[ale] Those "You've been hacked" emails

DJ-Pfulio djpfulio at jdpfu.com
Mon Mar 25 10:48:33 EDT 2019


But didn't they claim that you had good taste in video choices?

I would enable hard-fails on SPF records, but too many airlines can't seem to
get their SPF records correct for all the outside email senders they use.

And I have to ask ....  "legitimate Office 365 email" ... hasn't ever happened
to me. Is that a thing?



On 3/25/19 7:46 AM, Jim Kinney via Ale wrote:
> Those lying scumbags. Won't tell me what video I was watching. Won't even send
> teaser of what they claim to have. Just keep demanding money. Like I'm gonna pay
> upfront without knowing what I'm getting.
> 
> On March 25, 2019 12:00:44 AM EDT, dev null zero two via Ale <ale at ale.org> wrote:
> 
>     I meant to direct my reply to OP, sorry.
> 
>     On Mon, Mar 25, 2019 at 12:00 AM Alex Carver <agcarver+ale at acarver.net
>     <mailto:agcarver%2Bale at acarver.net>> wrote:
> 
>         Right, that's why it's a "hacked machine" :)
> 
>         On 2019-03-24 20:58, dev null zero two wrote:
>         > 99% chance it's sent from a compromised server.
>         >
>         > On Sun, Mar 24, 2019 at 11:56 PM Alex Carver via Ale <ale at ale.org
>         <mailto:ale at ale.org>> wrote:
>         >
>         >> I got a raft of them sent to my personal server from various hacked
>         >> machines.  A bunch in Brazil, one at Digital Ocean, another at Amazon
>         >> EC2.  In my case they always wrote the from and to to be the same
>         >> address so I added another ACL to the mail server to block anything that
>         >> came from the outside and claimed to be from me and to me.  It all went
>         >> away after that.
>         >>
>         >> Of course these started showing up long after I had already been
>         >> blocking entire netblocks for abuse (hundreds of relay attempts per
>         >> minute) so I may have already been ignoring some sources.
>         >>
>         >> On 2019-03-24 19:39, Ben Coleman via Ale wrote:
>         >>> I'm sure you've gotten them - those emails claiming that they've hacked
>         >>> you, and have video evidence of your activities while you're (ehem)
>         >>> interacting with certain sites, and that this evidence can all go away
>         >>> if you'll only deposit a certain amount of money into their bitcoin
>         >>> account.  The latest tack they've been taking is to combine your email
>         >>> with those caches of passwords from various exploits so they can appear
>         >>> to know your passwords (yeah, one I used 10 years ago).
>         >>>
>         >>> But what I didn't realize was how inexperienced (at least some of) these
>         >>> guys are at the actual spamming game.  On a whim, I popped up the
>         >>> headers for one of these (I've been amused before on how, for example,
>         >>> some of these claim to have included a 'tracking pixel' on what is
>         >>> actually a text/plain email).  To my surprise, there was but one
>         >>> Received header.  Straight from their server to mine (well, they did try
>         >>> to spoof the HELO to look like it was an outlook mail server, but if you
>         >>> know anything about Received headers, you know to ignore that).  No
>         >>> obfuscation of the headers at all.  And it was in the network of a VPS
>         >>> vendor.  Now, it's possible that someone's had their VPS hacked, but
>         >>> since this whole faux extortion thing is really script-kiddie level
>         >>> stuff, it wouldn't surprise me if someone was stupid enough to send this
>         >>> stuff out from their own VPS.
>         >>>
>         >>> I felt transported back to the early 2000s when it was actually useful
>         >>> to read Received headers, figure out where an email came from (even if
>         >>> the spammer tried to inject bogus Received headers), and report it to
>         >>> their ISP, with results (usually the spammer account shut down - I've
>         >>> got my share of "positive" results, including one from Afterburner (for
>         >>> those who remember him)).  Those days pretty much went away when the
>         >>> spammers joined up with the botnet crowd.
>         >>>
>         >>> So, I sent off a report to the VPS vendor's abuse account.  And went and
>         >>> found another that originated off of an Amazon EC2 and shot off a report
>         >>> to Amazon's abuse account.  Don't know yet if this will do any good.
>         >>> But if any other ALEers have a nostalgic spot for the early
>         >>> antispamming days, this may be a place where you can play again. 
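The two checks this thread describes, reading the connecting IP out of the Received header instead of trusting the HELO name, and rejecting outside mail that claims to be from the recipient to the recipient, as an added Python example (not code from anyone on the list). The sample message, `LOCAL_DOMAINS`, `TRUSTED_NETS` and the assumption that the topmost Received header was written by our own MX are all constructed for the example.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: a single Received hop, a HELO name pretending to be an
# Outlook host, and From/To both set to the recipient's own address.
SAMPLE = b"""\
Received: from mail-out.outlook.com (unknown [203.0.113.45])
\tby mx.example.net (Postfix) with ESMTP id 4F2A1C0001
\tfor <alice@example.net>; Sun, 24 Mar 2019 19:12:07 -0400 (EDT)
From: alice@example.net
To: alice@example.net
Subject: Your account has been hacked

Pay 0.3 BTC to the address below...
"""

LOCAL_DOMAINS = {"example.net"}                        # assumed: domains we host
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: our own submission LAN
HOP_RE = re.compile(r"from (\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(msg):
    """(helo_name, connecting_ip) for each Received header, newest first.
    The HELO name is whatever the client announced; only the bracketed IP
    that the receiving MTA recorded says where the connection came from."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.match(" ".join(str(hdr).split()))   # unfold continuation lines
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def assess(raw, local_domains=LOCAL_DOMAINS, trusted_nets=TRUSTED_NETS):
    """Return the IP worth reporting and whether the from==to ACL rejects it."""
    msg = email.message_from_bytes(raw)
    hops = received_hops(msg)
    if not hops:
        return {"ip": None, "helo": None, "direct": False, "reject": False}
    helo, ip = hops[0]            # assumed: top header was added by our MX
    external = not any(ipaddress.ip_address(ip) in net for net in trusted_nets)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    claims_self = sender == rcpt and sender.rsplit("@", 1)[-1] in local_domains
    return {
        "ip": ip,                 # this, not the HELO name, goes in the abuse report
        "helo": helo,             # shown only so the spoof is visible
        "direct": len(hops) == 1, # one hop: the sending host spoke to us directly
        "reject": external and claims_self,
    }
```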

