On September 26, 2015, I saw the first pair of examples of what appeared
to be much smarter SMTP spam.  Both the envelope 'From ' sender and the
internal 'From: ' sender were credibly forged to impersonate two
personal friends, Michael Siladi and Alison Stern.  That wasn't new:
Forging of the envelope sender has been a well-tested art since the
infamous revenge-spam attack against Joe Doll in 1997 that gave the
world the term 'Joe-job'.[1]

What was new was the personalised tailoring of some of the body text
_and_ most especially the use of recipients in the To: and Cc: headers 
who were among Michael and Alison's frequent contact addresses -- other
people in the science fiction convention-running community and private
mailing lists for convention-running.

Not that it matters, but the injection point of those mails, back in
September, was IP address 212.40.185.205 in Germany, with the prior-hop
Received header (before the one for the German mail provider) claiming 
that it had originated at an ISP POP in Bogota, Colombia.  Both Michael
and Alison are in Mountain View, California.

Back then in September, I sent Michael and Alison a detailed header
analysis, pointing out the probable significance of the highly
personalised recipient list:  I inferred that the spammers had not only
harvested detailed traffic information from malware on the MS-Windows
box of someone in Michael & Alison's social circle, but were also now
using traffic analysis -- turning loose Bayesian classifier software on 
harvested data concerning who corresponds with whom -- to
programmatically compose _more-credible_ spam targeted at the forged
sender's known associates, with some message-text contents likewise
personalised to the sender.


Today, another blast of forged mail arrived on about six diverse mailing
lists for science-fiction convention-running plus the 'basfa' discussion
mailing list of the Bay Area Science Fiction Society -- purporting to be
from Michael Siladi, as before.  Each of the targeted mailing lists duly
transmitted the forgeries to all recipients.  The targeted mailing lists
+ other CC'd/To'd recipients were picked from ones Michael corresponds
with.  The phrase 'artshow15' in the body text is a name of a private 
mailing list operated for the 2015 BayCon, a local science fiction
convention in the San Francisco Bay Area of which Michael is convention
chair.

I have posted full data on the BASFA copy of the forgery, plus my
personal analysis, here:

http://linuxmafia.com/pipermail/conspire/2015-November/008205.html
http://linuxmafia.com/pipermail/conspire/2015-November/008206.html

Notice my point that Michael's ISP, Netcom, is still in 2015 failing to
publish any MX-authentication data (SPF, DKIM, or variants thereof) 
in its DNS, so it's no wonder that forgeries of Michael's address could
not be detected.

In my second post, I concluded:

  I expect a lot of mailing lists will soon have forged-mail spam
  problems -- not a problem until now.

  This is a wake-up call.

Anyone else seeing this?  Other thoughts?


[1] See the 'Joe-job' entries on http://linuxmafia.com/kb/Mail/ , 
if you don't know this story.  (I was among the many recipients of the
flamebait attempt to lure anti-spam people to attack Joe Doll, probably
because I was a regular poster to net.admin.net-abuse.email at the time.)
_______________________________________________
luv-main mailing list
http://lists.luv.asn.au/listinfo/luv-main
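Following up on the point about Netcom publishing no SPF data: below is an added example (mine, not from the original post, nor from any provider or mailing-list software mentioned in it) showing the check a receiving system could perform. It walks a message's Received headers to find the IP that handed the mail over, reads the envelope-sender domain from Return-Path, and evaluates that IP against the domain's SPF record. The message, the domains, the addresses and the TXT records are all constructed placeholders (RFC 5737 addresses, .example names); the SPF evaluator is a simplified one that handles only ip4, ip6 and all mechanisms, since include, a and mx would need live DNS. A domain with no record yields "none", which is exactly why a forgery of such an address cannot be rejected on SPF grounds.

```python
import email
import email.utils
import ipaddress
import re
from email import policy

# Constructed sample message (not a real forgery): the Return-Path domain
# publishes no SPF record, mirroring the situation described in the post.
SAMPLE_MESSAGE = """\
Return-Path: <friend@sender.example>
Received: from mail.provider.example (mail.provider.example [203.0.113.7])
\tby lists.example (Postfix) with ESMTP id ABC123
\tfor <members@lists.example>; Thu, 19 Nov 2015 10:00:00 +0000
Received: from pop.isp.example ([198.51.100.23])
\tby mail.provider.example with SMTP; Thu, 19 Nov 2015 09:59:58 +0000
From: Friend <friend@sender.example>
To: members@lists.example
Subject: artshow15 question

body text
"""

# Constructed stand-in for DNS TXT lookups (domain -> list of TXT records).
FAKE_TXT = {
    "sender.example": [],                                  # no SPF published
    "strict.example": ["v=spf1 ip4:203.0.113.0/24 -all"],  # hard fail policy
    "soft.example": ["v=spf1 ip4:192.0.2.10 ~all"],        # soft fail policy
}

# Matches the bracketed address a Received header records for the peer.
RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def received_hops(msg):
    """Return the peer IPs named in Received headers, newest hop first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP.search(str(hdr))
        if m:
            hops.append(m.group(1))
    return hops


def return_path_domain(msg):
    """Domain of the envelope sender as recorded in Return-Path, or None."""
    _, addr = email.utils.parseaddr(str(msg.get("Return-Path", "")))
    return addr.rpartition("@")[2].lower() or None


def lookup_spf(domain, txt_records):
    """Pick the single v=spf1 record for a domain from the TXT table."""
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def evaluate_spf(spf, client_ip):
    """Simplified SPF evaluation: ip4/ip6 mechanisms and 'all' only."""
    if spf is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in spf.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # include:, a, mx, ptr, exists and redirect= need DNS; treated as no match.
    return "neutral"


def check_message(raw, txt_records):
    """Evaluate the injecting hop of a raw message against the sender's SPF."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_hops(msg)
    # The topmost Received header was added by the receiving system, so its
    # peer address is the host that actually injected the mail here; lower
    # headers are only what that host claims about the path before it.
    injecting_ip = hops[0] if hops else None
    domain = return_path_domain(msg)
    spf = lookup_spf(domain, txt_records) if domain else None
    result = evaluate_spf(spf, injecting_ip) if injecting_ip else "none"
    return {"hops": hops, "envelope_domain": domain,
            "spf_record": spf, "spf_result": result}


if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE, FAKE_TXT))
```

Swapping the Return-Path domain for one that publishes a record (strict.example in the table) turns the same message into a "pass" or "fail" depending on whether the injecting address is in the published range, which is the decision a list server or MX cannot make at all while the sender's domain publishes nothing.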