Anyone else getting the 'spam' bomb threat?
I've now heard from several operators - ourselves included - about getting an e-mail bomb threat to our datacenters asking for $5,000 USD or the "bomb will be detonated".

Is this being seen on a widespread e-mail blast to the RIR contacts, or am I just unlucky to know like 6 other data center folks who have also gotten this e-mail?

It seems like a very odd/bizarre spam/threat campaign which would carry significant jail time.
we received it as well

-----Original Message-----
From: "Matt Hoppes" <mattlists@rivervalleyinternet.net>
Sent: Tuesday, October 19, 2021 8:21am
To: "North American Network Operators' Group" <nanog@nanog.org>
Subject: Anyone else getting the 'spam' bomb threat?

I've now heard from several operators - our selves included - about getting an e-mail bomb threat to our datacenters asking for $5,000 USD or the "bomb will be detonated".

Is this being seen on a wide spread e-mail blast to the RIR contacts, or am I just unlucky to know like 6 other data center folks who have also gotten this e-mail?

It seems like a very odd/bizarre spam/threat campaign which would carry significant jail time.
Yup, same here

Travis

From: NANOG <nanog-bounces+tgarrison=netviscom.com@nanog.org> On Behalf Of Shawn L via NANOG
Sent: Tuesday, October 19, 2021 7:25 AM
To: Matt Hoppes <mattlists@rivervalleyinternet.net>
Cc: North American Network Operators' Group <nanog@nanog.org>
Subject: RE: Anyone else getting the 'spam' bomb threat?

we received it as well

-----Original Message-----
From: "Matt Hoppes" <mattlists@rivervalleyinternet.net>
Sent: Tuesday, October 19, 2021 8:21am
To: "North American Network Operators' Group" <nanog@nanog.org>
Subject: Anyone else getting the 'spam' bomb threat?

I've now heard from several operators - our selves included - about getting an e-mail bomb threat to our datacenters asking for $5,000 USD or the "bomb will be detonated".

Is this being seen on a wide spread e-mail blast to the RIR contacts, or am I just unlucky to know like 6 other data center folks who have also gotten this e-mail?

It seems like a very odd/bizarre spam/threat campaign which would carry significant jail time.
We received 2, and I heard from other operators that they had received it as well. This is the second or third "threat" in a matter of a couple of weeks. Seems like someone scraped some information from somewhere.

----------------------------------------
From: Travis Garrison <tgarrison@netviscom.com>
Sent: 10/19/21 8:32 AM
To: Matt Hoppes <mattlists@rivervalleyinternet.net>
Cc: "Nanog@nanog.org" <Nanog@nanog.org>
Subject: RE: Anyone else getting the 'spam' bomb threat?

Yup, same here

Travis

From: NANOG <nanog-bounces+tgarrison=netviscom.com@nanog.org> On Behalf Of Shawn L via NANOG
Sent: Tuesday, October 19, 2021 7:25 AM
To: Matt Hoppes <mattlists@rivervalleyinternet.net>
Cc: North American Network Operators' Group <nanog@nanog.org>
Subject: RE: Anyone else getting the 'spam' bomb threat?

----------------------------------------
we received it as well

-----Original Message-----
From: "Matt Hoppes" <mattlists@rivervalleyinternet.net>
Sent: Tuesday, October 19, 2021 8:21am
To: "North American Network Operators' Group" <nanog@nanog.org>
Subject: Anyone else getting the 'spam' bomb threat?

I've now heard from several operators - our selves included - about getting an e-mail bomb threat to our datacenters asking for $5,000 USD or the "bomb will be detonated".

Is this being seen on a wide spread e-mail blast to the RIR contacts, or am I just unlucky to know like 6 other data center folks who have also gotten this e-mail?

It seems like a very odd/bizarre spam/threat campaign which would carry significant jail time.
Are you contacting your LEO? Or is this so spammy just hit delete?

I feel like even spam chosen poorly comes with consequences.

