Opened 6 years ago

Last modified 6 years ago

#1532 new task

getting spam sexual e-mail which seems to be replies from osgeo-conf or board

Reported by: bartvde
Owned by: sac@…
Priority: normal
Milestone:
Component: Systems Admin
Keywords:
Cc:

Description (last modified by warmerdam)

Envelope-To: bartvde@osgis.nl
X-Antiabuse: This header was added to track abuse, please include it with any abuse report
X-Antiabuse: Primary Hostname - mx12.loverhearts.com
X-Antiabuse: Original Domain - osgis.nl
X-Antiabuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-Antiabuse: Sender Address Domain - loverhearts.com
In-Reply-To: <473E3550-36FC-4DC9-8B94-8525D50B3588@osgis.nl>
Return-Path: <julie70622@loverhearts.com>
Mime-Version: 1.0
X-Virus-Scanned: Clear (ClamAV 0.98.5/20836/Tue Aug 25 22:51:25 2015)
X-Priority: 3 (Normal)
Message-Id: <22099b5fb5ce1e39b582c36a2fe32ba2@leadrace.biz>
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Dkim-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=loverhearts.com; s=default; h=References:In-Reply-To:Content-Transfer-Encoding:Content-Type:MIME-Version:To:Reply-To:From:Subject:Date:Message-ID; bh=/df1EM6z7sse98QYSgU4somupBh2YrDa0q+QG0PINGM=; b=dJKpHTYTrLPsE/WKyfd9Hu5lWTksz3C+VAiMUbODP45bVTBxFkcmhcnQGDqUU2lp/svznK9VZJ1NvCICFX8Vo1oKXBG0MiONWcxOut6kXBqhj60Nh6r2zjWteTTI5iWXpcmQIT4s72fMd9q8ePJlGsa6Arko8Fnj8CXpoOZarxU=;
Delivery-Date: Wed, 26 Aug 2015 05:06:23 +0200
X-Get-Message-Sender-Via: mx12.loverhearts.com: authenticated_id: julie@loverhearts.com
Content-Transfer-Encoding: quoted-printable
References: <473E3550-36FC-4DC9-8B94-8525D50B3588@osgis.nl>
Content-Type: multipart/mixed; boundary="_=_swift_v4_1440558369_2afe50087a4c7bdc8af7cefba5fe540b_=_"
X-Spam-Score: 1.6 (+)
Delivered-To: osgisa-bartvde@osgis.nl
Received: from [104.236.255.68] (helo=mx12.loverhearts.com) by www270.your-server.de with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.80.1) (envelope-from <julie70622@loverhearts.com>) id 1ZUR2Y-0004hm-RO for bartvde@osgis.nl; Wed, 26 Aug 2015 05:06:23 +0200
Received: from [155.94.64.78] (port=54935 helo=leadrace.biz) by mx12.loverhearts.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.85) (envelope-from <julie70622@loverhearts.com>) id 1ZUR2N-0006FP-UP for bartvde@osgis.nl; Tue, 25 Aug 2015 23:06:08 -0400
Re:  [OSGeo-Conf] Board Digest, Vol 107, Issue 16

Hey Bart,I am willing to meet up with you just as long as you can prove to me that you aren't going to do anything crazy. You just need to go along to this site Unlock phone number Click Here check out my picture and do the date security verification…then call/text me after that.I've asked you nicely what I need you to do to ensure my safety.I have a healthy conscious about meeting a stranger online Bart Eijnden without doing this first.There has been multiple women attacked and murdered from Bart Eijndenguys on cl, I can't take risk until u verify. If you can’t do that simple thing then I’m sure as not going to have s e x with you. I am sorry. Take care......

Thanks

Julie Anna
Send via iPhone

Change History (9)

comment:1 Changed 6 years ago by bartvde

Is this e-mail address subscribed to any of those lists by any chance? Or what else might be going on?

comment:2 Changed 6 years ago by warmerdam

Description: modified (diff)

comment:3 Changed 6 years ago by warmerdam

Bart,

I'm not seeing any sign of someone from loverhearts.com signed up to this list. I'm not sure about how to do a cross-list search. The email headers don't seem to suggest the email went through OSGeo mail servers, so it would appear they are just doing a minimal masquerade as being from our list by spoofing the subject line.

I'm not sure that we can do anything about this.
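
The header check described in comment 3, as an added example that is not part of the original ticket: it lists the hosts that stamped `Received` headers and tests whether any belongs to the list's domain or whether a `List-Id` header is present. The headers are copied from the description (trimmed); the function names and the choice of `osgeo.org` as the list domain are assumptions.

```python
import re
from email import message_from_string

# Headers copied from the ticket description; Received lines are trimmed to the
# fields used here and the "Subject:" name is restored on the subject line.
RAW = (
    "Return-Path: <julie70622@loverhearts.com>\n"
    "Received: from [104.236.255.68] (helo=mx12.loverhearts.com) by www270.your-server.de"
    " with esmtps (Exim 4.80.1) for bartvde@osgis.nl; Wed, 26 Aug 2015 05:06:23 +0200\n"
    "Received: from [155.94.64.78] (port=54935 helo=leadrace.biz) by mx12.loverhearts.com"
    " with esmtpsa (Exim 4.85) for bartvde@osgis.nl; Tue, 25 Aug 2015 23:06:08 -0400\n"
    "Message-Id: <22099b5fb5ce1e39b582c36a2fe32ba2@leadrace.biz>\n"
    "In-Reply-To: <473E3550-36FC-4DC9-8B94-8525D50B3588@osgis.nl>\n"
    "Subject: Re:  [OSGeo-Conf] Board Digest, Vol 107, Issue 16\n"
    "\n"
    "body omitted\n"
)

def in_domain(host, domain):
    """True only for the domain itself or a real subdomain (not 'notosgeo.org')."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def relays(msg):
    """Hosts that stamped a Received header, newest first."""
    found = []
    for value in msg.get_all("Received", []):
        m = re.search(r"\bby\s+(\S+)", value)
        if m:
            found.append(m.group(1))
    return found

def analyse(raw, list_domain):
    """Compare what the subject claims with what the transport headers show."""
    msg = message_from_string(raw)
    hops = relays(msg)
    tag = re.search(r"\[([^\]]+)\]", msg.get("Subject", ""))
    via_list = any(in_domain(h, list_domain) for h in hops)
    list_id = msg.get("List-Id")  # RFC 2919 header added by list software
    return {
        "relays": hops,
        "claimed_list": tag.group(1) if tag else None,
        "via_list_server": via_list,
        "list_id": list_id,
        "subject_only_masquerade": bool(tag) and not via_list and list_id is None,
    }

if __name__ == "__main__":
    print(analyse(RAW, "osgeo.org"))
```

`Received` lines below the recipient's own server are supplied by the sender, so a match is only a hint; the absence of any list hop, as here, is the stronger signal.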

comment:4 Changed 6 years ago by msmitherdc

I just got a similar kind of message as Bart when replying to a board motion.

comment:5 Changed 6 years ago by Jeff McKenna

If you do a "whois" on the loverhearts domain you can see the email address connected to it, and then do a Google search and you can see that this person is attached to many scams. (that address is not a member of the board or conference-dev lists)

comment:6 in reply to:  3 Changed 6 years ago by EliL

Replying to warmerdam:

> Bart,
>
> I'm not seeing any sign of someone from loverhearts.com signed up to this list. I'm not sure about how to do a cross-list search. The email headers don't seem to suggest the email went through OSGeo mail servers, so it would appear they are just doing a minimal masquerade as being from our list by spoofing the subject line.
>
> I'm not sure that we can do anything about this.

Is the list of subscribers an appropriate number? I would expect both the Board and Conference list to have fewer than 200 members, most of which would be recognizable email addresses. And probably not too many recent subscription joins.

comment:7 Changed 6 years ago by EliL

This may also just be a temporary clever (subject line matching) result of our public archives that will work itself out as email providers stop letting matching subject lines through. A minimal look at the content of the email makes it quite clearly spam.

comment:8 Changed 6 years ago by Jeff McKenna

I don't see anyone suspicious. Other than 0az(dot)post(at)blogger(dot)com which I guess is valid.

comment:9 Changed 6 years ago by neteler

Ok I also got one now and checked on mail.osgeo.org:

mail:/var/log# grep 104.236.231.253 mail.log
Aug 27 10:42:06 mail postfix/smtpd[18471]: warning: hostname mx1.meetmeloves.com does not resolve to address 104.236.231.253
Aug 27 10:42:06 mail postfix/smtpd[18471]: connect from unknown[104.236.231.253]
Aug 27 10:42:06 mail postgrey[2048]: action=greylist, reason=new, client_name=unknown, client_address=104.236.231.253, sender=bouncereply+neteler=osgeo.org@meetmeloves.com, recipient=neteler@osgeo.org
Aug 27 10:42:06 mail postfix/smtpd[18471]: NOQUEUE: reject: RCPT from unknown[104.236.231.253]: 450 4.2.0 <neteler@osgeo.org>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/osgeo.org.html; from=<bouncereply+neteler=osgeo.org@meetmeloves.com> to=<neteler@osgeo.org> proto=ESMTP helo=<mx1.meetmeloves.com>
Aug 27 10:42:06 mail postfix/smtpd[18471]: disconnect from unknown[104.236.231.253]
Aug 27 11:18:38 mail postfix/smtpd[20621]: warning: hostname mx1.meetmeloves.com does not resolve to address 104.236.231.253
Aug 27 11:18:38 mail postfix/smtpd[20621]: connect from unknown[104.236.231.253]
Aug 27 11:18:38 mail postgrey[2048]: action=pass, reason=triplet found, delay=2192, client_name=unknown, client_address=104.236.231.253, sender=bouncereply+neteler=osgeo.org@meetmeloves.com, recipient=neteler@osgeo.org
Aug 27 11:18:38 mail postfix/smtpd[20621]: D2F2D842B: client=unknown[104.236.231.253]
Aug 27 11:18:39 mail postfix/smtpd[20621]: disconnect from unknown[104.236.231.253]

mail:/var/log# nslookup  104.236.231.253
Server:		140.211.166.130
Address:	140.211.166.130#53
Non-authoritative answer:
253.231.236.104.in-addr.arpa	name = mx1.meetmeloves.com.

Whois: http://bgp.he.net/dns/meetmeloves.com#_whois

I don't know if it is worthwhile to contact their abuse address mentioned therein. They'll change name/address anyway...
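
The log reading from comment 9 as a script, added here as an example and not part of the original ticket: it pairs Postfix's reverse-DNS mismatch warning with postgrey's outcome for the same client address. The sample lines are copied from the excerpt above; the function names are illustrative.

```python
import re
from collections import defaultdict

# Lines copied from the mail.log excerpt in comment 9.
SAMPLE_LOG = """\
Aug 27 10:42:06 mail postfix/smtpd[18471]: warning: hostname mx1.meetmeloves.com does not resolve to address 104.236.231.253
Aug 27 10:42:06 mail postgrey[2048]: action=greylist, reason=new, client_name=unknown, client_address=104.236.231.253, sender=bouncereply+neteler=osgeo.org@meetmeloves.com, recipient=neteler@osgeo.org
Aug 27 11:18:38 mail postfix/smtpd[20621]: warning: hostname mx1.meetmeloves.com does not resolve to address 104.236.231.253
Aug 27 11:18:38 mail postgrey[2048]: action=pass, reason=triplet found, delay=2192, client_name=unknown, client_address=104.236.231.253, sender=bouncereply+neteler=osgeo.org@meetmeloves.com, recipient=neteler@osgeo.org
"""

# Postfix logs this when the PTR name does not map back to the client IP.
FCRDNS_RE = re.compile(r"warning: hostname (\S+) does not resolve to address (\S+)")
POSTGREY_RE = re.compile(r"postgrey\[\d+\]: (.*)$")

def parse_postgrey(fields):
    """Turn 'action=pass, reason=triplet found, ...' into a dict."""
    # Split on the first '=' only: the sender address itself contains '='.
    return dict(part.split("=", 1) for part in fields.split(", "))

def summarize(log_text):
    """Per client IP: unconfirmed PTR names and greylisting outcomes."""
    clients = defaultdict(
        lambda: {"ptr_mismatch": set(), "greylisted": 0, "passed_after": []}
    )
    for line in log_text.splitlines():
        m = FCRDNS_RE.search(line)
        if m:
            clients[m.group(2)]["ptr_mismatch"].add(m.group(1))
            continue
        m = POSTGREY_RE.search(line)
        if m:
            f = parse_postgrey(m.group(1))
            entry = clients[f["client_address"]]
            if f["action"] == "greylist":
                entry["greylisted"] += 1
            elif f["action"] == "pass" and "delay" in f:
                entry["passed_after"].append(int(f["delay"]))  # seconds until retry
    return dict(clients)

def suspicious(clients):
    """Clients that got past greylisting by retrying and have unconfirmed reverse DNS."""
    return sorted(ip for ip, c in clients.items()
                  if c["ptr_mismatch"] and c["passed_after"])

if __name__ == "__main__":
    print(suspicious(summarize(SAMPLE_LOG)))
```

Greylisting only delays a sender that retries like a normal MTA, which is what the 2192-second gap shows. Postfix's `reject_unknown_client_hostname` restriction acts on the same reverse-DNS condition the warning reports.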
