Hi,
Jeroen Massar wrote on Tue, Jun 22, 2021 at 08:58:00AM +0200:
> That is a very odd ordering of headers:
>
> Received: from [136.35.59.161] (port=45371 helo=in3days.org) by cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93) (envelope-from in3days@in3days.org) id 1lvNEU-00069P-CD for s.droz@protonmail.ch; Mon, 21 Jun 2021 17:57:10 +0100
> Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com [95.172.31.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW for s.droz@protonmail.ch; Mon, 21 Jun 2021 18:11:47 +0000 (UTC)
>
> Those normally go the other way around (top one is the newest).
>
> Unfortunately some broken wannabe mail servers reorder them. Most prominent example is that groupware server named Microsoft Exchange which claims to also be a mail server (but fails in many aspects).
>
> Nevertheless... there are two options for this kind of spam:
> - something subscribe(s|d) to the list and just spams directly
> - something parses the mailman archives and spams directly
I suspect a third option and that one is what Serge wrote initially:
Someone who was already subscribed to the list for a while caught an Emotet-like malware earlier this year on a client device which reads this list's mail. That malware scraped the infected computer's mail archive and forwarded/exfiltrated it to the malware operators. And now that malware gang replies to these mails to persons in the mail headers with faked real names from other persons also listed in these headers.
And since this is about a mail from a mailing list, none of the IPs or e-mail addresses in the headers of the mail forwarded by Serge need to be related to the actually infected host or its owner. (With non-mailing-list mails it's much easier to figure out the infected host as it's usually a host of either the sender or one of its recipients — unless BCC was used of course.)
> Nothing list-admins or members could do anything about.
Sure.
But Serge is nevertheless completely right when he writes:
> It seems there is a SWINOG member who should clean his computer.
Exactly: Someone subscribed to this list runs a computer which got infected with an Emotet-like malware which scrapes local mail archives, usually those of Microsoft Outlook.
Regards, Axel
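The Received-header oddity Jeroen points out (the top Received field should be the newest hop, because every MTA prepends its own) can be checked mechanically. The following script is an added example, not code from anyone in this thread: it parses the Received fields of a header block, extracts the "from" host, "by" host and timestamp of each hop, and flags a chain whose timestamps increase top-down or whose hops link in the oldest-first direction. The sample header block is constructed from the two Received fields quoted above; the hostname matching is deliberately exact and will miss hops where the helo name and the reverse-DNS name differ, which is an assumption made to keep the example short.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the two Received fields quoted in the thread, refolded
# onto continuation lines, in the same odd order Jeroen noticed (the earliest
# hop sits on top). A real header block carries many more fields; only the
# Received ones are used here.
SAMPLE_HEADERS = """\
Received: from [136.35.59.161] (port=45371 helo=in3days.org)
 by cloudserver2.webbossuk.com with esmtpsa (TLS1.2)
 tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (Exim 4.93)
 (envelope-from in3days@in3days.org)
 id 1lvNEU-00069P-CD
 for s.droz@protonmail.ch; Mon, 21 Jun 2021 17:57:10 +0100
Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com [95.172.31.250])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW
 for s.droz@protonmail.ch; Mon, 21 Jun 2021 18:11:47 +0000 (UTC)
Subject: constructed sample

"""


def parse_received(raw_headers):
    """Return the Received hops in header order (top of the message first).

    Each hop is a dict with the 'from' host, the 'by' host and the timestamp
    found after the final ';' (None where a clause is absent).
    """
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        m_from = re.match(r"from\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def check_ordering(hops):
    """Flag a Received chain that does not read newest-first.

    Reading top-down, timestamps must not increase, and each hop's 'from'
    host should be the host the hop below it was received 'by'. If instead
    each hop's 'by' host is the next hop's 'from' host, the chain reads
    oldest-first: something reordered the headers.
    """
    findings = []
    for i in range(len(hops) - 1):
        upper, lower = hops[i], hops[i + 1]
        if upper["time"] and lower["time"] and upper["time"] < lower["time"]:
            findings.append(
                f"hop {i + 1} ({upper['by']}) is older than hop {i + 2} "
                f"({lower['by']}): timestamps increase top-down")
        if upper["from"] != lower["by"] and upper["by"] == lower["from"]:
            findings.append(
                f"hop {i + 1} hands off to hop {i + 2} instead of receiving "
                f"from it: chain reads oldest-first")
    return {"reordered": bool(findings), "findings": findings}


if __name__ == "__main__":
    result = check_ordering(parse_received(SAMPLE_HEADERS))
    print("reordered:", result["reordered"])
    for line in result["findings"]:
        print(" -", line)
```

Run against the sample, both checks fire: the cloudserver2 hop on top is stamped 16:57:10 UTC while the protonmail hop below it is stamped 18:11:47 UTC, and the top hop's "by" host is the lower hop's "from" host. Feeding the same two hops in the reverse (normal) order produces no finding, which is the behaviour a mail-flow check should rely on before treating a reordered chain as a sign of a broken or unusual relay.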