On 10/19/21 8:29 AM, Travis Garrison wrote:
Yup, same here
Travis
From: NANOG <nanog-bounces+tgarrison=netviscom.com@nanog.org> On Behalf Of Shawn L via NANOG
Sent: Tuesday, October 19, 2021 7:25 AM
To: Matt Hoppes <mattlists@rivervalleyinternet.net>
Cc: North American Network Operators' Group <nanog@nanog.org>
Subject: RE: Anyone else getting the 'spam' bomb threat?
we received it as well
-----Original Message-----
From: "Matt Hoppes" <mattlists@rivervalleyinternet.net>
Sent: Tuesday, October 19, 2021 8:21am
To: "North American Network Operators' Group" <nanog@nanog.org>
Subject: Anyone else getting the 'spam' bomb threat?
I've now heard from several operators - our selves included - about getting an e-mail bomb threat to our datacenters asking for $5,000 USD or the "bomb will be detonated".
Is this being seen on a wide spread e-mail blast to the RIR contacts, or am I just unlucky to know like 6 other data center folks who have also gotten this e-mail?
It seems like a very odd/bizarre spam/threat campaign which would carry significant jail time.
On Tue, 19 Oct 2021, at 08:40, Matt Hoppes wrote:
Are you contacting your LEO? Or is this so spammy just hit delete?
I feel like even spam chosen poorly comes with consequences.
I hit delete after I saw Frantech had already reported it to the FBI as per their website.

Whoever this is seems to be scraping ASN WHOIS data, the spam got sent to the noc@ address that's in whois for my ASN and IP space.

--
Sadiq Saif
https://bastetrix.com
We have a distinct abuse address (not just abuse@) and that is where the messages were sent.

We didn't receive the bomb threat ones. We only received the (somewhat more amusing) messages entitled "Your network has been PWNED" and "Fuck you".

The situation loses its humor entirely with the introduction of bomb threats. Seems like a script kiddie taking things way too far.

--
Hunter Fuller (they)
Router Jockey
VBH M-1A
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering

On Tue, Oct 19, 2021 at 8:57 AM Sadiq Saif <sadiq@bastetrix.com> wrote:
On Tue, 19 Oct 2021, at 08:40, Matt Hoppes wrote:
Are you contacting your LEO? Or is this so spammy just hit delete?
I feel like even spam chosen poorly comes with consequences.
I hit delete after I saw Frantech had already reported it the FBI as per their website.
Whoever this is seems to be scraping ASN WHOIS data, the spam got sent to the noc@ address that's in whois for my ASN and IP space.

--
Sadiq Saif
https://bastetrix.com
On Tue, Oct 19, 2021, at 16:00, Hunter Fuller via NANOG wrote:
> We have a distinct abuse address (not just abuse@) and that is where the messages were sent.
>
> We didn't receive the bomb threat ones. We only received the (somewhat more amusing) messages entitled "Your network has been PWNED" and "Fuck you".

Hi,

We got the same here at France-IX. It was on Friday 15th. Hopefully, they "PWNED" all our Cisco and Mikrotik routers (of which we have none).

> The situation loses its humor entirely with the introduction of bomb threats. Seems like a script kiddie taking things way too far.

I heard that yesterday (19th) evening there was law enforcement deployment and evacuation in the area of a major Paris (FR, EU) telco hotel, apparently due to "threats to a business in the area". Details (popcorn) on FrNOG (in French): https://www.mail-archive.com/frnog@frnog.org/msg67540.html
I put what we received up on pastebin entirely with headers (and redacted our info).

https://pastebin.com/kLjPm8Nk

Warm regards,

-M<

On Wed, Oct 20, 2021 at 9:19 AM Radu-Adrian Feurdean <nanog@radu-adrian.feurdean.net> wrote:
On Tue, Oct 19, 2021, at 16:00, Hunter Fuller via NANOG wrote:
We have a distinct abuse address (not just abuse@) and that is where the messages were sent.
We didn't receive the bomb threat ones. We only received the (somewhat more amusing) messages entitled "Your network has been PWNED" and "Fuck you".
Hi,
We got the same here at France-IX. It was on friday 15th. Hopefully, they "PWNED" all our Cisco and Mikrotik routers (of which we have none).
The situation loses its humor entirely with the introduction of bomb threats. Seems like a script kiddie taking things way too far.
I heard that yesterday (19th) evening there was law enforcement deployment and evacuation in the area of a major Paris (FR, EU) telco hotel, apparently due to "threats to a business in the area". Details (popcorn) on FrNOG (in french) : https://www.mail-archive.com/frnog@frnog.org/msg67540.html
The thing is, who is in office to care? Oh wait, guess equipment *is* important

-----Original Message-----
From: NANOG <nanog-bounces+bkain1=ford.com@nanog.org> On Behalf Of Sadiq Saif
Sent: Tuesday, October 19, 2021 9:11 AM
To: nanog@nanog.org
Subject: Re: Anyone else getting the 'spam' bomb threat?

On Tue, 19 Oct 2021, at 08:40, Matt Hoppes wrote:
Are you contacting your LEO? Or is this so spammy just hit delete?
I feel like even spam chosen poorly comes with consequences.
I hit delete after I saw Frantech had already reported it the FBI as per their website.

