago are perhaps possible today due to, if nothing else, cheaper, faster hardware and networks etc.

I guess I'm an idealist but I also get a little sick of the endless cycle of complaining, agonizing, and assertions that everything has been tried and nothing can help which mostly amount to we like/hate email just as it is.

--
-Barry Shein

Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*
There's little doubt that this thread has caused an order of magnitude more messages in people's inboxes than the SPAM they're talking about.

-----
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

----- Original Message -----
From: bzs@theworld.com
To: nanog@nanog.org
Sent: Saturday, June 1, 2019 3:18:42 PM
Subject: Re: Spamming of NANOG list members

> WARNING: I AM ABOUT TO PONTIFICATE!
...
Rich Kulawiec wrote:
> On Fri, May 24, 2019 at 08:17:31AM -0700, Brian Kantor wrote:
>> Anne, the way that such addresses are often harvested is that one of the spammers (or his agent) becomes a member of the list and simply records the addresses of persons posting to the list. They then get spammed.
>
> I rather suspect that's exactly what's happening here. I've gotten three, but a colleague who is subscribed but has never posted has gotten zero, despite sharing the same email infrastructure and thus precisely the same configuration.

Not even that - google your email address inside " " and see where it can be harvested.

-- S.C.
Anne P. Mitchell, Esq. wrote:
> Question: Is the member list with email addresses public?? Otherwise, one has to wonder how they got these addresses?

https://marc.info/?l=nanog&r=1&w=2 and https://lists.gt.net/nanog/ mangle email addresses in the headers but do nothing about email addresses that are quoted / attributed in the body.

-- S.C.
On Fri, May 24, 2019 at 06:34:25PM +0300, Scott Christopher wrote:
> https://marc.info/?l=nanog&r=1&w=2 and https://lists.gt.net/nanog/ mangle email addresses in the headers but do nothing about email addresses that are quoted / attributed in the body.

There is zero, as in 0.0, point in mangling/obfuscating/etc. email addresses in forlorn and misguided and ultimately futile attempts to keep spammers from getting their hands on them. I wrote about this extensively a few years ago so please let me cite myself in these two messages [1]:

http://www.firemountain.net/pipermail/novalug/2014-July/041213.html
http://www.firemountain.net/pipermail/novalug/2014-August/041230.html

On the other hand, there are a lot of reasons NOT to mangle/obfuscate/etc. email addresses, including the use of archives by people who come along later and are trying to track down authors of messages of interest.

---rsk

[1] As long as those are, there's still more: as one thought experiment, consider how many of the addresses on this very list can be correctly deduced by using simple constructions based on real names. By example, let's suppose John Smith at example.net is on this list. We could readily guess:

john@example.net
smith@example.net
johnsmith@example.net
john-smith@example.net
john.smith@example.net
jsmith@example.net
j.smith@example.net
smithj@example.net
smith.j@example.net

and similar variations, and if you compare that to the results of

egrep "^From: " nanog | sort -u

you'll quickly see that a very simple script could come up with roughly half the addresses on this list immediately. One of the implications of this, given the widespread adoption of uniform algorithmic generation of email addresses by much of the corporate and government and nonprofit &etc. worlds, is that an attacker who has very little knowledge of the corpus of valid email addresses at any such entity can make a first-order pass at enumerating them by combining a script such as the one I posited above with lists of the 1000 most common first and last names in the appropriate locale.

Of course if the attacker has even a small sample of known-valid addresses, then it's not necessary to use the myriad variations that such a script would generate, only the one that appears to be in use at the target.
Rich,

Comments inline:

On May 24, 2019, at 5:58 PM, Rich Kulawiec <rsk@gsp.org> wrote:
> On Fri, May 24, 2019 at 06:34:25PM +0300, Scott Christopher wrote:
>> https://marc.info/?l=nanog&r=1&w=2 and https://lists.gt.net/nanog/ mangle email addresses in the headers but do nothing about email addresses that are quoted / attributed in the body.
>
> There is zero, as in 0.0, point in mangling/obfuscating/etc. email addresses in forlorn and misguided and ultimately futile attempts to keep spammers from getting their hands on them. I wrote about this extensively a few years ago so please let me cite myself in these two messages [1]:
>
> http://www.firemountain.net/pipermail/novalug/2014-July/041213.html
> http://www.firemountain.net/pipermail/novalug/2014-August/041230.html

I guess you don't get Comcast abuse reports, below is an example:

"e7f05f85ba44ad3393e7b086eed202ee b2cca3a3ae3825c36999e12722e83830" <eed6df6cd94ee61a5091e4d46af49993@gmail.com>, "Ed d95a762f93c99703afe76d25f1679ea4" <d9bf58b67f09a3bec99fff00b2f12160@comcast.net>

Let me see you figure out who on a shared server sent that message, hell, it's gmail.com and comcast.net so appears on the logs probably significantly on most single use corporate servers as well.

> On the other hand, there are a lot of reasons NOT to mangle/obfuscate/etc. email addresses, including the use of archives by people who come along later and are trying to track down authors of messages of interest.

This I sort of agree with on the above example, at least to some extent. FBL's are meant to alert to issues, as far as tracking them down it's more of the mail ops job, so they are sort of allowed to make it a PIMA to avoid causing more issues by confirming.

> ---rsk

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
On 5/24/19 4:11 PM, Eric Tykwinski wrote:
> I guess you don't get Comcast abuse reports, below is an example:
> "e7f05f85ba44ad3393e7b086eed202ee b2cca3a3ae3825c36999e12722e83830" <eed6df6cd94ee61a5091e4d46af49993@gmail.com>, "Ed d95a762f93c99703afe76d25f1679ea4" <d9bf58b67f09a3bec99fff00b2f12160@comcast.net>

Those look like they are probably MD5 hashes (I'm guessing) of names. So your proposed algorithm would be trivial to extend to add MD5 hashes of permutations.

--
Grant. . . .
unix || die
participants (20)
- Anne P. Mitchell, Esq.
- Brian Kantor
- Bryan Holloway
- bzs@theworld.com
- colin johnston
- Eric Tykwinski
- Grant Taylor
- Hansen, Christoffer
- John Peach
- M. Omer GOLGELI
- Matt Harris
- Mike Hammett
- Niels Bakker
- Paul Ferguson
- Rich Kulawiec
- Richard
- Sandra Murphy
- Scott Christopher
- Valerie Wittkop
- William Herrin