[ale] Those "You've been hacked" emails

dev null zero two dev.null.02 at gmail.com
Mon Mar 25 00:00:44 EDT 2019


I meant to direct my reply to OP, sorry.

On Mon, Mar 25, 2019 at 12:00 AM Alex Carver <agcarver+ale at acarver.net>
wrote:

> Right, that's why it's a "hacked machine" :)
>
> On 2019-03-24 20:58, dev null zero two wrote:
> > 99% chance it's sent from a compromised server.
> >
> > On Sun, Mar 24, 2019 at 11:56 PM Alex Carver via Ale <ale at ale.org> wrote:
> >
> >> I got a raft of them sent to my personal server from various hacked
> >> machines.  A bunch in Brazil, one at Digital Ocean, another at Amazon
> >> EC2.  In my case they always wrote the from and to to be the same
> >> address so I added another ACL to the mail server to block anything that
> >> came from the outside and claimed to be from me and to me.  It all went
> >> away after that.
> >>
> >> Of course these started showing up long after I had already been
> >> blocking entire netblocks for abuse (hundreds of relay attempts per
> >> minute) so I may have already been ignoring some sources.
> >>
> >> On 2019-03-24 19:39, Ben Coleman via Ale wrote:
> >>> I'm sure you've gotten them - those emails claiming that they've hacked
> >>> you, and have video evidence of your activities while you're (ehem)
> >>> interacting with certain sites, and that this evidence can all go away
> >>> if you'll only deposit a certain amount of money into their bitcoin
> >>> account.  The latest tack they've been taking is to combine your email
> >>> with those caches of passwords from various exploits so they can appear
> >>> to know your passwords (yeah, one I used 10 years ago).
> >>>
> >>> But what I didn't realize was how inexperienced (at least some of) these
> >>> guys are at the actual spamming game.  On a whim, I popped up the
> >>> headers for one of these (I've been amused before on how, for example,
> >>> some of these claim to have included a 'tracking pixel' on what is
> >>> actually a text/plain email).  To my surprise, there was but one
> >>> Received header.  Straight from their server to mine (well, they did try
> >>> to spoof the HELO to look like it was an outlook mail server, but if you
> >>> know anything about Received headers, you know to ignore that).  No
> >>> obfuscation of the headers at all.  And it was in the network of a VPS
> >>> vendor.  Now, it's possible that someone's had their VPS hacked, but
> >>> since this whole faux extortion thing is really script-kiddie level
> >>> stuff, it wouldn't surprise me if someone was stupid enough to send this
> >>> stuff out from their own VPS.
> >>>
> >>> I felt transported back to the early 2000s when it was actually useful
> >>> to read Received headers, figure out where an email came from (even if
> >>> the spammer tried to inject bogus Received headers), and report it to
> >>> their ISP, with results (usually the spammer account shut down - I've
> >>> got my share of "positive" results, including one from Afterburner (for
> >>> those who remember him)).  Those days pretty much went away when the
> >>> spammers joined up with the botnet crowd.
> >>>
> >>> So, I sent off a report to the VPS vendor's abuse account.  And went and
> >>> found another that originated off of an Amazon EC2 and shot off a report
> >>> to Amazon's abuse account.  Don't know yet if this will do any good.
> >>> But if any other ALEers have a nostalgic spot for the early
> >>> antispamming days, this may be a place where you can play again.
> >>>
> >>> Ben
> >>>
> >>>
> >>> _______________________________________________
> >>> Ale mailing list
> >>> Ale at ale.org
> >>> https://mail.ale.org/mailman/listinfo/ale
> >>> See JOBS, ANNOUNCE and SCHOOLS lists at
> >>> http://mail.ale.org/mailman/listinfo
> >>>
> >>
> >>
>
> --
Sent from my mobile. Please excuse the brevity, spelling, and punctuation.
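As an added illustration of the header reading Ben describes and the from-equals-to check Alex mentions (example code, not from anyone in the thread): a small Python script that walks the Received chain from our own MX outward, keeps the connecting IP the trusted MTA recorded, treats the HELO name as untrusted, and flags outside mail addressed from and to the same local address. The message, hostnames and IP are constructed for the example.

```python
import email
import email.utils
import re

# Constructed sample (addresses, hosts and IP are made up): one Received header,
# with a HELO name dressed up to look like an Outlook server.
RAW_MESSAGE = b"""Received: from outlook-mail.example (unknown [203.0.113.45])
\tby mx.example.net (Postfix) with ESMTP id 4F2C0A1B
\tfor <alice@example.net>; Sun, 24 Mar 2019 19:01:02 -0400 (EDT)
From: alice@example.net
To: alice@example.net
Subject: Your account has been hacked
Content-Type: text/plain; charset=us-ascii

I placed a tracking pixel in this message...
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Extract HELO name, connecting IP and receiving host from one Received header.
    Only the bracketed IP (written by the receiving MTA) is trustworthy; the HELO
    name is whatever the client chose to announce."""
    text = re.sub(r"\s+", " ", value).strip()
    helo = re.search(r"\bfrom (\S+)", text)
    by = re.search(r"\bby (\S+)", text)
    ip = IP_RE.search(text)
    return {"helo": helo and helo.group(1), "ip": ip and ip.group(1), "by": by and by.group(1)}


def assess(raw, trusted_hosts, local_domain):
    msg = email.message_from_bytes(raw)
    # Each MTA prepends its header: index 0 is our MX, the last entry the earliest hop.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = None
    for hop in hops:  # walk outward only while the header was written by a host we run
        if hop["by"] not in trusted_hosts:
            break  # anything below here could have been forged by the sender
        origin = hop
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    rcpt = email.utils.parseaddr(msg.get("To", ""))[1].lower()
    return {
        "hops": len(hops),
        "origin_ip": origin["ip"] if origin else None,      # what to put in an abuse report
        "claimed_helo": origin["helo"] if origin else None,  # informational only
        "self_addressed": sender == rcpt and sender.endswith("@" + local_domain),
    }


if __name__ == "__main__":
    print(assess(RAW_MESSAGE, {"mx.example.net"}, "example.net"))
```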