This is just a very quick update about the sextortion, blackmail, bomb threat, we will kill you spam campaigns that have plagued all of us for several months now. It is a bit complicated to follow, but hopefully it will shed some light on this campaign that other researchers who are following it more closely & deeper will be able to use & hopefully assist in their work to get it all shut down and catch the criminals.
I have previously posted several posts about this campaign, where some of the spam was assisted in delivery by a misconfiguration on Godaddy’s name server set up ( and almost certainly by other big name DNS hosting services). Godaddy have now “fixed” the security hole / misconfiguration / exploit that allowed this to happen on their systems, although there might still be a few dangling domains that haven’t been found yet, hidden away in scammer accounts. They will soon be found ( hopefully) and Godaddy will finally clean up completely. These previous attacks or malspam campaigns all involved domains that had been registered for a long time, some belonging to well known companies & organisations. This newer, more recent campaign or sets of campaigns appears to involve mainly newly registered domains, a high proportion appear to be registered via Namecheap as registrar using top level domain names currently or frequently on offer for as little as $1, probably purchased in bulk using stolen payment details.
Then there were mainstream tech journalists who posted these:
Now we are noticing a change in these sextortion, blackmail, bomb threat, we will kill you or harm you spam campaigns.
There appear to be 2 distinctly different sets of bad actors involved. We see quite lot of spam messages coming via a botnet of compromised servers worldwide. These tend to be scammers buying space on an existing botnet where the IP addresses are so well known that just about every spam filtering system in existence will block 99% of them. These come from spoofed email addresses, some will exist, some will appear to be your own email address and some will be totally made up. Almost all of these will either fail SPF checks or have no SPF entry at all.
The big concern is another well established campaign from what is believed to be the same criminals who abused the security hole / Misconfiguration in Godaddy DNS services. These are using newly created domains.
Currently these criminal scammers are using .host domains, but over the last few weeks have been using .fr domains and .us domains in large numbers. with smaller amounts coming from .racing, .xyz, .stream, .science, .online and some .com accounts. Lots of the .com accounts have emails coming from or with helo “helo=smtp-out.domain-name.com”
I know there are other researchers investigating this campaign who have a lot more resources and ability to track these than I can do. I am just putting out there a few comments about what I have found.
Over the last month or so (and probably a lot longer) we have noticed numerous of these sextortion, blackmail spam emails being received that do pass all SPF, DKIM and Dmarc authentication. Most are still being caught by spam filters, but enough do get through to make it a viable business for the criminals.
All of these have headers that mention .gov servers ( the .gov entries are all spoofed and not genuine in any way as far as I can ascertain.)
One header as an example looks like this. The only guaranteed fully correct entry is the first IP in the below paste. The Received: from sub-736ip206.rev.onenet.cw ([184.108.40.206] All other entries in an email header can be & frequently are spoofed.
Received: from sub-736ip206.rev.onenet.cw ([220.127.116.11]:42920 helo=construiremo.host) by my email server with esmtp (Exim 4.91) (envelope-from <Christina.Durieux@construiremo.host>) id 1grrpx-0003Yf-UZ for firstname.lastname@example.org; Thu, 07 Feb 2019 22:08:02 +0000 Received: from [18.104.22.168] (helo=[192.168.1.31]) by relay.palatinetownship-il.gov with esmtpa envelope from <email@example.com> authenticated with firstname.lastname@example.org message id 1grrpx-0000zd-jt for email@example.com; Thu, 7 Feb 2019 20:35:36 +0200 Received: from [22.214.171.124] (helo=[192.168.1.05]) by relay.knoxvilleia.gov with esmtpa envelope from <firstname.lastname@example.org> authenticated with email@example.com message id 1grrpx-0000dq-hj for firstname.lastname@example.org; Thu, 7 Feb 2019 20:35:36 +0200 Content-Type: text/html; charset="utf-8" Subject: account has been hacked Date: Fri, 8 Feb 2019 01:08:01 +0300 Mime-Version: 1.0 X-swoldrich: doossbrup To: "EVERNOTE" <email@example.com> X-chastdil: zooptoom X-swanksit: cluskdoopt X-Organization: grodgool X-honsamp: blimplon From: "EVERNOTE" <firstname.lastname@example.org> Content-Transfer-Encoding: base64 Message-ID: <email@example.com>
Looking up the “sending” domain we can see dozens of different IPs listed as the site https://check-host.net/check-report/a2a55ack9bf However very few, if any, will be the actual sending address. As you can see from the email headers it was 126.96.36.199 at 22.08 UTC on 7 February 2019. It will have changed numerous times since then. It is almost certain that all the servers that these are being sent from or used have been compromised in some way and are under the control, either temporarily or more permanently of this criminal gang.
