Opened 7 years ago
Closed 14 months ago
#1980 closed task (wontfix)
phishing on "Discuss" mailing list
Reported by: | strk | Owned by: | jsanz |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | SysAdmin/Mailman | Keywords: | mailman, phishing |
Cc: | neteler@… |
Description
discuss mailing list got a phishing attack (1), as far as I can tell conducted via
se2mxb211.globaltestmarket.com
The attack implied writing in the name of a mailing list subscriber.
I guess configuring the mail server to check for SPF (2) could help with this.
Blacklisting globaltestmarket.com domain could also be a good idea. And removing the message from the mailing list too.
(1) https://lists.osgeo.org/pipermail/discuss/2017-August/017683.html
Change History (6)
follow-up: 3 comment:1 by , 7 years ago
comment:2 by , 7 years ago
Cc: | added |
---|---|
Keywords: | mailman phishing added |
comment:3 by , 7 years ago
Replying to jsanz:
Hi @strk,
Sorry but no idea on how to configure mailman to prevent this from happening again. Maybe Markus can give a hand on this? (CCed)
I guess that this prevention could be done at postfix level, in order to DISCARD emails from that domain (to be added to /etc/postfix/access and then properly update the postfix configuration to make use of this file).
I've removed those two mails from
/var/lib/mailman/archives/private/discuss.mbox/discuss.mbox
and then run
/usr/lib/mailman/bin/arch discuss
but still, both messages appear at the archives :-(
I believe that they actually *remained*. One needs to edit all the affected files in
/var/lib/mailman/archives/public/discuss/2017-August/
to get rid of this junk:
grep -l "Important Notice To All Amazon Customers" /var/lib/mailman/archives/public/discuss/2017-August/*
/var/lib/mailman/archives/public/discuss/2017-August/017680.html
/var/lib/mailman/archives/public/discuss/2017-August/017683.html
/var/lib/mailman/archives/public/discuss/2017-August/017684.html
/var/lib/mailman/archives/public/discuss/2017-August/017685.html
/var/lib/mailman/archives/public/discuss/2017-August/017687.html
/var/lib/mailman/archives/public/discuss/2017-August/035384.html
/var/lib/mailman/archives/public/discuss/2017-August/035389.html
/var/lib/mailman/archives/public/discuss/2017-August/author.html
/var/lib/mailman/archives/public/discuss/2017-August/date.html
/var/lib/mailman/archives/public/discuss/2017-August/index.html
/var/lib/mailman/archives/public/discuss/2017-August/subject.html
/var/lib/mailman/archives/public/discuss/2017-August/thread.html
I didn't dare to remove the entire folder and re-generate it from the mbox file. Perhaps the mailman service would need to be stopped during this procedure since we are still in August?
comment:4 by , 7 years ago
Well I was following this guide
https://wiki.osgeo.org/wiki/SAC:Mailing_Lists#Remove_Mails_from_Archive
But now that I read it carefully I see that I should have removed the HTML archives and then run the arch command (I didn't). Generating the archives took less than 5 minutes so I guess it's ok to do it anytime.
I'll try this ASAP.
Thanks for the pointer!!
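The mbox-editing step of the removal procedure discussed in comments 3 and 4, as an added example that is not part of the ticket or of OSGeo's tooling: it uses Python's standard `mailbox` module to drop every message whose subject contains the string grepped for above, keeping a `.bak` copy. The function names and the sample messages are constructed for illustration; the HTML archive still has to be removed and regenerated with `arch` afterwards, as comment 4 notes.

```python
import mailbox
import os
import shutil
import tempfile
from email.header import decode_header, make_header


def purge_mbox(mbox_path, subject_marker):
    """Delete messages whose decoded Subject contains subject_marker; return their Message-IDs."""
    shutil.copy2(mbox_path, mbox_path + ".bak")  # keep a restorable copy
    box = mailbox.mbox(mbox_path)
    removed = []
    box.lock()  # keep other writers from appending while the file is rewritten
    try:
        for key, msg in list(box.items()):
            # Decode RFC 2047 encoded-words so an encoded subject still matches.
            subject = str(make_header(decode_header(msg.get("Subject", ""))))
            if subject_marker.lower() in subject.lower():
                removed.append(msg.get("Message-ID", "<no id>"))
                box.remove(key)
        box.flush()
    finally:
        box.close()  # also releases the lock
    return removed


def demo():
    """Run purge_mbox on a constructed three-message mbox in a temp directory."""
    marker = "Important Notice To All Amazon Customers"  # string grepped for in the ticket
    samples = [  # constructed sample messages, not real list traffic
        ("<1@example.org>", "FOSS4G schedule question"),
        ("<2@example.org>", "[list] " + marker),
        ("<3@example.org>", "=?utf-8?q?Important_Notice_To_All_Amazon_Customers?="),
    ]
    path = os.path.join(tempfile.mkdtemp(), "discuss.mbox")
    with open(path, "w") as fh:
        for msg_id, subject in samples:
            fh.write("From a@example.org Tue Aug  1 10:00:00 2017\n"
                     f"Message-ID: {msg_id}\nSubject: {subject}\n\nbody\n\n")
    removed = purge_mbox(path, marker)
    left = [m["Subject"] for m in mailbox.mbox(path)]
    return removed, left, os.path.exists(path + ".bak")
```

Matching on the subject also removes replies that quote it in their own subject line, which is why the backup copy is written first.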
follow-up: 6 comment:5 by , 14 months ago
jsanz did this ever happen ? Should ticket be closed as obsoleted ?
comment:6 by , 14 months ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Replying to strk:
jsanz did this ever happen ? Should ticket be closed as obsoleted ?
Yeah, let's close it as obsolete.