Skip to content

email

๐ŸŽฃ The Curious Case of the Beg Bounty Bait โ€” or: Licence to Phish

Not every day do I get an email from a very serious security researcher, clearly a man on a mission to save the internet โ€” one vague, copy-pasted email at a time.

Hereโ€™s the message I received:

From: Peter Hooks <peterhooks007@gmail.com>
Subject: Security Vulnerability Disclosure

Hi Team,

Iโ€™ve identified security vulnerabilities in your app that may put users at risk. Iโ€™d like to report these responsibly and help ensure they are resolved quickly.

Please advise on your disclosure protocol, or share details if you have a Bug Bounty program in place.

Looking forward to your reply.

Best regards,
Peter Hooks

Right. Letโ€™s unpack this.

๐Ÿงฏ”Your App” โ€” What App?

I’m not a company. I’m not a startup. I’m not even a garage-based stealth tech bro.
I run a personal WordPress blog. Thatโ€™s it.

There is no โ€œapp.โ€ There are no โ€œusers at riskโ€ (unless you count me, and Iฬทฬ“ฬœโ€™ฬทฬ‹ฬ mฬดฬ“ฬช ฬดอฬนaฬธฬฝอ™lฬตฬฟฬฃrฬธฬฝอ‡eฬตฬˆอ–aฬถฬ‹อ–dฬตฬ‡อ“yฬดฬ‚ฬผ ฬดอ‚ฬ–bฬถฬ‹ฬ eฬถฬฬปyฬดอ„อ‡oฬธฬ’ฬฃnฬธฬฬฆdฬดฬ†ฬŸ ฬถอ’อ‰sฬถอ€อ…aฬถอ—ฬกvฬดอŠอ™iฬตฬŠอ–nฬตฬ†อ–gฬธฬ”ฬก).

๐Ÿ•ต๏ธโ€โ™‚๏ธ The Anatomy of a Beg Bounty Email

This little email ticks all the classic marks of what the security community affectionately calls a beg bounty โ€” someone scanning random domains, finding trivial or non-issues, and fishing for a payout.

Want to see how common this is? Check out:

๐Ÿ“ฎ My (Admittedly Snarky) Reply

I couldnโ€™t resist. Hereโ€™s the reply I sent:

Hi Peter,

Thanks for your email and your keen interest in my โ€œappโ€ โ€” spoiler alert: there isnโ€™t one. Just a humble personal blog here.

Your message hits all the classic marks of a beg bounty reconnaissance email:

  • โœ… Generic โ€œHi Teamโ€ greeting โ€” because who needs names?
  • โœ… Vague claims of โ€œsecurity vulnerabilitiesโ€ with zero specifics
  • โœ… Polite inquiry about a bug bounty program (spoiler: none here, James)
  • โœ… No proof, no details, just good old-fashioned mystery
  • โœ… Friendly tone crafted to reel in easy targets
  • โœ… Email address proudly featuring โ€œ007โ€ โ€” very covert ops of you

Bravo. You almost had me convinced.

Iโ€™ll be featuring this charming little interaction in a blog post soon โ€” starring you, of course. If you ever feel like upgrading from vague templates to actual evidence, Iโ€™m all ears. Until then, happy fishing!

Cheers,
Amedee

๐Ÿ˜ข No Reply

Sadly, Peter didnโ€™t write back.

No scathing rebuttal.
No actual vulnerabilities.
No awkward attempt at pivoting.
Just… silence.


#crying
#missionfailed

๐Ÿ›ก๏ธ A Note for Fellow Nerds

If youโ€™ve got a domain name, no matter how small, thereโ€™s a good chance youโ€™ll get emails like this.

Hereโ€™s how to handle them:

  • Stay calm โ€” most of these are low-effort probes.
  • Donโ€™t pay โ€” you owe nothing to random strangers on the internet.
  • Donโ€™t panic โ€” vague threats are just that: vague.
  • Do check your stuff occasionally for actual issues.
  • Bonus: write a blog post about it and enjoy the catharsis.

