
New bitcoin ransom message today
There is a new Bitcoin ransom spam. It threatens to blow up a bomb unless
the bitcoin payment is made, so the body text is different. Subjects
include:

Bomb is in your building
Rescue service will complicate the situation
Think twice
keep calm

We got a group of them from 194.58.61/24

I do not have a good copy of the body yet, and do not know what rules it
already hits. If anyone else here got these maybe you can beat me to
getting a sample.

I'll send more later if I get more information.

--
Joseph Brennan
Lead, Email and Systems Applications
RE: New bitcoin ransom message today [ In reply to ]
Our police department has gotten three (that I’m aware of) so far this morning. Almost certainly phony, but the authorities won’t have the luxury of blowing it off like you can w/the sextortion cases.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From: Joseph Brennan [mailto:brennan@columbia.edu]
Sent: Thursday, December 13, 2018 9:57 AM
To: Mailing-List spamassassin
Subject: New bitcoin ransom message today


There is a new Bitcoin ransom spam. It threatens to blow up a bomb unless the bitcoin payment is made, so the body text is different. Subjects include:

Bomb is in your building
Rescue service will complicate the situation
Think twice
keep calm

We got a group of them from 194.58.61/24

I do not have a good copy of the body yet, and do not know what rules it already hits. If anyone else here got these maybe you can beat me to getting a sample.

I'll send more later if I get more information.

--
Joseph Brennan
Lead, Email and Systems Applications
RE: New bitcoin ransom message today [ In reply to ]
As requested:
http://puffin.net/software/spam/samples/0061_bitcoin_splosion.txt
I MUNGED the "To".
It's the latest of two sent to me by an awesome volunteer. :)

First thoughts:
Both were base64 encoded.
Both have "disclaimers" that they're not terrorists. :roll-eyes:

John Hardin: I'll ask for a full bundle from this volunteer (he's in your time zone), and send you full spamples of everything relevant.
- "Chip"
Re: New bitcoin ransom message today [ In reply to ]
Kevin Miller wrote on 2018-12-13 20:25:

Joining the top-posters department :=)

Xmas is coming to town


> Our police department has gotten three (that I’m aware of) so far
> this morning. Almost certainly phony, but the authorities won’t
> have the luxury of blowing it off like you can w/the sextortion cases.
>
>
> ...Kevin
>
> --
>
> Kevin Miller
>
> Network/email Administrator, CBJ MIS Dept.
>
> 155 South Seward Street
>
> Juneau, Alaska 99801
>
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No:
> 307357
>
> FROM: Joseph Brennan [mailto:brennan@columbia.edu]
> SENT: Thursday, December 13, 2018 9:57 AM
> TO: Mailing-List spamassassin
> SUBJECT: New bitcoin ransom message today
>
> There is a new Bitcoin ransom spam. It threatens to blow up a bomb
> unless the bitcoin payment is made, so the body text is different.
> Subjects include:
>
> Bomb is in your building
>
> Rescue service will complicate the situation
>
> Think twice
>
> keep calm
>
> We got a group of them from 194.58.61/24
>
> I do not have a good copy of the body yet, and do not know what rules
> it already hits. If anyone else here got these maybe you can beat me
> to getting a sample.
>
> I'll send more later if I get more information.
>
> --
>
> Joseph Brennan
> Lead, Email and Systems Applications
Re: New bitcoin ransom message today [ In reply to ]
Chip M. wrote on 2018-12-13 22:33:
> As requested:
> http://puffin.net/software/spam/samples/0061_bitcoin_splosion.txt
> I MUNGED the "To".
> It's the latest of two sent to me by an awesome volunteer. :)
>
> First thoughts:
> Both were base64 encoded.
> Both have "disclaimers" that they're not terrorists. :roll-eyes:
>
> John Hardin: I'll ask for a full bundle from this volunteer (he's in
> your time zone), and send you full spamples of everything relevant.
> - "Chip"

Authentication-Results: linode.junc.eu; dmarc=fail (p=quarantine
dis=none) header.from=IowaHoneypot.com
Authentication-Results: linode.junc.eu; dkim=none; dkim-atps=neutral

Is it possible to solve?

Don't make a DMARC policy if not DKIM signed; if SPF is important, disable
DKIM in the DMARC f= param.

As to the above spample, is it validly DKIM signed? Blacklist it based on
that, so no need to be using BTC on it.

Good Xmas
RE: New bitcoin ransom message today [ In reply to ]
Yeah, some of us are stuck with Outlook. Sucks but if top posting is the worst thing that happens to me today I'm waaaaay ahead of the game.

Used to be a plugin that worked with Outlook 2007 which would do a proper layout but it stopped working with newer versions.

But for your viewing pleasure: https://www.cnn.com/2018/12/13/us/email-bomb-threats/index.html

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357


-----Original Message-----
From: Benny Pedersen [mailto:me@junc.eu]
Sent: Thursday, December 13, 2018 1:19 PM
To: users@spamassassin.apache.org
Subject: Re: New bitcoin ransom message today

Kevin Miller wrote on 2018-12-13 20:25:

Joining the top-posters department :=)

Xmas is coming to town
Re: New bitcoin ransom message today [ In reply to ]
SVC: Administrator wrote on 2018-12-13 23:55:
> Yeah, some of us are stuck with Outlook.

oh

> Sucks but if top posting is
> the worst thing that happens to me today I'm waaaaay ahead of the
> game.

If the computer in front could run PHP, I would install Roundcube on it
to replace outdated software :=)

> Used to be a plugin that worked with Outlook 2007 which would do a
> proper layout but it stopped working with newer versions.

Time to update with open-source solutions.

> But for your viewing pleasure:
> https://www.cnn.com/2018/12/13/us/email-bomb-threats/index.html

I don't read fake news sites; likewise you don't read dr.dk? :=)
RE: New bitcoin ransom message today [ In reply to ]
On Thu, 13 Dec 2018, Chip M. wrote:

> As requested:
> http://puffin.net/software/spam/samples/0061_bitcoin_splosion.txt
> I MUNGED the "To".
> It's the latest of two sent to me by an awesome volunteer. :)
>
> First thoughts:
> Both were base64 encoded.
> Both have "disclaimers" that they're not terrorists. :roll-eyes:

It hits damned near nothing...

> John Hardin: I'll ask for a full bundle from this volunteer (he's in your time zone), and send you full spamples of everything relevant.
> - "Chip"

Thanks. I'll see what I can do, but I suspect that not having anything in
the masscheck corpus will make it difficult to get rules published.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Any time law enforcement becomes a revenue center, the system
becomes corrupt.
-----------------------------------------------------------------------
2 days until Bill of Rights day
RE: New bitcoin ransom message today [ In reply to ]
On Thu, 13 Dec 2018, John Hardin wrote:

> On Thu, 13 Dec 2018, Chip M. wrote:
>
>> As requested:
>> http://puffin.net/software/spam/samples/0061_bitcoin_splosion.txt
>> I MUNGED the "To".
>> It's the latest of two sent to me by an awesome volunteer. :)
>>
>> First thoughts:
>> Both were base64 encoded.
>> Both have "disclaimers" that they're not terrorists. :roll-eyes:
>
> It hits damned near nothing...
>
>> John Hardin: I'll ask for a full bundle from this volunteer (he's in your
>> time zone), and send you full spamples of everything relevant.
>> - "Chip"
>
> Thanks. I'll see what I can do, but I suspect that not having anything in the
> masscheck corpus will make it difficult to get rules published.

Initial rules checked into my sandbox.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The more you believe you can create heaven on earth
the more likely you are to set up guillotines in the public square
to hasten the process. -- James Lileks
-----------------------------------------------------------------------
2 days until Bill of Rights day
Re: New bitcoin ransom message today [ In reply to ]
BUF... this is getting beyond a joke!!!!  There are people paying to many of the BTC wallets of the scammers, hence accommodating its veracity...
:-(

-----PedroD
Re: New bitcoin ransom message today [ In reply to ]
On 12/13/2018 5:55 PM, SVC: Administrator wrote:
> Yeah, some of us are stuck with Outlook. Sucks but if top posting is the worst thing that happens to me today I'm waaaaay ahead of the game.
>
> Used to be a plugin that worked with Outlook 2007 which would do a proper layout but it stopped working with newer versions.
>
> But for your viewing pleasure: https://www.cnn.com/2018/12/13/us/email-bomb-threats/index.html

Frankly I've given up on trying to do a specific type of posting because
I have to use different clients on my phone, laptop, work machine, etc.
and I just have to do whatever works in the client I'm using.  I accept
whatever anyone else chooses to use because it's often out of their
control. 

10 years ago enforcing it made sense.  Now, too many large firms enforce
their preference.

--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: New bitcoin ransom message today [ In reply to ]
On 12/13/2018 8:10 PM, John Hardin wrote:
>
> Initial rules checked into my sandbox.

Also, this rash of spams is the target of my KAM_CRIM rules in
KAM.cf.  I've updated for the current explosive issue and am open to spamples.

However, many of us are not seeing these spams because of the IP
addresses and good RBLs.  I've actually not had one get through our
filters in a few weeks.

--
Kevin A. McGrail
VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: New bitcoin ransom message today [ In reply to ]
On Thu, Dec 13, 2018 at 09:33:58PM -0000, Chip M. wrote:
> As requested:
> http://puffin.net/software/spam/samples/0061_bitcoin_splosion.txt
> I MUNGED the "To".
> It's the latest of two sent to me by an awesome volunteer. :)
>
> First thoughts:
> Both were base64 encoded.
> Both have "disclaimers" that they're not terrorists. :roll-eyes:
>
this rule works iff you are using SA 4.x:

body HASHBL_BTC eval:check_hashbl_bodyre('bl.btcblack.it', 'raw/max=10/shuffle', '\b([13][a-km-zA-HJ-NP-Z1-9]{25,34})\b')
describe HASHBL_BTC Message contains BTC address found on BTCBL
priority HASHBL_BTC -100 # required priority to launch async lookups

It will check if the BTC address has been used for fraudulent purposes and has been reported to
the bitcoinabuse or bitcoinwhoswho web sites.

Giovanni
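Added example, not from the thread and not SpamAssassin code: the rule above hands every regex hit to a DNS blocklist, so anything that merely looks like an address costs a lookup. The script below does the first half of that work offline in Python. It decodes the base64-encoded body (both spamples were base64 encoded, as Chip noted; SA body rules likewise see the decoded text), applies the same regex, keeps only hits whose Base58Check checksum verifies, and builds the name a `raw` HashBL lookup would query. The sample message, the key material and the bucket of text are constructed; that the rule's `raw` option means "the address itself, unhashed, is the DNS label" is my assumption about HashBL; no DNS query is made.

```python
import base64
import hashlib
import re
from email import message_from_string, policy

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Same pattern as the HASHBL_BTC rule above: legacy (P2PKH/P2SH) addresses.
BTC_RE = re.compile(r"\b([13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on non-alphabet characters
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body


def base58check_ok(addr: str) -> bool:
    """True only if a regex hit also carries a valid Base58Check checksum,
    which drops lookalike strings the pattern alone accepts."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and _sha256d(raw[:-4])[:4] == raw[-4:]


def p2pkh_address(hash160: bytes) -> str:
    payload = b"\x00" + hash160  # version byte 0x00 = mainnet P2PKH
    return b58encode(payload + _sha256d(payload)[:4])


def btc_addresses(raw_message: str) -> list:
    """Decode the body (the email module undoes the base64
    Content-Transfer-Encoding) and return checksum-valid addresses
    in order of first appearance."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    found = []
    for addr in BTC_RE.findall(text):
        if base58check_ok(addr) and addr not in found:
            found.append(addr)
    return found


def hashbl_query_name(addr: str, zone: str = "bl.btcblack.it") -> str:
    """Name a 'raw' HashBL lookup would resolve. Assumption: the rule's raw
    option means the address itself, not a hash, is the label. No DNS here."""
    return f"{addr}.{zone}"


# Constructed sample, not one of the thread's spamples. A stand-in 20-byte
# hash160 gives a checksum-valid address; BAD_ADDR has its last character
# changed so the regex still matches but the checksum fails.
GOOD_ADDR = p2pkh_address(hashlib.sha256(b"constructed example key").digest()[:20])
BAD_ADDR = GOOD_ADDR[:-1] + ("2" if GOOD_ADDR[-1] != "2" else "3")
SAMPLE_BODY = (
    "We are not terrorists. There is an explosive device in your building.\n"
    f"Transfer the payment in bitcoin to {GOOD_ADDR} before the end of the day.\n"
    f"Order reference {BAD_ADDR} (do not call the police).\n"
)
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: Bomb is in your building\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n"
    "\n" + base64.b64encode(SAMPLE_BODY.encode()).decode() + "\n"
)

if __name__ == "__main__":
    for addr in btc_addresses(SAMPLE_MESSAGE):
        print(addr, "->", hashbl_query_name(addr))
```

The checksum filter is what makes the `max=10` cap in the rule less of a problem: on a message padded with address-shaped junk, only real addresses reach the lookup budget.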
RE: New bitcoin ransom message today [ In reply to ]
On Wed, 18 Dec 2019, John Hardin wrote:
>Can you post a spample

This is a very interesting pattern that I've seen in a few (9) spams
this week.
Here's a spample (with only the To header MUNGED):
http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt
Lindsay, is that what you're seeing?

All 9 have scored above SA's default threshold, however most just
barely. The biggest scoring hit was "TO_NO_BRKTS_DYNIP".
None hit any GIBBERISH test, though that could be an issue with the
webhost (it's a shared "plain vanilla" SA install, not a custom
tuned one).

What I found interesting was both the style chaff and the use of
"storage.googleapis" to hide the payload.
Google appears to have disabled the one in this spample.
The one I looked at yesterday had a "Meta refresh" to an
intermediate URL, which had a javascript redirect
(via "window.location.href") to the final target.
Both domains were relatively recently registered and both are _NOT_
on any major domain blocklist.

Another interesting "tell" is its sloppy/ridiculous SPF:
v=spf1 ip4:52.0.0.0/8 ip4:3.0.0.0/8 ip4:54.0.0.0/8 ip4:107.0.0.0/8 ip4:18.0.0.0/8 ip4:34.0.0.0/8 -all
Perhaps they're anticipating Amazon gobbling up more IP space?!?


Since the OP asked about non-SA approaches...
All hit my own filter's style size ratio test, with a
range of 98.3% to 99.1%.
I'm not a Perl programmer, so do not know if that is a practical
test to implement in SA.
It amazes me how much ham scores high on that!
I did a quick check of the last month for a highly diverse domain
and of emails with at least 90% "style", 16.7% were spam (all snow)
and 7% were ham (all ESP).
Next week I'll be datamining, so will look at that in more detail.


I've been scoring "storage.googleapis", however it's used by a lot
of non-security-competent Hammers, so it's difficult to give it more
than a small score.
IMO it would be worthwhile to score it at least a wee bit in case
that would help anybody convince their PHB that it's a Bad Practice.

John, perhaps a meta for style issues, AWS, and googleapis?
- "Chip"
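Added example, not from the thread and not Chip's filter: a Python sketch of the "style size ratio" test described above, together with extraction of where the page sends the reader (meta refresh, `window.location.href`, plain links) and a flag for anything on `storage.googleapis.com`. My reading of the ratio is bytes inside `<style>` elements over total HTML bytes, inline `style=` attributes not counted; the three HTML documents are constructed to mimic the described pattern, and the bucket and landing names in them are invented.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GCS_HOST = "storage.googleapis.com"
JS_REDIRECT_RE = re.compile(
    r"(?:window\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]", re.I)
META_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)


class _Meter(HTMLParser):
    """Byte-counts <style> content and records where the page sends the
    reader: href links, meta refresh targets and window.location redirects."""

    def __init__(self):
        super().__init__()
        self.mode = None          # "style", "script" or None
        self.style_bytes = 0
        self.targets = []         # (kind, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("style", "script"):
            self.mode = tag
        elif tag == "a" and a.get("href"):
            self.targets.append(("href", a["href"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(a.get("content", ""))
            if m:
                self.targets.append(("meta-refresh", m.group(1)))

    def handle_endtag(self, tag):
        if tag == self.mode:
            self.mode = None

    def handle_data(self, data):
        if self.mode == "style":
            self.style_bytes += len(data.encode("utf-8"))
        elif self.mode == "script":
            for url in JS_REDIRECT_RE.findall(data):
                self.targets.append(("js-redirect", url))


def hosted_on_gcs(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host == GCS_HOST or host.endswith("." + GCS_HOST)


def analyze(html: str) -> dict:
    """style_ratio = bytes inside <style> elements / total HTML bytes
    (assumed meaning of the 'style size ratio' test; style= attributes
    are not counted)."""
    p = _Meter()
    p.feed(html)
    p.close()
    total = len(html.encode("utf-8"))
    return {
        "style_ratio": p.style_bytes / total if total else 0.0,
        "targets": p.targets,
        "gcs_hosted": [u for _, u in p.targets if hosted_on_gcs(u)],
    }


# Constructed samples, not the thread's spamples. The spam mimics the pattern
# described above: hundreds of unused CSS rules as chaff, a tiny visible body
# and a meta refresh to a storage.googleapis.com object (bucket name invented).
CHAFF = "".join(f".c{i}{{color:#{i:06x};margin:{i % 9}px}}" for i in range(400))
SPAM_HTML = (
    '<html><head><meta http-equiv="refresh" '
    'content="0;url=https://storage.googleapis.com/example-bucket/landing.html">'
    f"<style>{CHAFF}</style></head>"
    '<body><p class="c17">Open your statement</p></body></html>'
)
INTERMEDIATE_HTML = (
    "<html><body><script>"
    'window.location.href = "https://final-landing.example.invalid/";'
    "</script></body></html>"
)
HAM_HTML = (
    "<html><head><style>p{font-family:sans-serif}</style></head>"
    "<body><p>Hi team, the minutes from Thursday are attached.</p>"
    '<p><a href="https://intranet.example.invalid/minutes">Minutes</a></p>'
    "</body></html>"
)

if __name__ == "__main__":
    for name, doc in (("spam", SPAM_HTML), ("ham", HAM_HTML)):
        r = analyze(doc)
        print(f"{name}: style ratio {r['style_ratio']:.1%}, gcs={r['gcs_hosted']}")
```

As Chip observed, ESP-generated ham also carries a lot of style, so the ratio is a scoring input rather than a verdict; combining it with a redirect into shared cloud storage is what separates the two constructed samples here.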
Re: New bitcoin ransom message today [ In reply to ]
On 2019-12-19 17:45, Chip M. wrote:

> Another interesting "tell" is its sloppy/ridiculous SPF:
> v=spf1 ip4:52.0.0.0/8 ip4:3.0.0.0/8 ip4:54.0.0.0/8 ip4:107.0.0.0/8
> ip4:18.0.0.0/8 ip4:34.0.0.0/8 -all
> Perhaps they're anticipating Amazon gobbling up more IP space?!?

Sadly SPF supports 0.0.0.0/0; if SPF was designed sanely it would be max
256 IPv4 and one IPv6.

If one creates a Perl module to calculate the IPv4/IPv6 in that, it can see
if the IPs are under 256 to be accepted as pass; then it changes.

Time to block domains with over so many IPs.
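Added example, not from the thread: a Python version of the counting check Benny describes, run over the SPF record Chip quoted. It sums the addresses covered by pass-qualified `ip4:`/`ip6:` mechanisms, treats `+all` as unbounded, and lists anything that would need DNS (`a`, `mx`, `include:`, `exists:`, `ptr`, `redirect=`) as unresolved so it runs offline; the 256-address threshold is Benny's number and the other records in the test are constructed.

```python
import ipaddress

QUALIFIERS = "+-~?"

# The record Chip quoted above: six /8 networks.
CHIP_RECORD = ("v=spf1 ip4:52.0.0.0/8 ip4:3.0.0.0/8 ip4:54.0.0.0/8 "
               "ip4:107.0.0.0/8 ip4:18.0.0.0/8 ip4:34.0.0.0/8 -all")


def spf_address_space(record: str) -> dict:
    """Count the IPv4/IPv6 addresses a record passes via literal ip4:/ip6:
    mechanisms. Mechanisms with a fail/softfail/neutral qualifier do not add
    to the count; DNS-dependent terms are reported, not resolved."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    result = {"ipv4": 0, "ipv6": 0, "open_all": False,
              "unresolved": [], "invalid": []}
    for tok in tokens[1:]:
        qual = tok[0] if tok[0] in QUALIFIERS else "+"   # default is pass
        mech = tok.lstrip(QUALIFIERS)
        low = mech.lower()
        if low == "all":
            if qual == "+":
                result["open_all"] = True      # everybody passes
        elif low.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(mech[4:], strict=False)
            except ValueError:
                result["invalid"].append(tok)
                continue
            if qual == "+":
                key = "ipv4" if net.version == 4 else "ipv6"
                result[key] += net.num_addresses
        elif low.startswith("exp="):
            continue                            # explanation text, no addresses
        else:
            result["unresolved"].append(tok)    # a, mx, include:, redirect=, ...
    return result


def too_permissive(record: str, max_ipv4: int = 256) -> bool:
    """Benny's suggested test: reject records that pass more than 256 IPv4
    addresses (or everyone)."""
    r = spf_address_space(record)
    return r["open_all"] or r["ipv4"] > max_ipv4


if __name__ == "__main__":
    r = spf_address_space(CHIP_RECORD)
    print(f"{r['ipv4']:,} IPv4 addresses pass; too permissive: "
          f"{too_permissive(CHIP_RECORD)}")
```

The unresolved list matters in practice: most large senders pass traffic through `include:` chains, so a record that looks tight on its own can still expand to far more than 256 addresses once those are followed.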
Re: SPAM message format, or not ? [ In reply to ]
On Thu, 2019-12-19 at 16:56 +0000, Chip M. wrote:
> On Wed, 18 Dec 2019, John Hardin wrote:
> > Can you post a spample
>
> This is a very interesting pattern that I've seen in a few (9) spams
> this week.
> Here's a spample (with only the To header MUNGED):
>
> http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt
> Lindsay, is that what you're seeing?

Exactly.

All of these verifiably come from Amazon IP addresses. I filed one
abuse report with Amazon, jumping through all the hoops spec'd in their
whois listing, but I doubt if it does any good. The Big Guys don't need
to allocate any of their hard-earned resources to clamping down on spam
sent from their customers' accounts :(

--
Lindsay Haisley | "UNIX is user-friendly, it just
FMP Computer Services | chooses its friends."
512-259-1190 | -- Andreas Bogk
http://www.fmp.com |