<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Yes, it is extremely strange, it arouses my suspicion. Why would they specifically choose the tor server operator’s list which isn’t going to have large amounts of people for them to meet to begin with? I am concerned this might be an attempted attack against the network trying to lure in the tor network server operators and effect their computers with something malicious. The attachments of the one email did not appear to have any suspicious code, however who knows what may be on the website they are advertising. I have created the suggested filter in m Gmail, thanks for the advice. However, is there a way we can ban email addresses from the relay operators list? It seems like removing the email addresses that have been sending these from the list might be a good idea, if that is possible.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks.</p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='border:none;padding:0in'><b>From: </b><a href="mailto:mirimir@riseup.net">Mirimir</a><br><b>Sent: </b>Saturday, June 9, 2018 6:11 PM<br><b>To: </b><a href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.org</a><br><b>Subject: </b>Re: [tor-relays] Fwd: Tor Guard Relay</p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>On 06/09/2018 01:51 PM, Keifer Bly wrote:</p><p class=MsoNormal>> I just scanned the picture files using Avast, which I use a a lot and it is</p><p class=MsoNormal>> a pretty great anti virus program based off of my use with it. Here is the</p><p class=MsoNormal>> contents of the email in programming code; I don't know about other email</p><p class=MsoNormal>> services but in Gmail this can be retrieved by signing into the web version</p><p class=MsoNormal>> (in a web browser) clicking the more options button (next to the replay</p><p class=MsoNormal>> button) and clicking "show original".</p><p class=MsoNormal>> </p><p class=MsoNormal>>>From what I can tell looking at the code, it is encoded using base64 and</p><p class=MsoNormal>> the ip address of the web server it was sent from is 104.161.37.109.</p><p class=MsoNormal>> </p><p class=MsoNormal>> However, as for telling anything else, it seems like that would be</p><p class=MsoNormal>> difficult to do without the right equipment. Let me know what you think.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks for source with headers. I don't see anything useful, though, I</p><p class=MsoNormal>do see that "In-Reply-To: <5b182b2c.1c69fb81.390f6.f0ea@mx.google.com>"</p><p class=MsoNormal>is correct, so the sender is probably subscribed to the list. Getting</p><p class=MsoNormal>that right from messages in the online archives would be nontrivial.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>But damn: "I joined this site so that i could weed through the guys who</p><p class=MsoNormal>aren’t serious and reliable enough to invite to my house where i feel</p><p class=MsoNormal>comfortable." Trolling the tor-relays list for nice guys to date? That</p><p class=MsoNormal>is bizarre.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>> On Sat, Jun 9, 2018 at 5:26 PM Mirimir <mirimir@riseup.net> wrote:</p><p class=MsoNormal>> </p><p class=MsoNormal>>> On 06/09/2018 05:28 AM, Keifer Bly wrote:</p><p class=MsoNormal>>>> I was asked by mirmir to send one of the emails as a txt file, and so</p><p class=MsoNormal>>> here</p><p class=MsoNormal>>>> it is. It is at the google drive link below, I had tried to send it as an</p><p class=MsoNormal>>>> attachment, but got a note back saying it was being held because it was</p><p class=MsoNormal>>> too</p><p class=MsoNormal>>>> big. The zip file contains the contents of the email and the attached</p><p class=MsoNormal>>>> images. Thank you. I will try creating a spam filter for the email domain</p><p class=MsoNormal>>>> they are coming from, though a few of them have come from yahoo.com</p><p class=MsoNormal>>> domain,</p><p class=MsoNormal>>>> which annoyingly I can't really block as some of my legitimate contacts</p><p class=MsoNormal>>> use</p><p class=MsoNormal>>>> yahoo mail. I could try reporting this to Google, what do you think?</p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>> https://drive.google.com/open?id=0B_cH2cPZZmbTMmE2Ni1hc1BZbXliM0hMaTZnN19GcjFLTm4w</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>> Thanks. But the text there doesn't contain headers. But that's less an</p><p class=MsoNormal>>> issue, because from headers aren't spoofed. The question now is whether</p><p class=MsoNormal>>> this is simple trolling, or attempts to infiltrate machines of relay</p><p class=MsoNormal>>> operators. Someone experienced with malware analysis could examine the</p><p class=MsoNormal>>> images for attack code, as Roman suggested. But that's over my head.</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>> Blocking *.mexyst.com domains, as Neel suggested, will likely stop most</p><p class=MsoNormal>>> of them, with little or no downside. But blocking yahoo.com isn't</p><p class=MsoNormal>>> workable for many. But if they're all as salacious as Keifer's example,</p><p class=MsoNormal>>> blocking on language seems workable. Or language plus domain.