[ale] Those "You've been hacked" emails

Lightner, Jeffrey JLightner at dsservices.com
Mon Mar 25 11:16:10 EDT 2019


"Legitimate" in the sense that many organizations (including ours) unfortunately DO use Office 365 for email so one has to accept them or block many customers.   I'm seeing more and more organizations going that way.  In fact, I've seen several go away from Gmail/GSuite to Office 365 for mail and apps.

Maybe we need an SPF/DKIM flag day where all the big ISPs and mail providers start blocking email from domains that don't provide TXT for SPF or DKIM like the recent DNS flag day for lack of edns.   If enough companies got their email blocked automatically they'd work on getting those records added.  

Office 365, by the way, requires one to set up an SPF record to start sending from a domain.
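An added example, not part of the thread: a small Python checker for the SPF side of the "flag day" idea above. It takes a domain's TXT records (constructed samples here, no DNS queries are made; the `.example` domains and addresses are made up, and `spf.protection.outlook.com` is the include Office 365 tenants publish) and reports whether a `v=spf1` record exists, what its `all` qualifier means (hard fail `-all` versus soft fail `~all` versus open `+all`), and how many DNS-querying terms it uses. It also evaluates a sender IP against the literal `ip4:`/`ip6:` terms; terms that need DNS are not resolved, so a non-match with such terms present is reported as inconclusive rather than guessed.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed TXT records for made-up domains; nothing here is looked up in DNS.
SAMPLE_TXT = {
    "hardfail.example": ["v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all"],
    "softfail.example": ["v=spf1 ip4:198.51.100.10 ~all"],
    "open.example":     ["v=spf1 +all"],
    "nospf.example":    ["google-site-verification=not-a-real-token"],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms/modifiers that cost a DNS query when evaluated (RFC 7208 caps these at 10).
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_NAME = re.compile(r"^[+\-~?]?([a-z0-9]+)", re.IGNORECASE)


@dataclass
class SpfSummary:
    present: bool
    all_policy: str = "none"          # verdict for senders matching no other term
    dns_lookups: int = 0
    warnings: list = field(default_factory=list)


def parse_terms(record):
    """Yield (qualifier_meaning, name, value) for each term after 'v=spf1'."""
    for term in record.split()[1:]:
        qualifier = QUALIFIER[term[0]] if term[0] in QUALIFIER else "pass"
        m = TERM_NAME.match(term)
        if not m:
            continue
        name = m.group(1).lower()
        value = term[m.end():].lstrip(":=")   # "ip4:203.0.113.0/24" -> "203.0.113.0/24"
        yield qualifier, name, value


def summarize_spf(txt_records):
    """Describe the policy a domain publishes, with the weaknesses a receiver would notice."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return SpfSummary(present=False, warnings=["no v=spf1 record published"])
    s = SpfSummary(present=True)
    if len(spf) > 1:
        s.warnings.append("multiple v=spf1 records: receivers return permerror")
    for qualifier, name, _ in parse_terms(spf[0]):
        if name == "all":
            s.all_policy = qualifier
        elif name in DNS_TERMS:
            s.dns_lookups += 1
    if s.dns_lookups > 10:
        s.warnings.append("more than 10 DNS-querying terms: receivers return permerror")
    if s.all_policy in ("pass", "neutral", "none"):
        s.warnings.append(f"'all' policy is {s.all_policy}: forged senders are not rejected")
    elif s.all_policy == "softfail":
        s.warnings.append("~all: forged senders are tagged, not rejected")
    return s


def check_sender_ip(txt_records, sender_ip):
    """Evaluate sender_ip against the ip4/ip6 terms only. Terms that need DNS are
    not resolved here, so a non-match with such terms present is 'inconclusive'."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    needs_dns = False
    for qualifier, name, value in parse_terms(spf[0]):
        if name in ("ip4", "ip6"):
            # Version mismatch (IPv6 sender vs ip4 term) simply does not match.
            if ip in ipaddress.ip_network(value, strict=False):
                return qualifier
        elif name in DNS_TERMS:
            needs_dns = True
        elif name == "all":
            return "inconclusive" if needs_dns else qualifier
    return "inconclusive" if needs_dns else "neutral"


if __name__ == "__main__":
    for domain, records in SAMPLE_TXT.items():
        print(domain, summarize_spf(records))
    print(check_sender_ip(SAMPLE_TXT["softfail.example"], "192.0.2.1"))
```

The distinction the summary draws is the one that matters for enforcement: only `-all` gives a receiver grounds to reject forged mail outright, which is why soft-fail records from senders with sprawling outsourced mail flows leave receivers little to act on.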

-----Original Message-----
From: Ale <ale-bounces at ale.org> On Behalf Of DJ-Pfulio via Ale
Sent: Monday, March 25, 2019 10:49 AM
To: ale at ale.org
Subject: Re: [ale] Those "You've been hacked" emails

But didn't they claim that you had good taste in video choices?

I would enable hard-fails on SPF records, but too many airlines can't seem to get their SPF records correct for all the outside email senders they use.

And I have to ask ....  "legitimate Office 365 email" ... hasn't ever happened to me. Is that a thing?



On 3/25/19 7:46 AM, Jim Kinney via Ale wrote:
> Those lying scumbags. Won't tell me what video I was watching. Won't 
> even send teaser of what they claim to have. Just keep demanding 
> money. Like I'm gonna pay upfront without knowing what I'm getting.
> 
> On March 25, 2019 12:00:44 AM EDT, dev null zero two via Ale <ale at ale.org> wrote:
> 
>     I meant to direct my reply to OP, sorry.
> 
>     On Mon, Mar 25, 2019 at 12:00 AM Alex Carver <agcarver+ale at acarver.net> wrote:
> 
>         Right, that's why it's a "hacked machine" :)
> 
>         On 2019-03-24 20:58, dev null zero two wrote:
>         > 99% chance it's sent from a compromised server.
>         >
>         > On Sun, Mar 24, 2019 at 11:56 PM Alex Carver via Ale <ale at ale.org> wrote:
>         >
>         >> I got a raft of them sent to my personal server from various hacked
>         >> machines.  A bunch in Brazil, one at Digital Ocean, another at Amazon
>         >> EC2.  In my case they always wrote the from and to to be the same
>         >> address so I added another ACL to the mail server to block anything that
>         >> came from the outside and claimed to be from me and to me.  It all went
>         >> away after that.
>         >>
>         >> Of course these started showing up long after I had already been
>         >> blocking entire netblocks for abuse (hundreds of relay attempts per
>         >> minute) so I may have already been ignoring some sources.
>         >>
>         >> On 2019-03-24 19:39, Ben Coleman via Ale wrote:
>         >>> I'm sure you've gotten them - those emails claiming that they've hacked
>         >>> you, and have video evidence of your activities while you're (ehem)
>         >>> interacting with certain sites, and that this evidence can all go away
>         >>> if you'll only deposit a certain amount of money into their bitcoin
>         >>> account.  The latest tack they've been taking is to combine your email
>         >>> with those caches of passwords from various exploits so they can appear
>         >>> to know your passwords (yeah, one I used 10 years ago).
>         >>>
>         >>> But what I didn't realize was how inexperienced (at least some of) these
>         >>> guys are at the actual spamming game.  On a whim, I popped up the
>         >>> headers for one of these (I've been amused before on how, for example,
>         >>> some of these claim to have included a 'tracking pixel' on what is
>         >>> actually a text/plain email).  To my surprise, there was but one
>         >>> Received header.  Straight from their server to mine (well, they did try
>         >>> to spoof the HELO to look like it was an outlook mail server, but if you
>         >>> know anything about Received headers, you know to ignore that).  No
>         >>> obfuscation of the headers at all.  And it was in the network of a VPS
>         >>> vendor.  Now, it's possible that someone's had their VPS hacked, but
>         >>> since this whole faux extortion thing is really script-kiddie level
>         >>> stuff, it wouldn't surprise me if someone was stupid enough to send this
>         >>> stuff out from their own VPS.
>         >>>
>         >>> I felt transported back to the early 2000s when it was actually useful
>         >>> to read Received headers, figure out where an email came from (even if
>         >>> the spammer tried to inject bogus Received headers), and report it to
>         >>> their ISP, with results (usually the spammer account shut down - I've
>         >>> got my share of "positive" results, including one from Afterburner (for
>         >>> those who remember him)).  Those days pretty much went away when the
>         >>> spammers joined up with the botnet crowd.
>         >>>
>         >>> So, I sent off a report to the VPS vendor's abuse account.  And went and
>         >>> found another that originated off of an Amazon EC2 and shot off a report
>         >>> to Amazon's abuse account.  Don't know yet if this will do any good.
>         >>> But if any other ALEers have a nostalgic spot for the early
>         >>> antispamming days, this may be a place where you can play again. 
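An added example, not written by anyone in the thread, that automates the two defensive checks described above: Ben's point that the spoofed HELO in a `Received` line is worthless while the bracketed connecting IP is what to read, and Alex's rule of rejecting mail that arrives from outside but claims to be both from and to the same local address. The messages and addresses are constructed (documentation ranges only), and the trusted network `10.0.0.0/8` stands in for whatever your own relays use. The walk goes from the newest `Received` line downward and stops at the first hop whose connecting IP is not one of our own relays; everything below that line was supplied by the sender and may be forged, so it is ignored.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Networks our own relays live in. Received lines with a connecting IP in these
# ranges were stamped by us and are trusted. Constructed for this example.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")
HELO_NAME = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)

# Constructed extortion message: our MX (10.0.0.5) hands off to the mailstore, the
# real client connected from 203.0.113.45 while claiming HELO "outlook.com", and the
# bottom Received line is one the sender injected to look like an earlier relay.
SAMPLE_EXTORTION = """\
Received: from mx1.example.net ([10.0.0.5]) by imap.example.net with LMTP; Sun, 24 Mar 2019 19:30:01 -0400
Received: from outlook.com (unknown [203.0.113.45]) by mx1.example.net with ESMTP; Sun, 24 Mar 2019 19:30:00 -0400
Received: from mail.innocent.example (innocent [198.51.100.7]) by outlook.com; Sun, 24 Mar 2019 19:29:00 -0400
From: me@example.net
To: me@example.net
Subject: You've been hacked

Pay now.
"""

# Constructed internal message: every hop is ours, so there is no external origin.
SAMPLE_INTERNAL = """\
Received: from mx1.example.net ([10.0.0.5]) by imap.example.net with LMTP; Mon, 25 Mar 2019 09:00:00 -0400
From: alice@example.net
To: bob@example.net
Subject: lunch

Noon?
"""


def originating_hop(raw_message, trusted_nets=TRUSTED_NETS):
    """Return (claimed_helo, connecting_ip) for the hop where the message entered
    our infrastructure, or None if every Received line is from our own relays."""
    msg = email.message_from_string(raw_message)
    for hdr in msg.get_all("Received") or []:
        m = IP_IN_BRACKETS.search(hdr)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if any(ip in net for net in trusted_nets):
            continue                      # our own relay hop; keep walking down
        helo = HELO_NAME.match(hdr)       # recorded for the report, never trusted
        return (helo.group(1) if helo else None, str(ip))
    return None


def is_self_addressed(raw_message):
    """True when the From and To addresses are the same mailbox."""
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    return bool(sender) and sender == recipient


def assess(raw_message, trusted_nets=TRUSTED_NETS):
    """Summarize what an abuse report or a reject rule would key on."""
    hop = originating_hop(raw_message, trusted_nets)
    return {
        "origin_ip": hop[1] if hop else None,
        "claimed_helo": hop[0] if hop else None,
        "external_and_self_addressed": hop is not None and is_self_addressed(raw_message),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_EXTORTION))
    print(assess(SAMPLE_INTERNAL))
```

The `origin_ip` is the address to put in an abuse report to the hosting provider; the forged line beneath it never enters the result because the walk stops at the first untrusted hop rather than reading the bottom of the chain.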
_______________________________________________
Ale mailing list
Ale at ale.org
https://mail.ale.org/mailman/listinfo/ale