<div dir="ltr"><div>
<span style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">I just scanned the picture files using Avast, which I use a a lot and it is a pretty great anti virus program based off of my use with it. Here is the contents of the email in programming code; I don't know about other email services but in Gmail this can be retrieved by signing into the web version (in a web browser) clicking the more options button (next to the replay button) and clicking "show original". </span><div style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">From what I can tell looking at the code, it is encoded using base64 and the ip address of the web server it was sent from is 104.161.37.109. </div><div style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">However, as for telling anything else, it seems like that would be difficult to do without the right equipment. Let me know what you think.</div><div style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Again it's a link to view it on Google Drive as the list doesn't seem to allow attachments being sent to it. Thanks.</div>
<br></div><div><br></div><a href="https://drive.google.com/open?id=0B_cH2cPZZmbTWnN6TE83SlV2RzRzbG9ISGhSX0U4X1k1TFNv">https://drive.google.com/open?id=0B_cH2cPZZmbTWnN6TE83SlV2RzRzbG9ISGhSX0U4X1k1TFNv</a><div><br></div><div><br><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Sat, Jun 9, 2018 at 5:26 PM Mirimir <<a href="mailto:mirimir@riseup.net">mirimir@riseup.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 06/09/2018 05:28 AM, Keifer Bly wrote:<br>
> I was asked by mirmir to send one of the emails as a txt file, and so here<br>
> it is. It is at the google drive link below, I had tried to send it as an<br>
> attachment, but got a note back saying it was being held because it was too<br>
> big. The zip file contains the contents of the email and the attached<br>
> images. Thank you. I will try creating a spam filter for the email domain<br>
> they are coming from, though a few of them have come from <a href="http://yahoo.com" rel="noreferrer" target="_blank">yahoo.com</a> domain,<br>
> which annoyingly I can't really block as some of my legitimate contacts use<br>
> yahoo mail. I could try reporting this to Google, what do you think?<br>
> <br>
> <a href="https://drive.google.com/open?id=0B_cH2cPZZmbTMmE2Ni1hc1BZbXliM0hMaTZnN19GcjFLTm4w" rel="noreferrer" target="_blank">https://drive.google.com/open?id=0B_cH2cPZZmbTMmE2Ni1hc1BZbXliM0hMaTZnN19GcjFLTm4w</a><br>
<br>
Thanks. But the text there doesn't contain headers. But that's less an<br>
issue, because from headers aren't spoofed. The question now is whether<br>
this is simple trolling, or attempts to infiltrate machines of relay<br>
operators. Someone experienced with malware analysis could examine the<br>
images for attack code, as Roman suggested. But that's over my head.<br>
<br>
Blocking *.<a href="http://mexyst.com" rel="noreferrer" target="_blank">mexyst.com</a> domains, as Neel suggested, will likely stop most<br>
of them, with little or no downside. But blocking <a href="http://yahoo.com" rel="noreferrer" target="_blank">yahoo.com</a> isn't<br>
workable for many. But if they're all as salacious as Keifer's example,<br>
blocking on language seems workable. Or language plus domain.<br>
<br>
As with Efail, this is a reminder of the risks of decoding HTML, loading<br>
embedded images, and fetching remote content. And the importance of<br>
compartmentalizing email and browsing from credentials for relay<br>
management (and other high-impact stuff, such as finances).<br>
<br>
> On Fri, Jun 8, 2018 at 9:57 PM Mirimir <<a href="mailto:mirimir@riseup.net" target="_blank">mirimir@riseup.net</a>> wrote:<br>
> <br>
>> On 06/08/2018 05:03 PM, Keifer Bly wrote:<br>
>>> This is one of the about 20 emails that have been received. Upon looking<br>
>> it<br>
>>> looks like they are spoofing the [tor-relays] subject line. My apologies<br>
>>> for the subject change but could not find a way to forward the emails<br>
>>> without forwarding them from an old conversation. Thank you. (The subject<br>
>>> this is in reference to is "Spam Emails Received From This Mailing<br>
>> List").<br>
>><br>
>> OK, so they're just using subject lines from the list. And not spoofing<br>
>> the from address.<br>
>><br>
>> But what you forwarded doesn't include the headers. By googling, I get<br>
>> this:<br>
>><br>
>> | 1) Open the message in your Gmail inbox.<br>
>> | 2) Click the down-arrow in the top-right corner of the message.<br>
>> | 3) Click the "Show original" link toward the bottom of the options<br>
>> | box. The message will open in a separate window with the full<br>
>> | message headers at the top.<br>
>><br>
>> Just save that as a text file, and send it to me as an attachment.<br>
>><br>
>> Why the bloody hell someone would target users of this list in that way<br>
>> is bizarre. And why you? Rather than me, who is admittedly an outspoken<br>
>> jerk sometimes ;)<br>
>><br>
>>> ---------- Forwarded message ---------<br>
>>> From: Becky Janet <<a href="mailto:beckyjanet335900@re.mexyst.com" target="_blank">beckyjanet335900@re.mexyst.com</a>><br>
>>> Date: Fri, Jun 8, 2018 at 7:48 PM<br>
>>> Subject: Re: [tor-relays] Tor Guard Relay<br>
>>> To: Keifer Bly <<a href="mailto:keifer.bly@gmail.com" target="_blank">keifer.bly@gmail.com</a>><br>
>>><br>
>>><br>
>>> first you need to trust someone to find real sex partner. So if you want<br>
>> to<br>
>>> find real sex partner then you need to trust me. Always i'm telling you<br>
>>> it's totally f r e e. Just connect with My Private Page<br>
>>> <<a href="http://datingflirt.info/1stold" rel="noreferrer" target="_blank">http://datingflirt.info/1stold</a>> by submitting you mail, name, age etc.<br>
>> I'm<br>
>>> assure you if it's ask any cc then no need to connect with me. So just<br>
>>> trust and try. Trust Me & Try It Now NCTB ; After completing this task<br>
>>> check your mail ,Automatically you will get my personal phone no in your<br>
>>> mail within 5 min. Just check your mail (inbox/s p a m) and call me asap.<br>
>>> I'm waiting for your cam<br>
>>><br>
>> _______________________________________________<br>
>> tor-relays mailing list<br>
>> <a href="mailto:tor-relays@lists.torproject.org" target="_blank">tor-relays@lists.torproject.org</a><br>
>> <a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="noreferrer" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br>
>><br>
> <br>
_______________________________________________<br>
tor-relays mailing list<br>
<a href="mailto:tor-relays@lists.torproject.org" target="_blank">tor-relays@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="noreferrer" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br>
</blockquote></div>