Kitz ADSL Broadband Information
Topic: Nasty threatening spam / scam targeted at Mrs Weaver

Weaver

Nasty threatening spam / scam targeted at Mrs Weaver
« on: January 10, 2018, 10:36:18 AM »

A particularly unpleasant scam attempt; Mrs Weaver was very slightly put out:

From Spamcop’s header analysis, it appears that it originated from the network of timeweb.ru

-- message headers begin --
Return-Path: <return@dropthecoins.com>
Received: from murder (frontend-2.ukservers.net [10.0.17.167])
       by cyrus-aws-05.ukservers.net with LMTPA;
       Wed, 10 Jan 2018 04:00:05 +0000
X-Sieve: CMU Sieve 2.4
Received: from mailex-1-forwarder.ukservers.net (mx1.ukservers.net [10.0.17.169])
       by frontend-2.ukservers.net (Cyrus v2.2.13-Debian-2.2.13-10) with LMTPA;
       Wed, 10 Jan 2018 04:00:05 +0000
Received: from mailex-1.ukservers.net (mailex-1.ukservers.net [10.0.17.169])
       by mailex-1-forwarder.ukservers.net (Postfix) with ESMTP id 6CDEF20001
       for <janet@skyeshepherdhuts.co.uk>; Wed, 10 Jan 2018 04:00:05 +0000 (GMT)
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=5.23.55.60; helo=weeer10.dropthecoins.com; envelope-from=return@dropthecoins.com; receiver=janet@skyeshepherdhuts.co.uk
Received: from weeer10.dropthecoins.com (unknown [5.23.55.60])
       by mailex-1.ukservers.net (Postfix mx-mailex-1) with ESMTP id 304504002C
       for <janet@skyeshepherdhuts.co.uk>; Wed, 10 Jan 2018 04:00:04 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=dropthecoins.com;
     h=To:Subject:Date:From:Reply-To:MIME-Version:List-Unsubscribe:Content-Type:Content-Transfer-Encoding; i=members@dropthecoins.com;
     bh=Pzjb1Ur4Jz7vef9CVa9QkqDoeDo=;
     b=neJmSr4qUA8ny8126hPn32R0O5JSyX1k7IbehpdSZnmShrlQKwy8RKRPIeFpQHDaoNkOiew3c9XO
     jLVReoFNGRjX/ydDIspJsexYizE9X7yR+FFMJCUn2JBWWWniLPGTCNCcHvzIc7WPzwhG5+sEnJch
     +h+N3JIRglxBcETnqDs=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=default; d=dropthecoins.com;
     b=acgDjIfYxojKO6D0Q/ecY3UssWe3ldrTF5xRiyBD9BAR8w82Aj60/GWyndQAJJKbJOAJGVFu1HTi
     H6VJl+uxPhHQtxjt6BGW4H+B09NAtgL7nn3lx/cDYKHxPXjoQQiCBHRkAISU9aaqn4DSAlmpFxKq
     ceSG1IRTJH6mWf/y9Io=;
To: janet@skyeshepherdhuts.co.uk
Subject: =?UTF-8?B?RUVPTTogW2phbmV0QHNreWVzaGVwaGVyZGh1dHMuY28udWtdIDEwIErQsG4gMjAxOCAwMTowNTozNyBBbGwgaW4geW91ciBoYW5kcw==?=
Date: Tue, 09 Jan 2018 21:37:57 -0600
From: "Emily Robinson" <members@dropthecoins.com>
Reply-To: members@dropthecoins.com
MIME-Version: 1.0
X-Mailer-LID: 12
X-Mailer-SID: 17
List-Unsubscribe: <https://www.yessoftware.com/unsubscribe.php>
Content-Type: multipart/alternative; charset="UTF-8"; boundary="b1_c7a1fb9c54562a3ea3b9ee9bb6524dd2"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20180110040005.304504002C@mailex-1.ukservers.net>
X-UKServers-IP: 5.23.55.60
X-Envelope-To: janet@skyeshepherdhuts.co.uk
       
Тicket Dеtails
Email: janet@skyeshepherdhuts.co.uk
Camera ready,Notification: 10-01-2018
Status: Waiting for Reply
16xuXaHy9A7f20wJnKmIkF9XrA5Sy46Lu7_Priority:
Normal
........................................................................



Good day,

If u were more watchful while caress yourself, I wouldn't worry you. I don't think that playing with yourself is extremely terrible, but when all your friends, relatives, сolleagues receive video of it- it is obviously for u.

I seized virus on a porn web-site which was visited by you. When the target click on a play button, device starts recording the screen and all cameras on your device starts working.

Moreover, soft makes a rdp supplied with keylogger function from the system , so I could get all contacts from ur e-mail, messengers and other social networks. I've chosen dis e-mail because It's your corporate address, so you should read it.

I think that 400 usd is pretty enough for this little false. I made a split screen video(records from screen (interesting category ) and camera ooooooh... its awful AF)

So its ur choice, if u want me to erase ur disgrace use my bitсоin wallеt address:
1LYz7EgAF8PU6bSN8GDecnz9Gg814fs81W

You have one day after opening my message, I put the special tracking pixel in it, so when you will open it I will see.If ya want me to share proofs with ya, reply on this message and I will send my creation to five contacts that I've got from ur device.

P.S.. You are able to complain to cops, but I don't think that they can help, the investigation will last for one year- I'm from Ukraine - so I dgf lmao
« Last Edit: January 10, 2018, 12:14:58 PM by Weaver »

broadstairs

Re: Nasty threatening spam / scam targeted at Mrs Weaver
« Reply #1 on: January 10, 2018, 11:07:21 AM »

Unfortunately these things are becoming more common. One thing I would say is that it would be a good idea to comment out Janet's email address (or at least the domain part) as these things are scanned for by spammers. I find that my new hosting company who also host my email have a very good spam trap and very little gets through.

Stuart

d2d4j

Re: Nasty threatening spam / scam targeted at Mrs Weaver
« Reply #2 on: January 10, 2018, 11:19:36 AM »

Hi

I could be wrong but this just looks like a scripted spam, which is likely to be sent from a compromised system

Email addresses are not hard to get hold of, or guessed/randomly created (a little like shouting "John" in a supermarket and seeing how many look).

The best thing to do is not respond and add to filters you use for blocking

I know you know what you're doing, so I don't mean any offence.

Many thanks

John

sevenlayermuddle

Re: Nasty threatening spam / scam targeted at Mrs Weaver
« Reply #3 on: January 10, 2018, 11:27:02 AM »

I assume it got past a spam filter? I get very little spam these days; Google's spam filters seem well set up. Even then, if the headers are all OK, spam nearly always gets caught.

There is a downside of course to Google's spam filters, occasionally a little too enthusiastic. I am currently in the dog house with Apple as I 'ignored' several quite important emails regarding a problem with one of my Apps. The reason I ignored them was, Google had sent it all to spam. ::)


Weaver

Re: Nasty threatening spam / scam targeted at Mrs Weaver
« Reply #4 on: January 10, 2018, 12:11:13 PM »

No good I'm afraid, commenting out email addresses, as this is a widely publicised one which is one of the public contact points for her business.

It did indeed get past the spam filters; note its use of DKIM and so on, to help make it look legit. I think that it may have come from a server hosted by the aforementioned timeweb.ru, as they are a hosting company not an ISP, looking at their website. They're in Moscow and probably very legit, so this, for all I know, possibly provides a reputable home even for bad guys.

A full-headers copy went off to the police's scam reporting contact email, NFIBPhishing@city-of-london.pnn.police.uk, as I see they are asking for phishes etc.

This is the analysis provided by Spamcop, whose engine sent off reports to the abuse contacts as you see at the bottom.
--
Parsing header:

Received:  from murder (frontend-2.ukservers.net [10.0.17.167]) by cyrus-aws-05.ukservers.net with LMTPA; Wed, 10 Jan 2018 04:00:05 +0000
host 10.0.17.167 (getting name) no name
10.0.17.167 discarded

Received:  from mailex-1-forwarder.ukservers.net (mx1.ukservers.net [10.0.17.169]) by frontend-2.ukservers.net (Cyrus v2.2.13-Debian-2.2.13-10) with LMTPA; Wed, 10 Jan 2018 04:00:05 +0000
host 10.0.17.169 (getting name) no name
10.0.17.169 discarded

Received:  from mailex-1.ukservers.net (mailex-1.ukservers.net [10.0.17.169]) by mailex-1-forwarder.ukservers.net (Postfix) with ESMTP id 6CDEF20001 for <x>; Wed, 10 Jan 2018 04:00:05 +0000 (GMT)
host 10.0.17.169 (getting name) no name
10.0.17.169 discarded

Received:  from weeer10.dropthecoins.com (unknown [5.23.55.60]) by mailex-1.ukservers.net (Postfix mx-mailex-1) with ESMTP id 304504002C for <x>; Wed, 10 Jan 2018 04:00:04 +0000 (GMT)
host 5.23.55.60 (getting name) no name
Possible spammer: 5.23.55.60
Received line accepted
Tracking message source: 5.23.55.60:
Routing details for 5.23.55.60
[refresh/show] Cached whois for 5.23.55.60 : abuse@timeweb.ru
Using abuse net on abuse@timeweb.ru
abuse net timeweb.ru = abuse@timeweb.ru, postmaster@timeweb.ru
Using best contacts abuse@timeweb.ru postmaster@timeweb.ru
Message is 6 hours old
5.23.55.60 not listed in cbl.abuseat.org
5.23.55.60 not listed in dnsbl.sorbs.net
5.23.55.60 not listed in accredit.habeas.com
5.23.55.60 not listed in plus.bondedsender.org
5.23.55.60 not listed in iadb.isipp.com
Finding links in message body
error: couldn't parse head
Message body parser requires full, accurate copy of message
More information on this error..
no links found
Reports regarding this spam have already been sent:
Re: 5.23.55.60 (Administrator of network where email originates)
   Reportid: 6765342199 To: postmaster@timeweb.ru
   Reportid: 6765342200 To: abuse@timeweb.ru
If reported today, reports would be sent to:
Re: 5.23.55.60 (Administrator of network where email originates)

postmaster@timeweb.ru
abuse@timeweb.ru

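What Spamcop's parse above is doing, written out as an added example in Python (this is not Spamcop's code, nor anything Weaver posted): it unfolds the Received: chain from the headers quoted in the first post, walks it newest-first, throws away the hops inside ukservers.net's private 10.0.17.x space exactly as Spamcop "discarded" them, and accepts the first hop with a public client address, 5.23.55.60, as the message source. A second function pulls out the domains that the Received-SPF and DKIM-Signature headers actually vouch for, which is the point behind "its use of DKIM to help make it look legit". Assumptions: the sample headers are the ones quoted in the post, trimmed, with the recipient replaced by <x> as in Spamcop's output; treating "private address" as "our own internal relay" is a shortcut for the real rule (see the note after the block); no DNS lookups are made, so the "getting name" and DNSBL steps Spamcop performs are not reproduced.

```python
"""Added example: trace a message's origin from its Received: chain and
read off which domains the SPF/DKIM results vouch for. Not Spamcop's
code. The 'private IP = our own relay' rule is a simplification."""
import ipaddress
import re

# Headers quoted in the first post, trimmed; recipient replaced by <x>.
SAMPLE_HEADERS = """\
Return-Path: <return@dropthecoins.com>
Received: from murder (frontend-2.ukservers.net [10.0.17.167])
       by cyrus-aws-05.ukservers.net with LMTPA;
       Wed, 10 Jan 2018 04:00:05 +0000
Received: from mailex-1-forwarder.ukservers.net (mx1.ukservers.net [10.0.17.169])
       by frontend-2.ukservers.net (Cyrus v2.2.13-Debian-2.2.13-10) with LMTPA;
       Wed, 10 Jan 2018 04:00:05 +0000
Received: from mailex-1.ukservers.net (mailex-1.ukservers.net [10.0.17.169])
       by mailex-1-forwarder.ukservers.net (Postfix) with ESMTP id 6CDEF20001
       for <x>; Wed, 10 Jan 2018 04:00:05 +0000 (GMT)
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=5.23.55.60; helo=weeer10.dropthecoins.com; envelope-from=return@dropthecoins.com; receiver=x
Received: from weeer10.dropthecoins.com (unknown [5.23.55.60])
       by mailex-1.ukservers.net (Postfix mx-mailex-1) with ESMTP id 304504002C
       for <x>; Wed, 10 Jan 2018 04:00:04 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=dropthecoins.com;
     h=To:Subject:Date:From; i=members@dropthecoins.com;
     bh=Pzjb1Ur4Jz7vef9CVa9QkqDoeDo=;
     b=neJmSr4qUA8ny8126hPn32R0O5JSyX1k7IbehpdSZnmShrlQKwy8RKRPIeFpQHDaoNkOiew3c9XO
From: "Emily Robinson" <members@dropthecoins.com>
"""

# "from <helo> (<reverse-dns> [<ip>])" as Postfix/Cyrus write it.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)")


def unfold(raw):
    """Join RFC 5322 continuation lines; return (name, value) pairs in order."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def trace_origin(raw):
    """Return (source_ip, helo_name, reverse_dns, decisions). Each relay
    prepends its own Received: line, so the topmost is the newest; walk
    down, discard hops from private (internal relay) addresses and stop
    at the first public one, which is the message source."""
    decisions = []
    for name, value in unfold(raw):
        if name.lower() != "received":
            continue
        m = HOP_RE.search(value)
        if not m:
            continue  # local delivery hop or a format this regex does not know
        ip = ipaddress.ip_address(m["ip"])
        if ip.is_private:
            decisions.append((str(ip), "discarded"))
            continue
        decisions.append((str(ip), "accepted"))
        return str(ip), m["helo"], m["rdns"], decisions
    return None, None, None, decisions


def auth_domains(raw):
    """Which domain each authentication result vouches for, next to the
    From: domain the reader sees. All three agreeing proves only that the
    sender controls that domain's DNS, not that the sender is honest."""
    out = {"from_domain": None, "dkim_domain": None,
           "spf_domain": None, "spf_result": None}
    for name, value in unfold(raw):
        key = name.lower()
        if key == "received-spf":
            out["spf_result"] = value.split()[0]
            m = re.search(r"envelope-from=[^@\s;]+@([\w.-]+)", value)
            out["spf_domain"] = m.group(1) if m else None
        elif key == "dkim-signature":
            m = re.search(r"(?:^|;)\s*d=([\w.-]+)", value)
            out["dkim_domain"] = m.group(1) if m else None
        elif key == "from":
            m = re.search(r"@([\w.-]+)", value)
            out["from_domain"] = m.group(1) if m else None
    out["aligned"] = (out["from_domain"] is not None and
                      out["from_domain"] == out["dkim_domain"] == out["spf_domain"])
    return out


if __name__ == "__main__":
    ip, helo, rdns, decisions = trace_origin(SAMPLE_HEADERS)
    for hop_ip, verdict in decisions:
        print(hop_ip, verdict)
    print("source:", ip, "helo:", helo, "rdns:", rdns)
    print(auth_domains(SAMPLE_HEADERS))
```

Two things the output makes concrete. First, only Received: lines written by machines you trust are evidence: the bottom line here was stamped by mailex-1.ukservers.net, the recipient's own MX, so the client address it recorded (5.23.55.60) is real, whereas any Received: line a spammer puts into the message themselves sits below that and can say anything, which is why the walk stops at the first untrusted hop instead of reading to the end. In production, replace the is_private shortcut with the list of your provider's relay addresses. Second, the SPF Pass and the valid DKIM signature are both for dropthecoins.com, the same domain as the From: header, so the message is fully aligned and would pass DMARC as well; authentication proves that the sender controls that domain's DNS and nothing more, which is why a filter still has to weigh sender reputation and content.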

sevenlayermuddle

Re: Nasty threatening spam / scam targeted at Mrs Weaver
« Reply #5 on: January 10, 2018, 12:24:10 PM »

I personally doubt whether masking of email addresses does much good.

I have a few email addresses that appear in full plain text on web pages, where there is a legal requirement to do so. E.g. for "contact us" links, I use support@ or admin@ etc. None have ever received any spam, other than targeted approaches from uninvited but genuine businesses.

My personal email, on the other hand, appears nowhere in public but does get its share of spam. Clearly, it simply leaks from the umpteen commercial organisations that harvest it from hotel bookings, internet shopping etc., then sell it on.
« Last Edit: January 10, 2018, 12:34:14 PM by sevenlayermuddle »

kitz

Re: Nasty threatening spam / scam targeted at Mrs Weaver
« Reply #6 on: January 10, 2018, 04:35:27 PM »

Obviously scam spam that appears to be targeting domain names. A quick Google shows lots of others receiving similar email over the past few months.
Only thing that varies is the amount requested and the bitcoin wallet no.

Sadly it looks like at least one person this morning has been fooled by it and paid up (linky):
    10/01/2018 10:32 BTC 0.020
which is approx US$300

Weaver

Re: Nasty threatening spam / scam targeted at Mrs Weaver
« Reply #7 on: January 10, 2018, 06:14:32 PM »

I have in the distant past tried various ways of both HTML- and URI-obfuscating email addresses in main HTML text or in mailto: links, so that a real web browser will understand an email address but a cheesy, cheap, home-brewed scanner app won't. I do have to admit though that I'm not too sure how effective such things are nowadays, especially as there could now be popular libraries or well passed-around cut-n-paste code snippets just for this job spreading across the net, a development that would mean that even script kiddies and programmers fairly devoid of clue could get a more sophisticated scan of the page content done at low cost, without going all the way towards buying a full working tag-soup HTML parser. Unless you can just buy one in, proper tag-soup syntactic analysis is something that is incredibly hard to write and test, and is huge, as the sheer verbosity of HTML5's 'anything goes' syntactic spec shows.

sevenlayermuddle

Re: Nasty threatening spam / scam targeted at Mrs Weaver
« Reply #8 on: January 10, 2018, 09:15:01 PM »

On topic, it does remind me of an episode of Charlie Brooker's Black Mirror series, originally Channel 4, now Netflix. I've looked it up: Series 3, episode 3, "Shut Up and Dance". Rather disturbing. Not universally acclaimed, but appropriate to this thread. A boy is blackmailed as in Weaver's spam; it all ends badly. :'(

Off topic, Netflix have just released another series of Black Mirror.  I’m absolutely not a fan of Netflix’s own material, but I make Black Mirror an exception.   Excellent IMO (other episodes have no relation at all to this topic).  :)

Weaver

Re: Nasty threatening spam / scam targeted at Mrs Weaver
« Reply #9 on: January 12, 2018, 11:42:45 PM »

I have recently put together some extra anti-spam defences of my own having done a bit of reading. I found a couple of tips which I thought would be well worth trying:

1. One idea is that of having MX records that are broken. These are assigned a low numeric value for the MX priority field. Low-numbered MX records mean highest priority (most preferred), so sending mail servers will try the duff entry first. Correctly designed software which follows the specs will just pass on to the next higher-numbered MX entry and all will be well. However it is argued that some spam distribution engines have quite cheesy, nasty code and will just fail because they don't implement the specs correctly, possibly by design because they don't want to waste any time at all; they just want to get on to sending to the next victim as quickly as possible.

2. The second idea is that of having multiple high-priority-field-numbered (low priority) MX entries that all point to an existent but _evil_ 'SMTP' server. The designers of Project Tarbaby explain it like this:

"Spammers however often try to go in the "back door" thinking that your backup servers have less spam filtering than your main email server. So they send email to the highest numbered MX record first. And spammers don't retry so they make an attempt, it fails, and they go on to the next victim. In the process if we detect a spam bot signature then the IP address of the spam bot is added to our DNS blacklist. If you are also using our blacklist then there is an added bonus in that our blacklist will tune itself to your spam so that if the spam bots later try your main server then they will be caught."

Tarbaby (tarbaby.junkemailfilter.com) is an evil mail server which wastes spammers time, takes forever to respond and messes them around. (If you are familiar with “Lenny” the hilarious audio automaton that wastes nuisance callers’ time then this is the SMTP equivalent.)

To use it, add lots of different high-numbered MX records that all point to tarbaby.junkemailfilter.com.

The idea is that this not only protects you, it protects others as well and if enough people use it and the bad guys do get caught out then it could mean they don't achieve much with all the time that is being wasted.

I have strengthened this technique with an additional trick of my own, which I won't describe in an open page, where malefactors might pick up a valuable tip.
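A small simulation of the two MX tricks just described, added here as an example; it is not code from the thread or from Project Tarbaby, and the zone, hostnames, resolver table and client addresses are all constructed (only the tarbaby hostname is the one quoted above, and nonexistent.example.test. stands for the deliberately broken high-priority MX). It contrasts what a sender that follows RFC 5321 does with what the two kinds of lazy bot the post describes do: one that gives up when the most-preferred MX fails to resolve, and one that goes straight for the highest-numbered "backup" MX.

```python
"""Added example (not from the thread or Project Tarbaby): how a
spec-following sender and two lazy spam bots behave against a zone
that carries a broken most-preferred MX and a tarbaby sink MX.
Everything below is constructed."""

# The zone fragment being modelled (BIND syntax, constructed):
#   example.test.  IN MX   5  nonexistent.example.test.     ; idea 1: broken, most preferred
#   example.test.  IN MX  10  mail.example.test.            ; the real MX
#   example.test.  IN MX  90  tarbaby.junkemailfilter.com.  ; idea 2: sink, least preferred
#   example.test.  IN MX  95  tarbaby.junkemailfilter.com.
TARBABY = "tarbaby.junkemailfilter.com."
MX_RECORDS = [
    (5, "nonexistent.example.test."),
    (10, "mail.example.test."),
    (90, TARBABY),
    (95, TARBABY),
]

# Stand-in for A-record lookups; the broken name deliberately has none.
A_RECORDS = {
    "mail.example.test.": "192.0.2.25",
    TARBABY: "198.51.100.7",
}


def resolve(host):
    return A_RECORDS.get(host)


def mx_order(records):
    """RFC 5321 section 5.1: try MX hosts in ascending preference value."""
    return [host for _pref, host in sorted(records, key=lambda r: r[0])]


def compliant_sender(records, resolve=resolve):
    """A real MTA: walk the MX list in order, skipping any host that
    does not resolve, until one can be connected to."""
    for host in mx_order(records):
        ip = resolve(host)
        if ip is not None:
            return host, ip
    return None


def first_mx_only_bot(records, resolve=resolve):
    """Idea 1's target: a bot that tries only the most preferred MX and
    abandons the recipient when that fails."""
    host = mx_order(records)[0]
    ip = resolve(host)
    return (host, ip) if ip is not None else None


def backdoor_bot(records, resolve=resolve):
    """Idea 2's target: a bot that heads for the highest-numbered MX,
    assuming a backup server with weaker filtering."""
    host = max(records, key=lambda r: r[0])[1]
    ip = resolve(host)
    return (host, ip) if ip is not None else None


class Tarbaby:
    """Minimal model of the sink MX: only spam bots ever connect to it,
    so every client address it sees goes on a blocklist that the real MX
    consults afterwards. The real service also stalls the session."""

    def __init__(self):
        self.blocklist = set()

    def accept_connection(self, client_ip):
        self.blocklist.add(client_ip)
        return "tarpitted"


def deliver(strategy, records, client_ip, tarbaby, resolve=resolve):
    """Run one sender strategy end to end and report where the mail went."""
    target = strategy(records, resolve)
    if target is None:
        return "gave up"
    host, _ip = target
    if host == TARBABY:
        return tarbaby.accept_connection(client_ip)
    if client_ip in tarbaby.blocklist:
        return "rejected (blocklisted)"
    return "delivered to " + host


if __name__ == "__main__":
    tb = Tarbaby()
    bot, mta = "203.0.113.9", "203.0.113.10"   # constructed client addresses
    print("backdoor bot:       ", deliver(backdoor_bot, MX_RECORDS, bot, tb))
    print("first-MX-only bot:  ", deliver(first_mx_only_bot, MX_RECORDS, bot, tb))
    print("same bot, proper MX:", deliver(compliant_sender, MX_RECORDS, bot, tb))
    print("legitimate MTA:     ", deliver(compliant_sender, MX_RECORDS, mta, tb))
```

The compliant sender absorbs one failed lookup on nonexistent.example.test. and lands on the real MX; the first-MX-only bot gives up; the backdoor bot walks into the sink, and once its address is on the sink's blocklist a later, correctly ordered attempt from the same address is refused by the real MX, which is the "tunes itself to your spam" effect in the quote. One caveat the simulation makes visible: the cheap failure in idea 1 depends on the preferred MX name not resolving at all. If it resolved to an address that merely did not answer, every legitimate sender would pay a connection timeout per message instead of a quick NXDOMAIN.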

d2d4j

Re: Nasty threatening spam / scam targeted at Mrs Weaver
« Reply #10 on: January 13, 2018, 09:36:54 AM »

Hi Weaver

Kudos to you

I am not sure it would work in a commercial environment, where email is time critical

Also, everything you have posted is well known, and has its uses to a degree against certain types of spam, and none against other types. E.g. some mail scripts just send email without waiting for mail server responses, then move on to the next in their list.

I should mention if you use SA, do you have SA update daily - most users of SA never update SA for latest daily changes

Many thanks

John

Weaver

Re: Nasty threatening spam / scam targeted at Mrs Weaver
« Reply #11 on: January 13, 2018, 04:32:39 PM »

@d2d4j I'm not following you in respect of the time-critical point. I may be misunderstanding? The high-priority non-existent server idea will introduce a tiny delay while sending servers switch to the next MX, but that should be very quick as they will get an immediate failure from the DNS lookup. As for tarbaby, no legit servers will ever go near it.

It is indeed well-known stuff, but was new to me and so I thought it might be of interest to other kitizens. I claim zero original invention, and I agree that I am very skeptical about its effectiveness, but I thought that it would be interesting to _evaluate it_. The problem is that existing spam defences are so good that we don't get enough spam for a decent statistical analysis, nor do I have a proper control. A pair of well-publicised honeypots would be needed to do it properly.
 
