[neomutt-devel] spear phishing attack on me

Alejandro Colomar alx at kernel.org
Wed Apr 9 11:47:41 CEST 2025


Hi Serge,

On Tue, Apr 08, 2025 at 11:14:52PM -0500, Serge E. Hallyn wrote:
> On Tue, Apr 08, 2025 at 02:31:37PM +0200, Alejandro Colomar wrote:
> > Hi everyone,
> > 
> > I'm writing to the mailing lists of every project in which I have write
> > permissions: shadow, linux-man, and neomutt.  I also CCed maintainers,
> > LWN, and my contact in the Linux foundation.  In BCC is my contact from
> > Google for my sponsorship, which might be of help, and also another
> > friend from Google.
> > 
> > Last week someone reported to me a vulnerability in shadow utils.  It
> > was a real vulnerability, although something relatively unimportant
> > (needs physical presence of the attacker, or a way to read memory of a
> > setuid-root program --which means they probably already own the
> > system--).  In fact, we kind of knew its existence already, and I've
> > been working on mitigating it, and we've discussed it in the project.
> > 
> > The report seemed legitimate in the beginning, although I was suspicious
> > that it was only sent to me (I'm involved in the project, and am the
> > main contributor by number of commits, but Serge and Iker are the
> > maintainers (I maintain the stable branches only), and the guidelines
> > say they should have been CCd), but that's something that could happen,
> > so I continued discussing the vulnerability with this person.  In my
> > responses, I added to CC the co-maintainers.  When this person replied
> > to me, it removed the co-maintainers from CC, which again is suspicious,
> > but is something that could happen.
> > 
> > This person tried to get me to open a couple of PNG files, supposedly showing
> > an exploit for the vulnerability.  Of course I didn't open any of them.
> > I replied asking for a text-based alternative, because it would be
> > ironic that talking about vulnerabilities I would have to open
> > "unnamed.png" and "unnamed-1.png".  The person didn't reply again, which
> > to me was the confirmation that it was an attack, and they realized they
> > got caught.
> 
> (Had asked this previously privately, but this seems worth discussing
> publicly)  Would be great to analyze the images.

Yup; I'm attaching the mail containing the suspicious images to this
message.  The mail is contained in a compressed tarball signed and
armored, to make it more difficult to accidentally open the images
(MUAs open them carelessly if they can, in some cases).

I created the tarball with:

        $ tar czf ~/Downloads/suspicious_mail.tar.gz cur/1743721130.26271_1.devuan,U=7595:2,RS;
        $ gpg --armor --sign ~/Downloads/suspicious_mail.tar.gz;

It can be opened this way:

        alx at devuan:~/Downloads/sus$ ls
        suspicious_mail.tar.gz.asc
        alx at devuan:~/Downloads/sus$ gpg --output sus_mail.tar.gz --verify suspicious_mail.tar.gz.asc
        gpg: Signature made Wed Apr  9 02:06:19 2025 CEST
        gpg:                using RSA key 4BB26DF6EF466E6956003022EB89995CC290C2A9
        gpg: Good signature from "Alejandro Colomar <alx at alejandro-colomar.es>" [ultimate]
        gpg:                 aka "Alejandro Colomar <alx at kernel.org>" [ultimate]
        gpg:                 aka "Alejandro Colomar Andres <alx.manpages at gmail.com>" [ultimate]
        alx at devuan:~/Downloads/sus$ ls
        sus_mail.tar.gz  suspicious_mail.tar.gz.asc
        alx at devuan:~/Downloads/sus$ gunzip --keep sus_mail.tar.gz
        alx at devuan:~/Downloads/sus$ ls
        sus_mail.tar  sus_mail.tar.gz  suspicious_mail.tar.gz.asc
        alx at devuan:~/Downloads/sus$ tar tvf sus_mail.tar
        -rw------- alx/alx       31193 2025-04-04 00:58 cur/1743721130.26271_1.devuan,U=7595:2,RS
        alx at devuan:~/Downloads/sus$ tar xf sus_mail.tar
        alx at devuan:~/Downloads/sus$ ls
        cur  sus_mail.tar  sus_mail.tar.gz  suspicious_mail.tar.gz.asc
        alx at devuan:~/Downloads/sus$ ls cur/
        '1743721130.26271_1.devuan,U=7595:2,RS'
        alx at devuan:~/Downloads/sus$ grep -r From: cur/
        cur/1743721130.26271_1.devuan,U=7595:2,RS:From: Mahdi Hamedani Nezhad <hamedaninezhadmahdi at gmail.com>


Have a lovely day!
Alex

> Of course it *is* always possible (unless you've found even more
> evidence to the contrary) that the reporter is legit and just...
> awkward.  Google does come up with a "security researcher" by that
> name.  So I wouldn't go whole-hog on the witch hunt just yet, but
> the whole thing definitely is fishy.
> 
> > I don't know why exactly they targeted me, but I assume it's because of
> > my involvement in one of these projects, so maintainers of these
> > projects should be especially careful these days, in case they try
> > another vector.
> > 
> > As for me, if anyone tries to impersonate me, please make sure it's me.
> > I almost always sign my email and *always* sign my git commits with my
> > PGP key.  If in doubt, please verify it's me.  I have never changed my
> > PGP master key, and keep it almost always offline, so that should
> > ultimately be the way to know it's me.  The key was certified by Michael
> > Kerrisk, and he knows me physically, in case we ever need to verify (say
> > if my master key ever is stolen and I need to revoke it).  This attack
> > was unsuccessful, but if I'm a target of interest, they might succeed in
> > another attack.  Don't trust me too much.
> > 
> > As for the attacker, I've reported to Google via
> > <https://support.google.com/mail/contact/abuse>, although I'm not sure
> > if they'll do much.  It would be interesting to learn the IP of the
> > owner of the account, and if it used a VPN to connect to gmail, if it
> > tried to attack any other people, and any other patterns that might be
> > useful to learn who is interested in this attack.  Maybe my contact at
> > Google can talk to people within Google to investigate this further.  Or
> > maybe some of you know someone at Google that can help investigate this.
> > The attacker is "Mahdi Hamedani Nezhad <hamedaninezhadmahdi at gmail.com>".
> > I presume this is a false name, trying to impersonate someone; I assume
> > no one would try to attack someone else using their real name.  There's a
> > real person with that name --or so it seems in LinkedIn--, and is a
> > security researcher in Iran.
> > 
> > 
> > Have a lovely day!
> > Alex
> > 
> > -- 
> > <https://www.alejandro-colomar.es/>
> 
> 

-- 
<https://www.alejandro-colomar.es/>
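The triage the thread asks for (looking at what the attached mail actually carries, without letting a MUA or an image viewer render the files) can be done from a script. The block below is an added example, not code from the thread, from neomutt or from shadow: it constructs a sample message inline (addresses under example.invalid, three attachments named after the ones in the report), parses it with Python's standard email module, and for each file-bearing part records the declared type, size and SHA-256, sniffs the PNG signature, and walks the chunk list checking every CRC and counting bytes that follow IEND, the classic place for a PNG polyglot to park a second payload. Function names and the smuggled-bytes marker are illustrative.

```python
"""Offline triage of a suspicious mail's attachments.

Added example, not code from the neomutt thread: it builds a constructed
sample message inline, then inspects each attachment without handing it
to an image decoder.  All names here are illustrative.
"""
import email
import email.policy
import hashlib
import struct
import zlib
from email.message import EmailMessage

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def analyze_png(data):
    """Walk the chunk list of a PNG byte string without decoding pixels.

    Returns a dict: 'valid' is True only when every chunk CRC matches and
    nothing follows IEND; 'trailing' counts bytes appended after IEND.
    """
    if not data.startswith(PNG_MAGIC):
        return {"valid": False, "reason": "bad magic", "chunks": []}
    pos = len(PNG_MAGIC)
    chunks, bad_crc = [], []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            return {"valid": False, "reason": "truncated chunk", "chunks": chunks}
        # CRC covers the type field and the body, not the length field.
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            bad_crc.append(ctype.decode("latin-1"))
        chunks.append(ctype.decode("latin-1"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    else:
        return {"valid": False, "reason": "no IEND", "chunks": chunks}
    trailing = len(data) - pos
    return {
        "valid": not bad_crc and trailing == 0,
        "chunks": chunks,
        "bad_crc": bad_crc,
        "trailing": trailing,
    }


def triage_mail(raw):
    """Hash and type-sniff every file-bearing MIME part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None and part.get_content_maintype() == "text":
            continue  # the inline message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        entry = {
            "filename": filename,
            "declared": part.get_content_type(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "is_png": payload.startswith(PNG_MAGIC),
        }
        if entry["is_png"]:
            entry["png"] = analyze_png(payload)
        report.append(entry)
    return report


def _chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def make_png(trailing=b""):
    """Smallest well-formed PNG (1x1 grey pixel), optionally with bytes after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one 8-bit sample
    return (PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailing)


SMUGGLED = b"MZ\x90\x00 smuggled payload"  # constructed stand-in for hidden data


def build_sample_mail():
    """Constructed message with three 'PNG' attachments of differing honesty."""
    msg = EmailMessage()
    msg["From"] = "reporter@example.invalid"
    msg["To"] = "maintainer@example.invalid"
    msg["Subject"] = "vulnerability report"
    msg.set_content("See the attached screenshots for the exploit.")
    msg.add_attachment(make_png(), maintype="image", subtype="png",
                       filename="unnamed.png")            # clean
    msg.add_attachment(make_png(SMUGGLED), maintype="image", subtype="png",
                       filename="unnamed-1.png")          # data after IEND
    msg.add_attachment(b"#!/bin/sh\necho not an image\n", maintype="image",
                       subtype="png", filename="unnamed-2.png")  # wrong magic
    return msg.as_bytes()


if __name__ == "__main__":
    for entry in triage_mail(build_sample_mail()):
        print(entry)
```

To run it on the extracted maildir file from the thread instead of the constructed sample, pass `open(path, "rb").read()` to `triage_mail`; a clean PNG reports `valid: True` with `IHDR`/`IDAT`/`IEND` and no trailing bytes, while a file that merely claims `image/png` shows `is_png: False`. A PNG that passes this check can still carry a decoder exploit in a well-formed chunk, so the result is a triage signal, not a verdict.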