Another example recently received is this one received shortly after 7 am UTC today. I can only guarantee that the first IP in the email header is the IP it was received from. However I can confirm that the ilecrersuite.host had correct SPF & valid DKIM as shown at the time of receipt. which has now changed at 10.10 UTC.
Received: from [188.8.131.52] (port=50275 helo=ilecrersuite.host) by My email server with esmtp (Exim 4.91) (envelope-from <Goldie+Tissot@ilecrersuite.host>) id 1gs0JC-0006VC-JJ for firstname.lastname@example.org; Fri, 08 Feb 2019 07:10:47 +0000 Received: from [08.48.28.08] (helo=[192.168.1.51]) by relay.devazdhs.gov with esmtpa envelope from <email@example.com> authenticated with firstname.lastname@example.org message id 1gs0J9-0000zz-ze for email@example.com; Fri, 8 Feb 2019 04:26:07 +0200 Received: from [33.70.05.78] (helo=[192.168.1.68]) by relay.fortmyersbeachfl.gov with esmtpa envelope from <firstname.lastname@example.org> authenticated with email@example.com message id 1gs0J9-0000ia-hq for firstname.lastname@example.org; Fri, 8 Feb 2019 04:26:07 +0200 Date: Fri, 8 Feb 2019 10:10:43 +0300 X-yegspipt: tumpslesp Subject: account tastfroong To: "EVERNOTE" <email@example.com> Message-Id: <firstname.lastname@example.org> X-trodgip: waspprool X-bompslisk: yabfuf Content-Type: text/html; charset="utf-8" DKIM-Signature: v=1; a=rsa-sha256; d=ilecrersuite.host; t=1549609844; x=1549696244; s=koftnest; c=relaxed/relaxed; q=dns/txt; email@example.com; h=From:To:Date:MIME-Version; bh=ZlmFslbLWU6MeHeyetKNvWgRPc0S45GstETEdk5/FyU=; b=shCdVgDY4vjqxl62YHoiBFSS3q7sNX0bM3c4ZB7mjEcCyz2yo007bjjXoapykyk6zjQ+cHIoPouLzAMpu9QoITbR2j2GO2YJw2pkPcoYaJwQ8f1H+y5vIlyASCM+n2FQqxFYjdMYHO9jKbdsJ6Uge1/5XYw6Si6+BydBLg1sydA=; X-Organization: gliskgroosp Content-Transfer-Encoding: base64 X-groottech: droozploopt From: "Wilfred Peron" <Goldie+Tissot@ilecrersuite.host> Mime-Version: 1.0
The constant changing of SPF and DKIM records in the email authentication is a big problem for researchers looking at these. There are paid tools that help in lookups that give history, but with this sort of campaign, even they might not be fully reliable & up to date with information. However the fact that then vast majority of SPF lookups is v=spf1 +all which means that any sender is approved and can send email on behalf of the domain.
It is highly likely that the criminals are based in Russia.
This is a list of domains listed as sending domain since last night, that I have received on my server.
All of these are using numerous different DNS servers ( that also change very frequently)
some I have found are
These DNS servers come & go frequently but all appear to be hosted on 184.108.40.206 AS9123 timeweb.ru and possibly on other IP addresses in the same range ‘220.127.116.11 – 18.104.22.168’
Here a few screenshots of some recently received sextortion, blackmail scam emails showing senders & IP numbers received from.