Inkscape Website: Attack and Spam


Inkscape Website: Attack and Spam

doctormo
Dear developers,

I've just now been alerted to some activity on our webserver py1. Email
bounces from users started arriving to me (the webmaster) and I quickly
tried to gather information about what kind of event we had. One of the
bounces contained headers showing the emails were coming from our
server.

I have thus shut down postfix on py1 as a precaution, the website will
be unable to send email for the time being.

I've been digging through the logs to find out what kind of issue we
have:

 * A service ticket has been created for OSUOSL to investigate
 * None of the email addresses appear in our user accounts list, so our
database is unlikely to have been compromised.
 * There's been an sshd attack against the server today from 3:12am to
18:23pm but no actual signs of a break in.
 * Emails appear at 18:53, unknown quantity (more than 40), logs do not
report quantity at this time. So it might be something pretending to be
py1 to osuosl's smtp server.

I'll reply here when I know more, although I probably won't hear back
from osuosl until tomorrow.

Best regards, Martin Owens

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Inkscape-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/inkscape-devel
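An added example, not part of the thread or of Inkscape's infrastructure, of the log check behind the third bullet above: summarising an sshd brute-force window in auth.log and asking whether any source that was hammering the server ever got an "Accepted" login. The log lines, host name, user names and IP addresses below are constructed for the example (documentation addresses), and the threshold of three failures is an arbitrary assumption.

```python
"""Added example (not from the Inkscape thread): triage an sshd brute-force
window in auth.log and flag successful logins from the attacking sources.

Every log line below is constructed; 203.0.113.9 and 192.0.2.50 are
documentation addresses, not real hosts."""
import re
from collections import defaultdict

# Constructed auth.log excerpt: one source fails repeatedly between 03:12 and
# 18:23, while a legitimate admin logs in by key from a different address.
SAMPLE_AUTH_LOG = """\
Jul 15 03:12:01 py1 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Jul 15 03:12:04 py1 sshd[2233]: Failed password for root from 203.0.113.9 port 40130 ssh2
Jul 15 09:30:15 py1 sshd[3102]: Accepted publickey for doctormo from 192.0.2.50 port 51000 ssh2: RSA SHA256:constructedfingerprint
Jul 15 12:45:10 py1 sshd[4410]: Failed password for invalid user oracle from 203.0.113.9 port 40900 ssh2
Jul 15 18:23:40 py1 sshd[7781]: Failed password for root from 203.0.113.9 port 41211 ssh2
"""

# Same excerpt plus one line that would mean the brute force succeeded
# (constructed; this is the case the check exists to catch).
SAMPLE_AUTH_LOG_COMPROMISED = SAMPLE_AUTH_LOG + (
    "Jul 15 18:24:02 py1 sshd[7790]: Accepted password for root "
    "from 203.0.113.9 port 41215 ssh2\n"
)

# Matches the two sshd outcomes we care about; other sshd chatter is ignored.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def summarize(log_text, failure_threshold=3):
    """Return the sources with at least `failure_threshold` failed logins
    (with their count and first/last timestamp) and every accepted login
    that came from one of those sources."""
    fails = defaultdict(int)
    first_seen, last_seen = {}, {}
    accepted = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], m["ts"]
        if m["result"] == "Failed":
            fails[ip] += 1
            first_seen.setdefault(ip, ts)
            last_seen[ip] = ts
        else:
            accepted.append((ts, m["user"], m["method"], ip))
    attackers = {ip for ip, n in fails.items() if n >= failure_threshold}
    return {
        "attackers": {ip: (fails[ip], first_seen[ip], last_seen[ip])
                      for ip in attackers},
        # An "Accepted" from a brute-forcing source is the sign of a break-in
        # that the thread's author says he did not find.
        "suspicious_logins": [a for a in accepted if a[3] in attackers],
    }


if __name__ == "__main__":
    for name, log in (("clean", SAMPLE_AUTH_LOG),
                      ("compromised", SAMPLE_AUTH_LOG_COMPROMISED)):
        print(name, summarize(log))
```

The clean excerpt reports the attacking source and its time window but no suspicious login; the second excerpt additionally returns the accepted root login from that source, which is what would warrant treating the host as compromised rather than merely probed.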

Re: Inkscape Website: Attack and Spam

Inkscape - Dev mailing list
Hey Martin,
Pardon me if in looking at the headers you checked for this, but is it
possible that someone is just spoofing the inkscape.org email address in
a spam campaign? (That would be exposed by confirming the IP address is in
fact our managed server.)

As far as I can tell we don't have a DKIM, DMARC or SPF record
configured on the domain. That would make a spoof at least a more likely
explanation for the bounced emails than a server breach, not to say that
is in fact what the cause is.

Ryan

On 07/15/2018 01:36 PM, [hidden email] wrote:

> Dear developers,
>
> I've just now been alerted to some activity on our webserver py1. Email
> bounces from users started arriving to me (the webmaster) and I quickly
> tried to gather information about what kind of event we had. One of the
> bounces contained headers showing the emails were coming from our
> server.
>
> I have thus shut down postfix on py1 as a precaution, the website will
> be unable to send email for the time being.
>
> I've been digging through the logs to find out what kind of issue we
> have:
>
>  * A service ticket has been created for OSUOSL to investigate
>  * None of the email addresses appear in our user accounts list, so our
> database is unlikely to have been compromised.
>  * There's been an sshd attack against the server today from 3:12am to
> 18:23pm but no actual signs of a break in.
>  * Emails appear at 18:53, unknown quantity (more than 40), logs do not
> report quantity at this time. So it might be something pretending to be
> py1 to osuosl's smtp server.
>
> I'll reply here when I know more, although I probably won't hear back
> from osuosl until tomorrow.
>
> Best regards, Martin Owens
>


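An added example, not from the thread and not Inkscape's or OSUOSL's code, of the two checks Ryan's reply calls for: read the originating IP out of a bounced message's topmost Received header and compare it with the hosts we operate, then see what a receiver would get from the domain's SPF and DMARC records (a domain with no records yields "none", which is why a spoof cannot be rejected). The DNS lookups are replaced by a constructed in-memory table, and the domain, IP addresses, relay list and bounce below are all placeholders; the SPF evaluator handles only ip4/ip6/all mechanisms.

```python
"""Added example (not from the Inkscape thread): check whether a bounced
message really left one of our relays and whether SPF/DMARC records exist
that would let receivers reject a spoof.

All DNS data and the sample bounce are constructed; example.org and the
documentation IPs stand in for the real domain and hosts."""
import email
import ipaddress
import re
from email import policy
from typing import Optional

# Constructed stand-in for DNS TXT lookups; a real check would query DNS
# (e.g. with dnspython) for the same names.
FAKE_TXT_RECORDS = {
    "example.org": ["v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org"],
}

# Addresses of the mail relays we actually operate (constructed).
OUR_RELAYS = {"192.0.2.10", "192.0.2.11"}

# Constructed bounce. The topmost Received header was added by the receiving
# MTA and records the real connecting address; the inner hop claiming to be
# our server was supplied by the sender and could be forged.
SAMPLE_BOUNCE = """\
Received: from py1.example.org (unknown [198.51.100.77])
\tby mx.receiver.example (Postfix) with ESMTP id 4AbC
\tfor <victim@receiver.example>; Sun, 15 Jul 2018 18:53:02 +0000
Received: from [10.0.0.5] (localhost [127.0.0.1])
\tby py1.example.org (Postfix) with ESMTP id 12345
From: webmaster@example.org
To: victim@receiver.example
Subject: test

body
"""

RECEIVED_IP = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")


def originating_ip(raw_message: str) -> Optional[str]:
    """IP in the topmost Received header: the one hop the sender cannot forge."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = RECEIVED_IP.search(str(received[0]))
    return m.group("ip") if m else None


def spf_result(domain: str, ip: str, txt=FAKE_TXT_RECORDS) -> str:
    """Minimal SPF check (ip4/ip6/all only; no include, a, mx or redirect).
    'none' means the domain publishes no SPF record at all."""
    record = next((r for r in txt.get(domain, [])
                   if r.lower().startswith("v=spf1")), None)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qual]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return qualifiers[qual]
    return "neutral"  # record present, no mechanism matched, no "all"


def dmarc_policy(domain: str, txt=FAKE_TXT_RECORDS) -> Optional[str]:
    """The p= tag of the domain's DMARC record, or None if there is no record."""
    for rec in txt.get("_dmarc." + domain, []):
        if rec.lower().startswith("v=dmarc1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p", "none")
    return None


def triage(raw_message: str, domain: str, our_relays=OUR_RELAYS,
           txt=FAKE_TXT_RECORDS) -> dict:
    """Combine the three checks into one verdict for a bounced message."""
    ip = originating_ip(raw_message)
    return {
        "origin_ip": ip,
        "from_our_relay": ip in our_relays,
        "spf": spf_result(domain, ip, txt) if ip else "none",
        "dmarc_policy": dmarc_policy(domain, txt),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BOUNCE, "example.org"))
```

For the constructed bounce the origin is 198.51.100.77, which is not one of our relays and fails SPF under the `-all` record, so a receiver enforcing the `p=reject` DMARC policy would have refused it; for a domain with no records, the same functions return `none` and `None`, which is the situation the reply describes.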

Re: Inkscape Website: Attack and Spam

doctormo
Hi Ryan,

I can send along the email I have and see what you think. It could be
that the server is fine and it's a spoof in the smtp transport to
another osuosl server. But it looks like it routed through osuosl.

Best Regards, Martin Owens

On Mon, 2018-07-16 at 13:42 -0600, Ryan Gorley via Inkscape-devel
wrote:

> Pardon me if in looking at the headers you checked for this, but is it
> possible that someone is just spoofing the inkscape.org email address in
> a spam campaign? (That would be exposed by confirming the IP address is
> in fact our managed server.)
>
> As far as I can tell we don't have a DKIM, DMARC or SPF record
> configured on the domain. That would make a spoof at least a more likely
> explanation for the bounced emails than a server breach, not to say that
> is in fact what the cause is.


Re: Inkscape Website: Attack and Spam

Inkscape - Dev mailing list
Yeah, forward it over. I'll at least look and see if anything looks off
to me.


Ryan Gorley
Founder + Creative Director

https://dijt.co
1.801.999.1530 ×101
1.801.898.7926

On 07/16/2018 02:13 PM, [hidden email] wrote:

> Hi Ryan,
>
> I can send along the email I have and see what you think. It could be
> that the server is fine and it's a spoof in the smtp transport to
> another osuosl server. But it looks like it routed through osuosl.
>
> Best Regards, Martin Owens
>
> On Mon, 2018-07-16 at 13:42 -0600, Ryan Gorley via Inkscape-devel
> wrote:
>> Pardon me if in looking at the headers you checked for this, but is it
>> possible that someone is just spoofing the inkscape.org email address in
>> a spam campaign? (That would be exposed by confirming the IP address is
>> in fact our managed server.)
>>
>> As far as I can tell we don't have a DKIM, DMARC or SPF record
>> configured on the domain. That would make a spoof at least a more likely
>> explanation for the bounced emails than a server breach, not to say that
>> is in fact what the cause is.

