[volunteers] Linode "support" scam
Rick Moen
rick at linuxmafia.com
Sun Jan 2 16:48:42 PST 2022
Quoting Don Marti (dmarti at zgp.org):
> Looks like the Linode support scammers are at it again, including this
> list -- fake "account limit" emails with a demand for documents to keep
> them from shutting off your account.
I've just now caught up on this, mostly on account of having been at the
2021 World Science Fiction Convention (in D.C.) with my wife over the
Christmas holiday, and (after getting back) having to dig my way through
a huge pile of accumulated e-mail.
I see two of those mails in the Web archives for (IIRC) this mailing
list and the web-team one. And, two things.
_One_, the origin is (not surprisingly) completely forged. Here is the
earliest Received header from the one that hit web-team (that accepts
per /etc/aliases all inbound mail for webmaster@):
Received: from so254-56.mailgun.net ([198.61.254.56]:13436)
by mail.svlug.org with esmtp (Exim 4.44 #1) id 1n2Hza-0002HU-BN
for <webmaster at svlug.org>; Tue, 28 Dec 2021 11:21:38 -0800
Domain "mailgun.net" is one of those scummy targeted-marketing e-mail
services, one of many such -- part of the industry made [in]famous by
the firm Constant Contact.
So, no surprise, the scam mail forges support at linode.com as (alleged)
sender. I cannot recall offhand whether the antique MTA setup on
lists.svlug.org does competent enforcement of SPF antiforgery policies.
I'm a little tired, and also tired of having to handle these things, but
am guessing "not". Here is Linode's published SPF policy:
$ dig -t txt linode.com +short +tcp | grep spf
"v=spf1 a:outbound.mail.linode.com include:sendersv4b.mail.linode.com include:_spf.google.com include:mktomail.com" " ip4:52.71.30.102 ip4:97.107.141.36 ip6:2600:3c03::f03c:91ff:fe6e:fda0 ip4:66.175.208.40 ip6:2600:3c03::f03c:92ff:fe0a:9257" " include:md02.com include:amazonses.com -all"
That's a little complicated, but at a quick guess, friggin' Mailgun.net
IPs probably aren't a match, so the forgery should have been caught as
an SPF antiforgery failure, if there were SPF checking enforced at
mail.svlug.org. (My own MTA _does_ enforce SPF policies, but this one
got reputation-washed via SVLUG's mail server.)
I'm undecided whether I want to remove "support at linode.com" from
Mailman's whitelist, which would take us back to any mail purporting to
be from there getting held for listadmin approval. FWIW, I believe I
whitelisted (in Mailman) both that address and the corresponding
Joker.com address (used to send out domain-administration notices)
because those can be _so_ urgent that we don't want to miss seeing them
just because nobody approved them from held messages.
I'll consider that matter, anyway. At minimum, I'm tempted to put in a
Mailman filter autodiscarding any posting arriving with a Received header
that mentions mailgun.net, because, frankly, screw those guys.
_Two_, as a reminder, SVLUG's Linode virthost is _down_ deliberately on
account of credibly-alleged security breach of the virthost. Therefore,
the scam is hilariously transparently fraudulent at this time.
--
Cheers,
Rick Moen
rick at linuxmafia.com
McQ! (4x80)

"Public health is not private health. Epidemics are not personal
diseases, and pandemics are not even national: They take place
across the shared immune system of human society."
-- Indi Samarajiva, https://t.co/bW2w059PYp
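The message above argues that an SPF check at mail.svlug.org would have rejected the forged "support at linode.com" mail, because the Mailgun relay address in the Received header is not covered by linode.com's published policy. The following is an added example, not part of the message or of SVLUG's or Linode's own setup: a small, self-contained SPF evaluator that reassembles the multi-string TXT record exactly as the dig output shows it, pulls the connecting IP out of the quoted Received header, and walks the ip4/ip6/a/include mechanisms to a verdict. Because the record's include: and a: targets need live DNS, the example substitutes an in-memory zone (FAKE_ZONE) whose contents for the included domains are constructed placeholders using RFC 5737 documentation addresses, not Linode's, Google's or Marketo's real records; only the linode.com record itself is the one from the post. The mx, ptr and exists mechanisms and the redirect= modifier are deliberately not implemented.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# The dig output quoted in the post: one TXT record split across three quoted strings.
DIG_OUTPUT = (
    '"v=spf1 a:outbound.mail.linode.com include:sendersv4b.mail.linode.com '
    'include:_spf.google.com include:mktomail.com" " ip4:52.71.30.102 ip4:97.107.141.36 '
    'ip6:2600:3c03::f03c:91ff:fe6e:fda0 ip4:66.175.208.40 ip6:2600:3c03::f03c:92ff:fe0a:9257" '
    '" include:md02.com include:amazonses.com -all"'
)

# The earliest Received header quoted in the post (one line for brevity).
RECEIVED = ("Received: from so254-56.mailgun.net ([198.61.254.56]:13436) "
            "by mail.svlug.org with esmtp (Exim 4.44 #1) id 1n2Hza-0002HU-BN")


def join_txt_strings(dig_line: str) -> str:
    """A TXT record longer than 255 bytes is published as several quoted strings;
    a resolver must concatenate them (no separator) before parsing."""
    return "".join(re.findall(r'"([^"]*)"', dig_line))


def received_client_ip(header: str) -> Optional[str]:
    """Extract the connecting client's IP literal ([a.b.c.d]) from a Received header."""
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", header)
    return m.group(1) if m else None


# CONSTRUCTED in-memory zone standing in for DNS. Only linode.com's TXT is real (from the
# post); every other entry is a placeholder so include:/a: lookups terminate offline.
FAKE_ZONE: Dict[str, Dict[str, List[str]]] = {
    "linode.com": {"txt": [join_txt_strings(DIG_OUTPUT)]},
    "outbound.mail.linode.com": {"a": ["192.0.2.10"]},          # placeholder
    "sendersv4b.mail.linode.com": {"txt": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    "_spf.google.com": {"txt": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "mktomail.com": {"txt": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
    "md02.com": {"txt": ["v=spf1 -all"]},
    "amazonses.com": {"txt": ["v=spf1 -all"]},
}


def lookup_txt(domain: str) -> List[str]:
    return FAKE_ZONE.get(domain.lower(), {}).get("txt", [])


def lookup_a(domain: str) -> List[str]:
    return FAKE_ZONE.get(domain.lower(), {}).get("a", [])


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain: str, txt_lookup: Callable[[str], List[str]]) -> Optional[str]:
    for rec in txt_lookup(domain):
        if rec.lower().startswith("v=spf1 "):
            return rec
    return None


def check_host(ip: str, domain: str,
               txt_lookup: Callable[[str], List[str]] = lookup_txt,
               a_lookup: Callable[[str], List[str]] = lookup_a,
               depth: int = 0) -> str:
    """Simplified RFC 7208 check_host(): returns pass/fail/softfail/neutral/none/permerror.
    Mechanisms are tried left to right; the first match decides via its qualifier."""
    if depth > 10:                       # RFC 7208 caps DNS-causing terms; guard recursion
        return "permerror"
    record = spf_record(domain, txt_lookup)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # first ':' only, so ip6 literals stay intact
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "a":
            matched = any(ipaddress.ip_address(a) == addr for a in a_lookup(arg or domain))
        elif name == "include":            # include: matches only on a "pass" of the target
            matched = check_host(ip, arg, txt_lookup, a_lookup, depth + 1) == "pass"
        # mx/ptr/exists mechanisms and redirect=/exp= modifiers: not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    client = received_client_ip(RECEIVED)
    print(client, "->", check_host(client, "linode.com"))
```

The verdict for the Mailgun relay address is "fail", i.e. the -all at the end of Linode's record is reached without any mechanism matching; a receiving MTA that enforces SPF would reject or quarantine at SMTP time. In production this belongs in the MTA or a milter using a maintained library such as pyspf rather than a hand-rolled evaluator, and SPF alone says nothing about the From: header, which is why DMARC alignment is the usual complement.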