Fishing and Proton and GPG

Hopefully spammers do not parse these blog posts, but I don’t get a lot of spam. So, when I receive some, I usually look through them just in case the filter was over eager. Props to Zoho by the way; I can’t recall having had legitimate mail being classified as spam during the 2 years or so I’ve used them for my personal domain. Today I received a (second) attempt at fishing. Well, fishing, not even that really, the mail claims, in cleverly vague terms, to have hacked my ‘os’ and ‘email’, and in exchange for silence I should send some amount to a bitcoin address. What is interesting is that this email has my own email address in the from and return-path fields. Either this person did hack my account, or Zoho allows impersonation a bit too easily. In the mail body I see the spf authentication failed (the IP is indeed different, the domain is .com.ar). Not sure if the DKIM result should be there too, but it isn’t. Recently I set up a DMARC record, hookup up to dmarcian (free for low volume domains), and at the moment I’m not restricting any fails from being sent, just in case (which case I’m not sure, but it’s what’s advised). I guess I could set the policy to reject in order to get rid of this kind of spam. It’s kinda fun to learn all this stuff this way though.

So apart from the technical side of spam, what was interesting was searching for that bitcoin address, since, I expected other people to warn against the hoax. Not all, but many of the hits on the first two pages were actually pages (with identical copy, so clearly content farmed) treating the threat seriously and recommending you run some (likely fake) anti-malware software (Windows, even though the mail is delightfully unspecific with ‘os’). So I guess these pages are part of the fishing campaign. I can fully imagine that this is enough to convince people to send money, and they bitcoin being bitcoin, we can easily check the ledger to see they indeed are doing that, and the creator of the campaign is also taking money from the account as of yesterday: 182PJESsEWbuJ8PEgfM58p64jbok3i1gNU.

And now for something completely different. Yesterday I spent my time not clearing out bitcoin addresses, but discovering how easy it is to send and receive GPG signed and encrypted mail with Protonmail. You may have read earlier messages about how it wasn’t so easy to set up clients with my keypair, so I guess that’s the nice for which Proton gets and deserves all its fame. I’d like to add that I also discovered key exchange in Kmail can be as easy as clicking ‘add my public key’ when you’re drafting a new email. Too bad Proton doesn’t do IMAP/SMTP without that silly bridge of theirs, and is kinda expensive in case you want to hook up your own domain.