I was temporarily suspended (Updated) from Substack for Spam/Phishing, this is the Story, so far...
Apparently someone impersonated Substack.
Apparently someone impersonated Substack or someone else. And that had National Security implications, at least for the USA. This post is originally from Jun 12, 2025; I updated it with the relevant metadata, whois info and what I am going to do next. I was inspired to update it by Tuğba Avci's comments on my original Post, my deep thanks to her! Thanks, Tuğba Avci!
I do not authorize psychological nor psychiatric formulations, interpretations nor diagnosis, etc. I do not authorize any Religious use of my texts. Rights Reserved. I am not a lawyer, this is not legal advice nor advice of any kind. I am not a Cybersecurity researcher and I am not knowledgeable enough. But I think it is in the Public Interest and there are some precedents.
A few weeks ago I was temporarily suspended from Substack, apparently erroneously as they later said, because they thought I had committed spam and/or phishing.
I did not do such things. I appealed twice or thrice, showed them that at that point I had only sent four emails from the email account associated with my Substack, and explained that one was to a Mexican NGO, two to a prominent private citizen of the US who did not answer me, and one to the Mexican police authorities.
I sent them a redacted screen capture showing I had then only sent four emails.
Several weeks before, I received paired emails from The Bored Millennial:
Highly Sensitive:
And as slow as possible, aka Tuğba Avci:
The three paired emails emerged from a comment I made on a Post of theirs, and they gave my comment a like. I don't think those Substack Writers sent the spam; I think they only gave the like.
As is apparent, the emails sent afterwards are clearly spam: they direct to a Telegram channel, are poorly written, in broken text, and advertise something.
The IP addresses they were sent from came back clean on the Spamhaus database of IP addresses associated with spam.
According to bgp-tools those IP addresses belong to Mailgun Technologies Inc. So the IP addresses are related by that fact. They are not IP addresses belonging to Substack Writers but to a company acquired by Rackspace: Mailgun Technologies Inc.
I am not a Cybersecurity researcher and my knowledge of email messaging, spam, phishing and spearphishing is rudimentary.
A little over a decade ago I was a collateral victim of a State Sponsored Campaign, probably because of a misconfigured router provided by my ISP. I am a human rights victim and a victim of familial abuse, among others, but I doubt said event, the spam/phishing I was erroneously banned for (so said Substack in an email they sent me), and the spam/phishing emails I received are related.
Beyond the "what's the point?", there is the fact that apparently more people are affected.
Nevertheless it was or is a possibility, but I doubt it.
Hence I contacted some Human Rights Governmental Organizations in my country, without useful help from them so far, or with no reply. Figures, who cares? Same as usual for me…
I doubt The Bored Millennial, Highly Sensitive and as slow as possible sent the spam. They had no incentive as far as I can see, and they must have been aware that somehow they could get banned for it.
My initial thought was that their accounts were compromised, hence I did nothing until I got banned!
The linked references (the email sender accounts, the "mailto:" links and the websites) are the same, meaning that according to the emails both the spam and the like messages were sent by the same Substack account, not by someone merely appearing to be the same Substack user.
They trace, from the URL, https or mailto:, to the same Webpage in Substack, which cursorily seems to be from the true Substack Writers:
The spam messages seem to have been sent from *.substack.com domains, so my guess is someone either impersonated Substack while sending the spam/phishing or someone had control of Substack email servers.
But the IP addresses belong to Mailgun Technologies Inc, according to bgp-tools.
So it got more complicated, because now it appears to me Mailgun Technologies Inc might be the one with the problem and not Substack. Or both! Or neither! Who knows!? :)
Again, I do not know enough about the cybersecurity issues; those are my guesses.
Nevertheless, I contacted a prominent Cybersecurity researcher, the New York Times and Bloomberg, and I have not yet received a reply from any of them.
To the last two I sent a copy of the emails in txt format. I offered them to the Cybersecurity researcher.
I also contacted the IC3 from the FBI, the Federal Trade Commission, the Department of Homeland Security and some Authorities in my country.
Two authorities in my country replied: one asked for my personal data to proceed with a formal complaint, and another sent me to a secure dropbox, provided by a foreign company, without stating a motive or legal grounds to do so.
I read in several news outlets, including Bloomberg and CNN, that spamming has been an issue on Substack for around two years. On Reddit several apparently former Substack users complained of being banned on apparently the same grounds as I: sending spam and/or phishing, which they denied.
On X, formerly Twitter, I tried to contact Cyber Command and some others, but you know X: better to shout at a mountain, at least there you might hear an echo.
I contacted the FBI and DHS because I can see a National Security issue: if someone is in control, partial or total, of Substack servers or, now also or alternatively, Mailgun Technologies Inc servers, there being prominent people on Substack, those can be targets, being High Value Targets of spearphishing campaigns, not merely spam.
It is called living off the land: some small time hackers, like some spammers, gain control of a server, and then the really big, bad, competent dudes have patsies to take the blame. Rarely do small time hackers patch, i.e. close, the vulnerabilities of the servers they gained control of, making it possible for more advanced hackers to take over their control.
If people can impersonate, phish, Substack or Mailgun Technologies Inc, then they can also spearphish High Value Targets in Substack, by being overrun by a State Threat Actor, or by being directly targeted using whatever vulnerability makes it possible for someone to impersonate Substack itself, if such were the case. For most people such is rarely a threat, but for some People it is something to worry about, be careful of, and take mitigation steps against.
But now, reading about two incidents affecting Mailgun Technologies Inc and two of its users, it is possible someone might be targeting Substack Writers, including those three I quoted and possibly:
But then, three Substack Writers in less than a week?
Then what about mi mi mi? :P
I can't see how someone stole my credentials. I get that it is possible through various means, but I don't browse the Web much on this device, and when I do I try to only browse pages with a good reputation, precisely to avoid fingerprinting, targeting and miscellaneous. Perhaps I failed in guarding my credentials, but I doubt it.
But around that date I did change my security configuration in Substack.
Still, spearphishing by impersonating me, from whatever vulnerability I could have on this Apple device, might be a problem for High Value Targets writing on Substack and receiving email from Substack through Mailgun Technologies Inc. As far, and as poorly, as I get it…
But I do get that there are mitigations which Substack and/or Mailgun Technologies Inc could apply to avoid that. But I don't know how effective those would be to protect High Value Targets.
So even then, given I am not sure, I think it is important that someone takes a detailed look at what was or is going on, because it might still have National Security implications, at least for the US.
Beyond the impact on Substack Writers, who can lose their money if they get banned before the month ends, when I guess they receive their monies, for apparently doing spam and/or phishing. My speculation. And Substack might get an income from the payment reversal, my guess.
Or I put forth this small, petite and petty example, which is along the lines of what happened with the spam emails:
Don't do this please, it is a hypothetical, not an invitation: imagine someone wants Marco Rubio (who does not seem to have a Substack account) or the State Department to kick my ass; such a nefarious individual impersonates me and sends an offensive, threatening or abusive Substack Comment to him or it, apparently from me, and I get shafted for it. Kicking the hornet's nest on my behalf, nefariously speaking.
Then what? As far as I can see it does still have National Security implications, but for mi mi mi!
I contacted the Federal Trade Commission because they receive complaints about phishing, as I suspected it might be that someone was impersonating Substack. But since I lost no money, and the report form has that entry, I doubt they will do something. Especially me being a foreigner, but I tried.
I contacted my authorities because I was apparently the victim of someone impersonating me to send spam, according to the early claims by Substack, which got me banned. Then they said it was probably erroneous, and case closed as far as I am concerned. Obviously whether my personal data, such as my email, is in the hands of someone else who is a bad actor, I don't know.
But as I see it now, it is likely someone was impersonating Substack or Mailgun Technologies Inc, cyber exploiting Substack users, and not just me. Or cyber exploiting Substack and/or Mailgun Technologies Inc.
And they probably impersonated The Bored Millennial, Highly Sensitive and as slow as possible by apparently impersonating Substack and/or Mailgun Technologies Inc. But such is my guess.
No one has clarified what was going on, or whether it is or will be an issue, and apparently it is an around two-year-long problem with using Substack.
Again, as I said in the past, I am grateful I can write and Post in Substack.
I offered them the emails and they did not reply.
I am narrating this because it might be useful, at least to Substack writers or readers accused, perhaps falsely, of spamming and/or phishing.
There are other economic incentives in allowing such, in not doing enough to fight spam/phishing, but beyond being my wild guesses, it is up to the affected to do their own thinking, digging, complaining, etc.
I lost zero money. And I think I have done enough: at least I tried to document it, complain and offer the data I have. To Substack and several authorities and News Media.
And it could explain the around two-year-old problem with spam/phishing using Substack: either someone took control of some Substack servers, took control of some Mailgun Technologies Inc servers, or is exploiting Substack Writers.
Either, all or neither. I have no idea what exactly is going on…
Again, I admit I do not know enough about those issues, those are my guesses from where I stand, to the best of my limited knowledge.
What to do? Well, I see three choices:
Report it to Substack. (I already offered the emails, I got no reply.)
Report it to Mailgun Technologies Inc.
Report it to Spamhaus.
Let's try the second first!
This is the info I think is relevant, supporting some of what I narrated. It is technical stuff and most readers can probably skip it:
These two emails were sent with a 1 second difference, from these two related IP addresses, 159.135.235.32 and 159.135.230.34 [159.135.23?.???]:
This is the Spam email:
From forum@mg1.substack.com Wed Apr 23 17:23:21 2025
Authentication-Results: spf.icloud.com; spf=pass (spf.icloud.com: domain of bounce+77777e.072c7b-PROTEGIDO/EDITADO=icloud.com@mg1.substack.com designates 159.135.235.32 as permitted sender) smtp.mailfrom="bounce+77777e.072c7b-PROTEGIDO/EDITADO=icloud.com@mg1.substack.com"
Apparently according to Substack this is the sender: <https://tugbaavci.substack.com/>
This is the Like email:
From reaction@mg1.substack.com Wed Apr 23 17:23:20 2025
Authentication-Results: spf.icloud.com; spf=pass (spf.icloud.com: domain of bounce+77777e.072c7b-PROTEGIDO/EDITADO=icloud.com@mg1.substack.com designates 159.135.230.34 as permitted sender) smtp.mailfrom="bounce+77777e.072c7b-PROTEGIDO/EDITADO=icloud.com@mg1.substack.com"
Apparently according to Substack this is the sender: <https://tugbaavci.substack.com/>
These two emails were sent with an 8 second difference, from these two related IP addresses, 161.38.202.234 and 161.38.200.89 [161.38.20?.???]:
This is the Spam email:
From forum@mg1.substack.com Thu Apr 24 11:48:04 2025
Authentication-Results: spf.icloud.com; spf=pass (spf.icloud.com: domain of bounce+77777e.072c7b-PROTEGIDO/EDITADO=icloud.com@mg1.substack.com designates 161.38.202.234 as permitted sender) smtp.mailfrom="bounce+77777e.072c7b-PROTEGIDO/EDITADO=icloud.com@mg1.substack.com"
Apparently according to Substack this is the sender: <https://marievandoorne.substack.com/>
This is the like email:
From reaction@mg1.substack.com Thu Apr 24 11:47:56 2025
Authentication-Results: spf.icloud.com; spf=pass (spf.icloud.com: domain of bounce+77777e.072c7b-PROTEGIDO/EDITADO=icloud.com@mg1.substack.com designates 161.38.200.89 as permitted sender) smtp.mailfrom="bounce+77777e.072c7b-PROTEGIDO/EDITADO=icloud.com@mg1.substack.com"
Apparently according to Substack this is the sender: <https://marievandoorne.substack.com/>
These two emails were sent with a four second difference, from these two related IP addresses, 159.112.244.50 and 161.38.202.234:
This is the spam email:
From forum@mg1.substack.com Fri Apr 18 18:40:50 2025
Authentication-Results: spf.icloud.com; spf=pass (spf.icloud.com: domain of bounce+77777e.072c7b-PROTEGIDO/EDITADO=icloud.com@mg1.substack.com designates 159.112.244.50 as permitted sender) smtp.mailfrom="bounce+77777e.072c7b-PROTEGIDO/EDITADO=icloud.com@mg1.substack.com"
Apparently according to Substack this is the sender: <https://highlysensitivewoman.substack.com/>
This is the like email:
From reaction@mg1.substack.com Fri Apr 18 18:40:46 2025
Authentication-Results: spf.icloud.com; spf=pass (spf.icloud.com: domain of bounce+77777e.072c7b-PROTEGIDO/EDITADO=icloud.com@mg1.substack.com designates 161.38.202.234 as permitted sender) smtp.mailfrom="bounce+77777e.072c7b-PROTEGIDO/EDITADO=icloud.com@mg1.substack.com"
Apparently according to Substack this is the sender: <https://highlysensitivewoman.substack.com/>
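As an added example, not part of the original post, the following Python parses the six header excerpts above (copied from this page, with the author's redaction marker kept and the trailing smtp.mailfrom clause dropped since the parser does not need it), pairs each spam message with the "like" notification it arrived next to, and reports the two sending IPs, whether both passed SPF for the same envelope domain, and the seconds between them. Note that an SPF pass only records that the receiver found the connecting IP authorised in mg1.substack.com's SPF policy; it says nothing about who composed the message.

```python
import re
from datetime import datetime
# Header excerpts as quoted in this post (author's redaction marker kept); the mbox
# 'From ' line plus the Authentication-Results line are all the parser needs.
AUTH = ("Authentication-Results: spf.icloud.com; spf=pass (spf.icloud.com: domain of "
        "bounce+77777e.072c7b-PROTEGIDO/EDITADO=icloud.com@mg1.substack.com designates "
        "{ip} as permitted sender)")

def excerpt(from_line, ip):
    return from_line + "\n" + AUTH.format(ip=ip)

PAIRS = {  # writer: (spam message excerpt, 'like' notification excerpt)
    "tugbaavci": (
        excerpt("From forum@mg1.substack.com Wed Apr 23 17:23:21 2025", "159.135.235.32"),
        excerpt("From reaction@mg1.substack.com Wed Apr 23 17:23:20 2025", "159.135.230.34")),
    "marievandoorne": (
        excerpt("From forum@mg1.substack.com Thu Apr 24 11:48:04 2025", "161.38.202.234"),
        excerpt("From reaction@mg1.substack.com Thu Apr 24 11:47:56 2025", "161.38.200.89")),
    "highlysensitivewoman": (
        excerpt("From forum@mg1.substack.com Fri Apr 18 18:40:50 2025", "159.112.244.50"),
        excerpt("From reaction@mg1.substack.com Fri Apr 18 18:40:46 2025", "161.38.202.234")),
}

FROM_RE = re.compile(r"^From (\S+) (\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})$", re.M)
SPF_RE = re.compile(r"spf=(\w+) \(.*?domain of (\S+) designates (\d+(?:\.\d+){3}) as permitted sender\)")

def parse_excerpt(text):
    """Pull sender, timestamp, SPF verdict, checked domain and connecting IP out of one excerpt."""
    m, s = FROM_RE.search(text), SPF_RE.search(text)
    if not (m and s):
        raise ValueError("excerpt lacks a 'From ' line or an SPF clause")
    return {"sender": m.group(1), "when": datetime.strptime(m.group(2), "%a %b %d %H:%M:%S %Y"),
            "spf": s.group(1), "mailfrom_domain": s.group(2).rsplit("@", 1)[1], "ip": s.group(3)}

def common_octets(ip_a, ip_b):
    """Leading dotted octets two IPv4 addresses share: a rough 'same range' hint, not a WHOIS."""
    pairs = list(zip(ip_a.split("."), ip_b.split(".")))
    return next((i for i, (a, b) in enumerate(pairs) if a != b), len(pairs))

def analyse_pair(spam_text, like_text):
    """Compare a spam message with the 'like' notification it arrived alongside."""
    spam, like = parse_excerpt(spam_text), parse_excerpt(like_text)
    return {"spam_ip": spam["ip"], "like_ip": like["ip"],
            "seconds_apart": int((spam["when"] - like["when"]).total_seconds()),
            # SPF pass only says mg1.substack.com's record authorises that IP to send
            # for that envelope domain; it does not say who composed the message.
            "both_spf_pass": spam["spf"] == like["spf"] == "pass",
            "same_mailfrom_domain": spam["mailfrom_domain"] == like["mailfrom_domain"],
            "shared_octets": common_octets(spam["ip"], like["ip"])}

def analyse_all(pairs=PAIRS):
    return {writer: analyse_pair(*texts) for writer, texts in pairs.items()}
```

Running `analyse_all()` reproduces the 1, 8 and 4 second gaps stated above and shows that the third pair's two IPs share no leading octets, so "related" there rests on the bgp-tools attribution, not on the addresses themselves.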
Update: I already contacted Mailgun Technologies Inc.
I also sent an email with the three spamming emails' headers, I think, to abuse@mailgun.com.
Thanks.
Federico Soto del Alba.