For more context on this phenomenon, donโ€™t miss:

๐Ÿงต tl;dr

If your โ€œsecurity researcherโ€:

  • doesnโ€™t say what they found,
  • doesnโ€™t mention your actual domain or service,
  • asks for a bug bounty up front,
  • signs with a Gmail address ending in 007

โ€ฆitโ€™s probably not the start of a beautiful friendship.

Got a similar email? Want help crafting a reply thatโ€™s equally professional and petty?
Feel free to drop a comment or reach out โ€” Iโ€™ll even throw in a checklist.

Until then: stay patched, stay skeptical, and stay snarky. ๐Ÿ˜Ž

How I organize my message flow

Email

I use 2 email clients at the same time: Thunderbird and Gmail.

  • Thunderbird: runs on my local system, it’s very fast, it shows me all the metadata of an email in the way I want, the email list is not paged, I can use it for high volume actions on email. These happen on my local system, and then the IMAP protocol gradually syncs it to Gmail. I also find that Thunderbird’s email notifications integrate nicer in Ubuntu.
  • Gmail: can’t be beaten for search. It also groups mail conversations. And then there are labels!
How to turn on Conversation View in Gmail

Gmail has several tabs: Primary, Social, Promotions, Updates and Forums. Gmail is usually smart enough that it can classify most emails in the correct tab. If it doesn’t: drag the email to the correct tab, and Gmail will ask you if all future emails of that sender should go to the same tab. This system works well enough for me. My email routine is to first check the tabs Social, Promotions and Forums, and delete or unsubscribe from most emails that end up there. All emails about the go to Updates. I clean up the other emails in that tab (delete, unsubscribe, filter, archive) so that only the emails remain. Those I give a label – more about that later. Then I go to the Inbox. Any emails there (shouldn’t be many) are also taken care of: delete, unsubscribe, filter, archive or reply.

Enable Gmail tabs
Gmail tabs

Google has 3 Send options: regular Send, Schedule send (which I don’t use) and Send + Archive. The last one is probably my favorite button. When I reply to an email, it is in most cases a final action on that item, so after the email is sent, it’s dealt with, and I don’t need to see it in my Inbox any more. And if there is a reply on the email, then the entire conversation will just go to the Inbox again (unarchived).

Send + Archive

I love labels! At the level of an individual email, you can add several labels. The tabs are also labels, so if you add the label Inbox to an archived email, then it will be shown in the Inbox again. At the level of the entire mailbox, labels behave a bit like mail folders. You can even have labels within labels, in a directory structure. Contrary to traditional mail clients, where an email could only be in one mail folder, you can add as many labels as you want.
The labels are also shown as folders in an IMAP mail client like Thunderbird. If you move an email from one folder to another, then the corresponding label gets updated in Gmail.
The filters that I use in my are work/jobhunt, work/jobhunt/call_back, work/jobhunt/not_interesting, work/jobhunt/not_interesting/freelance, work/jobhunt/not_interesting/abroad, work/jobsites and work/coaching. The emails that end up with the abroad label, are source material for my blog post Working Abroad?

The label list on the left looks like a directory structure. It’s actually a mix of labels and traditional folders like Sent, Drafts, Spam, Trash,… Those are always visible at the top. Then there is a neat little trick for labels. If you have a lot of labels, like me, then Gmail will hide some of them behind a “More” button. You can influence which labels are always visible by selecting Show if unread on that label. This only applies to top-level labels. When there are no unread emails with that label or any of it’s sublabels, then the label will be hidden below the More button. As soon as there are unread mails with that label or any of it’s sublabels, then the label will be visible. Mark all mails as read, and the label is out of view. Again, less clutter, you only see it when you need it.

Show if unread

Filters, filters, filters. I think I have a gazillion filters. (208, actually – I exported them to XML so I could count them) Each time I have more than two emails that have something meaningful in common, I make a filter. Most of my filters have the setting ‘Skip Inbox’. They will remain unread in the label where I put them, and I’ll read them when it’s convenient for me. For example, emails that are automatically labelled takeaway aren’t important and don’t need to be in the Inbox, but when I want to order takeaway, I take a look in that folder to see if there are any promo codes.

