Hey guys,
On 21.06.21 21:35, Serge Droz wrote:
> Hi all
> It seems there is a SWINOG member who should clean his computer.
> Happy hunting
> Serge
I don't think so. Root problem is the SWINOG mailman archive which happens to be very open:
http://lists.swinog.ch/public/swinog/2021-June/thread.html
http://lists.swinog.ch/public/swinog/2021-June/007518.html
Even for a stupid crawler it is quite easy to collect your email address from there.
That's the reason why I don't like to post to this list: it automatically makes me a future victim of SWINOG external SPAM. I once posted something to this list (must be 10 years ago). It took less than a week for the first SPAM mails to arrive.
In fact, anyone who ever posted to this list is subject to direct spam.
SWINOG should really re-think its list archive...
On 22.06.21 08:58, Jeroen Massar wrote:
> I suggest using a mailhost that has proper spam filtering, considering it is trivial to identify that the sending host is not properly configured, why bother accepting mail from it?
That's not enough. In the first place, the SWINOG contributors should be protected from being crawled. -> SWINOG homework
On 21.06.21 23:42, Jeroen Massar wrote:
> Full headers would be rather useful to determine the real origin of that message...
Full ACK. Preferably in the correct order.
So for the sake of completeness, let's do the header dance:
X-Authenticated-Sender: cloudserver2.webbossuk.com: in3days@in3days.org
X-Get-Message-Sender-Via: cloudserver2.webbossuk.com: authenticated_id: in3days@in3days.org
Received: from cloudserver2.webbossuk.com (cloudserver2.webbossuk.com [95.172.31.250])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mailin025.protonmail.ch (Postfix) with ESMTPS id 4G7yKH3NF6z9vNPW
    for s.droz@protonmail.ch; Mon, 21 Jun 2021 18:11:47 +0000 (UTC)
Received: from [136.35.59.161] (port=45371 helo=in3days.org)
    by cloudserver2.webbossuk.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    (Exim 4.93)
    (envelope-from in3days@in3days.org)
    id 1lvNEU-00069P-CD
    for s.droz@protonmail.ch; Mon, 21 Jun 2021 17:57:10 +0100
Email coming from 136-35-59-161.googlefiber.net [136.35.59.161] sent through cloudserver2.webbossuk.com (esmtpsa -> authenticated) which happens to host in3days.org.
So most probably a hacked web hosting account.
However, this does not help much, since the root cause is the SWINOG mailman archive. You will get spam from all over the world.
Gruass, Franco
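
The header walk in the message above, as an added example that is not part of the original post: a small Python parser that reads a Received chain oldest hop first and marks which hop was an authenticated submission. The sample headers are constructed (documentation addresses and example domains), and the names `trace` and `chain_is_consistent` are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample modelled on a two-hop chain: a client submits with
# SMTP AUTH to a hosting relay (Exim), which hands over to the recipient MX.
SAMPLE = """\
X-Authenticated-Sender: relay.example.net: user@example.org
Received: from relay.example.net (relay.example.net [198.51.100.25])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
\tby mx.example.ch (Postfix) with ESMTPS id ABC123
\tfor <rcpt@example.ch>; Mon, 21 Jun 2021 18:11:47 +0000 (UTC)
Received: from [192.0.2.161] (port=45371 helo=example.org)
\tby relay.example.net with esmtpsa (TLS1.2) (Exim 4.93)
\t(envelope-from <user@example.org>) id 1abcDE-000000-XY
\tfor rcpt@example.ch; Mon, 21 Jun 2021 17:57:10 +0100
Subject: constructed sample

body
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\).*?\bby\s+(?P<by>\S+)"
                 r".*?\bwith\s+(?P<proto>\S+)", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def trace(raw):
    """Return Received hops oldest-first (each server prepends, so reverse)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        ip = IPV4.search(m["helo"] + " " + m["info"])
        hops.append({
            "from": m["helo"].strip("[]"),
            "ip": ip.group(0) if ip else None,
            "by": m["by"],
            "proto": m["proto"].lower(),
            # RFC 3848: ESMTPA / ESMTPSA mean the client used SMTP AUTH
            "authenticated": m["proto"].lower() in ("esmtpa", "esmtpsa"),
        })
    return hops

def chain_is_consistent(hops):
    """Each hop's 'by' host should be the 'from' host of the next hop."""
    return all(a["by"] == b["from"] for a, b in zip(hops, hops[1:]))

if __name__ == "__main__":
    for n, hop in enumerate(trace(SAMPLE), 1):
        print(n, hop)
```

Only the Received lines added by your own MX and relays you trust are reliable; anything older in the chain is supplied by the sending side and can be forged.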