[ale] Those "You've been hacked" emails

Alex Carver agcarver+ale at acarver.net
Sun Mar 24 23:59:54 EDT 2019


Right, that's why it's a "hacked machine" :)

On 2019-03-24 20:58, dev null zero two wrote:
> 99% chance it's sent from a compromised server.
> 
> On Sun, Mar 24, 2019 at 11:56 PM Alex Carver via Ale <ale at ale.org> wrote:
> 
>> I got a raft of them sent to my personal server from various hacked
>> machines.  A bunch in Brazil, one at Digital Ocean, another at Amazon
>> EC2.  In my case they always wrote the From and To to be the same
>> address so I added another ACL to the mail server to block anything that
>> came from the outside and claimed to be from me and to me.  It all went
>> away after that.
>>
>> Of course these started showing up long after I had already been
>> blocking entire netblocks for abuse (hundreds of relay attempts per
>> minute) so I may have already been ignoring some sources.
>>
>> On 2019-03-24 19:39, Ben Coleman via Ale wrote:
>>> I'm sure you've gotten them - those emails claiming that they've hacked
>>> you, and have video evidence of your activities while you're (ehem)
>>> interacting with certain sites, and that this evidence can all go away
>>> if you'll only deposit a certain amount of money into their bitcoin
>>> account.  The latest tack they've been taking is to combine your email
>>> with those caches of passwords from various exploits so they can appear
>>> to know your passwords (yeah, one I used 10 years ago).
>>>
>>> But what I didn't realize was how inexperienced (at least some of) these
>>> guys are at the actual spamming game.  On a whim, I popped up the
>>> headers for one of these (I've been amused before on how, for example,
>>> some of these claim to have included a 'tracking pixel' on what is
>>> actually a text/plain email).  To my surprise, there was but one
>>> Received header.  Straight from their server to mine (well, they did try
>>> to spoof the HELO to look like it was an outlook mail server, but if you
>>> know anything about Received headers, you know to ignore that).  No
>>> obfuscation of the headers at all.  And it was in the network of a VPS
>>> vendor.  Now, it's possible that someone's had their VPS hacked, but
>>> since this whole faux extortion thing is really script-kiddie level
>>> stuff, it wouldn't surprise me if someone was stupid enough to send this
>>> stuff out from their own VPS.
>>>
>>> I felt transported back to the early 2000s when it was actually useful
>>> to read Received headers, figure out where an email came from (even if
>>> the spammer tried to inject bogus Received headers), and report it to
>>> their ISP, with results (usually the spammer account shut down - I've
>>> got my share of "positive" results, including one from Afterburner (for
>>> those who remember him)).  Those days pretty much went away when the
>>> spammers joined up with the botnet crowd.
>>>
>>> So, I sent off a report to the VPS vendor's abuse account.  And went and
>>> found another that originated off of an Amazon EC2 and shot off a report
>>> to Amazon's abuse account.  Don't know yet if this will do any good.
>>> But if any other ALEers have a nostalgic spot for the early
>>> antispamming days, this may be a place where you can play again.
>>>
>>> Ben
>>>
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> https://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>
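The two checks this thread talks about, reading the earliest Received header for the real connecting address while ignoring the spoofed HELO name (Ben's triage), and rejecting outside mail that claims to be both from and to a local address (the ACL Alex describes), worked as one offline example. This is added illustration, not code from the original thread or from anyone's mail server. Both messages are constructed, the addresses use RFC 5737 documentation ranges, and the local domain `example.net` and internal network `192.0.2.0/24` are assumptions; the regex assumes the common Postfix/Exim/Sendmail `from <helo> (<rdns> [<ip>])` clause.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): one hop straight from the sender's
# box to ours, HELO spoofed to look like Outlook, connecting address in the
# RFC 5737 documentation range, From and To written as the same local address.
EXTORTION_MESSAGE = """\
Received: from outlook.com (unknown [203.0.113.45])
\tby mx.example.net (Postfix) with ESMTP id 4B2K9F0Z1X
\tfor <bob@example.net>; Sun, 24 Mar 2019 19:02:11 -0400 (EDT)
From: bob@example.net
To: bob@example.net
Subject: Your account was hacked
Content-Type: text/plain

I placed a tracking pixel in this letter...
"""

# Constructed legitimate counterpart: same From == To, but submitted from a
# host on the (assumed) internal network, so it must not be rejected.
INTERNAL_MESSAGE = """\
Received: from laptop.example.net (laptop.example.net [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTPSA id 7Q1D3M5K2P
\tfor <bob@example.net>; Sun, 24 Mar 2019 19:10:02 -0400 (EDT)
From: bob@example.net
To: bob@example.net
Subject: note to self

Renew the domain before April.
"""

# Assumptions for the example: our domain and the networks allowed to
# originate mail as a local sender.
LOCAL_DOMAINS = {"example.net"}
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# "from <helo> (<reverse-dns> [<ip>])" as Postfix, Exim and Sendmail write it.
# The HELO name is whatever the client claimed; only the bracketed IP, which
# our own MTA recorded from the TCP connection, is trusted.
RECEIVED_FROM_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)\s*"
    r"(?:\(\s*(?P<rdns>[^\s\[\]()]*)\s*\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]\s*\))?",
    re.IGNORECASE,
)


def received_hops(raw):
    """Received headers in transit order: the hop nearest the origin first.

    MTAs prepend Received, so the header closest to the body is the earliest.
    """
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def _parse_origin(raw):
    hops = received_hops(raw)
    if not hops:
        return None
    # Unfold continuation lines before matching.
    return RECEIVED_FROM_RE.search(" ".join(hops[0].split()))


def helo_name(raw):
    """What the connecting client said in HELO/EHLO (untrusted, often spoofed)."""
    m = _parse_origin(raw)
    return m.group("helo") if m else None


def origin_ip(raw):
    """Connecting address from the earliest hop, or None if it cannot be read."""
    m = _parse_origin(raw)
    if not m or not m.group("ip"):
        return None
    return ipaddress.ip_address(m.group("ip"))


def is_forged_self_sender(raw):
    """Alex Carver's rule: From == To at a local domain, but arriving from outside."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    if not sender or sender != rcpt:
        return False
    if sender.rsplit("@", 1)[-1] not in LOCAL_DOMAINS:
        return False
    ip = origin_ip(raw)
    if ip is None:
        return False  # no readable hop: cannot show it came from outside
    return not any(ip in net for net in INTERNAL_NETS)


if __name__ == "__main__":
    for name, raw in (("extortion", EXTORTION_MESSAGE), ("internal", INTERNAL_MESSAGE)):
        print(f"{name}: hops={len(received_hops(raw))} helo={helo_name(raw)} "
              f"ip={origin_ip(raw)} reject={is_forged_self_sender(raw)}")
```

Two caveats worth keeping in mind. First, only the Received headers written by servers you control are trustworthy; anything below your own MTA's header can be forged, which is exactly why a single-hop message like the one Ben saw is so easy to read. Second, a real mail-server ACL sees the connecting IP directly at SMTP time and does not need to parse Received at all; the parsing here is for after-the-fact triage of a message already sitting in a mailbox, before writing to an abuse address.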


