Discussion:
Fake get_iplayer mail
Dave Widgery
2018-11-12 14:55:31 UTC
Hi

Sorry if this is a bit off topic, but recently I have been getting quite
a lot (4-5 a week) of emails pretending to be from get_iplayer,
sometimes they show get_iplayer in the address field sometimes there are
one or more letters changed for example get_xplryer or get_iplaygr.

The strange thing is that I am not getting these on my current registered
get_iplayer email address, but on a different address that I stopped
using with get_iplayer a few years ago.

I wondered if anyone else has experienced this? I am not sure if the
mails are malicious or just spam as I have just deleted them without
opening them.

Regards
Dave


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Az
2018-11-12 15:05:27 UTC
On Monday 12 November 2018 14:55,
Hi
Sorry if this is a bit off topic, but recently I have been getting quite a lot (4-5 a
week) of emails pretending to be from get_iplayer, sometimes they show get_iplayer in
the address field sometimes there are one or more letters changed for example get_xplryer
or get_iplaygr.
The strange thing is that I am not getting these on my current registered get_iplayer
email address, but on a different address that I stopped using with get_iplayer a few
years ago.
I wondered if anyone else has experienced this? I am not sure if the mails are
malicious or just spam as I have just deleted them without opening them.
Regards
Dave
Weird. Not had that before. Is there anything significant in the
headers to e.g. show their path and origin?

--
Az
Mark Carroll
2018-11-12 15:26:27 UTC
Post by Az
Weird. Not had that before. Is there anything significant in the
headers to e.g. show their path and origin?
I could check if the IP of the sender gets redirected to a tarpit by my
firewall.

-- Mark
Mark Carroll
2018-11-12 15:07:33 UTC
Post by Dave Widgery
Sorry if this is a bit off topic, but recently I have been getting quite
a lot (4-5 a week) of emails pretending to be from get_iplayer,
I hadn't had any seeming to be from get_iplayer since Richard's on
November 4th though I do block some known spam senders before they would
even hit a junk mail folder so I wouldn't necessarily even know if my
filtering had caught subsequent e-mail.

-- Mark
Dave Widgery
2018-11-12 15:34:19 UTC
Hi Mark

Thanks for the reply

Below are the headers from two of the messages, but it all looks a bit
random to me, I also don't understand half of it.

I haven't opened the attachments, but they indicate that they are HTML
pages, I think that it is probably spam advertising, as I said the
bizarre thing is that I haven't used ***@orange.fr with
get_iplayer for several years, so I am guessing that somebody has
managed to trawl through some old cached emails somewhere and grabbed
likely addresses to try and disguise spam.

I posted to see if anyone else had received similar or whether it was
just me.

Dave

Headers Below
----------------

Subject : Rencontre sous tension entre Trump et Macron à Paris

Date : Sun, 11 Nov 2018 08:42:28 GMT

From : get_iplayer <***@p-a2qyv4gx.bestdivorcelawyermontgomery.com>

To : Daviq WIDGERY <***@orange.fr>

Content-Type : multipart/mixed

Message-ID : <***@e5122adc75o1i62B2>

MIME-Version : 1.0

Received : from opme11dod10nd1.rouen.francetelecom.fr ([10.79.5.104]) by
opme11dob09nd1.rouen.francetelecom.fr with LMTP id
iMLqJHTr51sydQAA3clxRA ; Sun, 11 Nov 2018 09:42:28 +0100,from
opme11ppr02nd1.rouen.francetelecom.fr ([10.79.5.104]) by
opme11dod10nd1.rouen.francetelecom.fr with LMTP id
kDS8JHTr51u3egAACQs+1g ; Sun, 11 Nov 2018 09:42:28 +0100,from mwinf5c85
([10.79.5.104]) by opme11ppr02nd1.rouen.francetelecom.fr with LMTP id
ULiSI3Tr51s4VgAA7xAy+w ; Sun, 11 Nov 2018 09:42:28 +0100,from
p-a2qyv4gx.bestdivorcelawyermontgomery.com ([37.212.82.130]) by
mwinf5c85 with ME id yYiS1y01Z2oiXlh01YiTZn; Sun, 11 Nov 2018 09:42:28
+0100

X-ME-Entity : ofr

X-Blumshenk : 37C59B20B537

X-me-spamlevel : not-spam

X-ME-bounce-domain : orange.fr

X-ME-engine : default

X-3 : C04062A24B

X-bcc : ***@orange.fr

X-87A5B461319318 : 6204AB20202B2A59623

X-Mailer : Microsoft CDO for Windows 2000

Priority : normal

X-285B44B623A023B : 8B7286A74561

X-MimeOLE : Produced By Microsoft MimeOLE

X-B616684 : 99BA53328371B767

thread-index : AdR5s4GQT8Zp0RqHjIqtU38OwW6pjQ==

X-ME-IP : 37.212.82.130

X-ME-Helo : p-a2qyv4gx.bestdivorcelawyermontgomery.com

Content-Class : urn:content-classes:message

X-Floochskunk : A4A38B59

X-Guhcrenk : 2164741B0C71A0939288

X-14B1BB07851B : 11648C2419C5B7A9032

X-657 : 652B0AB7

Thread-Topic : Prodfig

Return-Path : <***@p-a2qyv4gx.bestdivorcelawyermontgomery.com>

-----------------------------------------------------

Subject : Rugby - Bleus - Mathieu Bastareaud (Bleus) : « Je n'ai pas
envie...

Date : Sun, 11 Nov 2018 08:48:14 GMT

From : get_xplryer <***@c-2idzjrjm.hazelvieworchards.ca>

To : Dacid WIDGERY <***@orange.fr>

Content-Type : multipart/mixed

X-Bessneg : 57BC943

Message-ID : <***@mbwr9vto14ffk2144>

MIME-Version : 1.0

Received : from opme11dod13nd1.rouen.francetelecom.fr ([10.79.5.104]) by
opme11dob09nd1.rouen.francetelecom.fr with LMTP id
SEsqAc7s51vzfgAA3clxRA ; Sun, 11 Nov 2018 09:48:14 +0100,from
opme11ppr03nd1.rouen.francetelecom.fr ([10.79.5.104]) by
opme11dod13nd1.rouen.francetelecom.fr with LMTP id
0Jz2AM7s51todgAA2f/vCw ; Sun, 11 Nov 2018 09:48:14 +0100,from mwinf5c34
([10.79.5.104]) by opme11ppr03nd1.rouen.francetelecom.fr with LMTP id
uBpRO83s51uTVQAAtmqC1Q ; Sun, 11 Nov 2018 09:48:14 +0100,from
c-2idzjrjm.hazelvieworchards.ca ([14.247.186.25]) by mwinf5c34 with ME
id yYo41y00M0ZJY2N01YoBFw; Sun, 11 Nov 2018 09:48:13 +0100

X-ME-Entity : ofr

X-me-spamlevel : not-spam

X-ME-bounce-domain : orange.fr

X-ME-engine : default

X-bcc : ***@orange.fr

X-Mailer : Microsoft CDO for Windows 2000

Priority : normal

X-58C57658 : 5A75A6C74498980C4937

X-13 : 5642A115

X-MimeOLE : Produced By Microsoft MimeOLE

X-Bezcral : 23

thread-index : AdR5tE5ARZIibHgXSQbZyBTorPFIaQ==

X-ME-IP : 14.247.186.25

X-ME-Helo : c-2idzjrjm.hazelvieworchards.ca

Content-Class : urn:content-classes:message

X-37C270C8CB5579A6 : 3406A72C71A765934

X-873116CBB : 0A160508B21624

Thread-Topic : Trulgreft

X-A46B5373 : 289812C8B56AA7A3

Return-Path : <***@c-2idzjrjm.hazelvieworchards.ca>

X-Swooctbley : 0373CC3390769C7856

X-01AA9 : CA21

_______________________________________________
get_iplayer mailing list
http://lists.infradead.org/mailman/listinfo/get_iplayer
Mark Carroll
2018-11-12 15:55:07 UTC
Post by Dave Widgery
ULiSI3Tr51s4VgAA7xAy+w ; Sun, 11 Nov 2018 09:42:28 +0100,from
p-a2qyv4gx.bestdivorcelawyermontgomery.com ([37.212.82.130]) by
c-2idzjrjm.hazelvieworchards.ca ([14.247.186.25]) by mwinf5c34 with ME
id yYo41y00M0ZJY2N01YoBFw; Sun, 11 Nov 2018 09:48:13 +0100
Both these subnets appear on the level 1 blacklist from UCEPROTECT:
in the dnsbl-1 file that I download from uceprotect.net. That explains
why they never got to my mail system. Sorry to hear that Google's
spam-blocking isn't also catching them!

-- Mark
Dave Widgery
2018-11-12 22:41:56 UTC
Hi Mark,

FYI I am not receiving the mails via google, but via my orange.fr email
account, they obviously don't do as much checking as google.

Dave

artisticforge Niemand
2018-11-12 15:26:36 UTC
I have seen about 12 dozen in the last month.
the get_iplayer was jumbled or deliberately obscured.
about half were for porn sites and 6 for get rich quick scams.
you know the ones. "Dear Sir; I have $xxMillion USD in an African Bank".
--
terry l. ridder ><>
Vangelis forthnet
2018-11-12 15:29:41 UTC
Post by Dave Widgery
The strange thing is that I am not getting these
on my current registered get_iplayer email address
... Likewise here; except for the odd spam mail
that somehow manages to get through the list's
filters (last one was in Sept,

http://lists.infradead.org/pipermail/get_iplayer/2018-September/011988.html

NOTHING malicious there, just spam),

I have not got anything suspicious recently
pretending to have come from this list :-)
Post by Dave Widgery
but on a different address that I stopped
using with get_iplayer a few years ago.
It's possible THAT ONE got hacked/harvested
by a spam bot; I fear e-mails and related software
is not a field I am expert in, this list contains many
other members highly learned in this sector who,
no doubt, are able to offer you assistance towards
addressing the issue with that compromised
e-mail account...

Kind regards
Vangelis forthnet
2018-11-12 15:46:25 UTC
Post by artisticforge Niemand
I have seen about 12 dozen in the last month.
Hi Terry :-) ;

144 spam e-mails in the course of a month
is an awful lot, TBH ... :-(
I surmise this is with your gmail account ?

My e-mail account is not free webmail,
but provided by my ISP, as part of their service;
they do filter spam adequately before
it even reaches my inbox...

I am pleased I don't get spam from this
list, given that my e-mail address (as much
as any other member's) is human readable
in both iterations of the list archives...

Best wishes
CJB
2018-11-12 15:51:43 UTC
It appears that the spam is not actually coming from this list per se.

The spam emails seem to have a From or Subject as 'get_iplayer'

But the origin (looking at the raw headers) is nothing to do with get_iplayer.

BTW clicking on any embedded link could well place a trojan virus on
one's device.

CJB
Dave Widgery
2018-11-12 22:52:10 UTC
Hi

I purposely haven't clicked on the links, as I suspected that they will
probably do something nasty.

It looks like I will keep deleting, or maybe report them as spam.

Luckily this is not my primary email account therefore not giving me too
much grief.

Anyway thanks for all your input.

Dave

artisticforge Niemand
2018-11-12 16:25:25 UTC
sorry

I hate spell checker on e-mail. I meant a dozen, 12 spam e-mails, I did
not mean 144 spam e-mails.

the 12 e-mails were just random porn sites and get-rich-quick scams.
I am far closer to grave than the cradle and "hi, I am Jennifer and I
want to be your love bug!"
just does not get there. After a certain age you're a monk whether you
like it or not.
besides my body is just too broken and damaged.
--
terry l. ridder ><>
Paul Oldham
2018-11-12 16:11:47 UTC
Post by Dave Widgery
The strange thing is that I am not getting these on my current registered
get_iplayer email address, but on a different address that I stopped
using with get_iplayer a few years ago.
So, it sounds like an old copy of the subscriber list is in circulation.
I suspect that at some point in the past the subscriber list was
available to members (and not just the list administrator as it is now)
rather than the list server having been hacked.

It happens.

It's like all those "we've hacked your PC, got video of you wanking, and
to prove it here's your password, send us money". Yup, it's definitely a
password I used to use, somewhere, I can tell from the format so that's
another site I used to use has had its customer email and
authentication details pinched in some way.

Shrug. Moving on.
--
Paul
Az
2018-11-12 17:56:19 UTC
On Monday 12 November 2018 14:55,
Hi
Sorry if this is a bit off topic, but recently I have been getting quite a lot (4-5 a
week) of emails pretending to be from get_iplayer, sometimes they show get_iplayer in
the address field sometimes there are one or more letters changed for example get_xplryer
or get_iplaygr.
The strange thing is that I am not getting these on my current registered get_iplayer
email address, but on a different address that I stopped using with get_iplayer a few
years ago.
I wondered if anyone else has experienced this? I am not sure if the mails are
malicious or just spam as I have just deleted them without opening them.
Regards
Dave
I expect someone got into the mailing list at some point and
harvested email addresses.

What you can do about it depends largely on your OS and email setup.

For Windows, if you can set filters in your client to check that spam
header or anything else that looks suspicious it might help.

For anything *nix use something like spamassassin and forward your
mail to it and/or the same with procmail as the first step.

I maintain an SMTP server so I'm used to seeing 100s of these every
week. Using block lists and greylisting helps to cut out 99% of it.

--
Az
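
Added example (not part of any message in this thread): the checks raised above by Mark Carroll (the sending IP is on a downloaded blocklist), CJB (the origin in the raw headers has nothing to do with get_iplayer) and Az (filter on suspicious headers), as one Python triage function. The sample message, the blocklist entries and their one-CIDR-per-entry form, the 0.75 similarity threshold and all function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

LIST_NAME = "get_iplayer"
LIST_DOMAIN = "lists.infradead.org"  # list host as shown in the thread
# RFC 1918 ranges: hops inside the receiving provider (10.79.5.104 in the thread).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed blocklist (documentation ranges); assumed format: one CIDR per entry.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
IP_RE = re.compile(r"\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

# Constructed sample: the bottom Received line stands for one the sender forged.
SAMPLE = """\
Received: from inner.example.net ([10.0.0.5]) by store.example.net with LMTP
Received: from mail.sender.example ([198.51.100.25]) by edge.example.net
Received: from forged.invalid ([203.0.113.9]) by mail.sender.example
From: get_xplryer <someone@mail.sender.example>
To: user@example.net
Subject: constructed sample

body
"""

def looks_like_list(name, threshold=0.75):
    """True if a display name is the list name or a near miss of it."""
    return SequenceMatcher(None, name.strip().lower(), LIST_NAME).ratio() >= threshold

def origin_ip(msg):
    """First non-internal IP, walking Received headers newest first.

    Each relay prepends its own header, so only the hop written by the
    recipient's provider is trustworthy; older lines are sender-controlled.
    """
    for received in msg.get_all("Received", []):
        for text in IP_RE.findall(received):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:  # e.g. an octet above 255
                continue
            if not any(addr in net for net in INTERNAL):
                return addr
    return None

def triage(raw, blocklist=BLOCKLIST):
    """Return (origin IP or None, list of reasons the message looks spoofed)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if looks_like_list(name) and domain != LIST_DOMAIN:
        reasons.append(f"display name {name!r} imitates the list, sender domain is {domain}")
    ip = origin_ip(msg)
    if ip is not None and any(ip in net for net in blocklist):
        reasons.append(f"origin {ip} is on the blocklist")
    return ip, reasons

if __name__ == "__main__":
    print(triage(SAMPLE))
```

In the headers Dave posted, the boundary IP that this walk would pick out of the Received chain is also recorded by the provider in X-ME-IP.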
Peter Corlett
2018-11-13 13:17:01 UTC
On Mon, Nov 12, 2018 at 05:56:19PM +0000, Az wrote:
[...]
I expect someone got into the mailing list at some point and harvested email
addresses.
There is a public archive of this mailing list, and spammers would have just
scraped it for addresses as part of their general nefarious web crawling. They
don't need to have "got into the mailing list".
