[sf-lug] Suspicious email purportedly from LinuxMafia

Michael Paoli Michael.Paoli at cal.berkeley.edu
Wed Mar 9 18:09:38 PST 2016


Jim,

Thanks for taking an interest/look.

Okay, maybe a bit (/quite) redundant now after Rick's posting,
but for a slightly different take on same (and since I had
just about finished draft response anyway) ...

For such emails, more generally speaking, I start with such clues as
From: address, Subject: field data, and Date: field data,
often from those it's pretty obvious if it's spam/phish email, in which
case I typically don't examine further (if it looks and smells like
spam/phish, it probably is).

If I have need/reason to examine further, I may look at text of body -
but not something that does HTML interpretation or anything like
that ... or at least certainly not a GUI web browser, though on
very rare occasion I might inspect with a text-only no-Java,
no-JavaScript web browser - notably lynx (though there are also others).
Again, same rule - if it looks/smells like spam/phish, it probably is.

If I have need/reason to examine further (like maybe I'm curious and/or
bored, or perhaps not clear if it's spam/phish, or not), I'll examine full
headers.  That's generally the most definitive
as to whether or not it's spam/phish ... or more
precisely/accurately, if it was a legitimate sender and the sender
purported to be or not.  There can always be the fairly rare case
by comparison, where the email of a legitimate user gets cracked
and someone/something abuses the access to their account, to send
spam/phish - in which case it's from authorized sender's account
and all or most all the headers would be as "normal", but the content,
etc., would most generally quite clearly be spam/phish (unless it's
much more craftily targeted spear phishing - but that's a pretty tiny
percentage, and isn't as likely to be noticed until one looks more
carefully at details (typically body and/or headers)).

So the example you provide ... .ZIP attachment - typically
malware for Microsoft platforms (one may be able to confirm that
with ClamAV or the like).  @linuxmafia.com - very few legit senders
from that domain.  All or most all that exist would likely be
quite/highly clueful and not send to list they're not subscribed
to ... so I'm guessing if it's something like that, another major
hint it's probably forged ... and that's before we even start looking
at more of the "hard" data of actual headers evidence.

So, ... example email, before examining headers in detail, already
reeks of spam/phish.  We can examine headers.  Typically most useful
is Received: headers - though sometimes others may be rather to quite
useful/informative ... or not.

Additional comments further below in-line:

> From: jim <jim at well.com>
> Subject: [sf-lug] Suspicious email from LinuxMafia
> Date: Wed, 9 Mar 2016 16:18:33 +0000

>
>     I do minor administration for the sf-lug mailing list,
> working under the name of Saunders^H^H^H^H^H^H^H^H
> sf-lug-owner at linuxmafia.com
>
>     sf-lug-owner at linuxmafia.com got email today. I'd like
> help figuring it out.
>
> * The sender appears as admin <adm79 at linuxmafia.com>
> * The Subject field is  DOC-418DF795B8DB
>
> * The message body seems empty.
> * There's an attachment  DOC-418DF795B8DB.zip  (2.7KB)
>
> I've copied the complete header information below; I myself
> have not sufficient experience to be confident in my interpretation
> of the header and other info.
> * It seems to have gotten to me via the well, which got it from
>   a sender named mailmanbounces at linuxmafia.com
> * at the bottom are a couple of Apple-Mail clauses that
>   seem to encapsulate the attachment, which claims
>   to be 7-bit ASCII.
>
> The message source below shows the following
> (beware: read-only, there may be malicious code hidden) :
>
> ----------------------------------------------------------------
>
> From - Wed Mar  9 15:27:50 2016
> X-Account-Key: account1
> X-UIDL: 366774.jSfAttEYpPpZ1gscU,LPY8mBuMZznl2XWCRvStObEEk=
> X-Mozilla-Status: 0005
> X-Mozilla-Status2: 00000000
> X-Mozilla-Keys:
> Return-Path: mailman-bounces at linuxmafia.com
> Received: from zimbra.well.com (LHLO zimbra.well.com) (172.30.1.189) by
>  zimbra.well.com with LMTP; Wed, 9 Mar 2016 05:00:33 -0800 (PST)
> Received: from localhost (localhost.localdomain [127.0.0.1])
> 	by zimbra.well.com (Postfix) with ESMTP id ABE8D100B9839
> 	for <jim at well.com>; Wed,  9 Mar 2016 05:00:33 -0800 (PST)
> X-Virus-Scanned: amavisd-new at well.com
> X-Spam-Flag: NO
> X-Spam-Score: -1.9
> X-Spam-Level:
> X-Spam-Status: No, score=-1.9 tagged_above=-10 required=5
> 	tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001,
> 	SPF_HELO_PASS=-0.001, TVD_SPACE_RATIO=0.001]
> 	autolearn=ham autolearn_force=no
> Received: from zimbra.well.com ([127.0.0.1])
> 	by localhost (zimbra.well.com [127.0.0.1]) (amavisd-new, port 10024)
> 	with ESMTP id p0-W4jevKv6I for <jim at well.com>;
> 	Wed,  9 Mar 2016 05:00:33 -0800 (PST)
> Received: from xmx.well.com (xmx.well.com [172.30.1.105])
> 	by zimbra.well.com (Postfix) with ESMTP id 2130B100B982C
> 	for <jim at zimbra.well.com>; Wed,  9 Mar 2016 05:00:33 -0800 (PST)
> X-Date: Wed, 9 Mar 2016 05:00:32 -0800
> Received: from linuxmafia.com (linuxmafia.COM [198.144.195.186])
> 	by xmx.well.com (8.14.4/8.14.3) with ESMTP id u29D0VLY003339
> 	(version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO)
> 	for <jim at well.com>; Wed, 9 Mar 2016 05:00:32 -0800
> Received: from localhost ([127.0.0.1] helo=linuxmafia.com)
> 	by linuxmafia.com with esmtp (Exim 4.72)
> 	(envelope-from <mailman-bounces at linuxmafia.com>)
> 	id 1addj5-0000GO-30
> 	for jim at well.com; Wed, 09 Mar 2016 05:00:31 -0800
> Received: from [5.239.148.71] (helo=Olive)
> 	by linuxmafia.com with esmtp (Exim 4.72)
> 	(envelope-from <adm79 at linuxmafia.com>) id 1addj0-0000GE-4T
> 	for sf-lug-owner at linuxmafia.com; Wed, 09 Mar 2016 05:00:29 -0800

Next, start with the Received: headers, bottom up ... above would
appear to be received by linuxmafia.com (as we'd expect in this case),
and from 5.239.148.71.  And where in the world is 5.239.148.71
and who/what is responsible for it?

$ geoiplookup 5.239.148.71
GeoIP Country Edition: IR, Iran, Islamic Republic of
$

Rick may travel a bit :-)  But highly unlikely some legitimate email
from some other linuxmafia.com user would suddenly be coming out of Iran.
We can declare it phish/spam here and stop, ... or check yet further.

$ dig -x 5.239.148.71 +short
$

No "reverse" DNS for that IP, so not likely to be a legitimate email
server that sent it.

Looking increasingly improbable to be legit.

$ whois -H 5.239.148.71 2>&1 | less
...
inetnum:        5.239.144.0 - 5.239.179.255
netname:        TCIQOM
descr:          Telecommunication Company of Qom
country:        IR
...

I'd probably give up and declare it phish/scam by then.
If it happened to come via an IP address we could more-or-less
reasonably trust and/or presume was at least mostly giving us
accurate information, we could go up the Received: chain of
headers more, but in this case since we have no reason to presume
that IP that talked to the linuxmafia.com server told us the truth
all of the other Received: header data may be forged anyway.  Or
not, but we can't trust it.  Maybe it's a legit ISP mostly doing
their job, and something that went through their email server(s),
and maybe we have a chain that goes back to, e.g. some Microsoft
Windows box that's a zombie in someone's spam/phish bot network.
Or maybe that IP is from such a malware infested bot zombie
already.  Could research and perhaps figure out which, but in this
case I'm not that interested to do so.  No shortage 'o spam/phish
etc. out there one can investigate in detail if one wishes.  This
is just one among many trillions or more of such messages.

I'd generally rather spend time doing other things.  :-)

There are also additional and/or alternative ways to get to pretty
much the same conclusions - e.g., as Rick mentioned, the
envelope "From " sender and the data from that (not to be confused
with the "From: " header field) is also an excellent starting
point.  And with spam/phish, if nothing else, content is
typically a pretty clear dead giveaway ... but who the heck wants
to actually *read* that, ... ugh.  ;-)  (If I can determine by
sender or purported sender and subject that it's spam/phish or
highly probable to be so, I typically don't even examine it
further).

> Content-Type: multipart/mixed;
> 	boundary=Apple-Mail-A6B670A7-7D07-F956-841E-2BDC62E0408E
> Content-Transfer-Encoding: 7bit
> From: admin <adm79 at linuxmafia.com>
> Mime-Version: 1.0 (1.0)
> Date: Wed, 09 Mar 2016 16:30:17 +0430
> Message-Id: <2EFC41B8-150B-7388-875F-0C60C5DC at linuxmafia.com>
> To: sf-lug-owner at linuxmafia.com
> X-Mailer: iPhone Mail (11B554a)
> X-Scanned-By: CanIt (www . roaringpenguin . com)
> Subject: DOC-418DF795B8DB
> Sender: mailman-bounces at linuxmafia.com
> Errors-To: mailman-bounces at linuxmafia.com
> X-SA-Exim-Connect-IP: 127.0.0.1
> X-SA-Exim-Mail-From: mailman-bounces at linuxmafia.com
> X-SA-Exim-Scanned: No (on linuxmafia.com); SAEximRunCond expanded to false
>
>
> --Apple-Mail-A6B670A7-7D07-F956-841E-2BDC62E0408E
> Content-Type: text/plain;
> 	charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
>
>
>
> --Apple-Mail-A6B670A7-7D07-F956-841E-2BDC62E0408E
> Content-Type: application/zip;
> 	name=DOC-418DF795B8DB.zip
> Content-Disposition: attachment;
> 	filename=DOC-418DF795B8DB.zip
> Content-Transfer-Encoding: base64
>
> UEsDBBQAAgAIALxxaUhGlKN/cQoAANIYAAAQAAAATEVKNTA0MzIzOTIwMi5qc8VYa3MbtxX9
> npn8B3gzyVCyRFqx6/hRTSrZdOLGr1q0447ED9hdkIQJAmsAK5F29N977sUuKdJkOp1pp5oh
> CS1wL+7j3Nf2eteiP69cUCLUVeV8FJfSBzFyXhTOXiqrlS1Wm8fiTH/+bFR39eDL9eNvvwGR
> mL+S9Ss/waPz7HV2u5N5aaeqzA6y3OvxJDqL5Uxao60KAesQcWJsFJZX+Wm2dzsbMd1YRsX7
> Uyzw+7yf7R2IbH6W3c5evjOLOKZTMzmbuTjB/sTNVNDFtGE7xlNdYFG4WaWitmOs3xP7z6Ps
> QHSyShex9sS5qlVuHBZS+8pIS8/6czpaSVviur691B6/jm4cGRkmiR1WwfEVl8rjt1SF8zLq
> S+JgZ8rGM+ISvbagHkMskX1PPCyMNqlnufKGbjjIRtoYNtKgTxQvcfzN93S89zavnqh5Jm6L
> rEuk0lo90Qa3sCWNKyTbbqQ9M4h1EXhHEaO5IiZv2Q9qrGd0UtuRtFEzVW5kMYUYfsFqQE/4
> mcxXW7b2SUGklXdlXTR6hairenm/+lTrSMRR032XEFx9YDlhmkIn1xULeLtkE72mU/lHOoZP
> EUm837E6w0WZ1xWRAlXKAxZ166DajqW2hq6BKEbP05Xw7Ky2OkS6vkuMzyZEnytZTFiL3IOu
> tYUx7PcQZZ4n/0XlZ9pKQ0eheamLVq0cBNDBFxMoTdvAxSIRhUoZk7ua/bYC0cmM7vi7O4Ue
> Vf8d6fWShIFBAUDwzdngal7oBoxj5cZeVkCpNIRf6cvD3OmEAwbOB4L6ix/xza53VdQzPls6
> yA06EtXDBSo0PD+8fEGEv9LxqOSMRC89BysbrPaB1VHzyjiWezB4k+0NEbw9JAHxrirhMjE2
> LpeGkoCWkDsIUbqiJkAjrrF8zA/6Rs3S/7zVbRf0HD+PV1TPw6+Dly9w9pYOELGzYrfXpI1f
> 3kx/r3/7gCMI23DeZJHzozt3bt+/f3h0f//oznDYnPX6iZ/ipFVXLV2nJfhpuMe69Pb3hdgX
> ZyqG5WWHXgG3qryhl6O0lsuAh87iaiWK2nsSbCkhuPytkl7OxJdGsT9e5x9VEa/FOQ4NxYkV
> Km0I5MslneNDIjpRI6/iJ6jIN6xx9gr4sUF8aXm+bR7skKVHbJ6unNEm4rWHo9oWBOSOsK5U
> Yk98EaSzmMjwhMDo1YGgbxsPBDuJjEknf+afrruyyi/5/fFH2nwkKq9GyBWqxF7jizd2Opns
> 8MXDdV88VREaBgEAMMPwZ6Yli25YVu6w3KlzRkl7LQa+VkKPRolYB1BYZw8Zeu2lbEIG4cp4
> 7b8rszEDNpvYADWxRbLXIw3IcH0EeIK4miiPu8lVKtiLLIoFvK3mSE7g0Ql1MREyCONkiUCF
> kFAaZNqK531xKL679+Du3b3kpM0Lj5M0P/wgOrT42jn0dG9L8CUDfcXv580nXbLLK8gjbh0f
> i4uM7HWRwd0jZEb1WCwre3g3WEAcDr9lhP44HC4dfne4hzrV/ncvZRXRQFoo6c0CqjPgNCl/
> KY0u2bXGK1kugG0D78OydKyTkHm8yjCkLdYs8GBRJYEf0tNb9HhT0+TADTPAMN9+w6g9z5yl
> a5FeF/igLkQqSwXXEGR5P6NECWcvHLcEQRapxFokf0qiSL/ItWOVDW+AR3Rw7bff4GLWobnJ
> J54umtSd5FTvqW5JM0pMlSRm5QJi0Fn0BQUfKJwhmzjPZO4qVF5zwUNNG7J17i0vpD/y1Gwq
> 30fz8XW5EZjZCbG+dEBjkCPSSV6h6vD9M+REK7F4+pprHyoEYI62LxUW58fS6s98lIpr4MpT
> GKnJSk9J9tNuashQVXWqqcTDpoJzxkxzVMGm3MEQuZbJjiQELSKxoUYLlSuj3NEqtVTonHqw
> jLuEyhVTZPemw3NBN6V7rL0csXIK/hl2bvIhNJ6lnvURRd7Dw6OjA9Evx8gL4qRA6xNW4bmE
> DBLJCEqJ2lL8IjN7uAGBQhDRoIDTS2qRS0QN0iNcJTof/1EDOOK7o7sP797fa/DcSUl3rWaq
> kaxNfK/V1R7FeDrRja5icDcECclroh8dNQhrSWRZ9tGpxxfIOQopoiXasd2BAkmhC/QqafUr
> mlGj/EGKfLHDAzFhGe0ZGdnVaOrxu+B+OcXC0YbJ122OfHd0B+UWyUAIyvRBrSsSI/o3FnZT
> h9UOie/sDgUgObMWW+W/IoRpVmLirih/Q3y0sShPYRlZbeC+bTpVxC6wSj1hrksVNrpPxXOL
> KxfZcB1u16K3L04iJoC8jlTxDv8rfyhiW1XjwHCj0SRNFTMVucfLXYyOs5nE3KEoShzHY+WM
> 9BwpGHAcTyzcMaLM29B0rMifaKJ5EtMcoBRm5OU7uwPrrw/w7D2VyQXCRUYxVnFpBWRkaeD8
> toDLlXkgNqp0RKPhEFxRk8VQ9uaFqqjBBecHIk/lPiComvGze4PDMcpsAGlnVcxLfdnWcn3Z
> LWho42pHtU5fZI9XNeIWHbgpauciW56/yAhV11uDohvkpRq4Z2jeO1wmD8SPG3kHOADnpjR1
> wt7pYv9/iwZoioH+q/T3ZKKKKcXbSppwuhjIMekIffeh59I1HKRNCxZW9t5G+u8tLytUg/IJ
> htdyNQB0UVNRMdCWsl0uMrp+b4tPdsnaNcqO4+Sma6hhoU9EAkZlTA83EfpwhzpPbuDDWx7m
> u5QYboi843x7fcocPDXTKxUu7h9lsZqZHadKSiwIpE72C6eiAoijcLuUtY1M1B/QCE6DeyU1
> RSkuqmepHE9irB71emPiFCpZqC5N04hxsAKn2BRZiAhq5E5Vc//AQ3ItewFthpr1jBuH3sMH
> i0n+0/17ZVfx2wLO/aTLdrshdW8F0eniebnEzRIy+UJYso0QA8wzuXdTZTeJkKUmrqQxjRtn
> jNRTUVeUAzAeo50gXczikMYn4hVoZglpqpLC0yAuMY7HdUCzR8hva27m+/4cqGms3QArbXc1
> kaKlQZJyawDdigsWoOlMd2x3Wm5iG4pbGMEEfmGMDvzqJiL5eWmp6ARO4didtq+3sK08Ya59
> 5YEqsGqAyJPPn4qRRpKlRDvShrqaVHs3jZSs0Z9XvksE5xfZ86cXa41uR+jygF4PRjVfFmrm
> FdGau1G71d1wdxoy4DUFxtwzoe3ZeFHQcEvNLO7czookSLli6YwZxptzfA8xvpwPeeuaM8JK
> GVJ6hzrtvXQt1RQGiy67iCGDGOsIX1sVCllhfh61y0aCRoCtM+Rylwe4jQKjS0p51MinK5PQ
> j5uvpj/abP/u936iJxumxVBF1dMrw683aOKUyd/odHwsahpGSwiBIvyVaxuUrE93f6HpLhU0
> NMrZ2Lz752+jjKXNQnkyfvOJquKnZ+FZ8Rq2yohDO5s+83LMc1ga9pvwnqBSinH/dPBKbLR/
> LQQ/Bblpt9b/n6ipPlNpIDoxBliT48YB7GfxKLuB9v+nx4kjv3A4buPhK+e/ou2t4cB/W8+3
> gFlDPd8DMn55g6G6VjvxhMooChmLiehchcFg8NszQxJfty8AUVzXw35w8ksy258W/5/BfmUI
> OOU/zAw3WH1tkB1g2NoUNID4F1BLAQIUABQAAgAIALxxaUhGlKN/cQoAANIYAAAQAAAAAAAA
> AAEAIAAAAAAAAABMRUo1MDQzMjM5MjAyLmpzUEsFBgAAAAABAAEAPgAAAJ8KAAAAAA==
>
> --Apple-Mail-A6B670A7-7D07-F956-841E-2BDC62E0408E--
>
>
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> Information about SF-LUG is at http://www.sf-lug.org/
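As an added worked example (not code from Michael's or Jim's posts, and not anything the list or linuxmafia.com ships): a small Python script that does the bottom-up Received: walk described above against the header block quoted in the thread. The sample header text is the one quoted in the message; the set of trusted hosts (the list server plus the recipient's own well.com servers) is an assumption made for the example. The script stops at the first stamp a trusted server wrote for an outside address, reports that IP and its HELO, and returns any earlier hops as unverifiable, since those were written by the outside client and may be forged. The dig -x, geoiplookup and whois steps shown above are left to run by hand on the IP it finds.

```python
import email
import ipaddress
import re

# Constructed sample: the header block quoted in the thread (Received:
# chain in the order it appears, most recent hop first).  Addresses keep
# the list archive's "at" obfuscation; it does not affect parsing.
SAMPLE_HEADERS = """\
Return-Path: mailman-bounces at linuxmafia.com
Received: from zimbra.well.com (LHLO zimbra.well.com) (172.30.1.189) by
 zimbra.well.com with LMTP; Wed, 9 Mar 2016 05:00:33 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1])
\tby zimbra.well.com (Postfix) with ESMTP id ABE8D100B9839
\tfor <jim at well.com>; Wed,  9 Mar 2016 05:00:33 -0800 (PST)
Received: from zimbra.well.com ([127.0.0.1])
\tby localhost (zimbra.well.com [127.0.0.1]) (amavisd-new, port 10024)
\twith ESMTP id p0-W4jevKv6I for <jim at well.com>;
\tWed,  9 Mar 2016 05:00:33 -0800 (PST)
Received: from xmx.well.com (xmx.well.com [172.30.1.105])
\tby zimbra.well.com (Postfix) with ESMTP id 2130B100B982C
\tfor <jim at zimbra.well.com>; Wed,  9 Mar 2016 05:00:33 -0800 (PST)
Received: from linuxmafia.com (linuxmafia.COM [198.144.195.186])
\tby xmx.well.com (8.14.4/8.14.3) with ESMTP id u29D0VLY003339
\t(version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO)
\tfor <jim at well.com>; Wed, 9 Mar 2016 05:00:32 -0800
Received: from localhost ([127.0.0.1] helo=linuxmafia.com)
\tby linuxmafia.com with esmtp (Exim 4.72)
\t(envelope-from <mailman-bounces at linuxmafia.com>)
\tid 1addj5-0000GO-30
\tfor jim at well.com; Wed, 09 Mar 2016 05:00:31 -0800
Received: from [5.239.148.71] (helo=Olive)
\tby linuxmafia.com with esmtp (Exim 4.72)
\t(envelope-from <adm79 at linuxmafia.com>) id 1addj0-0000GE-4T
\tfor sf-lug-owner at linuxmafia.com; Wed, 09 Mar 2016 05:00:29 -0800
From: admin <adm79 at linuxmafia.com>
Subject: DOC-418DF795B8DB

"""

# Assumption for this example: servers whose Received: stamps we believe
# (the list server and the recipient's own mail servers).
TRUSTED_HOSTS = {"linuxmafia.com", "xmx.well.com", "zimbra.well.com", "localhost"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HELO_RE = re.compile(r"helo=([^\s)]+)", re.IGNORECASE)
FROM_BY_RE = re.compile(r"from\s+(.*?)\s+by\s+(\S+)", re.IGNORECASE)


def _norm_host(name):
    return name.lower().rstrip(".") if name else ""


def parse_received(value):
    """Pull the 'from' name, connecting IP, HELO and 'by' host out of one
    Received: header (handles the Exim, Postfix, sendmail and LMTP spellings)."""
    text = " ".join(value.split())  # unfold continuation lines
    hop = {"raw": text, "from_name": None, "ip": None, "helo": None, "by": None}
    m = FROM_BY_RE.search(text)
    if not m:
        return hop
    from_part, hop["by"] = m.group(1), m.group(2)
    tokens = from_part.split()
    hop["from_name"] = tokens[0].strip("[]()") if tokens else None
    for cand in IPV4_RE.findall(from_part):
        try:
            ipaddress.ip_address(cand)  # reject things like 999.1.1.1
            hop["ip"] = cand
            break
        except ValueError:
            continue
    helo = HELO_RE.search(from_part)
    hop["helo"] = helo.group(1) if helo else None
    return hop


def parse_chain(raw_message):
    """Return hops in delivery order (bottom of the header block first)."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def is_internal_hop(hop, trusted_hosts):
    """Loopback/RFC1918 handoffs and hops from hosts we trust are plumbing,
    not the message's origin."""
    if not hop["ip"]:
        return True
    addr = ipaddress.ip_address(hop["ip"])
    return addr.is_private or addr.is_loopback or _norm_host(hop["from_name"]) in trusted_hosts


def first_external_hop(hops, trusted_hosts):
    """Walk from the most recent hop backwards; stop at the first stamp a
    trusted server wrote for an outside address.  Returns that hop and the
    earlier hops, which that outside client could have forged."""
    for i in range(len(hops) - 1, -1, -1):
        hop = hops[i]
        if _norm_host(hop["by"]) not in trusted_hosts:
            return None, hops[: i + 1]  # chain left our trusted zone
        if not is_internal_hop(hop, trusted_hosts):
            return hop, hops[:i]
    return None, []


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_HEADERS)
    for n, h in enumerate(chain, 1):
        print(f"hop {n}: from {h['from_name']} [{h['ip']}] helo={h['helo']} by {h['by']}")
    origin, unverified = first_external_hop(chain, TRUSTED_HOSTS)
    if origin:
        print(f"\noriginating client: {origin['ip']} (helo={origin['helo']})")
        print(f"earlier hops that cannot be trusted: {len(unverified)}")
        print(f"next: dig -x {origin['ip']} +short; geoiplookup {origin['ip']}; whois -H {origin['ip']}")
```

Run as-is it prints the seven hops in delivery order and names 5.239.148.71 (HELO "Olive") as the originating client, with zero unverifiable hops below it, which is exactly where the investigation above picks up with geoiplookup, dig -x and whois. Because the trusted-host set is an explicit parameter, the same walk can be applied to mail received on a different server by listing that server's own relays instead.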
