[193673] in North American Network Operators' Group
Re: Someone's scraping NANOG for phishing purposes again
daemon@ATHENA.MIT.EDU (Elizabeth Zwicky via NANOG)
Fri Feb 10 13:59:44 2017
X-Original-To: nanog@nanog.org
Date: Fri, 10 Feb 2017 18:59:29 +0000 (UTC)
To: Alexander Harrowell <a.harrowell@gmail.com>,
Suresh Ramasubramanian <ops.lists@gmail.com>
In-Reply-To: <CA+qGm=_0ZoKwjuiWUpqxZCQwPwtVSd4v7U4ibbO6_1PCM1+FDQ@mail.gmail.com>
From: Elizabeth Zwicky via NANOG <nanog@nanog.org>
Reply-To: Elizabeth Zwicky <zwicky@yahoo-inc.com>
Cc: David Ulevitch <davidu@everydns.net>,
Brandon Galbraith <brandon.galbraith@gmail.com>, NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
This is the sort of mail, based on stolen address books from numerous sites and sometimes on mined Facebook data, that the same spam group has been sending since mid-2013. At some point in 2016 they started permuting the data; previously, if A's address book had been stolen, the mail always came "From:" A, but now if A's address book had B and C in it, the mail might be "From:" B to C.
It is of course possible that they have new sources of data, although I haven't seen any particular evidence of that recently. (I have seen evidence that they have moderately increased competence in getting their spam delivered and read, which has been their main problem in recent years.) Address book data stays useful until all of your contacts get new email addresses.
Elizabeth Zwicky

On Friday, February 10, 2017, 10:34:58 AM PST, Alexander Harrowell <a.harrowell@gmail.com> wrote:

Yes. The names are used in the From: but not the e-mail addresses. The payload is inside SecureServer.net's 43.255.154.0/24 - 43.255.154.125 and 43.255.154.66. Headers follow. Note: I think Anne P. Mitchell is a LinkedIn contact of mine.
Message 1)
Delivered-To: a.harrowell@gmail.com
Received: by 10.80.169.228 with SMTP id n91csp49041edc;
        Wed, 8 Feb 2017 16:09:01 -0800 (PST)
X-Received: by 10.223.131.34 with SMTP id 31mr179054wrd.119.1486598941445;
        Wed, 08 Feb 2017 16:09:01 -0800 (PST)
Return-Path: <wolfgang@cziczatka.com>
Received: from mx21lb.world4you.com (mx21lb.world4you.com. [81.19.149.131])
        by mx.google.com with ESMTPS id p26si10875705wrp.311.2017.02.08.16.09.01
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Feb 2017 16:09:01 -0800 (PST)
Received-SPF: pass (google.com: domain of wolfgang@cziczatka.com
designates 81.19.149.131 as permitted sender) client-ip=81.19.149.131;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of wolfgang@cziczatka.com
designates 81.19.149.131 as permitted sender)
smtp.mailfrom=wolfgang@cziczatka.com
Received: from [117.243.182.154] (helo=dydt-PC) by
mx21lb.world4you.com with esmtpsa
(TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from
<wolfgang@cziczatka.com>) id 1cbcIF-0005OX-87; Thu, 09 Feb 2017
01:09:00 +0100
From: Brandon Galbraith <wolfgang@cziczatka.com>
To: Alexander Harrowell <a.harrowell@gmail.com>, "Nathanael C.
Cariaga" <nccariaga@stluke.com.ph>, aduitsis <aduitsis@gmail.com>,
David Ulevitch <davidu@everydns.net>
Subject: take a look at that
Date: Thu, 9 Feb 2017 00:08:49 +0000
Message-ID: <1514273443.20170209030849@cziczatka.com>
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0016_017DBA64.1747A7CE"
Content-Language: en-gb
MIME-Version: 1.0
X-SA-Do-Not-Run: Yes
X-AV-Do-Run: Yes
X-SA-Exim-Connect-IP: 117.243.182.154
X-SA-Exim-Mail-From: wolfgang@cziczatka.com
X-SA-Exim-Scanned: No (on mx21lb.world4you.com); SAEximRunCond expanded to false
------=_NextPart_000_0016_017DBA64.1747A7CE
Message 2)
Delivered-To: a.harrowell@gmail.com
Received: by 10.80.169.228 with SMTP id n91csp50480edc;
        Wed, 8 Feb 2017 16:14:21 -0800 (PST)
X-Received: by 10.28.135.82 with SMTP id j79mr18959559wmd.19.1486599261495;
        Wed, 08 Feb 2017 16:14:21 -0800 (PST)
Return-Path: <info@ocreschauvin.fr>
Received: from smtp.nfrance.com (smtp-4.nfrance.com. [80.247.229.46])
        by mx.google.com with ESMTPS id f124si4142408wmd.153.2017.02.08.16.14.21
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Feb 2017 16:14:21 -0800 (PST)
Received-SPF: neutral (google.com: 80.247.229.46 is neither permitted
nor denied by best guess record for domain of info@ocreschauvin.fr)
client-ip=80.247.229.46;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 80.247.229.46 is neither permitted nor
denied by best guess record for domain of info@ocreschauvin.fr)
smtp.mailfrom=info@ocreschauvin.fr
Received: from tqzb-PC (unknown [197.45.161.242]) (using TLSv1.2 with
cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
certificate requested) by smtp.nfrance.com (Postfix) with ESMTPSA id
28E1612D7A7; Thu,
  9 Feb 2017 01:14:18 +0100 (CET)
From: Owen DeLong <info@ocreschauvin.fr>
To: Brian Mengel <bmengel@gmail.com>, Andrew Latham
<lathama@gmail.com>, Alexander Harrowell <a.harrowell@gmail.com>,
"Anne P. Mitchell Esq." <amitchell@isipp.com>
Subject: do you have any ideas?
Date: Thu, 9 Feb 2017 06:14:13 +0600
Message-ID: <1846552645.20170209031413@ocreschauvin.fr>
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_005C_010D479E.32101F4A"
Content-Language: en-us
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.78 on 80.247.229.46
------=_NextPart_000_005C_010D479E.32101F4A
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
------=_NextPart_000_005C_010D479E.32101F4A
------=_NextPart_000_005C_010D479E.32101F4A--
On Fri, Feb 10, 2017 at 5:46 PM, Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
> Or a nanog member might be infected and the malware is scraping his
> mailbox for bogus froms.  Got headers?
>
> On 10/02/17, 9:40 AM, "NANOG on behalf of Alexander Harrowell" <
> nanog-bounces@nanog.org on behalf of a.harrowell@gmail.com> wrote:
>
>     I'm getting suspicious e-mail pretending to come from leading
>     NANOGers. Not the first time this has happened, but you may want to be warned.
>
>     Yours,
>
>     Alex Harrowell
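As an added triage example that is not part of this thread, the Python below runs the pattern Alexander and Elizabeth describe over trimmed copies of the two header sets he posted: a known contact's display name paired with an address that contact has never used, a non-pass SPF result, and a "-PC" workstation submitting through an authenticated relay. The contact directory and Owen DeLong's placeholder address are constructed assumptions, not data from the page.

```python
import re
from email.utils import parseaddr
# Constructed directory from this thread; Owen DeLong's real address is not
# on the page, so an obvious placeholder stands in for it.
KNOWN_CONTACTS = {"brandon galbraith": {"brandon.galbraith@gmail.com"},
                  "owen delong": {"owen.delong@example.invalid"}}
HEADER_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")
HELO_RE = re.compile(r"(?:helo=|from )([\w.-]+)")   # Exim helo= / Postfix from
# Trimmed headers from Alexander's Message 1 and 2, keeping the continuation
# lines that lost their leading whitespace when they were pasted.
MSG1 = """\
Received-SPF: pass (google.com: domain of wolfgang@cziczatka.com designates 81.19.149.131 as permitted sender)
Received: from [117.243.182.154] (helo=dydt-PC) by
mx21lb.world4you.com with esmtpsa (Exim 4.84_2) (envelope-from
<wolfgang@cziczatka.com>) id 1cbcIF-0005OX-87; Thu, 09 Feb 2017 01:09:00 +0100
From: Brandon Galbraith <wolfgang@cziczatka.com>
"""
MSG2 = """\
Received-SPF: neutral (google.com: 80.247.229.46 is neither permitted
nor denied by best guess record for domain of info@ocreschauvin.fr)
Received: from tqzb-PC (unknown [197.45.161.242]) by smtp.nfrance.com (Postfix)
From: Owen DeLong <info@ocreschauvin.fr>
"""
def unfold(raw):
    # Header block -> {name: [values]}; a line that does not start a new
    # header is glued onto the previous value, whatever its indentation.
    hdrs, last = {}, None
    for line in raw.splitlines():
        if m := HEADER_RE.match(line):
            last = hdrs.setdefault(m.group(1).lower(), [])
            last.append(m.group(2))
        elif last:
            last[-1] += " " + line.strip()
    return hdrs

def triage(raw):
    hdrs = unfold(raw)
    name, addr = parseaddr(hdrs["from"][0])
    spf = hdrs["received-spf"][0].split()[0].lower()
    hop = hdrs["received"][-1]          # innermost Received: = submitting client
    helo_name = m.group(1) if (m := HELO_RE.search(hop)) else ""
    ip = m.group(1) if (m := re.search(r"\[(\d+(?:\.\d+){3})\]", hop)) else None
    findings = []
    if addr.lower() not in KNOWN_CONTACTS.get(name.strip().lower(), {addr.lower()}):
        findings.append(f"display-name spoof: '{name}' via {addr}")
    if spf != "pass":
        findings.append(f"spf={spf}")
    if helo_name.endswith("-PC"):       # workstation submitting via a relay
        findings.append(f"workstation {helo_name} at {ip}")
    return {"from": addr, "client_ip": ip, "findings": findings}
```

Message 1 passes SPF because it was submitted through the sending domain's own relay, so the display-name check is the signal that survives there; Message 2 adds the neutral SPF result on top of it.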