this post was submitted on 11 Jan 2024
209 points (95.6% liked)

Technology

59534 readers
3195 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

I've seen a few hundred of these emails in the past couple days coming in from multiple different companies.

I'm looking for more info.

at least one said it was zendesk, most did not say any software.

the tickets are being sent with CC addresses that contain large email lists. often others on the CC who don't know what's happening will reply "stop emailing me".

so far I've seen this coming in to multiple addresses and none of the sending companies are familiar either.

sounds familiar to anyone? any info on this? it's there a name i can lookup to find more info? i want to know what services this effects so i can properly protect my stuff and my work stuff.

all 49 comments
sorted by: hot top controversial new old
[–] surewhynotlem@lemmy.world 39 points 10 months ago* (last edited 10 months ago) (2 children)

Why do you think anything is hacked? It's trivially easy to send an email pretending to be someone else. There's no validation.

Do they contain valid data or something?

[–] corsicanguppy@lemmy.ca 2 points 10 months ago (1 children)

There's no validation.

SPF.

[–] surewhynotlem@lemmy.world 5 points 10 months ago (1 children)

Optional, but recommended. But doesn't guarantee anything unless both sides respect it. Also, IP spoofing is a thing.

Email is a broken protocol. There's a great copy pasta about why it can't or won't be fixed, which I unfortunately can't find. But it boils down to the fact that you can't get everyone to agree on, or implement, the fixes necessary to prevent spam.

[–] ripcord@lemmy.world 1 points 10 months ago

Use a host that requires it. Done?

[–] hperrin@lemmy.world 24 points 10 months ago (6 children)

Check out https://port87.com

It’s an email service that I developed to solve this kind of problem. Everything you sign up for has its own address, so if you get these to your bank address, you know it’s a scam.

If you’re happy with your current email provider, you can achieve a similar result with subaddressing (aka plus addressing), if you set up a filter for each new address.

[–] T156@lemmy.world 10 points 10 months ago (1 children)

If you’re happy with your current email provider, you can achieve a similar result with subaddressing (aka plus addressing), if you set up a filter for each new address.

Subadressing isn't quite as trustworthy, though, since it's trivial to strip the plus tag, or other marks from the email.

[–] hperrin@lemmy.world 5 points 10 months ago (1 children)

That is true. I think spam lists usually have many thousands of addresses though, so unless they’re doing it with a script, they’re probably not stripping the subaddresses.

But a service that lets you use a dash instead of a plus, like Port87, is a bit safer in that regard. The dash is also accepted everywhere, whereas some places (like Microsoft) don’t accept a plus in an email address.

[–] Appoxo@lemmy.dbzer0.com 3 points 10 months ago

As if they wouldnt deduplicate and sanitize their list.

This is probably a 5min question on Chatgpt and executing it.

[–] qaz@lemmy.world 3 points 10 months ago* (last edited 10 months ago) (1 children)

Interesting service. I’ve been doing this manually with Addy.io but that’s not feasible or desired by most, this could be a solution for that.

[–] hperrin@lemmy.world 2 points 10 months ago

I got the idea because I was doing it manually too with Sieve scripts on ProtonMail.

Please try it out, and if you like it, help spread the word. :)

[–] stealth_cookies@lemmy.ca 3 points 10 months ago (1 children)

Does the hyphen get accepted everywhere? I use aliases already for every sign up but a shocking number of websites reject emails with the + sign as invalid, often the ones I'm most concerned about.

[–] hperrin@lemmy.world 1 points 10 months ago

It’s worked everywhere I’ve tried it. Blocking the hyphen would be a really aggressive move, because that’s valid in usernames in most email services. I honestly don’t know why places block the plus.

[–] INeedMana@lemmy.world 2 points 10 months ago (1 children)

Interesting. Will port87 work with third-party mail clients?

[–] hperrin@lemmy.world 3 points 10 months ago

Not yet, but I’m working on that. SMTP works from a mail client, but I haven’t finished the IMAP server. I’m also working on customer domains, so you can bring your own domain. It’ll work with a single user setup (label@mydomain.com) or multi user setup (user-label@mydomain.com).

[–] Bocky@lemmy.today 1 points 10 months ago (1 children)

Or you can do it with duck.com for free

[–] hperrin@lemmy.world 2 points 10 months ago* (last edited 10 months ago)

Duck.com is a great service, but it doesn’t have the same features as Port87, and it has different goals and a different purpose as a service.

