
The last time I saw something like this (personally) was a few years ago, happening to younger friends of mine who used Facebook. The problem wasn't Facebook itself though. What happened:

- Some person they knew shared a link/URL on Facebook, stating "funny video!" or the like
  -- same person probably had some compromised system of their own
- Facebook friend visits link/URL
- Link/site contained both malicious Javascript and Flash exploits to install a trojan/malware. (The exploits at the time were so new that anti-virus/malware software didn't detect them)
  -- The "funny video" got shown, so the visitor had no idea what was going on under the hood
- Trojan/malware under the hood begins scanning all address books (including any local browser content cache that looks like an address book, as well as things like Outlook address books -- pretty much everything under the sun), as well as trying to figure out what their own name was
- Same trojan/malware attempted a TCP port 25 connection to whatever SMTP server was configured in a local Email client (I forget how it worked this out, but it wasn't using an open relay from what I could tell) and proceeded to send Email to multiple recipients as follows:
  -- SMTP-level MAIL FROM was their own Email address
  -- SMTP-level RCPT TO was to themselves (I think?)
  -- Mail header From: line was their own name + Email address
  -- Mail header To: line was to themselves
  -- Mail header Cc: line contained multiple address book recipients
  -- Body of mail contained aforementioned link/URL and nothing else (if I remember correctly)

I was one of the CC'd individuals. What got my attention was the fact that I got two mails about the same thing -- one from a younger friend of mine, and one later from one of the people on the CC list (indicating something was spreading). Once I got my hands on my younger friend's laptop, I found the malware itself actively running and ended up reformatting the entire system.
Not sure if this is what you were seeing or not; if so it may just be another form of the same thing. In short, yes, address book scanning is something that some malware now does.

-- 
| Jeremy Chadwick                                   jdc@koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Making life hard for others since 1977.             PGP 4BD6C0CB |

On Fri, Apr 04, 2014 at 01:17:25PM -0700, Neil Ticktin wrote:
Anyone seeing crazy amounts of spoofing that are going out to what looks like address book entries?
In other words, not from your client, not from your server, but spoofing an email address that's yours, and going to recipients that look like your address book (e.g., grouped by last name and to people you know).
I don't want to point fingers, and I have no evidence of this in any way, but it almost looks like a social network site, that may have access to address book entries, got hit -- and someone is spoofing big time.
The other option would be a Mac virus hitting address book entries.
Anyone seeing anything like this?
Neil
_______________________________________________
Outages mailing list
Outages@outages.org
https://puck.nether.net/mailman/listinfo/outages
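The header and envelope pattern Jeremy lays out above (From: and To: both the victim, a long Cc: list pulled from an address book, a body that is nothing but the link) is concrete enough to turn into a mail-log or milter-side heuristic. The following is an added example written for this thread, not code from either poster; the sample messages are constructed, the Cc: cut-off of 5 is an assumed tuning knob, and the envelope arguments stand in for whatever MAIL FROM / RCPT TO values your MTA logs or milter hands you.

```python
"""Heuristic detector for the self-addressed, mass-Cc, link-only mail pattern
described in the thread.  Added example; sample messages are constructed."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Body consisting solely of one http(s) URL (plus surrounding whitespace).
URL_ONLY_RE = re.compile(r"^\s*https?://\S+\s*$", re.IGNORECASE)
CC_THRESHOLD = 5  # assumed cut-off; tune for your environment


def _addr(header_value):
    """Bare, lower-cased address from a single-address header such as From:."""
    return parseaddr(header_value or "")[1].lower()


def _addr_set(msg, name):
    """All bare addresses from every instance of a multi-address header."""
    return {a.lower() for _, a in getaddresses(msg.get_all(name, [])) if a}


def _body_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def worm_indicators(raw_msg, envelope_from=None, envelope_rcpts=()):
    """Return the list of indicators that fired for one message.

    envelope_from / envelope_rcpts are the SMTP MAIL FROM and RCPT TO values
    (assumed to be supplied from MTA logs or a milter); both are optional.
    """
    msg = message_from_string(raw_msg)
    sender = _addr(msg["From"])
    to_addrs = _addr_set(msg, "To")
    cc_addrs = _addr_set(msg, "Cc")
    hits = []
    if sender and to_addrs == {sender}:
        hits.append("header To: is the sender's own address")
    if len(cc_addrs) >= CC_THRESHOLD:
        hits.append("Cc: carries %d recipients" % len(cc_addrs))
    if URL_ONLY_RE.match(_body_text(msg)):
        hits.append("body is a bare URL and nothing else")
    rcpts = {r.lower() for r in envelope_rcpts}
    if envelope_from and envelope_from.lower() == sender and sender in rcpts:
        hits.append("envelope MAIL FROM and RCPT TO are both the sender")
    return hits


def is_suspicious(raw_msg, envelope_from=None, envelope_rcpts=()):
    """Two or more independent indicators is the assumed alert threshold."""
    return len(worm_indicators(raw_msg, envelope_from, envelope_rcpts)) >= 2


# Constructed sample: the pattern from the thread.
WORM_SAMPLE = """\
From: "Alice Example" <alice@example.net>
To: "Alice Example" <alice@example.net>
Cc: bob@example.org, carol@example.org, dave@example.org, erin@example.org, frank@example.org
Subject: funny video!
Content-Type: text/plain; charset="utf-8"

http://video.example.invalid/funny.php?id=123
"""

# Constructed sample: an ordinary message that happens to contain a link.
BENIGN_SAMPLE = """\
From: "Alice Example" <alice@example.net>
To: bob@example.org
Subject: Re: outage tonight
Content-Type: text/plain; charset="utf-8"

The link is http://status.example.net/ but the real fix is in the ticket.
"""

if __name__ == "__main__":
    for label, sample in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, worm_indicators(sample, "alice@example.net", ["alice@example.net"]))
```

Run it as a script to see which indicators fire on each sample, or feed `worm_indicators` raw messages from a quarantine folder. The benign sample shows why the checks are combined rather than used alone: a link in the body or a self-addressed To: is common on its own, but the victim's own address in every header and envelope slot plus a wide Cc: and a body with no text is what distinguishes the address-book worm from someone mailing themselves a note.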