Whoever this is seems to be scraping ASN WHOIS data, the spam got sent to the noc@ address that's in whois for my ASN and IP space.

--
Sadiq Saif
https://clicktime.symantec.com/3CGqBWqm6zQeVfjidfCLhna7Vc?u=https%3A%2F%2Fba...
I got one and I don’t have a datacenter. I’d better check my pockets….

From: NANOG [mailto:nanog-bounces+milt=net2atlanta.com@nanog.org] On Behalf Of Travis Garrison
Sent: Tuesday, October 19, 2021 8:29 AM
To: Matt Hoppes
Cc: Nanog@nanog.org
Subject: RE: Anyone else getting the 'spam' bomb threat?

Yup, same here

Travis

From: NANOG <nanog-bounces+tgarrison=netviscom.com@nanog.org> On Behalf Of Shawn L via NANOG
Sent: Tuesday, October 19, 2021 7:25 AM
To: Matt Hoppes <mattlists@rivervalleyinternet.net>
Cc: North American Network Operators' Group <nanog@nanog.org>
Subject: RE: Anyone else getting the 'spam' bomb threat?

we received it as well

-----Original Message-----
From: "Matt Hoppes" <mattlists@rivervalleyinternet.net>
Sent: Tuesday, October 19, 2021 8:21am
To: "North American Network Operators' Group" <nanog@nanog.org>
Subject: Anyone else getting the 'spam' bomb threat?

I've now heard from several operators - our selves included - about getting an e-mail bomb threat to our datacenters asking for $5,000 USD or the "bomb will be detonated".

Is this being seen on a wide spread e-mail blast to the RIR contacts, or am I just unlucky to know like 6 other data center folks who have also gotten this e-mail?

It seems like a very odd/bizarre spam/threat campaign which would carry significant jail time.
Yes, it's from the operator of bytefend and they have been sending numerous threatening emails for months. You can check the statement from the victim Frantech from the link below:

https://frantech.ca/

On Tue, Oct 19, 2021 at 9:34 PM Ray Bellis <ray@bellis.me.uk> wrote:
On 19/10/2021 13:29, Travis Garrison wrote:
Yup, same here
and here.
For now we're just ignoring it, but if anyone wants to quote us (ISC, a DNS root server operator) in the event of law enforcement action please let me know.
Ray
Matt Hoppes wrote:
I've now heard from several operators - our selves included - about getting an e-mail bomb threat to our datacenters asking for $5,000 USD or the "bomb will be detonated".
Is this being seen on a wide spread e-mail blast to the RIR contacts, or am I just unlucky to know like 6 other data center folks who have also gotten this e-mail?
It seems like a very odd/bizarre spam/threat campaign which would carry significant jail time.
And now I REALLY want to get moving on a service to drop a drone on spammers. (Active Countermeasures!)

Miles Fidelman

--
In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra

Theory is when you know everything but nothing works. Practice is when everything works but no one knows why. In our lab, theory and practice are combined: nothing works and no one knows why. ... unknown
The kid sending these (if it is Bytefend, who has a history/tweets of bragging about attacking Frantech within the past month if I understand correctly) is going to be looking at serious jail time given the amount of evacuations he's caused already. A brief list:

https://abc6onyourside.com/news/local/police-clear-downtown-columbus-buildin...
https://miami.cbslocal.com/2021/10/19/miami-att-call-center-evacuated-bomb-t...
https://www.wwlp.com/news/local-news/franklin-county/greenfield-police-and-f...
https://www.mystateline.com/news/local-news/rockford-university-evacuated-du...
https://globalnews.ca/news/8274492/bomb-threats-kitchener-waterloo/amp/
https://amp.newsobserver.com/news/local/crime/article255116937.html
https://www.technicianonline.com/news/nc-state-receives-bomb-threat-universi...

On Tue, Oct 19, 2021, 11:30 AM Miles Fidelman <mfidelman@meetinghouse.net> wrote:
Matt Hoppes wrote:
I've now heard from several operators - our selves included - about getting an e-mail bomb threat to our datacenters asking for $5,000 USD or the "bomb will be detonated".
Is this being seen on a wide spread e-mail blast to the RIR contacts, or am I just unlucky to know like 6 other data center folks who have also gotten this e-mail?
It seems like a very odd/bizarre spam/threat campaign which would carry significant jail time.
And now I REALLY want to get moving on a service to drop a drone on spammers. (Active Countermeasures!)
Miles Fidelman
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
Theory is when you know everything but nothing works. Practice is when everything works but no one knows why. In our lab, theory and practice are combined: nothing works and no one knows why. ... unknown
Honestly, for how 'spammy' that e-mail looked it's hard to believe anyone took it seriously - but also, you never know.

