
Hey Martin,
Pardon me if in looking at the headers you checked for this, but is it possible that someone is just spoofing the inkscape.org email address in a spam campaign? (That would be exposed by confirming the IP address is in fact our managed server.)
As far as I can tell we don't have a DKIM, DMARC or SPF record configured on the domain. That would make a spoof at least a more likely explanation for the bounced emails than a server breach, not to say that is in fact what the cause is.
Ryan
On 07/15/2018 01:36 PM, doctormo@...400... wrote:
Dear developers,
I've just now been alerted to some activity on our webserver py1. Email bounces from users started arriving to me (the webmaster) and I quickly tried to gather information about what kind of event we had. One of the bounces contained headers showing the emails were coming from our server.
I have thus shut down postfix on py1 as a precaution; the website will be unable to send email for the time being.
I've been digging through the logs to find out what kind of issue we have:
- A service ticket has been created for OSUOSL to investigate
- None of the email addresses appear in our user accounts list, so our database is unlikely to have been compromised.
- There's been an sshd attack against the server today from 3:12am to 18:23pm but no actual signs of a break-in.
- Emails appear at 18:53, unknown quantity (more than 40), logs do not report quantity at this time. So it might be something pretending to be py1 to osuosl's smtp server.
I'll reply here when I know more, although I probably won't hear back from osuosl until tomorrow.
Best regards, Martin Owens
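The header check suggested in this thread (confirming whether the connecting IP recorded in a bounce is really the managed server), as an added example that is not part of the original messages. It assumes Postfix-style `Received:` lines; the function names, hostnames and addresses are all constructed for illustration, and the name of the MX you trust is an input you supply.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample: headers of an original message as returned inside a bounce.
# Hostnames and addresses are made up (RFC 5737 documentation ranges).
SAMPLE = """\
Received: from py1.example.org (unknown [203.0.113.77])
\tby mx.recipient.example (Postfix) with ESMTP id ABC123
\tfor <user@recipient.example>; Sun, 15 Jul 2018 18:53:02 +0000
Received: from py1.example.org (py1.example.org [192.0.2.10])
\tby relay.forged.example with SMTP; Sun, 15 Jul 2018 18:52:59 +0000
From: webmaster@example.org
To: user@recipient.example
Subject: constructed test

body
"""

# "from <helo> (<rdns> [<ip>]) ... by <host>" as written by Postfix.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]*)\s*"
    r"\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def parse_hops(raw):
    """Return Received hops, newest first, as dicts with helo, ip and by."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"helo": m["helo"], "ip": ip_address(m["ip"]),
                         "by": m["by"].lower()})
    return hops

def classify(raw, trusted_mx, our_ips):
    """Judge the message by the IP that the trusted MX itself recorded.

    Received lines below that hop were supplied by the sender and can be
    forged (the second header in SAMPLE claims our address), so they are
    ignored. The HELO name is also sender-controlled and is not used.
    """
    for hop in parse_hops(raw):
        if hop["by"] == trusted_mx.lower():
            return "sent-from-our-server" if hop["ip"] in our_ips else "spoofed"
    return "unknown"  # no header written by a host we trust

if __name__ == "__main__":
    print(classify(SAMPLE, "mx.recipient.example", {ip_address("192.0.2.10")}))
```
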