[tor-relays] Fwd: Tor Guard Relay

[Mirimir]

On 06/09/2018 05:28 AM, Keifer Bly wrote:
>  I was asked by mirmir to send one of the emails as a txt file, and so here
> it is. It is at the google drive link below, I had tried to send it as an
> attachment, but got a note back saying it was being held because it was too
> big. The zip file contains the  contents of the email and the attached
> images. Thank you. I will try creating a spam filter for the email domain
> they are coming from, though a few of them have come from yahoo.com domain,
> which annoyingly I can't really block as some of my legitimate contacts use
> yahoo mail. I could try reporting this to Google, what do you think?
> 
> https://drive.google.com/open?id=0B_cH2cPZZmbTMmE2Ni1hc1BZbXliM0hMaTZnN19GcjFLTm4w

Thanks. But the text there doesn't contain headers. But that's less an
issue, because from headers aren't spoofed. The question now is whether
this is simple trolling, or attempts to infiltrate machines of relay
operators. Someone experienced with malware analysis could examine the
images for attack code, as Roman suggested. But that's over my head.

Blocking *.mexyst.com domains, as Neel suggested, will likely stop most
of them, with little or no downside. But blocking yahoo.com isn't
workable for many. But if they're all as salacious as Keifer's example,
blocking on language seems workable. Or language plus domain.

As with Efail, this is a reminder of the risks of decoding HTML, loading
embedded images, and fetching remote content. And the importance of
compartmentalizing email and browsing from credentials for relay
management (and other high-impact stuff, such as finances).

> On Fri, Jun 8, 2018 at 9:57 PM Mirimir <mirimir at riseup.net> wrote:
> 
>> On 06/08/2018 05:03 PM, Keifer Bly wrote:
>>> This is one of the about 20 emails that have been received. Upon looking
>> it
>>> looks like they are spoofing the [tor-relays] subject line. My apologies
>>> for the subject change but could not find a way to forward the emails
>>> without forwarding them from an old conversation. Thank you. (The subject
>>> this is in reference to is "Spam Emails Received From This Mailing
>> List").
>>
>> OK, so they're just using subject lines from the list. And not spoofing
>> the from address.
>>
>> But what you forwarded doesn't include the headers. By googling, I get
>> this:
>>
>> | 1) Open the message in your Gmail inbox.
>> | 2) Click the down-arrow in the top-right corner of the message.
>> | 3) Click the "Show original" link toward the bottom of the options
>> |    box. The message will open in a separate window with the full
>> |    message headers at the top.
>>
>> Just save that as a text file, and send it to me as an attachment.
>>
>> Why the bloody hell someone would target users of this list in that way
>> is bizarre. And why you? Rather than me, who is admittedly an outspoken
>> jerk sometimes ;)
>>
>>> ---------- Forwarded message ---------
>>> From: Becky Janet <beckyjanet335900 at re.mexyst.com>
>>> Date: Fri, Jun 8, 2018 at 7:48 PM
>>> Subject: Re: [tor-relays] Tor Guard Relay
>>> To: Keifer Bly <keifer.bly at gmail.com>
>>>
>>>
>>> first you need to trust someone to find real sex partner. So if you want
>> to
>>> find real sex partner then you need to trust me. Always i'm telling you
>>> it's totally f r e e. Just connect with My Private Page
>>> <http://datingflirt.info/1stold> by submitting you mail, name, age etc.
>> I'm
>>> assure you if it's ask any cc then no need to connect with me. So just
>>> trust and try. Trust Me & Try It Now NCTB ; After completing this task
>>> check your mail ,Automatically you will get my personal phone no in your
>>> mail within 5 min. Just check your mail (inbox/s p a m) and call me asap.
>>> I'm waiting for your cam
>>>
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>
>