Duck.com is meant to keep your existing email address private. It forwards messages to your current email provider. You could use a duck.com address to keep a Port87 address private.

Port87 is meant to be your email provider. It doesn’t forward mail, but instead receives/sends mail for you. You get unlimited subaddresses with Port87, and each one has its own label in your account with its own settings, like whether to send push notifications, mark email as read, screen new senders, etc. It’s meant to help you stay organized by keeping your email categorized for you. It’s also available free. There are paid features, but you can receive mail to unlimited addresses for free.

The two services work very well together, and you can get the benefits of both!

[–] Nougat@kbin.social 20 points 10 months ago (1 children)

This is someone abusing ticketing systems that send autoresponses. Nothing has been hacked, the best thing for you to do is make a mailbox filter rule that trashes those and move on.

[–] knighthawk0811@lemmy.one 2 points 10 months ago (1 children)

I've done that, but it's spreading.

[–] Nougat@kbin.social 14 points 10 months ago

The people operating the ticketing systems that are being abused will need to individually take action to deal with those incoming false support requests. They’re already aware of it, you don’t need to try and tell anyone.

Another thing to be aware of - sometimes malicious actors will do this in order to overwhelm your mailbox because they’re doing a identity theft or account takeover thing against you, so watch out for emails that say some password of yours was changed, or a purchase was made or something. This might not apply to you, you mentioned other recipients. But it’s still good to know.

[–] Sanctus@lemmy.world 8 points 10 months ago (1 children)

I've only seen four or five. What do you use to filter your emails?

[–] knighthawk0811@lemmy.one 3 points 10 months ago (2 children)

other than specific filters and generic spam filter I have the "if content contains 'unsubscribe' then mark as read and never mark important"

[–] PoolloverNathan@programming.dev 5 points 10 months ago (1 children)

Watch out for email footers like "This is important account information. You cannot unsubscribe from these emails.".

[–] knighthawk0811@lemmy.one 2 points 10 months ago

oh, yeah. it's not perfect but it sure does remove so much crap i don't intend to read.

i recently missed an event invite because of it... luckily i was just a late responder and have not actually missed the event itself

i definitely have to "browse" the unimportant emails regularly

[–] Sanctus@lemmy.world 1 points 10 months ago (1 children)

Whose your email provider? Or do you self-host? If you have a provider you can report the spam to them so they can update their systems.

[–] knighthawk0811@lemmy.one 2 points 10 months ago (1 children)

I'm using Google. I've done that too. protecting inboxes is step one for sure, but i also want to know the extent of this. it's not enough for me to just block the emails and leave it at that.

if it keeps coming and i fail to block them all i want to have some info on the intent of this so I can properly educate others i work with to defend ourselves

[–] Sanctus@lemmy.world 2 points 10 months ago* (last edited 10 months ago)

Oh, we have a self-hosted exchange behind a watchguard and protected by Trend Micro. I haven't seen very many of these emails you mentioned and it could be because of them. Though I can say we do get spam and malicious emails relentlessly from Gmail aliases.

Edit: as for intent, initial emails are usually always to confirm the address is a valid or active email. So make sure no one responds.

[–] Appoxo@lemmy.dbzer0.com 3 points 10 months ago

You'd be surprised how many of those emails I am still somehow getting... Not at all surprised.

[–] greybeard@lemmy.one 2 points 10 months ago (1 children)

Where seeing it as well. I'm unsure what the scam is. The ticket systems we saw don't have any obvious connection to our industry. It is a lot of noise, but it wasn't like a coverup spam, because it hit multiple users in the org at once. Really a strange thing.

[–] knighthawk0811@lemmy.one 2 points 10 months ago (1 children)

i assume something just got popular with script kiddies, but i want to know what it is and what systems it effects so i can know if I'm protected or not.

gonna keep looking at least as long as i keep seeing this happening

[–] greybeard@lemmy.one 1 points 10 months ago (1 children)

Do yours have an onmicrosoft.com account CC'd? Both cases we have seen have had a different onmicrosoft.com account CC'd.

[–] knighthawk0811@lemmy.one 1 points 10 months ago (1 children)

not sure if all of them did, but some did for sure. off looking address too

[–] greybeard@lemmy.one 3 points 10 months ago* (last edited 10 months ago)

Thanks, that helps. I shared this with the mspgeek.org community to see if anyone else is seeing it.