Someone's scraping NANOG for phishing purposes again

Alexander Harrowell a.harrowell at gmail.com
Fri Feb 10 18:05:13 UTC 2017


Yes. The names are used in the From: but not the e-mail addresses. The
payload is inside SecureServer.net's 43.255.154.0/24 - 43.255.154.125 and
43.255.154.66. Headers follow. Note: I think Anne P. Mitchell is a LinkedIn
contact of mine.

Message 1)

Delivered-To: a.harrowell at gmail.com
Received: by 10.80.169.228 with SMTP id n91csp49041edc;
        Wed, 8 Feb 2017 16:09:01 -0800 (PST)
X-Received: by 10.223.131.34 with SMTP id 31mr179054wrd.119.1486598941445;
        Wed, 08 Feb 2017 16:09:01 -0800 (PST)
Return-Path: <wolfgang at cziczatka.com>
Received: from mx21lb.world4you.com (mx21lb.world4you.com. [81.19.149.131])
        by mx.google.com with ESMTPS id p26si10875705wrp.311.2017.02.08.16.09.01
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Feb 2017 16:09:01 -0800 (PST)
Received-SPF: pass (google.com: domain of wolfgang at cziczatka.com
designates 81.19.149.131 as permitted sender) client-ip=81.19.149.131;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of wolfgang at cziczatka.com
designates 81.19.149.131 as permitted sender)
smtp.mailfrom=wolfgang at cziczatka.com
Received: from [117.243.182.154] (helo=dydt-PC) by
mx21lb.world4you.com with esmtpsa
(TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from
<wolfgang at cziczatka.com>) id 1cbcIF-0005OX-87; Thu, 09 Feb 2017
01:09:00 +0100
From: Brandon Galbraith <wolfgang at cziczatka.com>
To: Alexander Harrowell <a.harrowell at gmail.com>, "Nathanael C.
Cariaga" <nccariaga at stluke.com.ph>, aduitsis <aduitsis at gmail.com>,
David Ulevitch <davidu at everydns.net>
Subject: take a look at that
Date: Thu, 9 Feb 2017 00:08:49 +0000
Message-ID: <1514273443.20170209030849 at cziczatka.com>
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0016_017DBA64.1747A7CE"
Content-Language: en-gb
MIME-Version: 1.0
X-SA-Do-Not-Run: Yes
X-AV-Do-Run: Yes
X-SA-Exim-Connect-IP: 117.243.182.154
X-SA-Exim-Mail-From: wolfgang at cziczatka.com
X-SA-Exim-Scanned: No (on mx21lb.world4you.com); SAEximRunCond expanded to false

------=_NextPart_000_0016_017DBA64.1747A7CE

Message 2)


Delivered-To: a.harrowell at gmail.com
Received: by 10.80.169.228 with SMTP id n91csp50480edc;
        Wed, 8 Feb 2017 16:14:21 -0800 (PST)
X-Received: by 10.28.135.82 with SMTP id j79mr18959559wmd.19.1486599261495;
        Wed, 08 Feb 2017 16:14:21 -0800 (PST)
Return-Path: <info at ocreschauvin.fr>
Received: from smtp.nfrance.com (smtp-4.nfrance.com. [80.247.229.46])
        by mx.google.com with ESMTPS id f124si4142408wmd.153.2017.02.08.16.14.21
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Feb 2017 16:14:21 -0800 (PST)
Received-SPF: neutral (google.com: 80.247.229.46 is neither permitted
nor denied by best guess record for domain of info at ocreschauvin.fr)
client-ip=80.247.229.46;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 80.247.229.46 is neither permitted nor
denied by best guess record for domain of info at ocreschauvin.fr)
smtp.mailfrom=info at ocreschauvin.fr
Received: from tqzb-PC (unknown [197.45.161.242]) (using TLSv1.2 with
cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
certificate requested) by smtp.nfrance.com (Postfix) with ESMTPSA id
28E1612D7A7; Thu,
  9 Feb 2017 01:14:18 +0100 (CET)
From: Owen DeLong <info at ocreschauvin.fr>
To: Brian Mengel <bmengel at gmail.com>, Andrew Latham
<lathama at gmail.com>, Alexander Harrowell <a.harrowell at gmail.com>,
"Anne P. Mitchell Esq." <amitchell at isipp.com>
Subject: do you have any ideas?
Date: Thu, 9 Feb 2017 06:14:13 +0600
Message-ID: <1846552645.20170209031413 at ocreschauvin.fr>
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_005C_010D479E.32101F4A"
Content-Language: en-us
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.78 on 80.247.229.46

------=_NextPart_000_005C_010D479E.32101F4A
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

RGVhciBmcmllbmQhIA0KDQpJJ3ZlIGJlZW4gd3JpdGluZyBhbiAgYXJ0aWNsZSBhbmQgSSd2ZSBj
b21lIGFjcm9zcyB0aGF0ICBzdHJhbmdlICBzdHVmZiwgIGRvIHlvdSBoYXZlICBhbnkgIGlkZWFz
IHdoYXQgY291bGQgaXQgYmU/IEp1c3QgdGFrZSBhICBsb29rIGh0dHA6Ly9tYXgudHJpcHN0aXht
ZW1vcmllcy5jb20vZjRmNQ0KDQpCZXN0IHdpc2hlcywgT3dlbiBEZUxvbmcNCg0K
------=_NextPart_000_005C_010D479E.32101F4A

------=_NextPart_000_005C_010D479E.32101F4A--



On Fri, Feb 10, 2017 at 5:46 PM, Suresh Ramasubramanian <ops.lists at gmail.com> wrote:

> Or a nanog member might be infected and the malware is scraping his
> mailbox for bogus froms.  Got headers?
>
> On 10/02/17, 9:40 AM, "NANOG on behalf of Alexander Harrowell" <
> nanog-bounces at nanog.org on behalf of a.harrowell at gmail.com> wrote:
>
>     I'm getting suspicious e-mail pretending to come from leading
> NANOGers. Not
>     the first time this has happened, but you may want to be warned.
>
>     Yours,
>
>     Alex Harrowell
>
>
>
>
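The headers above show the pattern worth detecting: a known contact's name in the From: display name, but an unrelated (apparently compromised) mailbox as the address, with SPF passing or neutral for that unrelated domain. The following is an added example, not part of the original post, of a receiving-side check for that pattern; the sample headers are constructed from the quoted ones with the archive's "x at y" obfuscation reversed, and the contact allow-list and its domains are hypothetical placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed samples modelled on the two header sets quoted in the post,
# trimmed to the fields the check needs.
SAMPLE_1 = """\
Return-Path: <wolfgang@cziczatka.com>
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of wolfgang@cziczatka.com
       designates 81.19.149.131 as permitted sender)
       smtp.mailfrom=wolfgang@cziczatka.com
From: Brandon Galbraith <wolfgang@cziczatka.com>

"""
SAMPLE_2 = """\
Return-Path: <info@ocreschauvin.fr>
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 80.247.229.46 is neither permitted nor
       denied by best guess record for domain of info@ocreschauvin.fr)
       smtp.mailfrom=info@ocreschauvin.fr
From: Owen DeLong <info@ocreschauvin.fr>

"""

# Hypothetical allow-list: lower-cased display name -> domains that person
# really mails from. The domains are placeholders, not the contacts' real ones.
KNOWN_CONTACTS = {
    "brandon galbraith": {"example.net"},
    "owen delong": {"example.org"},
}

def analyse(raw_headers, contacts=KNOWN_CONTACTS):
    """Flag a From: whose display name is a known contact but whose address
    domain is not one that contact uses; report SPF to show it is unrelated."""
    msg = email.message_from_string(raw_headers)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, envelope_from = parseaddr(msg.get("Return-Path", ""))
    auth = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=(\w+)", auth)
    expected = contacts.get(name.strip().lower())
    return {
        "display_name": name,
        "from_domain": from_domain,
        "spf": spf.group(1) if spf else "none",
        # envelope sender == header From is typical of a real account being abused
        "envelope_matches_from": envelope_from.lower() == addr.lower(),
        "display_name_spoof": expected is not None and from_domain not in expected,
    }
```

SPF only vouches for the envelope domain (cziczatka.com, ocreschauvin.fr), so a pass here is expected and the name mismatch is the signal to act on.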
