Suspicious email from “pulse <root@overlinux.com>”: malicious or just dumb?

September 10, 2025

I received this email this morning:

From: pulse <root@overlinux.com>
Subject: Hi. The helpful tool when top doesn't help.

Hello.

I'm also a linux kernel dev. Once I really faced with situation when top was not enough.
If you would like to know how your server or workstation behaves under heavy load - 
this software could be quite useful. You could set a quota (80% by default)
and all processes which go higher would be logged. It helps when you monitor
your pc for a long time (top provides too much output).
Here is the link:

https://overlinux.com/spike-monitor/

Please feel free to try!

Regards.

P.S. I'm sorry for a cold email. I'm the author of software. Ask me if you have questions or send me a mail for not 
bothering you again. Thanks!

Let’s talk about all the red flags here.

❌ It’s spam.

❌ It was sent from a DigitalOcean IP address with no reverse DNS record.

❌ It fails the SPF check for the domain it was sent from.

❌ It doesn’t have a DKIM signature.

❌ The domain doesn’t have a DMARC policy.

❌ The sender doesn’t identify themselves by name in this email or anywhere on their website. (A web search for an email address published on their website, “bearrailgun@gmail.com”, suggests that their name is “Andrii”.)

❌ The English in the email is poor. (Perhaps not surprising since “Andrii” is a Ukrainian name, but still a red flag.)

❌ The formatting of the email is poor (note that what you see is exactly what’s in the email; it’s a plain-text email with no HTML part).

❌ It was sent to an email address I don’t give out anymore and haven’t in many years.

❌ It’s an advertisement sent using a U.S. company’s infrastructure to a user in the U.S. in violation of the U.S. CAN-SPAM Act (e.g., sending company not identified; no mailing address provided; arguable whether “send me a mail for not bothering you again” constitutes valid unsubscribe instructions under the Act).

❌ The tool it’s purporting to sell is something a competent developer, if they needed it, could write a rough version of as a shell script in about half an hour, or a “clean” version in about twice that.

❌ The domain “overlinux.com” was registered in 2024 but there’s a blog posting on the web site claiming to be from 2022.

❌ The contact email address published on the home page of the website is different from the one published on the contact page.

❌ The one and only blog posting on the website has two obviously bogus comments on it.

❌ The “Recent Comments” section at the bottom of every page on the website is bizarrely broken:

Recent Comments

_Download now_ on _Check internet_
_More information_ on _Check internet_

The “Download now” link, which one would expect to be a link to the comment, is instead a link to some completely bizarre, irrelevant article on a different site, https://bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq.ipfs.dweb.link/wiki/Psychosocial_recovery.html.

❌ The “Check internet” link to the right of that “Download now” link, which one would expect to be a link to the article, is actually a link to the (bogus) comment.

❌ Similarly for the second “Check internet” link, and the “More information” link to the left of it points at another bizarre link on a different site, https://wikifreehand.com/sv/Psykisk_st%C3%B6rning.

❌ The Facebook button link in the website footer points at “https://www.facebook.com/wordpress”.

❌ The Twitter button link in the website footer points at “https://twitter.com/wordpress” (this is like shooting fish in a barrel).

❌ The Instagram button link in the website footer points at “https://www.instagram.com/explore/tags/wordcamp/”.

❌ The email button link in the website footer goes to the address “wordpress@example.com”.

❌ The Contacts page on the website lists a Skype handle (Skype does not exist anymore).

❌ The Telegram channel advertised on the website was apparently created June 17, has only three subscribers, has message retention set to 1 day, and (perhaps unsurprisingly given the message retention) has no visible messages in it.

❌ The website claims to be for a company that offers “Creating software for desktop, servers, embedded boards, hardware and software startups”, “Kernel hacking / Hacking, optimization, drivers creation, porting, migration. Inside-out,” and “Firmware for all platforms / Creating/modifying firmware for Openwrt, Android, Crypto miners, routers, embedded hardware boards,” but there is no evidence provided on the website that this entity has ever produced anything like that in the past.

❌ The “Spike Monitor” program offered for download on the website is a static binary Linux executable, with no source code available for examination.
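To make the “half hour in a shell script” point concrete, here is the rough version of such a spike logger as an added example; it is not the author’s code or the advertised tool, and it assumes a `ps` that accepts `-eo pid,pcpu,comm` (the QUOTA, LOGFILE and INTERVAL names and the sample input are my own):

```shell
#!/bin/sh
# Added example, not the advertised tool: a rough "spike logger" of the kind
# the post says a competent developer could write in a shell script.
# It samples `ps`, keeps only processes whose %CPU exceeds a quota, and appends
# them to a log with a timestamp, so a long-running box can be watched without
# reading all of top's output.

QUOTA="${QUOTA:-80}"             # percent; 80 is the default the email describes
LOGFILE="${LOGFILE:-spike.log}"  # where exceedances are appended
INTERVAL="${INTERVAL:-5}"        # seconds between samples

# filter_spikes QUOTA
# stdin: lines of "PID %CPU COMMAND", as printed by `ps -eo pid,pcpu,comm`
# stdout: one line per process strictly above QUOTA, prefixed with a UTC timestamp
filter_spikes() {
    awk -v q="$1" -v ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)" '
        NF >= 3 && ($2 + 0) > (q + 0) {
            printf "%s pid=%s cpu=%s cmd=%s\n", ts, $1, $2, $3
        }'
}

# One sample of the live system; the header line from ps is dropped by tail.
sample_once() {
    ps -eo pid,pcpu,comm | tail -n +2 | filter_spikes "$QUOTA" >> "$LOGFILE"
}

# Long-running monitor loop; stop with Ctrl-C.
monitor() {
    while :; do
        sample_once
        sleep "$INTERVAL"
    done
}

# Constructed sample input (not real process data) showing what the filter keeps:
# only the two processes strictly above 80% survive; 80.0 itself does not.
SAMPLE_PS='  101  3.0 sshd
  202 91.5 ffmpeg
  303 80.0 kworker/0:1
  404 99.9 miner-placeholder'

# Invoke as `sh spike.sh run` to start monitoring; sourcing the file only
# defines the functions so they can be exercised on canned input.
case "${1:-}" in
    run) monitor ;;
esac
```

Because the log is written by your own shell rather than an opaque static binary, anything it omits is visible in the script itself, which is exactly the property the downloadable tool lacks.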

On the flip side, things are not entirely hopeless. A web search for “repu1sion”, the (defunct) Skype handle listed on the website, reveals Andrii’s GitHub profile. This tells us three things:

  1. His full name is Andrii Guriev.
  2. He does, in fact, appear to be Ukrainian.
  3. He does, in fact, appear to have at least some minimal programming skills, judging from the code contributions visible on his profile.

This search yields some other info:

After having done all this digging and learned all this, the question I am left with is simple: is this guy just dumb or clueless, or is his anonymous email advertising “Spike Monitor” to me and other supposed “kernel devs” an attempt to get us to run his malware on our computers?

Just to offer one theory, a person who brags on his website about writing “crypto monitors” might be the kind of person who would implement a process monitor tool that is explicitly designed to be run for long periods of time and to only display some processes, and then build a crypto miner into the tool and exclude the crypto miner’s processes from the tool’s output.

That’s just one example. There are of course any number of other malicious things that could be hidden in a tool like this that is distributed as a binary executable with no source code available.

Because I’m suspicious, I’ve captured a complete mirror of the website advertised in the email, including the free version of the “Spike Monitor” tool, and uploaded it here. Feel free to take a look if you want to dig deeper into whether there is something nefarious going on here.
