Opened 8 years ago
Last modified 8 years ago
#1792 new task
SCAM on postgis-users
Reported by: | strk | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | SysAdmin | Keywords: | spam, scam, phishing |
Cc: |
Description
We just received a SCAM mail on the postgis-users mailing list.
The mail had the From of a trusted user, but looking at the headers the message arrived from an unusual place:
Received: from srvzimbra.fstbm.ac.ma (unknown [196.200.177.4]) by lists.osgeo.org (Postfix) with SMTP id A668A60BF3CA for <postgis-users@lists.osgeo.org>; Wed, 14 Sep 2016 21:30:19 -0700 (PDT)
The usual provenance of this user's mail is:
Received: from halon3.space2u.com (halon3.space2u.com [194.237.215.136]) by lists.osgeo.org (Postfix) with ESMTPS id C070B614774A for <postgis-users@lists.osgeo.org>; Wed, 11 May 2016 05:16:43 -0700 (PDT)
The user comes from Norway, while the SCAM mail IP is reported to be in Morocco: http://anti-hacker-alliance.com/index.php?ip=196.200.177.6
Is there a policy to block source IPs for mailman, or should it be done at the IP filter level?
Change History (7)
comment:1 by , 8 years ago
comment:2 by , 8 years ago
Component: | Systems Admin → Mailing Lists |
---|---|
Owner: | changed from | to
Moving under the "Mailing Lists" component, in case the lists admin has ideas on how to deal with this (maybe refuse mail from IP addresses not having a valid reverse-lookup?)
Nicklas, I guess one thing you could do if you are in control of the "jordogskog.no" domain is define a sender policy for it, specifying which IPs would be allowed to send mail in that name (see https://en.wikipedia.org/wiki/Sender_Policy_Framework). The rest I think would be up to the OSGeo mail service, to refuse mail coming from non-trusted sources...
Changing mail seems premature, the moderation bit should just give us an idea about whether or not the attacker is going to use your email further (for the kind of attack, it may be a one-shot).
comment:3 by , 8 years ago
Keywords: | spam scam phishing added |
---|
comment:4 by , 8 years ago
Sandro sorry, this is beyond my mailman skills I'm afraid, no idea on how to help. Probably better to reassign to SAC, maybe more capable people than me can help on this.
comment:5 by , 8 years ago
Component: | Mailing Lists → Systems Admin |
---|---|
Owner: | changed from | to
comment:6 by , 8 years ago
Hopefully this problem is over.
Now there should be an SPF record enabled at my domain that is supposed to stop those spam mails.
comment:7 by , 8 years ago
I don't know if the OSGeo mailing list server does check for SPF records though. Does anyone else do?
It is my name that is used. I am not sure what to do. I have changed from space2u.com; I am now using greengeeks.com as mail host. But this happened also before the switch.
If those emails don't come from any of my machines or phone or my mail host, then I guess I cannot block them either?
I can change my address and use nicklas@… instead of nicklas.aven@…, then it is easier for osgeo to block.
Any hints on what is happening and what I can do are appreciated. "I" have been spamming more than OSGEO lately.
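The header comparison from the ticket description, together with the reverse-lookup idea from the comments, as an added example that is not part of the original ticket or OSGeo's configuration: it parses the `Received:` hop recorded by the list server itself and reports why a message deserves moderation. The function names and the `BASELINE` list are assumptions; the baseline holds only the relay seen in the legitimate header.

```python
import ipaddress
import re

# Headers copied from the ticket description.
SCAM = ("Received: from srvzimbra.fstbm.ac.ma (unknown [196.200.177.4]) "
        "by lists.osgeo.org (Postfix) with SMTP id A668A60BF3CA "
        "for <postgis-users@lists.osgeo.org>; Wed, 14 Sep 2016 21:30:19 -0700 (PDT)")
USUAL = ("Received: from halon3.space2u.com (halon3.space2u.com [194.237.215.136]) "
         "by lists.osgeo.org (Postfix) with ESMTPS id C070B614774A "
         "for <postgis-users@lists.osgeo.org>; Wed, 11 May 2016 05:16:43 -0700 (PDT)")

# Postfix format: from <HELO name> (<reverse-DNS name or "unknown"> [<client IP>])
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+"
    r"\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>\S+)")

def parse_received(header):
    """Return helo, rdns, ip and receiving host from a Postfix Received header."""
    m = RECEIVED_RE.match(" ".join(header.split()))  # unfold continuation lines
    if m is None:
        raise ValueError("unrecognised Received header")
    hop = m.groupdict()
    hop["ip"] = ipaddress.ip_address(hop["ip"])
    return hop

def assess(header, our_mx, allowed_nets):
    """List reasons to hold a message, judged from the hop our own MX recorded."""
    hop = parse_received(header)
    if hop["by"].lower() != our_mx:
        # Hops added by other servers can be forged by the sender.
        return ["hop not recorded by our MX, so it cannot be trusted"]
    reasons = []
    if hop["rdns"] == "unknown":
        reasons.append("client IP has no verified reverse DNS")
    if not any(hop["ip"] in net for net in allowed_nets):
        reasons.append("client IP %s is outside the sender's usual relays" % hop["ip"])
    return reasons

# Assumed baseline for this sender: the single relay seen in the legitimate mail.
BASELINE = [ipaddress.ip_network("194.237.215.136/32")]

if __name__ == "__main__":
    for name, hdr in (("scam", SCAM), ("usual", USUAL)):
        print(name, assess(hdr, "lists.osgeo.org", BASELINE) or "ok")
```

The HELO name (`srvzimbra.fstbm.ac.ma`) is supplied by the connecting client, so the check relies only on the IP and reverse-DNS result that Postfix wrote inside the parentheses.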