</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>> As with Efail, this is a reminder of the risks of decoding HTML, loading</p><p class=MsoNormal>>> embedded images, and fetching remote content. And the importance of</p><p class=MsoNormal>>> compartmentalizing email and browsing from credentials for relay</p><p class=MsoNormal>>> management (and other high-impact stuff, such as finances).</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>>>> On Fri, Jun 8, 2018 at 9:57 PM Mirimir <mirimir@riseup.net> wrote:</p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>>>> On 06/08/2018 05:03 PM, Keifer Bly wrote:</p><p class=MsoNormal>>>>>> This is one of the about 20 emails that have been received. Upon</p><p class=MsoNormal>>> looking</p><p class=MsoNormal>>>>> it</p><p class=MsoNormal>>>>>> looks like they are spoofing the [tor-relays] subject line. My</p><p class=MsoNormal>>> apologies</p><p class=MsoNormal>>>>>> for the subject change but could not find a way to forward the emails</p><p class=MsoNormal>>>>>> without forwarding them from an old conversation. Thank you. (The</p><p class=MsoNormal>>> subject</p><p class=MsoNormal>>>>>> this is in reference to is "Spam Emails Received From This Mailing</p><p class=MsoNormal>>>>> List").</p><p class=MsoNormal>>>>><o:p> </o:p></p><p class=MsoNormal>>>>> OK, so they're just using subject lines from the list. And not spoofing</p><p class=MsoNormal>>>>> the from address.</p><p class=MsoNormal>>>>><o:p> </o:p></p><p class=MsoNormal>>>>> But what you forwarded doesn't include the headers. By googling, I get</p><p class=MsoNormal>>>>> this:</p><p class=MsoNormal>>>>><o:p> </o:p></p><p class=MsoNormal>>>>> | 1) Open the message in your Gmail inbox.</p><p class=MsoNormal>>>>> | 2) Click the down-arrow in the top-right corner of the message.</p><p class=MsoNormal>>>>> | 3) Click the "Show original" link toward the bottom of the options</p><p class=MsoNormal>>>>> | box. The message will open in a separate window with the full</p><p class=MsoNormal>>>>> | message headers at the top.</p><p class=MsoNormal>>>>><o:p> </o:p></p><p class=MsoNormal>>>>> Just save that as a text file, and send it to me as an attachment.</p><p class=MsoNormal>>>>><o:p> </o:p></p><p class=MsoNormal>>>>> Why the bloody hell someone would target users of this list in that way</p><p class=MsoNormal>>>>> is bizarre. And why you? Rather than me, who is admittedly an outspoken</p><p class=MsoNormal>>>>> jerk sometimes ;)</p><p class=MsoNormal>>>>><o:p> </o:p></p><p class=MsoNormal>>>>>> ---------- Forwarded message ---------</p><p class=MsoNormal>>>>>> From: Becky Janet <beckyjanet335900@re.mexyst.com></p><p class=MsoNormal>>>>>> Date: Fri, Jun 8, 2018 at 7:48 PM</p><p class=MsoNormal>>>>>> Subject: Re: [tor-relays] Tor Guard Relay</p><p class=MsoNormal>>>>>> To: Keifer Bly <keifer.bly@gmail.com></p><p class=MsoNormal>>>>>><o:p> </o:p></p><p class=MsoNormal>>>>>><o:p> </o:p></p><p class=MsoNormal>>>>>> first you need to trust someone to find real sex partner. So if you</p><p class=MsoNormal>>> want</p><p class=MsoNormal>>>>> to</p><p class=MsoNormal>>>>>> find real sex partner then you need to trust me. Always i'm telling you</p><p class=MsoNormal>>>>>> it's totally f r e e. Just connect with My Private Page</p><p class=MsoNormal>>>>>> <http://datingflirt.info/1stold> by submitting you mail, name, age</p><p class=MsoNormal>>> etc.</p><p class=MsoNormal>>>>> I'm</p><p class=MsoNormal>>>>>> assure you if it's ask any cc then no need to connect with me. So just</p><p class=MsoNormal>>>>>> trust and try. Trust Me & Try It Now NCTB ; After completing this task</p><p class=MsoNormal>>>>>> check your mail ,Automatically you will get my personal phone no in</p><p class=MsoNormal>>> your</p><p class=MsoNormal>>>>>> mail within 5 min. Just check your mail (inbox/s p a m) and call me</p><p class=MsoNormal>>> asap.</p><p class=MsoNormal>>>>>> I'm waiting for your cam</p><p class=MsoNormal>>>>>><o:p> </o:p></p><p class=MsoNormal>>>>> _______________________________________________</p><p class=MsoNormal>>>>> tor-relays mailing list</p><p class=MsoNormal>>>>> tor-relays@lists.torproject.org</p><p class=MsoNormal>>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</p><p class=MsoNormal>>>>><o:p> </o:p></p><p class=MsoNormal>>>><o:p> </o:p></p><p class=MsoNormal>>> _______________________________________________</p><p class=MsoNormal>>> tor-relays mailing list</p><p class=MsoNormal>>> tor-relays@lists.torproject.org</p><p class=MsoNormal>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</p><p class=MsoNormal>>><o:p> </o:p></p><p class=MsoNormal>> </p><p class=MsoNormal>_______________________________________________</p><p class=MsoNormal>tor-relays mailing list</p><p class=MsoNormal>tor-relays@lists.torproject.org</p><p class=MsoNormal>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</p><p class=MsoNormal><o:p> </o:p></p></div></body></html>