[ale] Those "You've been hacked" emails

Jim Kinney jim.kinney at gmail.com
Mon Mar 25 07:46:02 EDT 2019


Those lying scumbags. Won't tell me what video I was watching. Won't even send teaser of what they claim to have. Just keep demanding money. Like I'm gonna pay upfront without knowing what I'm getting.

On March 25, 2019 12:00:44 AM EDT, dev null zero two via Ale <ale at ale.org> wrote:
>I meant to direct my reply to OP, sorry.
>
>On Mon, Mar 25, 2019 at 12:00 AM Alex Carver <agcarver+ale at acarver.net> wrote:
>
>> Right, that's why it's a "hacked machine" :)
>>
>> On 2019-03-24 20:58, dev null zero two wrote:
>> > 99% chance it's sent from a compromised server.
>> >
>> > On Sun, Mar 24, 2019 at 11:56 PM Alex Carver via Ale <ale at ale.org> wrote:
>> >
>> >> I got a raft of them sent to my personal server from various hacked
>> >> machines.  A bunch in Brazil, one at Digital Ocean, another at Amazon
>> >> EC2.  In my case they always wrote the from and to to be the same
>> >> address so I added another ACL to the mail server to block anything that
>> >> came from the outside and claimed to be from me and to me.  It all went
>> >> away after that.
>> >>
>> >> Of course these started showing up long after I had already been
>> >> blocking entire netblocks for abuse (hundreds of relay attempts per
>> >> minute) so I may have already been ignoring some sources.
>> >>
>> >> On 2019-03-24 19:39, Ben Coleman via Ale wrote:
>> >>> I'm sure you've gotten them - those emails claiming that they've hacked
>> >>> you, and have video evidence of your activities while you're (ehem)
>> >>> interacting with certain sites, and that this evidence can all go away
>> >>> if you'll only deposit a certain amount of money into their bitcoin
>> >>> account.  The latest tack they've been taking is to combine your email
>> >>> with those caches of passwords from various exploits so they can appear
>> >>> to know your passwords (yeah, one I used 10 years ago).
>> >>>
>> >>> But what I didn't realize was how inexperienced (at least some of) these
>> >>> guys are at the actual spamming game.  On a whim, I popped up the
>> >>> headers for one of these (I've been amused before on how, for example,
>> >>> some of these claim to have included a 'tracking pixel' on what is
>> >>> actually a text/plain email).  To my surprise, there was but one
>> >>> Received header.  Straight from their server to mine (well, they did try
>> >>> to spoof the HELO to look like it was an outlook mail server, but if you
>> >>> know anything about Received headers, you know to ignore that).  No
>> >>> obfuscation of the headers at all.  And it was in the network of a VPS
>> >>> vendor.  Now, it's possible that someone's had their VPS hacked, but
>> >>> since this whole faux extortion thing is really script-kiddie level
>> >>> stuff, it wouldn't surprise me if someone was stupid enough to send this
>> >>> stuff out from their own VPS.
>> >>>
>> >>> I felt transported back to the early 2000s when it was actually useful
>> >>> to read Received headers, figure out where an email came from (even if
>> >>> the spammer tried to inject bogus Received headers), and report it to
>> >>> their ISP, with results (usually the spammer account shut down - I've
>> >>> got my share of "positive" results, including one from Afterburner (for
>> >>> those who remember him)).  Those days pretty much went away when the
>> >>> spammers joined up with the botnet crowd.
>> >>>
>> >>> So, I sent off a report to the VPS vendor's abuse account.  And went and
>> >>> found another that originated off of an Amazon EC2 and shot off a report
>> >>> to Amazon's abuse account.  Don't know yet if this will do any good.
>> >>> But if any other ALEers have a nostalgic spot for the early
>> >>> antispamming days, this may be a place where you can play again.
>> >>>
>> >>> Ben
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> Ale mailing list
>> >>> Ale at ale.org
>> >>> https://mail.ale.org/mailman/listinfo/ale
>> >>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> >>> http://mail.ale.org/mailman/listinfo
>> >>>
>> >>
>>
>> --
>Sent from my mobile. Please excuse the brevity, spelling, and
>punctuation.

-- 
Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.
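
Added example, not part of any message in this thread: a Python sketch of the two checks discussed in the quoted messages, reading the connecting IP from the topmost Received header instead of trusting the HELO name, and the ACL condition of outside mail whose From and To are both your own address. The sample message, the addresses, `TRUSTED_NETS` and the Postfix-style header layout are assumptions constructed for illustration.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a single Received header, spoofed HELO, From == To.
SAMPLE = """\
Received: from mail.outlook.example (unknown [203.0.113.45])
\tby mx.example.org (Postfix) with ESMTP id 4F2A1C0FFEE
\tfor <me@example.org>; Mon, 25 Mar 2019 03:12:09 -0400 (EDT)
From: me@example.org
To: me@example.org
Subject: Your account has been hacked
Content-Type: text/plain

(constructed body)
"""

# Assumption: networks that are allowed to submit mail as a local user.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]

# Postfix-style "from HELO (rdns [ip])"; other MTAs lay this out differently.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)")

def analyze(raw, my_addresses):
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # The topmost Received header was written by our own server: the bracketed
    # IP is what it saw on the socket, while the HELO name is sender-supplied.
    m = RECEIVED_RE.search(" ".join(received[0].split())) if received else None
    helo, _rdns, ip = m.groups() if m else (None, None, None)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    # An unparseable header leaves ip as None, so the rule does not fire.
    external = ip is not None and not any(
        ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    self_addressed = sender == rcpt and sender in my_addresses
    return {
        "hops": len(received),          # 1 means direct delivery, no relays
        "helo_claimed": helo,           # informational only, never trusted
        "connecting_ip": ip,            # the address to look up for an abuse report
        "self_addressed": self_addressed,
        "reject": external and self_addressed,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE, {"me@example.org"}))
```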