home.social

#maliciousactor — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #maliciousactor, aggregated by home.social.

  1. Ok, this is interesting and it's confusing. The domain hungerrush.com is not affiliated with any of my domains. The only similarity is that we both use Cloudflare. But this is coming to my personal email domain. DNSlytics doesn't show anything out of order for hungerrush.com and their DNS servers are not my DNS servers so it's not like Cloudflare has accidentally mixed our accounts. Also not sure how or why this was accepted by #MailCow when the SPF records for the domain clearly do not list the IP address of the mail server that sent this to me as being valid. #hacking #MaliciousActor #ThreatActor #email #threats

    Return-Path: <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>
    Delivered-To: [email protected]
    Received: from mc01.bofhcorp.com ([fd4d:6169:6c63:6f77::e])
            by 4d492a470590 with LMTP
            id ePC8ETjOp2k40BwA8UTzlA
            (envelope-from <bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com>)
            for <[email protected]>; Wed, 04 Mar 2026 01:16:24 -0500
    X-Original-To: [email protected]
    Received: from o8.e.hungerrush.com (o8.e.hungerrush.com [159.183.101.69])
            (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
             key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
            (No client certificate requested)
            by mc01.bofhcorp.com (Postcow) with ESMTPS id CA5B83F7C7
            for <[email protected]>; Wed,  4 Mar 2026 01:16:22 -0500 (EST)
    Authentication-Results: mc01.bofhcorp.com;      dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM;        spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com";    dmarc=pass (policy=quarantine) header.from=hungerrush.com
    Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=ellenburg.email;
            s=dkim; t=1772604983;
            h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
             to:to:cc:mime-version:mime-version:content-type:content-type:
             dkim-signature; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=;
            b=DauNC+S6ttdO/quZoBv0L089Gbgb0LvdV7nODvq5YhJnH1auSFd06y1oxdCooyZkX8SWnM
            MEU+0j5NHJFhYJ42EktQhZEswJQgFTt1KuoVHnsqmNrXTeT1tmXdyboARXMA+vR4xNylrL
            BmEetbNPCOr63tzqNaFDSnJ3FOX5NF0fQoKtBKhNgo4JRR8zt4UfSA2UBMBUJQN6u8nYgo
            Ehw5r+S/3dUQFjty1iBGiHCkRSUsg1swgOHBVr/4LNxFyUli1T6U8cx+1pkQ7+yLUwhdzy
            rLPsJQg48Vi0MhM4RGMm/VXISY47jJ9QwzSpvqN0cilIX5xK8CwQcRsEwT/z3A==
    Arc-Authentication-Results: i=1;
            mc01.bofhcorp.com;
            dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM;
            spf=pass (mc01.bofhcorp.com: domain of "bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" designates 159.183.101.69 as permitted sender) smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com";
            dmarc=pass (policy=quarantine) header.from=hungerrush.com
    Arc-Seal: i=1; a=rsa-sha256; d=ellenburg.email; s=dkim; cv=none; t=1772604983;
            b=XgkqoDAX6WgAOrkYbxC1iSMvL3Y8BNYAmWV0zc4+qnmFOIXZk/F5Lah+JGjpq0J1bplLw4
            +ctYOFPsiT/hRipThKyqAQKg8tbepc2WHhDfMfx0ZIBQ1pvSPLprPxXNWxShf1BGzYsk/p
            w43+BjfHPBaTUjfh33bRq9n+muIgQZWb0IrE3j3IxaQqbPH4gNGy3PRSQeJ0h8d+H2LDcz
            Ww33NM3dr46k9zG8G9zCz01UsQliOfyccWEBeEaZvKAOLRd8GJ9mVq0RdHaYx0OD7CAPCB
            oU3OVtXHM6BkaljOmSpBYG+bMf0FELppgF3Xh3kxjZqDp6T9ILy/MDF0C5qSLg==
    Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hungerrush.com;
            h=content-type:date:from:mime-version:subject:to:cc:content-type:date:
            from:subject:to;
            s=s1; bh=3OmNKI/mpxlfrxxqyS2f3WGBsqm4mduaJHUdqKevnhU=;
            b=rUHDecOMPHV2uRHVRS0QWXTT+DvTlfnrkdErDM9S70AwIj6KcAGTRyXZ7HWShgumJh6C
            ZsLMIfaTz18zNbjmNvBnpTrFu53vh/91UsRE77gNqjXqcEZ1+GgyODFGuksZXJII5MGOmX
            kPjd7aoLNGV8IoW1vIJFeNFhn+V+V+Mqe8KZjDEYOS4vwhtYDZcLrEM1ycDSAwjxQXZQjo
            jhoKUzn0eMiJwAbZ+pv6rOFPboWo1TrML56rf2GnFaxzx02OzSzvtNW8zymZo+A91KcDBc
            CMBzB0a+gH4jTqq7Nru7UXy7HzJs65WKmzi0oP+6om74zfPstkxZIOyOdx8SuZmg==
    Received: by recvd-78b965c8d8-zdgqr with SMTP id recvd-78b965c8d8-zdgqr-1-69A7CE26-1C
            2026-03-04 06:16:06.443112518 +0000 UTC m=+6594257.398878059
    Received: from MTU0Mjg0MjA (unknown)
            by geopod-ismtpd-14 (SG) with HTTP
            id R8ef3HgJSzKAWjTspVFOVg
            Wed, 04 Mar 2026 06:16:06.389 +0000 (UTC)
    Content-Type: multipart/alternative; boundary=756eec60870d3d536fbdd68742e52497a4b942240da0929eb9086137701f
    Date: Wed, 04 Mar 2026 06:16:20 +0000 (UTC) (03/03/2026 11:16:20 PM)
    From: [email protected]
    Mime-Version: 1.0
    Message-Id: <R8ef3HgJSzKAWjTspVFOVg@geopod-ismtpd-14>
    Subject: Important Security Concern
    X-Sg-Eid:
     u001.0C7K3f28Upwcc83Ki/sssUs41HbZm8V+OpCWByUHpnkIo3Cf3hm/pW0EfJzflgf36jw5Gp3JgFJ4tuWJQPsEAbcJU6UF8Ihcb1M62yBTRoE0vsUfZz2XJX+RWG3qaANKO1EBHzIuX62fzw1ozL1hsUCBi4ED9i/f8vMAlSBOsVfoeGi/Px3FbeZ5xedkeohgriOTDEtF5uvWrlpvLmUwmg==
    To: [email protected]
    X-Entity-Id: u001.GsWs5sr1vbo83iYQd0snJg==
    X-Last-Tls-Session-Version: TLSv1.3
    X-Rspamd-Queue-Id: CA5B83F7C7
    X-Spamd-Result: default: False [4.83 / 15.00];
            BAD_REP_POLICIES(2.00)[];
            IP_REPUTATION_SPAM(1.64)[asn: 11377(0.40), country: US(0.01), ip: 159.183.101.69(0.00)];
            URI_COUNT_ODD(1.00)[1];
            RBL_SENDERSCORE_REPUT_9(-1.00)[159.183.101.69:from];
            MV_CASE(0.50)[];
            MID_RHS_NOT_FQDN(0.50)[];
            FORGED_SENDER(0.30)[[email protected],[email protected]];
            MIME_GOOD(-0.10)[multipart/alternative,text/plain];
            MX_GOOD(-0.01)[];
            BAYES_SPAM(0.00)[22.47%];
            RCVD_TLS_LAST(0.00)[];
            R_DKIM_ALLOW(0.00)[hungerrush.com:s=s1];
            RCPT_MAILCOW_DOMAIN(0.00)[ellenburg.email];
            MIME_TRACE(0.00)[0:+,1:+,2:~];
            ARC_NA(0.00)[];
            RCPT_COUNT_ONE(0.00)[1];
            TO_MATCH_ENVRCPT_ALL(0.00)[];
            DMARC_POLICY_ALLOW(0.00)[hungerrush.com,quarantine];
            ARC_SIGNED(0.00)[ellenburg.email:s=dkim:i=1];
            ALIAS_RESOLVED(0.00)[];
            TO_DN_NONE(0.00)[];
            RCVD_COUNT_TWO(0.00)[2];
            TAGGED_FROM(0.00)[15428420-0e13-george=ellenburg.email];
            R_SPF_ALLOW(0.00)[+ip4:159.183.101.69];
            FROM_NO_DN(0.00)[];
            ASN(0.00)[asn:11377, ipnet:159.183.64.0/18, country:US];
            DKIM_TRACE(0.00)[hungerrush.com:+];
            MISSING_XM_UA(0.00)[];
            FROM_NEQ_ENVFROM(0.00)[[email protected],[email protected]]
    X-Evolution-Source: a61fb74e0da811eda3a3e4401e58eba051b5dcfa
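An added example, not part of the original post: a small parser for the `Authentication-Results` header shown above that reports which domain each check actually evaluated. SPF is evaluated against the envelope sender (`smtp.mailfrom`, RFC 7208), so the SPF record consulted is the one published for `em8199.hungerrush.com`, while DMARC compares that domain and the DKIM `d=` domain with the header From domain. The function names are this example's own, and `org_domain` is a simplifying assumption (last two labels) where real DMARC implementations use the Public Suffix List.

```python
import re

# Authentication-Results header copied from the post above (whitespace normalised).
AUTH_RESULTS = (
    'mc01.bofhcorp.com; '
    'dkim=pass header.d=hungerrush.com header.s=s1 header.b=rUHDecOM; '
    'spf=pass (mc01.bofhcorp.com: domain of '
    '"bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com" '
    'designates 159.183.101.69 as permitted sender) '
    'smtp.mailfrom="bounces+15428420-0e13-george=ellenburg.email@em8199.hungerrush.com"; '
    'dmarc=pass (policy=quarantine) header.from=hungerrush.com'
)

_COMMENT = re.compile(r"\([^()]*\)")  # parenthesised comments, no nesting
_PAIR = re.compile(r'([A-Za-z][\w.-]*)=("[^"]*"|[^\s;]+)')


def parse_authentication_results(value):
    """Return (authserv_id, {method: {"result": ..., property: value, ...}})."""
    # Comments can contain '=' (e.g. "policy=quarantine"), so drop them first.
    parts = [p.strip() for p in _COMMENT.sub(" ", value).split(";")]
    authserv_id, methods = parts[0], {}
    for part in parts[1:]:
        pairs = [(k.lower(), v.strip('"')) for k, v in _PAIR.findall(part)]
        if not pairs:
            continue
        (method, result), props = pairs[0], dict(pairs[1:])
        methods[method] = {"result": result.lower(), **props}
    return authserv_id, methods


def domain_of(address):
    """Domain part of an address, or the value itself if it is already a domain."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def org_domain(domain):
    """Assumption for this example: the organisational domain is the last two labels."""
    return ".".join(domain.split(".")[-2:])


def explain(value):
    """Report the domain each check used and whether it aligns with header From."""
    _, m = parse_authentication_results(value)
    dmarc = m.get("dmarc", {})
    from_dom = domain_of(dmarc.get("header.from", ""))
    report = {"header_from": from_dom, "dmarc_result": dmarc.get("result")}
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        info = m.get(method, {})
        dom = domain_of(info.get(prop, ""))
        ok = info.get("result") == "pass" and bool(dom) and bool(from_dom)
        report[method + "_domain"] = dom
        report[method + "_aligned_relaxed"] = ok and org_domain(dom) == org_domain(from_dom)
        report[method + "_aligned_strict"] = ok and dom == from_dom
    return report


if __name__ == "__main__":
    for key, val in explain(AUTH_RESULTS).items():
        print(f"{key:22} {val}")
```

For this message the SPF domain is the `em8199` subdomain, which aligns with `hungerrush.com` only under relaxed alignment, and the DKIM signature with `d=hungerrush.com` aligns exactly.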
