[ale] Those "You've been hacked" emails

Alex Carver agcarver+ale at acarver.net
Sun Mar 24 23:56:36 EDT 2019


I got a raft of them sent to my personal server from various hacked
machines.  A bunch in Brazil, one at Digital Ocean, another at Amazon
EC2.  In my case they always wrote the from and to to be the same
address so I added another ACL to the mail server to block anything that
came from the outside and claimed to be from me and to me.  It all went
away after that.

Of course these started showing up long after I had already been
blocking entire netblocks for abuse (hundreds of relay attempts per
minute) so I may have already been ignoring some sources.

On 2019-03-24 19:39, Ben Coleman via Ale wrote:
> I'm sure you've gotten them - those emails claiming that they've hacked
> you, and have video evidence of your activities while you're (ehem)
> interacting with certain sites, and that this evidence can all go away
> if you'll only deposit a certain amount of money into their bitcoin
> account.  The latest tack they've been taking is to combine your email
> with those caches of passwords from various exploits so they can appear
> to know your passwords (yeah, one I used 10 years ago).
> 
> But what I didn't realize was how inexperienced (at least some of) these
> guys are at the actual spamming game.  On a whim, I popped up the
> headers for one of these (I've been amused before on how, for example,
> some of these claim to have included a 'tracking pixel' on what is
> actually a text/plain email).  To my surprise, there was but one
> Received header.  Straight from their server to mine (well, they did try
> to spoof the HELO to look like it was an outlook mail server, but if you
> know anything about Received headers, you know to ignore that).  No
> obfuscation of the headers at all.  And it was in the network of a VPS
> vendor.  Now, it's possible that someone's had their VPS hacked, but
> since this whole faux extortion thing is really script-kiddie level
> stuff, it wouldn't surprise me if someone was stupid enough to send this
> stuff out from their own VPS.
> 
> I felt transported back to the early 2000s when it was actually useful
> to read Received headers, figure out where an email came from (even if
> the spammer tried to inject bogus Received headers), and report it to
> their ISP, with results (usually the spammer account shut down - I've
> got my share of "positive" results, including one from Afterburner (for
> those who remember him)).  Those days pretty much went away when the
> spammers joined up with the botnet crowd.
> 
> So, I sent off a report to the VPS vendor's abuse account.  And went and
> found another that originated off of an Amazon EC2 and shot off a report
> to Amazon's abuse account.  Don't know yet if this will do any good.
> But if any other ALEers have a nostalgic spot for the early
> antispamming days, this may be a place where you can play again.
> 
> Ben
> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
> 
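As an added example (not code from Alex's or Ben's messages, nor anything the Ale list ships), here is a small Python script that does the two checks this thread describes, run against a constructed message: it walks the Received headers oldest-first to find the connecting IP that the receiving MTA recorded, ignoring the HELO name the client claimed, and it flags mail that arrived from outside the local network while claiming to be both from and to the same local address (Alex's ACL). The sample message, the example.net domain, the 192.0.2.0/24 "internal" network and the 203.0.113.7 source address are all made up.

```python
"""Added example: Received-header inspection plus a same-sender/recipient
check, modelled on the checks described in the Ale thread. The sample
message, addresses and networks below are constructed, not real."""
import email
import re
from email.message import Message
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample. The single Received header was written by our own MX,
# which records the connecting IP in square brackets; the name in front of
# it is whatever the client sent in HELO (here a faked outlook-style name).
SAMPLE = """\
Received: from mail-outlook-example.invalid (vps-host.example.invalid [203.0.113.7])
\tby mx.example.net (Postfix) with ESMTP id 4A1B2C3D
\tfor <ben@example.net>; Sun, 24 Mar 2019 19:01:02 -0400 (EDT)
From: ben@example.net
To: ben@example.net
Subject: You have been hacked
Content-Type: text/plain; charset=us-ascii

I placed a tracking pixel in this message ...
"""

# Same message, but handed to the MX from a host on our own network.
INTERNAL_SAMPLE = SAMPLE.replace("[203.0.113.7]", "[192.0.2.10]")

# Networks that are ours (constructed); a hop from these is not "the outside".
INTERNAL_NETS = [ip_network("192.0.2.0/24"), ip_network("127.0.0.0/8")]
LOCAL_DOMAIN = "@example.net"

_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def parse_message(raw: str) -> Message:
    return email.message_from_string(raw)


def received_hops(msg: Message) -> List[str]:
    """Received headers oldest-first. Each MTA prepends its own header, so
    the order in the message is newest-first and we reverse it."""
    return list(reversed(msg.get_all("Received", [])))


def helo_name(received: str) -> Optional[str]:
    """The name after 'from' is the client's HELO claim: untrustworthy."""
    m = re.match(r"from\s+(\S+)", received.lstrip())
    return m.group(1) if m else None


def hop_ip(received: str) -> Optional[str]:
    """The bracketed address is what the receiving MTA actually saw."""
    m = _BRACKET_IP.search(received)
    return m.group(1) if m else None


def originating_ip(msg: Message) -> Optional[str]:
    """First hop we can vouch for: the oldest Received header that carries
    a bracketed IP. Anything older than that was written by the sender and
    may be a bogus Received line injected to mislead."""
    for hop in received_hops(msg):
        ip = hop_ip(hop)
        if ip:
            return ip
    return None


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def spoofed_self_mail(msg: Message) -> bool:
    """The ACL idea from the thread: reject mail that comes from outside our
    network yet claims to be from and to the very same local address."""
    sender = (msg.get("From") or "").strip().lower()
    recipient = (msg.get("To") or "").strip().lower()
    ip = originating_ip(msg)
    if not ip or not is_external(ip):
        return False
    return sender == recipient and sender.endswith(LOCAL_DOMAIN)


if __name__ == "__main__":
    m = parse_message(SAMPLE)
    print("HELO claimed:", helo_name(received_hops(m)[0]))
    print("connecting IP:", originating_ip(m))
    print("block as spoofed self-mail:", spoofed_self_mail(m))
```

The script deliberately reports the HELO name and the bracketed IP separately so the difference is visible: the former is what the sender typed, the latter is what your own MTA observed, and only the latter is worth putting in an abuse report or an ACL.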
