----- Forwarded message from Rick Moen <rick(a)linuxmafia.com> -----
Date: Sat, 21 Nov 2020 12:41:28 -0800
From: Rick Moen <rick(a)linuxmafia.com>
To: Al <aw009(a)sunnyside.com>
Cc: Michael Paoli <Michael.Paoli(a)cal.berkeley.edu>
Subject: Re: Fwd: cooperation
I'm going to also send this to balug-admin for collective knowledge.
Quoting Al Whaley (aw009(a)sunnyside.com):
> Rick,
> this one caught my eye... it seems to have gone through mailman on
> linuxmafia for the SFLUG mailing list.
_Sort_ of, but mostly not.
You as a listadmin for the SF-LUG mailing list receive copies from
Mailman of outside mail addressed to the sf-lug-owner(a)linuxmafia.com
alias (note -owner suffix). If the initial MTA defences don't reject
the inbound mail to that role alias address, then it'll get out to the
listadmins, i.e., to you + me + Jim Stockford (the SF-LUG list's
three-person listadmin roster).
If you check full headers, you'll find that the 419 scam mail
originated from Microsoft Hotmail IP address 40.92.51.100. See these
Received headers for that initial information:
From mailman-bounces(a)linuxmafia.com Sat Nov 21 09: 9:52 2020
Return-path: <mailman-bounces(a)linuxmafia.com>
Envelope-to: rick(a)linuxmafia.com
Delivery-date: Sat, 21 Nov 2020 09:09:52 -0800
Received: from localhost ([127.0.0.1] helo=linuxmafia.com)
by linuxmafia.com with esmtp (Exim 4.72)
(envelope-from <mailman-bounces(a)linuxmafia.com>)
id 1kgWOV-0005CC-Vj; Sat, 21 Nov 2020 09:09:52 -0800
Received: from mail-db8eur06olkn2100.outbound.protection.outlook.com
([40.92.51.100]
helo=EUR06-DB8-obe.outbound.protection.outlook.com)
by linuxmafia.com with esmtp (Exim 4.72)
(envelope-from <jmpumjzzjjsxssvvvzzz(a)hotmail.com>)
id 1kgWOQ-0005C3-Vq; Sat, 21 Nov 2020 09:09:50 -0800
Grepping the MTA logs for that IP....
linuxmafia:/var/log/exim4# zgrep 40.92.51.100 mainlog*
mainlog:2020-11-21 09:09:50 1kgWOQ-0005C3-Vq SA: Action: scanned but message isn't spam: score=0.8 required=4.0 (scanned in 3/3 secs | Message-Id: 1kgWOQ-0005C3-Vq). From <jmpumjzzjjsxssvvvzzz(a)hotmail.com> (host=mail-db8eur06olkn2100.outbound.protection.outlook.com [40.92.51.100]) for sf-lug-owner(a)linuxmafia.com, sf-lug(a)linuxmafia.com
mainlog:2020-11-21 09:09:50 1kgWOQ-0005C3-Vq <= jmpumjzzjjsxssvvvzzz(a)hotmail.com H=mail-db8eur06olkn2100.outbound.protection.outlook.com (EUR06-DB8-obe.outbound.protection.outlook.com) [40.92.51.100] P=esmtp S=8365 id=AM6PR08MB424596EC3D85FB4BE09C3DD6CDFE0(a)AM6PR08MB4245.eurprd08.prod.outlook.com
linuxmafia:/var/log/exim4#
...you can see that the SMTP session, i.e., the SMTP envelope
information embodied in the SMTP delivery conversation, must have contained
MAIL FROM: <jmpumjzzjjsxssvvvzzz(a)hotmail.com>
RCPT TO: <sf-lug-owner(a)linuxmafia.com>
RCPT TO: <sf-lug(a)linuxmafia.com>
Measured spamicity (0.8) at receiving MTA level was nowhere near high
enough for my MTA to reject (4.0), because this really _was_ from a
Hotmail user, and the mail's body text was not sufficiently spammy to a
degree that automated MTA-level spamd scanning for garbage adjudged
processed meat, so this 419 scam mail got passed along to the Mailman
MLM. Mailman passed through the copy _back_ to the MTA that was
addressed out to the listadmins, _but_ by contrast lodged the direct
mailing list copy in Mailman's admin queue for sf-lug(a)linuxmafia.com,
whence it will expire out in five days and then automatically get thrown
away.
Why in the MLM admin queue? Two reasons:
1. Since in this case the scam mail's internal SMTP headers were
'implicitly addressed', i.e., there were no To: or Cc: addresses
whatsoever inside the message proper, only SMTP envelope addressees
(outside the message proper), Mailman will never send such mail out to
subscribers, on account of Mailman's built-in filter blocking all
'implicitly addressed' mail. I.e., Mailman requires that valid mail to
subscribers specify on either the internal To: header or the internal CC:
header the mailing list's direct address or an alias the listadmins have
specified inside the admin WebUI. If that header is _not_ present, the
message deterministically lodges in the admin queue, flagged as
'implicitly addressed'.
2. Also, it didn't originate from a subscriber, hence would (for that
reason as well) have been intercepted and held as being from a
non-subscribed address.
> it's not in the archives so I'm assuming it didn't go out to
> everyone, unless you deleted it, and it wasn't marked
> as being sent for moderation...
> what am I missing here?
Naturally, I would love for inbound junkmail filtering to reject even
more than it already does, but, frankly, linuxmafia.com system-level
spam-rejection is already quite good. Diminishing returns and false
positives rapidly become a problem as one tries to make MTA spam
immune response even better.
Where I sit, it seems to me it's a fact of life that being a Mailman
addressee on any [listname]-owner aliases _is_ going to get you
increased MLM-mediated spam because of being a member of that alias, as
additional protections covering MLM subscribers simply don't apply to
that admin-role alias address.
Speaking of that, I believe it's past time that I remove Jim Stockford
(i.e., jim(a)well.com) from the sf-lug-owner(a)linuxmafia.com roster, and
I'm going to do that right now.
I realised I probably needed to get around to that, about a year or so
ago, when he was _publicly_ claiming on the SF-LUG mailing list that
linuxmafia.com is an SMTP spam source, very likely because of having
received some amount of junkmail via the sf-lug-owner alias. (His
public accusation was, however, _unbelievably_ vague, so I couldn't
investigate his claim.)
You, by contrast, did exactly the right thing in asking me rather than
going on a public accusation campaign, so the comparison is night and
day. That distinction having been made, to this day I resent Jim's
(false) public accusation, and the only thing that mitigates it is that,
for unclear personal reasons, Jim has been lately unable to discharge
his responsibilities.
I didn't want to delete him from the roster in haste, since Jim founded
the group, and supposedly solemnly committed to being _the_ listadmin
responsible for it, (but has never actually done the job, over the
entire 15-year period I've given SF-LUG temporary mailing list hosting,
pending them getting their server running again -- which never
happened).
Done. jim(a)well.com is now omitted from the SF-LUG listadmin roster.
(Just for the record: This means that the _sole_ requirement I insisted
on, before being willing to grant SF-LUG temporary mailing list hosting
to help after whatever mysterious failure destroyed SF-LUG's -own-
mailing list server in late 2005 -- the requirement that Jim shoulder
listadmin duties so I don't have my workload increased by SF-LUG's
presence on my server -- has been continuously in default from that day
in December 2005 to the present.)
----- End forwarded message -----
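The two hold reasons Rick describes (implicit addressing, and posting from a non-subscribed address) and the contrast with the unfiltered -owner alias, as an added example. This is a simplified model written for this thread, not Mailman's own code and not anything from linuxmafia.com; the subscriber roster, listadmin roster, envelope values and both sample messages are constructed, and the choice of the From: header as the posting address is an assumption.

```python
"""Added example (not Mailman's code, not from the post): a simplified model
of why the sf-lug copy of a message is held in the admin queue while the
-owner copy goes straight out to the listadmins."""
import email
from email.utils import getaddresses

# Constructed sample modelled on the 419 mail in the post: the message proper
# carries no To: or Cc: header at all; the recipients exist only in the SMTP
# envelope (hypothetical envelope values, not the real session).
IMPLICIT_MESSAGE = b"""\
From: sender@hotmail.example
Subject: cooperation
Date: Sat, 21 Nov 2020 17:09:50 +0000

Dear friend, I have a confidential business proposal for you.
"""
IMPLICIT_ENVELOPE = {
    "mail_from": "sender@hotmail.example",
    "rcpt_to": ["sf-lug-owner@linuxmafia.com", "sf-lug@linuxmafia.com"],
}

# A normal subscriber post for comparison: the list address is on To:.
MEMBER_MESSAGE = b"""\
From: alice@example.org
To: sf-lug@linuxmafia.com
Subject: meeting notes

Notes from last week are on the wiki.
"""
MEMBER_ENVELOPE = {"mail_from": "alice@example.org",
                   "rcpt_to": ["sf-lug@linuxmafia.com"]}

LIST_ADDRESS = "sf-lug@linuxmafia.com"
ACCEPTABLE_ALIASES = set()                                 # listadmin-configured aliases (none assumed)
SUBSCRIBERS = {"alice@example.org", "bob@example.net"}     # constructed roster
LISTADMINS = {"admin1@example.com", "admin2@example.com"}  # constructed -owner roster


def header_recipients(msg):
    """Every address named inside the message proper (To: and Cc:)."""
    raw = msg.get_all("to", []) + msg.get_all("cc", [])
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def hold_reasons(raw_message, envelope, list_address=LIST_ADDRESS,
                 aliases=ACCEPTABLE_ALIASES, subscribers=SUBSCRIBERS):
    """Return the reasons the list copy would be parked in the admin queue."""
    msg = email.message_from_bytes(raw_message)
    reasons = []
    # Reason 1: implicit destination. The list address (or an accepted alias)
    # must appear on To: or Cc:; SMTP envelope recipients do not count.
    wanted = {list_address.lower()} | {a.lower() for a in aliases}
    if not header_recipients(msg) & wanted:
        reasons.append("implicitly addressed")
    # Reason 2: non-member posting. The From: header is taken as the posting
    # address (an assumption of this example); envelope sender is the fallback.
    poster = ""
    if msg.get("from"):
        poster = getaddresses([msg["from"]])[0][1]
    poster = (poster or envelope["mail_from"]).lower()
    if poster not in {s.lower() for s in subscribers}:
        reasons.append("non-member posting")
    return reasons


def dispatch(raw_message, envelope, list_address=LIST_ADDRESS,
             subscribers=SUBSCRIBERS, listadmins=LISTADMINS):
    """Decide what happens to each envelope recipient: the -owner alias is a
    plain alias and gets none of the list-level filtering; the list address does."""
    local, domain = list_address.lower().split("@")
    owner_alias = f"{local}-owner@{domain}"
    outcome = {}
    for rcpt in envelope["rcpt_to"]:
        if rcpt.lower() == owner_alias:
            outcome[rcpt] = ("deliver", sorted(listadmins))
        elif rcpt.lower() == list_address.lower():
            reasons = hold_reasons(raw_message, envelope, list_address,
                                   subscribers=subscribers)
            if reasons:
                outcome[rcpt] = ("hold", reasons)
            else:
                outcome[rcpt] = ("deliver", sorted(subscribers))
        else:
            outcome[rcpt] = ("unknown", [])
    return outcome


if __name__ == "__main__":
    for name, (m, e) in {"scam": (IMPLICIT_MESSAGE, IMPLICIT_ENVELOPE),
                         "member": (MEMBER_MESSAGE, MEMBER_ENVELOPE)}.items():
        print(name, dispatch(m, e))
```

Running it shows the split Rick describes: the -owner copy is delivered to the admin roster regardless of content, while the list copy of the same message is held with both reasons, and the member's properly addressed post goes out to subscribers.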
I get emails ... <sigh>
... seems to be a lot 'o these goin' around:
Threat/extortion emails (mostly all bark no or negligible bite).
Seems they're probably targeting those more probable to fall for it,
e.g. smaller businesses and such that aren't particularly tech savvy,
... not that their targeting is particularly accurate, but maybe at
least what they aim for by the content of their email.
Trimmed and redacted for brevity, etc., both of these from same IP:
------------------------------------------------------------------------
Received: from dedi.coronaxy.com ([185.198.58.92]:38380)
by balug-sf-lug-v2.balug.org
for <balug-announce(a)lists.balug.org>; Tue, 27 Oct 2020 04:41:53 +0000
To: balug-announce(a)lists.balug.org
Date: Tue, 27 Oct 2020 04:41:34 +0000
From: Patrick Wilson <patrick-wilson(a)coronaxy.com>
Subject: Your website www.balug.org has been hacked
We are the Cozy Bear and we have chosen www.balug.org as target for
our next DDoS attack.
Your network will be subject to a DDoS attack starting at 2020
November 2nd (Monday).
THIS IS NOT A HOAX, and to prove it right now we will start a small
attack on www.balug.org that will last for 30 minutes.
This means that your website, e-mail and other connected services will
be unavailable for everyone.
We will refrain from attacking your servers for a small fee.
The current fee is $1200(USD) in bitcoins (BTC). The fee will increase
by 1000 USD for each day after deadline that passed without payment.
Please send Bitcoin to the following Bitcoin address (cAsE-SeNsitIve):
[REDACTED]
If you decide not to pay, we will start the attack on the indicated
date and uphold it until you do, there's no counter measure to this,
you will only end up wasting more money trying to find a solution
(Cloudflare, Sucuri, Imperva and similar services are useless, because
we will hit your network directly).
We will completely destroy your reputation and make sure your services
will remain offline until you pay.
We will also download your database and do as much damage as possible.
Once you have paid we won't start the attack and you will never hear
from us again.
------------------------------------------------------------------------
From <elijah-martin(a)coronaxy.com> Tue Oct 27 17:35:38 2020
Received: from dedi.coronaxy.com ([185.198.58.92]:56414)
for <balug-announce-owner(a)lists.balug.org>; Tue, 27 Oct 2020 17:35:38 +0000
To: balug-announce-owner(a)lists.balug.org
Date: Tue, 27 Oct 2020 17:35:16 +0000
From: Elijah Martin <elijah-martin(a)coronaxy.com>
Subject: If www.balug.org is important to you, you must read this
We have hacked your website(s) www.balug.org and extracted your databases.
We will systematically go through a series of steps of totally
damaging your reputation. First your database will be leaked or sold
to the highest bidder which they will use with whatever their
intentions are. Next if there are e-mails found they will be e-mailed
that their information has been sold or leaked and your site
www.balug.org was at fault thusly damaging your reputation and having
angry customers/associates with whatever angry customers/associates
do. Lastly any links that you have indexed in the search engines will
be de-indexed based off of blackhat techniques that we used in the
past to de-index our targets.
How do I stop this?
We are willing to refrain from destroying your site's reputation for a
small fee. The current fee is $1050(USD) in bitcoins (BTC).
Please send the bitcoin to the following Bitcoin address (Copy and
paste as it is case sensitive):
[REDACTED]
If you decide not to pay, we will start the attack at the indicated
date and uphold it until you do, there's no counter measure to this,
you will only end up wasting more money trying to find a solution. We
will completely destroy your reputation amongst google and your
customers.
This is not a hoax, do not reply to this email, don't try to reason or
negotiate, we will not read any replies. Once you have paid we will
stop what we were doing and you will never hear from us again!
------------------------------------------------------------------------
And yes, simple Internet search to confirm, and many such threats being
emailed about.
Maybe if I get bored and have some time some day, I'll put in an
anti-spam filter to specifically reject these upon attempted delivery
during the SMTP phase ... maybe with reject message/diagnostic
including something along the lines of:
Due to overwhelming request volume, we are no longer able to accept
ransomware/blackmail/threat requests for payment via email.
We do however, still accept such requests via USPS mail.
For prompt attention to your request, please send it via USPS to:
<automatically inserted email address they attempted to> c/o
ref: <automatically inserted reference on failed email attempt>
FBI: ATTN: ransomware/blackmail/threat requests for payment
<address>
USA
Thank you for your cooperation on these matters to help ensure prompt
attention by those relevant and responsible for handling your request.
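The SMTP-phase rejection floated above, as an added example of the content-scoring side of such a filter. This is not from the post and not balug.org's configuration: the indicator list, weights and threshold are this example's own choices, and both sample messages are constructed (the extortion one modelled on the two quoted above, with a made-up placeholder in place of a wallet address). The scoring would be called from the MTA at the DATA stage; wiring it into Exim is outside what is shown here.

```python
"""Added example (not from the post, not balug.org's configuration): scoring
logic for ransom-DDoS / fake-breach extortion mail of the kind quoted above,
suitable for an MTA to consult at the DATA stage and reject with a 5xx."""
import re

# Constructed sample modelled on the two quoted messages; the "address" is a
# made-up placeholder in base58 form, not a real wallet.
SAMPLE_EXTORTION = """\
Subject: Your website www.example.org has been hacked

We have chosen www.example.org as target for our next DDoS attack.
THIS IS NOT A HOAX. We will refrain from attacking your servers for a
small fee. The current fee is $1200(USD) in bitcoins (BTC). The fee will
increase by 1000 USD for each day after deadline that passed without payment.
Please send Bitcoin to the following Bitcoin address (case sensitive):
1ExamPLEExamPLEExamPLEExamPLE
If you decide not to pay we will start the attack, there's no counter
measure to this. Do not reply to this email.
"""

# A constructed legitimate announcement for comparison.
SAMPLE_ANNOUNCE = """\
Subject: BALUG meeting Tuesday

Reminder: this month's meeting is Tuesday at 7pm. Bring questions about
your Linux setup; we will talk about mail server hardening and backups.
"""


def _ci(pattern):
    return re.compile(pattern, re.IGNORECASE)


# (name, weight, compiled pattern). Weights and threshold are this example's
# own choices, not tuned values from any deployed filter.
INDICATORS = [
    ("ddos_threat",         2, _ci(r"\bddos\b")),
    ("breach_claim",        2, _ci(r"\bhacked\b|extracted your database|database will be leaked")),
    ("crypto_payment",      1, _ci(r"\b(bitcoin|btc)\b")),
    ("fee_demand",          2, _ci(r"\bfee\b[^\n]*(\busd\b|\$\s?\d)")),
    # Case-sensitive on purpose: base58 excludes 0, O, I and l, and bech32 is lowercase.
    ("btc_address",         3, re.compile(r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")),
    ("not_a_hoax",          1, _ci(r"not a hoax")),
    ("no_negotiation",      1, _ci(r"do not reply|counter\s*measure|will not read any replies")),
    ("deadline_escalation", 1, _ci(r"increase by \d+ usd for each day")),
]
REJECT_THRESHOLD = 5


def extortion_indicators(text):
    """Return {indicator_name: weight} for every indicator present in the text."""
    return {name: weight for name, weight, rx in INDICATORS if rx.search(text)}


def extortion_score(text):
    return sum(extortion_indicators(text).values())


def smtp_verdict(text, threshold=REJECT_THRESHOLD):
    """None to accept; otherwise the 5xx reply text an MTA would send at DATA
    time. Rejecting inside the SMTP session keeps the message out of local
    queues and mailboxes, and a rare false positive produces a bounce the
    real sender actually sees, rather than silent loss."""
    hits = extortion_indicators(text)
    score = sum(hits.values())
    if score < threshold:
        return None
    return ("550 5.7.1 Message rejected: extortion-pattern score "
            f"{score} >= {threshold} ({', '.join(sorted(hits))})")


if __name__ == "__main__":
    for label, sample in (("extortion", SAMPLE_EXTORTION), ("announce", SAMPLE_ANNOUNCE)):
        print(label, extortion_score(sample), smtp_verdict(sample))
```

The threshold is set so that a single stray word ("fee" in an announcement, "hacked" in a discussion of a breach) cannot trigger rejection; it takes a threat plus a payment demand, or a wallet-shaped token plus a demand, to cross it. Any real deployment should log the hits alongside the Exim message id so false positives can be reviewed the same way Rick reviewed the SpamAssassin score above.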
Dropping larryp(a)inow.com from the forwarding aliases.
inow.com has two NS, neither of which function.
Let me know if/when I should add it back.
----- Forwarded message from Mailer-Daemon(a)balug.org -----
Date: Sat, 01 Aug 2020 09:16:03 +0000
From: "Mail Delivery System" <Mailer-Daemon(a)balug.org>
Reply-To: postmaster(a)balug.org
Subject: Mail delivery failed: returning message to sender
To: Michael.Paoli(a)cal.berkeley.edu
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
larryp(a)inow.com
(generated from balug-contact(a)balug.org)
Unrouteable address
----- End forwarded message -----