Someone's scraping NANOG for phishing purposes again
I'm getting suspicious e-mail pretending to come from leading NANOGers. Not the first time this has happened, but you may want to be warned.

Yours,
Alex Harrowell
Thank you for the notice.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St Suite 1337
Troy, OH 45373

On Feb 10, 2017 12:42 PM, "Alexander Harrowell" <a.harrowell@gmail.com> wrote:
I'm getting suspicious e-mail pretending to come from leading NANOGers. Not the first time this has happened, but you may want to be warned.
Yours,
Alex Harrowell
Interestingly, the phishes are not only using NANOG members' names as forged From: fields, they're also being sent to NANOG people specifically: each one comes with half a dozen addresses, of which usually one or two are familiar to me as frequent contributors.

On Fri, Feb 10, 2017 at 5:42 PM, Josh Luthman <josh@imaginenetworksllc.com> wrote:
Thank you for the notice.
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St Suite 1337
Troy, OH 45373
On Feb 10, 2017 12:42 PM, "Alexander Harrowell" <a.harrowell@gmail.com> wrote:
I'm getting suspicious e-mail pretending to come from leading NANOGers. Not the first time this has happened, but you may want to be warned.
Yours,
Alex Harrowell
Or a nanog member might be infected and the malware is scraping his mailbox for bogus froms. Got headers?

On 10/02/17, 9:40 AM, "NANOG on behalf of Alexander Harrowell" <nanog-bounces@nanog.org on behalf of a.harrowell@gmail.com> wrote:

I'm getting suspicious e-mail pretending to come from leading NANOGers. Not the first time this has happened, but you may want to be warned.

Yours,
Alex Harrowell
On a great many mailing lists, Suresh is spot on, as this looks more like an infected user, but headers would be good.

On Fri, Feb 10, 2017 at 11:46 AM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:

Or a nanog member might be infected and the malware is scraping his mailbox for bogus froms. Got headers?

On 10/02/17, 9:40 AM, "NANOG on behalf of Alexander Harrowell" <nanog-bounces@nanog.org on behalf of a.harrowell@gmail.com> wrote:

I'm getting suspicious e-mail pretending to come from leading NANOGers. Not the first time this has happened, but you may want to be warned.

Yours,
Alex Harrowell

--
- Andrew "lathama" Latham http://lathama.org -
On Fri, Feb 10, 2017 at 11:56:02AM -0600, Andrew Latham wrote:
On a great many mailing lists, Suresh is spot on, as this looks more like an infected user, but headers would be good.
Here are a couple recent specimens that appear to fit this pattern:

--------------------------------------------------------
Received: from route-level2.fsdata.se (route-level2.fsdata.se [89.221.252.217])
        by taos.firemountain.net (8.15.1/8.14.9) with ESMTPS id v190EnHs001330
        (version=TLSv1 cipher=AES128-SHA bits=128 verify=NO)
        for <rsk@gsp.org>; Wed, 8 Feb 2017 19:15:01 -0500 (EST)
From: <info@onlinemarket.se>
To: Jon Lewis <jlewis@lewis.org>, jamie rishaw <j@arpa.com>, Michael Thomas <mike@mtcc.com>, Rich Kulawiec <rsk@gsp.org>
Subject: =?utf-8?B?d2hhdCBhIG5pY2Ugc3VycHJpc2U=?=
Date: Wed, 8 Feb 2017 19:14:20 -0500
Message-ID: <1355759249.20170209031420@onlinemarket.se>
--------------------------------------------------------

--------------------------------------------------------
Received: from mcegress-14-lw-3.correio.biz (mcegress-14-lw-3.correio.biz [191.252.14.3])
        by taos.firemountain.net (8.15.1/8.14.9) with ESMTP id v0B5dsb7001374
        for <rsk@gsp.org>; Wed, 11 Jan 2017 00:40:06 -0500 (EST)
From: "Mikael Abrahamsson" <jdenoy@jdlabs.fr>
To: "John Curran" <jcurran@arin.net>, "Paul Graydon" <paul@paulgraydon.co.uk>, "Rich Kulawiec" <rsk@gsp.org>, "Seth Mattinen" <sethm@rollernet.us>
Subject: =?utf-8?B?ZmFudGFzdGljIHBsYWNl?=
Date: Wed, 11 Jan 2017 01:38:43 -0400
Message-ID: <1961406061.20170111083843@jdlabs.fr>
--------------------------------------------------------

---rsk
On Fri, 10 Feb 2017 13:22:31 -0500, Rich Kulawiec said:
On Fri, Feb 10, 2017 at 11:56:02AM -0600, Andrew Latham wrote:
On a great many mailing lists, Suresh is spot on as this looks more like infected user but headers would be good.
The one I found in my mailbox yesterday tends to support "multiple users infected with a spamming botnet":

Received: from smtp.interfree.it (smtp.interfree.it [80.91.55.53])
        by mr3.cc.vt.edu (8.14.7/8.14.7) with ESMTP id v190Ro7i021554
        for <Valdis.Kletnieks@vt.edu>; Wed, 8 Feb 2017 19:27:56 -0500
Received: from [59.55.63.88] (helo=jame-PC)
        by smtp.interfree.it with esmtpsa (TLSv1:AES256-SHA:256)
        (Exim 4.63)
        (envelope-from <bazzanie@interfree.it>)
        id 1cbcaI-0007Zj-Cz; Thu, 09 Feb 2017 01:27:42 +0100
Message-id: <1427704941.20170209032724@interfree.it>
Subject: look at that, it's amazing!
From: "William Herrin" <bazzanie@interfree.it>
Date: Thu, 9 Feb 2017 06:27:24 +0600 (Wed 19:27 EST)
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>, "Robert Webb" <rwebb@ropeguru.com>, "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>, "Scott Brim" <scott.brim@gmail.com>
Yes. The names are used in the From: but not the e-mail addresses. The payload is inside SecureServer.net's 43.255.154.0/24 - 43.255.154.125 and 43.255.154.66. Headers follow.

Note: I think Anne P. Mitchell is a LinkedIn contact of mine.

Message 1)

Delivered-To: a.harrowell@gmail.com
Received: by 10.80.169.228 with SMTP id n91csp49041edc;
        Wed, 8 Feb 2017 16:09:01 -0800 (PST)
X-Received: by 10.223.131.34 with SMTP id 31mr179054wrd.119.1486598941445;
        Wed, 08 Feb 2017 16:09:01 -0800 (PST)
Return-Path: <wolfgang@cziczatka.com>
Received: from mx21lb.world4you.com (mx21lb.world4you.com. [81.19.149.131])
        by mx.google.com with ESMTPS id p26si10875705wrp.311.2017.02.08.16.09.01
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Feb 2017 16:09:01 -0800 (PST)
Received-SPF: pass (google.com: domain of wolfgang@cziczatka.com designates 81.19.149.131 as permitted sender) client-ip=81.19.149.131;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of wolfgang@cziczatka.com designates 81.19.149.131 as permitted sender) smtp.mailfrom=wolfgang@cziczatka.com
Received: from [117.243.182.154] (helo=dydt-PC)
        by mx21lb.world4you.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
        (Exim 4.84_2)
        (envelope-from <wolfgang@cziczatka.com>)
        id 1cbcIF-0005OX-87; Thu, 09 Feb 2017 01:09:00 +0100
From: Brandon Galbraith <wolfgang@cziczatka.com>
To: Alexander Harrowell <a.harrowell@gmail.com>, "Nathanael C. Cariaga" <nccariaga@stluke.com.ph>, aduitsis <aduitsis@gmail.com>, David Ulevitch <davidu@everydns.net>
Subject: take a look at that
Date: Thu, 9 Feb 2017 00:08:49 +0000
Message-ID: <1514273443.20170209030849@cziczatka.com>
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0016_017DBA64.1747A7CE"
Content-Language: en-gb
MIME-Version: 1.0
X-SA-Do-Not-Run: Yes
X-AV-Do-Run: Yes
X-SA-Exim-Connect-IP: 117.243.182.154
X-SA-Exim-Mail-From: wolfgang@cziczatka.com
X-SA-Exim-Scanned: No (on mx21lb.world4you.com); SAEximRunCond expanded to false

------=_NextPart_000_0016_017DBA64.1747A7CE

Message 2)

Delivered-To: a.harrowell@gmail.com
Received: by 10.80.169.228 with SMTP id n91csp50480edc;
        Wed, 8 Feb 2017 16:14:21 -0800 (PST)
X-Received: by 10.28.135.82 with SMTP id j79mr18959559wmd.19.1486599261495;
        Wed, 08 Feb 2017 16:14:21 -0800 (PST)
Return-Path: <info@ocreschauvin.fr>
Received: from smtp.nfrance.com (smtp-4.nfrance.com. [80.247.229.46])
        by mx.google.com with ESMTPS id f124si4142408wmd.153.2017.02.08.16.14.21
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Feb 2017 16:14:21 -0800 (PST)
Received-SPF: neutral (google.com: 80.247.229.46 is neither permitted nor denied by best guess record for domain of info@ocreschauvin.fr) client-ip=80.247.229.46;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 80.247.229.46 is neither permitted nor denied by best guess record for domain of info@ocreschauvin.fr) smtp.mailfrom=info@ocreschauvin.fr
Received: from tqzb-PC (unknown [197.45.161.242])
        (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by smtp.nfrance.com (Postfix) with ESMTPSA id 28E1612D7A7;
        Thu, 9 Feb 2017 01:14:18 +0100 (CET)
From: Owen DeLong <info@ocreschauvin.fr>
To: Brian Mengel <bmengel@gmail.com>, Andrew Latham <lathama@gmail.com>, Alexander Harrowell <a.harrowell@gmail.com>, "Anne P. Mitchell Esq." <amitchell@isipp.com>
Subject: do you have any ideas?
Date: Thu, 9 Feb 2017 06:14:13 +0600
Message-ID: <1846552645.20170209031413@ocreschauvin.fr>
Content-Type: multipart/alternative; boundary="----=_NextPart_000_005C_010D479E.32101F4A"
Content-Language: en-us
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.78 on 80.247.229.46

------=_NextPart_000_005C_010D479E.32101F4A
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

RGVhciBmcmllbmQhIA0KDQpJJ3ZlIGJlZW4gd3JpdGluZyBhbiAgYXJ0aWNsZSBhbmQgSSd2ZSBj
b21lIGFjcm9zcyB0aGF0ICBzdHJhbmdlICBzdHVmZiwgIGRvIHlvdSBoYXZlICBhbnkgIGlkZWFz
IHdoYXQgY291bGQgaXQgYmU/IEp1c3QgdGFrZSBhICBsb29rIGh0dHA6Ly9tYXgudHJpcHN0aXht
ZW1vcmllcy5jb20vZjRmNQ0KDQpCZXN0IHdpc2hlcywgT3dlbiBEZUxvbmcNCg0K

------=_NextPart_000_005C_010D479E.32101F4A
------=_NextPart_000_005C_010D479E.32101F4A--

On Fri, Feb 10, 2017 at 5:46 PM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
Or a nanog member might be infected and the malware is scraping his mailbox for bogus froms. Got headers?
On 10/02/17, 9:40 AM, "NANOG on behalf of Alexander Harrowell" <nanog-bounces@nanog.org on behalf of a.harrowell@gmail.com> wrote:
I'm getting suspicious e-mail pretending to come from leading NANOGers. Not the first time this has happened, but you may want to be warned.
Yours,
Alex Harrowell
This is the sort of mail, based on stolen address books from numerous sites and sometimes on mined Facebook data, that the same spam group has been sending since mid 2013. At some point in 2016 they started permuting the data; previously, if A's addressbook had been stolen, the mail always came "From:" A, but now if A's addressbook had B and C in it, the mail might be "From:" B to C.

It is of course possible that they have new sources of data, although I haven't seen any particular evidence of that recently. (I have seen evidence that they have moderately increased competence in getting their spam delivered and read, which has been their main problem in recent years.)

Addressbook data stays useful until all of your contacts get new email addresses.

Elizabeth Zwicky

On Friday, February 10, 2017, 10:34:58 AM PST, Alexander Harrowell <a.harrowell@gmail.com> wrote:

Yes. The names are used in the From: but not the e-mail addresses. The payload is inside SecureServer.net's 43.255.154.0/24 - 43.255.154.125 and 43.255.154.66. Headers follow. Note: I think Anne P. Mitchell is a LinkedIn contact of mine.

[...]
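The pattern the last two messages describe, a genuine contact's name over an address that was never theirs, sent through the sending domain's own provider with SPF passing and an authenticated-submission ("esmtpsa") first hop from a "something-PC" client, is what a recipient-side check has to key on. The following is an added example, not code from the thread or from any participant, in Python: it parses one constructed header set cut down from the first dump quoted above plus a constructed control message, finds the earliest Received hop and whether it was an authenticated submission, reads the SPF verdict, and flags a From: display name that belongs to a known contact but carries an unfamiliar address. The KNOWN_CONTACTS address book and the example.org/example.net addresses in it are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, cut down from the first header dump quoted in the thread:
# the display name is a real contact, the address is not, SPF passes because
# the mail really did leave cziczatka.com's provider, and the earliest Received
# hop is an authenticated submission ("with esmtpsa") from a "something-PC" host.
SAMPLE = """\
Return-Path: <wolfgang@cziczatka.com>
Received: from mx21lb.world4you.com (mx21lb.world4you.com. [81.19.149.131])
 by mx.google.com with ESMTPS id p26si10875705wrp.311.2017.02.08.16.09.01
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 08 Feb 2017 16:09:01 -0800 (PST)
Received-SPF: pass (google.com: domain of wolfgang@cziczatka.com designates
 81.19.149.131 as permitted sender) client-ip=81.19.149.131;
Received: from [117.243.182.154] (helo=dydt-PC)
 by mx21lb.world4you.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.84_2) (envelope-from <wolfgang@cziczatka.com>)
 id 1cbcIF-0005OX-87; Thu, 09 Feb 2017 01:09:00 +0100
From: Brandon Galbraith <wolfgang@cziczatka.com>
To: Alexander Harrowell <a.harrowell@gmail.com>
Subject: take a look at that

"""

# Constructed control case: a known contact writing from the address we
# actually have on file for them (hypothetical address, not from the thread).
LEGIT = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
 by mx.example.com with ESMTPS id abc123; Thu, 9 Feb 2017 10:00:00 +0000
From: Owen DeLong <owen@example.org>
To: Alexander Harrowell <a.harrowell@gmail.com>
Subject: re: the thing we discussed

"""

# Hypothetical address book of the recipient: display name -> addresses that
# person is known to send from. None of these addresses appear in the thread.
KNOWN_CONTACTS = {
    "brandon galbraith": {"brandon@example.net"},
    "owen delong": {"owen@example.org"},
}

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_SUBMISSION = re.compile(r"\bwith\s+esmtpsa\b", re.IGNORECASE)


def first_hop(msg):
    """Return (client_ip, authenticated) for the hop nearest the sender.

    Relays prepend Received: headers, so the last one in header order is the
    earliest hop. 'with esmtpsa' (Exim) or 'with ESMTPSA' (Postfix) means the
    client logged in with SMTP AUTH, i.e. a mailbox, not a relay, originated it.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None, False
    earliest = received[-1]
    m = IPV4_IN_BRACKETS.search(earliest)
    return (m.group(1) if m else None), bool(AUTH_SUBMISSION.search(earliest))


def display_name_mismatch(msg, contacts):
    """Flag a From: whose display name is a known contact but whose address is
    not one that contact uses. Returns a dict describing the mismatch or None."""
    name, addr = parseaddr(msg.get("From", ""))
    key = " ".join(name.split()).lower()
    if key in contacts and addr.lower() not in contacts[key]:
        return {"name": name, "address": addr, "expected": sorted(contacts[key])}
    return None


def triage(raw, contacts=KNOWN_CONTACTS):
    """Summarise the signals a defender would look at for one message."""
    msg = message_from_string(raw)
    client_ip, authenticated = first_hop(msg)
    spf = (msg.get("Received-SPF", "").split(None, 1) or ["none"])[0].lower()
    mismatch = display_name_mismatch(msg, contacts)
    return {
        "client_ip": client_ip,
        "authenticated_submission": authenticated,
        "spf": spf,
        "display_name_mismatch": mismatch,
        # SPF is not a useful signal here: it passes precisely because a real
        # account at the sending domain was used. The name/address mismatch is.
        "suspicious": mismatch is not None,
    }


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("legit", LEGIT)):
        print(label, triage(raw))
```

The check deliberately ignores the SPF result when deciding "suspicious": as the quoted Authentication-Results lines show, a message submitted through a compromised account passes SPF for that account's domain, so the only recipient-side signal left is that the familiar display name does not belong with the address underneath it.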
participants (7)
- Alexander Harrowell
- Andrew Latham
- Elizabeth Zwicky
- Josh Luthman
- Rich Kulawiec
- Suresh Ramasubramanian
- valdis.kletnieks@vt.edu