Hi All:
I received an E-mail with an attachment claiming something
on my network is infected and that I should look at the
attachment to find out what.
Normally I think everything with an attachment is phishing
to get me to run malware but:
#1: The sites linked to in it seem to be legit German
government websites based on Wikipedia entries that
haven't changed in several years.
(Looked at archive.org)
#2: The attachment is a .txt file which I've normally
assumed to be safe.
#3: None of the usual dead giveaways that most phishing
E-mails have.
If it is a phishing E-mail it has got to be the cleverest
one I've ever seen, though someone would try to be clever
considering the target would be holders of IP blocks.
I right-clicked and checked properties to make sure the
attached ip_addresses.txt file really is a text file and
not some fancy trickery with reverse direction characters
(as seen in "Hackers Are Trying Something New (Again) - Watch Out!" on YouTube).
I tried poking around to see if there was some vulnerability
in notepad (or some versions of it) that I didn't know about
and only found a vulnerability in the text editor on Macs
but nothing with Windows Notepad.
The other thing I felt was a bit off is that the originating
mail server is in Deutsche Telekom AG space and not IP Space
registered to the German government. I'm thinking someone
could rent some IP space from Deutsche Telekom AG with a
connection to them in a data center and get the DNS delegated
to them so they could set the reverse DNS to whatever they want.
A lot of effort to try to look legit by coming out of Germany
and having a government domain in the reverse DNS to look like
a plausible legit outsourcing, but again, network operators are
the target audience, so the normal tricks that work on the
general public won't work with this group, so I can see someone
going that far.
I'll attach the E-mail below with all headers. Has anyone
else gotten these? Is there some security risk opening it
in Windows Notepad that I don't know about or is it actually
safe to open this?
Return-Path: <abuse@cyber.bka.de>
Delivered-To: [REDACTED]
Received: from ezp08-pco.easydns.vpn ([10.5.10.148])
by ezb03-pco.easydns.vpn with LMTP
id oCfeBO/yEmTokhgAzaFxkQ
(envelope-from <abuse@cyber.bka.de>)
for <[REDACTED]>; Thu, 16 Mar 2023 10:43:59 +0000
Received: from smtp.easymail.ca ([127.0.0.1])
by ezp08-pco.easydns.vpn with LMTP
id WCB5BO/yEmSHdgEABcrfzg
(envelope-from <abuse@cyber.bka.de>); Thu, 16 Mar 2023 10:43:59 +0000
Received: from localhost (localhost [127.0.0.1])
by smtp.easymail.ca (Postfix) with ESMTP id 0DC85557DF
for <arin@ve4.ca>; Thu, 16 Mar 2023 10:43:59 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at ezp08-pco.easydns.vpn
X-Spam-Flag: NO
X-Spam-Score: 0.075
X-Spam-Level:
X-Spam-Status: No, score=0.075 required=4 tests=[BAYES_00=-1.9,
DEAR_SOMETHING=1.973, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from smtp.easymail.ca ([127.0.0.1])
by localhost (ezp08-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id d0XbPteZN-Io for <arin@ve4.ca>;
Thu, 16 Mar 2023 10:43:55 +0000 (UTC)
Received: from mail.cyber.bka.de (mail.cyber.bka.de [80.146.190.22])
by smtp.easymail.ca (Postfix) with ESMTPS id 0BC0C557DC
for <arin@ve4.ca>; Thu, 16 Mar 2023 10:43:54 +0000 (UTC)
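The Received chain above can be walked mechanically rather than by eye. The following Python is an added example, not code from the post or from any of the organisations named in it: it unfolds the headers, lists the hops oldest-first, picks out the first hop that arrived from a publicly routable address, and compares the receiving server's reverse lookup of that address with the envelope sender's domain. It also checks a filename for the bidirectional override characters the post mentions and reports the extension the OS would actually act on. The sample input is the header block from the post (abridged, recipient still redacted), re-indented because folded header lines must begin with whitespace and the forum copy dropped it; the filenames in the usage are constructed.

```python
import ipaddress
import re
import unicodedata

# Sample input: the Received chain from the post above, abridged. Continuation
# lines are tab-indented here because RFC 5322 folding requires it.
SAMPLE_HEADERS = """\
Return-Path: <abuse@cyber.bka.de>
Delivered-To: [REDACTED]
Received: from ezp08-pco.easydns.vpn ([10.5.10.148])
\tby ezb03-pco.easydns.vpn with LMTP
\tid oCfeBO/yEmTokhgAzaFxkQ
\t(envelope-from <abuse@cyber.bka.de>)
\tfor <[REDACTED]>; Thu, 16 Mar 2023 10:43:59 +0000
Received: from smtp.easymail.ca ([127.0.0.1])
\tby ezp08-pco.easydns.vpn with LMTP
\tid WCB5BO/yEmSHdgEABcrfzg
\t(envelope-from <abuse@cyber.bka.de>); Thu, 16 Mar 2023 10:43:59 +0000
Received: from localhost (localhost [127.0.0.1])
\tby smtp.easymail.ca (Postfix) with ESMTP id 0DC85557DF
\tfor <arin@ve4.ca>; Thu, 16 Mar 2023 10:43:59 +0000 (UTC)
X-Spam-Flag: NO
Received: from smtp.easymail.ca ([127.0.0.1])
\tby localhost (ezp08-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id d0XbPteZN-Io for <arin@ve4.ca>;
\tThu, 16 Mar 2023 10:43:55 +0000 (UTC)
Received: from mail.cyber.bka.de (mail.cyber.bka.de [80.146.190.22])
\tby smtp.easymail.ca (Postfix) with ESMTPS id 0BC0C557DC
\tfor <arin@ve4.ca>; Thu, 16 Mar 2023 10:43:54 +0000 (UTC)
"""

FROM_RE = re.compile(r"^from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?", re.I)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[([0-9A-Fa-f.:]+)\]")


def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """Return the hops oldest-first as dicts: helo, rdns, ip, by, when."""
    hops = []
    for line in unfold(raw):
        name, sep, value = line.partition(":")
        if not sep or name.lower() != "received":
            continue
        value = value.strip()
        m_from, m_by = FROM_RE.match(value), BY_RE.search(value)
        paren = (m_from.group("paren") or "") if m_from else ""
        m_ip = IP_RE.search(paren)
        hops.append({
            "helo": m_from.group("helo") if m_from else None,  # chosen by the sender
            "rdns": paren.split("[")[0].strip() or None,        # looked up by the receiver
            "ip": m_ip.group(1) if m_ip else None,               # recorded by the receiver
            "by": m_by.group("by") if m_by else None,
            "when": value.rsplit(";", 1)[1].strip() if ";" in value else None,
        })
    hops.reverse()  # each relay prepends its header, so the last one is the oldest
    return hops


def first_external_hop(raw):
    """Earliest hop whose connecting address is publicly routable.

    Hops before it (10.x, 127.0.0.1) are the receiving provider's own relays
    and scanners; this is the hop whose IP and reverse lookup deserve scrutiny.
    """
    for hop in parse_received(raw):
        try:
            if hop["ip"] and ipaddress.ip_address(hop["ip"]).is_global:
                return hop
        except ValueError:
            continue
    return None


def envelope_sender_domain(raw):
    for line in unfold(raw):
        if line.lower().startswith("return-path:"):
            m = re.search(r"<[^@>]+@([^>]+)>", line)
            return m.group(1).lower() if m else None
    return None


def rdns_consistent_with_sender(raw):
    """True when the receiver's reverse lookup of the first external IP lies in
    the envelope sender's domain. A consistency check, not proof of ownership."""
    hop, domain = first_external_hop(raw), envelope_sender_domain(raw)
    if not hop or not hop["rdns"] or not domain:
        return False
    rdns = hop["rdns"].lower().rstrip(".")
    return rdns == domain or rdns.endswith("." + domain)


# Unicode bidirectional controls that can make a rendered name differ from
# the logical string the OS uses to pick a handler.
BIDI_CONTROLS = {"\u200e", "\u200f", "\u202a", "\u202b", "\u202c", "\u202d",
                 "\u202e", "\u2066", "\u2067", "\u2068", "\u2069"}


def filename_report(name):
    """Flag bidi controls in a filename and report the extension the OS sees."""
    controls = [(i, unicodedata.name(c)) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    logical = "".join(c for c in name if c not in BIDI_CONTROLS)
    ext = logical.rsplit(".", 1)[1].lower() if "." in logical else ""
    return {"controls": controls, "true_extension": ext, "clean": not controls}


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_HEADERS):
        print(hop)
    print("first external hop:", first_external_hop(SAMPLE_HEADERS))
    print("rDNS within sender domain:", rdns_consistent_with_sender(SAMPLE_HEADERS))
    print(filename_report("ip_addresses.txt"))            # constructed, clean
    print(filename_report("ip_addresses\u202etxt.exe"))   # constructed, flagged
```

Only the hop written by a server you trust tells you where the message really came from: here that is the Received line smtp.easymail.ca added for the connection from 80.146.190.22. The name after `from` is whatever the connecting host announced, while the bracketed address and the name in parentheses were recorded by the receiver. Agreement between that reverse lookup and the envelope sender's domain is exactly the consistency the post noticed; who controls the address block is a separate question that the headers alone cannot settle.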