Email templates. Write a draft email, click on the 3 dots bottom right, save draft as template. Now I can reuse the same text so that I don’t have to write for the umpteenth time that I don’t do freelance. I could send an autoreply with templates, but for now I’ll still do it manually.

LinkedIn

I can be short about that: it’s a mess. You can only access LinkedIn messages from the website, and if you have a lot of messages, then it behaves like a garbage pile. Some people also have an expectation that it’s some sort of instant messaging. For me it definitely isn’t. And just like with email: I archive LinkedIn chats as soon as I have replied.

I used to have an autoreply that told people to email me, and gave a link to my CV and my blog. What do you think, should I enable that again?

Living without email for a month

Remember when my webserver was acting up? Well, I was so fed up with it, that I took a preconfigured Bitnami WordPress image and ran that on AWS. I don’t care how Bitnami configured it, as long as it works.

As a minor detail, postfix/procmail/dovecot were of course not installed or configured. Meh. This annoyed the Mrs. a bit because she didn’t get her newsletters. But I was so fed up with all the technical problems, that I waited a month to do anything about it.

Doing sudo apt-get -y install postfix procmail dovecot-pop3d and copying over the configs from the old server solved that.

Did I miss email during that month? Not at all. People were able to contact met through Twitter, Facebook, Telegram and all the other social networks. And I had an entire month without spam. Wonderful!

Wat betekent dataretentie voor een geek zoals ik?

Vandaag staat er op de website van Het Nieuwsblad een artikel met als titel ‘Staatsveiligheid ziet wie u mailt, wanneer en met welk toestel‘. Dat is uiteraard een beetje sensatie met als bedoeling het klikvee aan te trekken. Waar het eigenlijk om gaat, is het omzetten van de Europese dataretentie richtlijn 06/24/EG naar nationale wetgeving. En ja, de StaatsSicherheit is รฉรฉn van de vele mogelijke ontvangers van telefoon- en emaillogs. Naast de politie, die daarvoor een onderzoeksrechter moet aanspreken. Maar bon, mij gaat het nu even niet om wie die gegevens kan inkijken, of hoe lang ze bijgehouden moeten worden.

Wat mij wel interesseert: is de voorgestelde wetgeving ook op mij van toepassing? Hoezo, zou je denken, ik ben toch geen internetprovider. Dat niet, maar ik maak ook geen gebruik van een Telenet- of Belgacom-mailbox. Ik heb mijn eigen mailserver, die in een datacenter ergens in Duitsland staat en daar rechtstreeks aan het internet hangt. Ik heb een aantal verschillende domeinnamen, waaronder een Zweedse, en die zijn geregistreerd via een Franse registrar. Ik ben niet de enige gebruiker van die mailserver, mijn echtgenote en mijn schoonouders gebruiken die ook. In feite doe ik zo ongeveer hetzelfde als een klein hostingbedrijf, maar dan als privรฉpersoon. En het is nu net de bedoeling van de voorgestelde wet dat kleine hostingbedrijven ook in het vizier komen.

En wat wanneer ik telnet op poort 25? Dan heb ik als afzender geen mailserver gebruikt, dus geen logging. En ja ik spreek vloeiend SMTP. HELO daar!
Hoe zit het eigenlijk met muggles die buitenlandse mailservers gebruiken zoals Gmail? Want wie gebruikt nu nog providermail, zeg eens eerlijk.

Ga ik nu mijn root wachtwoord moeten afgeven?

Ik heb al aan een aantal mensen gevraagd of ik nu ook verplicht ga worden om maillogs een jaar lang bij te houden, maar de enige antwoorden die ik ondertussen wel al gekregen heb, draaien rond de pot. Wordt vervolgd.

Das Leben der Anderen
Das Leben der Anderen (2006) was trouwens nog eens op tv. Gat in uw cultuur als je die nog niet gezien hebt.