On 10/19/21 12:51 PM, Jon Sands wrote:
The kid sending these (if it is Bytefend, who has a history/tweets of bragging about attacking Frantech within the past month if I understand correctly) is going to be looking at serious jail time given the amount of evacuations he's caused already. A brief list:
https://abc6onyourside.com/news/local/police-clear-downtown-columbus-buildin...
https://miami.cbslocal.com/2021/10/19/miami-att-call-center-evacuated-bomb-t...
https://www.wwlp.com/news/local-news/franklin-county/greenfield-police-and-f...
https://www.mystateline.com/news/local-news/rockford-university-evacuated-du...
https://globalnews.ca/news/8274492/bomb-threats-kitchener-waterloo/amp/
https://amp.newsobserver.com/news/local/crime/article255116937.html
https://www.technicianonline.com/news/nc-state-receives-bomb-threat-universi...
On Tue, Oct 19, 2021, 11:30 AM Miles Fidelman <mfidelman@meetinghouse.net> wrote:
Matt Hoppes wrote:
> I've now heard from several operators - our selves included - about
> getting an e-mail bomb threat to our datacenters asking for $5,000 USD
> or the "bomb will be detonated".
>
> Is this being seen on a wide spread e-mail blast to the RIR contacts,
> or am I just unlucky to know like 6 other data center folks who have
> also gotten this e-mail?
>
> It seems like a very odd/bizarre spam/threat campaign which would
> carry significant jail time.
And now I REALLY want to get moving on a service to drop a drone on spammers. (Active Countermeasures!)
Miles Fidelman
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
Theory is when you know everything but nothing works. Practice is when everything works but no one knows why. In our lab, theory and practice are combined: nothing works and no one knows why. ... unknown
Scammers and attackers aren't well known for their eloquent prose... As soon as you decide to not take one thing seriously, how do you draw the line? Three spelling mistakes and the wrong tense of a verb means it's fake? I'd rather not play chicken with people's lives.

On Tue, Oct 19, 2021, 14:11 Matt Hoppes <mattlists@rivervalleyinternet.net> wrote:
Honestly, for how 'spammy' that e-mail looked it's hard to believe anyone took it seriously - but also, you never know.
On 10/19/21 12:51 PM, Jon Sands wrote:
The kid sending these (if it is Bytefend, who has a history/tweets of bragging about attacking Frantech within the past month if I understand correctly) is going to be looking at serious jail time given the amount of evacuations he's caused already. A brief list:
https://abc6onyourside.com/news/local/police-clear-downtown-columbus-buildin...
https://miami.cbslocal.com/2021/10/19/miami-att-call-center-evacuated-bomb-t...
https://www.wwlp.com/news/local-news/franklin-county/greenfield-police-and-f...
https://www.mystateline.com/news/local-news/rockford-university-evacuated-du...
https://globalnews.ca/news/8274492/bomb-threats-kitchener-waterloo/amp/
https://amp.newsobserver.com/news/local/crime/article255116937.html
https://www.technicianonline.com/news/nc-state-receives-bomb-threat-universi...
On Tue, Oct 19, 2021, 11:30 AM Miles Fidelman <mfidelman@meetinghouse.net> wrote:
Matt Hoppes wrote:
> I've now heard from several operators - our selves included - about
> getting an e-mail bomb threat to our datacenters asking for $5,000 USD
> or the "bomb will be detonated".
>
> Is this being seen on a wide spread e-mail blast to the RIR contacts,
> or am I just unlucky to know like 6 other data center folks who have
> also gotten this e-mail?
>
> It seems like a very odd/bizarre spam/threat campaign which would
> carry significant jail time.
And now I REALLY want to get moving on a service to drop a drone on spammers. (Active Countermeasures!)
Miles Fidelman
-- In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
Theory is when you know everything but nothing works. Practice is when everything works but no one knows why. In our lab, theory and practice are combined: nothing works and no one knows why. ... unknown
participants (16)
- Baldur Norddahl
- Hunter Fuller
- Jon Sands
- Kain, Becki (.)
- Martin Hannigan
- Matt Hoppes
- Miles Fidelman
- Milt Aitken
- Neil Hanlon
- Radu-Adrian Feurdean
- Ray Bellis
- Robert Berlin
- Sadiq Saif
- Shawn L
- Siyuan Miao
- Travis Garrison