We just had a phishing mail come through to wikimediauk-l a few days ago. The email wasn't sent by the poster - but by someone else using his email address. His university gave some advice, but I'm not sure what they mean nor how to effectively implement this using any settings we have in Mailman ... so in the general case, is there anything we can do about this type of phishing mail?
- d.
---------- Forwarded message ----------
From: MCANDREW Ewan <Ewan.McAndrew@ed.ac.uk>
Date: 24 August 2017 at 11:10
Subject: FW: I170821-0616 about "Phidhing scam problem Fwd: [Wikimediauk-l] #4947276 Invoice secondary Notice" has been resolved
To: Lucy Crompton-Reid <lucy.crompton-reid@wikimedia.org.uk>, "john.lubbock@wikimedia.org.uk" <john.lubbock@wikimedia.org.uk>, Richard Nevell <richard.nevell@wikimedia.org.uk>
Hi all,
Please see below message regarding the phishing message on the Wiki mailing lists.
Are we able to provide the ‘pure mail headers’?
Best,
Ewan
Ewan McAndrew
Wikimedian in Residence
Tel: 07719 330076
Email: ewan.mcandrew@ed.ac.uk
Subscribe to the mailing list: wikimedia@mlist.is.ed.ac.uk
My working hours are 10.30am to 6.30pm Monday to Friday.
Wikipedia Project Page for the residency: https://en.wikipedia.org/wiki/Wikipedia:University_of_Edinburgh
The University of Edinburgh, Floor H (West), Argyle House, 3 Lady Lawson Street, Edinburgh, EH3 9DR. www.ed.ac.uk
From: UoE UniDesk Number I170821-0616
Sent: 24 August 2017 10:04
To: MCANDREW Ewan
Subject: I170821-0616 about "Phidhing scam problem Fwd: [Wikimediauk-l] #4947276 Invoice secondary Notice" has been resolved
Hello Ewan
The mail admins have taken a further look at this and have added the following information:
'The quoted message is a digest containing the scam message and not the original scam message. It contains no information to show where the original came from as it only shows an excerpt of its headers.
However, it does *apparently* contain a from address like
Ewan.McAndrew@ed.ac.uk< liane.eichenberger@buendes-bueroservice.de>
and that *suggests* that the original *may* have come from liane.eichenberger@buendes-bueroservice.de - but it is impossible to be sure of anything without seeing the original. That would presumably require the cooperation of the list manager or any list member who receives individual messages rather than digests.'
In summary, then, ideally the UoE postmaster would need to see 'pure' mail headers from an individual message, as opposed to those from a digest.
Best wishes,
Jono
....................
Hi,
full message header below - please can you help.
NB: I am wondering whether this is actually a University of Edinburgh email account problem or a Gmail or Wikimedia mailing list compromise problem; however, I have now received another phishing spam message from a different email address via this Wikimedia mailing list (purporting to be from Jason Evans at the National Library of Wales).
-- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
--
Richard Nevell
Project Coordinator, Wikimedia UK - sign up to our newsletter
+44 (0) 20 3372 0765
Wikimedia UK is a Company Limited by Guarantee registered in England and Wales, Registered No. 6741827. Registered Charity No.1144513. Registered Office 5-11 Lavington Street, London SE1 0NZ. United Kingdom. Wikimedia UK is the UK chapter of a global Wikimedia movement. The Wikimedia projects are run by the Wikimedia Foundation (who operate Wikipedia, amongst other projects).
Wikimedia UK is an independent non-profit charity with no legal control over Wikipedia nor responsibility for its contents.
I think, as with many things, we need to wait for the WMF to update mailman. I'm no expert, but...
On 24 August 2017 at 21:10, David Gerard <dgerard@gmail.com> wrote:
Listadmins mailing list Listadmins@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/listadmins
Known bug. Ticket for reference:
https://phabricator.wikimedia.org/T160529
Ewan,
A full copy of the original email including full headers can be accessed here: https://pastebin.com/BaTMUArr
All,
You're over thinking this. Either someone subscribed the email address invoicing@kibamf.com to wikimediauk-l, or they knew it was already a subscriber. And then they sent a message specifying that email address in the From field. Hey pesto, message delivered.
Additionally, in the From Name, where people specify their real name (e.g. I would specify "Katie Chan", or for example in David's case "David Gerard"), they specified "Ewan.McAndrew@ed.ac.uk".
That is an entirely sender-specified property; even fixing T160529 wouldn't stop that (though I would obviously want that fixed!).
Regards,
Katie
On 24/08/2017 21:10, David Gerard wrote:
"From: Ewan.McAndrew@ed.ac.uk <invoicing@kibamf.com>"
Sigh. Thanks for the mail, Katie.
Here I blame many email clients that show only the real name. «Your name is "john.doe@example.com"? That's not a problem, I think it will be enough to show that, no need to additionally mention that your email is gangster@evilguys.biz» And there are some really popular ones doing this. :( Not sure how these will turn out if evilguys.biz set up DMARC, once we additionally add From-header replacement into the mix.
Obviously, the link from the email leads to a virus download, so be careful those peeking at it: https://www.virustotal.com/#/file/17bba5b4fbf997163f1f0f316b5bc08bd1cdde4e8c...
Note: I am a bit confused by the mention on the thread of " Ewan.McAndrew@ed.ac.uk< liane.eichenberger@buendes-bueroservice.de>". Were there *several* phishing emails with an "Ewan name"? If they continue impersonating Ewan that way, emails using such a name could be blocked with a regex in the list config.
Regards
PS: Gmail is complaining that the ed.ac.uk email server doesn't support STARTTLS. That is something they can implement, unlike avoiding such messages.
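A check for the pattern Katie and Platonides describe, written for this thread as an added example; it is not Mailman code and not the wikimediauk-l configuration. It splits a From value into display name and addr-spec (decoding RFC 2047 encoded words first, so an encoded display name is seen the same way as a plain one), flags a display name that looks like a different mailbox, builds the narrow kind of regex a header_filter_rules entry could carry for one impersonated name, and models the "Munge From" rewrite that a DMARC policy on the sender's domain would trigger, which shows that the spoofed display name survives the rewrite. The sample header values, the list address and all function names are constructed for the example.

```python
"""Spot From headers whose display name impersonates another mailbox.

Added example, not Mailman code and not the wikimediauk-l configuration.
All sample header values, the list address and the function names below are
constructed for this example.
"""
from __future__ import annotations

import re
from email.header import decode_header, make_header

# addr-spec inside the angle brackets of an RFC 5322 name-addr
ANGLE_ADDR_RE = re.compile(r"<\s*([^<>\s]+@[^<>\s]+)\s*>\s*$")
# something that looks like a mailbox inside free text such as a display name
LOOKS_LIKE_ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def split_from(value: str) -> tuple[str, str]:
    """Return (display_name, addr_spec) for a From header value.

    RFC 2047 encoded words (=?utf-8?q?...?=) are decoded first, so an encoded
    display name cannot hide its '@' from the check. A value with no angle-addr
    is treated as a bare addr-spec with an empty display name.
    """
    decoded = str(make_header(decode_header(value))).strip()
    m = ANGLE_ADDR_RE.search(decoded)
    if m is None:
        return "", decoded.lower()
    name = decoded[: m.start()].strip().strip('"').strip()
    return name, m.group(1).lower()


def impersonated_mailbox(value: str) -> str | None:
    """Return the mailbox the display name pretends to be, or None.

    A display name that merely repeats the real addr-spec is not flagged.
    """
    name, addr = split_from(value)
    for claimed in LOOKS_LIKE_ADDR_RE.findall(name):
        if claimed.lower() != addr:
            return claimed.lower()
    return None


def header_filter_regex(impersonated: str) -> str:
    """Regex in the style of a list header filter rule for ONE impersonated name.

    Matches a raw From line that uses `impersonated` as display name in front
    of a *different* angle-addr; the negative lookahead lets the genuine
    sender's own mail through.
    """
    who = re.escape(impersonated)
    return rf'^From:\s*"?{who}"?\s*<(?!{who}>)[^>]+>'


def rule_matches(regex: str, header_line: str) -> bool:
    """Apply a rule to one raw header line, case-insensitively."""
    return re.search(regex, header_line, re.IGNORECASE | re.MULTILINE) is not None


def munge_from(value: str, list_name: str, list_addr: str) -> tuple[str, str]:
    """Model the 'Munge From' rewrite a list applies when the sender domain's
    DMARC policy would otherwise get list copies rejected (assumed shape:
    '"Name via List" <list@...>' plus Reply-To = original sender).

    Returns (new_from, reply_to). The spoofed display name survives and now
    sits in front of the list's own address.
    """
    name, addr = split_from(value)
    return f'"{name or addr} via {list_name}" <{list_addr}>', addr


# Constructed samples: the spoof shape quoted in the thread, an encoded
# variant of it, the genuine sender, and an ordinary subscriber.
SAMPLE_FROM_VALUES = {
    "spoof": "Ewan.McAndrew@ed.ac.uk <invoicing@kibamf.com>",
    "spoof_encoded": "=?utf-8?q?Ewan=2EMcAndrew=40ed=2Eac=2Euk?= <invoicing@kibamf.com>",
    "genuine": '"Ewan.McAndrew@ed.ac.uk" <Ewan.McAndrew@ed.ac.uk>',
    "ordinary": "Katie Chan <katie@example.org>",
}


def scan(values: dict[str, str]) -> dict[str, str | None]:
    """Run the display-name check over a set of labelled From values."""
    return {label: impersonated_mailbox(v) for label, v in values.items()}


if __name__ == "__main__":
    rule = header_filter_regex("Ewan.McAndrew@ed.ac.uk")
    for label, value in SAMPLE_FROM_VALUES.items():
        claimed = impersonated_mailbox(value) or "ok"
        held = "HOLD" if rule_matches(rule, "From: " + value) else "pass"
        print(f"{label:14s} check={claimed:24s} regex={held}")
    print(munge_from(SAMPLE_FROM_VALUES["spoof"], "Wikimediauk-l",
                     "wikimediauk-l@lists.example.org"))
```

Running it shows the two approaches disagree on the encoded variant: the regex, applied to the raw header line, misses it, while the decoding check flags it. Whether a given list's own filter decodes headers before matching is a property of that software and is not assumed here; a rule of this shape is a stopgap for one impersonated name, not a general defence, which is the point Katie makes about the display name being sender-chosen.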