Re: [mailop] Any Apple email team on the list? Interesting tidbit like to shed light on...

2023-05-02 Thread Atro Tossavainen via mailop
On Tue, May 02, 2023 at 10:11:46PM -0400, John Levine via mailop wrote:
> It appears that Michael Peddemors via mailop said:
> >Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.2\))
> 
> I sent a message to myself from
> 
>  Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.500.231\))
> 
> There's no X-Universal anything. Wherever it came from, it's not the
> Mac mail program.

Our traps get a slow but steady drip of messages from Apple outbounds.

Last month, one tenth of a percent of those messages (which tells the
astute reader there's got to have been at least one thousand such
messages) contained the header X-Universally-Unique-Identifier.

Almost half of the messages we got were mail sent from anywhere else
_to_ an Apple account that has been configured to forward email to
an address that has never worked (before being made into a spamtrap),
though.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Any Apple email team on the list? Interesting tidbit like to shed light on...

2023-05-02 Thread John Levine via mailop
It appears that Michael Peddemors via mailop said:
>Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.2\))

I sent a message to myself from

 Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.500.231\))

There's no X-Universal anything. Wherever it came from, it's not the
Mac mail program.

R's,
John


[mailop] Any Apple email team on the list? Interesting tidbit like to shed light on...

2023-05-02 Thread Michael Peddemors via mailop

Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.2\))
X-Universally-Unique-Identifier: DDB4B009-F0E0-4255-8DC7-

Trying to understand if this is an unintended disclosure...

Of course, UUIDs etc. are important tools for verification, and can be 
useful in validating authenticity, but embedding one in the headers can 
have unintended consequences.


Of course, I cannot verify if it is actually the unique ID for this 
person's device (obfuscated of course), but if it were, and was sent in 
response to a phishing lure, or to a malware actor, then they could tie 
that unique device to the end user.


I could understand if it was shared with their service provider, but the 
rest of the world probably should not have access to it.


Am I correct in my assessment?

--
"Catch the Magic of Linux..."

Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.


Re: [mailop] Requests with mixed caesar cipher encoding from microsoft ips

2023-05-02 Thread Tom I via mailop

On 02/05/2023 18:18, Michael Peddemors via mailop wrote:
> Do you have a sampling of the IPs, and we can see if it correlates with 
> some of our datasets?


We saw similar requests earlier this year, around February and March. 
One of our applications generates URLs in the form "...?key=<chars>&n=<name>" - the name is simply to make the URLs less 
opaque when users handle lots of links at once, but it also served to 
make it a bit more obvious when the names are gibberish in the logs.


A few examples of the bad requests we saw, slightly anonymised:

key=emxxeigu&n=uhtu-ubee -> rot13 -> rzkkrvth&n=hugh-horr
key=czxkeyje&n=avdxl -> rot13 -> pmkxrlwr&n=niqky
key=xzfadaut&n=dybef -> rot13 -> kmsnqnhg&n=qlors

It's not quite fully rot13, as Ugo mentioned: in our case the parameter 
names were untouched while the values were not-quite-rot13'd; in the 3 
examples above the n= should have been "Hugh Horr", "Nicky", and "Clare" 
respectively.


We suspect somebody sent a number of links via email using Outlook or 
Office365, or uploaded the links in a spreadsheet to Office365, or 
attached them in an email.


The requests came from 40.94.90.{8,34,46,48,75,77}, 40.94.31.14, 
40.94.97.26, 40.94.87.69 - unclear if they're users of Azure or MS 
infrastructure itself.


None of the requests posed a security issue as the URL keys didn't match 
and so nothing of value was returned, however it's still curious what it 
is and why it happens only to some links!


Happy to share more information off-list if this is useful.

Tom




Re: [mailop] Requests with mixed caesar cipher encoding from microsoft ips

2023-05-02 Thread Michael Peddemors via mailop
Do you have a sampling of the IPs, and we can see if it correlates with 
some of our datasets?


Sure would be nice if the big guys, did a better job of SWIP on their 
ranges, so we know which ones they operate, vs the ones they rent.




