I was temporarily suspended from Substack for Spam/Phishing, this is the Story, so far...
Apparently someone impersonated Substack. And such had National Security implications at least for the USA.
This Post of mine has been updated. I keep this one because it has Tuğba Avci's comments which I think are very important.
I do not authorize psychological nor psychiatric formulations, interpretations nor diagnosis, etc. I do not authorize any Religious use of my texts. Rights Reserved. I am not a lawyer, this is not legal advice nor advice of any kind. I am not a Cybersecurity researcher and I am not knowledgeable enough.
A few weeks ago I was temporarily suspended from Substack, they said apparently erroneously, because they thought I committed spam and/or phishing.
I did not do such things, I appealed twice/thrice, I showed them at that point I had only sent four emails from my email account associated with Substack, and explained one was to an NGO, a Mexican one, two to a private prominent citizen of the US who did not answer to me and one to Mexican police authorities.
I sent them a redacted screen capture showing I had then only sent four emails.
Several weeks before I received paired emails from The Bored Millennial:
Highly Sensitive:
And as slow as possible, aka Tuğba Avci:
The three paired emails emerged from a comment I did to a post of them and they gave a like to my comment.
As is apparent, the emails sent afterwards are clearly spam: they direct to a telegram channel, are poorly redacted and in broken text and advertise something.
The IP addresses from where they were sent came clean on the Spamhaus database of IP addresses associated with spam.
I am not a Cybersecurity researcher and my knowledge of email messaging, spam, phishing and spearphishing is rudimentary.
A little over a decade ago I was a collateral victim of a State Sponsored Campaign, probably because of a misconfigured router provided by my ISP. I am a human rights victim and victim of familial abuse among others, but I doubt said event and the spam/phishing I was erroneously banned for and which I received are related to them. Nevertheless it was or is a possibility, but I doubt it. Hence I contacted some Human Rights Governmental Organizations in my country without useful help from them, so far, or received no reply. Figures, who cares?, same as usual for me…
I doubt The Bored Millennial, Highly Sensitive and as slow as possible sent the spam. They had no incentive as far as I can see, and they must have been aware, somehow they could get banned for it.
My initial thought was their accounts were compromised, hence I did nothing until I got banned!
Then I realized the spam messages seemed to have been sent by domains from *.substack.com, so my guess is someone either impersonated Substack while sending the spam/phishing or someone had control of Substack email servers.
Again, I do not know enough about the cybersecurity issues, those are my guesses.
Nevertheless, I contacted a prominent CyberSecurity researcher, the New York Times and Bloomberg, and I had not yet received a reply from either of them.
To the last two I sent a copy of the emails in txt format. I offered them to the Cybersecurity researcher.
I also contacted the IC3 from the FBI, the Federal Trade Commission, the Department of Homeland Security and some Authorities in my country.
Two authorities in my country replied, one asked for my personal data to proceed with a formal complaint, and another sent me to a secure dropbox without stating motive nor legal grounding to do so, provided by a foreign company.
I read in several news outlets, including Bloomberg and CNN, that spamming has been an issue in Substack for around two years. On Reddit several apparently former Substack users complained of being banned apparently on the same grounds as I: sending spam and/or phishing, which they denied.
On X, formerly Twitter, I tried to contact the CyberCommand and some others, but you know X: better shout at a mountain, at least there you might hear an echo.
I contacted the FBI and DHS because I can see a National Security Issue: if someone is in control, partial or total of Substack servers, there being prominent people in Substack, those can be targets, being High Value Targets of spearphishing campaigns, not merely spam. It is called living off the land: Some small time hackers, like some spammers, gain control of a server, and then the really big bad competent dudes have patsies to take the blame. Rarely small time hackers patch, close the vulnerabilities of the servers they gained control of, making it possible for more advanced hackers to overtake their control.
If people can impersonate, phish, Substack, then they can also spearphish High Value Targets in Substack by being overrun by a State Threat Actor, or being directly targeted using whatever vulnerability makes it possible for someone to impersonate Substack itself, if such were the case. For most people such is rarely a threat, but for some People it is something to worry about, be careful, and take mitigation steps.
I contacted the Federal Trade Commission because they receive complaints about phishing, as I suspected it might be someone was impersonating Substack. But since I lost no money, the report form has that entry, I doubt they will do something. Especially me being a foreigner, but I tried.
I contacted my authorities because I was apparently the victim of someone impersonating me to send spam according to the early claims by Substack, which got me banned. Then they said it was probably erroneous and case closed as for me. Obviously whether my personal data, such as my email, is in someone else's hands who is a bad actor I don't know.
But as I saw it a few days afterwards, it is more likely someone was impersonating Substack, not just me. And they probably impersonated The Bored Millennial, Highly Sensitive and as slow as possible by apparently impersonating Substack. But such is my guess.
No one has clarified what was going on, or whether it is or will be an issue, and apparently it is an around two years long problem with using Substack.
Again, as I said in the past, I am grateful I can write and Post in Substack.
I offered them the emails and they did not reply.
I am narrating this because it might be useful at least to Substack writers or readers accused, perhaps, falsely, of spamming and/or phishing.
There are other economic incentives in allowing such, not doing enough to fight spam/phishing, but beyond being my wild guesses, it is up to the affected to do their own thinking, digging, complaining, etc.
I lost zero money. And I think I have done enough: at least I tried to document it, complain and offer the data I have. To Substack and several authorities and News Media.
And it could explain the around two years old problem with spam/phishing using Substack: either someone took control of some Substack servers, or someone successfully at least to me managed to impersonate Substack.
Again, I admit I do not know enough about those issues, those are my guesses from where I stand, to the best of my limited knowledge.
Thanks.
Federico Soto del Alba.
My note https://substack.com/@tugbaavci/note/c-111477430?r=17c8x0&utm_medium=ios&utm_source=notes-share-action
Hi Federico, a similar incident occurred a couple of months ago when someone created a different Substack handle using my profile photo and publication name. Unfortunately, I couldn't see the comments from that account because they had blocked me. Fortunately, some readers emailed me about it and reported the account, which Substack then blocked. Are you still able to see those comments?