[sf-lug] Suspicious email purportedly from LinuxMafia

jim jim at well.com
Wed Mar 9 21:11:22 PST 2016


Thanks, Michael,
     I found your reply really helpful, mainly with respect to

* which header fields you inspect

* using the lynx text-only web browser (to avoid
   the chance of triggering scripts, yes?)

* "spear phishing" which is spam carefully
   crafted to appeal (and fool) a particular
   reader.

* "start with the Received headers, bottom up..."

* $ geoiplookup 5.239.148.71
   GeoIP Country Edition: IR, Iran, Islamic Republic of
   $

* $ dig -x 5.239.148.71 +short
   $
   No "reverse" DNS for that IP, so not likely to be a
   legitimate email server

* the envelope "From " sender and the data from that
   (not to be confused with the "From: " header field)
   is also an excellent starting point.

* $ whois -H 5.239.148.71 2>&1 | less
   ...
   inetnum:        5.239.144.0 - 5.239.179.255
   netname:        TCIQOM
   descr:          Telecommunication Company of Qom
   country:        IR
   ...



On 03/10/2016 02:09 AM, Michael Paoli wrote:
> Jim,
>
> Thanks for taking an interest/look.
>
> Okay, maybe a bit (/quite) redundant now after Rick's posting,
> but for a slightly different take on same (and since I had
> just about finished draft response anyway) ...
>
> For such emails, more generally speaking, I start with such clues as
> From: address, Subject: field data, and Date: field data,
> often from those it's pretty obvious if it's spam/phish email, in which
> case I typically don't examine further (if it looks and smells like
> spam/phish, it probably is).
>
> If I have need/reason to examine further, I may look at text of body -
> but not something that does HTML interpretation or anything like
> that ... or at least certainly not a GUI web browser, though on
> very rare occasion I might inspect with a text-only no-Java,
> no-JavaScript web browser - notably lynx (though there are also others).
> Again, same rule - if it looks/smells like spam/phish, it probably is.
>
> If I have need/reason to examine further (like maybe I'm curious and/or
> bored, or perhaps not clear if it's spam/phish, or not), I'll examine full
> headers.  That's generally the most definitive
> as to whether or not it's spam/phish or not ... or more
> precisely/accurately, if it was a legitimate sender and the sender
> purported to be or not.  There can always be the fairly rare case
> by comparison, where the email of a legitimate user gets cracked
> and someone/something abuses the access to their account, to send
> spam/phish - in which case it's from authorized sender's account
> and all or most all the headers would be as "normal", but the content,
> etc., would most generally quite clearly be spam/phish (unless it's
> much more craftily targeted spear phishing - but that's a pretty tiny
> percentage, and isn't as likely to be noticed until one looks more
> carefully at details (typically body and/or headers).
>
> So the example you provide ... .ZIP attachment - typically
> malware for Microsoft platforms (one may be able to confirm that
> with ClamAV or the like).  @linuxmafia.com - very few legit senders
> from that domain.  All or most all that exist would likely be
> quite/highly clueful and not send to list they're not subscribed
> to ... so I'm guessing if it's something like that, another major
> hint it's probably forged ... and that's before we even start looking
> at more of the "hard" data of actual headers evidence.
>
> So, ... example email, before examining headers in detail, already
> reeks of spam/phish.  We can examine headers.  Typically most useful
> is Received: headers - though sometimes others may be rather to quite
> useful/informative ... or not.
>
> Additional comments further below in-line:
>
>> From: jim <jim at well.com>
>> Subject: [sf-lug] Suspicious email from LinuxMafia
>> Date: Wed, 9 Mar 2016 16:18:33 +0000
>
>>
>>     I do minor administration for the sf-lug mailing list,
>> working under the name of Saunders^H^H^H^H^H^H^H^H
>> sf-lug-owner at linuxmafia.com
>>
>>     sf-lug-owner at linuxmafia.com got email today. I'd like
>> help figuring it out.
>>
>> * The sender appears as admin <adm79 at linuxmafia.com>
>> * The Subject field is  DOC-418DF795B8DB
>>
>> * The message body seems empty.
>> * There's an attachment  DOC-418DF795B8DB.zip  (2.7KB)
>>
>> I've copied the complete header information below; I myself
>> have not sufficient experience to be confident in my interpretation
>> of the header and other info.
>> * It seems to have gotten to me via the well, which got it from
>>   a sender named mailmanbounces at linuxmafia.com
>> * at the bottom are a couple of Apple-Mail clauses that
>>   seem to encapsulate the attachment, which claims
>>   to be 7-bit ASCII.
>>
>> The message source below shows the following
>> (beware: read-only, there may be malicious code hidden) :
>>
>> ----------------------------------------------------------------
>>
>> From - Wed Mar  9 15:27:50 2016
>> X-Account-Key: account1
>> X-UIDL: 366774.jSfAttEYpPpZ1gscU,LPY8mBuMZznl2XWCRvStObEEk=
>> X-Mozilla-Status: 0005
>> X-Mozilla-Status2: 00000000
>> X-Mozilla-Keys:
>> Return-Path: mailman-bounces at linuxmafia.com
>> Received: from zimbra.well.com (LHLO zimbra.well.com) (172.30.1.189) by
>>  zimbra.well.com with LMTP; Wed, 9 Mar 2016 05:00:33 -0800 (PST)
>> Received: from localhost (localhost.localdomain [127.0.0.1])
>>     by zimbra.well.com (Postfix) with ESMTP id ABE8D100B9839
>>     for <jim at well.com>; Wed,  9 Mar 2016 05:00:33 -0800 (PST)
>> X-Virus-Scanned: amavisd-new at well.com
>> X-Spam-Flag: NO
>> X-Spam-Score: -1.9
>> X-Spam-Level:
>> X-Spam-Status: No, score=-1.9 tagged_above=-10 required=5
>>     tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001,
>>     SPF_HELO_PASS=-0.001, TVD_SPACE_RATIO=0.001]
>>     autolearn=ham autolearn_force=no
>> Received: from zimbra.well.com ([127.0.0.1])
>>     by localhost (zimbra.well.com [127.0.0.1]) (amavisd-new, port 10024)
>>     with ESMTP id p0-W4jevKv6I for <jim at well.com>;
>>     Wed,  9 Mar 2016 05:00:33 -0800 (PST)
>> Received: from xmx.well.com (xmx.well.com [172.30.1.105])
>>     by zimbra.well.com (Postfix) with ESMTP id 2130B100B982C
>>     for <jim at zimbra.well.com>; Wed,  9 Mar 2016 05:00:33 -0800 (PST)
>> X-Date: Wed, 9 Mar 2016 05:00:32 -0800
>> Received: from linuxmafia.com (linuxmafia.COM [198.144.195.186])
>>     by xmx.well.com (8.14.4/8.14.3) with ESMTP id u29D0VLY003339
>>     (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO)
>>     for <jim at well.com>; Wed, 9 Mar 2016 05:00:32 -0800
>> Received: from localhost ([127.0.0.1] helo=linuxmafia.com)
>>     by linuxmafia.com with esmtp (Exim 4.72)
>>     (envelope-from <mailman-bounces at linuxmafia.com>)
>>     id 1addj5-0000GO-30
>>     for jim at well.com; Wed, 09 Mar 2016 05:00:31 -0800
>> Received: from [5.239.148.71] (helo=Olive)
>>     by linuxmafia.com with esmtp (Exim 4.72)
>>     (envelope-from <adm79 at linuxmafia.com>) id 1addj0-0000GE-4T
>>     for sf-lug-owner at linuxmafia.com; Wed, 09 Mar 2016 05:00:29 -0800
>
> Next, start with the Received: headers, bottom up ... above would
> appear to be received by linuxmafia.com (as we'd expect in this case),
> and from 5.239.148.71.  And where in the world is 5.239.148.71
> and who/what is responsible for it?
>
> $ geoiplookup 5.239.148.71
> GeoIP Country Edition: IR, Iran, Islamic Republic of
> $
>
> Rick may travel a bit :-)  But highly unlikely some legitimate email
> from some other linuxmafia.com user would suddenly be coming out of Iran.
> We can declare it phish/spam here and stop, ... or check yet further.
>
> $ dig -x 5.239.148.71 +short
> $
>
> No "reverse" DNS for that IP, so not likely to be a legitimate email
> server that sent it.
>
> Looking increasingly improbable to be legit.
>
> $ whois -H 5.239.148.71 2>&1 | less
> ...
> inetnum:        5.239.144.0 - 5.239.179.255
> netname:        TCIQOM
> descr:          Telecommunication Company of Qom
> country:        IR
> ...
>
> I'd probably give up and declare it phish/scam by then.
> If it happened to come via an IP address we could more-or-less
> reasonably trust and/or presume was at least mostly giving us
> accurate information, we could go up the Received: chain of
> headers more, but in this case since we have no reason to presume
> that IP that talked to the linuxmafia.com server told us the truth
> all of the other Received: header data may be forged anyway.  Or
> not, but we can't trust it.  Maybe it's a legit ISP mostly doing
> their job, and something that went through their email server(s),
> and maybe we have a chain that goes back to, e.g. some Microsoft
> Windows box that's a zombie in someone's spam/phish bot network.
> Or maybe that IP is from such a malware infested bot zombie
> already.  Could research and perhaps figure out which, but in this
> case I'm not that interested to do so.  No shortage 'o spam/phish
> etc. out there one can investigate in detail if one wishes.  This
> is just one among many trillions or more of such messages.
>
> I'd generally rather spend time doing other things.  :-)
>
> There are also additional and/or alternative ways to get to pretty
> much the same conclusions - e.g., as Rick mentioned, the
> envelope "From " sender and the data from that (not to be confused
> with the "From: " header field) is also an excellent starting
> point.  And with spam/phish, if nothing else, content is
> typically a pretty clear dead giveaway ... but who the heck wants
> to actually *read* that, ... ugh.  ;-)  (If I can determine by
> sender or purported sender and subject that it's spam/phish or
> highly probable to be so, I typically don't even examine it
> further).
>
>> Content-Type: multipart/mixed;
>>     boundary=Apple-Mail-A6B670A7-7D07-F956-841E-2BDC62E0408E
>> Content-Transfer-Encoding: 7bit
>> From: admin <adm79 at linuxmafia.com>
>> Mime-Version: 1.0 (1.0)
>> Date: Wed, 09 Mar 2016 16:30:17 +0430
>> Message-Id: <2EFC41B8-150B-7388-875F-0C60C5DC at linuxmafia.com>
>> To: sf-lug-owner at linuxmafia.com
>> X-Mailer: iPhone Mail (11B554a)
>> X-Scanned-By: CanIt (www . roaringpenguin . com)
>> Subject: DOC-418DF795B8DB
>> Sender: mailman-bounces at linuxmafia.com
>> Errors-To: mailman-bounces at linuxmafia.com
>> X-SA-Exim-Connect-IP: 127.0.0.1
>> X-SA-Exim-Mail-From: mailman-bounces at linuxmafia.com
>> X-SA-Exim-Scanned: No (on linuxmafia.com); SAEximRunCond expanded to 
>> false
>>
>>
>> --Apple-Mail-A6B670A7-7D07-F956-841E-2BDC62E0408E
>> Content-Type: text/plain;
>>     charset=us-ascii
>> Content-Transfer-Encoding: 7bit
>>
>>
>>
>>
>> --Apple-Mail-A6B670A7-7D07-F956-841E-2BDC62E0408E
>> Content-Type: application/zip;
>>     name=DOC-418DF795B8DB.zip
>> Content-Disposition: attachment;
>>     filename=DOC-418DF795B8DB.zip
>> Content-Transfer-Encoding: base64
>>
>> UEsDBBQAAgAIALxxaUhGlKN/cQoAANIYAAAQAAAATEVKNTA0MzIzOTIwMi5qc8VYa3MbtxX9
>> npn8B3gzyVCyRFqx6/hRTSrZdOLGr1q0447ED9hdkIQJAmsAK5F29N977sUuKdJkOp1pp5oh
>> CS1wL+7j3Nf2eteiP69cUCLUVeV8FJfSBzFyXhTOXiqrlS1Wm8fiTH/+bFR39eDL9eNvvwGR
>> mL+S9Ss/waPz7HV2u5N5aaeqzA6y3OvxJDqL5Uxao60KAesQcWJsFJZX+Wm2dzsbMd1YRsX7
>> Uyzw+7yf7R2IbH6W3c5evjOLOKZTMzmbuTjB/sTNVNDFtGE7xlNdYFG4WaWitmOs3xP7z6Ps
>> QHSyShex9sS5qlVuHBZS+8pIS8/6czpaSVviur691B6/jm4cGRkmiR1WwfEVl8rjt1SF8zLq
>> S+JgZ8rGM+ISvbagHkMskX1PPCyMNqlnufKGbjjIRtoYNtKgTxQvcfzN93S89zavnqh5Jm6L
>> rEuk0lo90Qa3sCWNKyTbbqQ9M4h1EXhHEaO5IiZv2Q9qrGd0UtuRtFEzVW5kMYUYfsFqQE/4
>> mcxXW7b2SUGklXdlXTR6hairenm/+lTrSMRR032XEFx9YDlhmkIn1xULeLtkE72mU/lHOoZP
>> EUm837E6w0WZ1xWRAlXKAxZ166DajqW2hq6BKEbP05Xw7Ky2OkS6vkuMzyZEnytZTFiL3IOu
>> tYUx7PcQZZ4n/0XlZ9pKQ0eheamLVq0cBNDBFxMoTdvAxSIRhUoZk7ua/bYC0cmM7vi7O4Ue
>> Vf8d6fWShIFBAUDwzdngal7oBoxj5cZeVkCpNIRf6cvD3OmEAwbOB4L6ix/xza53VdQzPls6
>> yA06EtXDBSo0PD+8fEGEv9LxqOSMRC89BysbrPaB1VHzyjiWezB4k+0NEbw9JAHxrirhMjE2
>> LpeGkoCWkDsIUbqiJkAjrrF8zA/6Rs3S/7zVbRf0HD+PV1TPw6+Dly9w9pYOELGzYrfXpI1f
>> 3kx/r3/7gCMI23DeZJHzozt3bt+/f3h0f//oznDYnPX6iZ/ipFVXLV2nJfhpuMe69Pb3hdgX
>> ZyqG5WWHXgG3qryhl6O0lsuAh87iaiWK2nsSbCkhuPytkl7OxJdGsT9e5x9VEa/FOQ4NxYkV
>> Km0I5MslneNDIjpRI6/iJ6jIN6xx9gr4sUF8aXm+bR7skKVHbJ6unNEm4rWHo9oWBOSOsK5U
>> Yk98EaSzmMjwhMDo1YGgbxsPBDuJjEknf+afrruyyi/5/fFH2nwkKq9GyBWqxF7jizd2Opns
>> 8MXDdV88VREaBgEAMMPwZ6Yli25YVu6w3KlzRkl7LQa+VkKPRolYB1BYZw8Zeu2lbEIG4cp4
>> 7b8rszEDNpvYADWxRbLXIw3IcH0EeIK4miiPu8lVKtiLLIoFvK3mSE7g0Ql1MREyCONkiUCF
>> kFAaZNqK531xKL679+Du3b3kpM0Lj5M0P/wgOrT42jn0dG9L8CUDfcXv580nXbLLK8gjbh0f
>> i4uM7HWRwd0jZEb1WCwre3g3WEAcDr9lhP44HC4dfne4hzrV/ncvZRXRQFoo6c0CqjPgNCl/
>> KY0u2bXGK1kugG0D78OydKyTkHm8yjCkLdYs8GBRJYEf0tNb9HhT0+TADTPAMN9+w6g9z5yl
>> a5FeF/igLkQqSwXXEGR5P6NECWcvHLcEQRapxFokf0qiSL/ItWOVDW+AR3Rw7bff4GLWobnJ
>> J54umtSd5FTvqW5JM0pMlSRm5QJi0Fn0BQUfKJwhmzjPZO4qVF5zwUNNG7J17i0vpD/y1Gwq
>> 30fz8XW5EZjZCbG+dEBjkCPSSV6h6vD9M+REK7F4+pprHyoEYI62LxUW58fS6s98lIpr4MpT
>> GKnJSk9J9tNuashQVXWqqcTDpoJzxkxzVMGm3MEQuZbJjiQELSKxoUYLlSuj3NEqtVTonHqw
>> jLuEyhVTZPemw3NBN6V7rL0csXIK/hl2bvIhNJ6lnvURRd7Dw6OjA9Evx8gL4qRA6xNW4bmE
>> DBLJCEqJ2lL8IjN7uAGBQhDRoIDTS2qRS0QN0iNcJTof/1EDOOK7o7sP797fa/DcSUl3rWaq
>> kaxNfK/V1R7FeDrRja5icDcECclroh8dNQhrSWRZ9tGpxxfIOQopoiXasd2BAkmhC/QqafUr
>> mlGj/EGKfLHDAzFhGe0ZGdnVaOrxu+B+OcXC0YbJ122OfHd0B+UWyUAIyvRBrSsSI/o3FnZT
>> h9UOie/sDgUgObMWW+W/IoRpVmLirih/Q3y0sShPYRlZbeC+bTpVxC6wSj1hrksVNrpPxXOL
>> KxfZcB1u16K3L04iJoC8jlTxDv8rfyhiW1XjwHCj0SRNFTMVucfLXYyOs5nE3KEoShzHY+WM
>> 9BwpGHAcTyzcMaLM29B0rMifaKJ5EtMcoBRm5OU7uwPrrw/w7D2VyQXCRUYxVnFpBWRkaeD8
>> toDLlXkgNqp0RKPhEFxRk8VQ9uaFqqjBBecHIk/lPiComvGze4PDMcpsAGlnVcxLfdnWcn3Z
>> LWho42pHtU5fZI9XNeIWHbgpauciW56/yAhV11uDohvkpRq4Z2jeO1wmD8SPG3kHOADnpjR1
>> wt7pYv9/iwZoioH+q/T3ZKKKKcXbSppwuhjIMekIffeh59I1HKRNCxZW9t5G+u8tLytUg/IJ
>> htdyNQB0UVNRMdCWsl0uMrp+b4tPdsnaNcqO4+Sma6hhoU9EAkZlTA83EfpwhzpPbuDDWx7m
>> u5QYboi843x7fcocPDXTKxUu7h9lsZqZHadKSiwIpE72C6eiAoijcLuUtY1M1B/QCE6DeyU1
>> RSkuqmepHE9irB71emPiFCpZqC5N04hxsAKn2BRZiAhq5E5Vc//AQ3ItewFthpr1jBuH3sMH
>> i0n+0/17ZVfx2wLO/aTLdrshdW8F0eniebnEzRIy+UJYso0QA8wzuXdTZTeJkKUmrqQxjRtn
>> jNRTUVeUAzAeo50gXczikMYn4hVoZglpqpLC0yAuMY7HdUCzR8hva27m+/4cqGms3QArbXc1
>> kaKlQZJyawDdigsWoOlMd2x3Wm5iG4pbGMEEfmGMDvzqJiL5eWmp6ARO4didtq+3sK08Ya59
>> 5YEqsGqAyJPPn4qRRpKlRDvShrqaVHs3jZSs0Z9XvksE5xfZ86cXa41uR+jygF4PRjVfFmrm
>> FdGau1G71d1wdxoy4DUFxtwzoe3ZeFHQcEvNLO7czookSLli6YwZxptzfA8xvpwPeeuaM8JK
>> GVJ6hzrtvXQt1RQGiy67iCGDGOsIX1sVCllhfh61y0aCRoCtM+Rylwe4jQKjS0p51MinK5PQ
>> j5uvpj/abP/u936iJxumxVBF1dMrw683aOKUyd/odHwsahpGSwiBIvyVaxuUrE93f6HpLhU0
>> NMrZ2Lz752+jjKXNQnkyfvOJquKnZ+FZ8Rq2yohDO5s+83LMc1ga9pvwnqBSinH/dPBKbLR/
>> LQQ/Bblpt9b/n6ipPlNpIDoxBliT48YB7GfxKLuB9v+nx4kjv3A4buPhK+e/ou2t4cB/W8+3
>> gFlDPd8DMn55g6G6VjvxhMooChmLiehchcFg8NszQxJfty8AUVzXw35w8ksy258W/5/BfmUI
>> OOU/zAw3WH1tkB1g2NoUNID4F1BLAQIUABQAAgAIALxxaUhGlKN/cQoAANIYAAAQAAAAAAAA
>> AAEAIAAAAAAAAABMRUo1MDQzMjM5MjAyLmpzUEsFBgAAAAABAAEAPgAAAJ8KAAAAAA==
>>
>> --Apple-Mail-A6B670A7-7D07-F956-841E-2BDC62E0408E--
>>
>>
>> _______________________________________________
>> sf-lug mailing list
>> sf-lug at linuxmafia.com
>> http://linuxmafia.com/mailman/listinfo/sf-lug
>> Information about SF-LUG is at http://www.sf-lug.org/
>
>

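As an added example (not code from this thread, from the posters, or from the list's software), the following Python script applies the bottom-up Received: walk described above to a trimmed copy of the headers quoted in the thread. The sample message is constructed here: the archive's "user at domain" obfuscation is undone, the headers are abridged to the ones the walk actually uses, and the zip body is replaced by a few placeholder bytes. The script pulls out what the shell tools above then need as input (the connecting IP, its HELO name, the envelope sender, the Date: header's clock offset, and the attachment list); the geoiplookup/dig/whois steps themselves need network access and are left to those tools.

```python
"""Offline triage of a suspicious email: walk Received: headers bottom-up.

Constructed example for this thread; not code from the sf-lug posters.
The sample below is abridged from the headers quoted in the thread, with
the archive's "at" obfuscation restored to "@" and a placeholder body.
"""
import base64
import email
import email.utils
import ipaddress
import re

BOUNDARY = "Apple-Mail-A6B670A7-7D07-F956-841E-2BDC62E0408E"
# Constructed placeholder, not the attachment that was actually sent.
FAKE_ZIP_B64 = base64.b64encode(b"PK placeholder, not the real attachment").decode()

RAW_MESSAGE = f"""\
Return-Path: mailman-bounces@linuxmafia.com
Received: from linuxmafia.com (linuxmafia.COM [198.144.195.186])
    by xmx.well.com (8.14.4/8.14.3) with ESMTP id u29D0VLY003339
    for <jim@well.com>; Wed, 9 Mar 2016 05:00:32 -0800
Received: from localhost ([127.0.0.1] helo=linuxmafia.com)
    by linuxmafia.com with esmtp (Exim 4.72)
    (envelope-from <mailman-bounces@linuxmafia.com>)
    id 1addj5-0000GO-30
    for jim@well.com; Wed, 09 Mar 2016 05:00:31 -0800
Received: from [5.239.148.71] (helo=Olive)
    by linuxmafia.com with esmtp (Exim 4.72)
    (envelope-from <adm79@linuxmafia.com>) id 1addj0-0000GE-4T
    for sf-lug-owner@linuxmafia.com; Wed, 09 Mar 2016 05:00:29 -0800
Content-Type: multipart/mixed; boundary={BOUNDARY}
From: admin <adm79@linuxmafia.com>
Date: Wed, 09 Mar 2016 16:30:17 +0430
To: sf-lug-owner@linuxmafia.com
Subject: DOC-418DF795B8DB

--{BOUNDARY}
Content-Type: text/plain; charset=us-ascii

--{BOUNDARY}
Content-Type: application/zip; name=DOC-418DF795B8DB.zip
Content-Disposition: attachment; filename=DOC-418DF795B8DB.zip
Content-Transfer-Encoding: base64

{FAKE_ZIP_B64}
--{BOUNDARY}--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([^\s)]+)", re.IGNORECASE)
ENV_FROM_RE = re.compile(r"envelope-from <([^>]+)>", re.IGNORECASE)


def parse_message(raw=RAW_MESSAGE):
    return email.message_from_string(raw)


def received_hops(msg):
    """Received: headers in delivery order (origin first), folding removed."""
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def first_public_ip(msg):
    """Bottom-up walk: the first hop carrying a public IP is the earliest
    handoff attributable to an outside host; loopback/private hops are skipped."""
    for hop in received_hops(msg):
        for ip in IP_RE.findall(hop):
            if ipaddress.ip_address(ip).is_global:
                return ip
    return None


def origin_hop_details(msg):
    """Facts on the earliest hop worth feeding to geoip/dig/whois: the
    connecting IP, the HELO name it announced, and its envelope sender."""
    hop = received_hops(msg)[0]
    ip = IP_RE.search(hop)
    helo = HELO_RE.search(hop)
    env = ENV_FROM_RE.search(hop)
    return {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        # A real mail server announces a fully qualified name; "Olive" is not one.
        "helo_is_fqdn": bool(helo and "." in helo.group(1)),
        "envelope_from": env.group(1) if env else None,
    }


def sender_mismatch(msg):
    """Envelope-from at the origin hop versus the From: header address.
    Agreement proves nothing (a forger controls both); disagreement is a flag."""
    header_from = email.utils.parseaddr(msg.get("From", ""))[1]
    envelope_from = origin_hop_details(msg)["envelope_from"] or ""
    return header_from, envelope_from, header_from.lower() != envelope_from.lower()


def date_offset_minutes(msg):
    """UTC offset declared in Date: (the sender's clock), in minutes; compare
    it with the offsets the receiving servers stamped on their Received: lines."""
    return int(email.utils.parsedate_to_datetime(msg["Date"]).utcoffset().total_seconds() // 60)


def attachments(msg):
    """(filename, content-type) for each attachment; archives merit a scan."""
    return [(p.get_filename(), p.get_content_type()) for p in msg.walk() if p.get_filename()]


def triage(raw=RAW_MESSAGE):
    msg = parse_message(raw)
    return {
        "first_public_ip": first_public_ip(msg),
        "origin": origin_hop_details(msg),
        "sender": sender_mismatch(msg),
        "date_offset_minutes": date_offset_minutes(msg),
        "attachments": attachments(msg),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the sample, the walk stops at the bottom hop: the public IP 5.239.148.71 with a bare HELO name and an envelope sender claiming the list's own domain, while the Date: header carries a +0430 offset against the -0800 stamps of every receiving server. Those are exactly the values the thread then hands to geoiplookup, dig -x and whois.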