[neomutt-devel] spear phishing attack on me
Alejandro Colomar
alx at kernel.org
Wed Apr 9 11:51:06 CEST 2025
On Wed, Apr 09, 2025 at 11:47:45AM +0200, Alejandro Colomar wrote:
> Hi Serge,
>
> On Tue, Apr 08, 2025 at 11:14:52PM -0500, Serge E. Hallyn wrote:
> > On Tue, Apr 08, 2025 at 02:31:37PM +0200, Alejandro Colomar wrote:
> > > Hi everyone,
> > >
> > > I'm writing to the mailing lists of every project in which I have write
> > > permissions: shadow, linux-man, and neomutt. I also CCed maintainers,
> > > LWN, and my contact in the Linux foundation. In BCC is my contact from
> > > Google for my sponsorship, which might be of help, and also another
> > > friend from Google.
> > >
> > > Last week someone reported to me a vulnerability in shadow utils. It
> > > was a real vulnerability, although something relatively unimportant
> > > (needs physical presence of the attacker, or a way to read memory of a
> > > setuid-root program --which means they probably already own the
> > > system--). In fact, we kind of knew its existence already, and I've
> > > been working on mitigating it, and we've discussed it in the project.
> > >
> > > The report seemed legitimate in the beginning, although I was suspicious
> > > that it was only sent to me (I'm involved in the project, and am the
> > > main contributor by number of commits, but Serge and Iker are the
> > > maintainers (I maintain the stable branches only), and the guidelines
> > > say they should have been CCd), but that's something that could happen,
> > > so I continued discussing the vulnerability with this person. In my
> > > responses, I added to CC the co-maintainers. When this person replied
> > > to me, it removed the co-maintainers from CC, which again is suspicious,
> > > but is something that could happen.
> > >
> > > This person tried to get me to open a couple of PNG files, supposedly showing
> > > an exploit for the vulnerability. Of course I didn't open any of them.
> > > I replied asking for a text-based alternative, because it would be
> > > ironic that talking about vulnerabilities I would have to open
> > > "unnamed.png" and "unnamed-1.png". The person didn't reply again, which
> > > to me was the confirmation that it was an attack, and they realized they
> > > got caught.
> >
> > (Had asked this previously privately, but this seems worth discussing
> > publicly) Would be great to analyze the images.
>
> Yup; I'm attaching the mail containing the suspicious images to this
> message. The mail is contained in a compressed tarball signed and
> armored, to make it more difficult to accidentally open the images
> (MUAs open them carelessly if they can, in some cases).
Oops, I forgot to actually attach it. Hopefully fixed this time. :)
>
> I created the tarball with:
>
> $ tar czf ~/Downloads/suspicious_mail.tar.gz cur/1743721130.26271_1.devuan,U=7595:2,RS;
> $ gpg --armor --sign ~/Downloads/suspicious_mail.tar.gz;
>
> It can be opened this way:
>
> alx at devuan:~/Downloads/sus$ ls
> suspicious_mail.tar.gz.asc
> alx at devuan:~/Downloads/sus$ gpg --output sus_mail.tar.gz --verify suspicious_mail.tar.gz.asc
> gpg: Signature made Wed Apr 9 02:06:19 2025 CEST
> gpg: using RSA key 4BB26DF6EF466E6956003022EB89995CC290C2A9
> gpg: Good signature from "Alejandro Colomar <alx at alejandro-colomar.es>" [ultimate]
> gpg: aka "Alejandro Colomar <alx at kernel.org>" [ultimate]
> gpg: aka "Alejandro Colomar Andres <alx.manpages at gmail.com>" [ultimate]
> alx at devuan:~/Downloads/sus$ ls
> sus_mail.tar.gz suspicious_mail.tar.gz.asc
> alx at devuan:~/Downloads/sus$ gunzip --keep sus_mail.tar.gz
> alx at devuan:~/Downloads/sus$ ls
> sus_mail.tar sus_mail.tar.gz suspicious_mail.tar.gz.asc
> alx at devuan:~/Downloads/sus$ tar tvf sus_mail.tar
> -rw------- alx/alx 31193 2025-04-04 00:58 cur/1743721130.26271_1.devuan,U=7595:2,RS
> alx at devuan:~/Downloads/sus$ tar xf sus_mail.tar
> alx at devuan:~/Downloads/sus$ ls
> cur sus_mail.tar sus_mail.tar.gz suspicious_mail.tar.gz.asc
> alx at devuan:~/Downloads/sus$ ls cur/
> '1743721130.26271_1.devuan,U=7595:2,RS'
> alx at devuan:~/Downloads/sus$ grep -r From: cur/
> cur/1743721130.26271_1.devuan,U=7595:2,RS:From: Mahdi Hamedani Nezhad <hamedaninezhadmahdi at gmail.com>
>
>
> Have a lovely day!
> Alex
>
> > Of course it *is* always possible (unless you've found even more
> > evidence to the contrary) that the reporter is legit and just...
> > awkward. Google does come up with a "security researcher" by that
> > name. So I wouldn't go whole-hog on the witch hunt just yet, but
> > the whole thing definitely is fishy.
> >
> > > I don't know why exactly they targeted me, but I assume it's because of
> > > my involvement in one of these projects, so maintainers of these
> > > projects should be especially careful these days, in case they try
> > > another vector.
> > >
> > > As for me, if anyone tries to impersonate me, please make sure it's me.
> > > I almost always sign my email and *always* sign my git commits with my
> > > PGP key. If in doubt, please verify it's me. I have never changed my
> > > PGP master key, and keep it almost always offline, so that should
> > > ultimately be the way to know it's me. The key was certified by Michael
> > > Kerrisk, and he knows me physically, in case we ever need to verify (say
> > > if my master key ever is stolen and I need to revoke it). This attack
> > > was unsuccessful, but if I'm a target of interest, they might succeed in
> > > another attack. Don't trust me too much.
> > >
> > > As for the attacker, I've reported to Google via
> > > <https://support.google.com/mail/contact/abuse>, although I'm not sure
> > > if they'll do much. It would be interesting to learn the IP of the
> > > owner of the account, and if it used a VPN to connect to gmail, if it
> > > tried to attack any other people, and any other patterns that might be
> > > useful to learn who is interested in this attack. Maybe my contact at
> > > Google can talk to people within Google to investigate this further. Or
> > > maybe some of you know someone at Google that can help investigate this.
> > > The attacker is "Mahdi Hamedani Nezhad <hamedaninezhadmahdi at gmail.com>".
> > > I presume this is a false name, trying to impersonate someone; I assume
> > > no one would try to attack someone else using their real name. There's a
> > > real person with that name --or so it seems in LinkedIn--, who is a
> > > security researcher in Iran.
> > >
> > >
> > > Have a lovely day!
> > > Alex
> > >
> > > --
> > > <https://www.alejandro-colomar.es/>
> >
> >
>
> --
> <https://www.alejandro-colomar.es/>
--
<https://www.alejandro-colomar.es/>
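The triage step described in the thread (looking at what the suspicious attachments are without letting a MUA render them) can be scripted. This is an added example, not code from the thread or from any of the projects named in it; the message it parses is constructed inline with made-up addresses, since the real mail only exists in the signed tarball, and the magic-byte table is a small assumed subset.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Leading bytes expected for the content types an attachment may claim
# (assumed subset; extend as needed).
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF-",
}


def build_sample() -> bytes:
    """Constructed stand-in for the suspicious mail: two parts declared as
    image/png, the second of which does not carry a PNG signature."""
    msg = EmailMessage()
    msg["From"] = "Reporter <reporter@example.invalid>"
    msg["To"] = "maintainer@example.invalid"
    msg["Subject"] = "vulnerability report"
    msg.set_content("Screenshots of the exploit are attached.")
    msg.add_attachment(MAGIC["image/png"] + b"\x00" * 32,
                       maintype="image", subtype="png", filename="unnamed.png")
    msg.add_attachment(b"GIF89a" + b"\x00" * 32,
                       maintype="image", subtype="png", filename="unnamed-1.png")
    return msg.as_bytes()


def triage_attachments(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and describe each attachment without
    rendering it: name, declared type, size, SHA-256, and whether the
    first bytes agree with the declared type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        expected = MAGIC.get(declared)
        attachments.append({
            "filename": part.get_filename(),
            "declared_type": declared,
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            # Also False when the declared type is not in MAGIC: unknown, so flag it.
            "magic_matches": expected is not None and payload.startswith(expected),
        })
    return {"from": str(msg.get("From", "")), "attachments": attachments}


if __name__ == "__main__":
    report = triage_attachments(build_sample())
    print("From:", report["from"])
    for a in report["attachments"]:
        flag = "ok" if a["magic_matches"] else "MISMATCH"
        print(f"{a['filename']}: {a['declared_type']} {a['size']}B {flag} {a['sha256'][:16]}")
```

Run it against a file extracted from the tarball by passing the file's bytes to `triage_attachments`; a mismatch between declared type and leading bytes is a reason to keep the part out of any viewer.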
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suspicious_mail.tar.gz.asc
Type: application/pgp-keys
Size: 21946 bytes
Desc: not available
URL: <https://mailman.neomutt.org/pipermail/neomutt-devel-neomutt.org/attachments/20250409/273621ea/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://mailman.neomutt.org/pipermail/neomutt-devel-neomutt.org/attachments/20250409/273621ea/attachment.sig>