nanog mailing list archives

Re: Someone's scraping NANOG for phishing purposes again


From: Alexander Harrowell <a.harrowell () gmail com>
Date: Fri, 10 Feb 2017 18:05:13 +0000

Yes. The names are used in the From: but not the e-mail addresses. The
payload is inside SecureServer.net's 43.255.154.0/24 - 43.255.154.125 and
43.255.154.66. Headers follow. Note: I think Anne P. Mitchell is a LinkedIn
contact of mine.

Message 1)

Delivered-To: a.harrowell () gmail com
Received: by 10.80.169.228 with SMTP id n91csp49041edc;
        Wed, 8 Feb 2017 16:09:01 -0800 (PST)
X-Received: by 10.223.131.34 with SMTP id 31mr179054wrd.119.1486598941445;
        Wed, 08 Feb 2017 16:09:01 -0800 (PST)
Return-Path: <wolfgang () cziczatka com>
Received: from mx21lb.world4you.com (mx21lb.world4you.com. [81.19.149.131])
        by mx.google.com with ESMTPS id p26si10875705wrp.311.2017.02.08.16.09.01
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Feb 2017 16:09:01 -0800 (PST)
Received-SPF: pass (google.com: domain of wolfgang () cziczatka com
designates 81.19.149.131 as permitted sender) client-ip=81.19.149.131;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of wolfgang () cziczatka com
designates 81.19.149.131 as permitted sender)
smtp.mailfrom=wolfgang () cziczatka com
Received: from [117.243.182.154] (helo=dydt-PC) by
mx21lb.world4you.com with esmtpsa
(TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from
<wolfgang () cziczatka com>) id 1cbcIF-0005OX-87; Thu, 09 Feb 2017
01:09:00 +0100
From: Brandon Galbraith <wolfgang () cziczatka com>
To: Alexander Harrowell <a.harrowell () gmail com>, "Nathanael C.
Cariaga" <nccariaga () stluke com ph>, aduitsis <aduitsis () gmail com>,
David Ulevitch <davidu () everydns net>
Subject: take a look at that
Date: Thu, 9 Feb 2017 00:08:49 +0000
Message-ID: <1514273443.20170209030849 () cziczatka com>
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0016_017DBA64.1747A7CE"
Content-Language: en-gb
MIME-Version: 1.0
X-SA-Do-Not-Run: Yes
X-AV-Do-Run: Yes
X-SA-Exim-Connect-IP: 117.243.182.154
X-SA-Exim-Mail-From: wolfgang () cziczatka com
X-SA-Exim-Scanned: No (on mx21lb.world4you.com); SAEximRunCond expanded to false

------=_NextPart_000_0016_017DBA64.1747A7CE

Message 2)


Delivered-To: a.harrowell () gmail com
Received: by 10.80.169.228 with SMTP id n91csp50480edc;
        Wed, 8 Feb 2017 16:14:21 -0800 (PST)
X-Received: by 10.28.135.82 with SMTP id j79mr18959559wmd.19.1486599261495;
        Wed, 08 Feb 2017 16:14:21 -0800 (PST)
Return-Path: <info () ocreschauvin fr>
Received: from smtp.nfrance.com (smtp-4.nfrance.com. [80.247.229.46])
        by mx.google.com with ESMTPS id f124si4142408wmd.153.2017.02.08.16.14.21
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 Feb 2017 16:14:21 -0800 (PST)
Received-SPF: neutral (google.com: 80.247.229.46 is neither permitted
nor denied by best guess record for domain of info () ocreschauvin fr)
client-ip=80.247.229.46;
Authentication-Results: mx.google.com;
       spf=neutral (google.com: 80.247.229.46 is neither permitted nor
denied by best guess record for domain of info () ocreschauvin fr)
smtp.mailfrom=info () ocreschauvin fr
Received: from tqzb-PC (unknown [197.45.161.242]) (using TLSv1.2 with
cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client
certificate requested) by smtp.nfrance.com (Postfix) with ESMTPSA id
28E1612D7A7; Thu,
  9 Feb 2017 01:14:18 +0100 (CET)
From: Owen DeLong <info () ocreschauvin fr>
To: Brian Mengel <bmengel () gmail com>, Andrew Latham
<lathama () gmail com>, Alexander Harrowell <a.harrowell () gmail com>,
"Anne P. Mitchell Esq." <amitchell () isipp com>
Subject: do you have any ideas?
Date: Thu, 9 Feb 2017 06:14:13 +0600
Message-ID: <1846552645.20170209031413 () ocreschauvin fr>
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_005C_010D479E.32101F4A"
Content-Language: en-us
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.78 on 80.247.229.46

------=_NextPart_000_005C_010D479E.32101F4A
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

RGVhciBmcmllbmQhIA0KDQpJJ3ZlIGJlZW4gd3JpdGluZyBhbiAgYXJ0aWNsZSBhbmQgSSd2ZSBj
b21lIGFjcm9zcyB0aGF0ICBzdHJhbmdlICBzdHVmZiwgIGRvIHlvdSBoYXZlICBhbnkgIGlkZWFz
IHdoYXQgY291bGQgaXQgYmU/IEp1c3QgdGFrZSBhICBsb29rIGh0dHA6Ly9tYXgudHJpcHN0aXht
ZW1vcmllcy5jb20vZjRmNQ0KDQpCZXN0IHdpc2hlcywgT3dlbiBEZUxvbmcNCg0K
------=_NextPart_000_005C_010D479E.32101F4A

------=_NextPart_000_005C_010D479E.32101F4A--



On Fri, Feb 10, 2017 at 5:46 PM, Suresh Ramasubramanian <ops.lists () gmail com> wrote:

Or a nanog member might be infected and the malware is scraping his
mailbox for bogus froms.  Got headers?

On 10/02/17, 9:40 AM, "NANOG on behalf of Alexander Harrowell" <nanog-bounces () nanog org on behalf of a.harrowell () gmail com> wrote:

    I'm getting suspicious e-mail pretending to come from leading NANOGers. Not
    the first time this has happened, but you may want to be warned.

    Yours,

    Alex Harrowell
