[ale] Those "You've been hacked" emails
Ben Coleman
oloryn at benshome.net
Sun Mar 24 22:39:06 EDT 2019
I'm sure you've gotten them - those emails claiming that they've hacked
you, and have video evidence of you activities while you're (ehem)
interacting with certain sites, and that this evidence can all go away
if you'll only deposit a certain amount of money into their bitcoin
account. The latest tack they've been taking is to combine your email
with those caches of passwords from various exploits so they can appear
to know your passwords (yeah, one I used 10 years ago).
But what I didn't realize was how inexperienced (at least some of) these
guys are at the actual spamming game. On a whim, I popped up the
headers for one of these (I've been amused before on how, for example,
some of these claim to have included a 'tracking pixel' on what is
actually a text/plain email). To my surprise, there was but one
Received header. Straight from their server to mine (well, they did try
to spoof the HELO to look like it was an outlook mail server, but if you
know anything about Received headers, you know to ignore that). No
obfuscation of the headers at all. And it was in the network of a VPS
vendor. Now, it's possible that someone's had their VPS hacked, but
since this whole faux extortion thing is really script-kiddie level
stuff, it wouldn't surprise me if someone was stupid enough to send this
stuff out from their own VPS.
I felt transported back to the early 2000s when it was actually useful
to read Received headers, figure out where an email came from (even if
the spammer tried to inject bogus Received headers), and report it to
their ISP, with results (usually the spammer account shut down - I've
got my share of "positive" results, including one from Afterburner (for
those who remember him)). Those days pretty much went away when the
spammers joined up with the botnet crowd.
So, I sent off a report to the VPS vendor's abuse account. And went and
found another that originated off of an Amazon EC2 and shot off a report
to Amazon's abuse account. Don't know yet if this will do any good.
But if any other ALEers have a nostalgic spot for the early
antispamming days, this may be a place where you can play again.
Ben
--
Ben Coleman oloryn at benshome.net | For the wise man, doing right trumps
http://oloryn.benshome.net/ | looking right. For the fool, looking
Amateur Radio NJ8J | right trumps doing right.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://mail.ale.org/pipermail/ale/attachments/20190324/054b268c/attachment.sig>
More information about the Ale
mailing list