https://old.reddit.com/r/sysadmin/comments/qsun7o/email_from_fbi_looks_odd/

r/sysadmin: Email From FBI Looks Odd (self.sysadmin)
Submitted 13 Nov 2021 by DymoPoly; 670 points (97% upvoted), 344 comments

DymoPoly (OP): Yeah, this is terrifying to receive.
Email from FBI supposedly just came through: eims @ic.fbi.gov

Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure. Stay safe, U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group

I tried calling the local field office, but it's 11:30pm CT and the operator was of no help.

EDIT: First glance I assumed bullshit, but...
Received: from mx-east-ic.fbi.gov ([153.31.119.142]:33505 helo=mx-east.fbi.gov) envelope-from
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fbi.gov; s=cjis; t=1636779463; x=1668315463; h=date:from:to:message-id:subject:mime-version; bh=UlyBPHe3aElw3Vfnk/pqYLsBAoJGDFR1NyZFcSfpl5g=; b=N3YzXzJEbQCTJGh8qqjkYu/A5DTE7yoloPgO0r84N+Bm2ae6f+SxzsEq nbjnF2hC0WtiVIMMUVGzxWSiZjq1flEygQGI/JVjjk/tgVVPO5BcX4Os4 vIeg2pT+r/TLTgq4XZDIfGXa0wLKRAi8+e/Qtcc0qYNuTINJDuVxkGNUD 62DNKYw5uq/YHyxw+nl4XQwUNmQCcT5SIhebDEODaZq2oVHJeO5shrN42 urRJ40Pt9EGcRuzNoimtUtDYfiz3Ddf6vkFF8YTBZr5pWDJ6v22oy4mNK F8HINSI9+7LPX/5Td1y7uErbGvgAya5MId02w9r/p3GsHJgSFalgIn+uY Q==;
X-IronPort-AV: E=McAfee;i="6200,9189,10166"; a="4964109"
X-IronPort-AV: E=Sophos;i="5.87,231,1631577600"; d="scan'208";a="4964109"
Received: from dap00025.str0.eims.cjis ([10.67.35.50]) by wvadc-dmz-pmo003-fbi.enet.cjis with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Nov 2021 04:57:41 +0000
Received: from dap00040.str0.eims.cjis (dap00040.str0.eims.cjis [10.66.2.72]) by dap00025.str0.eims.cjis (8.14.4/8.13.8) with ESMTP id 1AD4vf5M029322 for <[my email...]>; Fri, 12 Nov 2021 23:57:41 -0500
Date: Fri, 12 Nov 2021 23:57:41 -0500 (EST)
From: eims@ic.fbi.gov

v=DMARC1; p=reject; rua=mailto:dmarc-feedback@fbi.gov,mailto:reports@dmarc.cyber.dhs.gov; ruf=mailto:dmarc-feedback@fbi.gov; pct=100

Comments (top 200 of 344, sorted by best):

rawzone (555 points, 12 hours ago): Yup, it's spam: https://twitter.com/spamhaus/status/1459452609979371520

WaldoTJ (41 points, 5 hours ago): But what is the POINT? Not advertising anything, but the name "Vinny Troia" is mentioned. No links, no trojan attachments. Maybe to get you to reply? Makes no sense.
gregsting (45 points, 4 hours ago): Seems weird to me. The question is also on Twitter and the answer is: "It's a guess, but our thought is that it's a combination scare-ware (get people to shut things down or make changes in a hurry), and a character assassination against the guy named in it, AND a way to make the FBI scramble."

rawzone (30 points, 4 hours ago): Pretty much the same as Spamhaus thinks is going on, yes. Convince people to shut things down just in case while veracity is determined, character assassination of Vinny Troia who was mentioned in it, and flooding the FBI with calls. Or, as someone else said, "for the lulz". Maybe all of the above. Maybe something else! https://twitter.com/spamhaus/status/1459573839977926660 Whatever it was, you can be sure the FBI are trying to figure things out. If we ever will see a report on it I don't know. But I've seen crazier things in my life.

Norwedditor (7 points, 2 hours ago): Not included there is show of force.

Ludacon (8 points, 3 hours ago): It almost seems like a prank or an anonymous warning about a hole in the email systems? I'm with ya on the WHY? Seems like if you broke in to that level you would have a plan beyond "hahaha, let's send some cryptic scammy email".

Fr0gm4n (4 points, 2 hours ago): Troia is a self-aggrandizing, self-important "security consultant" whose public image is media personality first, actual security professional second.
His website was hacked a few years ago serving up spam redirects and I still laugh whenever his name comes up.

pepoluan [Jack of All Trades] (48 points, 9 hours ago): Your answer should be upvoted more. Spamhaus is a trustworthy information source.

Alarmed_Tell_3509 (14 points, 9 hours ago): Newsweek and The Sun have run articles now too. I read the Newsweek article and it seems pretty surprisingly accurate for a news report on tech.

wowneatlookatthat (198 points, 16 hours ago): Generally when the FBI reaches out, the special agent assigned to your case would provide their contact info to set up a dialogue. The signature also denotes they're supposedly with DHS, so they wouldn't be sending from an FBI domain. Did you look at the headers?

DymoPoly (OP) (43 points, 16 hours ago): Yeah. Looks legit. Wild.

MaxHedrome (77 points, 16 hours ago): FBI subdomain hijacked? ....."dope"

antiduh [DevOps] (18 points, 9 hours ago): I'm having a bit of a hard time reading the headers on mobile, but something doesn't look right to me. I don't see your border MX anywhere in there (but you could've removed the headers for your servers). You can't trust any of the headers except for the ones your server attached. I don't see any information in there that comes from a trusted source actually identifying that the email was received by you from a server on an FBI address.
amishbill [Jack of All Trades] (5 points, 10 hours ago): I've had this happen, though it was emailed through a social site in response to a post. It included contact info. Luckily I was able to pass it off to Legal.

dogedude81 (53 points, 16 hours ago): I doubt the FBI would reach out by email.

ZealTheSeal [Linux Admin] (18 points, 7 hours ago): The FBI absolutely will reach out via email.

billy_teats (28 points, 9 hours ago): The FBI showed us this year that they do reach out, but when that fails they get permission from a judge to patch the vulnerability themselves by hacking corporations.

LazlowK [Sysadmin] (26 points, 7 hours ago): Obviously 4th amendment complications aside, I get a real kick out of seeing a real "we are assisting you whether you like it or not".

computergeek125 (11 points, 6 hours ago): https://www.starwars.com/video/congratulations-you-are-being-rescued

adayton01 (13 points, 7 hours ago): Additional RED flag: transmitted on a weekend.

skat_in_the_hat (3 points, 6 hours ago): We hacked your company and created a satellite server. Then assigned all your machines to it.
Have a nice day <3 fbi

heytchap_ (173 points, 16 hours ago): That's written too casually for the FBI. We deal with them often on the security side of the house and not only is this email written too casually, but it's also too verbose and specific, especially for initial contact. This is junk.

beefstake (63 points, 10 hours ago): The FBI email you need to be concerned about is the one that simply asks you to call Special Agent X at your earliest convenience.

kaze2k6 (36 points, 9 hours ago): You've definitely fucked up if you're in touch with Special Agent X. That guy means business.

bmy1978 (9 points, 7 hours ago): If you think dealing with Special Agent X is intense, wait until you deal with Special Agent Y.

galad2003 (6 points, 6 hours ago): Special Agent Z however is a pussy.

Averag3_Hom3boy (2 points, 3 hours ago): Naw, Special Agent X is a great guy. Basically if you ever need anything, you can be sure that Special Agent X gon' give it to ya.

ryazwinski (16 points, 9 hours ago): Not to mention the spelling and grammar errors.
;)

DerfK (19 points, 7 hours ago): "it's also too verbose and specific" Alarms rang for me at the part where they can't do anything due to intelligence gathering but then start naming names.

Inner-Wall5937 (133 points, 16 hours ago): Got it too. I called the FBI helpdesk and they are getting flooded with calls... The header is showing it's coming from the FBI... Lady said maybe they were hacked but she wasn't sure.

michaelkrieger (104 points, 16 hours ago): Maybe that's the point? Flood resources and divert them from something else like a legit attack happening at the same time.

crshovrd (82 points, 15 hours ago): Die Hard has entered the chat.

Opheria13 (15 points, 9 hours ago): * Creedence Clearwater Revival plays in the background *

adayton01 (4 points, 7 hours ago): Rubbing toes on carpet.

noir_lord (23 points, 14 hours ago): It's a Firesale!

BadUsername_Numbers (14 points, 13 hours ago): Amaaaaaziiing graaaaaceee

f0urtyfive (8 points, 8 hours ago): Late to this party, but from what I read elsewhere, Vinny Troia has been writing a book about the group mentioned, probably just an attempt to smear him.
ChefBoyAreWeFucked (3 points, 8 hours ago): I doubt their help desk is actively mitigating or investigating anything.

Ramb1ingGho5t (2 points, 7 hours ago): Or a dry run.

thisguy_right_here (13 points, 10 hours ago): It's not uncommon for a company to be DDoS'd to hide a separate attack.

burgerkingbathroom (95 points, 16 hours ago): They have an open relay that allows sending from an fbi.gov address and someone is taking advantage? But sounds like whoever is sending knows a list of admin IT contacts to send to... This is amazing.

techied (88 points, 16 hours ago): The real question is what fucking IT company gave all our emails out.

Pretend_Technician49 (55 points, 15 hours ago): This is what the concern was for me... I was directly e-mailed and I happen to have that e-mail address as an ARIN contact with a specific IP subnet. I thought the FBI saw traffic from the IP block and e-mailed the ARIN contact. Who else that received the e-mail has that e-mail on the ARIN whois?

DymoPoly (OP) (40 points, 15 hours ago): Mine is used for an ARIN contact also.

Tritanium (28 points, 15 hours ago): I also received it on an address that is used for ARIN whois for an IP block.
I use it for a bunch of other stuff too though.

DymoPoly (OP) (23 points, 15 hours ago): Mine is used for an ARIN contact also.

Masiosare (13 points, 13 hours ago): Mine is not registered in ARIN but it's used as the contact for some domains. IMO, that's the sketchiest part. I can understand the FBI got hacked, but where did this email list come from?

lithid [have you tried turning it off? and leave it off.] (12 points, 11 hours ago): Did you ever use SolarWinds? My buddy who does not use his email for ARIN also got the email, but I think he just doesn't remember using it there. He also used SolarWinds but moved away from them 1-2 years ago. That was his first assumption.

av8rgeek (7 points, 12 hours ago): Mine was the "host master" so only used for ARIN.

b4its2l8g8r (4 points, 12 hours ago): Got it too. My email is used lots of places including ARIN, but we used to use SolarWinds as well.

Alarmed_Tell_3509 (10 points, 15 hours ago): Same here, ARIN contact instead of my primary.

jlick (3 points, 9 hours ago): I got it on an email address used for ARIN and domain registrations. I haven't seen it show up on any other addresses. If that's the source, they are using a current registration dump as I got a ton more SPAM on previously used registration addresses.
486_8088 [Je ne sais quoi] (23 points, 10 hours ago): "what fucking IT company gave all our emails out" a) AT&T b) LinkedIn c) IG d) Facebook g) All of the Above

binarypower (2 points, 4 hours ago): And every conference you or your boss went to and got the free swag beer koozie.

burgerkingbathroom (10 points, 15 hours ago): I'm wondering if they got into that FBI mailbox and there was a contact list.

DymoPoly (OP) (8 points, 15 hours ago): ...well shit.

kookieman6 (7 points, 10 hours ago): If it's all of us? ARIN for sure..

tomstorey_ (3 points, 15 hours ago): One of the myriad that have had a leak, probably.

DrGraffix (3 points, 10 hours ago): Definitely SolarWinds.

Tekmyster (2 points, 12 hours ago): Recently I have been getting daily emails on a group internal email (same as this FBI email) from gmail accounts. I think my boss used it for something with a Comcast or RCN order purchase. I have been filtering these emails along with my team and was wary of something larger going on possibly, as they all seemed to have links. My email is on ARIN also but as a technical contact, and other contacts as of writing this have not received anything.
anonymous_commentor (4 points, 9 hours ago): The address mine was sent to was once our point of contact for our ARIN accounts. He left but I kept the address alive for, well, just in case. Well, this is the first email to it in years. Glad I kept it.

Girardo76 (286 points, 16 hours ago): I love this subreddit. We got the same thing tonight. I panicked for about a minute and then realized it's bogus. Header analysis is pretty interesting. This is a fairly new piece of spam as far as I can tell.

Girardo76 (196 points, 16 hours ago): When I say the headers are interesting, it appears to be actually coming from or through FBI mail servers. Except for the DKIM Signature Body Hash Verified failure. Pour one out for the FBI sysadmins...

Fasterup (56 points, 8 hours ago): "Pour one out for the FBI sysadmins..." I am waiting for a post later today: "So I work for this government agency and this stupid intern bypassed our change processes because the Director came knocking when I wasn't around. So now I have to clean both the AD and the email servers."

thedaveking [Sysadmin] (69 points, 15 hours ago): Did you paste the full body into the "header" checks though? If you do, then I expect you'll see what I see on mine: all checks pass. I look forward to hearing the explanation for this one on the news.
torgefaehrlich (34 points, 14 hours ago): Client-side DKIM checks can fail for a number of reasons. They can only be reliably done on the receiving MTA.

HellfireHD (28 points, 16 hours ago): We got it too, about an hour ago.

bilingual-german (10 points, 6 hours ago): To the members who got a similar email: did you receive the email on the email address used to register with Reddit? On Twitter someone says FBI email infrastructure was compromised: https://twitter.com/GossiTheDog/status/1459451749811593219 via: https://news.ycombinator.com/item?id=29209011

DazzlingRutabega (6 points, 5 hours ago): The FBI email allegedly got hacked. https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberattack-messages-1648966

Dax420 (6 points, 4 hours ago): "Hacked" in this case probably just means they are running an open SMTP relay.

walksthiswalk (385 points, 17 hours ago): That reads like some absolute bullshit.

DymoPoly (OP) (129 points, 16 hours ago): Yeah, my first read through I was like wait what. Vinny Troia is a legit cyber security expert... Just odd that there's nothing else? Would expect something fake like this to have malicious links, attachments, bitcoin address, phone number for grandma... something?
EDIT: Also the header, should have included that in the original post.

walksthiswalk (158 points, 16 hours ago): They're social engineering you to authenticate into your security layers and make a change, or to reply and make admissions to your security infra solution so they can isolate their point of entry without guessing. Don't reply, and don't make changes without careful review.

Inner-Wall5937 (21 points, 16 hours ago): What if I replied, what do I do now?

Pretend_Technician49 (31 points, 15 hours ago): I replied asking how they got my e-mail. Response:
From: EIMS@FBI.GOV
This is a system account and not monitored by a human. If you have a problem please contact the Helpdesk at +1 (304)
My concern was the reply headers were the SAME IP address as the original e-mail...

quentech (8 points, 7 hours ago): Wait, are you a different person than OP who also received this same email? That would certainly point towards bullshit. Or are you just OP forgetting to respond under the correct account?

Pretend_Technician49 (5 points, 5 hours ago): I'm not OP. I received the email at 9:30 PM PST and it looked like spam on my phone. Same boat, I dug into the headers and saw the FBI email servers, the fact they only emailed me, and the response was from the same FBI email server; I was very concerned. After seeing OP's post and the responses that everyone else was seeing the same message, deemed it as fake.
walksthiswalk (54 points, 16 hours ago): Turn your badge in and pour a Glenmorangie rocks.

DumbshitOnTheRight [Of course I'm crazy but I'm not wrong] (6 points, 9 hours ago): Not a Highland Park 18?

DymoPoly (OP) (9 points, 16 hours ago): Should be fine as long as you gave no info away that could be used to interact with your services. Did they respond lol?

Inner-Wall5937 (7 points, 16 hours ago): It was an auto-response with the FBI helpdesk number. No links or anything.

DymoPoly (OP) (8 points, 16 hours ago): You're fine then.

quentech (3 points, 7 hours ago): Wait, are you a different person than OP who also received this same email? That would certainly point towards bullshit. Or are you just OP forgetting to respond under the correct account?

shadowh511 [DevOps] (42 points, 11 hours ago): Congratulations, welcome to your first attack by a state level actor.

Norwedditor (4 points, 2 hours ago): Yeah, replied elsewhere: this is a show of force and they aren't even worried about burning the vector.
disclosure5 (24 points, 16 hours ago): I'm starting to feel the whole thing is capitalising on a hack to smear Vinny Troia.

wowneatlookatthat (13 points, 15 hours ago): Yeah, if you check his Twitter there's one person in particular who seems to have it out for him.

HangryHangryHIPAA (7 points, 11 hours ago): Well, he did try to play whitehat and blackhat at the same time and got called out on it. That tends to not ingratiate you with either group.

pizzaboy192 (6 points, 8 hours ago): Isn't that just greyhat?

Rzah (15 points, 7 hours ago): zebrahat

skat_in_the_hat (3 points, 7 hours ago): If I put just a little bit of shit in your water bottle, is it still drinkable? How about a big shit nugget?

Wiamly [Security Admin] (3 points, 6 hours ago): The FBI wouldn't try to actively mitigate shit. They're an investigative agency, there are other organizations that would be doing that, and they wouldn't send you things in an email...

swingadmin [admin of swing] (100 points, 13 hours ago): The DHS is not part of the FBI and does not send emails from FBI.gov. CISA.gov is a subdivision of DHS, and is aptly named the Cybersecurity and Infrastructure Security Agency.
Receiving an email from that domain would probably freak me out. None of the agencies runs a "Cyber Threat Detection and Analysis | Network Analysis Group" * permalink * embed * save * parent * report * give award * reply [-]draeathSr. Sysadmin 2 points3 points4 points 4 hours ago (0 children) I got an email from CISA once. They thought we were compromised because we were talking to azure blob storage. (Some malware was using said storage solution as part of it's C&C, and I guess someone at CISA didn't realize that was a shared platform?) We did our best to check things out on our end anyway, but that did not exactly instill me with confidence in CISA. * permalink * embed * save * parent * report * give award * reply [-]gangaskan 5 points6 points7 points 7 hours ago (5 children) as alarming as it would be, i think them coming to your office in person would be more of a pants shitter. we have a guy from the FBI that comes in to assist our police agency from time to time, i always feel uneasy around him for whatever reason. maybe it stems from my childhoold downloading illegal software, movies, music, and games lol. i raped the interent pretty hard in my teenage years. so much that comcast had an internal invesigation on my connection. needless to say i either faced prosecution or my internet was gone. * permalink * embed * save * parent * report * give award * reply [-]Hoodfu 5 points6 points7 points 6 hours ago (3 children) They're just people. There's a reason why most of their arrests are entrapment based, because that's mostly what they're capable of pulling off. Various documentaries follow FBI agents who made some big score, and 3/4 of it was easily handed to them and then a bunch of agents in a room brainstormed for a bit. 
[-]rlanthony 21 points 11 hours ago
Yeah, that's like 1000% more technical than I'd send to anyone.

[-]Xalenn 21 points 8 hours ago
The most obvious BS is them telling you who it is, and that they're secretly working with them. No way they would give that info out, especially in a cold email like this.

[-]playaspec 15 points 5 hours ago (edited)
That reads like some absolute bullshit.

$ nslookup 153.31.119.142
142.119.31.153.in-addr.arpa  name = mx-east-ic.fbi.gov.

~~Are you suggesting that the FBI's mail server is compromised and sending phishing emails?~~ Well, THIS is embarrassing: "FBI Email System Reportedly Hacked to Send Fake DHS Cyberattack Messages"

[-]wells68 73 points 16 hours ago
Red flags: sophisticated chain / huge chance / proxies trough / multiple global accelerators / whom is believed ... need I go on?

[-]DymoPoly[S] 26 points 16 hours ago (edited)
Aware, but header looked ok.

Received: from mx-east-ic.fbi.gov ([153.31.119.142]:33505 helo=mx-east.fbi.gov) envelope-from

[-]Ishkabibblebab 22 points 9 hours ago
What I find interesting is it makes it look like the original email came from ic.fbi.gov - ic is the "high side" or top secret/SCI level systems. You don't ever send email from an ic server to any unclassified system. You go to the unclass system to send it.
[-]coyote_den (Cpt. Jack Harkness of All Trades) 4 points 6 hours ago
ic.gov is the domain used for JWICS but ic.fbi.gov is not. If I had to guess, their JWICS domain would be fbi.ic.gov. There are unclassified intelligence community (IC) resources on NIPRNet/internet and they might use a domain like this.

[-]mclarty 3 points 5 hours ago (edited)
Yeah, I had the same reaction the first time I got an email from an ic.fbi.gov address. I was like "how did this thing get to me?". FWIW ... fbi.ic.gov resolves. ~~Probably a honeypot that NSA is staring at all day.~~ Every ic.gov site resolves to the same IP.

[-]Ishkabibblebab 3 points 3 hours ago
You know what, I think you're right - it's been a number of years since I worked in the intel community so the ic part immediately stuck out to me, but now that I think about it the domains are formatted org.ic.gov and not ic.org.gov.

[-]St_Meow (DevOps) 3 points 6 hours ago
https://twitter.com/proofofwork1/status/1459560481446842374?s=20
It used to be used for unclass emails as well but they dropped that a while ago.

[-]TumsFestivalEveryDay 4 points 8 hours ago
The FBI wouldn't ever merely email you for something this severe.

[-]DymoPoly[S] 2 points 7 hours ago
Yes that's the assumption, but it IS from them. That was the issue.
[-]BifronsOnline 3 points 3 hours ago
Seriously. This email was tech word-salad. It was a giant paragraph and said basically nothing. Lots of sysadmins need to get some critical thinking skills, quick.

[-]TechSalad 55 points 15 hours ago
We got it too (we're a local government org). I read it and went "BS--this is spam." Then checked the headers more closely and went "uh...FBI got hacked?" This will be fun to watch play out.

[-]BickNlinko (Everything with wires and blinking lights) 61 points 15 hours ago
Bro, TheDarkOverlord has your nodes in his crosshairs. You better get ready to reconfigure your conflux points so you don't get hit with a hydra from the Gibson, then you'll be in deep shit, bro. -ZeroCool

[-]DymoPoly[S] 22 points 15 hours ago
We're going to hyperspace maaan.

[-]BickNlinko (Everything with wires and blinking lights) 14 points 15 hours ago
Straight to plaid.

[-]Floris 36 points 13 hours ago
Yep, woke up to this thinking it's fake and clicked spam and turned around in bed. Then realised that I noticed it showed as authenticated. I do run some services and thought it was worth a second glance over. Checked the IP, checked the header of the email .. yeah, seems legit. Read the email: yeah no, can't be legit. Searched r/sysadmin and found this thread. So thank you; it helped confirm I can stay in bed. Ha! It doesn't happen too often that you get an email from the feds about some threat.

[-]sayhitozach 23 points 15 hours ago
Received this as well. It's worded so over the top that it instantly comes off as fake, but then you look at the headers and think "wait....what..?" Shout out to those who pointed out that mxtoolbox link, didn't even think to check that. I submitted this to CISecurity as well, hoping they can verify, reach out to those at the FBI who need to know, and maybe update its members. I can usually spot a fake email fairly quickly, but this one was so bizarre with no links and seemingly just information.

[-]Tritanium 17 points 16 hours ago (edited)
I got this exact email too and it seems weirdly worded to be coming from the FBI.
edit: removed a question about SPF, DMARC, and DKIM

[-]Inner-Wall5937 4 points 16 hours ago
It's coming from FBI....

[-]thedaveking (Sysadmin) 16 points 15 hours ago
I got this exact message to an 18 month old email hosted on Gmail. This address doesn't get much spam or social engineering so it stands out. A little worried because I recently linked it to Mimestream. Header and body checks all pass both mxtoolbox and Google toolbox analyzers and it really came from what looks like an actual FBI IP address, unless maybe it was injected directly into my mailbox with bogus headers. But the content is obviously bogus. They don't mention anything verifiable about my infrastructure, but do share who the attacker is? Sure, OK.
[-]DymoPoly[S] 8 points 15 hours ago
Is the address tied to a domain registration maybe? And yeah, the email looks like an obvious fake at first, but then...

[-]thedaveking (Sysadmin) 6 points 15 hours ago
Yep it's on the registrations for a couple domains but they have the privacy enabled. So I think registrars can read it. But I've given this email out enough I'm not shocked criminals would have it. It's just that once I saw the message passed all the headers and body checks I got a bit paranoid for a minute.

[-]klaineranfange 15 points 13 hours ago
Biggest red flag is that they appear to care. I'm not a sysadmin, but have worked in the gov for a while, and they don't care enough to email you about vulnerabilities. They announce through a press release statement, usually by a senior leader if there is something they want you to know. Also, they use general language unless the issue has already been fixed.

[-]coyote_den (Cpt. Jack Harkness of All Trades) 2 points 6 hours ago
Either they don't care, or they care enough they wouldn't rely on email to contact you. Or they just patch it themselves!

[-]Nihilist_Servo 10 points 11 hours ago
Coming from compromised FBI/DHS infra
https://twitter.com/spamhaus/status/1459450061696417792?t=wYGLRTsSSGtQcNlOvgkoVg&s=19

[-]FudgeeO98 29 points 15 hours ago
I'm not a sysadmin, I only have a homelab... and I got this email on my Gmail account. I love this sub. Oh, I'm not even American. FBI gonna need to check some logs!

[-]pixelcontrollers 8 points 16 hours ago
Sounds like the FBI got psychologically hacked.

[-]kookieman6 9 points 9 hours ago
QUICK! They might blackhole our intelligence nodes through fastflux tech! Whoever wrote this could have done better. They already managed to make it come from an FBI email lol.

[-]_Dadministrator_ 7 points 10 hours ago
God bless Reddit. I got this email and reported it to our SOC immediately. Our email was identical.

[-]ender-_ 9 points 9 hours ago
FBI e-mail infrastructure has been compromised: https://twitter.com/GossiTheDog/status/1459451749811593219

[-]Mundane_General_6549 22 points 16 hours ago
Got it as well. Passed through MS 365 mailboxes. Looks like the FBI was compromised.

[-]ImmunityBadger 18 points 16 hours ago
A DHS email would surely come from a dhs.gov email and not fbi.gov considering the FBI falls under DOJ, an entirely different department.

[-]DymoPoly[S] 6 points 16 hours ago
Yeah I don't know, but this is from:
Received: from mx-east-ic.fbi.gov ([153.31.119.142]:33505 helo=mx-east.fbi.gov) envelope-from

[-]Mr_Bish 8 points 8 hours ago
It seems like retaliation. Troia's company Night Lion Security put out a very detailed report on the identity of The Dark Overlord. They even made an infographic: https://nightlion.com/blog/2021/infographic-thedarkoverlord-shinyhunters/
Full report: https://nightlion.com/blog/2020/the-dark-overlord-cyber-terrorist-investigation/

[-]eye_gargle 18 points 12 hours ago
This is interesting. Vinny Troia recently called out some guy on Raidforums in a Twitter post. 4 hours later you get this email with his name on it. Seems like some sort of weird troll more than a phishing attack. IDK, maybe both.

[-]dudoor (admin) 7 points 16 hours ago
We received this as well tonight. Have our managed protection company looking at our logs/traffic to see if they can confirm anything.

[-]DymoPoly[S] 19 points 16 hours ago
It's looking like the FBI needs to check their logs...

[-]jordanl171 6 points 8 hours ago
FBI has an unpatched Exchange server.

[-]fuzzylogic_y2k 5 points 3 hours ago
Having been on the receiving end of an FBI notification like this: they call.

[+]zingzing175 5 points 15 hours ago
Just got this as well.

[+]ravioliisgood 5 points 15 hours ago
Also got this. Has everyone here ever reported any type of ransomware, phishing or fraud to the FBI through their online portal? Maybe a database of all emails who have submitted received this email.
[-]greenstarthree 4 points 14 hours ago
At least they can watch everyone react to it through their webcams.

[-]flomoloko 6 points 7 hours ago
Kinda disappointed. Didn't get the email..

[-]AmatureMD 4 points 15 hours ago
I just received the same thing. It set off enough spidey sense to start googling.

[-]HeadStew 4 points 14 hours ago
The dude mentioned in the spam has a YouTube channel https://incogtube.com/channel/UC3oLfbN6HpQCTV-IHzyJrvQ

[-]Fancy-Strepsils 11 points 14 hours ago
Yeah because he's a well known and respected cyber security researcher. This is basically the criminals' way of saying 'fuck the police'.

[-]vabello (IT Manager) 5 points 11 hours ago
"This is the FBI. We will start a case investigating... wait... the call is coming from INSIDE THE HOUSE!!"

[-]No_Dream_11 4 points 10 hours ago
Got this on a dead business email too. It's gotta be bogus.

[-]jlick 4 points 10 hours ago
I got this several hours ago, had a chuckle at what nonsense it was but was on my phone and couldn't check headers. Came home and finally checked the headers and it damn well looked like it came from the FBI itself. Although others have reported it failing verification, the message I received has full SPF, DMARC and DKIM verification. On mxtoolbox I get:
DMARC Compliant
SPF Alignment
SPF Authenticated
DKIM Alignment
DKIM Authenticated
Full report: https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=9e1d10b6-cc6d-4cb3-bda7-9adaf9ea78b7
Remember, for full verification you need to paste both headers AND body despite the directions to only paste headers.

[-]jlick 4 points 9 hours ago
Had a few extra thoughts... Maybe the IP doesn't belong to the FBI... nope, registered in ARIN to them and forward and reverse DNS all match up. If it didn't come through the FBI, the sender must've hijacked the FBI's network routing and DNS server or the signing keys, all of which seems a lot less likely than a hack of an email server.

[-]Fair_Pomegranate5829 8 points 16 hours ago
We tried to blackhole the transit nodes. I am a noob and that sounds like BS.

[-]Selfish_Development_ 10 points 15 hours ago
You can black hole routes on a transit. If I don't want your network in my network? On my edge / transit router:
ip route x.x.x.x 255.255.0.0 null0
Your network is now being blackholed in my network.

[-]kookieman6 2 points 9 hours ago
I blackhole subnets all the time. But the context made me chuckle. A blackhole is a route; no "fastflux technology" is going to just magically jump over a route in a routing table lol.

[-]Lshrsh 3 points 15 hours ago
Just received this as well.

[-]smellycoat 3 points 11 hours ago
Got this overnight. Came in to an address published in Whois records for one of our domains which normally gets a ton of lazy spam. But it looks like it really came from the FBI's mailservers even though the content is complete nonsense! Very weird!

[-]ResponsibleContact39 3 points 9 hours ago
In my experience, if it was truly the FBI contacting you, the contact would be an agent from a local branch office, and it would be over the phone since if they know your email address and job title, they also know your phone number.

[-]anonymous_commentor 3 points 9 hours ago
Newsweek is reporting that this is a case of a hacked server at the FBI or something like that: https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberattack-messages-1648966

[-]BrightSign_nerd (Sysadmin) 3 points 8 hours ago
"...however there is a huge chance..." As soon as I saw the word "huge", I knew it was complete bullshit and didn't need to read any further. No need to waste any more brainpower or time on that one.
[-]WilliamBarnhill 3 points 8 hours ago
I suggest you report this through the appropriate channels via:
https://us-cert.cisa.gov/forms/report
https://www.ic3.gov/Home/ComplaintChoice
While this is almost certainly bogus, as well as lame, appearing to come from government servers raises the level of seriousness. This could be viewed as impersonating an FBI agent. Please report it so they can act accordingly.

[-]wgu-bb 3 points 7 hours ago
The header looks so good, but the email body looks so bad.

[-]jcpham 3 points 7 hours ago
It sounds to me like the FBI has a secret list of ARIN/Whois contacts - domain privacy be damned - and someone is trying to sound the alarm /tinfoil

[-]The_Original_Miser 3 points 6 hours ago
That's a lot of word salad to be legit....imho

[-]Computer_Dad_in_IT 3 points 5 hours ago
I can tell you from experience, if the FBI has any concern about malicious actors trying to infiltrate your network, they don't send an email. They just show up and ask to speak to the technology/info sec group.

[-]crshovrd 4 points 14 hours ago
Sounds like Vinny and TheDarkOverlord go way back. What a pair.

[-]ph0b0ten 5 points 11 hours ago
It's spam
https://mobile.twitter.com/spamhaus?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor
https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberattack-messages-1648966?amp=1

[-]PE1NUT 19 points 10 hours ago
Newsweek quotes Reddit as a source, Reddit quotes Newsweek as a source.

[-]SirArthurPT 7 points 16 hours ago
What a lame piece of crap! Looks like whoever managed to hack FBI's server has been watching too much Star Trek or other sci-fi movies! "Blackhole the traffic", "fastflux"... What about zero point energy?

[-]RespektMaAuthoritah 11 points 16 hours ago
I think we should be much more concerned that the FBI got hacked and ignore the nonsense in the email.

[-]WellMakeItSomehow 6 points 10 hours ago
Those are real terms:
https://en.wikipedia.org/wiki/Black_hole_%28networking%29
https://en.wikipedia.org/wiki/Fast_flux

[-]Inle-rah 3 points 16 hours ago
Don't talk about zero point energy in public clearance paradigms, rookie.

[-]primeski 2 points 15 hours ago
Thanks for this post, I got it as well.

[-]eproteus 2 points 11 hours ago
I got one too. Where indeed did they get these email addresses? I'm the only one in the company who got it, and I happen to have the most responsibility for "virtualized clusters" or the like. Coincidence?
[-]hotdog114 2 points 10 hours ago
This reads like the Architect's speech in Matrix 3, which is all about trying to blind with science. Which is an odd thing to do if you're targeting highly skilled people who do understand what they're doing.

[-]vl-chris 2 points 9 hours ago
This sounded way too smart to be coming from a government agency. Someone went ham in the "cool hacker words" dictionary.

[-]otpw 2 points 9 hours ago
How would I block this from coming in, using the headers, so we don't receive any tickets?

[-]bitslammer (Security/ISRM) 2 points 9 hours ago (edited)
In my experience they don't email if there's something serious, they show up in person.

[-]hosalabad (A toothless cog spinning freely in the machine.) 2 points 9 hours ago
Lol send an agent to the front desk with ID, kthx.

[-]lpa2020 (Security Admin) 2 points 8 hours ago
The FBI's mail infrastructure may have been compromised. Sources:
https://twitter.com/spamhaus/status/1459450061696417792?s=20
https://mobile.twitter.com/gossithedog/status/1459451749811593219

[-]munchmo 2 points 8 hours ago
Why is Homeland Security sending email from an FBI domain?
[-]murty_the_bearded (Sysadmin) 2 points 7 hours ago
Got this overnight as well, hell of a thing to read half awake on your phone. It came to us over an email distribution list I didn't even know existed, something a previous admin must have set when registering our domain. That was my first tip off something was amiss. Newsweek has a little blurb on it now, though I don't think there's really any new or different information than what folks have already covered in this thread: https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberattack-messages-1648966
Glad I did a little more research and found this thread before hitting the panic button.

[-]Wolfeh2012 2 points 7 hours ago
Independent verification. If they're contacting you, you should attempt contacting them through official channels to verify their authenticity before making any changes.

[-]murzeig 2 points 6 hours ago
Fake as fuck. I've dealt with the feds and USAF a few times for cyber crime and the communication style reads nothing alike. Your email reads like a total scam using lots of technical jargon to inflate the importance of the email.
[-]ExperienceKnown 2 points 5 hours ago
https://www.reddit.com/r/sysadmin/comments/qt3360/fbi_email_domains_hack_and_spam_inbound/

[-]mixduptransistor 2 points 4 hours ago
Number one clue this is fake: the FBI is not part of the Department of Homeland Security, it is an agency of the Department of Justice.

[-]Throwaway384616181 2 points 1 hour ago
Tip for anyone fielding emails from alphabet soup agencies: they will never contact you from an ic.gov domain. Also, the order in the domains is wrong here; the top level domain would be ic.gov and the agency would have a subdomain.

[-]Inner-Wall5937 5 points 16 hours ago
Run the header through https://mxtoolbox.com/EmailHeaders.aspx and you will see the issues. It's fake....

[-]Masiosare 13 points 13 hours ago
The headers pass DKIM and SPF. The email is obviously fake, but it came from an FBI server.

[-]thedaveking (Sysadmin) 11 points 15 hours ago
It's definitely faked somehow but on my copy all checks pass, including DKIM checks on the body content.

[-]DymoPoly[S] 5 points 16 hours ago (edited)
v=DMARC1; p=reject; rua=mailto:dmarc-feedback@fbi.gov,mailto:reports@dmarc.cyber.dhs.gov; ruf=mailto:dmarc-feedback@fbi.gov; pct=100
Received: from mx-east-ic.fbi.gov ([153.31.119.142]:33505 helo=mx-east.fbi.gov) envelope-from
DKIM signature fails. But boy oh boy.
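The checks several people in this thread ran by hand (playaspec's nslookup of 153.31.119.142, jlick's forward/reverse DNS and ARIN check, the fbi.gov DMARC record and Received header quoted just above) reduce to a few mechanical steps. The Python below is an added example, not code posted by anyone in the thread: it parses the two Received headers quoted on this page, applies a forward-confirmed reverse DNS (FCrDNS) check against a constructed in-script stand-in for DNS, and evaluates DMARC identifier alignment for the posted record. The header From: domain and the SPF/DKIM identifiers passed to dmarc_verdict are assumptions (the page shows the record and the relaying host, not those), and the A record in FAKE_DNS is assumed to mirror the posted PTR. The point it makes is the one the thread keeps circling: "DMARC Compliant" binds the message to fbi.gov's sending infrastructure and says nothing about the body.

```python
"""Added example (not from the thread): why an email can pass SPF, DKIM and
DMARC and still be nonsense. Authentication vouches for the infrastructure
that relayed the message, never for its content."""
import ipaddress
import re

# Received lines exactly as posted in the thread (the envelope-from value
# of the first one is cut off on the page and is left that way here).
RECEIVED = [
    "Received: from mx-east-ic.fbi.gov ([153.31.119.142]:33505 "
    "helo=mx-east.fbi.gov) envelope-from",
    "Received: from dap00025.str0.eims.cjis ([10.67.35.50]) by "
    "wvadc-dmz-pmo003-fbi.enet.cjis with ESMTP/TLS/"
    "ECDHE-RSA-AES256-GCM-SHA384; 13 Nov 2021 05:55:04 +0000",
]
# fbi.gov DMARC record as posted by DymoPoly.
DMARC_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-feedback@fbi.gov,"
                "mailto:reports@dmarc.cyber.dhs.gov; "
                "ruf=mailto:dmarc-feedback@fbi.gov; pct=100")
# Constructed stand-in for live DNS so the script runs offline. The PTR is
# the nslookup answer playaspec posted; the matching A record is ASSUMED
# (jlick: "forward and reverse DNS all match up").
FAKE_DNS = {
    "PTR": {"153.31.119.142": "mx-east-ic.fbi.gov"},
    "A": {"mx-east-ic.fbi.gov": "153.31.119.142"},
}

HOP_RE = re.compile(
    r"from\s+(?P<name>\S+)\s+\(\[(?P<ip>[0-9.]+)\](?::\d+)?"
    r"(?:\s+helo=(?P<helo>[^\s)]+))?")


def parse_received(lines):
    """One dict per Received header: the name the client gave, the IP the
    receiving MTA actually saw, the HELO name if present, and whether the
    IP is RFC 1918 space (an internal hop behind the sender's own edge)."""
    hops = []
    for line in lines:
        m = HOP_RE.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        hops.append({"name": m["name"], "ip": str(ip), "helo": m["helo"],
                     "private": ip.is_private})
    return hops


def fcrdns(ip, dns=FAKE_DNS):
    """Forward-confirmed reverse DNS: PTR(ip) yields a name whose A record
    points back at ip. Private and unknown addresses simply fail."""
    name = dns["PTR"].get(ip)
    return name is not None and dns["A"].get(name) == ip


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict and insist on v=DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(fqdn):
    """Organizational domain, simplified to the last two labels. A real
    evaluator consults the Public Suffix List instead."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode="r"):
    """DMARC identifier alignment. Strict ('s') needs an exact match;
    relaxed ('r', the default) only the same organizational domain, which
    is why mx-east-ic.fbi.gov aligns with a From: at fbi.gov."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_verdict(record, header_from, spf_domain, dkim_domain,
                  spf_pass=True, dkim_pass=True):
    """DMARC passes if EITHER an authenticated SPF identifier or a DKIM d=
    domain aligns with the header From. Nothing here reads the body."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    return {"pass": spf_ok or dkim_ok, "policy": tags.get("p"),
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


if __name__ == "__main__":
    for hop in parse_received(RECEIVED):
        print(f"{hop['name']:28} {hop['ip']:16} private={hop['private']!s:5} "
              f"fcrdns={fcrdns(hop['ip'])!s:5} helo={hop['helo']}")
    # The From: domain and the SPF/DKIM identifiers are ASSUMED to be under
    # fbi.gov; the page shows the record and the relaying host, not these.
    print(dmarc_verdict(DMARC_RECORD, "fbi.gov", "mx-east-ic.fbi.gov", "fbi.gov"))
```

Run as a script it prints one line per hop: the external hop at 153.31.119.142 passes FCrDNS and its HELO (mx-east.fbi.gov) differs from its PTR only by the -ic label, while the 10.67.35.50 hop is RFC 1918 space, which is what max4186's reading below relies on. The final verdict line is the mxtoolbox result in miniature: aligned and p=reject, with the body never consulted.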
[-]Masiosare 9 points 13 hours ago
It doesn't fail. https://i.imgur.com/eKVpLbZ.png

[-]jlick 7 points 10 hours ago
Make sure to paste header AND body for verification. Not all checks will pass if the body is omitted. Also if the mail has been forwarded from its original destination that may also add extra stuff to make verification fail. The copy I received passed all verifications.

[-]nmmmnu 2 points 14 hours ago
Thanks. DKIM not authenticated. I know it is a scam, but it was so well made. They even found a hole so they can send from a "real" FBI IP address.

[-]martor01 4 points 13 hours ago
The Dark Overlord (also known as the TDO) is an international hacker organization which garners significant publicity through cybercrime extortion of high-profile targets and public demands for ransom to prevent the release of confidential or potentially embarrassing documents. In 2020, the group members became the feature of Hunting Cyber Criminals, a non-fiction book by cybersecurity author Vinny Troia (Wiley Books). In the book, Troia suggests the remaining group members are still at large and living in Calgary, Canada.[19] He also claimed that members of The Dark Overlord became part of ShinyHunters and GnosticPlayers.[20]
Maybe it's them lol

[-]LocoCoyote 3 points 16 hours ago
Fake

[-]DymoPoly[S] 6 points 16 hours ago
Any idea what the point would be? Also, what in our chain of email reception and/or from the FBI allowed this legit looking email domain through?

[-]max4186 9 points 15 hours ago
My guess is to make Vinny Troia look bad, seeing as he's a cyber security researcher who is being painted as a criminal in the email. I am fairly confident that it was sent directly from the FBI, from a local device that was compromised, based on this local IP:
Received: from dap00025.str0.eims.cjis ([10.67.35.50]) by wvadc-dmz-pmo003-fbi.enet.cjis with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Nov 2021 05:55:04 +0000

[-]RespektMaAuthoritah 2 points 16 hours ago
Have seen it too. Headers are from FBI named servers.

[-]JohnWick (BOFH (+tth_tth)+Shan +-+ GET OFF MY LAWN) 2 points 13 hours ago
Whelp. I guess the FBI got hacked then.

[-]KnockKnockWT 2 points 12 hours ago
Does wvadc-dmz-pmo004-fbi.enet.cjis look odd to others? .cjis is not a TLD. Though they could have their own TLD.

[-]Buzzard 5 points 11 hours ago
Yeah it's a bit odd, but Google shows that it lines up with an internal domain name the FBI used in 2010. The email is fake, but it is being sent through FBI servers.