Opened 7 years ago

Closed 6 months ago

#1980 closed task (wontfix)

phishing on "Discuss" mailing list

Reported by: strk Owned by: jsanz
Priority: normal Milestone:
Component: SysAdmin/Mailman Keywords: mailman, phishing
Cc: neteler@…

Description

The discuss mailing list got a phishing attack (1), as far as I can tell conducted via

se2mxb211.globaltestmarket.com

The attack implied writing in the name of a mailing list subscriber.

I guess configuring the mail server to check for SPF (2) could help with this.

Blacklisting the globaltestmarket.com domain could also be a good idea. And removing the message from the mailing list too.

(1) https://lists.osgeo.org/pipermail/discuss/2017-August/017683.html

(2) https://en.wikipedia.org/wiki/Sender_Policy_Framework

Change History (6)

comment:1 by jsanz, 7 years ago

Hi @strk,

Sorry, but no idea on how to configure mailman to prevent this from happening again. Maybe Markus can give a hand on this? (CCed)

I've removed those two mails from

/var/lib/mailman/archives/private/discuss.mbox/discuss.mbox

and then run

/usr/lib/mailman/bin/arch discuss

but still, both messages appear at the archives :-(

comment:2 by jsanz, 7 years ago

Cc: neteler@… added
Keywords: mailman phishing added

in reply to: comment:1 | comment:3 by neteler, 7 years ago

Replying to jsanz:

Hi @strk,

Sorry, but no idea on how to configure mailman to prevent this from happening again. Maybe Markus can give a hand on this? (CCed)

I guess that this prevention could be done at postfix level, in order to DISCARD emails from that domain (to be added to /etc/postfix/access and then properly update the postfix configuration to make use of this file).

I've removed those two mails from

/var/lib/mailman/archives/private/discuss.mbox/discuss.mbox

and then run

/usr/lib/mailman/bin/arch discuss

but still, both messages appear at the archives :-(

I believe that they actually *remained*. One needs to edit all the affected files in

/var/lib/mailman/archives/public/discuss/2017-August/

to get rid of this junk:

grep -l "Important Notice To All Amazon Customers" /var/lib/mailman/archives/public/discuss/2017-August/*
/var/lib/mailman/archives/public/discuss/2017-August/017680.html
/var/lib/mailman/archives/public/discuss/2017-August/017683.html
/var/lib/mailman/archives/public/discuss/2017-August/017684.html
/var/lib/mailman/archives/public/discuss/2017-August/017685.html
/var/lib/mailman/archives/public/discuss/2017-August/017687.html
/var/lib/mailman/archives/public/discuss/2017-August/035384.html
/var/lib/mailman/archives/public/discuss/2017-August/035389.html
/var/lib/mailman/archives/public/discuss/2017-August/author.html
/var/lib/mailman/archives/public/discuss/2017-August/date.html
/var/lib/mailman/archives/public/discuss/2017-August/index.html
/var/lib/mailman/archives/public/discuss/2017-August/subject.html
/var/lib/mailman/archives/public/discuss/2017-August/thread.html

I didn't dare to remove the entire folder and re-generate it from the mbox file. Perhaps the mailman service would need to be stopped during this procedure since we are still in August?

comment:4 by jsanz, 7 years ago

Well I was following this guide

https://wiki.osgeo.org/wiki/SAC:Mailing_Lists#Remove_Mails_from_Archive

But now that I read it carefully I see that I should have removed the HTML archives and then run the arch command (I didn't). Generating the archives took less than 5 minutes so I guess it's ok to do it anytime.

I'll try this ASAP.

Thanks for the pointer!!
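The cleanup agreed on above (drop the phishing messages from the list mbox, then delete the HTML archive and rerun arch) is easy to get wrong by hand-editing a large mbox. As an added example that is not part of this ticket or of OSGeo SAC's tooling, the script below filters the messages out of a copy of the mbox with Python's mailbox module; the subject line and relay hostname are the ones named in the ticket, while the sample mbox and the temp paths are constructed for the demo.

```python
"""Drop phishing messages from a Mailman mbox before regenerating the
HTML archive with /usr/lib/mailman/bin/arch <list> (see comment:4).

Added example, not OSGeo's own tooling. The live mbox on this ticket is
/var/lib/mailman/archives/private/discuss.mbox/discuss.mbox; the sample
messages below are constructed for illustration.
"""
import mailbox
import os
import tempfile

PHISH_SUBJECT = "Important Notice To All Amazon Customers"  # subject grep'd for in comment:3
PHISH_HOST = "globaltestmarket.com"                          # relay named in the ticket


def is_phish(msg):
    """True if the subject or any Received: header points at the phishing run."""
    subject = (msg.get("Subject") or "").strip()
    if PHISH_SUBJECT.lower() in subject.lower():
        return True
    return any(PHISH_HOST in hop for hop in msg.get_all("Received", []))


def clean_mbox(src_path, dst_path):
    """Copy src mbox to dst mbox without phishing messages; return (kept, dropped)."""
    src, dst = mailbox.mbox(src_path), mailbox.mbox(dst_path)
    kept = dropped = 0
    try:
        for msg in src:
            if is_phish(msg):
                dropped += 1
                continue
            dst.add(msg)  # keeps the original "From " separator line
            kept += 1
        dst.flush()
    finally:
        src.close()
        dst.close()
    return kept, dropped


# Constructed two-message mbox: one legitimate post, one forged in a subscriber's name.
SAMPLE_MBOX = (
    "From alice@example.org Tue Aug 15 10:00:00 2017\n"
    "From: Alice <alice@example.org>\n"
    "Subject: [OSGeo-Discuss] FOSS4G schedule\n"
    "Received: from mail.example.org by lists.osgeo.org\n\n"
    "See you there.\n\n"
    "From bob@example.org Tue Aug 15 11:00:00 2017\n"
    "From: Bob <bob@example.org>\n"
    "Subject: [OSGeo-Discuss] Important Notice To All Amazon Customers\n"
    "Received: from se2mxb211.globaltestmarket.com by lists.osgeo.org\n\n"
    "Click here.\n"
)


def demo():
    """Run clean_mbox over the constructed mbox in a temp dir; returns (kept, dropped)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "discuss.mbox"), os.path.join(tmp, "discuss.clean.mbox")
        with open(src, "w") as fh:
            fh.write(SAMPLE_MBOX)
        return clean_mbox(src, dst)  # -> (1, 1)
```

On the real list, swap the cleaned file in for discuss.mbox (after a backup), remove the affected month's public HTML directory, and rerun arch as described in comment:4.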

comment:5 by strk, 6 months ago

jsanz, did this ever happen? Should the ticket be closed as obsoleted?

in reply to: comment:5 | comment:6 by jsanz, 6 months ago

Resolution: wontfix
Status: new → closed

Replying to strk:

jsanz, did this ever happen? Should the ticket be closed as obsoleted?

Yeah, let's close it as obsolete.
