Spamming of NANOG list members

Hello NANOG Community,

It has come to our attention there are spamming messages being sent to members of the NANOG mail list spoofed to look as though they are coming from the NANOG organization. The messages being sent refer to NANOG Remittance, with an attachment containing a virus.

These messages are not flowing through NANOG servers, nor using the NANOG domain. They are not messages coming from the NANOG organization. Please be aware if you receive a message matching this description and always make sure to scan attachments for a virus.

Appreciate the warning!

> These messages are not flowing through NANOG servers, nor using the NANOG domain. They are not messages coming from the NANOG organization. Please be aware if you receive a message matching this description and always make sure to scan attachments for a virus.

The one I received looked like this:

From: "NANOG" <service@cegips.pl>

...

Has it been considered switching to "-all", instead of only "~all" in
the spf record?

$ dig +short +nocmd +nocomments TXT nanog.org
"v=spf1 include:_spf.google.com ip4:104.20.199.50 ip4:104.20.198.50 ip4:50.31.151.75 ip4:50.31.151.76 ip6:2001:1838:2001:8::19 ip6:2001:1838:2001:8::20 ip6:2400:cb00:2048:1::6814:c632 ip6:2400:cb00:2048:1::6814:c732 ~all"

  -Christoffer


The SPF record wouldn’t make a difference since that email was sent from @cegips.pl, not from @nanog.org. You’d have to change the SPF record for the cegips.pl domain to impact their ability to send from that address.
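To make the point above concrete, here is an added example (not from the thread) that evaluates the nanog.org SPF record quoted earlier against a sender IP, and separately flags the display-name spoof in the quoted From: header. The `TRUSTED_DOMAINS` map, the `203.0.113.7` sender address and the `include:` handling are assumptions for the example.

```python
"""Display-name spoofing vs. SPF: why -all on nanog.org would not have helped."""
import ipaddress
from email.utils import parseaddr

# The nanog.org SPF record as posted in the thread (dig output above).
NANOG_SPF = ("v=spf1 include:_spf.google.com ip4:104.20.199.50 ip4:104.20.198.50 "
             "ip4:50.31.151.75 ip4:50.31.151.76 ip6:2001:1838:2001:8::19 "
             "ip6:2001:1838:2001:8::20 ip6:2400:cb00:2048:1::6814:c632 "
             "ip6:2400:cb00:2048:1::6814:c732 ~all")

# Assumption: brand keyword that may appear in a display name -> legitimate domain.
TRUSTED_DOMAINS = {"nanog": "nanog.org"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, sender_ip):
    """Evaluate ip4:/ip6:/all mechanisms of one SPF record offline.
    include: mechanisms need DNS and are skipped here (assumption), so the
    result only reflects the literal address mechanisms in the record."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism.startswith(("ip4:", "ip6:")):
            # Mixed IPv4/IPv6 comparisons simply evaluate to False.
            if ip in ipaddress.ip_network(mechanism[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                          # record ended without an all term


def from_domain(from_header):
    """Split a From: header value into (display name, address domain)."""
    name, addr = parseaddr(from_header)
    return name, addr.rpartition("@")[2].lower()


def display_name_spoof(from_header):
    """True when the display name borrows a trusted brand but the address
    domain is not that brand's domain. SPF is checked by the receiver against
    the address domain (cegips.pl here), so nanog.org's record is never
    consulted for such a message, whatever its all qualifier is."""
    name, domain = from_domain(from_header)
    return any(brand in name.lower() and domain != legit
               for brand, legit in TRUSTED_DOMAINS.items())
```

Switching `~all` to `-all` changes the verdict for an unlisted IP from softfail to fail, but only for messages whose From/envelope domain is nanog.org.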

The one I received was from _rainphil.com_ and came with an ugly Trojan
attached as a PDF.

Has anyone else received this type or am I just fortunate?

Richard Golodner

Mine came 21 May. It was a .doc.

And it arrived oddly coincident with my visit to the cvent registration page. Any others who had that coincidence?

—Sandy

* sandy@tislabs.com (Sandra Murphy) [Fri 24 May 2019, 00:28 CEST]:

> And it arrived oddly coincident with my visit to the cvent registration page. Any others who had that coincidence?

No, and I've gotten like five by now.

  -- Niels.

So sheer coincidence. Literally.

—Sandy

Question: Is the member list with email addresses public?? Otherwise, one has to wonder how they got these addresses?

Anne

Anne P. Mitchell,
Attorney at Law
CEO/President, Institute for Social Internet Public Policy
GDPR, CCPA (CA) & CCDPA (CO) Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Board of Directors, Denver Internet Exchange
Board of Directors, Asilomar Microcomputer Workshop
Legal Counsel: The CyberGreen Institute
Former Counsel: Mail Abuse Prevention System (MAPS)
Ret. Professor of Law, Lincoln Law School of San Jose

Everyone who posts does so with an email address that becomes known to everyone who subscribes and published everywhere someone publicly archives the messages. It’s common practice by spammers to harvest addresses by subscribing to mailing lists.

Regards,
Bill Herrin

Anne, the way that such addresses are often harvested is that one of
the spammers (or his agent) becomes a member of the list and simply
records the addresses of persons posting to the list. They then
get spammed.
  - Brian

Almost always indiscriminately. They probably would be wise to avoid mailing lists of sys admins, network admins, etc., but they don’t. shrugs

Anne P. Mitchell, Esq. wrote:

> Question: Is the member list with email addresses public?? Otherwise,
> one has to wonder how they got these addresses?

MARC: Mailing list ARChives and https://lists.gt.net/nanog/ mangle email addresses in the headers but do nothing about email addresses that are quoted / attributed in the body.

I rather suspect that's exactly what's happening here. I've gotten three,
but a colleague who is subscribed but has never posted has gotten zero,
despite sharing the same email infrastructure and thus precisely the
same configuration.

----rsk

It's easy enough to sign up and trawl the archives....

Rich Kulawiec wrote:

There is zero, as in 0.0, point in mangling/obfuscating/etc. email
addresses in forlorn and misguided and ultimately futile attempts to keep
spammers from getting their hands on them. I wrote about this extensively
a few years ago so please let me cite myself in these two messages [1]:

  http://www.firemountain.net/pipermail/novalug/2014-July/041213.html
  http://www.firemountain.net/pipermail/novalug/2014-August/041230.html

On the other hand, there are a lot of reasons NOT to mangle/obfuscate/etc.
email addresses, including the use of archives by people who come along
later and are trying to track down authors of messages of interest.

---rsk

[1] As long as those are, there's still more: as one thought experiment,
consider how many of the addresses on this very list can be correctly
deduced by using simple constructions based on real names. By example,
let's suppose John Smith at example.net is on this list. We could
readily guess:

  john@example.net
  smith@example.net
  johnsmith@example.net
  john-smith@example.net
  john.smith@example.net
  jsmith@example.net
  j.smith@example.net
  smithj@example.net
  smith.j@example.net

and similar variations, and if you compare that to the results of

  egrep "^From: " nanog | sort -u

you'll quickly see that a very simple script could come up with roughly
half the addresses on this list immediately.

One of the implications of this, given the widespread adoption of
uniform algorithmic generation of email addresses by much of the
corporate and government and nonprofit &etc. worlds, is that an
attacker who has very little knowledge of the corpus of valid email
addresses at any such entity can make a first-order pass at enumerating
them by combining a script such as the one I posited above with lists
of the 1000 most common first and last names in the appropriate locale.
Of course if the attacker has even a small sample of known-valid
addresses, then it's not necessary to use the myriad variations that
such a script would generate, only the one that appears to be in use
at the target.

Rich,

Comments inline:

> MARC: Mailing list ARChives and https://lists.gt.net/nanog/
> mangle email addresses in the headers but do nothing about email addresses
> that are quoted / attributed in the body.

> There is zero, as in 0.0, point in mangling/obfuscating/etc. email
> addresses in forlorn and misguided and ultimately futile attempts to keep
> spammers from getting their hands on them. I wrote about this extensively
> a few years ago so please let me cite myself in these two messages [1]:
>
>   [Novalug] IMPORTANT: the "novalug" list is moving
>   [Novalug] IMPORTANT: the "novalug" list is moving

I guess you don’t get Comcast abuse reports, below is an example:

Let me see you figure out who on a shared server sent that message, hell, it’s gmail.com and comcast.net so appears on the logs probably significantly on most single use corporate servers as well.

> On the other hand, there are a lot of reasons NOT to mangle/obfuscate/etc.
> email addresses, including the use of archives by people who come along
> later and are trying to track down authors of messages of interest.

This I sort of agree with on the above example, at least to some extent. FBLs are meant to alert to issues; as far as tracking them down, it’s more of the mail ops job, so they are sort of allowed to make it a PIMA to avoid causing more issues by confirming.

> ---rsk

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

Those look like they are probably MD5 hashes (I'm guessing) of names.

So your proposed algorithm would be trivial to extend to add MD5 hashes of permutations.

Anybody else noticed a significant uptick in these e-mails?

When I first saw this thread, I hadn't seen any. A couple days later, I got my first one. (yay!) Now I'm getting 2-3 a day. (yay?)

* bryan@shout.net (Bryan Holloway) [Sat 01 Jun 2019, 01:54 CEST]:

> Anybody else noticed a significant uptick in these e-mails?
>
> When I first saw this thread, I hadn't seen any. A couple days later, I got my first one. (yay!) Now I'm getting 2-3 a day. (yay?)

Yes. It's pretty annoying. And somebody seems to be burning through a lot of stolen credentials. I wonder what the success rate is...

  -- Niels.