Someone's scraping NANOG for phishing purposes again

Elizabeth Zwicky zwicky at yahoo-inc.com
Fri Feb 10 18:59:29 UTC 2017


This is the sort of mail, based on stolen address books from numerous sites and sometimes on mined Facebook data, that the same spam group has been sending since mid-2013. At some point in 2016 they started permuting the data; previously, if A's address book had been stolen, the mail always came "From:" A, but now if A's address book had B and C in it, the mail might be "From:" B to C.
It is of course possible that they have new sources of data, although I haven't seen any particular evidence of that recently. (I have seen evidence that they have moderately increased competence in getting their spam delivered and read, which has been their main problem in recent years.) Address book data stays useful until all of your contacts get new email addresses.

Elizabeth Zwicky

On Friday, February 10, 2017, 10:34:58 AM PST, Alexander Harrowell <a.harrowell at gmail.com> wrote:

Yes. The names are used in the From: but not the e-mail addresses. The
payload is inside SecureServer.net's 43.255.154.0/24 - 43.255.154.125 and
43.255.154.66. Headers follow. Note: I think Anne P. Mitchell is a LinkedIn
contact of mine.

Message 1)

Delivered-To: a.harrowell at gmail.com
Received: by 10.80.169.228 with SMTP id n91csp49041edc;
        Wed, 8 Feb 2017 16:09:01 -0800 (PST)
X-Received: by 10.223.131.34 with SMTP id 31mr179054wrd.119.1486598941445;
        Wed, 08 Feb 2017 16:09:01 -0800 (PST)
Return-Path: <wolfgang at cziczatka.com>
Received: from mx21lb.world4you.com (mx21lb.world4you.com. [81.19.149.131])
        by mx.google.com with ESMTPS id p26si10875705wrp.311.2017.02.08.16.09.01
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Feb 2017 16:09:01 -0800 (PST)
Received-SPF: pass (google.com: domain of wolfgang at cziczatka.com
designates 81.19.149.131 as permitted sender) client-ip=81.19.149.131;
Authentication-Results: mx.google.com;
      spf=pass (google.com: domain of wolfgang at cziczatka.com
designates 81.19.149.131 as permitted sender)
smtp.mailfrom=wolfgang at cziczatka.com
Received: from [117.243.182.154] (helo=dydt-PC) by
mx21lb.world4you.com with esmtpsa
(TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from
<wolfgang at cziczatka.com>) id 1cbcIF-0005OX-87; Thu, 09 Feb 2017
01:09:00 +0100
From: Brandon Galbraith <wolfgang at cziczatka.com>
To: Alexander Harrowell <a.harrowell at gmail.com>, "Nathanael C.
Cariaga" <nccariaga at stluke.com.ph>, aduitsis <aduitsis at gmail.com>,
David Ulevitch <davidu at everydns.net>
Subject: take a look at that
Date: Thu, 9 Feb 2017 00:08:49 +0000
Message-ID: <1514273443.20170209030849 at cziczatka.com>
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0016_017DBA64.1747A7CE"
Content-Language: en-gb
MIME-Version: 1.0
X-SA-Do-Not-Run: Yes
X-AV-Do-Run: Yes
X-SA-Exim-Connect-IP: 117.243.182.154
X-SA-Exim-Mail-From: wolfgang at cziczatka.com
X-SA-Exim-Scanned: No (on mx21lb.world4you.com); SAEximRunCond expanded to false

------=_NextPart_000_0016_017DBA64.1747A7CE

Message 2)


Delivered-To: a.harrowell at gmail.com
Received: by 10.80.169.228 with SMTP id n91csp50480edc;
        Wed, 8 Feb 2017 16:14:21 -0800 (PST)
X-Received: by 10.28.135.82 with SMTP id j79mr18959559wmd.19.1486599261495;
        Wed, 08 Feb 2017 16:14:21 -0800 (PST)
Return-Path: <info at ocreschauvin.fr>
Received: from smtp.nfrance.com (smtp-4.nfrance.com. [80.247.229.46])
        by mx.google.com with ESMTPS id f124si4142408wmd.153.2017.02.08.16.14.21
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Feb 2017 16:14:21 -0800 (PST)
Received-SPF: neutral (google.com: 80.247.229.46 is neither permitted
nor denied by best guess record for domain of info at ocreschauvin.fr)
client-ip=80.247.229.46;
Authentication-Results: mx.google.com;
      spf=neutral (google.com: 80.247.229.46 is neither permitted nor
denied by best guess record for domain of info at ocreschauvin.fr)
smtp.mailfrom=info at ocreschauvin.fr
Received: from tqzb-PC (unknown [197.45.161.242]) (using TLSv1.2 with
cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
certificate requested) by smtp.nfrance.com (Postfix) with ESMTPSA id
28E1612D7A7; Thu,
  9 Feb 2017 01:14:18 +0100 (CET)
From: Owen DeLong <info at ocreschauvin.fr>
To: Brian Mengel <bmengel at gmail.com>, Andrew Latham
<lathama at gmail.com>, Alexander Harrowell <a.harrowell at gmail.com>,
"Anne P. Mitchell Esq." <amitchell at isipp.com>
Subject: do you have any ideas?
Date: Thu, 9 Feb 2017 06:14:13 +0600
Message-ID: <1846552645.20170209031413 at ocreschauvin.fr>
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_005C_010D479E.32101F4A"
Content-Language: en-us
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.78 on 80.247.229.46

------=_NextPart_000_005C_010D479E.32101F4A
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

RGVhciBmcmllbmQhIA0KDQpJJ3ZlIGJlZW4gd3JpdGluZyBhbiAgYXJ0aWNsZSBhbmQgSSd2ZSBj
b21lIGFjcm9zcyB0aGF0ICBzdHJhbmdlICBzdHVmZiwgIGRvIHlvdSBoYXZlICBhbnkgIGlkZWFz
IHdoYXQgY291bGQgaXQgYmU/IEp1c3QgdGFrZSBhICBsb29rIGh0dHA6Ly9tYXgudHJpcHN0aXht
ZW1vcmllcy5jb20vZjRmNQ0KDQpCZXN0IHdpc2hlcywgT3dlbiBEZUxvbmcNCg0K
------=_NextPart_000_005C_010D479E.32101F4A

------=_NextPart_000_005C_010D479E.32101F4A--



On Fri, Feb 10, 2017 at 5:46 PM, Suresh Ramasubramanian <ops.lists at gmail.com> wrote:

> Or a nanog member might be infected and the malware is scraping his
> mailbox for bogus froms.  Got headers?
>
> On 10/02/17, 9:40 AM, "NANOG on behalf of Alexander Harrowell" <
> nanog-bounces at nanog.org on behalf of a.harrowell at gmail.com> wrote:
>
>    I'm getting suspicious e-mail pretending to come from leading
> NANOGers. Not
>    the first time this has happened, but you may want to be warned.
>
>    Yours,
>
>    Alex Harrowell
>
>
>
>


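As an added defensive illustration (not code from anyone in this thread), the following Python checks the pattern Alexander describes: a From: display name that matches a known contact while the address belongs to some other domain. SPF alone does not catch this, since Message 1 shows spf=pass for the spammer's own sending domain, so the check compares the display name against the recipient's own contact list; the sample headers, contact list, addresses and IP below are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread; the
# addresses and IP are placeholders, not the real ones from the messages.
SAMPLE = """\
Return-Path: <sender@relay-domain.test>
Received-SPF: pass (mx.example: domain of sender@relay-domain.test
 designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
From: Owen DeLong <sender@relay-domain.test>
To: Alexander Harrowell <recipient@example.test>
Subject: do you have any ideas?

body
"""

# Hypothetical contact list: display name -> addresses the recipient knows
# for that person (constructed; not anyone's real address).
CONTACTS = {
    "owen delong": {"owen@delong.example"},
    "brandon galbraith": {"brandon@galbraith.example"},
}


def spf_result(msg):
    """Return the verdict word at the start of Received-SPF ('pass',
    'neutral', ...) or 'none' when the header is absent."""
    hdr = str(msg.get("Received-SPF", "")).strip()
    m = re.match(r"([A-Za-z]+)", hdr)
    return m.group(1).lower() if m else "none"


def check_from(raw, contacts=CONTACTS):
    """Flag mail whose From: display name belongs to a known contact but
    whose address is not one of that contact's known addresses."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    name_key = " ".join(name.split()).lower()  # normalise whitespace/case
    addr = addr.lower()
    known = contacts.get(name_key)
    # Unknown display names are not flagged: nothing to compare against.
    spoofed = bool(known) and addr not in known
    return {
        "name": name,
        "addr": addr,
        "spf": spf_result(msg),
        "display_name_spoof": spoofed,
    }
```

A mail that passes SPF can still be flagged here, which is the point: the authentication result describes the relay's domain, not the person named in From:.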
