
Anyone seeing crazy amounts of spoofing that are going out to what looks like address book entries?
In other words, not from your client, not from your server, but spoofing an email address that's yours, and going to recipients that look like your address book (e.g., grouped by last name and to people you know).
I don't want to point fingers, and I have no evidence of this in any way, but it almost looks like a social network site, that may have access to address book entries, got hit -- and someone is spoofing big time.
The other option would be a Mac virus hitting address book entries.
Anyone seeing anything this?
Neil

I received one today. Came from an AOL user, via AOL servers. It looks like malware on their (Windows) computer.
On Fri, Apr 4, 2014 at 1:17 PM, Neil Ticktin <neil-lists@xplain.com> wrote:
Anyone seeing crazy amounts of spoofing that are going out to what looks like address book entries?
In other words, not from your client, not from your server, but spoofing an email address that's yours, and going to recipients that look like your address book (e.g., grouped by last name and to people you know).
I don't want to point fingers, and I have no evidence of this in any way, but it almost looks like a social network site, that may have access to address book entries, got hit -- and someone is spoofing big time.
The other option would be a Mac virus hitting address book entries.
Anyone seeing anything this?
Neil
_______________________________________________ Outages mailing list Outages@outages.org https://puck.nether.net/mailman/listinfo/outages

The last time I saw something like this (personally) was a few years ago, happening to younger friends of mine who used Facebook. The problem wasn't Facebook itself though. What happened:

- Some person they knew shared a link/URL on Facebook, stating "funny video!" or the like
  -- same person probably had some compromised system of their own
- Facebook friend visits link/URL
- Link/site contained both malicious JavaScript and Flash exploits to install a trojan/malware. (The exploits at the time were so new that anti-virus/malware software didn't detect them)
  -- The "funny video" got shown, so the visitor had no idea what was going on under the hood
- Trojan/malware under the hood begins scanning all address books (including any local browser content cache that looks like an address book, as well as things like Outlook address books -- pretty much everything under the sun), as well as tried to figure out what their own name was
- Same trojan/malware attempted TCP port 25 connection to whatever SMTP server was configured in a local Email client (I forget how it worked this out, but it wasn't using an open relay from what I could tell) and proceeded to send Email to multiple recipients as follows:
  -- SMTP-level MAIL FROM was their own Email address
  -- SMTP-level RCPT TO was to themselves (I think?)
  -- Mail header From: line was their own name + Email address
  -- Mail header To: line was to themselves
  -- Mail header Cc: line contained multiple address book recipients
  -- Body of mail contained aforementioned link/URL and nothing else (if I remember correctly)

I was one of the CC'd individuals. What got my attention was the fact that I got two mails about the same thing -- one from a younger friend of mine, and one later from one of the people on the CC list (indicating something was spreading). Once I got my hands on my younger friends' laptop, I found the malware itself actively running and ended up reformatting the entire system.

Not sure if this is what you were seeing or not; if so it may just be another form of the same thing. In short, yes, addressbook scanning is something that some malware now does.

--
| Jeremy Chadwick jdc@koitsu.org |
| UNIX Systems Administrator http://jdc.koitsu.org/ |
| Making life hard for others since 1977. PGP 4BD6C0CB |

On Fri, Apr 04, 2014 at 01:17:25PM -0700, Neil Ticktin wrote:
Anyone seeing crazy amounts of spoofing that are going out to what looks like address book entries?
In other words, not from your client, not from your server, but spoofing an email address that's yours, and going to recipients that look like your address book (e.g., grouped by last name and to people you know).
I don't want to point fingers, and I have no evidence of this in any way, but it almost looks like a social network site, that may have access to address book entries, got hit -- and someone is spoofing big time.
The other option would be a Mac virus hitting address book entries.
Anyone seeing anything this?
Neil
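
The header pattern listed in Jeremy Chadwick's message above (envelope sender equal to the header From, mail addressed to the sender, address-book contacts in Cc, a body that is only a link) can be checked mechanically on received mail. The following Python sketch is an added example, not part of the thread; the function names, the `min_cc` threshold and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

URL_ONLY = re.compile(r"^\s*https?://\S+\s*$", re.IGNORECASE)

def addrs(msg, header):
    """Lower-cased addresses found in one header (empty set if absent)."""
    return {a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a}

def indicators(raw, mail_from, rcpt_to, min_cc=3):
    """List which traits of the described pattern a message shows.
    mail_from and rcpt_to are the SMTP envelope values as logged by the
    MTA; min_cc is an assumed threshold, not a number from the thread.
    """
    msg = message_from_string(raw)
    sender, to, cc = addrs(msg, "From"), addrs(msg, "To"), addrs(msg, "Cc")
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = []
    if mail_from.lower() in sender:
        hits.append("envelope-from-is-header-from")
    if mail_from.lower() in {r.lower() for r in rcpt_to}:
        hits.append("sender-is-envelope-recipient")
    if sender and to == sender:
        hits.append("header-to-is-sender")
    if len(cc - sender) >= min_cc:
        hits.append("many-cc-recipients")
    if URL_ONLY.match(body):
        hits.append("body-is-bare-url")
    return hits

def matches_pattern(raw, mail_from, rcpt_to):
    """True only when every trait is present; each alone is common in real mail."""
    return len(indicators(raw, mail_from, rcpt_to)) == 5

# Constructed sample messages (example.* domains, not taken from the thread).
SUSPECT = """From: Pat Example <pat@example.org>
To: pat@example.org
Cc: a@example.com, b@example.com, c@example.net, d@example.net
Subject: hi

http://video.example.invalid/watch
"""
NORMAL = """From: Pat Example <pat@example.org>
To: sam@example.com
Subject: lunch

Are we still on for noon? Menu: http://cafe.example.invalid/menu
"""
```

A single trait such as the envelope sender matching the From header is true of most legitimate mail, which is why `matches_pattern` requires the whole combination before flagging a message.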

I've seen (work, family, friends) an increased amount of spoofing since February 25.
The first two emails I looked at that day were sent thru email servers in UK and France.
Tony Patti CIO S. Walter Packaging Corp.
From: Outages [mailto:outages-bounces@outages.org] On Behalf Of Neil Ticktin
Sent: Friday, April 04, 2014 4:17 PM
To: outages
Subject: [outages] Crazy amts of spoofing?
Anyone seeing crazy amounts of spoofing that are going out to what looks like address book entries?
In other words, not from your client, not from your server, but spoofing an email address that's yours, and going to recipients that look like your address book (e.g., grouped by last name and to people you know).
I don't want to point fingers, and I have no evidence of this in any way, but it almost looks like a social network site, that may have access to address book entries, got hit -- and someone is spoofing big time.
The other option would be a Mac virus hitting address book entries.
Anyone seeing anything this?
Neil

I've seen this -- sporadically -- for a year now probably, although my users started reporting it in March (or maybe February 25th).
-- ERIC HENSON Solutions Architect for Systems Organization PFSweb | www.pfsweb.com p: 972.881.2900 x3104 m: 972.948.3424
From: Outages [mailto:outages-bounces@outages.org] On Behalf Of Tony Patti
Sent: Friday, April 04, 2014 4:02 PM
To: 'Neil Ticktin'; 'outages'
Subject: Re: [outages] Crazy amts of spoofing?
I've seen (work, family, friends) an increased amount of spoofing since February 25.
The first two emails I looked at that day were sent thru email servers in UK and France.
Tony Patti CIO S. Walter Packaging Corp.

While not spoofing specifically, we've been seeing abnormally high amounts of general nefarious network activity this year. It was especially bad during the height of the ntp ddos problem in January/February but still seems higher than it was last year.
On Apr 4, 2014, at 5:22 PM, "Eric Henson" <ehenson@pfsweb.com> wrote:
I’ve seen this—sporadically—for a year now probably, although my users started reporting it in March (or maybe February 25th).

I keep an old email address out there just so I can trend the spam in the world. I usually get 250-300 messages a day of junk in that mailbox, with peak counts being M-F 6am to 6pm Mountain Time.
Since Thursday last week, I have been averaging almost 450 a day, with a peak of 630 messages yesterday. I have had reports from a few family members saying they have seen Email with my name on it, but smash keyboard email addresses over the past few weeks as well.
From: Outages [mailto:outages-bounces@outages.org] On Behalf Of Bill Wichers
Sent: Friday, April 4, 2014 3:24 PM
To: Eric Henson
Cc: outages
Subject: Re: [outages] Crazy amts of spoofing?
While not spoofing specifically, we've been seeing abnormally high amounts of general nefarious network activity this year. It was especially bad during the height of the ntp ddos problem in January/February but still seems higher than it was last year.

[ moving to -discuss; hope everyone's there ]
It's been posited that the end of security updates for WinXP will be likely to cause an uptick in the amount of bot sent spam and attacks.
Something which -- by the way -- might be easier to kill off if all edge network operators were implementing BCP38.
BCP38: ask for it by name!
Cheers, -- jr 'www.bcp38.info' a
----- Original Message -----
From: "Blake Pfankuch - Mailing List" <blake.mailinglist@pfankuch.me>
To: "Bill Wichers" <billw@waveform.net>, "Eric Henson" <ehenson@pfsweb.com>
Cc: "outages" <outages@outages.org>
Sent: Friday, April 4, 2014 11:23:47 PM
Subject: Re: [outages] Crazy amts of spoofing?
I keep an old email address out there just so I can trend the spam in the world. I usually get 250-300 messages a day of junk in that mailbox, with peak counts being M-F 6am to 6pm Mountain Time.
Since Thursday last week, I have been averaging almost 450 a day, with a peak of 630 messages yesterday. I have had reports from a few family members saying they have seen Email with my name on it, but smash keyboard email addresses over the past few weeks as well.
-- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
participants (8)
- Bill Wichers
- Blake Pfankuch - Mailing List
- Byron Lunz
- Eric Henson
- Jay Ashworth
- Jeremy Chadwick
- Neil Ticktin
- Tony Patti