Re: [AusNOG] Bigpond email abuse

2021-06-02 Thread Jett Jackson
Working in healthcare and I've seen a huge uptick in phishing emails like 
these, they're frustratingly difficult to filter out.

They follow the general format of a reply, although I do notice they strip the 
message info block in the top email in the chain, presumably this is so people 
don't notice the date on the old email thread.


Jett Jackson
Hosting and Automation Lead

E   j...@lumity.com.au
T   1300 LUMITY (1300 586 489)
W  www.LUMITY.com.au
A   PO BOX 4089 | Success, WA 6964



-----Original Message-----
From: AusNOG  On Behalf Of James Williamson
Sent: 2 June 2021 1:03 PM
To: ausnog@lists.ausnog.net
Subject: [AusNOG] Bigpond email abuse

Hi All,

We saw an external user a few months ago who had their Bigpond address 
compromised, and the entire mailbox dumped. Afterwards, they discovered friends 
and colleagues are receiving replies to years-old threads (although the new 
message is from a random email address), usually with some sort of phishing 
link. Now we've seen it again with a second and unrelated Bigpond user.

Has anybody seen anything similar before? I'm not familiar with this breed of 
spam, and to see two of them from the same host has my curiosity up a bit. 
Trying to find other cases like this eluded my Google-fu.

[example, redactions mine]
From: Robyn *** 
Sent: Friday, 21 May 2021 2:32 AM
To: Allison *** 
Subject: Re: RE: 

--EMAIL FROM EXTERNAL ADDRESS, CHECK LINKS & ATTACHMENTS BEFORE CLICKING OR 
OPENING THEM--
 

Good afternoon,
It's Robyn ***. Please look at the report and deal with any problems. Here 
is the document link:
https://1drv.ms/u/s!***?e=ysj***
password: 5214 


On 2018-12-07 15:34, Allison  wrote:
Hi Allison

Thanks so much for your time in showing me around  recently. I was really  
impressed with your knowledge of the programs and facilities, and the * in 
general.
(snip)
[end example]

Cheers,
James
___
AusNOG mailing list
AusNOG@lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
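
The indicators described in this thread (a reply quoting a years-old message, a familiar name on an unfamiliar address, a link followed by a password line) can be checked per message. This is an added Python example, not code from any poster; the `known_senders` address book, the one-year threshold and the sample message are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Attribution line in the format of the thread's example: "On 2018-12-07 15:34, Allison wrote:"
QUOTE_ATTR = re.compile(r"^On (\d{4}-\d{2}-\d{2}) \d{2}:\d{2}, .* wrote:", re.M)
URL = re.compile(r"https?://\S+")
PASSWORD_LINE = re.compile(r"^password:\s*\S+", re.M | re.I)
STALE_AFTER = timedelta(days=365)  # assumed cut-off for an "old" thread

# Constructed sample message (names, addresses and URL are placeholders).
SAMPLE = """\
From: Robyn Example <rx193@mailer.example>
To: Allison Example <allison@clinic.example>
Subject: Re: RE: site visit
Date: Fri, 21 May 2021 02:32:00 +1000

Good afternoon,
Please look at the report. Here is the document link:
https://files.example/doc
password: 5214

On 2018-12-07 15:34, Allison wrote:
Hi Robyn, thanks for your time.
"""

def score_reply(raw, known_senders):
    """Return the thread-hijack indicators found in one raw plain-text message.

    known_senders: hypothetical map of display name -> addresses seen before."""
    msg = message_from_string(raw)
    if not (msg["Subject"] or "").lower().startswith("re:"):
        return []  # only reply-shaped mail is in scope
    name, addr = parseaddr(msg["From"])
    sent = parsedate_to_datetime(msg["Date"]).replace(tzinfo=None)
    body = msg.get_payload()
    hits = []
    seen = known_senders.get(name)
    if seen is not None and addr.lower() not in seen:
        hits.append("known-name-new-address")
    quoted = QUOTE_ATTR.search(body)
    # If the attribution line was stripped, staleness cannot be judged here.
    if quoted and sent - datetime.strptime(quoted.group(1), "%Y-%m-%d") > STALE_AFTER:
        hits.append("stale-thread")
    if URL.search(body) and PASSWORD_LINE.search(body):
        hits.append("link-plus-password")
    return hits
```

Because the attribution line may be stripped from the top quoted email, as noted above, the sender and link checks are kept independent of the date check.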


Re: [AusNOG] Bigpond email abuse

2021-06-02 Thread Bradley Amm
And enable MFA



From: AusNOG  on behalf of Phil Memery 

Sent: Wednesday, June 2, 2021 1:43:12 PM
To: James Williamson 
Cc: ausnog@lists.ausnog.net 
Subject: Re: [AusNOG] Bigpond email abuse

Greetings James (and Others)

Yes I have seen it (I have well and truly deleted the SPAM emails and moved on 
though).

It was a google hosted domain. From recollection the user changed his access 
details related to the domain and his email, end of problem. So it seems not to 
be just a bigpond or Google issue.

A good reminder to "change passwords" and make sure they are of a good secure 
structure. I am often still amazed at how poor some individuals are about 
passwords.


Regards, Phil

----- Original Message -----
From: "James Williamson" 
To: ausnog@lists.ausnog.net
Sent: Wednesday, 2 June, 2021 3:03:22 PM
Subject: [AusNOG] Bigpond email abuse

Hi All,

We saw an external user a few months ago who had their Bigpond address 
compromised, and the entire mailbox dumped. Afterwards, they discovered friends 
and colleagues are receiving replies to years-old threads (although the new 
message is from a random email address), usually with some sort of phishing 
link. Now we've seen it again with a second and unrelated Bigpond user.

Has anybody seen anything similar before? I'm not familiar with this breed of 
spam, and to see two of them from the same host has my curiosity up a bit. 
Trying to find other cases like this eluded my Google-fu.

[example, redactions mine]
From: Robyn *** 
Sent: Friday, 21 May 2021 2:32 AM
To: Allison *** 
Subject: Re: RE: 

--EMAIL FROM EXTERNAL ADDRESS, CHECK LINKS & ATTACHMENTS BEFORE CLICKING OR 
OPENING THEM--


Good afternoon,
It's Robyn ***. Please look at the report and deal with any problems. Here 
is the document link:
https://1drv.ms/u/s!***?e=ysj***
password: 5214


On 2018-12-07 15:34, Allison  wrote:
Hi Allison

Thanks so much for your time in showing me around  recently. I was
really  impressed with your knowledge of the programs and facilities,
and the * in general.
(snip)
[end example]

Cheers,
James
--
Phil Memery www.clevernetit.com.au  
A.B.N: 24 172 081 538
DELL PartnerDirect Registered
   www.hillclimbracing.com
+61 (0) 417 315 935


[AusNOG] NSW Department of Education Mail Server Sysadmin Contact

2021-06-02 Thread Tim Dykes
Anyone know how to reach the email administrators within NSW DET? Client of
mine is having email delivery issues sending to det.nsw.edu.au

Tim Dykes