Hi all
It seems there is a SWINOG member who should clean his computer.
Happy hunting Serge
-------- Forwarded Message --------
Subject: Re: [swinog] Coop.ch geoblocking?
Date: Mon, 21 Jun 2021 17:57:11 +0200
From: Roger in3days@in3days.org
Reply-To: Roger in3days@in3days.org
To: Serge Droz s.droz@protonmail.ch
Good day!
We mail document to you again. You can discover it at the link lower:
annanigrodermatologia.it/mac-lesch/s_droz-80.zip
Hi Roger

> I just think that this suppression of unwanted opinions is wrong.

I see it that way too. But that is not what Coop is doing.

> And from Coop's point of view I find it firstly useless and secondly questionable
> to try to reduce security problems with regional restrictions instead of
> eliminating them.

No idea why Coop does that, but it is their right, it is their website.

Regards
Serge

> .. so long ;)
>
> Roger
>
> On 28.02.2021 19:37, Serge Droz wrote:
>> I think you misunderstand what free speech is. Free speech means you
>> cannot be punished for what you say, nothing more. It does not guarantee
>> you an audience, or a platform.
>> An, although a bit US-centric, explanation is here:
>> https://www.aclu.org/other/what-censorship
>>
>> Whether blocking is a good idea for security reasons is an entirely different
>> question, and has nothing whatsoever to do with free speech or
>> censorship.
>>
>> Best
>> Serge
>>
>> --
>> Serge Droz
>> Security Lead
>> Proton Technologies AG

--
Serge Droz
Security Lead
Proton Technologies AG
Full headers would be rather useful to determine the real origin of that message...
Greets, Jeroen
On 20210621, at 21:35, Serge Droz s.droz@protonmail.ch wrote:
Hi all
It seems there is a SWINOG member who should clean his computer.
Happy hunting Serge
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Sure, here you go:
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=utf-8
References: 7A5xjOA_IhApwauOLPwy0scprYxTA4bjrjcS6Ejp5HrXsPGcbyrTV2ABvFGl8gGpkVDyKFXPU2FKFTdfnoqycA==@protonmail.internalid
X-Pm-Date: Mon, 21 Jun 2021 15:57:11 +0000
X-Pm-External-Id: 6FC07FDF38760D4D03211162AA001EDFAE9F5412@unknown
X-Pm-Internal-Id: 7A5xjOA_IhApwauOLPwy0scprYxTA4bjrjcS6Ejp5HrXsPGcbyrTV2ABvFGl8gGpkVDyKFXPU2FKFTdfnoqycA==
To: "Serge Droz" s.droz@protonmail.ch
Reply-To: "Roger" in3days@in3days.org
From: "Roger" in3days@in3days.org
Subject: Re: [swinog] Coop.ch geoblocking?
X-Pm-Transfer-Encryption: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Delivered-To: s.droz@protonmail.ch
X-Original-To: s.droz@protonmail.ch
X-Antiabuse: Sender Address Domain - in3days.org
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Original Domain - protonmail.ch
X-Antiabuse: Primary Hostname - cloudserver2.webbossuk.com
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Authenticated-Sender: cloudserver2.webbossuk.com: in3days@in3days.org
Return-Path: in3days@in3days.org
X-Get-Message-Sender-Via: cloudserver2.webbossuk.com: authenticated_id: in3days@in3days.org
X-Pm-Content-Encryption: on-delivery
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=in3days.org; s=default;
    h=MIME-Version:Message-ID:Subject:From:To:Date:Content-Type:
    Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
    Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
    In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
    List-Post:List-Owner:List-Archive;
    bh=uAxy3zLHqvfXb2TMYjrhYr5Z2Iu5r3NwESS4F1OCQg8=;
    b=pK1dKfuL2dIP2X5U9hf1z+iIGv
    e9DBaAUxWcNJsesFiRorFjvKyzPWnZ+20RDKKpGfsaEjcu7xuxyYrZbfICXsM0mzgfCry/DVoe+QU
    c2uMZspDly4ulZf0mp4o2Yx66GNBHlh0s0yZOjzrBc9whwJSk01vPFoKc/qthRVzR2Tc4GrsW4MlF
    R02FpGbOo3XzfjLoWwRWn52qVGvEaScq2tk8O4YAWm14iMUIGPHMZbmT9UWsODV7TvQDyRjQTb9YA
    IaffxFi0eEjohCq5WyMOBJbGq91Me/rI9o8Hhsqv5bnh3W1qI4K5L+nUn2tvRckpY/S9r2+BQORdE
    99Vu9hyQ==;
X-Pm-Spam: 0yeiAIic37iBOIJChpR3Y2bi4AiOiuHVZb8miiACL3cpJI6ZC2CIIMQGw2YDZDNmd
    RkNDzGUOOgDz4EGN2NiU0sIHzCJIYIS6gsHImIzlNwX3iW0YOAiwiACL2cvNUicmwiAOLACiwVmc
    3b0JogIjwi0ILAjgGB1U0XFh9fTETEFUUByT6YEUEIFh8gTE0WFbYh2lTBycEUgYVjcmk3JbX4Gg
    w4CMFIQN9ORlF05TINFQgojR2cuVVyZGvGRIZMXg09mbHI1BxpYmg2gcY4WgGB1UFIlJ9yY2uFxZ
    IADuIBCMEVM11FX0B1NURU0gE9kQTWgoRNSFpCBTbNmslRWdCZpBBtbizXNZYdWlt4GXCMx4RLIE
    fU1SVFkMfRUSVQgUVzTWn2FcZBSogMXYSY2BxpYWECBZSl0Ny9GIEILRNpIHh25ZdVHymBSZmct9
    4gXG0XVYa9GygM3JGZt9luYWgG4XM4CxLREIUSf1lHU0EkVTI1ElhN3c2ZgUFzaGgGEIRtEJvBST
    icEBBzSyuWdaYRX1sUmcGIv5BudClWNZcN3hslmcVeuxZhIHkGlbX4Gtx4CMEILR1fSUMkFVSQUg
    zVWT2cnFBoZSgXMYYQXghVGb3cgQ5lb2hHZIblGkLREIUSg0Igb3gEsRcl2n0FmbXdlJ4tXGxC4M
    IRELf1USkVMFRfSUgUYRTVWznF2cSZoBMgYX2SBYYxWpEBCZ0SNl9yIGLERIINHph52ZHdyVBmZS
    tm9cX4Gg25WZWZvxUtcGvnJZbBSkh12bWac5AwbigjALUNkWJ9FRlTQ9wgQkjmVUZlW2gQWZmdhl
    EgIGsmVcYkXgg4Wa3UhBhhbWgXMdUJEMi4GXHIg0fQ==
X-Pm-Spamscore: 0
X-Pm-Origin: external
X-Pm-Spam-Action: dunno
Message-Id: 6FC07FDF38760D4D03211162AA001EDFAE9F5412@unknown
Received: from [136.35.59.161] (port=45371 helo=in3days.org)
    by cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    (Exim 4.93) (envelope-from in3days@in3days.org)
    id 1lvNEU-00069P-CD for s.droz@protonmail.ch; Mon, 21 Jun 2021 17:57:10 +0100
Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com [95.172.31.250])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW
    for s.droz@protonmail.ch; Mon, 21 Jun 2021 18:11:47 +0000 (UTC)
Mime-Version: 1.0
Date: Mon, 21 Jun 2021 17:57:11 +0200
Authentication-Results: mailin025.protonmail.ch; dkim=pass (2048-bit key) header.d=in3days.org header.i=@in3days.org header.b="pK1dKfuL"
Authentication-Results: mailin025.protonmail.ch; spf=none smtp.mailfrom=in3days@in3days.org
Authentication-Results: mailin025.protonmail.ch; dmarc=none (p=none dis=none) header.from=in3days.org
Authentication-Results: mailin025.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=in3days.org header.a=rsa-sha256
On 21.06.21 23:42, Jeroen Massar wrote:
Full headers would be rather useful to determine the real origin of that message...
Greets, Jeroen
--
Dr. Serge Droz
Senior Security Engineer
TL;DR: Spam outside of the swinog list by participating in the mailing list...
That is a very odd ordering of headers:
Received: from [136.35.59.161] (port=45371 helo=in3days.org)
    by cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    (Exim 4.93) (envelope-from in3days@in3days.org)
    id 1lvNEU-00069P-CD for s.droz@protonmail.ch; Mon, 21 Jun 2021 17:57:10 +0100
Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com [95.172.31.250])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW
    for s.droz@protonmail.ch; Mon, 21 Jun 2021 18:11:47 +0000 (UTC)
Those normally go the other way around (top one is the newest).
Nevertheless... there are two options for this kind of spam:
- something subscribe(s|d) to the list and just spams directly
- something parses the mailman archives and spams directly
Nothing list admins or members can do anything about. Closing the archives is a silly option, closing subscriptions another silly one; why bother having a mailing list in that case. Noting that
I suggest using a mailhost that has proper spam filtering; considering it is trivial to identify that the sending host is not properly configured, why bother accepting mail from it? Then again, from the order of those headers, it does not look like the receiver is properly configured either.
Greets, Jeroen
--
Hi,
Jeroen Massar wrote on Tue, Jun 22, 2021 at 08:58:00AM +0200:
That is a very odd ordering of headers:
Received: from [136.35.59.161] (port=45371 helo=in3days.org)
    by cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    (Exim 4.93) (envelope-from in3days@in3days.org)
    id 1lvNEU-00069P-CD for s.droz@protonmail.ch; Mon, 21 Jun 2021 17:57:10 +0100
Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com [95.172.31.250])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW
    for s.droz@protonmail.ch; Mon, 21 Jun 2021 18:11:47 +0000 (UTC)
Those normally go the other way around (top one is the newest).
Unfortunately some broken wannabe mail servers reorder them. The most prominent example is that groupware server named Microsoft Exchange, which claims to also be a mail server (but fails in many aspects).
Nevertheless... there are two options for this kind of spam:
- something subscribe(s|d) to the list and just spams directly
- something parses the mailman archives and spams directly
I suspect a third option and that one is what Serge wrote initially:
Someone who was already subscribed to the list for a while caught an Emotet-like malware earlier this year on a client device which reads this list's mail. That malware scraped the infected computer's mail archive and forwarded/exfiltrated it to the malware operators. And now that malware gang replies to these mails to persons in the mail headers with faked real names from other persons also listed in these headers.
And since this is about a mail from a mailing list, none of the IPs or e-mail addresses in the headers of the mail forwarded by Serge need to be related to the actually infected host or its owner. (With non-mailing-list mails it's much easier to figure out the infected host as it's usually a host of either the sender or one of its recipients — unless BCC was used of course.)
Nothing list-admins or members could do anything about.
Sure.
But Serge is nevertheless completely right when he writes:
It seems there is a SWINOG member who should clean his computer.
Exactly: Someone subscribed to this list runs a computer which got infected with an Emotet-like malware which scrapes local mail archives, usually those of Microsoft Outlook.
Regards, Axel
Hey guys,
On 21.06.21 21:35, Serge Droz wrote:
Hi all
It seems there is a SWINOG member who should clean his computer.
Happy hunting Serge
I don't think so. The root problem is the SWINOG mailman archive, which happens to be very open:
http://lists.swinog.ch/public/swinog/2021-June/thread.html http://lists.swinog.ch/public/swinog/2021-June/007518.html
Even for a stupid crawler it is quite easy to collect your email address from there.
That's the reason why I don't like to post to this list: it automatically makes me a future victim of SWINOG external SPAM. I once posted something to this list (must be 10 years ago). It took less than a week for the first SPAM mails to arrive.
In fact, anyone who ever posted to this list is subject to direct spam.
SWINOG should really re-think its list archive...
On 22.06.21 08:58, Jeroen Massar wrote:
I suggest using a mailhost that has proper spam filtering, considering it is trivial to identify that the sending host is not properly configured, why bother accepting mail from it?
That's not enough. In first place, the SWINOG contributors should be protected from being crawled. -> SWINOG homework
On 21.06.21 23:42, Jeroen Massar wrote:
Full headers would be rather useful to determine the real origin of that message...
Full ACK. Preferably in the correct order.
So for the sake of completeness, let's do the header dance:
X-Authenticated-Sender: cloudserver2.webbossuk.com: in3days@in3days.org
X-Get-Message-Sender-Via: cloudserver2.webbossuk.com: authenticated_id: in3days@in3days.org
Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com [95.172.31.250])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW
    for s.droz@protonmail.ch; Mon, 21 Jun 2021 18:11:47 +0000 (UTC)
Received: from [136.35.59.161] (port=45371 helo=in3days.org)
    by cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    (Exim 4.93) (envelope-from in3days@in3days.org)
    id 1lvNEU-00069P-CD for s.droz@protonmail.ch; Mon, 21 Jun 2021 17:57:10 +0100
Email coming from 136-35-59-161.googlefiber.net [136.35.59.161], sent through cloudserver2.webbossuk.com (esmtpsa -> authenticated), which happens to host in3days.org.
So most probably a hacked web hosting account.
However, this does not help much, since the root cause is the SWINOG mailman archive. You will get spam from all over the world.
Greetings, Franco
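Jeroen flags the odd hop order and Franco puts the Received headers back in sequence by hand. The script below is an added example of that header dance, not code posted by anyone in the thread. It feeds the trace and authentication headers from the forwarded mail (re-folded, with the angle brackets the archive stripped; both are assumptions) to the standard-library email parser, sorts the hops by their timestamps, reports whether the stored order was oldest-first, extracts the first hop's peer address, HELO name and whether the submission was authenticated (Exim marks that as esmtpa/esmtpsa), summarises the Authentication-Results, and computes the gap between the client-supplied Date: header and the first trace stamp.

```python
"""Walk the Received chain of a message and locate the submitting host."""
import re
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed input: the headers as posted in the thread, in the order they
# appeared. Folding and angle brackets are assumptions (the archive copy
# flattened them); everything else is copied from the forwarded mail.
RAW_HEADERS = """\
From: "Roger" <in3days@in3days.org>
To: "Serge Droz" <s.droz@protonmail.ch>
Subject: Re: [swinog] Coop.ch geoblocking?
Date: Mon, 21 Jun 2021 17:57:11 +0200
X-Authenticated-Sender: cloudserver2.webbossuk.com: in3days@in3days.org
Received: from [136.35.59.161] (port=45371 helo=in3days.org)
  by cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  (Exim 4.93) (envelope-from <in3days@in3days.org>)
  id 1lvNEU-00069P-CD for s.droz@protonmail.ch; Mon, 21 Jun 2021 17:57:10 +0100
Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com [95.172.31.250])
  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
  (No client certificate requested)
  by mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW
  for <s.droz@protonmail.ch>; Mon, 21 Jun 2021 18:11:47 +0000 (UTC)
Authentication-Results: mailin025.protonmail.ch; dkim=pass (2048-bit key) header.d=in3days.org
Authentication-Results: mailin025.protonmail.ch; spf=none smtp.mailfrom=in3days@in3days.org
Authentication-Results: mailin025.protonmail.ch; dmarc=none (p=none dis=none) header.from=in3days.org
"""


def _strip_comments(text):
    """Remove (possibly nested) RFC 5322 comments so the from/by/with keywords are unambiguous."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", "", text)
    return text


def parse_received(value):
    """Split one Received field into the parts an analyst cares about."""
    text = " ".join(value.split())               # unfold continuation lines
    head, _, date_part = text.rpartition(";")    # the date follows the last ';'
    plain = _strip_comments(head)

    def grab(pattern, source):
        m = re.search(pattern, source)
        return m.group(1) if m else None

    return {
        "from": grab(r"\bfrom\s+(\S+)", plain),           # peer as seen by the MTA
        "helo": grab(r"helo=([^\s)]+)", head),             # name the client claimed
        "ip": grab(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", head),
        "by": grab(r"\bby\s+(\S+)", plain),
        "with": grab(r"\bwith\s+(\S+)", plain),            # Exim: esmtpa/esmtpsa = authenticated
        "time": parsedate_to_datetime(date_part.strip()),
    }


def analyse(raw):
    msg = HeaderParser().parsestr(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    chrono = sorted(hops, key=lambda h: h["time"])
    # Each MTA prepends its own trace field (RFC 5321, section 4.4), so an
    # untouched message lists the newest hop first. Stored order equal to
    # chronological order means something re-sorted the headers on the way.
    stored = [h["time"] for h in hops]
    reordered = len(hops) > 1 and stored == sorted(stored)
    auth = {}
    for field in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(dkim|spf|dmarc)=(\w+)", field):
            auth.setdefault(mech, result)
    origin = chrono[0]
    origin["authenticated"] = (origin["with"] or "").lower() in ("esmtpa", "esmtpsa")
    # Date: is written by the client and can disagree with the first MTA's clock.
    date_hdr = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    gap = int((origin["time"] - date_hdr).total_seconds()) if date_hdr else None
    return {"hops": chrono, "reordered": reordered, "origin": origin,
            "auth": auth, "date_gap_seconds": gap}


def report(result):
    """Human-readable summary, one line per finding."""
    lines = []
    for n, h in enumerate(result["hops"], 1):
        lines.append(f"hop {n}: {h['time'].isoformat()} {h['from']} -> {h['by']} with {h['with']}")
    o = result["origin"]
    lines.append(f"origin peer {o['ip']} (helo={o['helo']}) submitted to {o['by']}, "
                 f"authenticated={o['authenticated']}")
    lines.append(f"stored order was oldest-first: {result['reordered']}")
    lines.append(f"auth results: {result['auth']}")
    lines.append(f"Date: header is {result['date_gap_seconds']}s before the first trace stamp")
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyse(RAW_HEADERS))))
```

The first hop is the one to act on: the peer address and the esmtpsa marker together say the message was submitted with valid credentials for the in3days.org account on cloudserver2.webbossuk.com, which matches Franco's reading. Everything above that hop (the protonmail.ch receipt, the DKIM pass) is the relay doing its job and says nothing about who typed the mail.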
On 2021-06-23 10:48, Franco wrote:
On 22.06.21 08:58, Jeroen Massar wrote:
I suggest using a mailhost that has proper spam filtering, considering it is trivial to identify that the sending host is not properly configured, why bother accepting mail from it?
That's not enough. In first place, the SWINOG contributors should be protected from being crawled. -> SWINOG homework
Won't fix a thing. Also as a public list, it is public.
As noted anybody can subscribe or archive the list.
As an example: https://www.mail-archive.com/swinog@lists.swinog.ch/msg07408.html
Apparently 3 years old: https://swinog.swinog.narkive.com
etc etc etc..
And a spammer can just simply also subscribe, next to the avenue of a hacked computer of one of the members who does not clean out their mailbox.
Greets, Jeroen
PS: I simply use my mail address everywhere publicly, as spam will come anyway from whatever source when the address is public somewhere; one just needs to filter and classify properly: good old SpamAssassin with a few RBLs, a bit of MIMEDefang and you are pretty good already (5 per day in my case); any other (mostly paid) resources will bring the spam amount close to 0 while being able to actually use your mail address.
Spam is the way of life and unfortunately there is always going to be some source where it will be coming from, as long as the spammers gain something from their spam... (that something I am still wondering about, but clearly they must gain something even if the percentages are super low).
Oh, and yes, to avoid From: spamming, do have proper DKIM/SPF/DMARC checks, they 'solve' the spamming issue quite a bit, with only few mailinglists being problematic while forwarding.
Maybe it could be each of us, or not even that: just one unknown black sheep who forwards all the email to the bad guy.
Or, more simply: maybe he grabbed the email addresses and content from the swinog mail archive, which is open to the whole world? ;)
Roger
On 21.06.2021 21:35, Serge Droz wrote:
Hi all
It seems there is a SWINOG member who should clean his computer.
Happy hunting Serge