
Re: [tor-relays] Spam Emails Received From This Mailing List
On 06/14/2018 02:18 PM, Mirimir wrote:
> On 06/14/2018 04:33 AM, nusenu wrote:
>> this kind of spam also happens if you post emails to tor-dev.
>>
>> last spam sender address: rosegregory714756@xxxxxxxxxxxxx
> 
> It seems that they've given up on me, after some days with no reply. So
> is that a pattern for y'all?

OK, so much for that hypothesis. Just got one from Camryn. It actually
seems responsive ...

| Hey I'm glad to see someone real responding haha

... and it appeared within minutes of my post to the list. So there's
apparently a human involved, who's actively watching the list.

Also, as before, the In-Reply-To header matches my Message-ID header.

But something interesting. The ultimate message source is "localhost
(unknown [107.178.101.4])". From https://ipinfo.io/ I get that this is
"vox21.hurters.biz". With a little work, I get to
"http://hurters.biz/?domain=hurters.biz?reqp=1&qaspoofip=206.190.145.84&reqp=1&reqr=";
which shows:

| Welcome to hurters.biz
| This Web page is parked for FREE, courtesy of GoDaddy.com.

From https://ipinfo.io/ I get to 206.190.145.84.adsl.inet-telecom.org
which looks a lot like a home ADSL account. Botnet maybe?

And what is "qaspoofip"?

Again, this is all on mellowhost.com by Input Output Flood LLC. The
abuse contact is Gabriel Ramuglia (abuse@xxxxxxxxxxx).

Anyway, here's the https://ipinfo.io/ data:

Received: from us37.axiobyte.com (us37.axiobyte.com [104.161.37.171])

ip: "104.161.37.171"
hostname: "us37.axiobyte.com"
city: "Dhaka"
region: "Dhaka Division"
country: "BD"
loc: "23.7231,90.4086"
postal: "1000"
asn:
  asn: "AS53755"
  name: "Input Output Flood LLC"
  domain: "ioflood.com"
  route: "104.161.32.0/20"
  type: "hosting"
company:
  name: "Mellowhost"
  domain: "mellowhost.com"
  type: "hosting"

Received: from localhost (unknown [107.178.101.4])

ip: "107.178.101.4"
hostname: "vox21.hurters.biz"
city: "Dhaka"
region: "Dhaka"
country: "BD"
loc: "23.8179,90.4103"
postal: "1206"
asn:
  asn: "AS53755"
  name: "Input Output Flood LLC"
  domain: "ioflood.com"
  route: "107.178.64.0/18"
  type: "hosting"
company:
  name: "Mellowhost"
  domain: "mellowhost.com"
  type: "hosting"

... domain=hurters.biz ... qaspoofip=206.190.145.84 ...

ip: "206.190.145.84"
hostname: "206.190.145.84.adsl.inet-telecom.org"
city: "Providence"
region: "Utah"
country: "US"
loc: "41.6929,-111.8150"
postal: "84332"
asn:
  asn: "AS29854"
  name: "WestHost, Inc."
  domain: "westhost.com"
  route: "206.190.128.0/19"
  type: "hosting"
company:
  name: "Hosting Services, Inc."
  domain: "banahosting.com"
  type: "hosting"
> I finally did review the images, in a Debian LiveCD with no network
> connectivity. They're not bad porn, really. Images from Becky and Camryn
> have no obvious watermarks, but those from Rose are marked
> "cherryscott". And they're clearly @CherryScott23. If I could, I'd tweet
> her about the ripoff.
> 
> So anyway, our spammer is clearly using stock image libraries. And maybe
> that was obvious.
> 
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
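The header analysis in the message above (walking the Received chain back to the originating host, and confirming that the spam's In-Reply-To matches the list post's Message-ID) can be scripted. The following is an added example, not code from the poster or from the Tor Project. The sample message is constructed for the example: it reuses the hostnames and addresses quoted in the thread, while the mail server names, queue IDs, Message-IDs and timestamps are made up. The hop-flagging rule (a HELO name of "localhost" or no reverse DNS on a public address) is the example's own heuristic.

```python
import email
import re
from email import policy
from ipaddress import ip_address

# Constructed sample message. The two Received hops mirror the ones
# discussed in the thread; everything else is invented for the example.
SAMPLE_SPAM = b"""\
Received: from us37.axiobyte.com (us37.axiobyte.com [104.161.37.171])
\tby mx.example.net (Postfix) with ESMTPS id ABC123
\tfor <relayop@example.net>; Thu, 14 Jun 2018 21:31:02 +0000 (UTC)
Received: from localhost (unknown [107.178.101.4])
\tby us37.axiobyte.com (Postfix) with ESMTPA id DEF456;
\tThu, 14 Jun 2018 21:30:58 +0000 (UTC)
From: Camryn <camryn@example.invalid>
To: relayop@example.net
Subject: Re: [tor-relays] Spam Emails Received From This Mailing List
Message-ID: <spam-0001@vox21.hurters.biz>
In-Reply-To: <20180614212900.GA1234@relayop.example.net>
References: <20180614212900.GA1234@relayop.example.net>

Hey I'm glad to see someone real responding haha
"""

# Message-ID of the list post the spam "replied" to (constructed).
ORIGINAL_MESSAGE_ID = "<20180614212900.GA1234@relayop.example.net>"

# Matches the "(rdns-name [ip])" part of a Received header, e.g.
# "(unknown [107.178.101.4])" or "(us37.axiobyte.com [104.161.37.171])".
_RDNS_AND_IP = re.compile(r"\(([^\s()\[]+)\s*\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def received_chain(raw):
    """Return the relay hops as (helo_name, rdns_name, ip) tuples.

    Received headers are prepended by each MTA, so the last header in the
    message is the earliest hop; the list is reversed so index 0 is the origin.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for hdr in msg.get_all("Received", []):
        # Collapse folded continuation lines into single spaces.
        text = " ".join(str(hdr).split())
        # Only the "from ..." clause describes the sending host.
        from_clause = text.split(" by ")[0]
        m = _RDNS_AND_IP.search(from_clause)
        if not m:
            continue  # no bracketed address (e.g. a local pickup hop)
        helo = from_clause.split()[1] if from_clause.startswith("from ") else "?"
        hops.append((helo, m.group(1), ip_address(m.group(2))))
    hops.reverse()
    return hops


def origin_ip(raw):
    """IP of the earliest hop that carried an address, as a string, or None."""
    hops = received_chain(raw)
    return str(hops[0][2]) if hops else None


def suspicious_hops(raw):
    """Public addresses that announced themselves as 'localhost' or have no rDNS.

    This is the example's own heuristic: a public IP presenting HELO
    'localhost', or with no PTR record ('unknown'), is a common sign of a
    script injecting mail rather than a normal MTA.
    """
    flagged = []
    for helo, rdns, ip in received_chain(raw):
        if ip.is_global and (helo == "localhost" or rdns.lower() == "unknown"):
            flagged.append(str(ip))
    return flagged


def replies_to(raw, original_message_id):
    """True if the message's In-Reply-To names the given Message-ID."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    in_reply_to = str(msg.get("In-Reply-To") or "").strip()
    return in_reply_to == original_message_id.strip()


if __name__ == "__main__":
    for helo, rdns, ip in received_chain(SAMPLE_SPAM):
        print(f"hop: helo={helo} rdns={rdns} ip={ip}")
    print("origin:", origin_ip(SAMPLE_SPAM))
    print("suspicious:", suspicious_hops(SAMPLE_SPAM))
    print("replies to list post:", replies_to(SAMPLE_SPAM, ORIGINAL_MESSAGE_ID))
```

Run it against a saved copy of one of the spam messages (`received_chain(open("spam.eml", "rb").read())`) to get the hop list; the ASN/company lookup of each address is then done separately against ipinfo.io or WHOIS, as in the message above. Note that only the Received header added by your own mail server is trustworthy; every earlier hop was written by the sender's infrastructure and can be forged.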