Skip to main content

Posts

Showing posts with the label spam

Chop That Dollar

Its been quite some time since I've received a 419 spam message in my inbox. But - like matter itself - 419 never dies - only changes form. I found the message below in my inbox this morning. I was pleased to note that the message originated from Yahoo, and contained several classic red flags for spam that even the neophyte mail server admin knows to watch out for, like from & reply-to headers with different different domains. This is the kind of l33t security I've come to expect from Yahoo. But hey, the Russians did it , and no one can be expected to secure their customers from state sponsored attacks. Susan here is no doubt a member of Nigeria's elite NIA . From: Susan ***** desmondwilliams614 yahoo.com Subject: Hello, Date: Sat, 18 Mar 2017 12:12:52 +0000 (UTC) Reply-To: desmondwilliams614 yahoo.com Susan ***** deswill0119 yahoo.fr Hello, Greetings. With warm heart I offer my friendship and greetings, and I hope that this mail will meets you in good time. Ho...

Email server using amavisd-new fails with (!)DENIED ACCESS from IP 1.2.3.4, policy bank ''

I have used ClamAV and Spamassassin for many years. I've had a less experience with Amavis (now amavisd-new), but I've decided to give it a try with a new mail server deployment I've been working on. As a reference for my install, I relied on the documentation provided by Amavis for integration with Postfix  as well as a somewhat-outdated but still-relevant walkthrough published by CentOS . Prior to integration with amavisd, Postfix worked fine. Similarly, I had no issues with Spamassassin on its own. But once I finished my install of amavisd-new, things quickly went wrong. Attempting to send messages to accounts hosted on my email server resulted in the following chaing of errors in my maillog: Jan 13 18:17:34 hostname amavis[31578]: Net::Server: 2016/01/13-18:17:34 CONNECT TCP Peer: "[192.168.1.1]:40209" Local: "[127.0.0.1]:10024" Jan 13 18:17:34 hostname amavis[31578]: loaded base policy bank Jan 13 18:17:34 hostname amavis[31578]: lookup_ip_...

Nasty little Dropbox phishing spam

This morning I received an interesting message from someone I haven't heard from in a while through email. The subject line was "FIND PDF COPY" (in all caps). Inside the body of the message, embedded within the normal garbage footer attached by their email client, was this: I may very well have gotten suckered into this one if it weren't for the all caps subject line. The person who ostensibly sent me this message is, somewhat ironically, the type of person to include all caps text in their email - but there was something a little too weird about the grammatical solipsism intrinsic to the phrase "FIND PDF COPY" even for this supposed sender. So I took the two seconds out of my day to hover my mouse over the link and, what would you know, dropbox was not the target at all. The link forwarded to "goto-saketen.com" instead. Just to be sure I took a look at the headers of the message. This did in fact come from the sender it claimed to, althou...

DocuSign Spam

Spam has been going out appearing as sourced from DocuSign. Examples are included below. According to DocuSign, this issue has been ongoing since at least as early as January 3rd . Recent activity has accelarted in the last week, with new evidence and examples coming to light. Stay safe out there.

Phishing Alert - NACHA Spam with BONUS: How to Read Headers to Identify the Source of Fraudulent Email

A few million of the emails below are making the rounds. The phishing emails attempt to be from NACHA, an ACH trade organization, and tell readers that a recent direct deposit was declined and to just DOWNLOAD THIS SOFTWARE to CLAIM YOUR FREE CASH NOW!!!11! NACHA itself is aware of the tomfoolery: The From: and Reply To: headers are both forged in this email. Because of this, I suspect that jamnaytac.com, who is included in the Reply To: but now the From: is going to be receiving some grief / spam complaints that have nothing to do with them. So who is responsible for this? Below I have included the email headers for this spam message. This one is mildly interesting because it makes some shallow attempts at being deceptive to a lazy reader. When reading headers, what we are interested in mostly are the Received: lines. Almost every other item (mouth breathers: note the almost) can be forged. Received: lines can be forged to, but only by adding lines that should not be ...

Weekly Links

Isn't it strange that the most successful sites aren't ones that produce content, but rather are gate keepers to the content of others? The phenomenon of network traffic is strangely circular - go to a website, click a link, from that site find a link, click it to find more links to click. I know you're not hear to read. You are here to CLICK. Well, never let it be said that I don't give my public what it wants. I'll try to make this minor aggregation a weekly event. Network World - Are the Spam Police Worse Than the Spammers? ("Spoiler Alert" - More so Every Day) Fierce Telecom - CenturyLink Goes 100G, Puts On Big Boy Pants Reason Magazine - Manipulating the Media For Fun and Profit Finally, CEI has brought to magnificent life Leonard Read’s 1958 essay "I, Pencil" - the concise work of genius that lead me to the study of economics - in the form of a beautiful short film. At a time when so many of us find it so difficult to appreciate th...

Windows 8 Rootkit Discovered in the Wild

That Was Quick Italian security consultants ITSEC discovered the security hole following an analysis of the Unified Extensible Firmware Interface (UEFI), a successor to the legacy BIOS firmware interface, that Microsoft began fully supporting with 64-bit versions of Windows 7. Tip of the Hat to The Register, linked above.  [EDIT: The article specifies the payload as a "bootkit". This was deliberately omitted on my part. The word "bootkit" strikes me as part of that trend to modify prefixes of words to make them ludicrously specific, like how Watergate became EverythingUnderTheSun-Gate. Its a cheap way to feign familiarity through reference. Is there a relevant disharmony between the terms bootloader and rootkit I'm ignoring? If so feel free to shine light on my ignorance via email or in the comments.] Since we are on the topic of hardware hacking, last week I caught a printer spamming - as in, a printer that was network available that had been compromis...