~alpine/users

Your account associated with your alpine-user@lists.alpinelinux.org has been limited Reason ...

Stefan Hartmann <stefanh@hafenthal.de>
Message ID: <3530b06a-bf3b-a3ef-ecce-1162bea953df@hafenthal.de>
DKIM signature: missing
Hello,

yesterday I received a suspicious email from alpinelinux.org:

"Notification
Dear alpine-user,Your account associated with your 
alpine-user@lists.alpinelinux.org has been limitedReason: Messages - 
Delivery Process Failed .
What happens when new messages are inaccessible?
Once a new message is limited, it will be inaccessible—users will not 
be able to receive new messages.
Want to keep the account and receive new messages?
..."

There is a pushbutton which leads to 
https://siasky.net/EABzry9_94YhAghJPa5QmmPjGdw01d_BAgdPmQJCkk0vlA#alpine-user@lists.alpinelinux.org

I analyzed this with burp:
The pushbutton makes a post

POST //img/Jesse.php HTTP/1.1

Host: ommarts.com

...
email=alpine-user%40lists.alpinelinux.org&password=spearphising%3F

It returns a 200 OK.

Does alpinelinux.org really use the php-script
http://ommarts.com//img/Jesse.php ???

Suspicious!

The message comes from
...
Received: from nld3-dev1.alpinelinux.org (nld3-dev1.alpinelinux.org 
[147.75.101.119])
by gw1.hafenthal.de (Postfix) with ESMTPS id 0D51BA80B87
for <sh@hafenthal.de>; Fri,  7 Oct 2022 20:24:23 +0000 (UTC)
...
which seems OK.
N.B. received on an Alpinelinux mail relay!

Was there a breach?

-- 
Stefan Hartmann - ib.hafenthal.de
Message ID: <CNGL0SZ4Q7TS.3CDJTID300GWK@sumire>
In-Reply-To: <3530b06a-bf3b-a3ef-ecce-1162bea953df@hafenthal.de>
DKIM signature: missing
On Sat Oct 8, 2022 at 2:03 PM CEST, Stefan Hartmann wrote:
> Hello,
>
> yesterday I received a suspicious email from alpinelinux.org:
>
> "Notification
> Dear alpine-user,Your account associated with your 
> alpine-user@lists.alpinelinux.org has been limitedReason: Messages - 
> Delivery Process Failed .
> What happens when new messages are inaccessible?
> Once a new message is limited, it will be inaccessible—users will not 
> be able to receive new messages.
> Want to keep the account and receive new messages?
> ..."
>
> There is a pushbutton which yields to 
> https://siasky.net/EABzry9_94YhAghJPa5QmmPjGdw01d_BAgdPmQJCkk0vlA#alpine-user@lists.alpinelinux.org
>
> I analyzed this with burp:
> The pushbutton makes a post
>
> POST //img/Jesse.php HTTP/1.1
>
> Host: ommarts.com
>
> ...
> email=alpine-user%40lists.alpinelinux.org&password=spearphising%3F
>
> It returns a 200 OK.
>
> Uses alpinelinux.org really the php-script
> http://ommarts.com//img/Jesse.php ???
>
> Suspicious!
>
> The messages comes from
> ...
> Received: from nld3-dev1.alpinelinux.org (nld3-dev1.alpinelinux.org 
> [147.75.101.119])
> by gw1.hafenthal.de (Postfix) with ESMTPS id 0D51BA80B87
> for <sh@hafenthal.de>; Fri,  7 Oct 2022 20:24:23 +0000 (UTC)
> ...
> which seams OK.
> Nb. received on a Alpinelinux mailrelay!
>
> Was there a breach?
if you're referring to:
https://lists.alpinelinux.org/~alpine/devel/%3C7e33418c8ccc805ee91c2176c2960a5a%4admin.reservasmi2u.mx%3E
then this is just random spam sent to the mailing list, without even a
spoofed From:. though it does look quite believable :)
(i personally see these like ~12 times a week with all the mailing lists
i'm subscribed to, so i didn't think anything of it)
>
> -- 
> Stefan Hartmann - ib.hafenthal.de
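A defender-side triage script for the kind of mail discussed in this thread, added here as an example (it is not from either participant or from Alpine's list infrastructure). It parses a constructed message modelled on the one quoted above and reports the indicators both posts point at: a From domain that does not match the branding, a call-to-action link to a foreign host carrying the recipient's address, and a Received hop through the list relay that only proves list delivery, not authorship. All hostnames except the relay are placeholders.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote
BRAND = "alpinelinux.org"  # the organisation the mail claims to speak for
# Constructed sample modelled on the thread's message; sender, link host and
# receiving MTA are placeholders, not the real infrastructure.
SAMPLE = """\
Received: from nld3-dev1.alpinelinux.org (nld3-dev1.alpinelinux.org [147.75.101.119])
  by gw1.example.net (Postfix) with ESMTPS id 0D51BA80B87
  for <sh@example.net>; Fri,  7 Oct 2022 20:24:23 +0000 (UTC)
From: "Alpine Lists" <admin@unrelated-sender.example>
To: alpine-user@lists.alpinelinux.org
Subject: Your account alpine-user@lists.alpinelinux.org has been limited
Content-Type: text/html; charset=utf-8

<html><body><p>Dear alpine-user, your account has been limited.</p>
<a href="https://file-host.example/EABzry#alpine-user@lists.alpinelinux.org">Keep account</a></body></html>
"""

class _Links(HTMLParser):  # collects every <a href> in the HTML body
    def __init__(self):
        super().__init__(); self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def triage(raw, brand=BRAND):
    msg = email.message_from_string(raw, policy=policy.default)
    sender_dom = parseaddr(str(msg["From"]))[1].lower().split("@")[-1]
    recipient = parseaddr(str(msg["To"]))[1].lower()
    findings = []
    # 1. Subject invokes the brand, but the author's domain is somewhere else.
    if brand in str(msg["Subject"] or "").lower() and not in_domain(sender_dom, brand):
        findings.append(f"From domain {sender_dom} is not under {brand}")
    # 2./3. The call-to-action link leaves the brand and carries the victim's address.
    body = msg.get_body(preferencelist=("html",))
    parser = _Links()
    parser.feed(body.get_content() if body else "")
    for url in map(urlparse, parser.hrefs):
        if not in_domain((url.hostname or "").lower(), brand):
            findings.append(f"link points to foreign host {url.hostname}")
        if recipient and recipient in unquote(url.query + url.fragment).lower():
            findings.append("recipient address embedded in link")
    # 4. A hop through the list relay proves list delivery, not who wrote the mail.
    if any(brand in str(r) for r in msg.get_all("Received", [])):
        findings.append("relayed via list server; Received chain does not vouch for author")
    return findings
```

Run `triage(SAMPLE)` to see the four findings; the same checks apply to a raw message saved from the list archive.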