Re: [mailop] Requests with mixed caesar cipher encoding from microsoft ips

2023-05-02 Thread Daniel K. via mailop
On 5/2/23 14:34, Abuse Department - Advision via mailop wrote:
> I'm starting to think that this is not a malicious activity but some
> kind of anonymization/url checking action from some Microsoft or anti
> Malware system.
> 
> Those are some example of the encoded parameters
> 
> [...]
> 
> uggcf://jjj.vafgbtebz.dbz/zbeffduv_fey/?uy=vg
> applying rot13 twice gives
> https://www.instagram.com/moreschi_srl/?nl=vg

Surely, rot13 was only applied once... :) except for the 'vg' part.

There are many strange things happening on line, and only the originator
can answer as to intent.


We once came across a distant cousin of what you describe here: rot13
applied to HTTP requests.

So, instead of sending:

GET /url HTTP/1.1

they sent us:

TRG /hey UGGC/1.1

This failed, of course, but someone suggested handling the TRG verb, and
wrapping the response in rot13, to see what would happen.

We never did.


Daniel K.



[mailop] Requests with mixed caesar cipher encoding from microsoft ips

2023-05-02 Thread Abuse Department - Advision via mailop
Hi all,

since 28/04 we have been observing a huge amount of requests coming from
Microsoft IPs to our link tracking system.
In the emails we send we override all links to point to our link tracking
system, but we are seeing that many tracking requests are coming with the
query string parameters obfuscated using some sort of mixed Caesar cipher
with different shifts. Sometimes we observe rot13 encoding, other times
different shifts and encodings.

At first we thought about some malicious activity, but the strange thing is
that almost all IPs the requests are coming from are Microsoft IPs (more
than 1600 IPs), and in some requests we were able to decode we see correct
parameters and legitimate URLs.

I'm starting to think that this is not malicious activity but some kind
of anonymization/URL checking action from some Microsoft or anti-malware
system.

These are some examples of the encoded parameters:

p=9d520546fb60360d4fcecf7e2001fac1/133h/0duu/ef/41a/4g6a/ef/ef/ef//uggcf://jjj.lbhghcf.dbz/dubaafy/HDiy6dBD47yeUDYLFKXZ-lDt/afbghefe?efybbe=2%2526dcee=4
/ttn.php?p=a91f671306f35ce073a3406d8ea06934/133h/0duu/ef/58f/4g6a/ef/ef/ef//uggcf://jjj.vafgbtebz.dbz/zbeffduv_fey/?uy=vg
p=bb00e96455bb5a80df7ecab6680f8d96/133h/0duu/ef/58f/4g6a/ef/ef/ef//uggcf://jjj.abdfcbbx.dbz/zbeffduvfey.vg/

The last part (starting with uggcf://) is the final destination URL the
clicker will be redirected to. Sometimes we are able to decode them, for
example

uggcf://jjj.vafgbtebz.dbz/zbeffduv_fey/?uy=vg
applying rot13 twice gives
https://www.instagram.com/moreschi_srl/?nl=vg


Any idea?

Ugo


Re: [mailop] Proofpoint contact needed - Duplicate ticket for IP block removal issue

2023-05-02 Thread Paul Gregg via mailop
On Tue, May 02, 2023 at 08:04:35AM +, Andy Onofrei via mailop wrote:
> Does anyone have a way to reach out to Proofpoint? My contacts have been unresponsive 
> for the last few weeks, after MAAWG.
> I have a ticket with status unresolved for several weeks; it seems to be 
> stuck in their queue.

Contacted offlist.

Thanks,
PG


[mailop] Proofpoint contact needed - Duplicate ticket for IP block removal issue

2023-05-02 Thread Andy Onofrei via mailop
Hi everyone,

Does anyone have a way to reach out to Proofpoint? My contacts have been unresponsive 
for the last few weeks, after MAAWG.
I have a ticket with status unresolved for several weeks; it seems to be stuck 
in their queue.

Thank you
Andy