<div><div dir="auto">I meant to direct my reply to OP, sorry.</div></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 25, 2019 at 12:00 AM Alex Carver <<a href="mailto:agcarver%2Bale@acarver.net">agcarver+ale@acarver.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Right, that's why it's a "hacked machine" :)<br>
<br>
On 2019-03-24 20:58, dev null zero two wrote:<br>
> 99% chance it's sent from a compromised server.<br>
> <br>
> On Sun, Mar 24, 2019 at 11:56 PM Alex Carver via Ale <<a href="mailto:ale@ale.org" target="_blank">ale@ale.org</a>> wrote:<br>
> <br>
>> I got a raft of them sent to my personal server from various hacked<br>
>> machines. A bunch in Brazil, one at Digital Ocean, another at Amazon<br>
>> EC2. In my case they always wrote the from and to to be the same<br>
>> address so I added another ACL to the mail server to block anything that<br>
>> came from the outside and claimed to be from me and to me. It all went<br>
>> away after that.<br>
>><br>
>> Of course these started showing up long after I had already been<br>
>> blocking entire netblocks for abuse (hundreds of relay attempts per<br>
>> minute) so I may have already been ignoring some sources.<br>
>><br>
>> On 2019-03-24 19:39, Ben Coleman via Ale wrote:<br>
>>> I'm sure you've gotten them - those emails claiming that they've hacked<br>
>>> you, and have video evidence of you activities while you're (ehem)<br>
>>> interacting with certain sites, and that this evidence can all go away<br>
>>> if you'll only deposit a certain amount of money into their bitcoin<br>
>>> account. The latest tack they've been taking is to combine your email<br>
>>> with those caches of passwords from various exploits so they can appear<br>
>>> to know your passwords (yeah, one I used 10 years ago).<br>
>>><br>
>>> But what I didn't realize was how inexperienced (at least some of) these<br>
>>> guys are at the actual spamming game. On a whim, I popped up the<br>
>>> headers for one of these (I've been amused before on how, for example,<br>
>>> some of these claim to have included a 'tracking pixel' on what is<br>
>>> actually a text/plain email). To my surprise, there was but one<br>
>>> Received header. Straight from their server to mine (well, they did try<br>
>>> to spoof the HELO to look like it was an outlook mail server, but if you<br>
>>> know anything about Received headers, you know to ignore that). No<br>
>>> obfuscation of the headers at all. And it was in the network of a VPS<br>
>>> vendor. Now, it's possible that someone's had their VPS hacked, but<br>
>>> since this whole faux extortion thing is really script-kiddie level<br>
>>> stuff, it wouldn't surprise me if someone was stupid enough to send this<br>
>>> stuff out from their own VPS.<br>
>>><br>
>>> I felt transported back to the early 2000s when it was actually useful<br>
>>> to read Received headers, figure out where an email came from (even if<br>
>>> the spammer tried to inject bogus Received headers), and report it to<br>
>>> their ISP, with results (usually the spammer account shut down - I've<br>
>>> got my share of "positive" results, including one from Afterburner (for<br>
>>> those who remember him)). Those days pretty much went away when the<br>
>>> spammers joined up with the botnet crowd.<br>
>>><br>
>>> So, I sent off a report to the VPS vendor's abuse account. And went and<br>
>>> found another that originated off of an Amazon EC2 and shot off a report<br>
>>> to Amazon's abuse account. Don't know yet if this will do any good.<br>
>>> But if any other ALEers have a nostalgic spot for the early<br>
>>> antispamming days, this may be a place where you can play again.<br>
>>><br>
>>> Ben<br>
>>><br>
>>><br>
>>> _______________________________________________<br>
>>> Ale mailing list<br>
>>> <a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
>>> <a href="https://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">https://mail.ale.org/mailman/listinfo/ale</a><br>
>>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>>> <a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>>><br>
>><br>
>> _______________________________________________<br>
>> Ale mailing list<br>
>> <a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
>> <a href="https://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">https://mail.ale.org/mailman/listinfo/ale</a><br>
>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>> <a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>><br>
<br>
</blockquote></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Sent from my mobile. Please excuse the brevity, spelling, and punctuation.</div>